[GH-ISSUE #85] Rule 一些疑問和許願 #61

New issue

Closed

opened 2026-03-04 12:18:37 +03:00 by kerem · 4 comments

kerem commented 2026-03-04 12:18:37 +03:00

Owner

Copy link

Originally created by @ADeeeee on GitHub (Jan 20, 2022).
Original GitHub issue: https://github.com/ADD-SP/ngx_waf/issues/85

測試環境：
Ubuntu 20.04.3 LTS

nginx version: nginx/1.18.0 (Ubuntu)
built with OpenSSL 1.1.1f 31 Mar 2020
TLS SNI support enabled

ngx_waf: 自己照文件流程 compile 出來的 LTS 1.18 版

規則參考：
https://docs.addesp.com/ngx_waf/advance/rule.html#ip-whitelist
https://github.com/ADD-SP/ngx_waf/issues/29

問題：

1. 規則內有 UserAgent 的黑名單機制，但卻沒看見白名單的機制，請問未來有機會會增加嗎？或是現在有一些辦法達成嗎？
   因為有時候 IP 白名單沒辦法一次加到全部，為方便作業所以會統一用內部規定的 user-agent 來執行 API 或是內部的 request，希望可以直接把這些 request 全部利用 user-agent 一次搞定，而不會開發過程時常為 IP 白名單的事情操勞

參考 AWS WAF 運作上各規則基本上也都是有一黑一白的作法，讓使用者能比較彈性應對各種需求，建議以下五個項目都也要有白名單

• Get parameter blacklist with the filename args.
• Post request body blacklist, with the filename post.
• UserAgent blacklist with the filename user-agent.
• Cookie blacklist, with the filename cookie.

2. Advanced 的內容在文件上找不到，完全不知道該怎麼使用，請再協助解惑

Advanced rules with the file name advaced.

3. 是否該把 URI 的部份獨立從 URL 拉出來 (如果是一起的話)
   畢竟如果規則語法一時不查，可能會出大事

許願：

1. 希望規則的文件上可以放上一些範例和寫法，畢竟有時候用文字敘述會不太確定實際運作狀況和語法如何
   如 URL 是不是有含 URI 的部份，如我有額外參考這篇 issue 才大概知道怎麼寫
   Ref. https://github.com/ADD-SP/ngx_waf/issues/29

2. 希望文件能完整的將 current 和 LTS 版本的設定內容切清楚，譬如 waf_cc_deny 那部份就會混雜，不確定是否支援
   Ref. https://github.com/ADD-SP/ngx_waf/issues/84

*Edit for wrong quote.

Originally created by @ADeeeee on GitHub (Jan 20, 2022). Original GitHub issue: https://github.com/ADD-SP/ngx_waf/issues/85 測試環境： Ubuntu 20.04.3 LTS nginx version: nginx/1.18.0 (Ubuntu) built with OpenSSL 1.1.1f 31 Mar 2020 TLS SNI support enabled ngx_waf: 自己照文件流程 compile 出來的 LTS 1.18 版 規則參考： https://docs.addesp.com/ngx_waf/advance/rule.html#ip-whitelist https://github.com/ADD-SP/ngx_waf/issues/29 問題： 1. 規則內有 UserAgent 的黑名單機制，但卻沒看見白名單的機制，請問未來有機會會增加嗎？或是現在有一些辦法達成嗎？ 因為有時候 IP 白名單沒辦法一次加到全部，為方便作業所以會統一用內部規定的 user-agent 來執行 API 或是內部的 request，希望可以直接把這些 request 全部利用 user-agent 一次搞定，而不會開發過程時常為 IP 白名單的事情操勞 參考 AWS WAF 運作上各規則基本上也都是有一黑一白的作法，讓使用者能比較彈性應對各種需求，建議以下五個項目都也要有白名單 - Get parameter blacklist with the filename args. - Post request body blacklist, with the filename post. - UserAgent blacklist with the filename user-agent. - Cookie blacklist, with the filename cookie. 2. Advanced 的內容在文件上找不到，完全不知道該怎麼使用，請再協助解惑 ``` Advanced rules with the file name advaced. ``` 3. 是否該把 URI 的部份獨立從 URL 拉出來 (如果是一起的話) 畢竟如果規則語法一時不查，可能會出大事 許願： 1. 希望規則的文件上可以放上一些範例和寫法，畢竟有時候用文字敘述會不太確定實際運作狀況和語法如何 如 URL 是不是有含 URI 的部份，如我有額外參考這篇 issue 才大概知道怎麼寫 Ref. https://github.com/ADD-SP/ngx_waf/issues/29 2. 希望文件能完整的將 current 和 LTS 版本的設定內容切清楚，譬如 waf_cc_deny 那部份就會混雜，不確定是否支援 Ref. https://github.com/ADD-SP/ngx_waf/issues/84 *Edit for wrong quote.

kerem 2026-03-04 12:18:37 +03:00

• closed this issue
• added the
  enhancement
  question
  stale
  labels

kerem commented 2026-03-04 12:18:38 +03:00

Author

Owner

Copy link

@ADD-SP commented on GitHub (Jan 20, 2022):

Questions

1. At the moment there is no support for whitelist of user-agent. I'm working on v11, and I'm considering adding some whitelists, so keep an eye on the release.
2. The code for the advanced rules, while still present in the LTS version, is no longer recommended and has not been removed to ensure compatibility. In the Current version, the relevant code has been removed and its functionality replaced by modsecurity.
3. Actually the correct name should be uri, it was wrong to name the rule file url at first, but now it's not going to be corrected, keep it as it is. For https://www.example.com/test/client?q=xxx, url is /test/client, does not contain the schema, domain, and query string.

Advices

1. Okay, I will update the document to make it more rigorous.
2. Content that belongs only to the Current version is clearly marked, such as the green text box. But some details are really easy to confuse, I will improve.

<!-- gh-comment-id:1017365807 --> @ADD-SP commented on GitHub (Jan 20, 2022): ## Questions 1. At the moment there is no support for whitelist of user-agent. I'm working on v11, and I'm considering adding some whitelists, so keep an eye on the release. 2. The code for the advanced rules, while still present in the LTS version, is no longer recommended and has not been removed to ensure compatibility. In the `Current` version, the relevant code has been removed and its functionality replaced by `modsecurity`. 3. Actually the correct name should be `uri`, it was wrong to name the rule file `url` at first, but now it's not going to be corrected, keep it as it is. For `https://www.example.com/test/client?q=xxx`, `url` is `/test/client`, does not contain the schema, domain, and query string. ## Advices 1. Okay, I will update the document to make it more rigorous. 2. Content that belongs only to the `Current` version is clearly marked, such as the green text box. But some details are really easy to confuse, I will improve. 

kerem commented 2026-03-04 12:18:38 +03:00

Author

Owner

Copy link

@ADeeeee commented on GitHub (Jan 21, 2022):

沒問題，感謝解答

但今天測試又遇到一個問題，請問我 rule 裡面有辦法新增註解嗎？我寫了註解下 nginx -t 檢查語法都會出錯

尤其是 ip 的部份，加了一堆希望能有註解可以一目了然

<!-- gh-comment-id:1018336465 --> @ADeeeee commented on GitHub (Jan 21, 2022): 沒問題，感謝解答 但今天測試又遇到一個問題，請問我 rule 裡面有辦法新增註解嗎？我寫了註解下 nginx -t 檢查語法都會出錯 尤其是 ip 的部份，加了一堆希望能有註解可以一目了然

kerem commented 2026-03-04 12:18:38 +03:00

Author

Owner

Copy link

@ADD-SP commented on GitHub (Jan 21, 2022):

沒問題，感謝解答

但今天測試又遇到一個問題，請問我 rule 裡面有辦法新增註解嗎？我寫了註解下 nginx -t 檢查語法都會出錯

尤其是 ip 的部份，加了一堆希望能有註解可以一目了然

This feature is not available.

<!-- gh-comment-id:1018436793 --> @ADD-SP commented on GitHub (Jan 21, 2022): > 沒問題，感謝解答 > > 但今天測試又遇到一個問題，請問我 rule 裡面有辦法新增註解嗎？我寫了註解下 nginx -t 檢查語法都會出錯 > > 尤其是 ip 的部份，加了一堆希望能有註解可以一目了然 This feature is not available.

kerem commented 2026-03-04 12:18:39 +03:00

Author

Owner

Copy link

@stale[bot] commented on GitHub (Jan 28, 2022):

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
此 issue 因为最近没有任何活动已经被标记，如果在此之后的一段时间内仍没有任何活动则会被关闭。感谢您对项目的支持。

<!-- gh-comment-id:1024147647 --> @stale[bot] commented on GitHub (Jan 28, 2022): This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions. 此 issue 因为最近没有任何活动已经被标记，如果在此之后的一段时间内仍没有任何活动则会被关闭。感谢您对项目的支持。

kerem referenced this issue 2026-03-13 16:46:15 +03:00

[GH-ISSUE #61] Many attacks are bypassed and whitelist/blacklist IP #177

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

master

lts

lts-dev

add_sp/refactor-replace-libcurl-with-subreq

current-dev

current

current-dev-backup

v6.1.10

v10.1.2

v6.1.9

v6.1.8

v10.1.1

v10.1.0

v6.1.7

v10.0.1

v10.0.0

v9.0.6

v9.0.5

v6.1.6

v6.1.5

v9.0.4

v9.0.3

v9.0.2

v9.0.1

v9.0.0

v8.0.3

v6.1.4

v8.0.2

v8.0.1

v6.1.3

v8.0.0

v7.1.0

v6.1.2

v7.0.1

v7.0.0

v6.1.1

v6.1.0

v6.0.3

v6.0.2

v6.0.2-beta.1

v6.0.1

v6.0.1-beta.2

v6.0.1-beta.1

v6.0.0

v6.0.0-beta.4

v5.5.1

v6.0.0-beta.2

v6.0.0.beta.3

v6.0.0-beta.1

v5.5.0

v5.4.2

v5.4.2-beta.2

v5.4.2-beta.1

v5.4.1

v5.4.1-beta.1

v5.4.0

v5.4.0-beta.1

v5.3.2

v5.3.1

v5.3.0

v5.3.0-beta.4

v5.3.0-beta.3

v5.3.0-beta.2

v5.3.0-beta.1

v5.2.0

v5.2.0-beta.2

v5.2.0-beta.1

v5.1.1

v5.1.1-beta.1

v5.1.0

v5.0.0

v5.0.0-beta.5

v5.0.0-beta.4

v5.0.0-beta.3

v5.0.0-beta.2

v5.0.0-beta.1

v4.1.0-beta.4

v4.1.0-beta.3

v4.1.0-beta.2

v4.1.0-beta.1

v4.0.0

v4.0.0-beta.2

v3.1.6

v3.2.0-beta.1

v3.1.5

v3.1.4

v3.1.3

v3.1.2

v3.1.1

v3.1.0

v3.1.0-beta-1

v3.0.3-beta-3

v3.0.2

v3.0.3-beta-2

v3.0.3-beta-1

v3.0.2-beta-2

v3.0.2-beta-1

v3.0.1

v3.0.0

v3.0.0-beta-2

v3.0.0-beta-1

v2.1.1

v2.1.0

v2.0.2

v2.0.1

v2.0.1-beta-1

v2.0.0

v2.0.0-beta.1

v1.0.1

v1.0.0

v1.0.0-RC2

v1.0.0-RC1

Labels

Clear labels   

MacOS

  

Nginx

  

OpenResty

  

Tengine

  

bug

  

documentation

  

enhancement

  

needs-investigation

  

pull-request

Mirrored from GitHub Pull Request

  

question

  

stale

  

stale

  

stale

  

timeout

  

wontfix

No labels

MacOS

Nginx

OpenResty

Tengine

bug

documentation

enhancement

needs-investigation

pull-request

question

stale

stale

stale

timeout

wontfix

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

starred/ngx_waf#61

No description provided.