Naxsi not logging real source IP - Behind ELB proxy


leo.g...@gmail.com

Jul 29, 2016, 2:19:11 AM7/29/16
to naxsi-discuss
Hi,

Can someone please help with this one.

I have nginx+naxsi sitting behind an AWS ELB proxy.
The config is attached below:

# Abbreviated excerpt of the poster's config ("..." stands for omitted lines):
# realip is configured at http level, naxsi is enabled only in "location /".
http {
        ...
        # Take the client address from X-Forwarded-For, but only on
        # connections that come from the ELB address given below.
        real_ip_header X-Forwarded-For;
        set_real_ip_from ELB_proxy_IP;
}

server {
        ...
        # Request naxsi's extensive log output for this server.
        set $naxsi_extensive_log 1;
        location / {
                ...
                # naxsi is switched on here (see the full naxsi.rules further down).
                include naxsi.rules;

        }
}

The nginx access log shows the real source IP; however, the naxsi log only shows the ELB proxy IP.

bui

Jul 29, 2016, 4:03:55 AM7/29/16
to naxsi-discuss, leo.g...@gmail.com
Hello,

That is odd, because we don't see this issue with our LB.
Can you provide an example configuration that shows the issue? (naxsi uses request->connection->addr_text, so it relies entirely on what nginx reports.)

leo.g...@gmail.com

Jul 31, 2016, 9:03:50 PM7/31/16
to naxsi-discuss, leo.g...@gmail.com
Thanks, all the configs related are attached below.

Using packages from dotdeb, current version 1.10.1-1~dotdeb+8.2

By the way, I've also added a custom log to verify variables:
--- config ---
log_format custom_log '$remote_addr - $realip_remote_addr - $server_addr';

--- log ---
public_ip - ELB_IP - server_IP

I can confirm that $remote_addr holds the right value. Could naxsi be using another variable?


------ nginx.conf ------
# nginx.conf as posted. The http{} block turns on the realip module so that
# the client address nginx reports comes from X-Forwarded-For on connections
# arriving from the ELB, loads naxsi's core rules, and pulls in the per-site
# configs.
user www-data;
worker_processes auto;
pid /run/nginx.pid;

events {
        #worker_connections 768;
        worker_connections 1024;
        # multi_accept on;
        multi_accept on;
}

http {

        ##
        # Basic Settings
        ##

        sendfile on;
        tcp_nopush on;
        tcp_nodelay on;
        keepalive_timeout 65;
        types_hash_max_size 2048;
        # server_tokens off;
        # (server_tokens is left at its default, so the nginx version is
        # advertised in the Server header and on built-in error pages.)

        # server_names_hash_bucket_size 64;
        # server_name_in_redirect off;

        include /etc/nginx/mime.types;
        default_type application/octet-stream;

        ##
        # SSL Settings
        ##

        # NOTE(review): TLSv1 and TLSv1.1 remain enabled here; keep them only
        # if clients behind the ELB still need them.
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
        ssl_prefer_server_ciphers on;

        ##
        # Logging Settings
        ##

        # Global logs; the site config below overrides both per server.
        access_log /var/log/nginx/access.log;
        error_log /var/log/nginx/error.log;

        ##
        # Gzip Settings
        ##

        #gzip on;
        #gzip_disable "msie6";

        # gzip_vary on;
        # gzip_proxied any;
        # gzip_comp_level 6;
        # gzip_buffers 16 8k;
        # gzip_http_version 1.1;
        # gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
        gzip             on;
        gzip_disable "msie6";
        gzip_comp_level  2;
        gzip_min_length  1000;
        gzip_proxied     expired no-cache no-store private auth;
        gzip_types       text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;

        # Log Real Source IP
        # realip: on connections whose peer is in one of the trusted ranges
        # below, replace the client address (what $remote_addr reports) with
        # the address carried in X-Forwarded-For. real_ip_recursive is not
        # set, so the last (rightmost) address in the header is used. The
        # header is client-supplied and is only honoured because the peer is
        # a listed ELB range, so this list should stay limited to the ELB.
        # The original TCP peer remains available as $realip_remote_addr
        # (the poster's custom log_format shows exactly this split).
        # ELB_IP_Range_A/B/C are placeholders substituted by the poster.
        real_ip_header X-Forwarded-For;
        set_real_ip_from ELB_IP_Range_A;
        set_real_ip_from ELB_IP_Range_B;
        set_real_ip_from ELB_IP_Range_C;

        ##
        # nginx-naxsi config
        ##
        # Uncomment it if you installed nginx-naxsi
        ##

        # naxsi's shared rule set, loaded at http level so the per-location
        # naxsi.rules can build on it (file contents not shown in the thread).
        include /etc/nginx/naxsi_core.rules;

        ##
        # Virtual Host Configs
        ##

        include /etc/nginx/conf.d/*.conf;
        include /etc/nginx/sites-enabled/*;
}

------ site conf ------
# Site config as posted: one HTTPS server that enables naxsi (with extensive
# logging) for "location /" and hands .php URIs to PHP-FPM via php.conf.
server {
        listen 443 ssl http2;        # tried without http2, same issue.
        root "/xxx/xxx";
        server_name www.xxx.com;
        index index.php;

        large_client_header_buffers 4 16k;

        # "ssl" is already given on the listen line above, so this directive
        # is redundant here.
        ssl on;
        ssl_certificate ssl/www.xxx.com;
        ssl_certificate_key ssl/www.xxx.com.key;

        # Per-site access log in the stock "combined" format; this is the
        # "nginx log" the thread says shows the real source IP.
        access_log /var/log/nginx/www.xxx.com.access.log combined;
        error_log /var/log/nginx/www.xxx.com.error.log;

        include php.conf;
        # A 404 is answered with a redirect to this absolute URL.
        error_page 404  https://www.xxx.com;

        # Ask naxsi for its extensive log output (the entries the poster is
        # reading the source IP from).
        set $naxsi_extensive_log 1;

        # naxsi is switched on only in this location (see naxsi.rules).
        # NOTE(review): requests handled by the php.conf location or
        # re-routed by the rewrite below are not covered by this include;
        # confirm naxsi still inspects them.
        location / {
                include naxsi.rules;
                try_files $uri $uri/ @extensionless-php;
        }
        location @extensionless-php {
                rewrite ^(.*)$ $1.php last;
        }
}

------ naxsi.rules ------
# naxsi.rules as posted (included from "location /" in the site config).
# Learning mode: matching requests are logged but not blocked, so the naxsi
# log is the only place its decisions show up.
LearningMode;
# Turn naxsi on for the including location.
SecRulesEnabled;
# Where a blocked request is internally redirected (normally not reached
# while LearningMode is on).
DeniedUrl "/50x.html";

## check rules
# Per-category score thresholds; a request reaching one is marked for BLOCK.
CheckRule "$SQL >= 8" BLOCK;
CheckRule "$RFI >= 8" BLOCK;
CheckRule "$TRAVERSAL >= 4" BLOCK;
CheckRule "$EVADE >= 4" BLOCK;
CheckRule "$XSS >= 8" BLOCK;

# naxsi emits its log lines through nginx's error log, so this directive
# selects the file the thread calls the "naxsi log".
error_log /var/log/nginx/naxsi.log;

# Site-specific whitelist (contents not shown in the thread).
include naxsi_whitelist.rules;

------ naxsi_whitelist.rules ------
white list rules

----- php.conf ------
# php.conf as posted: regex location that forwards any URI containing a
# ".php" segment (optionally followed by path info) to PHP-FPM.
location ~ [^/]\.php(/|$) {
                # Split "/script.php/extra" into $fastcgi_script_name and
                # $fastcgi_path_info.
                fastcgi_split_path_info ^(.+?\.php)(/.*)$;

                fastcgi_pass unix:/var/run/php5-fpm.sock;
                fastcgi_index index.php;
                # Parameter list is the fastcgi_params file shown below.
                include fastcgi_params;
                # NOTE(review): there is no existence check (try_files) in
                # this location; confirm PHP-FPM's path-info handling
                # (cgi.fix_pathinfo) so only real .php scripts are executed.
        }

------ fastcgi_params -------
# fastcgi_params as posted: the CGI environment handed to PHP-FPM, plus
# FastCGI buffer/timeout tuning.
fastcgi_param  QUERY_STRING       $query_string;
fastcgi_param  REQUEST_METHOD     $request_method;
fastcgi_param  CONTENT_TYPE       $content_type;
fastcgi_param  CONTENT_LENGTH     $content_length;

fastcgi_param  SCRIPT_NAME        $fastcgi_script_name;
fastcgi_param  REQUEST_URI        $request_uri;
fastcgi_param  DOCUMENT_URI       $document_uri;
fastcgi_param  DOCUMENT_ROOT      $document_root;
fastcgi_param  SERVER_PROTOCOL    $server_protocol;
# Only sent when the connection is TLS (value "on"), thanks to if_not_empty.
fastcgi_param  HTTPS              $https if_not_empty;

fastcgi_param  GATEWAY_INTERFACE  CGI/1.1;
fastcgi_param  SERVER_SOFTWARE    nginx/$nginx_version;

# After the realip rewrite in nginx.conf this is the X-Forwarded-For
# derived client address, i.e. the $remote_addr the poster verified.
fastcgi_param  REMOTE_ADDR        $remote_addr;
fastcgi_param  REMOTE_PORT        $remote_port;
fastcgi_param  SERVER_ADDR        $server_addr;
fastcgi_param  SERVER_PORT        $server_port;
fastcgi_param  SERVER_NAME        $server_name;

# PHP only, required if PHP was built with --enable-force-cgi-redirect
fastcgi_param  REDIRECT_STATUS    200;

fastcgi_param   SCRIPT_FILENAME         $document_root$fastcgi_script_name;
fastcgi_param PATH_INFO $fastcgi_path_info;
# NOTE(review): SERVER_NAME is set twice in this file ($server_name above,
# $host here). $host derives from the client's Host header, so confirm
# which value PHP actually receives before relying on it.
fastcgi_param SERVER_NAME $host;

fastcgi_connect_timeout 60;
fastcgi_send_timeout 180;
fastcgi_read_timeout 180;
fastcgi_buffer_size 128k;
fastcgi_buffers 4 256k;
fastcgi_busy_buffers_size 256k;
fastcgi_temp_file_write_size 256k;
# Let error_page (e.g. the 404 redirect in the site config) handle error
# statuses returned by PHP instead of passing PHP's body through.
fastcgi_intercept_errors on;