Naxsi Started acting weird after last update
ampersand-et opened this issue · 1 comments
Just after Christmas I noticed pages being served all weird, and noticed Nginx had an update to 1.21.5 within that same time frame. Pages that were being served had lots of issues; I checked the logs and Naxsi was blocking things that have been fine for a couple of years now. Figuring something had updated on the page side, I started making some new whitelists for the things I was doing that were getting blocked, like I have done in the past. Strangely though, none of the whitelist entries were working; the same things were being blocked regardless of whitelists. Tried moving my whitelist entries to the main rule files, tried re-writing rules more broadly, nothing. Removing the block rules that were being triggered worked for that rule, but then I'd have a new block and would keep needing to delete rules. That was going nowhere, so I had to completely disable Naxsi to get pages back up normally.
Noticing in the Nginx 1.21.5 release notes that it has switched to PCRE2. Also noticed people having errors installing Naxsi on new installs because of PCRE2. Maybe something to do with the regex, --with-pcre-jit? Not sure if that is related, but something seems to have borked Naxsi on that last mainline update with nginx-ee.
Cheers
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 20.04.3 LTS
Release: 20.04
Codename: focal
nginx version: nginx/1.21.5 (VirtuBox Nginx-ee)
built by gcc 9.3.0 (Ubuntu 9.3.0-17ubuntu1~20.04)
built with OpenSSL 1.1.1g 21 Apr 2020
TLS SNI support enabled
configure arguments: --add-module=../naxsi/naxsi_src --with-cc-opt='-m64 -march=native -mtune=native -DTCP_FASTOPEN=23 -g -O3 -fstack-protector-strong -flto -ffat-lto-objects -fuse-ld=gold --param=ssp-buffer-size=4 -Wformat -Werror=format-security -Wimplicit-fallthrough=0 -fcode-hoisting -Wp,-D_FORTIFY_SOURCE=2 -gsplit-dwarf' --with-ld-opt='-lrt -ljemalloc -Wl,-z,relro -Wl,-z,now -fPIC -flto -ffat-lto-objects' --prefix=/usr/share --conf-path=/etc/nginx/nginx.conf --http-log-path=/var/log/nginx/access.log --error-log-path=/var/log/nginx/error.log --lock-path=/var/lock/nginx.lock --pid-path=/var/run/nginx.pid --http-client-body-temp-path=/var/lib/nginx/body --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-proxy-temp-path=/var/lib/nginx/proxy --http-scgi-temp-path=/var/lib/nginx/scgi --http-uwsgi-temp-path=/var/lib/nginx/uwsgi --modules-path=/usr/share/nginx/modules --build='VirtuBox Nginx-ee' --with-file-aio --with-threads --with-http_v2_hpack_enc --with-http_v2_module --with-http_ssl_module --with-pcre-jit --with-http_stub_status_module --with-http_realip_module --with-http_auth_request_module --with-http_addition_module --with-http_gzip_static_module --with-http_gunzip_module --with-http_mp4_module --with-http_sub_module --add-module=../ngx_http_substitutions_filter_module --add-module=../srcache-nginx-module --add-module=../ngx_http_redis --add-module=../redis2-nginx-module --add-module=../memc-nginx-module --add-module=../ngx_devel_kit --add-module=../set-misc-nginx-module --add-module=../ngx_http_auth_pam_module --add-module=../nginx-module-vts --add-module=../ipscrubtmp/ipscrub --add-module=../incubator-pagespeed-ngx-latest-stable --add-module=../echo-nginx-module --add-module=../headers-more-nginx-module --add-module=../ngx_cache_purge --add-module=../ngx_brotli --with-zlib=../zlib-cf --with-openssl-opt='enable-ec_nistp_64_gcc_128 enable-tls1_3 no-ssl3-method -march=native -ljemalloc' --sbin-path=/usr/sbin/nginx
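To check the PCRE2 hypothesis against a particular build, here is a small POSIX shell diagnostic (an added example, not part of naxsi or nginx-ee). It assumes the `nginx -V` output format shown above and that nginx 1.21.5 and later build against PCRE2 unless `--without-pcre2` was passed to configure; the sample input is constructed from the version and flags in this report.

```shell
# Added example: classify which PCRE flavor an nginx build uses and
# whether regex JIT was requested. Not naxsi/nginx-ee code.

# pcre_flavor_from_configure "<nginx -V output>"
# Prints: pcre2-default | pcre1-forced | pre-pcre2 | unknown
pcre_flavor_from_configure() {
    out="$1"
    ver=$(printf '%s\n' "$out" | sed -n 's#^nginx version: nginx/\([0-9.]*\).*#\1#p')
    [ -n "$ver" ] || { echo unknown; return 1; }
    major=${ver%%.*}; rest=${ver#*.}; minor=${rest%%.*}; patch=${rest#*.}
    # --without-pcre2 forces the legacy PCRE1 library even on new versions
    if printf '%s\n' "$out" | grep -q -- '--without-pcre2'; then
        echo pcre1-forced; return 0
    fi
    # 1.21.5 is the first release that defaults to PCRE2
    if [ "$major" -gt 1 ] || { [ "$major" -eq 1 ] && { [ "$minor" -gt 21 ] || \
         { [ "$minor" -eq 21 ] && [ "$patch" -ge 5 ]; }; }; }; then
        echo pcre2-default
    else
        echo pre-pcre2
    fi
}

# has_pcre_jit "<nginx -V output>"  -> exit 0 if --with-pcre-jit is present
has_pcre_jit() {
    printf '%s\n' "$1" | grep -q -- '--with-pcre-jit'
}

# linked_pcre /path/to/nginx -> lists the pcre shared objects actually linked
# (a build can be configured for PCRE2 yet load libpcre2-8 or libpcre at runtime)
linked_pcre() {
    command -v ldd >/dev/null 2>&1 || { echo "ldd not available"; return 1; }
    ldd "$1" 2>/dev/null | grep -i pcre || echo "no pcre shared library linked"
}

# Constructed sample: the version line and two of the configure flags from this report.
SAMPLE='nginx version: nginx/1.21.5 (VirtuBox Nginx-ee)
configure arguments: --add-module=../naxsi/naxsi_src --with-pcre-jit --with-threads'

echo "flavor: $(pcre_flavor_from_configure "$SAMPLE")"
if has_pcre_jit "$SAMPLE"; then echo "pcre-jit: requested"; else echo "pcre-jit: no"; fi
```

On a live host, run `linked_pcre /usr/sbin/nginx` (the `--sbin-path` above) to see which library the binary really loads.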
I rolled nginx back to stable and the issue was still happening. No real option to roll back to a different version of naxsi so I'm assuming it just installs the latest version.
Naxsi seems not to be reading any of my whitelists anymore, but it is reading the rules and enforcing them fine.
Doesn't look like anyone else is complaining about Naxsi having a similar issue, so I'm assuming it is on my end somewhere. Going to keep digging.