akanealw/caddy-proxy-manager
1
0
Fork 0
Code Issues Pull Requests Actions 3 Packages Projects Releases Wiki Activity
Files
85d3917f08a202bca612bca9086db51a40ea333e
caddy-proxy-manager/docker/rootfs/etc/nginx/conf.d/include/block-exploits.conf

348 lines
7.7 KiB
Plaintext
Raw Blame History

## Block SQL injections
set $block_sql_injections 0;
# Traditional SQL injection patterns
if ($query_string ~ "union.*select.*\(") {
set $block_sql_injections 1;
}
if ($query_string ~ "union.*all.*select.*") {
set $block_sql_injections 1;
}
if ($query_string ~ "concat.*\(") {
set $block_sql_injections 1;
}
# Enhanced SQL injection patterns
if ($query_string ~ "(select|insert|update|delete|drop|create|alter|exec|execute).*[\s\(]") {
set $block_sql_injections 1;
}
if ($query_string ~ "(or|and).*[\s]*[0-9]+[\s]*[=<>]+[\s]*[0-9]+") {
set $block_sql_injections 1;
}
if ($query_string ~ "[\s]*['\"`][\s]*(or|and)[\s]*['\"`][\s]*[=<>]") {
set $block_sql_injections 1;
}
if ($query_string ~ "information_schema|mysql\.user|pg_user|pg_shadow") {
set $block_sql_injections 1;
}
if ($query_string ~ "(sleep|benchmark|waitfor)\s*\(") {
set $block_sql_injections 1;
}
# NoSQL injection patterns (MongoDB, CouchDB, etc.)
if ($query_string ~ "(\$ne|\$gt|\$gte|\$lt|\$lte|\$regex|\$where)") {
set $block_sql_injections 1;
}
if ($query_string ~ "javascript:|constructor|prototype|__proto__") {
set $block_sql_injections 1;
}
if ($block_sql_injections = 1) {
return 403;
}
## Block file injections
set $block_file_injections 0;
# Remote file inclusion
if ($query_string ~ "[a-zA-Z0-9_]=(https?|ftp|ftps|file|data|php|expect|gopher)://") {
set $block_file_injections 1;
}
# Directory traversal - enhanced patterns
if ($query_string ~ "[a-zA-Z0-9_]=(\.\.//?)+") {
set $block_file_injections 1;
}
if ($query_string ~ "[a-zA-Z0-9_]=/([a-z0-9_.]//?)+") {
set $block_file_injections 1;
}
# Additional traversal patterns
if ($query_string ~ "(\.\./)|(\.\.\\\\)|(\.\.%2f)|(\.\.%5c)") {
set $block_file_injections 1;
}
if ($query_string ~ "(\.\.%252f)|(\.\.%255c)|(%2e%2e%2f)|(%2e%2e%5c)") {
set $block_file_injections 1;
}
# Windows system files
if ($query_string ~ "(boot\.ini)|(win\.ini)|(system\.ini)|(\.\.\\\\windows)") {
set $block_file_injections 1;
}
# Unix system files
if ($query_string ~ "(\/etc\/passwd)|(\/etc\/shadow)|(\/etc\/hosts)") {
set $block_file_injections 1;
}
# Null bytes and dangerous encoding attacks
if ($query_string ~ "(%00|%0a%0d|%0d%0a)") {
set $block_file_injections 1;
}
if ($block_file_injections = 1) {
return 403;
}
## Block common exploits
set $block_common_exploits 0;
# XSS protection - enhanced patterns
if ($query_string ~ "(<|%3C).*(script|iframe|object|embed|applet|meta|link|form|input|img).*(\s|%20).*(>|%3E)") {
set $block_common_exploits 1;
}
if ($query_string ~ "(javascript|vbscript|onload|onerror|onclick|onmouseover|onfocus|onblur|onchange|onsubmit):") {
set $block_common_exploits 1;
}
if ($query_string ~ "(<|%3C).*script.*(>|%3E)") {
set $block_common_exploits 1;
}
# Enhanced XSS vectors
if ($query_string ~ "(document\.|window\.|eval\(|setTimeout\(|setInterval\(|function\s*\()") {
set $block_common_exploits 1;
}
if ($query_string ~ "(expression\s*\(|url\s*\(|@import|behaviour:)") {
set $block_common_exploits 1;
}
# PHP globals and superglobals
if ($query_string ~ "GLOBALS(=|\[|\%[0-9A-Z]{0,2})") {
set $block_common_exploits 1;
}
if ($query_string ~ "_REQUEST(=|\[|\%[0-9A-Z]{0,2})") {
set $block_common_exploits 1;
}
if ($query_string ~ "(_GET|_POST|_COOKIE|_SESSION|_FILES|_SERVER|_ENV)(=|\[|\%[0-9A-Z]{0,2})") {
set $block_common_exploits 1;
}
# System information disclosure
if ($query_string ~ "proc/self/environ") {
set $block_common_exploits 1;
}
if ($query_string ~ "mosConfig_[a-zA-Z_]{1,21}(=|\%3D)") {
set $block_common_exploits 1;
}
# Encoding attacks
if ($query_string ~ "base64_(en|de)code\(.*\)") {
set $block_common_exploits 1;
}
# Command injection patterns
if ($query_string ~ "(`|%60|\$\(|%24%28|\|\||%7C%7C|&&|%26%26|;|%3B)") {
set $block_common_exploits 1;
}
if ($query_string ~ "(cat|ls|pwd|id|whoami|uname|nc|netcat|wget|curl|ping)\s") {
set $block_common_exploits 1;
}
# LDAP injection
if ($query_string ~ "(\*\)|\(\||\&\(|\|\()") {
set $block_common_exploits 1;
}
# XML/XXE attacks
if ($query_string ~ "(!DOCTYPE|!ENTITY|SYSTEM|PUBLIC|xmlns)") {
set $block_common_exploits 1;
}
# Server-side template injection
if ($query_string ~ "(\{\{|\}\}|\{%|%\}|\$\{|\}$)") {
set $block_common_exploits 1;
}
if ($block_common_exploits = 1) {
return 403;
}
## Block malicious user agents
set $block_user_agents 0;
# Original user agents
# Disable Akeeba Remote Control 2.5 and earlier
if ($http_user_agent ~ "Indy Library") {
set $block_user_agents 1;
}
# Common bandwidth hoggers and hacking tools
if ($http_user_agent ~ "libwww-perl") {
set $block_user_agents 1;
}
if ($http_user_agent ~ "GetRight") {
set $block_user_agents 1;
}
if ($http_user_agent ~ "GetWeb!") {
set $block_user_agents 1;
}
if ($http_user_agent ~ "Go!Zilla") {
set $block_user_agents 1;
}
if ($http_user_agent ~ "Download Demon") {
set $block_user_agents 1;
}
if ($http_user_agent ~ "Go-Ahead-Got-It") {
set $block_user_agents 1;
}
if ($http_user_agent ~ "TurnitinBot") {
set $block_user_agents 1;
}
if ($http_user_agent ~ "GrabNet") {
set $block_user_agents 1;
}
# Enhanced malicious bots and tools
if ($http_user_agent ~ "(sqlmap|nmap|masscan|zmap|nikto|dirb|dirbuster|gobuster)") {
set $block_user_agents 1;
}
if ($http_user_agent ~ "(havij|pangolin|sqlninja|bbqsql|NoSQLMap|commix)") {
set $block_user_agents 1;
}
if ($http_user_agent ~ "(nessus|openvas|nexpose|metasploit|burpsuite|owasp.zap)") {
set $block_user_agents 1;
}
if ($http_user_agent ~ "(w3af|skipfish|arachni|wpscan|joomscan|cms.scanner)") {
set $block_user_agents 1;
}
if ($http_user_agent ~ "(hydra|brutus|medusa|ncrack|john.ripper|hashcat)") {
set $block_user_agents 1;
}
# Scrapers and harvesters
if ($http_user_agent ~ "(harvest|extract|scrape|spider|crawl|bot).*email") {
set $block_user_agents 1;
}
if ($http_user_agent ~ "(winhttp|urllib|python-requests|curl).*script") {
set $block_user_agents 1;
}
# Suspicious patterns
if ($http_user_agent ~ "^-$|^$|^\.$") {
set $block_user_agents 1;
}
if ($http_user_agent ~ "(<|>|\||&|'|\"|;|\$|\(|\)|`|\{|\})") {
set $block_user_agents 1;
}
# Common attack frameworks
if ($http_user_agent ~ "(exploit|payload|shellcode|backdoor|webshell)") {
set $block_user_agents 1;
}
if ($block_user_agents = 1) {
return 403;
}
## Block suspicious request methods
set $block_methods 0;
if ($request_method ~ "^(TRACE|TRACK|DEBUG|OPTIONS|CONNECT)$") {
set $block_methods 1;
}
if ($block_methods = 1) {
return 405;
}
## Block suspicious headers
set $block_headers 0;
if ($http_x_forwarded_for ~ "(SELECT|INSERT|UPDATE|DELETE|UNION|SCRIPT|IFRAME|OBJECT|EMBED)") {
set $block_headers 1;
}
if ($http_referer ~ "(SELECT|INSERT|UPDATE|DELETE|UNION|<script|javascript:|vbscript:)") {
set $block_headers 1;
}
if ($http_cookie ~ "(SELECT|INSERT|UPDATE|DELETE|UNION|<script|javascript:|vbscript:)") {
set $block_headers 1;
}
# Block requests with suspicious Host headers
if ($host ~ "[\x00-\x20\x7f-\xff]") {
set $block_headers 1;
}
if ($block_headers = 1) {
return 403;
}
## Block excessive request size (basic DoS protection)
set $block_size 0;
if ($content_length ~ "^[0-9]{8,}$") {
set $block_size 1;
}
if ($block_size = 1) {
return 413;
}
## Block requests with too many parameters (potential DoS)
set $block_params 0;
if ($args ~ "^([^&]*&){50,}") {
set $block_params 1;
}
if ($block_params = 1) {
return 403;
}
## Block protocol attacks
set $block_protocol 0;
# HTTP Request Smuggling patterns
if ($http_transfer_encoding ~ "chunked.*chunked") {
set $block_protocol 1;
}
if ($http_content_length ~ "^[0-9]+.*[0-9]+$") {
set $block_protocol 1;
}
# Block requests with null bytes in URI
if ($request_uri ~ "[\x00-\x08\x0b\x0c\x0e-\x1f\x7f]") {
set $block_protocol 1;
}
# Block requests with control characters
if ($request_uri ~ "%00|%0a|%0d|%27|%3c|%3e|%00") {
set $block_protocol 1;
}
if ($block_protocol = 1) {
return 400;
}
Reference in New Issue View Git Blame Copy Permalink