whitelist incorrect rule

Bug #1170585 reported by Pierre Schweitzer on 2013-04-19
This bug affects 2 people
Affects Status Importance Assigned to Milestone
nginx (Ubuntu)

Bug Description


when importing this wl rule into naxsi:
# total_count:2186 (1.37%), peer_count:297 (25.94%) | sql keywords
BasicRule wl:1000 "mz:$URL_VAR:cookie";

nginx can't be restarted anylonger and displays the error:
Restarting nginx: nginx: [emerg] Naxsi-Config : Incorrect line BasicRule wl:1000 (/build/buildd/nginx-1.1.19/debian/modules/naxsi/naxsi_src/naxsi_skeleton.c/329)... in /etc/nginx/mynaxsi.rules:7
nginx: configuration file /etc/nginx/nginx.conf test failed

This rule was generated by nx_util.py.

nginx release in use is the one in Ubuntu 12.04LTS, fully updated.
# nginx -V
nginx version: nginx/1.1.19
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-client-body-temp-path=/var/lib/nginx/body --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-log-path=/var/log/nginx/access.log --http-proxy-temp-path=/var/lib/nginx/proxy --http-scgi-temp-path=/var/lib/nginx/scgi --http-uwsgi-temp-path=/var/lib/nginx/uwsgi --lock-path=/var/lock/nginx.lock --pid-path=/var/run/nginx.pid --with-http_ssl_module --without-mail_pop3_module --without-mail_smtp_module --without-mail_imap_module --without-http_uwsgi_module --without-http_scgi_module --with-ipv6 --add-module=/build/buildd/nginx-1.1.19/debian/modules/nginx-upstream-fair --add-module=/build/buildd/nginx-1.1.19/debian/modules/nginx-cache-purge --add-module=/build/buildd/nginx-1.1.19/debian/modules/naxsi/naxsi_src

This looks similar to: https://code.google.com/p/naxsi/issues/detail?id=30


Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in nginx (Ubuntu):
status: New → Confirmed
Thomas Ward (teward) on 2013-10-02
tags: added: precise
Ove Jobring (ovejo) wrote :

The naxsi version included in nginx-1.1.19 package is naxsi-0.45

Version 0.1 of nx_util was released about a year after naxsi v0.45 and intended to use together with naxsi v 0.50 , the syntax for white-list rules have probably changed slightly between releases.

The package naxsi-ui can be used to parse logfiles and generate white-lists for naxsi version 0.45 , but requires a tad more effort to configure.

Github ref for release:


Perhaps contrib/rules_generator/rules_transformer.py can be used to verify if the generated rule have the correct syntax?

Google code is no longer the home for naxsi development, naxsi can be found at https://github.com/nbs-system/naxsi

I've been successfully using nx_utils.py from here: http://naxsi.googlecode.com/svn/tags/0.50/contrib/nx_util/nx_lib/ with 1.1.19.

Ove Jobring (ovejo) wrote :

I'm just a regular naxsi user like you are and not developer/maintainer ... but here's my take on the issue:

Naxsi version 0.45 is included with nginx-naxsi 1.1.19

You have used nx_util intended for naxsi version 0.50.

Yes, nx_util will run just fine, it will read your error.log and generate white-list rules .... with a syntax that is compatible with naxsi version 0.50

Documentation that covers old versions of naxsi is hard to find.

But it's not unlikely that there are some minor difference between the wl-rule syntax in naxsi v0.45 and v0.50 o.

If you tried to use a white-list tool for naxsi version 0.45 it will be possible to confirm or exclude version differences as source of the error.

Well, now that I use the tool above, I don't have the WL issue anylonger (yeah, I forgot to say it in the first place).

The only issue I could find up to now is WL with vars having '[', ']' in their names. There's an open bug report on their Google code place. And even applying the workaround from there fails. Likely a told old naxsi release.

Thomas Ward (teward) wrote :

I have marked this as invalid against Vivid. In the latest merges, the nginx-naxsi flavor and related packaging was removed as a result of Debian dropping support for the naxsi packaging.

Notes to triagers and people looking to fix the bugs: The nginx-naxsi package in Trusty and Utopic is community maintained. If someone from the community provides a debdiff and/or code that is satisfactory of the Stable Release Update requirements (https://wiki.ubuntu.com/StableReleaseUpdates) then it can be reviewed and considered as an upload/update for this issue.

Changed in nginx (Ubuntu Precise):
status: New → Confirmed
Changed in nginx (Ubuntu):
status: Confirmed → Invalid
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers