
Commit 85d3917

authored
Merge pull request #1 from fuomag9/copilot/fix-8ec03630-c3d1-4216-a4b9-9223ce132442
Enhance block-exploits.conf with focused modern security protections and refined pattern accuracy
2 parents 487fa6d + 2185b82 commit 85d3917

1 file changed

+228
-17
lines changed


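--- a/docker/rootfs/etc/nginx/conf.d/include/block-exploits.conf
+++ b/docker/rootfs/etc/nginx/conf.d/include/block-exploits.conf
@@ -1,6 +1,7 @@
 ## Block SQL injections
 set $block_sql_injections 0;
 
+# Traditional SQL injection patterns
 if ($query_string ~ "union.*select.*\(") {
 set $block_sql_injections 1;
 }
@@ -13,17 +14,49 @@ if ($query_string ~ "concat.*\(") {
 set $block_sql_injections 1;
 }
 
+# Enhanced SQL injection patterns
+if ($query_string ~ "(select|insert|update|delete|drop|create|alter|exec|execute).*[\s\(]") {
+set $block_sql_injections 1;
+}
+
+if ($query_string ~ "(or|and).*[\s]*[0-9]+[\s]*[=<>]+[\s]*[0-9]+") {
+set $block_sql_injections 1;
+}
+
+if ($query_string ~ "[\s]*['\"`][\s]*(or|and)[\s]*['\"`][\s]*[=<>]") {
+set $block_sql_injections 1;
+}
+
+if ($query_string ~ "information_schema|mysql\.user|pg_user|pg_shadow") {
+set $block_sql_injections 1;
+}
+
+if ($query_string ~ "(sleep|benchmark|waitfor)\s*\(") {
+set $block_sql_injections 1;
+}
+
+# NoSQL injection patterns (MongoDB, CouchDB, etc.)
+if ($query_string ~ "(\$ne|\$gt|\$gte|\$lt|\$lte|\$regex|\$where)") {
+set $block_sql_injections 1;
+}
+
+if ($query_string ~ "javascript:|constructor|prototype|__proto__") {
+set $block_sql_injections 1;
+}
+
 if ($block_sql_injections = 1) {
 return 403;
 }
 
 ## Block file injections
 set $block_file_injections 0;
 
-if ($query_string ~ "[a-zA-Z0-9_]=http://") {
+# Remote file inclusion
+if ($query_string ~ "[a-zA-Z0-9_]=(https?|ftp|ftps|file|data|php|expect|gopher)://") {
 set $block_file_injections 1;
 }
 
+# Directory traversal - enhanced patterns
 if ($query_string ~ "[a-zA-Z0-9_]=(\.\.//?)+") {
 set $block_file_injections 1;
 }
@@ -32,17 +65,60 @@ if ($query_string ~ "[a-zA-Z0-9_]=/([a-z0-9_.]//?)+") {
 set $block_file_injections 1;
 }
 
+# Additional traversal patterns
+if ($query_string ~ "(\.\./)|(\.\.\\\\)|(\.\.%2f)|(\.\.%5c)") {
+set $block_file_injections 1;
+}
+
+if ($query_string ~ "(\.\.%252f)|(\.\.%255c)|(%2e%2e%2f)|(%2e%2e%5c)") {
+set $block_file_injections 1;
+}
+
+# Windows system files
+if ($query_string ~ "(boot\.ini)|(win\.ini)|(system\.ini)|(\.\.\\\\windows)") {
+set $block_file_injections 1;
+}
+
+# Unix system files
+if ($query_string ~ "(\/etc\/passwd)|(\/etc\/shadow)|(\/etc\/hosts)") {
+set $block_file_injections 1;
+}
+
+# Null bytes and dangerous encoding attacks
+if ($query_string ~ "(%00|%0a%0d|%0d%0a)") {
+set $block_file_injections 1;
+}
+
 if ($block_file_injections = 1) {
 return 403;
 }
 
 ## Block common exploits
 set $block_common_exploits 0;
 
+# XSS protection - enhanced patterns
+if ($query_string ~ "(<|%3C).*(script|iframe|object|embed|applet|meta|link|form|input|img).*(\s|%20).*(>|%3E)") {
+set $block_common_exploits 1;
+}
+
+if ($query_string ~ "(javascript|vbscript|onload|onerror|onclick|onmouseover|onfocus|onblur|onchange|onsubmit):") {
+set $block_common_exploits 1;
+}
+
 if ($query_string ~ "(<|%3C).*script.*(>|%3E)") {
 set $block_common_exploits 1;
 }
 
+# Enhanced XSS vectors
+if ($query_string ~ "(document\.|window\.|eval\(|setTimeout\(|setInterval\(|function\s*\()") {
+set $block_common_exploits 1;
+}
+
+if ($query_string ~ "(expression\s*\(|url\s*\(|@import|behaviour:)") {
+set $block_common_exploits 1;
+}
+
+# PHP globals and superglobals
 if ($query_string ~ "GLOBALS(=|\[|\%[0-9A-Z]{0,2})") {
 set $block_common_exploits 1;
 }
@@ -51,6 +127,11 @@ if ($query_string ~ "_REQUEST(=|\[|\%[0-9A-Z]{0,2})") {
 set $block_common_exploits 1;
 }
 
+if ($query_string ~ "(_GET|_POST|_COOKIE|_SESSION|_FILES|_SERVER|_ENV)(=|\[|\%[0-9A-Z]{0,2})") {
+set $block_common_exploits 1;
+}
+
+# System information disclosure
 if ($query_string ~ "proc/self/environ") {
 set $block_common_exploits 1;
 }
@@ -59,46 +140,49 @@ if ($query_string ~ "mosConfig_[a-zA-Z_]{1,21}(=|\%3D)") {
 set $block_common_exploits 1;
 }
 
+# Encoding attacks
 if ($query_string ~ "base64_(en|de)code\(.*\)") {
 set $block_common_exploits 1;
 }
 
-if ($block_common_exploits = 1) {
-return 403;
+# Command injection patterns
+if ($query_string ~ "(`|%60|\$\(|%24%28|\|\||%7C%7C|&&|%26%26|;|%3B)") {
+set $block_common_exploits 1;
 }
 
-## Block spam
-set $block_spam 0;
-
-if ($query_string ~ "\b(ultram|unicauca|valium|viagra|vicodin|xanax|ypxaieo)\b") {
-set $block_spam 1;
+if ($query_string ~ "(cat|ls|pwd|id|whoami|uname|nc|netcat|wget|curl|ping)\s") {
+set $block_common_exploits 1;
 }
 
-if ($query_string ~ "\b(erections|hoodia|huronriveracres|impotence|levitra|libido)\b") {
-set $block_spam 1;
+# LDAP injection
+if ($query_string ~ "(\*\)|\(\||\&\(|\|\()") {
+set $block_common_exploits 1;
 }
 
-if ($query_string ~ "\b(ambien|blue\spill|cialis|cocaine|ejaculation|erectile)\b") {
-set $block_spam 1;
+# XML/XXE attacks
+if ($query_string ~ "(!DOCTYPE|!ENTITY|SYSTEM|PUBLIC|xmlns)") {
+set $block_common_exploits 1;
 }
 
-if ($query_string ~ "\b(lipitor|phentermin|pro[sz]ac|sandyauer|tramadol|troyhamby)\b") {
-set $block_spam 1;
+# Server-side template injection
+if ($query_string ~ "(\{\{|\}\}|\{%|%\}|\$\{|\}$)") {
+set $block_common_exploits 1;
 }
 
-if ($block_spam = 1) {
+if ($block_common_exploits = 1) {
 return 403;
 }
 
-## Block user agents
+## Block malicious user agents
 set $block_user_agents 0;
 
+# Original user agents
 # Disable Akeeba Remote Control 2.5 and earlier
 if ($http_user_agent ~ "Indy Library") {
 set $block_user_agents 1;
 }
 
-# Common bandwidth hoggers and hacking tools.
+# Common bandwidth hoggers and hacking tools
 if ($http_user_agent ~ "libwww-perl") {
 set $block_user_agents 1;
 }
@@ -131,6 +215,133 @@ if ($http_user_agent ~ "GrabNet") {
 set $block_user_agents 1;
 }
 
+# Enhanced malicious bots and tools
+if ($http_user_agent ~ "(sqlmap|nmap|masscan|zmap|nikto|dirb|dirbuster|gobuster)") {
+set $block_user_agents 1;
+}
+
+if ($http_user_agent ~ "(havij|pangolin|sqlninja|bbqsql|NoSQLMap|commix)") {
+set $block_user_agents 1;
+}
+
+if ($http_user_agent ~ "(nessus|openvas|nexpose|metasploit|burpsuite|owasp.zap)") {
+set $block_user_agents 1;
+}
+
+if ($http_user_agent ~ "(w3af|skipfish|arachni|wpscan|joomscan|cms.scanner)") {
+set $block_user_agents 1;
+}
+
+if ($http_user_agent ~ "(hydra|brutus|medusa|ncrack|john.ripper|hashcat)") {
+set $block_user_agents 1;
+}
+
+# Scrapers and harvesters
+if ($http_user_agent ~ "(harvest|extract|scrape|spider|crawl|bot).*email") {
+set $block_user_agents 1;
+}
+
+if ($http_user_agent ~ "(winhttp|urllib|python-requests|curl).*script") {
+set $block_user_agents 1;
+}
+
+# Suspicious patterns
+if ($http_user_agent ~ "^-$|^$|^\.$") {
+set $block_user_agents 1;
+}
+
+if ($http_user_agent ~ "(<|>|\||&|'|\"|;|\$|\(|\)|`|\{|\})") {
+set $block_user_agents 1;
+}
+
+# Common attack frameworks
+if ($http_user_agent ~ "(exploit|payload|shellcode|backdoor|webshell)") {
+set $block_user_agents 1;
+}
+
 if ($block_user_agents = 1) {
 return 403;
 }
+
+## Block suspicious request methods
+set $block_methods 0;
+
+if ($request_method ~ "^(TRACE|TRACK|DEBUG|OPTIONS|CONNECT)$") {
+set $block_methods 1;
+}
+
+if ($block_methods = 1) {
+return 405;
+}
+
+## Block suspicious headers
+set $block_headers 0;
+
+if ($http_x_forwarded_for ~ "(SELECT|INSERT|UPDATE|DELETE|UNION|SCRIPT|IFRAME|OBJECT|EMBED)") {
+set $block_headers 1;
+}
+
+if ($http_referer ~ "(SELECT|INSERT|UPDATE|DELETE|UNION|<script|javascript:|vbscript:)") {
+set $block_headers 1;
+}
+
+if ($http_cookie ~ "(SELECT|INSERT|UPDATE|DELETE|UNION|<script|javascript:|vbscript:)") {
+set $block_headers 1;
+}
+
+# Block requests with suspicious Host headers
+if ($host ~ "[\x00-\x20\x7f-\xff]") {
+set $block_headers 1;
+}
+
+if ($block_headers = 1) {
+return 403;
+}
+
+## Block excessive request size (basic DoS protection)
+set $block_size 0;
+
+if ($content_length ~ "^[0-9]{8,}$") {
+set $block_size 1;
+}
+
+if ($block_size = 1) {
+return 413;
+}
+
+## Block requests with too many parameters (potential DoS)
+set $block_params 0;
+
+if ($args ~ "^([^&]*&){50,}") {
+set $block_params 1;
+}
+
+if ($block_params = 1) {
+return 403;
+}
+
+## Block protocol attacks
+set $block_protocol 0;
+
+# HTTP Request Smuggling patterns
+if ($http_transfer_encoding ~ "chunked.*chunked") {
+set $block_protocol 1;
+}
+
+if ($http_content_length ~ "^[0-9]+.*[0-9]+$") {
+set $block_protocol 1;
+}
+
+# Block requests with null bytes in URI
+if ($request_uri ~ "[\x00-\x08\x0b\x0c\x0e-\x1f\x7f]") {
+set $block_protocol 1;
+}
+
+# Block requests with control characters
+if ($request_uri ~ "%00|%0a|%0d|%27|%3c|%3e|%00") {
+set $block_protocol 1;
+}
+
+if ($block_protocol = 1) {
+return 400;
+}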
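Review bot: The character-class filter on `$http_user_agent` at new line 253 returns 403 to essentially every browser, because ordinary agent strings such as `Mozilla/5.0 (Windows NT 10.0; Win64; x64)` contain parentheses and semicolons; at minimum drop `;`, `\(` and `\)` from that alternation, and since shell metacharacters in a UA string have no effect on nginx itself the whole block can reasonably be removed. The smuggling check at line 331, `if ($http_content_length ~ "^[0-9]+.*[0-9]+$")`, matches any Content-Length of two or more digits because `.*` may be empty, so every request with a body of ten or more bytes is answered 400; nginx already rejects duplicate and non-numeric Content-Length headers with 400 on its own, so this block should go. Listing OPTIONS at line 269 breaks CORS preflight for any proxied API, the `%27` alternative at line 341 rejects any URI carrying an encoded apostrophe, and the eight-digit `$content_length` ceiling at line 304 duplicates `client_max_body_size` with a hard-coded ~10 MB limit, so all three should be dropped or made opt-in. The same false-positive exposure applies in the earlier hunk to the bare `;`/`%3B` alternative at line 149 and the trailing `\}$` at line 168, which reject ordinary query strings containing semicolons or JSON values.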
