ref(router): clean up firewall addition

carmstrong · carmstrong · commit 4c4fa55fba16 · 2014-11-28T16:06:13.000-08:00
diff --git a/docs/customizing_deis/router_settings.rst b/docs/customizing_deis/router_settings.rst
@@ -45,7 +45,7 @@ setting                                      description
 /deis/router/controller/timeout/connect      proxy_connect_timeout for deis-controller (default: 10m)
 /deis/router/controller/timeout/read         proxy_read_timeout for deis-controller (default: 20m)
 /deis/router/controller/timeout/send         proxy_send_timeout for deis-controller (default: 20m)
-/deis/router/firewall/enabled                nginx naxsi firewall (default: false)
+/deis/router/firewall/enabled                nginx naxsi firewall enabled (default: false)
 /deis/router/firewall/errorCode              nginx default firewall error code (default: 400)
 /deis/router/gzip                            nginx gzip setting (default: on)
 /deis/router/gzipCompLevel                   nginx gzipCompLevel setting (default: 5)
diff --git a/router/README.md b/router/README.md
@@ -27,23 +27,20 @@ install, and start **deis/router**.
 
 ## Firewall
 
-Why a firewall in deis-router?
-[Shellshock](https://shellshocker.net) exposed that some apps (mostly CGI based) inside a web server can be exploited like is explained here [Inside Shellshock: How hackers are using it to exploit systems](https://blog.cloudflare.com/inside-shellshock) allowing the arbitrary execution of commands.
+[Shellshock](https://shellshocker.net) exposed that some apps (mostly CGI based) inside a web server can be exploited, allowing the arbitrary execution of commands.
 
-To reduce the contact surface of this attack and others (like sql injection and cross site scripting) is possible to enable the naxsi firewall (disabled by default). [**NAXSI**](https://github.com/nbs-system/naxsi) is an open-source, high performance, low rules maintenance WAF for NGINX.
+To reduce the contact surface of this attack and others (like SQL injection and cross site scripting), it's possible to enable the naxsi firewall (which is disabled by default). [**NAXSI**](https://github.com/nbs-system/naxsi) is an open-source, high performance, low rules maintenance WAF for NGINX.
 The rules included are from this project [doxi-rules](https://bitbucket.org/lazy_dogtown/doxi-rules)
 
-Only this modules are enabled:
+Only these modules are enabled:
 
 |--|--|
 |File| |
 |web_app.rules       |detect exploit/misuse-attempts againts web-applications
-|web_server.rules    |generic rules to protect a webserver from misconfiguration and known mistakes / exploit-vectors 
+|web_server.rules    |generic rules to protect a webserver from misconfiguration and known mistakes / exploit-vectors
 |active-mode.rules   |rules to configure active-mode (block)
 |naxsi_core          |core naxsi rules
 
-
-
 ## License
 
 © 2014 OpDemand LLC
diff --git a/router/parent/firewall/active-mode.rules b/router/parent/firewall/active-mode.rules
@@ -3,8 +3,6 @@ SecRulesEnabled;
 #SecRulesDisabled;
 DeniedUrl "/RequestDenied";
 
-
-
 ## check rules
 CheckRule "$SQL >= 8" BLOCK;
 CheckRule "$RFI >= 8" BLOCK;
diff --git a/router/parent/firewall/naxsi_core.rules b/router/parent/firewall/naxsi_core.rules
@@ -45,10 +45,9 @@ MainRule "str:php://" "msg:php:// scheme" "mz:ARGS|BODY|$HEADERS_VAR:Cookie" "s:
 MainRule "str:ftps://" "msg:ftps:// scheme" "mz:ARGS|BODY|$HEADERS_VAR:Cookie" "s:$RFI:8" id:1104;
 MainRule "str:phps://" "msg:phps:// scheme" "mz:ARGS|BODY|$HEADERS_VAR:Cookie" "s:$RFI:8" id:1105;
 
-
 #######################################
 ## Directory traversal IDs:1200-1299 ##
-#######################################                                          
+#######################################
 MainRule "str:.." "msg:double dot" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$TRAVERSAL:4" id:1200;
 MainRule "str:/etc/passwd" "msg:obvious probe" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$TRAVERSAL:4" id:1202;
 MainRule "str:c:\\" "msg:obvious windows path" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$TRAVERSAL:4" id:1203;
diff --git a/router/templates/nginx.conf b/router/templates/nginx.conf
@@ -34,7 +34,7 @@ http {
     gzip_vary {{ or .deis_router_gzipVary "on" }};
     {{ end }}
 
-    {{ $useFirewall := or .deis_router_firewall_enabled "true" }}{{ if eq $useFirewall "true" }}# include naxsi rules
+    {{ $useFirewall := or .deis_router_firewall_enabled "false" }}{{ if eq $useFirewall "true" }}# include naxsi rules
     include     /opt/nginx/firewall/naxsi_core.rules;
     include     /opt/nginx/firewall/naxsi_core.rules;
     include     /opt/nginx/firewall/web_apps.rules;
@@ -68,7 +68,7 @@ http {
 
         {{ if .deis_controller_host }}
         location / {
-            {{ if eq $useFirewall "true" }}include                     /opt/nginx/firewall/active-mode.rules;{{ end }}            
+            {{ if eq $useFirewall "true" }}include                     /opt/nginx/firewall/active-mode.rules;{{ end }}
             proxy_buffering             off;
             proxy_set_header            Host $host;
             proxy_set_header            X-Forwarded-For $proxy_add_x_forwarded_for;
@@ -87,8 +87,8 @@ http {
 
         {{ if eq $useFirewall "true" }}location /RequestDenied {
             return {{ $firewallErrorCode }};
-        }{{ end }}         
-    }{{ end }}
+        }{{ end }}
+    }
     ## end deis-controller
 
     ## start deis-store-gateway
@@ -106,7 +106,7 @@ http {
 
         {{ if .deis_store_gateway_host }}
         location / {
-            {{ if eq $useFirewall "true" }}include                     /opt/nginx/firewall/active-mode.rules;{{ end }}                    
+            {{ if eq $useFirewall "true" }}include                     /opt/nginx/firewall/active-mode.rules;{{ end }}
             proxy_buffering             off;
             proxy_set_header            Host $host;
             proxy_set_header            X-Forwarded-For $proxy_add_x_forwarded_for;
@@ -140,7 +140,7 @@ http {
 
         {{ if $service.Nodes }}
         location / {
-            {{ if eq $useFirewall "true" }}include                     /opt/nginx/firewall/active-mode.rules;{{ end }}                    
+            {{ if eq $useFirewall "true" }}include                     /opt/nginx/firewall/active-mode.rules;{{ end }}
             proxy_buffering             off;
             proxy_set_header            Host $host;
             {{ if ne $useSSL "false" }}
@@ -161,16 +161,14 @@ http {
 
             proxy_pass                  http://{{ Base $service.Key }};
         }
-
         {{ else }}
         location / {
             return 503;
         }
         {{ end }}
-
         {{ if eq $useFirewall "true" }}location /RequestDenied {
             return {{ $firewallErrorCode }};
-        }{{ end }}         
+        }{{ end }}
     }
     {{ end }}
     ## end service definitions for each application
@@ -207,4 +205,4 @@ tcp {
         proxy_pass builder;
     }
 }{{ end }}
-## end builder
+## end builder
