Suricata with NginX in Proxy Mode

nonoti · April 14, 2020, 3:21pm

I’m trying to do the following, and not sure if i’m trying to do the impossible or doing something wrong.

I have nginx listening on port 80, proxying the requests to http://remoteserver/
On the same nginx box, I have suricata with $HOME_NET=“myip, localhost” where myip is the IP of eth0.
$EXTERNAL_NET is set to !$HOME_NET

My problem is Suricata seems to have no visibility of traffic for some reason and the rules never trigger.

If I disable proxying on NginX and just host a little PHP page locally and try some attacks in emerging rules - Suricata works 100% and logs the alerts.

But as soon as NginX is set to act as a proxy to an upstream webserver, Suricata cannot see anything nginx is doing anymore. But it should, since its still getting an HTTP POST/GET its just that NginX is forwarding it after that?

nonoti · April 14, 2020, 5:19pm

Think i may know the issue: If create my own HTTP POST rules they work, so i’m going to check and make sure that the Emerging web rules actually have HTTP POST entries not just HTTP GET request checks.

Andreas_Herz · April 17, 2020, 9:12pm

It also depends on how you run suricata in that case, can you give us more details like how you run it (command line) and the configuration?

Topic		Replies	Views
Suricata with Nginx Reverse Proxy Help	3	1344	July 12, 2022
Suricata with HTTPs traffic Help suricata	1	622	January 5, 2023
Non-functional suricata at some cloud providers Help rules , suricata	22	740	August 3, 2023
Suricata running in AWS Help	2	538	October 5, 2021
$HOME_NET and multiple interfaces, plus deployment best practices Help	3	3584	June 27, 2020

Suricata with NginX in Proxy Mode

Related Topics