I’m trying to do the following, and I’m not sure if I’m trying to do the impossible or doing something wrong.
I have nginx listening on port 80, proxying the requests to http://remoteserver/
On the same nginx box, I have suricata with $HOME_NET=“myip, localhost” where myip is the IP of eth0.
$EXTERNAL_NET is set to !$HOME_NET
My problem is Suricata seems to have no visibility of traffic for some reason and the rules never trigger.
If I disable proxying on NginX and just host a little PHP page locally and try some attacks in emerging rules - Suricata works 100% and logs the alerts.
But as soon as NginX is set to act as a proxy to an upstream webserver, Suricata cannot see anything nginx is doing anymore. But it should, since it’s still getting an HTTP POST/GET; it’s just that NginX is forwarding it after that?
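One thing worth checking when a proxy sits in the middle is which of the two TCP legs a rule header can actually match. With $HOME_NET set to the box's own IP and $EXTERNAL_NET set to !$HOME_NET, the client-to-nginx leg is EXTERNAL -> HOME, but the nginx-to-upstream leg is HOME -> EXTERNAL, so server-side web rules written as `$EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS` only apply to the front leg. The script below is an added example (not from the original post and not Suricata's own code) that models that variable resolution with Python's `ipaddress` module; the addresses in `HOME_NET` and `FLOWS` are constructed placeholders standing in for "myip, localhost", the client and the upstream server.

```python
import ipaddress

# Constructed placeholder for $HOME_NET = "myip, localhost" from the post.
# 203.0.113.10 stands in for the eth0 address of the nginx/Suricata box.
HOME_NET = ["203.0.113.10", "127.0.0.1"]


def in_home_net(ip, home_net=HOME_NET):
    """True if ip falls inside any entry of HOME_NET (hosts or CIDR blocks)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(net, strict=False) for net in home_net)


def classify_flow(src, dst, home_net=HOME_NET):
    """Return the rule-header direction a flow satisfies, given that
    $EXTERNAL_NET is defined as !$HOME_NET (so every address is exactly one)."""
    s_home = in_home_net(src, home_net)
    d_home = in_home_net(dst, home_net)
    if not s_home and d_home:
        return "$EXTERNAL_NET -> $HOME_NET"
    if s_home and not d_home:
        return "$HOME_NET -> $EXTERNAL_NET"
    if s_home and d_home:
        return "$HOME_NET -> $HOME_NET"
    return "$EXTERNAL_NET -> $EXTERNAL_NET"


# Constructed sample flows: the two TCP legs created by one proxied request.
FLOWS = [
    ("198.51.100.7", "203.0.113.10", 80),  # client -> nginx (front leg)
    ("203.0.113.10", "192.0.2.20", 80),    # nginx -> upstream (proxied leg)
]


def report(flows=FLOWS, home_net=HOME_NET):
    """Label each flow with the direction it would match; useful for seeing
    which leg a given rule header can fire on."""
    return [(src, dst, port, classify_flow(src, dst, home_net))
            for src, dst, port in flows]


if __name__ == "__main__":
    for src, dst, port, direction in report():
        print(f"{src} -> {dst}:{port}  matches  {direction}")
```

If alerts fire with the local PHP page but not with proxying enabled, the front leg is still EXTERNAL -> HOME in this model, so the missing alerts point at capture (which interface Suricata is listening on, and whether the client traffic actually crosses it) rather than at the address variables.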