Suricata with NginX in Proxy Mode

nonoti · April 14, 2020, 3:21pm

I’m trying to do the following, and not sure if i’m trying to do the impossible or doing something wrong.

I have nginx listening on port 80, proxying the requests to http://remoteserver/
On the same nginx box, I have suricata with $HOME_NET=“myip, localhost” where myip is the IP of eth0.
$EXTERNAL_NET is set to !$HOME_NET

My problem is Suricata seems to have no visibility of traffic for some reason and the rules never trigger.

If I disable proxying on NginX and just host a little PHP page locally and try some attacks in emerging rules - Suricata works 100% and logs the alerts.

But as soon as NginX is set to act as a proxy to an upstream webserver, Suricata cannot see anything nginx is doing anymore. But it should, since its still getting an HTTP POST/GET its just that NginX is forwarding it after that?

nonoti · April 14, 2020, 5:19pm

Think i may know the issue: If create my own HTTP POST rules they work, so i’m going to check and make sure that the Emerging web rules actually have HTTP POST entries not just HTTP GET request checks.

Andreas_Herz · April 17, 2020, 9:12pm

It also depends on how you run suricata in that case, can you give us more details like how you run it (command line) and the configuration?

Topic		Replies	Views
Suricata with Nginx Reverse Proxy Help	3	1769	July 12, 2022
Suricata with HTTPs traffic Help suricata	1	879	January 5, 2023
Suricata rules & the proxy protocol Help	4	1347	May 31, 2021
Suricata don`t mutch http post request with my rule Help rules	7	708	November 5, 2021
Suricata behind proxy server Help ips	8	4220	June 17, 2024

Suricata with NginX in Proxy Mode

Related topics