Install and Configure Nginx With Naxsi

By the end of this article your web server will be ready for production, with every request filtered by the NAXSI WAF compiled into nginx.
  • Versions: nginx 1.8.1 + naxsi 1.5.3 (newer versions work without problems)
  • Tested on CentOS 7 and Ubuntu Trusty
  • Execute all steps as root

Installation

Get the nginx and naxsi source code, then compile and install nginx from source with naxsi added as a module.

wget http://nginx.org/download/nginx-1.8.1.tar.gz
wget https://github.com/nbs-system/naxsi/archive/0.54.tar.gz
wget https://github.com/nbs-system/naxsi/archive/0.53.tar.gz

Unpack the tar files

tar -xvzf nginx-1.8.1.tar.gz
tar -xvzf 0.54.tar.gz
tar -xvzf 0.53.tar.gz

Remove any old nginx files and move the naxsi directories into place

rm -rf /usr/local/nginx
mkdir /usr/local/nginx/
mv naxsi-0.54/ /usr/local/naxsi-0.54/
mv naxsi-0.53/nx_util/ /usr/local/naxsi-0.54/nx_util-0.53/

Configure and compile nginx with the naxsi module added

cd nginx-1.8.1
./configure --conf-path=/usr/local/nginx/conf/nginx.conf \
--add-module=/usr/local/naxsi-0.54/naxsi_src/ \
--error-log-path=/var/log/nginx/error.log \
--http-client-body-temp-path=/usr/local/nginx/body \
--http-fastcgi-temp-path=/usr/local/nginx/fastcgi \
--http-uwsgi-temp-path=/usr/local/nginx/uwsgi \
--http-scgi-temp-path=/usr/local/nginx/scgi \
--http-log-path=/var/log/nginx/access.log \
--http-proxy-temp-path=/usr/local/nginx/proxy \
--lock-path=/var/run/nginx.lock \
--pid-path=/var/run/nginx.pid \
--with-http_ssl_module \
--with-http_addition_module \
--with-http_realip_module \
--with-http_gunzip_module \
--without-mail_pop3_module \
--without-mail_smtp_module \
--without-mail_imap_module \
--without-http_uwsgi_module \
--without-http_scgi_module \
--with-ipv6 \
--sbin-path=/usr/sbin/nginx \
--prefix=/usr/local/nginx
make
make install

Configuration

Copy naxsi base rules to nginx conf directory

cp /usr/local/naxsi-0.54/naxsi_config/naxsi_core.rules /usr/local/nginx/conf/

Edit nginx.conf and include the naxsi base rules in the http section

$ vim /usr/local/nginx/conf/nginx.conf
http {

include /usr/local/nginx/conf/naxsi_core.rules;

}

Create your custom naxsi rules (the heredoc delimiter is quoted so the shell does not expand the $SQL, $RFI, $TRAVERSAL, $EVADE and $XSS score names to empty strings)

$ touch /usr/local/nginx/conf/naxsi_custom.rules
$ cat << 'EOF' >/usr/local/nginx/conf/naxsi_custom.rules
LearningMode;
SecRulesEnabled;
DeniedUrl "/RequestDenied";
## check rules
CheckRule "$SQL >= 8" BLOCK;
CheckRule "$RFI >= 8" BLOCK;
CheckRule "$TRAVERSAL >= 4" BLOCK;
CheckRule "$EVADE >= 4" BLOCK;
CheckRule "$XSS >= 8" BLOCK;
EOF

Include your custom rules in every server configuration

$ vim /usr/local/nginx/conf.d/*.conf
server {

location / {
include /usr/local/nginx/conf/naxsi_custom.rules;

}

}

Configure the nginx daemon as a systemd service

$ sudo vim /lib/systemd/system/nginx.service
[Unit]
Description=The NGINX HTTP and reverse proxy server
After=syslog.target network.target remote-fs.target nss-lookup.target
[Service]
Type=forking
PIDFile=/run/nginx.pid
ExecStartPre=/usr/sbin/nginx -t
ExecStart=/usr/sbin/nginx
ExecReload=/bin/kill -s HUP $MAINPID
ExecStop=/bin/kill -s QUIT $MAINPID
PrivateTmp=true
[Install]
WantedBy=multi-user.target

Start nginx, now with naxsi compiled in

$ sudo systemctl daemon-reload
$ sudo service nginx start

After some days in LearningMode, use nx_util to generate your custom whitelist from the NAXSI events in the error log.

PS: I used the 0.53 version, because its setup creates the elasticsearch that nx_util.py needs to run.

$ cd /usr/local/naxsi-0.54/nx_util-0.53/
$ python setup.py build
$ python setup.py install
$ python nx_util.py -l /var/log/nginx/error.log -o >> /usr/local/nginx/conf/naxsi_custom.rules

Review the configuration file and analyse the generated whitelist to understand which requests triggered each rule and whether each whitelist entry is really needed.
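As an added example (not part of the original article and not nx_util's own code), the following Python script does the core of the whitelist step above: it parses the NAXSI_FMT entries that naxsi writes to the nginx error log, counts hits per rule id, zone, variable and URI, and prints BasicRule whitelist candidates for review. The log lines are constructed samples; the key names (uri, idN, zoneN, var_nameN) follow the NAXSI_FMT layout.

```python
import re
from collections import Counter
from urllib.parse import parse_qs

# Constructed sample lines in the NAXSI_FMT layout naxsi writes to error.log (not real traffic).
SAMPLE_LOG = """\
2016/03/01 10:00:01 [error] 1234#0: *5 NAXSI_FMT: ip=192.0.2.10&server=example.com&uri=/search.php&learning=1&vers=0.54&total_processed=12&total_blocked=3&block=1&cscore0=$SQL&score0=8&zone0=ARGS&id0=1001&var_name0=q, client: 192.0.2.10, server: example.com, request: "GET /search.php?q=select HTTP/1.1", host: "example.com"
2016/03/01 10:00:02 [error] 1234#0: *6 NAXSI_FMT: ip=192.0.2.11&server=example.com&uri=/search.php&learning=1&vers=0.54&total_processed=13&total_blocked=4&block=1&cscore0=$SQL&score0=8&zone0=ARGS&id0=1001&var_name0=q, client: 192.0.2.11, server: example.com, request: "GET /search.php?q=select HTTP/1.1", host: "example.com"
2016/03/01 10:00:03 [error] 1234#0: *7 NAXSI_FMT: ip=192.0.2.12&server=example.com&uri=/post.php&learning=1&vers=0.54&total_processed=14&total_blocked=5&block=1&cscore0=$XSS&score0=8&zone0=BODY&id0=1302&var_name0=comment&zone1=BODY&id1=1303&var_name1=comment, client: 192.0.2.12, server: example.com, request: "POST /post.php HTTP/1.1", host: "example.com"
2016/03/01 10:00:04 [error] 1234#0: *8 open() "/usr/local/nginx/html/x" failed (2: No such file or directory)
"""

# The key=value block sits between "NAXSI_FMT: " and the ", client:" suffix nginx appends.
NAXSI_FMT = re.compile(r"NAXSI_FMT: (?P<qs>[^\s,]+)")

# Zones whose whitelist can be narrowed to a single named variable.
VAR_ZONES = ("ARGS", "BODY", "HEADERS")


def parse_events(log_text):
    """Yield one (rule_id, zone, var_name, uri) tuple per matched rule in every NAXSI_FMT line."""
    for line in log_text.splitlines():
        m = NAXSI_FMT.search(line)
        if not m:
            continue  # ordinary nginx error lines carry no naxsi event
        f = {k: v[0] for k, v in parse_qs(m.group("qs")).items()}
        i = 0
        while f"id{i}" in f:  # one event line can carry several idN/zoneN/var_nameN triples
            yield (f[f"id{i}"], f[f"zone{i}"], f.get(f"var_name{i}", ""), f.get("uri", "/"))
            i += 1


def whitelist_candidates(log_text, min_hits=1):
    """Return (hit_count, BasicRule line) pairs, most frequent first, for rules seen at least min_hits times."""
    out = []
    for (rid, zone, var, uri), n in Counter(parse_events(log_text)).items():
        if n < min_hits:
            continue
        mz = f"${zone}_VAR:{var}" if var and zone in VAR_ZONES else zone
        out.append((n, f'BasicRule wl:{rid} "mz:$URL:{uri}|{mz}";'))
    return sorted(out, reverse=True)


if __name__ == "__main__":
    for hits, rule in whitelist_candidates(SAMPLE_LOG):
        print(f"# {hits} hit(s)\n{rule}")
```

A candidate bound to one URL and one variable is the narrowest whitelist form; append to naxsi_custom.rules only the lines whose cause you have understood, since every whitelist disables that rule for that spot.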

Turn off the naxsi LearningMode in your custom rules file

sed -i 's/LearningMode/#LearningMode/' /usr/local/nginx/conf/naxsi_custom.rules

If you have some question or update about this procedure, please contact me.

See Ya!