Install and Configure Nginx With Naxsi

By the end of this article you will have a production-ready web server that filters every request through the NAXSI WAF compiled into nginx.
  • Versions: nginx 1.8.1 + naxsi 1.5.3 (newer versions work without problems)
  • Tested on CentOS 7 and Ubuntu Trusty
  • Execute all steps as the root account


Get the nginx and naxsi source code, then compile and install from source.


Unpack the tar files

tar -xvzf nginx-1.8.1.tar.gz
tar -xvzf 0.54.tar.gz
tar -xvzf 0.53.tar.gz

Remove any old nginx files and move the naxsi directories into place

rm -rf /usr/local/nginx
mkdir /usr/local/nginx/
mv naxsi-0.54/ /usr/local/naxsi-0.54/
mv naxsi-0.53/nx_util/ /usr/local/naxsi-0.54/nx_util-0.53/

Configure and compile nginx on your Linux system (the build needs the PCRE, zlib and OpenSSL development headers installed)

cd nginx-1.8.1
./configure --conf-path=/usr/local/nginx/conf/nginx.conf \
--add-module=/usr/local/naxsi-0.54/naxsi_src/ \
--error-log-path=/var/log/nginx/error.log \
--http-client-body-temp-path=/usr/local/nginx/body \
--http-fastcgi-temp-path=/usr/local/nginx/fastcgi \
--http-uwsgi-temp-path=/usr/local/nginx/uwsgi \
--http-scgi-temp-path=/usr/local/nginx/scgi \
--http-log-path=/var/log/nginx/access.log \
--http-proxy-temp-path=/usr/local/nginx/proxy \
--lock-path=/var/run/nginx.lock \
--pid-path=/var/run/nginx.pid \
--with-http_ssl_module \
--with-http_addition_module \
--with-http_realip_module \
--with-http_gunzip_module \
--without-mail_pop3_module \
--without-mail_smtp_module \
--without-mail_imap_module \
--without-http_uwsgi_module \
--without-http_scgi_module \
--with-ipv6 \
--sbin-path=/usr/sbin/nginx \
--prefix=/usr/local/nginx
make install


Copy naxsi base rules to nginx conf directory

cp /usr/local/naxsi-0.54/naxsi_config/naxsi_core.rules /usr/local/nginx/conf/

Edit nginx.conf and include the naxsi base rules in the http section

$ vim /usr/local/nginx/conf/nginx.conf
http {
    include /usr/local/nginx/conf/naxsi_core.rules;
    # ... rest of your http block ...
}


Create your custom naxsi rules (quote the heredoc delimiter, otherwise the shell expands $SQL and the other score names to empty strings)

$ cat << 'EOF' > /usr/local/nginx/conf/naxsi_custom.rules
## enable naxsi in this location and start in LearningMode (log only, never block)
SecRulesEnabled;
LearningMode;
DeniedUrl "/RequestDenied";
## check rules
CheckRule "$SQL >= 8" BLOCK;
CheckRule "$RFI >= 8" BLOCK;
CheckRule "$TRAVERSAL >= 4" BLOCK;
CheckRule "$EVADE >= 4" BLOCK;
CheckRule "$XSS >= 8" BLOCK;
EOF

Include your custom rules in every server configuration (the DeniedUrl location must exist in the same server block, otherwise blocked requests have nowhere to land)

$ vim /usr/local/nginx/conf.d/*.conf
server {
    location / {
        include /usr/local/nginx/conf/naxsi_custom.rules;
        # ... your existing location config ...
    }
    location /RequestDenied {
        return 403;
    }
}


Configure the nginx daemon

$ sudo vim /lib/systemd/system/nginx.service
[Unit]
Description=The NGINX HTTP and reverse proxy server
[Service]
Type=forking
ExecStartPre=/usr/sbin/nginx -t
ExecStart=/usr/sbin/nginx
ExecReload=/bin/kill -s HUP $MAINPID
ExecStop=/bin/kill -s QUIT $MAINPID
[Install]
WantedBy=multi-user.target

Start nginx, with naxsi compiled in

$ sudo systemctl daemon-reload
$ sudo systemctl start nginx

After some days in LearningMode, use nx_util to build your custom whitelist from the logged events
PS: I used the 0.53 version, because the setup creates the elasticsearch to execute the
$ cd /usr/local/naxsi-0.54/nx_util-0.53/
$ python setup.py build
$ python setup.py install
$ nx_util.py -l /var/log/nginx/error.log -o >> /usr/local/nginx/conf/naxsi_custom.rules
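The two pieces of logic behind the steps above, scoring a logged request against the CheckRule thresholds from naxsi_custom.rules and turning LearningMode entries into whitelist candidates, as an added Python example (not the article's code and not nx_util itself); the NAXSI_FMT log lines are constructed samples, and the log field names and the wl: match-zone syntax are assumed from naxsi 0.5x.

```python
import re
from urllib.parse import parse_qsl

# CheckRule thresholds from the naxsi_custom.rules written above
CHECK_RULES = {"$SQL": 8, "$RFI": 8, "$TRAVERSAL": 4, "$EVADE": 4, "$XSS": 8}

# Constructed sample of nginx error.log lines as naxsi writes them in LearningMode (assumed format)
SAMPLE_LOG = """\
2016/05/10 12:00:01 [error] 1234#0: *1 NAXSI_FMT: ip=203.0.113.5&server=www.example.com&uri=/search&learning=1&vers=0.54&total_processed=3&total_blocked=1&block=1&cscore0=$SQL&score0=8&zone0=ARGS&id0=1001&var_name0=q&zone1=ARGS&id1=1010&var_name1=q, client: 203.0.113.5, server: www.example.com, request: "GET /search?q=select(1) HTTP/1.1", host: "www.example.com"
2016/05/10 12:00:02 [error] 1234#0: *2 NAXSI_FMT: ip=203.0.113.6&server=www.example.com&uri=/login&learning=1&vers=0.54&total_processed=4&total_blocked=1&block=0&cscore0=$SQL&score0=4&zone0=BODY&id0=1001&var_name0=user, client: 203.0.113.6, server: www.example.com, request: "POST /login HTTP/1.1", host: "www.example.com"
2016/05/10 12:00:03 [notice] 1234#0: signal process started
"""

NAXSI_FMT = re.compile(r"NAXSI_FMT: (?P<body>.*?)(?:, client:|$)")

def parse_naxsi_line(line):
    """Return the NAXSI_FMT fields of one error.log line as a dict, or None for other lines."""
    m = NAXSI_FMT.search(line)
    return dict(parse_qsl(m.group("body"), keep_blank_values=True)) if m else None

def scores(event):
    """Named scores of the request, e.g. {'$SQL': 8}, read from the cscoreN/scoreN pairs."""
    out, i = {}, 0
    while f"cscore{i}" in event:
        out[event[f"cscore{i}"]] = int(event[f"score{i}"])
        i += 1
    return out

def would_block(event, rules=CHECK_RULES):
    """True if any CheckRule threshold is reached: what BLOCK enforces once LearningMode is off."""
    return any(v >= rules.get(name, float("inf")) for name, v in scores(event).items())

def matches(event):
    """Yield (rule id, zone, variable name) for every matched rule in the event."""
    i = 0
    while f"id{i}" in event:
        yield int(event[f"id{i}"]), event[f"zone{i}"], event.get(f"var_name{i}", "")
        i += 1

def whitelist_candidates(lines):
    """One BasicRule wl: line per (rule id, URI, zone, variable) seen; review before appending."""
    seen = set()
    for event in filter(None, map(parse_naxsi_line, lines)):
        for rid, zone, var in matches(event):
            mz = f"${zone}_VAR:{var}" if var else zone  # e.g. $ARGS_VAR:q, or a bare zone like URL
            seen.add(f'BasicRule wl:{rid} "mz:$URL:{event["uri"]}|{mz}";')
    return sorted(seen)

if __name__ == "__main__":
    print("\n".join(whitelist_candidates(SAMPLE_LOG.splitlines())))
```

The second sample line scores $SQL 4 and would not be blocked, yet still yields a candidate; that is exactly why the generated whitelist must be reviewed before it is appended to the rules file.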

Review your configuration file and analyse the generated whitelist so you understand each request and what it needs

Turn off the naxsi LearningMode and reload nginx so requests are actually blocked

sed -i 's/LearningMode/#LearningMode/' /usr/local/nginx/conf/naxsi_custom.rules
nginx -t && systemctl reload nginx

If you have any questions or updates about this procedure, please contact me.

See Ya!