Install and Configure Nginx With Naxsi

By the end of this article you will have a production-ready web server in which every request is filtered by the NAXSI WAF compiled into nginx.
  • Versions: nginx 1.8.1 + naxsi 0.54 (nx_util taken from the naxsi 0.53 release). Newer versions should work with the same steps.
  • Tested on CentOS 7 and Ubuntu Trusty
  • Execute all steps as root

Installation

Get the nginx and naxsi source code, then compile and install nginx from source with the naxsi module linked in.

wget http://nginx.org/download/nginx-1.8.1.tar.gz
wget https://github.com/nbs-system/naxsi/archive/0.54.tar.gz
wget https://github.com/nbs-system/naxsi/archive/0.53.tar.gz

Unpack the tar files

tar -xvzf nginx-1.8.1.tar.gz
tar -xvzf 0.54.tar.gz
tar -xvzf 0.53.tar.gz

Remove any previous nginx installation under /usr/local and move the naxsi sources into place (nx_util comes from the 0.53 release)

rm -rf /usr/local/nginx
mkdir /usr/local/nginx/
mv naxsi-0.54/ /usr/local/naxsi-0.54/
mv naxsi-0.53/nx_util/ /usr/local/naxsi-0.54/nx_util-0.53/

Configure and compile nginx with the naxsi module. You need gcc, make and the PCRE, zlib and OpenSSL development headers installed first.

cd nginx-1.8.1
./configure --conf-path=/usr/local/nginx/conf/nginx.conf \
--add-module=/usr/local/naxsi-0.54/naxsi_src/ \
--error-log-path=/var/log/nginx/error.log \
--http-client-body-temp-path=/usr/local/nginx/body \
--http-fastcgi-temp-path=/usr/local/nginx/fastcgi \
--http-uwsgi-temp-path=/usr/local/nginx/uwsgi \
--http-scgi-temp-path=/usr/local/nginx/scgi \
--http-log-path=/var/log/nginx/access.log \
--http-proxy-temp-path=/usr/local/nginx/proxy \
--lock-path=/var/run/nginx.lock \
--pid-path=/var/run/nginx.pid \
--with-http_ssl_module \
--with-http_addition_module \
--with-http_realip_module \
--with-http_gunzip_module \
--without-mail_pop3_module \
--without-mail_smtp_module \
--without-mail_imap_module \
--without-http_uwsgi_module \
--without-http_scgi_module \
--with-ipv6 \
--sbin-path=/usr/sbin/nginx \
--prefix=/usr/local/nginx
make
make install

Afterwards, nginx -V should list the naxsi module among the configure arguments; if it does not, the build did not pick up --add-module.

Configuration

Copy naxsi base rules to nginx conf directory

cp /usr/local/naxsi-0.54/naxsi_config/naxsi_core.rules /usr/local/nginx/conf/

Edit nginx.conf and include the naxsi core rules in the http section (they are loaded once, at http level, never inside a server or location block)

vim /usr/local/nginx/conf/nginx.conf
http {

include /usr/local/nginx/conf/naxsi_core.rules;

}

Create your custom naxsi rules. Quote the heredoc delimiter ('EOF'), otherwise the shell expands $SQL, $RFI and the other score names to empty strings and the CheckRule lines end up broken.

cat << 'EOF' > /usr/local/nginx/conf/naxsi_custom.rules
LearningMode;
SecRulesEnabled;
DeniedUrl "/RequestDenied";
## check rules
CheckRule "$SQL >= 8" BLOCK;
CheckRule "$RFI >= 8" BLOCK;
CheckRule "$TRAVERSAL >= 4" BLOCK;
CheckRule "$EVADE >= 4" BLOCK;
CheckRule "$XSS >= 8" BLOCK;
EOF

Include your custom rules in every server block you want filtered (for example in the per-site files under /usr/local/nginx/conf.d/, if your nginx.conf includes that directory). The DeniedUrl "/RequestDenied" set above must also exist as a location in the same server block, otherwise blocked requests fail with a 404 instead of being handled there.

vim /usr/local/nginx/conf.d/*.conf
server {

    location / {
        include /usr/local/nginx/conf/naxsi_custom.rules;
    }

}
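The pieces above fit together as follows. This is an added example of a complete minimal nginx.conf, not a file from the article or the NAXSI project; it uses the article's /usr/local/nginx paths, while the server name and the upstream at 127.0.0.1:8080 are assumptions for illustration.

```nginx
# Added example: minimal nginx.conf wiring NAXSI in. Paths follow --prefix=/usr/local/nginx;
# example.com and the 127.0.0.1:8080 upstream are placeholders, not from the article.
worker_processes 1;

events {
    worker_connections 1024;
}

http {
    include       mime.types;
    default_type  application/octet-stream;

    # Core signatures are loaded exactly once, at http level.
    include /usr/local/nginx/conf/naxsi_core.rules;

    server {
        listen 80;
        server_name example.com;

        location / {
            # LearningMode / SecRulesEnabled / DeniedUrl / CheckRule plus any
            # BasicRule whitelists appended later by nx_util.
            include /usr/local/nginx/conf/naxsi_custom.rules;

            proxy_pass http://127.0.0.1:8080;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
        }

        # Target of DeniedUrl: NAXSI internally redirects blocked requests here.
        # "internal" keeps clients from requesting the path directly; 418 is the
        # conventional NAXSI choice and makes denials easy to grep in access.log.
        location /RequestDenied {
            internal;
            return 418;
        }
    }
}
```

Test the file with nginx -t before starting the daemon; a missing /RequestDenied location is not a syntax error and will only show up as 404s once requests are blocked.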

Configure the nginx daemon. The unit below is for systemd; PIDFile=/run/nginx.pid matches the --pid-path=/var/run/nginx.pid given to configure because /var/run is a symlink to /run on systemd hosts.

vim /lib/systemd/system/nginx.service
[Unit]
Description=The NGINX HTTP and reverse proxy server
After=syslog.target network.target remote-fs.target nss-lookup.target

[Service]
Type=forking
PIDFile=/run/nginx.pid
ExecStartPre=/usr/sbin/nginx -t
ExecStart=/usr/sbin/nginx
ExecReload=/bin/kill -s HUP $MAINPID
ExecStop=/bin/kill -s QUIT $MAINPID
PrivateTmp=true

[Install]
WantedBy=multi-user.target

Start nginx, with naxsi compiled in. (Ubuntu Trusty still uses upstart rather than systemd, so there you need an upstart job instead of the unit above.)

systemctl daemon-reload
systemctl start nginx

After some days in LearningMode, use nx_util to build your whitelist from the NAXSI entries in the error log. The nx_util from the 0.53 release is used here because the 0.54 release replaced it with a tool that needs an Elasticsearch backend. Its -o option prints whitelist rules, which are appended to the custom rules file:

cd /usr/local/naxsi-0.54/nx_util-0.53/
python setup.py build
python setup.py install
python nx_util.py -l /var/log/nginx/error.log -o >> /usr/local/nginx/conf/naxsi_custom.rules

Review the generated whitelist before you trust it: each BasicRule disables one signature for a specific URL and variable, and learning-mode logs contain real attack attempts as well as false positives, so understand which requests every rule allows.
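To make the review step concrete, here is an added example (my own code, not part of the article or of the NAXSI project) that does a minimal version of what nx_util -o does: it parses the NAXSI_FMT entries NAXSI writes to error.log and turns each matched rule into a BasicRule whitelist scoped to the URL and variable that triggered it. The log lines are constructed for the example; the function names parse_naxsi_line, whitelist_rule and generate_whitelist are my own. The third line is an injection attempt against /login: with the default threshold it is whitelisted just like the harmless apostrophe in /search, which is exactly why the generated list has to be read before it is appended.

```python
"""Generate NAXSI BasicRule whitelist candidates from NAXSI_FMT lines in nginx's error.log.

Added example, not NAXSI or nx_util code. The LOG_LINES below are constructed.
"""
import re
from collections import Counter

# NAXSI_FMT is a &-separated key=value string; nginx appends ", client: ..." after it.
NAXSI_FMT_RE = re.compile(r"NAXSI_FMT: (?P<fmt>.*?), client: ")
# Matched signatures are numbered triples: zone0/id0/var_name0, zone1/id1/var_name1, ...
MATCH_KEY_RE = re.compile(r"^(zone|id|var_name)(\d+)$")

# Constructed sample log: two users typing an apostrophe into /search (core rule 1013),
# one SQL injection attempt in the /login POST body, and one unrelated nginx line.
LOG_LINES = """\
2016/05/10 10:00:01 [error] 1234#0: *7 NAXSI_FMT: ip=203.0.113.5&server=example.com&uri=/search&learning=1&vers=0.54&total_processed=12&total_blocked=1&block=1&cscore0=$SQL&score0=4&cscore1=$XSS&score1=8&zone0=ARGS&id0=1013&var_name0=q, client: 203.0.113.5, server: example.com, request: "GET /search?q=o'neil HTTP/1.1", host: "example.com"
2016/05/10 10:00:02 [error] 1234#0: *8 NAXSI_FMT: ip=203.0.113.6&server=example.com&uri=/search&learning=1&vers=0.54&total_processed=13&total_blocked=2&block=1&cscore0=$SQL&score0=4&cscore1=$XSS&score1=8&zone0=ARGS&id0=1013&var_name0=q, client: 203.0.113.6, server: example.com, request: "GET /search?q=d'angelo HTTP/1.1", host: "example.com"
2016/05/10 10:00:03 [error] 1234#0: *9 NAXSI_FMT: ip=198.51.100.9&server=example.com&uri=/login&learning=1&vers=0.54&total_processed=14&total_blocked=3&block=1&cscore0=$SQL&score0=14&cscore1=$XSS&score1=12&zone0=BODY&id0=1013&var_name0=user&zone1=BODY&id1=1000&var_name1=user&zone2=BODY&id2=1009&var_name2=user&zone3=BODY&id3=1007&var_name3=user, client: 198.51.100.9, server: example.com, request: "POST /login HTTP/1.1", host: "example.com"
2016/05/10 10:00:04 [notice] 1234#0: signal process started
"""


def parse_naxsi_line(line):
    """Return {'uri', 'learning', 'matches': [(rule_id, zone, var_name), ...]} or None."""
    m = NAXSI_FMT_RE.search(line)
    if not m:
        return None
    fields = {}
    for pair in m.group("fmt").split("&"):
        key, _, value = pair.partition("=")
        fields[key] = value
    by_index = {}
    for key, value in fields.items():
        km = MATCH_KEY_RE.match(key)
        if km:
            by_index.setdefault(int(km.group(2)), {})[km.group(1)] = value
    matches = [
        (int(entry["id"]), entry["zone"], entry.get("var_name", ""))  # URL zone has no var_name
        for _, entry in sorted(by_index.items())
        if "id" in entry and "zone" in entry
    ]
    return {"uri": fields.get("uri", ""),
            "learning": fields.get("learning") == "1",
            "matches": matches}


def whitelist_rule(rule_id, uri, zone, var_name):
    """Build a BasicRule that disables rule_id only for this URL and the exact variable that matched."""
    base_zone, _, name_flag = zone.partition("|")  # "ARGS|NAME" when the match was in the parameter name
    if base_zone == "URL" or not var_name:
        mz = f"$URL:{uri}|{base_zone}"
    else:
        mz = f"$URL:{uri}|${base_zone}_VAR:{var_name}"
    if name_flag:
        mz += f"|{name_flag}"
    return f'BasicRule wl:{rule_id} "mz:{mz}";'


def generate_whitelist(lines, min_hits=1):
    """Deduplicate candidate whitelists and keep those seen at least min_hits times."""
    hits = Counter()
    for line in lines:
        parsed = parse_naxsi_line(line)
        if not parsed:
            continue
        for rule_id, zone, var_name in parsed["matches"]:
            hits[whitelist_rule(rule_id, parsed["uri"], zone, var_name)] += 1
    return sorted(rule for rule, n in hits.items() if n >= min_hits)


if __name__ == "__main__":
    for rule in generate_whitelist(LOG_LINES.splitlines()):
        print(rule)
```

Raising min_hits filters out one-off events, but the single-line injection attempt only disappears because it happened once; a repeated attack would survive the threshold, so the cut-off is a triage aid, not a substitute for reading the rules.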

Turn off the naxsi LearningMode in the custom rules file created above (naxsi_custom.rules), then run nginx -t and reload nginx so the change takes effect

sed -i 's/^LearningMode;/#LearningMode;/' /usr/local/nginx/conf/naxsi_custom.rules

If you have any questions or updates about this procedure, please contact me.

See Ya!