Install and Configure Nginx With Naxsi

With this article, you will have your web server ready for production, filtering all requests with the NAXSI WAF compiled into nginx.
- Versions: nginx 1.8.1 + naxsi 1.5.3 (You can use newer versions without problem)
- Tested on CentOS 7 and Ubuntu Trusty
- Execute all steps as the root account
Installation
Get the nginx and naxsi source code, then compile and install from source.
wget http://nginx.org/download/nginx-1.8.1.tar.gz
wget https://github.com/nbs-system/naxsi/archive/0.54.tar.gz
wget https://github.com/nbs-system/naxsi/archive/0.53.tar.gz

Unpack the tar files
tar -xvzf nginx-1.8.1.tar.gz
tar -xvzf 0.54.tar.gz
tar -xvzf 0.53.tar.gz

Remove old nginx files and move the naxsi directory
rm -rf /usr/local/nginx
mkdir /usr/local/nginx/
mv naxsi-0.54/ /usr/local/naxsi-0.54/
mv naxsi-0.53/nx_util/ /usr/local/naxsi-0.54/nx_util-0.53/
Configure and compile nginx for your Linux system
cd nginx-1.8.1
./configure --conf-path=/usr/local/nginx/conf/nginx.conf \
--add-module=/usr/local/naxsi-0.54/naxsi_src/ \
--error-log-path=/var/log/nginx/error.log \
--http-client-body-temp-path=/usr/local/nginx/body \
--http-fastcgi-temp-path=/usr/local/nginx/fastcgi \
--http-uwsgi-temp-path=/usr/local/nginx/uwsgi \
--http-scgi-temp-path=/usr/local/nginx/scgi \
--http-log-path=/var/log/nginx/access.log \
--http-proxy-temp-path=/usr/local/nginx/proxy \
--lock-path=/var/run/nginx.lock \
--pid-path=/var/run/nginx.pid \
--with-http_ssl_module \
--with-http_addition_module \
--with-http_realip_module \
--with-http_gunzip_module \
--without-mail_pop3_module \
--without-mail_smtp_module \
--without-mail_imap_module \
--without-http_uwsgi_module \
--without-http_scgi_module \
--with-ipv6 \
--sbin-path=/usr/sbin/nginx \
--prefix=/usr/local/nginx
make
make install

Configuration
Copy naxsi base rules to nginx conf directory
cp /usr/local/naxsi-0.54/naxsi_config/naxsi_core.rules /usr/local/nginx/conf/

Edit nginx.conf and include the naxsi base rules in the http section
$ vim /usr/local/nginx/conf/nginx.conf

http {
…
include /usr/local/nginx/conf/naxsi_core.rules;
…
}
Create your custom naxsi rules
$ touch /usr/local/nginx/conf/naxsi_custom.rules
# quote the heredoc delimiter so the shell leaves $SQL, $RFI, $XSS... unexpanded
$ cat << 'EOF' > /usr/local/nginx/conf/naxsi_custom.rules
LearningMode;
SecRulesEnabled;
DeniedUrl "/RequestDenied";
## check rules
CheckRule "$SQL >= 8" BLOCK;
CheckRule "$RFI >= 8" BLOCK;
CheckRule "$TRAVERSAL >= 4" BLOCK;
CheckRule "$EVADE >= 4" BLOCK;
CheckRule "$XSS >= 8" BLOCK;
EOF
Include your custom rules in every server configuration
$ vim /usr/local/nginx/conf.d/*.conf

server {
…
location / {
include /usr/local/nginx/conf/naxsi_custom.rules;
…
}
}

Configure the nginx daemon
$ sudo vim /lib/systemd/system/nginx.service

[Unit]
Description=The NGINX HTTP and reverse proxy server
After=syslog.target network.target remote-fs.target nss-lookup.target

[Service]
Type=forking
PIDFile=/run/nginx.pid
ExecStartPre=/usr/sbin/nginx -t
ExecStart=/usr/sbin/nginx
ExecReload=/bin/kill -s HUP $MAINPID
ExecStop=/bin/kill -s QUIT $MAINPID
PrivateTmp=true

[Install]
WantedBy=multi-user.target
Start nginx, now with naxsi compiled in
$ sudo systemctl daemon-reload
$ sudo service nginx start

After some days in LearningMode, configure nx_util to create your custom whitelist
PS: I used the 0.53 version, because the setup creates the elasticsearch to execute nx_util.py.
$ cd /usr/local/naxsi-0.54/nx_util-0.53/
$ python setup.py build
$ python setup.py install
$ python nx_util.py -l /var/log/nginx/error.log -o >> /usr/local/nginx/conf/naxsi_custom.rules

Review your configuration file and analyse the generated whitelist to understand the requests and what they need.
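To make sense of what nx_util appends to naxsi_custom.rules, it helps to see how the raw NAXSI_FMT lines in error.log relate to the CheckRule thresholds and to the wl/mz whitelist syntax. The script below is an added example written for this article, not the article's code and not nx_util itself: it parses NAXSI_FMT lines (the key=value&... layout naxsi 0.5x writes), re-applies the article's CheckRule thresholds to show which requests would have been blocked outside LearningMode, and aggregates hits into BasicRule whitelist candidates. The log lines in SAMPLE_LOG are constructed for the example; only the ">=" CheckRule form the article uses is modelled.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs

# Thresholds copied from the article's naxsi_custom.rules:
#   CheckRule "$SQL >= 8" BLOCK;  CheckRule "$RFI >= 8" BLOCK;  ...
# Only the ">=" form is modelled, which is the only operator the article uses.
CHECK_RULES = {"$SQL": 8, "$RFI": 8, "$TRAVERSAL": 4, "$EVADE": 4, "$XSS": 8}

# Constructed sample error.log lines (not a real capture) in the NAXSI_FMT layout
# naxsi 0.5x emits: one key=value&... string, then nginx's usual client/request fields.
SAMPLE_LOG = """\
2016/03/01 10:00:01 [error] 1234#0: *7 NAXSI_FMT: ip=203.0.113.5&server=www.example.test&uri=/search&learning=1&vers=0.54&total_processed=120&total_blocked=3&block=1&cscore0=$SQL&score0=8&zone0=ARGS&id0=1001&var0=q, client: 203.0.113.5, server: www.example.test, request: "GET /search?q=1%27 HTTP/1.1", host: "www.example.test"
2016/03/01 10:00:02 [error] 1234#0: *8 NAXSI_FMT: ip=203.0.113.6&server=www.example.test&uri=/profile&learning=1&vers=0.54&total_processed=121&total_blocked=3&block=0&cscore0=$XSS&score0=4&zone0=BODY&id0=1302&var0=bio, client: 203.0.113.6, server: www.example.test, request: "POST /profile HTTP/1.1", host: "www.example.test"
2016/03/01 10:00:03 [error] 1234#0: *9 NAXSI_FMT: ip=203.0.113.5&server=www.example.test&uri=/search&learning=1&vers=0.54&total_processed=122&total_blocked=4&block=1&cscore0=$SQL&score0=8&zone0=ARGS&id0=1001&var0=q, client: 203.0.113.5, server: www.example.test, request: "GET /search?q=O%27Brien HTTP/1.1", host: "www.example.test"
2016/03/01 10:00:04 [error] 1234#0: *10 NAXSI_FMT: ip=203.0.113.7&server=www.example.test&uri=/comment&learning=1&vers=0.54&total_processed=123&total_blocked=5&block=1&cscore0=$XSS&score0=8&zone0=BODY&id0=1302&var0=text&zone1=BODY&id1=1303&var1=text, client: 203.0.113.7, server: www.example.test, request: "POST /comment HTTP/1.1", host: "www.example.test"
"""

NAXSI_FMT_RE = re.compile(r"NAXSI_FMT: ([^ ,]+)")


def parse_naxsi_line(line):
    """Parse one NAXSI_FMT line; return None for lines naxsi did not write."""
    m = NAXSI_FMT_RE.search(line)
    if not m:
        return None
    # parse_qs splits the &-separated key=value pairs and percent-decodes values
    fields = {k: v[0] for k, v in parse_qs(m.group(1), keep_blank_values=True).items()}
    event = {
        "ip": fields.get("ip", ""),
        "uri": fields.get("uri", ""),
        "learning": fields.get("learning") == "1",   # LearningMode was on: logged, not denied
        "naxsi_block": fields.get("block") == "1",    # naxsi's own verdict for the request
        "scores": {},                                 # category ($SQL, $XSS, ...) -> total score
        "matches": [],                                # (zone, rule id, variable) per rule hit
    }
    i = 0
    while f"cscore{i}" in fields:                     # cscore0=$SQL&score0=8&cscore1=...
        event["scores"][fields[f"cscore{i}"]] = int(fields.get(f"score{i}", "0"))
        i += 1
    i = 0
    while f"id{i}" in fields:                         # zone0=ARGS&id0=1001&var0=q&zone1=...
        event["matches"].append(
            (fields.get(f"zone{i}", ""), fields[f"id{i}"], fields.get(f"var{i}", ""))
        )
        i += 1
    return event


def would_block(scores, check_rules=CHECK_RULES):
    """Re-evaluate the CheckRule thresholds: any category reaching its limit blocks."""
    return any(scores.get(cat, 0) >= limit for cat, limit in check_rules.items())


def whitelist_candidates(log_text):
    """Aggregate hits per (zone, rule id, variable, uri) and return BasicRule whitelist
    lines in naxsi's wl/mz syntax as (line, hit_count) tuples, most frequent first."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        ev = parse_naxsi_line(line)
        if ev is None:
            continue
        for zone, rule_id, var in ev["matches"]:
            counts[(zone, rule_id, var, ev["uri"])] += 1
    result = []
    for (zone, rule_id, var, uri), n in sorted(counts.items(), key=lambda kv: (-kv[1], kv[0])):
        base_zone, _, suffix = zone.partition("|")   # "ARGS|NAME" means the parameter name matched
        mz = f"${base_zone}_VAR:{var}" if var else base_zone
        if suffix:
            mz += f"|{suffix}"
        # e.g. BasicRule wl:1001 "mz:$URL:/search|$ARGS_VAR:q";
        result.append((f'BasicRule wl:{rule_id} "mz:$URL:{uri}|{mz}";', n))
    return result


if __name__ == "__main__":
    for ev in filter(None, map(parse_naxsi_line, SAMPLE_LOG.splitlines())):
        verdict = "BLOCK" if would_block(ev["scores"]) else "pass"
        mode = "learning (logged only)" if ev["learning"] else "enforcing"
        print(f"{ev['ip']:>12} {ev['uri']:<10} {verdict:<5} {mode:<22} {ev['scores']}")
    print("\n## whitelist candidates to review before appending to naxsi_custom.rules")
    for wl, n in whitelist_candidates(SAMPLE_LOG):
        print(f"{wl}  # {n} hit(s)")
```

The point of the review step is visible in the sample: the /search hits come from a legitimate apostrophe in a query, so a whitelist scoped to that URL and parameter is reasonable, while a rule firing on a free-text comment body deserves a closer look before it is whitelisted for good.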
Turn off the naxsi LearningMode
sed -i 's/LearningMode/#LearningMode/' /usr/local/nginx/conf/naxsi_custom.rules

If you have any questions or updates about this procedure, please contact me.
See Ya!