Any web application can have a security bug, which exploited, may allow the attacker to gain unauthorized access to crucial application components, and, unfortunately, lead to a leakage of a sensitive data. One of the common ways to defend the zero days is to use WAF (Web Application Firewall). In this tutorial I'll put some light on a dedicated Nginx WAF external module called NAXSI (Nginx Anti XSS & SQL Injection), the ModSecurity equivalent for Apachers, by the way...

So NAXSI, how it basicly works? When a client's request is performed, it's being parsed on the server side, splitted into several streams a.k.a. zones: args (GET args), url, body (POST args), header (HTTP headers). Then, these are tested against patterns - the naxsi core rules (naxsi_core.rules) - and, in case of a match, possibly denied. Why possibly? Because it depends then on stream's score, classfied by the NAXSI - if is it below (or equal) the category's score treshold  (sql, rfi, traversal, evade, xss) specified in the naxsi.rules, then deny will apply. Rules whitelisting? Of course creating such can be done too.

Configuration, in short, looks like the following:

  • Include NAXSI core rules (naxsi_core.rules) in nginx's main config file, in the http section,
  • Include NAXSI general rules (naxsi.rules) in the location section, which tells which run mode (Normal, Learning) should be active and here's the place for category's score tresholds,
  • Include NAXSI whitelist rules (naxsi_whitelist.rules), which are contrasted with the core rules during the streams processing, also in the location section.

Lets go with installation now. Presented below steps I'm going to exec on a CentOS 7 Linux distro. Keep in mind that Nginx must be compiled with NAXSI module, thus I'll go with its compilation. Btw: adjust configure args to cover your specific use case.

1) Get sources, compile and install 'em all.

$ git clone https://github.com/nbs-system/naxsi.git
$ git clone https://github.com/nginx/nginx.git
$ cd nginx
$ git checkout nginx-1.7 // current stable release
$ ./configure \
--prefix=/usr \
--conf-path=/etc/nginx/nginx.conf \
--http-log-path=/var/log/nginx/access.log \
--error-log-path=/var/log/nginx/error.log \
--lock-path=/var/lock/nginx.lock \
--pid-path=/run/nginx.pid \
--http-client-body-temp-path=/var/lib/nginx/body \
--http-fastcgi-temp-path=/var/lib/nginx/fastcgi \
--http-proxy-temp-path=/var/lib/nginx/proxy \
--http-scgi-temp-path=/var/lib/nginx/scgi \
--http-uwsgi-temp-path=/var/lib/nginx/uwsgi \
--with-pcre-jit \
--with-ipv6 \
--with-http_ssl_module \
--with-http_stub_status_module \
--with-http_realip_module \
--with-http_auth_request_module \
--with-http_addition_module \
--with-http_gzip_static_module \
--with-http_image_filter_module \
--with-http_spdy_module \
--with-http_sub_module \
--with-http_xslt_module \
$ make
# make install

2) Initial setup - use NAXSI's default core rules

# cp naxsi/naxsi_config/naxsi_core.rules /etc/nginx/
# cat > /etc/nginx/naxsi.rules << EOF
DeniedUrl "/RequestDenied";

## check rules - put the specific tresholds
CheckRule "$SQL >= 8" BLOCK;
CheckRule "$RFI >= 8" BLOCK;
CheckRule "$TRAVERSAL >= 4" BLOCK;
CheckRule "$EVADE >= 4" BLOCK;
CheckRule "$XSS >= 8" BLOCK;

Append naxsi_core.rules line to the /etc/nginx/nginx.conf into http section. 

# file: /etc/nginx/nginx.conf
http {
    include       /etc/nginx/naxsi_core.rules;
    include       /etc/nginx/mime.types;

Moreover, in the same file, modify the server's section (or in you VHOSTs config respectivly!)

# file: /etc/nginx/nginx.conf
server {
        location / {
            include /etc/nginx/naxsi.rules; # only per location
include /etc/nginx/naxsi_whitelist.rules; # only per location
            root   html;
            index  index.html index.htm;
location /RequestDenied {
            return 403;

Now, you could manually add rules into a whitelist, which is checked against the core rules or, run naxsi in learning mode, gather error logs, and then generate whitelist rules (however, more likely you will have to adjust them as well). To get naxsi running in a learning mode simple uncomment the LearningMode in /etc/nginx/naxsi.rules file. For more details on generating the WL rules from nginx logs please see the LearningMode naxsi docs.

Regarding NAXSI's architecture itself, I encourage you to see it's spiffy whitepaper. ;-)

Currently unrated


There are currently no comments

New Comment


required (not published)