What is NAXSI?
NAXSI means Nginx Anti XSS & SQL Injection.
Technically, it is a third party nginx module, available as a package for many UNIX-like platforms. This module, by default, reads a small subset of simple (and readable) rules containing 99% of known patterns involved in website vulnerabilities. For example, <
, |
or drop
are not supposed to be part of a URI.
Being very simple, those patterns may match legitimate queries, it is the Naxsi’s administrator duty to add specific rules that will whitelist legitimate behaviours. The administrator can either add whitelists manually by analyzing nginx’s error log, or (recommended) start the project with an intensive auto-learning phase that will automatically generate whitelisting rules regarding a website’s behaviour.
In short, Naxsi behaves like a DROP-by-default firewall, the only task is to add required ACCEPT rules for the target website to work properly.
If you already have Nginx configured and running on your server, you would want to install this module dynamically
and thats what we are going to do in few simple steps.
Step 1: Download Nginx
Nginx version should be the same as the one you already have on your server, to check this you can use -v
parameter. I am going to use /var/www/nginx
as the root directory here.
$ nginx -v
nginx version: nginx/1.19.1
$ mkdir /var/www/nginx; cd /var/www/nginx
As you can see, I have Nginx version 1.19.1 installed, therefore I am going to download this version from the downloads.
$ wget -qO - http://nginx.org/download/nginx-1.19.1.tar.gz | tar xzvf -
Step 2: Download the latest version of NAXSI from here in the modules directory of nginx
$ cd nginx-1.19.1/src/http/modules/
$ wget -qO - https://github.com/nbs-system/naxsi/archive/0.56.tar.gz | tar xzvf -
Step 3: Install & Compile NAXSI as a dynamic module
We must compile nginx with the same arguments as you had previously configured Nginx with, to do that use -V
attribute to get the list.
$ nginx -V
nginx version: nginx/1.19.1
built by gcc …
built with OpenSSL …
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/…
Copy these arguments and paste it at the end of the below command and replace [YOUR_ARGUMENTS] with your arguments.
$ cd /var/www/nginx-1.19.1
$ ./configure --add-dynamic-module=./src/http/modules/naxsi-0.56/naxsi_src [YOUR_ARGUMENTS]
It is important to note the “–add-dynamic-module” here, it will ensure that NAXSI module will be installed dynamically and we will move the executable to our current directory of Nginx.
Once the configuration completes please execute the following commands.
$ make
$ make install
Step 5: Lastly, configure Nginx for NAXSI
Finally, move *.so
file and naxsi_core.rules
to your nginx directory, I assume its /etc/nginx/
.
$ cp objs/ngx_http_naxsi_module.so /etc/nginx/modules
Load the module into the NGINX Plus core by adding the load_module
directive to the main context in your nginx.conf file:
$ vi /nginx.conf
$ load_module modules/ngx_http_naxsi_module.so;
Add the naxsi_core.rules
to nginx.conf inside http block.
#Edit this ‘include’ directive to point to your naxsi_core.rules file in nginx.conf
include /etc/nginx/naxsi_config/naxsi_core.rules;
NAXSI configuration is described in detail in the project documentation. The following NGINX configuration illustrates the module in action:
server {
listen 80;location / { root /YOUR_ROOT_DIR; # Enable NAXSI SecRulesEnabled; # Define where blocked requests go DeniedUrl "/error.html"; # CheckRules, determining when NAXSI needs to take action CheckRule "$SQL >= 8" BLOCK; CheckRule "$RFI >= 8" BLOCK; CheckRule "$TRAVERSAL >= 4" BLOCK; CheckRule "$EVADE >= 4" BLOCK; CheckRule "$XSS >= 8" BLOCK; # Don’t forget the error_log, where blocked requests are logged error_log /var/log/nginx/naxsi.log; } error_page 500 502 503 504 /50x.html;
}
Voila! you can also verify NAXSI’s implmentation via curl
as explained below.
1. curl http://localhost
2. curl http://localhost/a?=<>
Upon checking the logs, you will see that NAXSI successfully blocked this attempt.
For production deployments, you can also download signed NAXSI releases at https://github.com/nbs-system/naxsi/tags and compile them in a similar fashion.