Ícaro Bichir bio photo

Ícaro Bichir

Geek that dreams to be a hacker, became a intern security, a DevOps Analyst and now, SysAdmin with DevOps Engineering thinking. ;)

Email LinkedIn Github Last.fm

General Vision

With this article, you will have your webserver ready to production, filtering all requests with NAXSI WAF configured on nginx.

Versions: nginx 1.8.1 + naxsi 1.5.3

Tested on CentOS 7 and Ubuntu Trusty

Execute all steps on root account

Get the nginx and nasxi source code

Compile and install from source nginx and naxsi

wget http://nginx.org/download/nginx-1.8.1.tar.gz
wget https://github.com/nbs-system/naxsi/archive/0.54.tar.gz
wget https://github.com/nbs-system/naxsi/archive/0.53.tar.gz

Unpack the tar files

tar -xvzf nginx-1.8.1.tar.gz
tar -xvzf 0.54.tar.gz
tar -xvzf 0.53.tar.gz

Remove old nginx files and move the naxsi directory

rm -rf /usr/local/nginx
mkdir /usr/local/nginx/
mv naxsi-0.54/  /usr/local/naxsi-0.54/
mv naxsi-0.53/nx_util/  /usr/local/naxsi-0.54/nx_util-0.53/

Configure and compile the nginx on your linux kernel

cd nginx-1.8.1
./configure --conf-path=/usr/local/nginx/conf/nginx.conf \
--add-module=/usr/local/naxsi-0.54/naxsi_src/ \
--error-log-path=/var/log/nginx/error.log \
--http-client-body-temp-path=/usr/local/nginx/body \
--http-fastcgi-temp-path=/usr/local/nginx/fastcgi \
--http-uwsgi-temp-path=/usr/local/nginx/uwsgi \
--http-scgi-temp-path=/usr/local/nginx/scgi \
--http-log-path=/var/log/nginx/access.log \
--http-proxy-temp-path=/usr/local/nginx/proxy \
--lock-path=/var/run/nginx.lock \
--pid-path=/var/run/nginx.pid \
--with-http_ssl_module \
--with-http_ssl_module \
--with-http_addition_module \
--with-http_realip_module \
--with-http_gunzip_module \
--without-mail_pop3_module \
--without-mail_smtp_module \
--without-mail_imap_module \
--without-http_uwsgi_module \
--without-http_scgi_module \
--with-ipv6 \
--sbin-path=/usr/sbin/nginx \
make install

Copy naxsi base rules to nginx conf directory

cp /usr/local/naxsi-0.54/naxsi_config/naxsi_core.rules /usr/local/nginx/conf/

Edit the nginx.conf and include the naxsi base rules on http section

$ vim /usr/local/nginx/conf/nginx.conf

    http {
        include				/usr/local/nginx/conf/naxsi_core.rules;

Create your custom naxsi rules

$ touch /usr/local/nginx/conf/naxsi_custom.rules
$ cat << EOF >/usr/local/nginx/conf/naxsi_custom.rules
DeniedUrl "/RequestDenied";

## check rules
CheckRule "$SQL >= 8" BLOCK;
CheckRule "$RFI >= 8" BLOCK;
CheckRule "$TRAVERSAL >= 4" BLOCK;
CheckRule "$EVADE >= 4" BLOCK;
CheckRule "$XSS >= 8" BLOCK;

Include your custom rules on every server configuration

$ vim /usr/local/nginx/conf.d/*.conf
    server {
    	location / {
        	include			/usr/local/nginx/conf/naxsi_custom.rules;

Configure the nginx deamon

$ sudo vim /lib/systemd/system/nginx.service

Description=The NGINX HTTP and reverse proxy server
After=syslog.target network.target remote-fs.target nss-lookup.target

ExecStartPre=/usr/sbin/nginx -t
ExecReload=/bin/kill -s HUP $MAINPID
ExecStop=/bin/kill -s QUIT $MAINPID


Start your nginx, with naxsi compiled inside

$ sudo systemctl daemon-reload
$ sudo service nginx start

After some days on LearningMode, configure the nx_util to create your custom whitelist

ps: I used the 0.53 version, because the setup create the elasticsearch to execute the nx_util.py

$ cd /usr/local/naxsi-0.54/nx_util-0.53/
$ python setup.py build
$ python setup.py install
$ python nx_util.py -l /var/log/nginx/error.log -o >> /usr/local/nginx/conf/naxsi_custom.rules

Look your configuration file and analyses the whitelist to understand the requests and his needs

Turn off the naxsi LearningMode

sed -i 's/LearningMode/#LearningMode/' /usr/local/nginx/conf/naxsi.rules