naxsi

Naxsi Basic Configuration

To get started with Naxsi, you can explore the following basic configuration.

Configuring Naxsi

Naxsi must be configured based on what it is going to protect.

The first step: once Naxsi has been compiled as a dynamic module, you will have a shared library which needs to be loaded by nginx by adding an entry to the /etc/nginx/nginx.conf file.

load_module /usr/lib/nginx/modules/ngx_http_naxsi_module.so;

Once the module is added to the NGINX configuration, the next step is to include the global rules; in the Naxsi repository you can find naxsi_core.rules, which provides the most basic ruleset for Naxsi.

💡 Tip

It is possible to include these rules directly in /etc/nginx/nginx.conf.

include /etc/nginx/naxsi/naxsi_core.rules;

The next step is configuring each website that needs to be protected by Naxsi; this is done by adding the directives SecRulesEnabled, DeniedUrl and CheckRule to a location block.

For more details, check the Directive chapter.

location / {
	SecRulesEnabled;
	DeniedUrl "/RequestDenied";
	CheckRule "$FOO >= 8" BLOCK;
}

# The location where all blocked requests will be internally redirected.
location /RequestDenied {
	internal;
	return 403;
}

The last steps are to create whitelists and configure logging.

# Example of a global whitelist
MainRule wl:1000,1009,1315 "mz:$BODY_VAR:_wp_http_referer";

# Example of a location-defined whitelist
BasicRule wl:1000,1009,1315 "mz:$BODY_VAR:_wp_http_referer";

# Enable JSON logs for Naxsi
set $naxsi_json_log 1;

Example Configuration

This NGINX configuration for /etc/nginx/nginx.conf defines a reverse proxy towards a web service hosted at internal-ip-address on port 80.

# load module
load_module /etc/nginx/modules/ngx_http_naxsi_module.so;

http {
	# Include core rules (see below)
	include /etc/nginx/naxsi/naxsi_core.rules;
	
	# Include additional rules
	include /etc/nginx/naxsi/blocking/*.rules;

	server {
		listen 80;
		server_name example.com;

		set $naxsi_json_log 1; # Enable JSON logs for Naxsi

		location / {
			proxy_pass http://internal-ip-address:80;
			proxy_set_header Host $host;
			proxy_set_header X-Real-IP $remote_addr;
			proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
			proxy_set_header X-Forwarded-Proto $scheme;

			SecRulesEnabled; # Enables naxsi for this `location`
			# LearningMode;  # When set, BLOCK CheckRules are treated as LOG.
			LibInjectionSql; # Enables libinjection support for SQL injection detection
			LibInjectionXss; # Enables libinjection support for XSS detection

			# Internal denied request.
			DeniedUrl "/RequestDenied";

			# The following CheckRules are mandatory when using the rules found in the naxsi repository.
			# For more info, please check:
			# - https://github.com/wargio/naxsi/tree/main/naxsi_rules/blocking
			# - https://github.com/wargio/naxsi/blob/main/naxsi_rules/naxsi_core.rules

			CheckRule "$SQL >= 8" BLOCK; # SQL injection action (unrelated to libinjection)
			CheckRule "$XSS >= 8" BLOCK; # XSS action (unrelated to libinjection)
			CheckRule "$RFI >= 8" BLOCK; # Remote File Inclusion action
			CheckRule "$UWA >= 8" BLOCK; # Unwanted Access action
			CheckRule "$EVADE >= 8" BLOCK; # Evade action (some tools may try to avoid detection).
			CheckRule "$UPLOAD >= 5" BLOCK; # Malicious upload action
			CheckRule "$TRAVERSAL >= 5" BLOCK; # Traversal access action
			CheckRule "$LIBINJECTION_XSS >= 8" BLOCK; # libinjection XSS action
			CheckRule "$LIBINJECTION_SQL >= 8" BLOCK; # libinjection SQLi action
		}

		# The location where all blocked requests will be internally redirected.
		location /RequestDenied {
			internal;
			return 403;
		}
	}
}

This configuration enables NAXSI and sets up basic rules for blocking requests based on various threat levels.
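To see how the CheckRule thresholds above and the wl: whitelist syntax from the previous section fit together, here is an added example (not Naxsi's own code) that parses NAXSI_FMT error-log lines, replays the CheckRule decision, and emits whitelist lines for the matched rules. It assumes the default NAXSI_FMT key=value&... layout (cscoreN/scoreN/zoneN/idN/varN) rather than the JSON log format, and the sample log lines are constructed.

```python
# Added example (not Naxsi's own code): replay the CheckRule decision of the
# configuration above from NAXSI_FMT error-log lines. Assumes the NAXSI_FMT
# key=value&... layout (cscoreN/scoreN/zoneN/idN/varN); sample lines are constructed.
import re
from urllib.parse import parse_qsl

# Thresholds copied from the CheckRule directives in the example configuration.
CHECK_RULES = {"SQL": 8, "XSS": 8, "RFI": 8, "UWA": 8, "EVADE": 8, "UPLOAD": 5,
               "TRAVERSAL": 5, "LIBINJECTION_XSS": 8, "LIBINJECTION_SQL": 8}
# Log zone name -> match-zone prefix for wl: whitelists (assumed mapping).
ZONE_MZ = {"ARGS": "$ARGS_VAR", "BODY": "$BODY_VAR",
           "HEADERS": "$HEADERS_VAR", "URL": "$URL"}

SAMPLE_LINES = [  # constructed, not real traffic
    '2024/01/01 12:00:00 [error] 1234#0: *1 NAXSI_FMT: ip=192.0.2.10&server=example.com'
    '&uri=/index.php&learning=0&total_processed=10&total_blocked=1&cscore0=$SQL&score0=8'
    '&cscore1=$XSS&score1=4&zone0=ARGS&id0=1001&var0=q&zone1=ARGS&id1=1302&var1=q'
    ', client: 192.0.2.10, server: example.com, request: "GET /index.php?q=x HTTP/1.1"',
    '2024/01/01 12:00:01 [error] 1234#0: *2 NAXSI_FMT: ip=192.0.2.11&server=example.com&uri=/download'
    '&learning=0&cscore0=$TRAVERSAL&score0=4&zone0=ARGS&id0=1205&var0=file, client: 192.0.2.11',
]

def parse_fmt(line):
    """Return (named scores, [(rule id, zone, variable)]) for one NAXSI_FMT line."""
    body = re.search(r"NAXSI_FMT: (.*?)(?:, client:|$)", line).group(1)
    fields = dict(parse_qsl(body, keep_blank_values=True))
    scores, matches, i = {}, [], 0
    while f"cscore{i}" in fields:  # cscoreN/scoreN pairs are numbered from 0
        scores[fields[f"cscore{i}"].lstrip("$")] = int(fields[f"score{i}"])
        i += 1
    i = 0
    while f"id{i}" in fields:      # idN/zoneN/varN triples likewise
        matches.append((int(fields[f"id{i}"]), fields[f"zone{i}"], fields[f"var{i}"]))
        i += 1
    return scores, matches

def decide(scores, learning=False):
    """Apply the CheckRule thresholds; LearningMode turns BLOCK into LOG."""
    hit = sorted(n for n, v in scores.items() if n in CHECK_RULES and v >= CHECK_RULES[n])
    if not hit:
        return "PASS", hit
    return ("LOG" if learning else "BLOCK"), hit

def whitelist(matches, directive="BasicRule"):
    """Group matched rule ids per (zone, variable) into wl: lines in the page's syntax."""
    groups = {}
    for rid, zone, var in matches:
        mz = ZONE_MZ.get(zone.split("|")[0], zone)  # drop "ARGS|NAME" style suffixes
        groups.setdefault((mz, var), set()).add(rid)
    return [f'{directive} wl:{",".join(map(str, sorted(ids)))} "mz:{mz}:{var}";'
            for (mz, var), ids in sorted(groups.items())]
```

Review each suggested wl: line before adding it to the configuration: whitelisting a variable that was legitimately attacked silences those rules for that variable.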

📣 Important

The SecRulesEnabled directive is mandatory to enable NAXSI in a location.

Some key directives used in this example are SecRulesEnabled, DeniedUrl and CheckRule, together with the $naxsi_json_log variable that enables JSON logging.

Additionally, this configuration includes directives for enabling libinjection’s XSS and SQLi detection features.

⚠️ Warning

Be aware that Nginx will fail to load the configuration if ngx_http_naxsi_module.so is not loaded.

💡 Tip

It is possible to test the NGINX configuration by using nginx -t from the command line.
