naxsi

Naxsi Directives

This section explains all the directives, with examples, that are available when the Naxsi module (ngx_http_naxsi_module.so) is enabled.

SecRulesEnabled

ℹ️ Info

NGINX block: location

This directive is mandatory to enable naxsi in a NGINX location.

Example:

location / {
    SecRulesEnabled;
}

CheckRule

ℹ️ Info

NGINX block: location

This directive is required to instruct Naxsi on which action to take when there is a rule match.

The directive requires you to specify a score with a variable name and its min/max value (for example $FOO_BAR >= 4); the score is then followed by an action to take (LOG, BLOCK, DROP, or ALLOW) when is met.

📣 Important

Score variable names must starts with a “dollar sign” $ and can contains “underscores” _.

⚠️ Warning

The action BLOCK will behave like DROP only when LearningMode is not enabled.

Example:

location / {
    CheckRule "$FOO_UU >= 8" LOG;
    CheckRule "$BARRRR < 99" DROP;
    CheckRule "$SOMETHING <= 33" BLOCK;
}

LibInjectionXss

ℹ️ Info

NGINX block: location

When defined, this directive enables libinjection’s xss detection on all requests.

📣 Important

The detected XSS will increase the score $LIBINJECTION_XSS by 1 for each match; this means that is required to define $LIBINJECTION_XSS as a CheckRule.

Example:

location / {
    # enable libinjection xss
    LibInjectionXss;
    # define LIBINJECTION_XSS for libinjection
    CheckRule "$LIBINJECTION_XSS >= 8" BLOCK;
}

LibInjectionSql

ℹ️ Info

NGINX block: location

When defined, this directive enables libinjection’s sqli detection on all requests.

📣 Important

The detected SQLi will increase the score $LIBINJECTION_SQL by 1 for each match; this means that is required to define $LIBINJECTION_SQL as a CheckRule.

Example:

location / {
    # enable libinjection sqli
    LibInjectionSql;
    # define LIBINJECTION_SQL for libinjection
    CheckRule "$LIBINJECTION_SQL >= 8" BLOCK;
}

LearningMode

ℹ️ Info

NGINX block: location

This directive instructs Naxsi that to not honor CheckRules which defines actions as BLOCK in a NGINX location.

All the BLOCK actions will be interpreted as LOG; this is a useful mode when deploying a new web application and detect all false positives that might be generated by the WAF.

📣 Important

Keep in mind that internal rules (those with an id inferior to 1000) will drop the request even in learning mode, because it means something fishy is going on and Naxsi can’t correctly process the request. You can of course apply whitelists if those are false positives.

Example:

location / {
    # enable Naxsi learning mode
    LearningMode;
}

DeniedUrl

ℹ️ Info

NGINX block: location

This directive is used to define where Naxsi has to redirect (it’s an NGINX’s internal redirect) when blocking, dropping or logging requests.

The following headers that are added are when blocking, dropping or logging requests:

• x-orig_url
• x-orig_args
• x-naxsi_sig

💡 Tip

It is strongly suggested to mark the DeniedUrl location as internal to prevent possible pre-detection of the WAF as per example.

Example:

location / {
    DeniedUrl "/RequestDenied";
}

location /RequestDenied {
    # Mark this location as internal only to prevent possible pre-detection of the WAF
    internal;
    # return code of the location.
    return 403;
}

MainRule

ℹ️ Info

NGINX block: http

This directive is required to declare a global rule or a whitelist.

💡 Tip

You can define these within a config file and use the include directive to include them within the NGINX configuration.

You can find within the Naxsi source code a list of global rules which provides a basic ruleset to protect any web application; these rules requires to include the following CheckRules:

    CheckRule "$SQL >= 8" BLOCK;
    CheckRule "$RFI >= 8" BLOCK;
    CheckRule "$TRAVERSAL >= 5" BLOCK;
    CheckRule "$UPLOAD >= 5" BLOCK;
    CheckRule "$XSS >= 8" BLOCK;
    CheckRule "$UWA >= 8" BLOCK;
    CheckRule "$EVADE >= 8" BLOCK;

Example:

http {
    # global whitelist
    MainRule wl:12345 "mz:$URL:/robots.txt|URL";
    # global rule
    MainRule id:45678 "s:$UWA:8" "str:nmap" "mz:$HEADERS_VAR:User-Agent" "msg:nmap in user-agent";
}

BasicRule

ℹ️ Info

NGINX block: location

This directive is required to declare a location-specific (i.e. not global) rule or a whitelist.

💡 Tip

You can define these within a config file and use the include directive to include them within the NGINX configuration.

💡 Tip

You can find within the Naxsi source code a list of location-specific whitelist which can be used for known web applications like Wordpress, Etherpad, Drupal, and more…

Example:

location / {
    # location-specific whitelist
    BasicRule wl:12345 "mz:$URL:/robots.txt|URL";
    # location-specific rule
    BasicRule id:45678 "s:$UWA:8" "str:nmap" "mz:$HEADERS_VAR:User-Agent" "msg:nmap in user-agent";
}

IgnoreIP

ℹ️ Info

NGINX block: location

This directive can be used to whitelist requests from certain IPs.

💡 Tip

You can define these within a config file and use the include directive to include them within the NGINX configuration.

Example:

location / {
    IgnoreIP "1.2.3.4";
    IgnoreIP "2001:4860:4860::8844";
}

IgnoreCIDR

ℹ️ Info

NGINX block: location

This directive can be used to whitelist requests from certain IP ranges.

💡 Tip

You can define these within a config file and use the include directive to include them within the NGINX configuration.

Example:

location / {
    IgnoreCIDR "192.168.0.0/24";
    IgnoreCIDR "2001:4860:4860::/112";
}

This site is open source. Improve this page.