naxsi

Directives

DeniedUrl

DeniedUrl is a directive that indicates where naxsi will redirect (nginx’s internal redirect) blocked requests.

As the request might be modified during redirect (url & arguments), extra http headers orig_url (original url), orig_args (original GET args) and naxsi_sig (NAXSI_FMT) are added.

The headers that are forwarded to the location denied page are :

NAXSI_HEADER_ORIG_URL “x-orig_url” NAXSI_HEADER_ORIG_ARGS “x-orig_args” NAXSI_HEADER_NAXSI_SIG “x-naxsi_sig”

example:

location / {
...
DeniedUrl "/RequestDenied";
}

location /RequestDenied {
return 418; #I'm a teapot
}

LearningMode

LearningMode if instructs naxsi to enable learning mode (don’t honor BLOCK directive) in the location.

For example:

location /a {
# request triggering BLOCK score won't be blocked here, but simply logued.
LearningMode;
}

Keep in mind that internal rules (those with an id inferior to 1000) will drop the request even in learning mode, because it means that something fishy is going on, since naxsi can’t correctly process the request. You can of course apply whitelist if those are false-positives.

SecRulesEnabled

SecRulesEnabled is a mandatory keyword to enable naxsi in a location.

SecRulesDisabled

SecRulesDisabled can be used to explicitely disable naxsi in a location.

CheckRule

See CheckRule

BasicRule

A directive used to declare a rule or a whitelist.

MainRule

A directive used to declare a rule or a whitelist.

LibInjectionXss

A directive to enable libinjection’s xss detection on all part of the http request.

LibInjectionSql

A directive to enable libinjection’s sqli detection on all part of the http request.

naxsi_extensive_log

A flag that can be set at runtime to enable naxsi extensive logs.

server {
...

 if ($remote_addr = "1.2.3.4") {
  set $naxsi_extensive_log 1;
 }
 
location / {
 ...
 }
}

naxsi_json_log

Enable JSON in logs. Examples:

# normal log in JSON format
2022/12/22 20:36:35 [error] 1189262#0: *1 {"ip":"127.0.0.1","server":"localhost","uri":"/a","config":"block","rid":"a0333f697ff8f12b6a200a24117ff320","cscore0":"$SQL","score0":"8","cscore1":"$XSS","score1":"8","zone0":"ARGS","id0":"1001","var_name0":"b"}, client: 127.0.0.1, server: localhost, request: "GET /a?b="\dasdasdasdadsa HTTP/1.1", host: "localhost"
# extended log in json format
2022/12/22 20:36:35 [error] 1189262#0: *1 {"ip":"127.0.0.1","server":"localhost","uri":"/a","config":"block","rid":"a0333f697ff8f12b6a200a24117ff320","cscore0":"$SQL","score0":"8","cscore1":"$XSS","score1":"8","zone0":"ARGS","id0":"1001","var_name0":"b"}, client: 127.0.0.1, server: localhost, request: "GET /a?b="\dasdasdasdadsa HTTP/1.1", host: "localhost"

TODO DOCUMENTATION

naxsi_flag_enable

A flag that can be set at runtime to enable or disable naxsi.

server {
 set $naxsi_flag_enable 1;
 location / {
 ...
 }
}

naxsi_flag_learning

A flag that can be set at runtime to enable or disable learning.

server {
 set $naxsi_flag_learning 1;
 location / {
 ...
 }
}

naxsi_flag_libinjection_sql

A flag that can be set at runtime to enable or disable libinjection’s sql detection

server {
 set $naxsi_flag_libinjection_sql 1;
 location / {
 ...
 }
}

naxsi_flag_libinjection_xss

A flag that can be set at runtime to enable or disable libinjection’s xss detection

server {
 set $naxsi_flag_libinjection_xss 1;
 location / {
 ...
 }
}