Installing Naxsi On Ubuntu
NAXSI means Nginx Anti XSS & SQL Injection.
Technically, it is a third-party nginx module, available as a package for many UNIX-like platforms. This module, by default, reads a small subset of simple (and readable) rules containing 99% of known patterns involved in website vulnerabilities. For example, <, | or drop are not supposed to be part of a URI.
Because they are so simple, those patterns may match legitimate queries; it is the Naxsi administrator's duty to add specific rules that whitelist those legitimate behaviours. The administrator can either add whitelists manually by analyzing nginx's error log, or (recommended) start the project with an intensive auto-learning phase that automatically generates whitelisting rules based on the website's behaviour.
In short, Naxsi behaves like a DROP-by-default firewall: the only job needed is to add the required ACCEPT rules for the target website to work properly.
Step 1A: Installing Naxsi without an existing Nginx installation
If you do not have Nginx installed on your server yet, follow this step. If you already have an existing Nginx installation, follow step 1B. Before installing Naxsi, it is a good idea to update the system. Do this by executing:
Next, we can install Naxsi. Installing with apt-get pulls in Naxsi and its dependencies. Naxsi will automatically be started on boot.
apt-get install nginx-naxsi
Step 1B: Installing Naxsi with an existing Nginx installation
Step 1A cannot be followed if Nginx is already installed, because the nginx-naxsi package contains Nginx and Naxsi together. If you already have Nginx and want Naxsi on top of that, replacing the nginx-core package with the nginx-naxsi package should generally work fine. It is wise to create a backup first, preferably of your whole server, and in any case of the /etc/nginx/ directory.
If possible, deploy a new server with a totally new Nginx installation using the nginx-naxsi package. If not, back up your server and type:
apt-get install nginx-naxsi
This should install Naxsi and replace the existing Nginx, but keep all your files.
Step 2: Editing Naxsi settings
In order to enable Naxsi, open the file /etc/nginx/nginx.conf and find the following section:
# nginx-naxsi config
##
# Uncomment it if you installed nginx-naxsi
##
# include /etc/nginx/naxsi_core.rules;
Remove the # in front of the include to load the Naxsi rules, which will enable Naxsi. After making that change, the line should look like this:
include /etc/nginx/naxsi_core.rules;
The configuration of Naxsi can be found in /etc/nginx/naxsi.rules. You can see what it does and optionally change some settings, depending on your needs and the type of website(s) that you host.
After enabling Naxsi and editing the configuration, we need to enable Naxsi for our default site manually. Open /etc/nginx/sites-enabled/default:
vi /etc/nginx/sites-enabled/default
To enable Naxsi on this location, remove the # in front of the include line if one is present. If the line is already uncommented, leave it as it is and don't add a #.
# Uncomment to enable naxsi on this location
include /etc/nginx/naxsi.rules;
Step 3: Turning off learning mode
In order to let Naxsi protect your site, we need to turn off the learning mode. Open /etc/nginx/naxsi.rules:
vi /etc/nginx/naxsi.rules
Find the string LearningMode and place a # in front of it. That comments out the line and thus disables learning mode in the config.
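Before restarting in Step 4, the edits from Steps 2 and 3 can be checked with a small script. This is an added example, not part of the original tutorial or of the Naxsi project; the function names are made up here, and the files written by the demo function are constructed samples.

```sh
#!/bin/sh
# Added example, not part of the original tutorial: audit the Step 2-3 edits.

# Succeeds if file $1 has an uncommented "include $2;" line.
has_active_include() {
    path_re=$(printf '%s' "$2" | sed 's/[.]/\\./g')   # match dots literally
    grep -Eq "^[[:space:]]*include[[:space:]]+${path_re}[[:space:]]*;" "$1"
}

# Succeeds if file $1 still has an uncommented LearningMode directive.
learning_mode_on() {
    grep -Eq '^[[:space:]]*LearningMode[[:space:]]*;' "$1"
}

# Returns 0 if all checks pass, 1 if any fails, 2 if a file is unreadable.
# Arguments default to the paths used on this page.
naxsi_audit() {
    main_conf=${1:-/etc/nginx/nginx.conf}
    site_conf=${2:-/etc/nginx/sites-enabled/default}
    rules=${3:-/etc/nginx/naxsi.rules}
    for f in "$main_conf" "$site_conf" "$rules"; do
        [ -r "$f" ] || { echo "FAIL: cannot read $f"; return 2; }
    done
    failed=0
    has_active_include "$main_conf" /etc/nginx/naxsi_core.rules ||
        { echo "FAIL: naxsi_core.rules include missing or commented in $main_conf"; failed=1; }
    has_active_include "$site_conf" /etc/nginx/naxsi.rules ||
        { echo "FAIL: naxsi.rules include missing or commented in $site_conf"; failed=1; }
    if learning_mode_on "$rules"; then
        echo "FAIL: LearningMode is still active in $rules"; failed=1
    fi
    [ "$failed" -eq 0 ] && echo "ok: Naxsi rules are loaded and learning mode is off"
    return "$failed"
}

# Demo on constructed sample files: Step 2 done, Step 3 not yet done.
naxsi_audit_demo() {
    d=$(mktemp -d) || return 2
    printf '%s\n' 'http {' '    include /etc/nginx/naxsi_core.rules;' '}' > "$d/nginx.conf"
    printf '%s\n' 'location / {' '    include /etc/nginx/naxsi.rules;' '}' > "$d/default"
    printf '%s\n' '# constructed sample' 'LearningMode;' > "$d/naxsi.rules"
    naxsi_audit "$d/nginx.conf" "$d/default" "$d/naxsi.rules" && rc=0 || rc=$?
    rm -rf "$d"
    return "$rc"
}

# Replace with a plain "naxsi_audit" call to check the real files.
naxsi_audit_demo || true
```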
Step 4: Restarting Naxsi
Restart Nginx for the changes to take effect:
You can now see any security warnings from Naxsi in the Nginx log: