How to install and configure the nginx-naxsi web application firewall on FreeBSD 13
Naxsi ("Nginx Anti XSS & SQL Injection") is a free, open-source and high-performance web application firewall that protects a web server against attacks such as SQL injection and cross-site scripting. Naxsi works by detecting unexpected characters in HTTP GET and POST requests and scoring each request against a set of rules. In this tutorial we show you how to install and configure the nginx-naxsi firewall as a reverse proxy on FreeBSD 13 to protect a web server of your choice behind it.
Install FreeBSD 13 on your system
We only selected 32-bit compatibility libraries
We created a partition with enough space for all logs in /var/log
We applied the hardening options offered by the installer.
Enable remote management via SSH
Add the following lines to /etc/ssh/sshd_config:
# Allow root login via sshd
PermitRootLogin yes
Restart sshd service to apply the setting.
# /etc/rc.d/sshd restart
Update FreeBSD to the latest version
# freebsd-update fetch
# freebsd-update install
Install nginx-naxsi package
Install the package; if the pkg package manager has not been bootstrapped yet, you will be asked to download it first.
# pkg install nginx-naxsi
Enable the service on startup
# sysrc nginx_enable=YES
Configure nginx to properly load naxsi requirements
Create /usr/local/etc/nginx/naxsi.rules with the following content:
## Enables learning mode
LearningMode;
## Enable rules
SecRulesEnabled;
#SecRulesDisabled;
## URL to redirect to if access is denied
DeniedUrl "/DeniedRequest";
## Check rules
CheckRule "$SQL >= 8" BLOCK;
CheckRule "$RFI >= 8" BLOCK;
CheckRule "$TRAVERSAL >= 4" BLOCK;
CheckRule "$EVADE >= 4" BLOCK;
CheckRule "$XSS >= 8" BLOCK;
Load ngx_http_naxsi_module.so at the top level (outside any block) of /usr/local/etc/nginx/nginx.conf:
load_module /usr/local/libexec/nginx/ngx_http_naxsi_module.so;
Add naxsi_core.rules to the http section of /usr/local/etc/nginx/nginx.conf:
include naxsi_core.rules;
Add naxsi.rules to the server section of /usr/local/etc/nginx/nginx.conf:
include naxsi.rules;
Find below our sample configuration. Note that naxsi delivers a blocked request to the DeniedUrl from naxsi.rules (/DeniedRequest) by internal redirect, so each server block should also define a location for that path (for example one that returns 403); without it the redirected request falls back into location / and is proxied to the backend.
load_module /usr/local/libexec/nginx/ngx_http_naxsi_module.so;
worker_processes 4;

events {
    worker_connections 2048;
}

http {
    include mime.types;
    include naxsi_core.rules;
    default_type application/octet-stream;
    sendfile on;
    #tcp_nopush on;
    keepalive_timeout 65;
    gzip on;

    server {
        listen 80;
        server_name some.hostname.dom;
        location / {
            include naxsi.rules;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_pass http://1.2.3.4;
        }
    }

    server {
        listen 443 ssl;
        server_name some.hostname.dom;
        ssl_certificate certs/somecertfile.pem;
        ssl_certificate_key certs/somekeyfile.key;
        ssl_session_cache shared:SSL:1m;
        ssl_session_timeout 5m;
        ssl_ciphers HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers on;
        location / {
            include naxsi.rules;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_pass https://1.2.3.4;
        }
    }
}
Store your certificates in /usr/local/etc/nginx/certs, then restart nginx.
# service nginx restart
Request the IP of the nginx host with an illegal character in a query parameter to simulate a malicious request:
http://127.0.0.1/?a=%3C
Check the log file:
# cat /var/log/nginx/error.log
2022/01/06 18:48:25 [error] 8404#0:*3 NAXSI_FMT: ip=127.0.0.1&server=127.0.0.1&uri=/&learning=0&vers=0.50&total_processed=3&total_blocked=1&zone0=ARGS&id0=1302&var_name0=a, client: 127.0.0.1, server: , request: "GET /?a=< HTTP/1.0", host: "127.0.0.1"
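To see how the CheckRule thresholds from naxsi.rules turn per-rule scores into a block decision, here is an added Python example (not part of the original tutorial) that parses NAXSI_FMT lines of the shape shown above and evaluates the thresholds. The rule-id score table is an assumption copied from the stock naxsi_core.rules; check the ids against the copy installed with your package.

```python
import re
from urllib.parse import parse_qsl

# CheckRule thresholds exactly as set in the naxsi.rules file above.
CHECK_RULES = {"SQL": 8, "RFI": 8, "TRAVERSAL": 4, "EVADE": 4, "XSS": 8}

# Assumed score table (rule id -> counters it increments), taken from the stock
# naxsi_core.rules; id 1302 ("<", html open tag) is the one in the log line above.
RULE_SCORES = {
    1000: {"SQL": 4},            # sql keywords
    1001: {"SQL": 8, "XSS": 8},  # double quote
    1302: {"XSS": 8},            # html open tag
    1303: {"XSS": 8},            # html close tag
}

# Constructed sample lines in the NAXSI_FMT format seen in error.log.
LOG_OPEN_TAG = ('2022/01/06 18:48:25 [error] 8404#0:*3 NAXSI_FMT: ip=127.0.0.1&server=127.0.0.1'
                '&uri=/&learning=0&vers=0.50&total_processed=3&total_blocked=1&zone0=ARGS'
                '&id0=1302&var_name0=a, client: 127.0.0.1, server: , request: "GET /?a=< HTTP/1.0"')
LOG_QUOTE = ('2022/01/06 18:50:01 [error] 8404#0:*4 NAXSI_FMT: ip=127.0.0.1&server=127.0.0.1'
             '&uri=/&learning=0&vers=0.50&total_processed=4&total_blocked=2&zone0=ARGS'
             '&id0=1001&var_name0=a, client: 127.0.0.1, server: , request: "GET /?a=%22 HTTP/1.0"')

NAXSI_FMT = re.compile(r"NAXSI_FMT: (?P<kv>[^,]+)")

def parse_naxsi_fmt(line):
    """Return (fields, matches) where matches is a list of (zone, rule id, variable)."""
    m = NAXSI_FMT.search(line)
    if not m:
        return None
    fields = dict(parse_qsl(m.group("kv"), keep_blank_values=True))
    matches, i = [], 0
    while f"id{i}" in fields:  # zone0/id0/var_name0, zone1/id1/var_name1, ...
        matches.append((fields.get(f"zone{i}"), int(fields[f"id{i}"]), fields.get(f"var_name{i}")))
        i += 1
    return fields, matches

def score(matches):
    """Add up the counters each matched rule increments (naxsi does this per request)."""
    totals = {name: 0 for name in CHECK_RULES}
    for _zone, rule_id, _var in matches:
        for counter, points in RULE_SCORES.get(rule_id, {}).items():
            totals[counter] += points
    return totals

def blocking_rules(line):
    """Names of the CheckRules whose threshold the request reached (empty if none)."""
    parsed = parse_naxsi_fmt(line)
    if parsed is None:
        return []
    totals = score(parsed[1])
    return [name for name, limit in CHECK_RULES.items() if totals[name] >= limit]
```

Running blocking_rules() over the tail of error.log is a quick way to see which counter actually tripped for a blocked request before deciding whether a rule needs a whitelist.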
Hint: In case you want additional feature options compiled in, simply execute:
# cd /usr/ports/www/nginx-naxsi/work/nginx-1.18.0
# ./configure
-- a text UI pops up; select the options you need from there.
# make
# make install