How to install and configure nginx-naxsi web application firewall on FreeBSD13

nginx-naxsi on FreeBSD

Naxsi “Nginx Anti XSS & SQL Injection” is a free, open-source and high-performance web application firewall that can be used to protect your webserver against different types of attacks like SQL Injections and Cross-Site Scripting. Naxsi works by detecting unexpected characters in the HTTP GET and POST requests. In this tutorial, we will show you how to install and configure nginx-naxsi firewall asa  reverse proxy on FreeBSD13 to protect a webserver of your choice behind it.

Install FreeBSD 13 on your system


We only selected 32-bit compatibility libraries


We created a partition with enough space for all logs in /var/log


We applied the offered hardening methods as seen in the image.

Enable remote management via SSH

Add following lines to /etc/ssh/sshd_config:

# Allow root login via sshd
PermitRootLogin yes

Restart sshd service to apply the setting.

# /etc/rc.d/sshd restart

Update FreeBSD to the latest version

# freebsd-update fetch
# freebsd-update install

Install nginx-naxsi package

Install the package, by doing this you will be asked to download the package-manager.

# pkg install nginx-naxsi

Enable the service on startup

# sysrc nginx_enable=YES

Configure nginx to properly load naxsi requirements

Create /usr/local/etc/nginx/naxsi.rules with following content:

## Enables learning mode
LearningMode;
## Enable rules
SecRulesEnabled;
#SecRulesDisabled;
## URL to redirect to if access is denied
DeniedUrl "/DeniedRequest";

## Check rules
CheckRule "$SQL >= 8" BLOCK;
CheckRule "$RFI >= 8" BLOCK;
CheckRule "$TRAVERSAL >= 4" BLOCK;
CheckRule "$EVADE >= 4" BLOCK;
CheckRule "$XSS >= 8" BLOCK;

Add http_naxsi_module.so to /usr/local/etc/nginx/nginx.conf:

load_module /usr/local/libexec/nginx/ngx_http_naxsi_module.so;

Add naxsi_core.rules to the http section of /usr/local/etc/nginx/nginx.conf:

include naxsi_core.rules;

Add naxsi.rules to the server section of /usr/local/etc/nginx/nginx.conf:

include naxsi.rules;

Find below our sample configuration.

load_module                  /usr/local/libexec/nginx/ngx_http_naxsi_module.so;
worker_processes             4;

events {
    worker_connections       2048;
}

http {
    include                  mime.types;
    include                  naxsi_core.rules;
    default_type             application/octet-stream;

    sendfile                 on;
    #tcp_nopush              on;

    keepalive_timeout        65;
    gzip                     on;

    server {
        listen               80;
        server_name          some.hostname.dom;
        location / {
            include          naxsi.rules;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_pass       http://1.2.3.4;
        }
    }
    server {
        listen               443 ssl;
        server_name          some.hostname.dom;
        ssl_certificate      certs/somecertfile.pem;
        ssl_certificate_key  certs/somekeyfile.key;
        ssl_session_cache    shared:SSL:1m;
        ssl_session_timeout  5m;
        ssl_ciphers          HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers on;
        location / {
            include          naxsi.rules;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_pass       https://1.2.3.4;
        }
    }
}

Store your certificates in /usr/local/etc/nginx/certs, then restart nginx.

# service restart nginx

Call the IP of the nginx host with illegal characters to simulate a illegal request.

http://127.0.0.1/?a=%3C

Check the logfile

# cat /var/log/nginx/error.log
2022/01/06 18:48:25 [error] 8404#0:*3 NAXSI_FMT: ip=127.0.0.1&server=127.0.0.1&uri=/&learning=0&vers=0.50&total_processed=3&total_blocked=1&zone0=ARGS&id0=1302&var_name0=a, client: 127.0.0.1, server: , request: "GET /?a=< HTTP/1.0", host: "127.0.0.1"

Hint: In case you want to have additional features options compieled, simply execute:

# cd /usr/ports/www/nginx-naxsi/work/nginx-1.18.0
# ./configure
-- a text ui pops up, select from here what you need to have.
# make
# make install

 

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.