{"id":1524,"date":"2022-01-06T20:42:11","date_gmt":"2022-01-06T19:42:11","guid":{"rendered":"https:\/\/www.web-workers.ch\/?p=1524"},"modified":"2022-01-07T11:33:04","modified_gmt":"2022-01-07T10:33:04","slug":"how-to-install-and-configure-nginx-naxsi-web-application-firewall-on-freebsd13","status":"publish","type":"post","link":"https:\/\/www.web-workers.ch\/index.php\/2022\/01\/06\/how-to-install-and-configure-nginx-naxsi-web-application-firewall-on-freebsd13\/","title":{"rendered":"How to install and configure nginx-naxsi web application firewall on FreeBSD13"},"content":{"rendered":"\r\n

Naxsi “Nginx Anti XSS & SQL Injection<\/a>” is a free, open-source and high-performance web application firewall that can be used to protect your webserver against different types of attacks like SQL Injections and Cross-Site Scripting. Naxsi works by detecting unexpected characters in the HTTP GET and POST requests. In this tutorial, we will show you how to install and configure nginx-naxsi firewall asa\u00a0 reverse proxy on FreeBSD13<\/a> to protect a webserver of your choice behind it.<\/p>\r\n

Install FreeBSD 13 on your system<\/h3>\r\n

\"\"
We only selected 32-bit compatibility libraries

\"\"
We created a partition with enough space for all logs in \/var\/log

\"\"
We applied the offered hardening methods as seen in the image.<\/p>\r\n

Enable remote management via SSH<\/h3>\r\n

Add following lines to \/etc\/ssh\/sshd_config:<\/p>\r\n

\r\n
# Allow root login via sshd\r\nPermitRootLogin yes<\/code><\/pre>\r\n<\/div>\r\n
Restart sshd service to apply the setting.<\/p>\r\n
\r\n
# \/etc\/rc.d\/sshd restart<\/code><\/pre>\r\n<\/div>\r\n
Update FreeBSD to the latest version<\/h3>\r\n
\r\n
# freebsd-update fetch\r\n# freebsd-update install<\/code><\/pre>\r\n<\/div>\r\n
Install nginx-naxsi package<\/h3>\r\n
Install the package, by doing this you will be asked to download the package-manager.
<\/span><\/p>\r\n
\r\n
# pkg install nginx-naxsi<\/code><\/pre>\r\n<\/div>\r\n
Enable the service on startup
<\/span><\/p>\r\n
\r\n
# sysrc nginx_enable=YES<\/code><\/pre>\r\n<\/div>\r\n
Configure nginx to properly load naxsi requirements<\/h3>\r\n
Create \/usr\/local\/etc\/nginx\/naxsi.rules with following content:<\/p>\r\n
\r\n
## Enables learning mode\r\nLearningMode;\r\n## Enable rules\r\nSecRulesEnabled;\r\n#SecRulesDisabled;\r\n## URL to redirect to if access is denied\r\nDeniedUrl \"\/DeniedRequest\";\r\n\r\n## Check rules\r\nCheckRule \"$SQL >= 8\" BLOCK;\r\nCheckRule \"$RFI >= 8\" BLOCK;\r\nCheckRule \"$TRAVERSAL >= 4\" BLOCK;\r\nCheckRule \"$EVADE >= 4\" BLOCK;\r\nCheckRule \"$XSS >= 8\" BLOCK;\r\n<\/code><\/pre>\r\n<\/div>\r\n
Add http_naxsi_module.so to \/usr\/local\/etc\/nginx\/nginx.conf:<\/p>\r\n
\r\n
load_module \/usr\/local\/libexec\/nginx\/ngx_http_naxsi_module.so;<\/code><\/pre>\r\n<\/div>\r\n
Add naxsi_core.rules to the http section of \/usr\/local\/etc\/nginx\/nginx.conf:<\/p>\r\n
\r\n
include naxsi_core.rules;<\/code><\/pre>\r\n<\/div>\r\n
Add naxsi.rules to the server section of \/usr\/local\/etc\/nginx\/nginx.conf:<\/p>\r\n
\r\n
include naxsi.rules;<\/code><\/pre>\r\n<\/div>\r\n
Find below our sample configuration.<\/p>\r\n
\r\n
load_module                  \/usr\/local\/libexec\/nginx\/ngx_http_naxsi_module.so;\r\nworker_processes             4;\r\n\r\nevents {\r\n    worker_connections       2048;\r\n}\r\n\r\nhttp {\r\n    include                  mime.types;\r\n    include                  naxsi_core.rules;\r\n    default_type             application\/octet-stream;\r\n\r\n    sendfile                 on;\r\n    #tcp_nopush              on;\r\n\r\n    keepalive_timeout        65;\r\n    gzip                     on;\r\n\r\n    server {\r\n        listen               80;\r\n        server_name          some.hostname.dom;\r\n        location \/ {\r\n            include          naxsi.rules;\r\n            proxy_set_header Host $host;\r\n            proxy_set_header X-Real-IP $remote_addr;\r\n            proxy_pass       http:\/\/1.2.3.4;\r\n        }\r\n    }\r\n    server {\r\n        listen               443 ssl;\r\n        server_name          some.hostname.dom;\r\n        ssl_certificate      certs\/somecertfile.pem;\r\n        ssl_certificate_key  certs\/somekeyfile.key;\r\n        ssl_session_cache    shared:SSL:1m;\r\n        ssl_session_timeout  5m;\r\n        ssl_ciphers          HIGH:!aNULL:!MD5;\r\n        ssl_prefer_server_ciphers on;\r\n        location \/ {\r\n            include          naxsi.rules;\r\n            proxy_set_header Host $host;\r\n            proxy_set_header X-Real-IP $remote_addr;\r\n            proxy_pass       https:\/\/1.2.3.4;\r\n        }\r\n    }\r\n}\r\n<\/code><\/pre>\r\n<\/div>\r\n
Store your certificates in \/usr\/local\/etc\/nginx\/certs, then restart nginx.<\/p>\r\n
\r\n
# service restart nginx<\/code><\/pre>\r\n<\/div>\r\n
Call the IP of the nginx host with illegal characters to simulate a illegal request.<\/span><\/p>\r\n
http:\/\/127.0.0.1\/?a=%3C<\/p>\r\n
Check the logfile<\/p>\r\n
\r\n
# cat \/var\/log\/nginx\/error.log\r\n2022\/01\/06 18:48:25 [error] 8404#0:*3 NAXSI_FMT: ip=127.0.0.1&server=127.0.0.1&uri=\/&learning=0&vers=0.50&total_processed=3&total_blocked=1&zone0=ARGS&id0=1302&var_name0=a, client: 127.0.0.1, server: , request: \"GET \/?a=< HTTP\/1.0\", host: \"127.0.0.1\"<\/code><\/pre>\r\n<\/div>\r\n
Hint: In case you want to have additional features options compieled, simply execute:<\/p>\r\n
\r\n
# cd \/usr\/ports\/www\/nginx-naxsi\/work\/nginx-1.18.0\r\n# .\/configure\r\n-- a text ui pops up, select from here what you need to have.\r\n# make\r\n# make install<\/code><\/pre>\r\n<\/div>\r\n
 <\/p>\r\n","protected":false},"excerpt":{"rendered":"
Naxsi “Nginx Anti XSS & SQL Injection” is a free, open-source and high-performance web application firewall that can be used to protect your webserver against different types of attacks like […]<\/p>\n","protected":false},"author":1,"featured_media":1562,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"How to install and configure nginx-naxsi web application firewall on FreeBSD13","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":true,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[163],"tags":[69,56,165,164,169,168,166,167],"class_list":["post-1524","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-freebsd","tag-firewall","tag-freebsd","tag-naxsi","tag-nginx","tag-proxy","tag-reverse","tag-waf","tag-web-application-firewall"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"https:\/\/i0.wp.com\/www.web-workers.ch\/wp-content\/uploads\/2022\/01\/nginx-naxsi1.png?fit=2240%2C1138&ssl=1","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/p8sxjX-oA","jetpack-related-posts":[],"jetpack_likes_enabled":true,"_links":{"self":[{"href":"https:\/\/www.web-workers.ch\/index.php\/wp-json\/wp\/v2\/posts\/1524","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.web-workers.ch\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.web-workers.ch\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.web-workers.ch\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.web-workers.ch\/index.php\/wp-json\/wp\/v2\/comments?post=1524"}],"version-history":[{"count":38,"href":"https:\/\/www.web-workers.ch\/index.php\/wp-json\/wp\/v2\/posts\/1524\/revisions"}],"predecessor-version":[{"id":1566,"href":"https:\/\/www.web-workers.ch\/index.php\/wp-json\/wp\/v2\/posts\/1524\/revisions\/1566"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.web-workers.ch\/index.php\/wp-json\/wp\/v2\/media\/1562"}],"wp:attachment":[{"href":"https:\/\/www.web-workers.ch\/index.php\/wp-json\/wp\/v2\/media?parent=1524"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.web-workers.ch\/index.php\/wp-json\/wp\/v2\/categories?post=1524"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.web-workers.ch\/index.php\/wp-json\/wp\/v2\/tags?post=1524"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}