Naxsi is a piece of software that extends Nginx (module). It provides a WAF (Web Application Firewall) and protects your sites from XSS and SQL injection, two well-known vulnerabilities. According to its developers, Naxsi is a low-maintenance module, so once installed you should see a considerably big boost in your site's security without too much hassle.
In this doc, you're going to see how we can add the Naxsi module to a new or existing Nginx installation on Ubuntu 14.04.
Should you not have Nginx installed on your server yet, you should follow this step. If you already have an existing Nginx installation, follow step 1B. Before we're going to install Naxsi, it might be smart to update our system. Do this by executing:
Next, we can install Naxsi. Using
apt-get for the install, Naxsi and its dependencies will be installed. Naxsi will automatically be started on boot.
apt-get install nginx-naxsi
Step 1A cannot be followed in case Nginx is already installed, as the
nginx-naxsi package will be Nginx + Naxsi. If you already have Nginx and want Naxsi on top of that, generally, replacing the
nginx-core package with the
nginx-naxsi package should work fine. It is smart to create a backup of preferably your whole server, and the
/etc/nginx/ directory should be backed up as well.
If possible, deploy a new server with a totally new Nginx installation using the
nginx-naxsi package. If not, backup your server and type:
apt-get install nginx-naxsi
This should install Naxsi and replace the existing Nginx, but keep all your files.
In order to enable Naxsi, open the file
and find the following section:
# nginx-naxsi config ## # Uncomment it if you installed nginx-naxsi ## # include /etc/nginx/naxsi_core.rules;
# in front of the
include to load the Naxsi rules, which will enable Naxsi. After making that change, the line should look like this:
The configuration of Naxsi can be found in
/etc/nginx/naxsi.rules. You can see what it does and optionally change some settings, depending on your needs and the type of website(s) that you host.
After enabling Naxsi and editing the configuration, we need to enable Naxsi for our default site manually. Open
In order to enable Naxsi on this location, remove the
# if present, otherwise leave the
include line that way and don't add a
# Uncomment to enable naxsi on this location include /etc/nginx/naxsi.rules;
In order to let Naxsi protect your site, we need to turn off the learning mode. Open
Find the string
LearningMode, and place an
# in front of it. That comments out the line and thus disable the learning mode in the config.
Restart Nginx for the changes to take effect:
service nginx reload
You can now see any security warnings from Naxsi in the Nginx log:
tail -f /var/log/nginx/error.log