Naxsi is a lightweight third-party web security module for nginx. It protects web applications against application-layer attacks such as SQL injection, XSS, CSRF and directory traversal, and it inspects and filters the GET, POST and Cookie data of every request.
Naxsi's main protection mechanism is a built-in, extremely strict set of core rules (Core Rules) that block threats, paired with a user-defined whitelist (White List) that stops legitimate requests from being blocked by mistake. Tuning these two sides against each other is how you balance security protection against business access.
Below we walk through the whole process of building nginx with the Naxsi module:
Download the NGINX and NAXSI source files
cd /usr/src
wget http://nginx.org/download/nginx-1.2.4.tar.gz
wget http://naxsi.googlecode.com/files/naxsi-core-0.48.tgz
tar xzf nginx-1.2.4.tar.gz
tar xzf naxsi-core-0.48.tgz
ln -s nginx-1.2.4 nginx
# the configure and cp steps below reference /usr/src/naxsi, so name the link accordingly
ln -s naxsi-core-0.48 naxsi
Build and install
Compile and install nginx together with naxsi:
cd nginx
./configure --conf-path=/etc/nginx/nginx.conf \
    --add-module=../naxsi/naxsi_src/ \
    --error-log-path=/var/log/nginx/err \
    --prefix=/opt/nginx \
    --without-mail_pop3_module \
    --without-mail_imap_module \
    --without-mail_smtp_module
make && make install
Security rule configuration
Preparation:
cd /etc/nginx
cp /usr/src/naxsi/naxsi_config/naxsi_core.rules .
touch /tmp/naxsi_rules.tmp
mkdir /etc/nginx/sites-enabled/
Configuration template for /etc/nginx/nginx.conf:
user nginx;
worker_processes 1;
worker_rlimit_core 500M;
working_directory /tmp/;
error_log /var/log/nginx/error.log;
pid /var/run/nginx.pid;

events {
    worker_connections 1024;
    use epoll;
    # multi_accept on;
}

http {
    include /etc/nginx/naxsi_core.rules;
    include /etc/nginx/mime.types;
    server_names_hash_bucket_size 128;
    access_log /var/log/nginx/access.log;
    sendfile on;
    keepalive_timeout 65;
    tcp_nodelay on;
    gzip on;
    gzip_disable "MSIE [1-6].(?!.*SV1)";
    include /etc/nginx/sites-enabled/*;
}
Configuration template for the /etc/nginx/sites-enabled/default virtual host:
server {
    proxy_set_header Proxy-Connection "";
    listen 192.168.10.15:81;
    access_log /var/log/nginx/naxsi_access.log;
    error_log /var/log/nginx/naxsi_error.log debug;

    location / {
        include /etc/nginx/test.rules;
        proxy_pass http://192.168.10.11/;
    }

    # This location is where, in learning mode, to-be-forbidden requests
    # will be "copied".
    # In non-learning mode, it's where denied requests will land, so feel free to
    # do whatever you want: return 418 I'm a teapot, forward to a custom webpage with
    # a captcha to help track false-positives (see contrib for that),
    # whatever you want to do!
    error_page 403 /403.html;
    location = /403.html {
        root /opt/nginx/html;
        internal;
    }
    location /RequestDenied {
        return 403;
        #proxy_pass http://127.0.0.1:4242;
    }
}
/etc/nginx/test.rules: security rule definitions applied globally or to an individual virtual host
LearningMode;    # Enables learning mode
SecRulesEnabled;
#SecRulesDisabled;
DeniedUrl "/RequestDenied";
include "/tmp/naxsi_rules.tmp";

## check rules
CheckRule "$SQL >= 8" BLOCK;
CheckRule "$RFI >= 8" BLOCK;
CheckRule "$TRAVERSAL >= 4" BLOCK;
CheckRule "$EVADE >= 4" BLOCK;
CheckRule "$XSS >= 8" BLOCK;
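With LearningMode on, naxsi does not block; it writes a NAXSI_FMT line to the error log for every request that would have been denied, naming the zone, the rule id and the variable that matched. Those lines are the raw material for the whitelist that test.rules pulls in from /tmp/naxsi_rules.tmp. The following POSIX shell function is an added example, not part of the original post or of the Naxsi project: it reads such log lines and prints BasicRule whitelist entries in naxsi's mz syntax. The function name naxsi_to_whitelist and both sample log lines are constructed for this example; the field names (zoneN, idN, varN, the trailing ", client:" suffix) follow the NAXSI_FMT layout as I understand it and should be checked against your own naxsi_error.log.

```shell
#!/bin/sh
# Added example (not from the original post or the Naxsi project).
# Turn NAXSI_FMT learning-mode log lines into BasicRule whitelist lines.
# Usage: naxsi_to_whitelist < /var/log/nginx/naxsi_error.log > candidates.rules

naxsi_to_whitelist() {
  awk -F'&' '
  /NAXSI_FMT/ {
    # nginx appends ", client: ..., request: ..." after the last field; drop it
    # (assigning to $0 re-splits the record on "&").
    sub(/, client:.*$/, "", $0)
    split("", zone); split("", rid); split("", var)
    for (i = 1; i <= NF; i++) {
      eq = index($i, "=")
      if (eq == 0) continue
      k = substr($i, 1, eq - 1); v = substr($i, eq + 1)
      sub(/^.*[ \t]/, "", k)        # field 1 carries the log prefix up to "ip"
      if (k ~ /^zone[0-9]+$/)      zone[substr(k, 5)] = v
      else if (k ~ /^id[0-9]+$/)   rid[substr(k, 3)] = v
      else if (k ~ /^var[0-9]+$/)  var[substr(k, 4)] = v
    }
    # naxsi numbers matches from 0 upwards; walk them in order.
    for (n = 0; (n in rid); n++) {
      if (n in var && var[n] != "")
        # named variable inside a zone, e.g. mz:$ARGS_VAR:q
        printf "BasicRule wl:%s \"mz:$%s_VAR:%s\";\n", rid[n], zone[n], var[n]
      else
        # no variable reported (e.g. the URL zone): whitelist the zone as a whole
        printf "BasicRule wl:%s \"mz:%s\";\n", rid[n], zone[n]
    }
  }' | sort -u
}

# Constructed sample lines in the NAXSI_FMT shape (not real log output).
SAMPLE_LOG='2012/10/01 12:00:00 [error] 1234#0: *1 NAXSI_FMT: ip=192.168.10.20&server=192.168.10.15&uri=/search&learning=1&total_processed=3&total_blocked=1&zone0=ARGS&id0=1000&var0=q&zone1=ARGS&id1=1001&var1=q, client: 192.168.10.20, server: , request: "GET /search?q=test HTTP/1.1", host: "192.168.10.15:81"'
SAMPLE_LOG_URL='2012/10/01 12:00:01 [error] 1234#0: *2 NAXSI_FMT: ip=192.168.10.20&server=192.168.10.15&uri=/static/app.css&learning=1&total_processed=4&total_blocked=2&zone0=URL&id0=1005, client: 192.168.10.20, server: , request: "GET /static/app.css HTTP/1.1", host: "192.168.10.15:81"'

# Stand-alone demo: print the whitelist candidates for the two sample lines.
printf '%s\n%s\n' "$SAMPLE_LOG" "$SAMPLE_LOG_URL" | naxsi_to_whitelist
```

Review the output before appending it to /tmp/naxsi_rules.tmp and reloading: learning mode records every request that would have been denied, so a real probe that hit the site during the learning window produces a candidate line just like a false positive does. Whitelisting only the exact zone and variable (mz:$ARGS_VAR:q rather than a whole zone) keeps the exception as narrow as the core rules allow.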
/opt/nginx/html/403.html: the block page shown for denied requests
<html>
<head><title>Error 403 Request Denied</title></head>
<body>
<h1>Error 403 Request Denied</h1>
<p>For some reason, your request has been denied.</p>
</body>
</html>
Starting and running
Start nginx:
/opt/nginx/sbin/nginx
Stop nginx:
/opt/nginx/sbin/nginx -s stop
Check the nginx configuration syntax:
/opt/nginx/sbin/nginx -t
Reload the nginx configuration (including the naxsi rules):
/opt/nginx/sbin/nginx -s reload