Nginx uses Naxsi to build a Web application firewall (WAF), anti-XSS, anti-injection XXX

Source: Internet
Author: User
Tags: curl, nginx, server

Naxsi is an open source, efficient and low-maintenance rule-based Web Application Firewall (WAF) module for Nginx. Its primary goal is to harden web applications against SQL injection, cross-site scripting, cross-site request forgery, and local and remote file inclusion vulnerabilities.
Website address: https://github.com/nbs-system/naxsi

Naxsi has no special dependencies of its own; it needs libpcre, libssl, zlib and gzip, all of which Nginx already integrates.

    • Download the Naxsi module

    [[email protected] soft]# wget https://github.com/nbs-system/naxsi/archive/master.zip
    [[email protected] soft]# unzip master.zip    # the archive is a zip, not a tarball; it unpacks into naxsi-master/

    • Recompile nginx with the Naxsi module added

    [[email protected] ~]# cd /opt/openresty/nginx/sbin/    # go to the directory of the currently running nginx
    [[email protected] sbin]# ./nginx -V    # show the parameters the running binary was compiled with
    nginx version: openresty/1.11.2.5
    built by gcc 4.8.5 20150623 (Red Hat 4.8.5-16) (GCC)
    built with OpenSSL 1.0.2k-fips Jan 2017
    TLS SNI support enabled
    configure arguments: --prefix=/opt/openresty/nginx --with-cc-opt=-O2 --add-module=../ngx_devel_kit-0.3.0 --add-module=../iconv-nginx-module-0.14 --add-module=../echo-nginx-module-0.61 --add-module=../xss-nginx-module-0.05 --add-module=../ngx_coolkit-0.2rc3 --add-module=../set-misc-nginx-module-0.31 --add-module=../form-input-nginx-module-0.12 --add-module=../encrypted-session-nginx-module-0.06 --add-module=../srcache-nginx-module-0.31 --add-module=../ngx_lua-0.10.10 --add-module=../ngx_lua_upstream-0.07 --add-module=../headers-more-nginx-module-0.32 --add-module=../array-var-nginx-module-0.05 --add-module=../memc-nginx-module-0.18 --add-module=../redis-nginx-module-0.3.7 --add-module=../rds-json-nginx-module-0.14 --add-module=../rds-csv-nginx-module-0.07 --with-ld-opt=-Wl,-rpath,/opt/openresty/luajit/lib --with-http_realip_module --with-pcre --with-http_ssl_module
    [[email protected] sbin]# cd /opt/soft/openresty-1.11.2.5/    # go to the OpenResty source directory
    [[email protected] openresty-1.11.2.5]# ./configure --prefix=/opt/openresty/nginx --with-cc-opt=-O2 --add-module=../ngx_devel_kit-0.3.0 --add-module=../iconv-nginx-module-0.14 --add-module=../echo-nginx-module-0.61 --add-module=../xss-nginx-module-0.05 --add-module=../ngx_coolkit-0.2rc3 --add-module=../set-misc-nginx-module-0.31 --add-module=../form-input-nginx-module-0.12 --add-module=../encrypted-session-nginx-module-0.06 --add-module=../srcache-nginx-module-0.31 --add-module=../ngx_lua-0.10.10 --add-module=../ngx_lua_upstream-0.07 --add-module=../headers-more-nginx-module-0.32 --add-module=../array-var-nginx-module-0.05 --add-module=../memc-nginx-module-0.18 --add-module=../redis-nginx-module-0.3.7 --add-module=../rds-json-nginx-module-0.14 --add-module=../rds-csv-nginx-module-0.07 --with-ld-opt=-Wl,-rpath,/opt/openresty/luajit/lib --with-http_realip_module --with-pcre --with-http_ssl_module --add-module=/opt/soft/naxsi-master/naxsi_src/
    # first attempt: reuse the previous compile parameters and append the Naxsi module, pointing at the naxsi_src directory inside the naxsi source tree
    ./configure: error: no /opt/soft/openresty-1.11.2.5/../ngx_devel_kit-0.3.0/config was found
    # this fails: the ../xxx module paths shown by ./nginx -V are added by OpenResty itself; they live under the bundle root and are appended automatically at compile time, so they must not be passed again
    ERROR: failed to run command: sh ./configure --prefix=/opt/openresty/nginx/nginx \ ...
    [[email protected] openresty-1.11.2.5]# ./configure --prefix=/opt/openresty/ --add-module=/opt/soft/naxsi-master/naxsi_src/ --with-luajit    # only these options are needed
    [[email protected] openresty-1.11.2.5]# gmake
    [[email protected] openresty-1.11.2.5]# find . -type f -iname nginx
    ./build/nginx-1.11.2/objs/nginx
    [[email protected] openresty-1.11.2.5]# cp /opt/openresty/nginx/sbin/nginx{,.20180803bak}    # this step is important: back up the running binary before replacing it
    [[email protected] openresty-1.11.2.5]# cp ./build/nginx-1.11.2/objs/nginx /opt/openresty/nginx/sbin/nginx
    cp: overwrite '/opt/openresty/nginx/sbin/nginx'? y
    cp: cannot create regular file '/opt/openresty/nginx/sbin/nginx': Text file busy
    [[email protected] openresty-1.11.2.5]# killall -9 nginx    # the running binary blocks the copy; note this stops serving until nginx is started again (nginx's USR2 hot binary upgrade avoids the outage)
    [[email protected] openresty-1.11.2.5]# cp build/nginx-1.11.2/objs/nginx /opt/openresty/nginx/sbin/
    cp: overwrite '/opt/openresty/nginx/sbin/nginx'? y
    [[email protected] openresty-1.11.2.5]# cd !$
    cd /opt/openresty/nginx/sbin/
    [[email protected] sbin]# ./nginx -V    # the Naxsi module now appears in the configure arguments
    nginx version: openresty/1.11.2.5
    built by gcc 4.8.5 20150623 (Red Hat 4.8.5-28) (GCC)
    built with OpenSSL 1.0.2k-fips Jan 2017
    TLS SNI support enabled
    configure arguments: --prefix=/opt/openresty//nginx --with-cc-opt=-O2 --add-module=../ngx_devel_kit-0.3.0 --add-module=../echo-nginx-module-0.61 --add-module=../xss-nginx-module-0.05 --add-module=../ngx_coolkit-0.2rc3 --add-module=../set-misc-nginx-module-0.31 --add-module=../form-input-nginx-module-0.12 --add-module=../encrypted-session-nginx-module-0.06 --add-module=../srcache-nginx-module-0.31 --add-module=../ngx_lua-0.10.10 --add-module=../ngx_lua_upstream-0.07 --add-module=../headers-more-nginx-module-0.32 --add-module=../array-var-nginx-module-0.05 --add-module=../memc-nginx-module-0.18 --add-module=../redis2-nginx-module-0.14 --add-module=../redis-nginx-module-0.3.7 --add-module=../rds-json-nginx-module-0.14 --add-module=../rds-csv-nginx-module-0.07 --with-ld-opt=-Wl,-rpath,/opt/openresty/luajit/lib --add-module=/opt/soft/naxsi-master/naxsi_src --with-http_ssl_module

Copy the naxsi core rules file to nginx/conf

[[email protected] build]# cp /opt/soft/naxsi-master/naxsi_config/naxsi_core.rules /opt/openresty/nginx/conf/

Include the naxsi core rules file in nginx.conf

    [[email protected] build]# cp /opt/openresty/nginx/conf/nginx.conf{,.20190804bak}
    [[email protected] build]# vim /opt/openresty/nginx/conf/nginx.conf
    ......
    http {
        include       mime.types;
        include       naxsi_core.rules;      # load the naxsi core rules file
        default_type  application/octet-stream;
        ......
    }
    ......

Configure the naxsi rules in a new file, naxsi.rules

    [[email protected] build]# vim /opt/openresty/nginx/conf/naxsi.rules
    #LearningMode          # Learning mode: requests that trigger rules are not refused, they are only written to the file set by error_log.
                           # If you are unsure what effect the rules will have, start in learning mode; it does not block illegal requests.
                           # Enable blocking mode only after the rules have been tested, to avoid unexpected effects on the site or server.
    #SecRulesEnabled|SecRulesDisabled
    SecRulesEnabled;       # enable the Naxsi module
    DeniedUrl "/RequestDenied";     # denied requests are sent to this internal URL
    # check rules: set the trigger threshold for each category; once a threshold is reached the request is blocked
    CheckRule "$SQL >= 8" BLOCK;
    CheckRule "$RFI >= 8" BLOCK;
    CheckRule "$TRAVERSAL >= 4" BLOCK;
    CheckRule "$EVADE >= 4" BLOCK;
    CheckRule "$XSS >= 8" BLOCK;
    # naxsi log
    error_log        logs/naxsi.log;

Add naxsi to the virtual host (anti-XXX)

    [[email protected] build]# vim /opt/openresty/nginx/conf/nginx.conf
    ......
    http {
        ...
        server {
            ...
            location / {
                ...
                include naxsi.rules;
                ......
            }
            ...
            error_page 502 503 504 /50x.html;
            location = /50x.html {
                root html;
            }
            location /RequestDenied {      # return code for the DeniedUrl defined in naxsi.rules
                return 403;
            }
            error_page 403 /403.html;
            location = /403.html {
                root html;
            }
            ......
        }
        ......
    }
    ......
    [[email protected] build]# vim /opt/openresty/nginx/html/403.html

Test Naxsi
Run from a separate test machine: curl http://192.168.100.127/?a=%3C

[[email protected] ~]# curl http://192.168.100.127/?a=%3C

Nginx server log

    [[email protected] sbin]# tail -500f /opt/openresty/nginx/logs/naxsi.log
    2018/08/04 21:53:03 [error] 4824#0: *7 NAXSI_FMT: ip=10.10.13.100&server=192.168.100.127&uri=/&learning=0&vers=0.56&total_processed=3&total_blocked=1&block=1&cscore0=$XSS&score0=8&zone0=ARGS&id0=1302&var_name0=a, client: 10.10.13.100, server: localhost, request: "GET /?a=%3C HTTP/1.1", host: "192.168.100.127"

If a NAXSI_FMT message like this appears in the error log, naxsi is working: the request was blocked (block=1) because the `<` in parameter a matched rule 1302 and pushed the $XSS score to 8.

You can also add a whitelist file, naxsi_BasicRule.conf

    [[email protected] sbin]# vim /opt/openresty/nginx/conf/naxsi_BasicRule.conf
    BasicRule wl:0 "mz:$ARGS_VAR:script";    # wl:0 disables every rule for this GET parameter
    BasicRule wl:0 "mz:$ARGS_VAR:id";
    # this file must be included in the same location block as naxsi.rules for the whitelist to take effect
    [[email protected] sbin]# ./nginx -s reload

This shows that XSS is intercepted as normal, but is no longer intercepted once the whitelist is added: a GET parameter named id or script is not inspected at all.

Test Naxsi

Normal input: http://192.168.100.127 can be accessed normally

Add parameters to the address above, for example http://192.168.100.127/?id=1 or http://192.168.100.127/?id=1%20AND%201=1: both return the same page as above, because the id parameter is whitelisted and its value is therefore not checked against any rule

Accessing http://192.168.100.127/?name=40//and//1=1 returns the 403 Request Denied error: the conditional injection is blocked

Accessing http://192.168.100.127/?name=%28%29 returns the 403 Request Denied error: the special characters are blocked

Whitelist rule syntax:
BasicRule wl:ID [negative] [mz:[$URL:target_url]|[match_zone]|[$ARGS_VAR:varname]|[$BODY_VAR:varname]|[$HEADERS_VAR:varname]|[NAME]]

wl:ID (whitelist ID): which interception rules are whitelisted
wl:0: whitelist all interception rules
wl:42: whitelist the interception rule with ID 42
wl:42,41,43: whitelist the interception rules with IDs 42, 41 and 43
wl:-42: whitelist all interception rules except the one with ID 42

mz: (match zones)
ARGS: all GET parameters, e.g. foo=bar&in=%20
$ARGS_VAR: the name of a GET parameter, e.g. foo and in in foo=bar&in=%20
$ARGS_VAR_X: GET parameter name matched by a regular expression
HEADERS: all HTTP request headers
$HEADERS_VAR: the name of an HTTP header
$HEADERS_VAR_X: HTTP header name matched by a regular expression
BODY: the entire POST body
$BODY_VAR: the name of a POST parameter
$BODY_VAR_X: POST parameter name matched by a regular expression
URL: the URL (the part before the ?)
URL_X: URL matched by a regular expression (the part before the ?)
FILE_EXT: file name (the name of the file sent in a POST upload)
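As an added example (not from the original post or the naxsi project), the following Python parses NAXSI_FMT log entries like the one shown in the server log above, re-applies the CheckRule thresholds from naxsi.rules, and turns each rule hit into the narrowest BasicRule the whitelist syntax above allows, scoped to the URL and variable, rather than the blanket wl:0 used earlier. The second sample log line, the /search?q=%28%29 request and the rule ids 1010/1011 for it are constructed.

```python
import re
from urllib.parse import parse_qs

THRESHOLDS = {"$SQL": 8, "$RFI": 8, "$TRAVERSAL": 4, "$EVADE": 4, "$XSS": 8}  # from naxsi.rules above
ZONE_TO_MZ = {"ARGS": "$ARGS_VAR", "BODY": "$BODY_VAR", "HEADERS": "$HEADERS_VAR"}  # log zone -> whitelist mz
FMT_RE = re.compile(r"NAXSI_FMT: (?P<fmt>.+?), client: ")

# Constructed sample: line 1 is the entry shown above; line 2 is a made-up learning-mode
# hit on a hypothetical /search?q=%28%29 request (1010/1011 are the core "(" and ")" rules).
SAMPLE_LOG = """\
2018/08/04 21:53:03 [error] 4824#0: *7 NAXSI_FMT: ip=10.10.13.100&server=192.168.100.127&uri=/&learning=0&vers=0.56&total_processed=3&total_blocked=1&block=1&cscore0=$XSS&score0=8&zone0=ARGS&id0=1302&var_name0=a, client: 10.10.13.100, server: localhost, request: "GET /?a=%3C HTTP/1.1", host: "192.168.100.127"
2018/08/04 21:58:41 [error] 4824#0: *12 NAXSI_FMT: ip=10.10.13.100&server=192.168.100.127&uri=/search&learning=1&vers=0.56&total_processed=9&total_blocked=2&block=1&cscore0=$SQL&score0=8&cscore1=$XSS&score1=16&zone0=ARGS&id0=1010&var_name0=q&zone1=ARGS&id1=1011&var_name1=q, client: 10.10.13.100, server: localhost, request: "GET /search?q=%28%29 HTTP/1.1", host: "192.168.100.127"
"""

def parse_naxsi_line(line):
    """Parse one NAXSI_FMT error_log line into a dict; returns None for any other line."""
    m = FMT_RE.search(line)
    if not m:
        return None
    p = {k: v[0] for k, v in parse_qs(m.group("fmt"), keep_blank_values=True).items()}
    ev = {"ip": p.get("ip"), "uri": p.get("uri"), "learning": p.get("learning") == "1",
          "block": p.get("block") == "1", "scores": {}, "matches": []}
    i = 0
    while f"cscore{i}" in p:  # cscoreN/scoreN pairs: per-category totals
        ev["scores"][p[f"cscore{i}"]] = int(p[f"score{i}"])
        i += 1
    i = 0
    while f"id{i}" in p:  # zoneN/idN/var_nameN triples: the individual rule hits
        ev["matches"].append({"zone": p[f"zone{i}"], "id": int(p[f"id{i}"]),
                              "var": p.get(f"var_name{i}", "")})
        i += 1
    return ev

def would_block(scores, thresholds=THRESHOLDS):
    """True when any category score reaches its CheckRule threshold (naxsi's BLOCK decision)."""
    return any(scores.get(cat, 0) >= limit for cat, limit in thresholds.items())

def suggest_whitelists(events):
    """One BasicRule per (rule id, URL, zone, variable) seen, far narrower than the wl:0 used above."""
    rules = set()
    for ev in events:
        for mt in ev["matches"]:
            zone, _, flag = mt["zone"].partition("|")  # "ARGS|NAME" means the hit was on the name
            target = f"{ZONE_TO_MZ[zone]}:{mt['var']}" if mt["var"] and zone in ZONE_TO_MZ else zone
            mz = f"$URL:{ev['uri']}|{target}" + (f"|{flag}" if flag else "")
            rules.add(f'BasicRule wl:{mt["id"]} "mz:{mz}";')
    return sorted(rules)
```

Review each suggestion before loading it: a whitelist built from learning-mode logs silences that rule for that variable, so confirm the logged hit was legitimate traffic and not a probe.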

The Naxsi community provides ready-made whitelist rule sets for common applications such as WordPress; they can be downloaded from https://github.com/nbs-system/naxsi-rules.

