Home > Developer > Web Develop
Naxsi does not require any specific dependencies, it requires Libpcre, LIBSSL, zlib, gzip these Nginx have been integrated.
[[email protected] soft]# wget https://github.com/nbs-system/naxsi/archive/master.zip[[email protected] soft]# tar zxvf naxsi-master.zip
[[email protected] ~]# cd/opt/openresty/nginx/sbin/#进入当前运行的目录 [[email protected] sbin]#./nginx-v #查看之前编译参数nginx version:openresty/1.11.2.5built by GCC 4.8.5 20150623 (Red Hat 4.8.5-16) (GCC) built with Op Enssl 1.0.2k-fips-Jan 2017TLS SNI support enabledconfigure arguments:--prefix=/opt/openresty/nginx--with-cc-opt=-o2 --add-module=. /ngx_devel_kit-0.3.0--add-module=. /iconv-nginx-module-0.14--add-module=. /echo-nginx-module-0.61--add-module=. /xss-nginx-module-0.05--add-module=. /NGX_COOLKIT-0.2RC3--add-module=. /set-misc-nginx-module-0.31--add-module=. /form-input-nginx-module-0.12--add-module=. /encrypted-session-nginx-module-0.06--add-module=. /srcache-nginx-module-0.31--add-module=. /ngx_lua-0.10.10--add-module=. /ngx_lua_upstream-0.07--add-module=. /headers-more-nginx-module-0.32--add-module=. /array-var-nginx-module-0.05--add-module=. /memc-nginx-module-0.18--add-module=. /redis-nginx-module-0.3.7--add-module=. /rds-json-nginx-module-0.14--add-module=. /rds-csv-nginx-module-0.07--with-ld-opt=-wl,-rpath,/opt/openresty/luajit/lib--with-http_realip_module-- With-pcre--with-http_ssl_module [[email protected] sbin]# cd/opt/soft/openresty-1.11.2.5/#进入源码目录 [ [email protected] openresty-1.11.2.5]#./configure--prefix=/opt/openresty/nginx--with-cc-opt=-O2-- Add-module=. /ngx_devel_kit-0.3.0--add-module=. /iconv-nginx-module-0.14--add-module=. /echo-nginx-module-0.61--add-module=. /xss-nginx-module-0.05--add-module=. /NGX_COOLKIT-0.2RC3--add-module=. /set-misc-nginx-module-0.31--add-module=. /form-input-nginx-module-0.12--add-module=. /encrypted-session-nginx-module-0.06--add-module=. /srcache-nginx-module-0.31--add-module=. /ngx_lua-0.10.10--add-module=. /ngx_lua_upstream-0.07--add-module=. /headers-more-nginx-module-0.32--add-module=. /array-var-nginx-module-0.05--add-module=. /memc-nginx-module-0.18--add-module=. /redis-nginx-module-0.3.7--add-module=. /rds-json-nginx-module-0.14--add-module=. /rds-csv-nginx-module-0.07--with-ld-opt=-wl,-rpath,/opt/openresty/luajit/lib--with-http_realip_module-- With-pcre--with-http_ssl_module--add-module=/opt/soft/naxsi-master/naxsi_src/#重新编译nginx, add the previously compiled parameters, then add the Naxsi module, Specify the NAXSI_SRC directory in the source directory of the naxsi .../configure:error:no/opt/soft/openresty-1.11.2.5/. /ngx_devel_kit-0.3.0/config was found #报错, Openresty./nginx-v in the module path: /xxx are openresty added by default, these paths are built under the root directory, and are automatically added to the error:failed to run command:sh at compile time./configure--prefix=/opt/openresty/ Nginx/nginx \ ... [[email protected] openresty-1.11.2.5]#[[email protected] openresty-1.11.2.5]#./configure--prefix=/opt /openresty/--add-module=/opt/soft/naxsi-master/naxsi_src/--with-luajit #只需要加这几项 [[email protected] openresty-1.11.2.5]# gmake[[email protected] openresty-1.11.2.5]# find. -type f-iname nginx./build/nginx-1.11.2/objs/nginx[[email protected] openresty-1.11.2.5]# cp/opt/openresty/ Nginx/sbin/nginx{,.20180803bak} #这步很重要 [[email protected] openresty-1.11.2.5]# CP./build/nginx-1.11.2/objs/nginx/opt/openresty/nginx/sbin/ Nginxcp:overwrite '/opt/openresty/nginx/sbin/nginx '? Ycp:cannot Create regular file '/opt/openresty/nginx/sbin/nginx ': Text file busy[[email protected] openresty-1.11.2.5]# killall-9 nginx[[email protected] openresty-1.11.2.5]# CP Build/nginx-1.11.2/objs/nginx/ Opt/openresty/nginx/sbin/cp:overwrite '/opt/openresty/nginx/sbin/nginx '? Y[[email protected] openresty-1.11.2.5]# CD! $CD/opt/openresty/nginx/sbin/[[email protected] sbin]#./ Nginx-vnginx version:openresty/1.11.2.5built by GCC 4.8.5 20150623 (Red Hat 4.8.5-28) (GCC) built with OpenSSL 1.0.2k-fi PS 2017TLS SNI Support enabledconfigure arguments:--prefix=/opt/openresty//nginx--with-cc-opt=-o2--add-module= .. /ngx_devel_kit-0.3.0--add-module=. /echo-nginx-module-0.61--add-module=. /xss-nginx-module-0.05--add-module=. /NGX_COOLKIT-0.2RC3--add-module=. /set-misc-nginx-module-0.31--adD-module=. /form-input-nginx-module-0.12--add-module=. /encrypted-session-nginx-module-0.06--add-module=. /srcache-nginx-module-0.31--add-module=. /ngx_lua-0.10.10--add-module=. /ngx_lua_upstream-0.07--add-module=. /headers-more-nginx-module-0.32--add-module=. /array-var-nginx-module-0.05--add-module=. /memc-nginx-module-0.18--add-module=. /redis2-nginx-module-0.14--add-module=. /redis-nginx-module-0.3.7--add-module=. /rds-json-nginx-module-0.14--add-module=. /rds-csv-nginx-module-0.07--with-ld-opt=-wl,-rpath,/opt/openresty/luajit/lib--add-module=/opt/soft/ NAXSI-MASTER/NAXSI_SRC--with-http_ssl_module[[email protected] sbin]#Copy the naxsi core configuration file to nginx/conf
[[email protected] build]# cp /opt/soft/naxsi-master/naxsi_config/naxsi_core.rules /opt/openresty/nginx/conf/
To add a naxsi core profile in the nginx.conf configuration file
[[email protected] build]# cp /opt/openresty/nginx/conf/nginx.conf{,.20190804bak}[[email protected] build]# vim /opt/openresty/nginx/conf/nginx.conf......http { include mime.types; include naxsi_core.rules; #加载naxsi 核心规则文件 default_type application/octet-stream; ...... }......
Configure NAXSI rules, new file Naxsi.rules
[[email protected] build]# vim /opt/openresty/nginx/conf/naxsi.rules#LearningMode 启用学习模式,即拦截请求后不拒绝访问,只将触发规则的请求写入error_log选项定义的文件中。如果对规则产生的影响不太清楚,可以先设置为学习模式。启用学习模式不能起到拦截非法请求的防御的效果。建议先使用学习模式,规则测试完成后再启用拦截模式。这样可以避免出现对网站、服务器某些不可知的影响。#SecRulesEnabled|SecRulesDisabledSecRulesEnabled; #启用Naxsi模块DeniedUrl "/RequestDenied"; #拒绝的请求发送到内部URL#check rules 设置各规则不同的触发阈值。 一旦该阈值触发,请求将被阻塞。CheckRule "$SQL >= 8" BLOCK;CheckRule "$RFI >= 8" BLOCK;CheckRule "$TRAVERSAL >= 4" BLOCK;CheckRule "$EVADE >= 4" BLOCK;CheckRule "$XSS >= 8" BLOCK;#naxsi logerror_log logs/naxsi.log;
Virtual Host add support naxsi anti-XXX
[[email protected] build]# vim/opt/openresty/nginx/conf/nginx.conf......http {... server { ... location/{ ... include naxsi.rules; ...... } ... error_page 502 503 504/50x.html; Location =/50x.html {root html; } location/requestdenied {#定义naxsi Deniedurl return code returned in the. Rules 403; } error_page 403/403.html; Location =/403.html {root html; } ...... } ...... } ...... [email protected] build]# vim/opt/openresty/nginx/html/403.htmlTest Naxsi
Performed on a single test machine: Curl Http://192.168.100.127/?a=%3C
[[email protected] ~]# curl http://192.168.100.127/?a=%3C
Nginx Server Log
[[email protected] sbin]# tail -500f /opt/openresty/nginx/logs/naxsi.log 2018/08/04 21:53:03 [error] 4824#0: *7 NAXSI_FMT: ip=10.10.13.100&server=192.168.100.127&uri=/&learning=0&vers=0.56&total_processed=3&total_blocked=1&block=1&cscore0=$XSS&score0=8&zone0=ARGS&id0=1302&var_name0=a, client: 10.10.13.100, server: localhost, request: "GET /?a=%3C HTTP/1.1", host: "192.168.100.127"
If the error log appears, the NAXSI_FMT message indicates success.
You can also add a whitelist naxsi_basicrule.conf
[[email protected] sbin]# vim /opt/openresty/nginx/conf/naxsi_BasicRule.confBasicRule wl:0 "mz:$ARGS_VAR:script";BasicRule wl:0 "mz:$ARGS_VAR:id";[[email protected] sbin]# ./nginx -s reload
Indicates that xssxxx is normally intercepted and is not intercepted if the whitelist is added: The Get parameter name is not intercepted if it is an ID or script.
Test Naxsi
Normal input http://192.168.100.127 can be accessed normally
Add normal parameters to the above address, for example: Http://192.168.100.127/?id=1 or Http://192.168.100.127/?id=1%20AND%201=1 returns the same page as above because it is configured to whitelist
If you access http://192.168.100.127/?name=40//and//1=1 will prompt for error 403 Request Denied, with conditional injection blocked
Access Http://192.168.100.127/?name=%28%29 will prompt for error 403 Request Denied with special characters
White list rule syntax:
Basicrule wl:id [Negative] [mz:[$URL: target_url]|[ match_zone]| [$ARGS _var:varname]| [$BODY _vars:varname]| [$HEADERS _var:varname]| [NAME]]
Wl:id (white list ID) which interception rules will go to whitelist
wl:0: Add all the interception rules to whitelist
Wl:42: Whitelist the interception rule with ID 42
Wl:42,41,43: Whitelist the interception rules with IDs 42, 41, and 43
WL:-42: Add all interception rules to whitelist except for the intercept rule with ID 42
MZ: (Match Zones)
The entire parameters of the args:get, such as: foo=bar&in=%20
$ARGS parameter names for _var:get parameters, such as: Foo and in Foo=bar&in=%20
$ARGS _var_x: Parameter name of the get parameter for a regular match
HEADERS: Entire HTTP protocol header
$HEADERS the name of the _var:http protocol header
$HEADERS _var_x: The name of the regular matching HTTP protocol header
The entire parameter content of the Body:post
Parameter names for $BODY _var:post parameters
$BODY _var_x: Parameter name of the post parameter for a regular match
Url:url (pre-)
url_x: Regular matching URL (? before)
File_ext: File name (file name uploaded when Post is uploaded)
The Naxsi community provides some common whitelist rules, such as WordPress. Whitelist rules can be downloaded in https://github.com/nbs-system/naxsi-rules.
Nginx uses Naxsi to build a Web application firewall (WAF), anti-XSS, anti-injection XXX
Start building with 50+ products and up to 12 months usage for Elastic Compute Service
1 on 1 presale consultation
24/7 Technical Support 6 Free Tickets per Quarter Faster Response
Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.
A comprehensive suite of global cloud computing services to power your business
Payment Methods We Support
