In today’s cybersecurity landscape, protecting your web applications from threats like SQL injection, cross-site scripting (XSS), and other malicious attacks is essential. One effective way to enhance web server security is by deploying a Web Application Firewall (WAF). Naxsi (short for Nginx Anti XSS & SQL Injection) is a high-performance, open-source WAF module designed specifically for NGINX.
This guide walks you through everything you need to install Naxsi with NGINX on Ubuntu 24.04, including downloading source code, compiling NGINX with the Naxsi module, setting up basic rules, and testing your setup.
Install Dependencies
Begin by updating your package list and installing the necessary development tools and libraries:
sudo apt update
sudo apt install -y build-essential libpcre3 libpcre3-dev zlib1g zlib1g-dev libssl-dev git curl unzip
Download NGINX and Naxsi Source
Download NGINX Source
Visit NGINX Downloads to obtain the latest version. Replace 1.26.0 with the current version if necessary:
cd /usr/local/src
sudo curl -O https://nginx.org/download/nginx-1.26.0.tar.gz
sudo tar -xzvf nginx-1.26.0.tar.gz
Clone the Naxsi Repository
cd /usr/local/src
sudo git clone https://github.com/wargio/naxsi.git
Compile NGINX with Naxsi Module
Install pkg-config and fetch Naxsi's Git submodules first, then configure NGINX from its source directory with the Naxsi module and build it:
sudo apt install -y pkg-config
cd /usr/local/src/naxsi
sudo git submodule update --init --recursive
cd /usr/local/src/nginx-1.26.0
sudo ./configure --add-module=../naxsi/naxsi_src --with-http_ssl_module
sudo make
sudo make install
Configure NGINX with Naxsi
Copy Naxsi Core Rules
sudo cp /usr/local/src/naxsi/naxsi_rules/naxsi_core.rules /usr/local/nginx/conf/
Update NGINX Configuration
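Edit the NGINX configuration file (/usr/local/nginx/conf/nginx.conf) so that the core rules are included in the http block and Naxsi is enabled, with blocking thresholds, in the location you want to protect:
http {
    # Keep the existing http-level settings (mime types, logging, ...) as they are.
    # Load the core rules copied in the previous step; they must sit at http level.
    include /usr/local/nginx/conf/naxsi_core.rules;

    server {
        listen 80;
        server_name 65.21.147.117;
        location / {
            SecRulesEnabled;
            DeniedUrl "/RequestDenied";
            # Score thresholds at which a request is sent to DeniedUrl;
            # without CheckRule lines the core rules only add up scores.
            CheckRule "$SQL >= 8" BLOCK;
            CheckRule "$RFI >= 8" BLOCK;
            CheckRule "$TRAVERSAL >= 4" BLOCK;
            CheckRule "$EVADE >= 4" BLOCK;
            CheckRule "$XSS >= 8" BLOCK;
            root html;
            index index.html index.htm;
        }
        location = /favicon.ico {
            log_not_found off;
            access_log off;
            # Serve a blank or real favicon:
            alias /usr/local/nginx/html/favicon.ico;
        }
        location = /RequestDenied {
            return 403 "Request blocked by Naxsi Web Application Firewall.";
        }
    }
}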
Start NGINX
Start NGINX with the following command:
sudo /usr/local/nginx/sbin/nginx
To ensure NGINX starts on boot, create a systemd service file:
sudo nano /etc/systemd/system/nginx.service
Add the following content:
# Paths match the source build's default prefix, /usr/local/nginx
[Unit]
Description=The NGINX HTTP and reverse proxy server
After=syslog.target network.target remote-fs.target nss-lookup.target
[Service]
Type=forking
PIDFile=/usr/local/nginx/logs/nginx.pid
ExecStartPre=/usr/local/nginx/sbin/nginx -t
ExecStart=/usr/local/nginx/sbin/nginx
ExecReload=/bin/kill -s HUP $MAINPID
ExecStop=/bin/kill -s QUIT $MAINPID
PrivateTmp=true
[Install]
WantedBy=multi-user.target
Stop the instance that was started by hand, then reload systemd and enable NGINX:
sudo /usr/local/nginx/sbin/nginx -s quit
sudo systemctl daemon-reload
sudo systemctl enable nginx
sudo systemctl start nginx
Test Naxsi
Cross-Site Scripting (XSS) Attempt
curl "http://your-server/?q=<script>alert('xss')</script>"
This request will be blocked and logged.
Check the NGINX error log for blocked requests; Naxsi records each one on a line containing NAXSI_FMT:
tail -f /usr/local/nginx/logs/error.log
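Added example (not part of the original guide or of the Naxsi project): a small Python parser for the NAXSI_FMT lines in error.log that tallies which rule id fired in which zone and variable, the information needed when tuning rules. The sample log lines are constructed, and the parser assumes the key=value&key=value layout with percent-encoded values.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample error.log lines (not real traffic); ids and scores are illustrative.
SAMPLE_LOG = """\
2025/01/01 10:00:00 [error] 1234#0: *1 NAXSI_FMT: ip=203.0.113.5&server=your-server&uri=/&learning=0&vers=1.6&total_processed=1&total_blocked=1&block=1&cscore0=$XSS&score0=16&zone0=ARGS&id0=1302&var_name0=q&zone1=ARGS&id1=1303&var_name1=q, client: 203.0.113.5, server: your-server, request: "GET /?q=%3Cscript%3E HTTP/1.1", host: "your-server"
2025/01/01 10:00:05 [error] 1234#0: *2 NAXSI_FMT: ip=203.0.113.9&server=your-server&uri=/search&learning=1&vers=1.6&total_processed=2&total_blocked=1&block=0&cscore0=$XSS&score0=8&zone0=ARGS&id0=1302&var_name0=q, client: 203.0.113.9, server: your-server, request: "GET /search?q=%3Cb HTTP/1.1", host: "your-server"
2025/01/01 10:00:09 [error] 1234#0: *3 open() "/usr/local/nginx/html/missing.png" failed (2: No such file or directory)
"""

NAXSI_RE = re.compile(r"NAXSI_FMT: (.*?)(?:, client: |$)")
INDEXED_RE = re.compile(r"^(zone|id|var_name|cscore|score)(\d+)$")

def parse_naxsi_line(line):
    """Return a dict for one NAXSI_FMT line, or None for any other log line."""
    m = NAXSI_RE.search(line)
    if m is None:
        return None
    event, indexed = {}, {}
    for pair in m.group(1).split("&"):
        key, _, value = pair.partition("=")
        hit = INDEXED_RE.match(key)
        if hit:  # numbered fields such as zone0, id0, var_name0, cscore0, score0
            indexed.setdefault(hit.group(1), {})[int(hit.group(2))] = unquote(value)
        else:    # plain fields such as ip, uri, learning, block
            event[key] = unquote(value)
    scores = indexed.get("score", {})
    event["scores"] = {tag: int(scores.get(n, 0)) for n, tag in indexed.get("cscore", {}).items()}
    ids = indexed.get("id", {})
    zones, names = indexed.get("zone", {}), indexed.get("var_name", {})
    event["matches"] = [(zones.get(n, ""), int(ids[n]), names.get(n, "")) for n in sorted(ids)]
    return event

def summarize(log_text):
    """Count (zone, rule id, variable name) triples across all NAXSI_FMT lines."""
    counts = Counter()
    for line in log_text.splitlines():
        event = parse_naxsi_line(line)
        if event is not None:
            counts.update(event["matches"])
    return counts

if __name__ == "__main__":
    for (zone, rule_id, var), n in summarize(SAMPLE_LOG).most_common():
        print(f"{n:3d}  rule {rule_id}  zone {zone}  var {var}")
```

To run it against the real log, pass the contents of /usr/local/nginx/logs/error.log to summarize() instead of SAMPLE_LOG.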
Conclusion
With Naxsi successfully installed and integrated into NGINX, your web server now has an additional line of defense against common application-layer attacks. While the default rules provide a strong starting point, fine-tuning them to suit your specific application needs is recommended—especially if you’re using Learning Mode. Regular log monitoring and rule updates are key to maintaining an effective and secure WAF.
By combining NGINX’s speed and efficiency with Naxsi’s filtering capabilities, you gain powerful protection without sacrificing performance.
If you encounter any issues while trying to install Naxsi with NGINX on Ubuntu 24.04, or if you prefer expert assistance, our team is here to help. At Skynats, we offer comprehensive Linux Server Management services tailored to your server security and performance needs.