Nginx with Naxsi

password

Verified User
Joined
Oct 11, 2011
Messages
134
Hello!

Would it be possible to get an option in DirectAdmin to install Nginx together with Naxsi? Perhaps via Custombuild 2.0?
We really love DA + Nginx, but production boxes need a WAF.

Info on Naxsi:
https://code.google.com/p/naxsi/

Regards
password
 
Anyone? We are ready to put a few DA boxes with Nginx into production, but we a really need a WAF.
 
You can do the needed changes to custom/nginx/configure.nginx and rebuild nginx then. That's simple. Good luck!
 
Thank you smtalk!

I followed your instructions and managed to compile nginx with naxsi. I have a few problems editing the users "nginx.conf" to make this work though. I do understand that naxsi is not supported by either DirectAdmin staff nor you, but perhaps some kind person out there can provide me with tips. If not, perhaps this can help anyone else trying to install naxsi.

This is what I have done:

1. Download naxsi and compile it with nginx

Code:
cd /usr/local/directadmin/custombuild
wget http://naxsi.googlecode.com/files/naxsi-core-0.51-1.tgz
tar -zxvf naxsi-core-0.51-1.tgz
cd configure/nginx
nano configure.nginx

I then added: "--add-module=/usr/local/directadmin/custombuild/naxsi-core-0.51-1/naxsi_src/" to the bottom of that file. 

cd /usr/local/directadmin/custombuild
./build nginx

2. Copy naxsi rules to the nginx folder

Code:
cd /etc/nginx
cp /usr/local/directadmin/custombuild/naxsi-core-0.51-1/naxsi_config/naxsi_core.rules naxsi_core.rules

3. Create "nbs.rules" with "score check" and included this in nginx main config

Code:
Contents of "nbs.rules":

LearningMode; #Enables learning mode
SecRulesEnabled;
#SecRulesDisabled;
DeniedUrl "/RequestDenied";

## check rules
CheckRule "$SQL >= 8" BLOCK;
CheckRule "$RFI >= 8" BLOCK;
CheckRule "$TRAVERSAL >= 4" BLOCK;
CheckRule "$EVADE >= 4" BLOCK;
CheckRule "$XSS >= 8" BLOCK;

Code:
Inside /etc/nginx/nginx.conf:

http {
    include        /etc/nginx/naxsi_core.rules;

So far so good. Everything is working as usual. Now I am suposed to add stuff to each users "nginx.conf", and this is where I get errors.

This is what Naxsi documentation want's it to look like:

Code:
server {
 proxy_set_header Proxy-Connection "";
listen       *:80;
access_log  /tmp/nginx_access.log;
error_log  /tmp/nginx_error.log debug;

location / {
     include    /etc/nginx/nbs.rules;
     proxy_pass http://194.213.124.111/;
     proxy_set_header Host www.nbs-system.com;
   }

 location /RequestDenied {
     return 500;
   }
}

and this is how I added it to my admins configuration (/home/admin/domains/my-domain.tld/nginx.conf):

Code:
server
{
	proxy_set_header Proxy-Connection "";
        listen MY-SERVER-IP-HERE:80;

        server_name my-domain.tld www.my-domain.tld ;

        access_log /var/log/nginx/domains/my-domain.tld.log;
        access_log /var/log/nginx/domains/my-domain.tld.bytes bytes;
        error_log /var/log/nginx/domains/my-domain.tld.error.log;

        root /home/admin/domains/my-domain.tld/public_html;

	index index.php index.html index.htm;

                # use fastcgi for all php files
                location ~ \.php$
                {
                        try_files $uri =404;
                        fastcgi_split_path_info ^(.+\.php)(/.+)$;
                        include /etc/nginx/fastcgi_params;
                        fastcgi_index index.php;
                        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
                        include /etc/nginx/nginx_limits.conf;

                        if (-f $request_filename)
                        {
                                fastcgi_pass unix:/usr/local/php54/sockets/admin.sock;
                        }
                }

        # deny access to apache .htaccess files
        location ~ /\.ht
        {
                deny all;
        }

	location / {
     		include    /etc/nginx/nbs.rules;
     		proxy_pass http://MY-SERVER-IP-HERE/;
     		proxy_set_header Host www.my-domain.tld;
   	}

	location = /denied.html {
  		root /home/admin/domains/my-domain.tld/public_html;
  		index denied.html;
	}

	location /RequestDenied {
     		rewrite ^/.+$ /denied.html;
   	}

        include /etc/nginx/webapps.conf;
}

First I got errors on "failed (24: Too many open files) while connecting to upstream". This was solved by increasing worker processes and connections in /etc/nginx/nginx.conf. But now I get these kinds of errors:

Code:
2013/08/27 03:41:32 [crit] 24850#0: *56465 connect() to MY-SERVER-IP:80 failed (99: Cannot assign requested address) while connecting to upstream, client: MY-SERVER-IP, server: my-domain.tld, request: "GET /image.jpg HTTP/1.0", upstream: "http://MY-SERVER-IP:80/image.jpg", host: "www.my-domain.tld"

I suspect I have done something wrong inside the users nginx.conf file and would really appreciate any help I can get.
 
I read on Google that you sometimes have to tell Linux to allow processes to bind to the non-local address. So I tried adding this to /etc/sysctl.conf:

Code:
net.ipv4.ip_nonlocal_bind = 1

And then rebooted the server. But this did not work.

Now I get "2013/08/27 05:42:22 [alert] 1251#0: *6398 socket() failed (24: Too many open files) while connecting to upstream" again. I'm starting to feel like I am sending Nginx in a loop somewhere with this proxy stuff.
 
I'm close to giving up on this. I have spent several hours today searching google for help, but nothing out there seems to be usable on a DA box.
Right now I am considering trying to compile mod_security instead. As of the latest release it is stable for Nginx. I would prefer naxsi however, since I prefer the mindset it is built upon.
 
We have customers that dont understand what XSS, CSRF and SQL-injection is, and they upload vulnerable stuff from time to time that gets exploited. Even if the attacker cant do any harm to the server itself, its always bad for business trying to explain to the customer that he/she is the reason why the website got hacked.

If we can prevent much of these attacks by implementing a WAF... Thats great.
 
For anyone interested in this I actually got this working.

I simply removed the following lines:

Code:
proxy_set_header Proxy-Connection "";
proxy_pass http://1.2.3.4/;
proxy_set_header Host www.my-domain.tld;

In other words, anything proxy related. I think I sent Nginx in a infinite loop yesterday with these settings which caused it to run out of workers.
It seems to be working fine now. I have not enabled learning mode daemon yet, but am experimenting with manual whitelisting.

You can for instance add:

Code:
location /test.html {
include    /etc/nginx/nbs.rules;
BasicRule wl:0;
}

to whitelist all rules on "/test.html". Or you can whitelist a few of them like this:

Code:
location /test.html {
include    /etc/nginx/nbs.rules;
BasicRule wl:1001,1008,1011;
}

Seems to be working fine, but you probably need the learning daemon running for a while to configure it properly. But it works! And it's FAST! =)
 
Back
Top