nginx + naxsi firewall howto
What is naxsi?
Naxsi is an open source, high performance, low rules maintenance, Web Application Firewall module for Nginx.
Since 3 April 2012 the Debian repository dotdeb.org has carried a Debian package called nginx-naxsi, but here we will install and configure it from source, because we want to change server_tokens 😉
First:
cd /usr/src/
wget "http://nginx.org/download/nginx-1.1.19.tar.gz"
wget "http://naxsi.googlecode.com/files/naxsi-0.44-1.tgz"
tar zxvf nginx-1.1.19.tar.gz
tar zxvf naxsi-0.44-1.tgz
cd nginx-1.1.19
./configure --add-module=../naxsi-0.44-1/naxsi_src/ \
  --prefix=/usr \
  --sbin-path=/usr/sbin/nginx \
  --conf-path=/etc/nginx/nginx.conf \
  --error-log-path=/var/log/nginx/error.log \
  --pid-path=/var/run/nginx/nginx.pid \
  --lock-path=/var/lock/nginx.lock \
  --user=nginx --group=nginx \
  --with-http_ssl_module \
  --with-http_flv_module \
  --with-http_gzip_static_module \
  --http-log-path=/var/log/nginx/access.log \
  --http-client-body-temp-path=/var/tmp/nginx/client/ \
  --http-proxy-temp-path=/var/tmp/nginx/proxy/ \
  --http-fastcgi-temp-path=/var/tmp/nginx/fcgi/ \
  --with-http_stub_status_module \
  --with-http_realip_module
make
make install
Now it’s time for the configuration files. See this for instructions
…
Once the configuration files are right, it's time to run the daemon that will act as the firewall.
cp /usr/src/naxsi-0.44-1/contrib/rules_generator/http_config.py /etc/nginx/
Run the command:
/usr/bin/python /etc/nginx/http_config.py --cmd /usr/sbin/nginx -s reload -v 3
In my case there was an error about the Python library argparse, so we need to install it:
apt-get install python-argparse
Run the daemon again and everything should be fine now 🙂
PS. I wrote an init script to daemonize http_config.py, because running it with & does not work well.
Now we can see the rules generated by naxsi at http://mysite.com/RequestDenied
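To show what the rules generator is doing behind that page, here is an added example of turning naxsi learning-mode log lines into whitelist rules. It is not code from the original post and not naxsi's own http_config.py; it assumes the NAXSI_FMT line layout naxsi writes to nginx's error.log (ip=...&uri=...&zone0=ARGS&id0=1001&var_name0=q) and the BasicRule wl:ID "mz:..." whitelist syntax, and the log lines it parses are constructed samples.

```python
"""Generate naxsi whitelist rules from NAXSI_FMT learning-mode log lines.

Added example, not part of the original post and not naxsi's own
http_config.py. Assumes naxsi's NAXSI_FMT log layout and BasicRule
whitelist syntax; the log lines below are constructed samples.
"""
import re
from urllib.parse import parse_qs

# Constructed sample lines in the shape naxsi writes to nginx's error.log
# when learning mode is on (assumed format). The third line is a plain
# nginx error with no naxsi data and must be ignored.
SAMPLE_LOG = """\
2012/04/10 12:00:01 [error] 1234#0: *1 NAXSI_FMT: ip=10.0.0.5&server=mysite.com&uri=/index.php&learning=1&total_processed=3&total_blocked=1&zone0=ARGS&id0=1001&var_name0=q, client: 10.0.0.5, server: mysite.com, request: "GET /index.php?q=select%20x HTTP/1.1", host: "mysite.com"
2012/04/10 12:00:02 [error] 1234#0: *2 NAXSI_FMT: ip=10.0.0.5&server=mysite.com&uri=/admin.php&learning=1&total_processed=4&total_blocked=2&zone0=BODY&id0=1302&var_name0=comment&zone1=URL&id1=1010&var_name1=, client: 10.0.0.5, server: mysite.com, request: "POST /admin.php HTTP/1.1", host: "mysite.com"
2012/04/10 12:00:03 [error] 1234#0: *3 plain nginx error line without naxsi data
"""

# naxsi match-zone names for zones that can be whitelisted per variable
VAR_ZONES = {"ARGS": "$ARGS_VAR", "BODY": "$BODY_VAR", "HEADERS": "$HEADERS_VAR"}

# the query-string-like payload ends at the first comma or whitespace
FMT_RE = re.compile(r"NAXSI_FMT: (?P<q>[^,\s]+)")


def parse_naxsi_line(line):
    """Return [(uri, zone, rule_id, var_name), ...] for one log line, or [] if no NAXSI_FMT."""
    m = FMT_RE.search(line)
    if not m:
        return []
    fields = {k: v[0] for k, v in parse_qs(m.group("q"), keep_blank_values=True).items()}
    uri = fields.get("uri", "")
    hits = []
    i = 0
    # one zoneN/idN/var_nameN triple per rule that matched the request
    while f"zone{i}" in fields and f"id{i}" in fields:
        hits.append((uri, fields[f"zone{i}"], int(fields[f"id{i}"]), fields.get(f"var_name{i}", "")))
        i += 1
    return hits


def whitelist_rule(uri, zone, rule_id, var_name):
    """Build a BasicRule that whitelists rule_id for this variable, scoped to the uri."""
    if zone in VAR_ZONES and var_name:
        mz = f"{VAR_ZONES[zone]}:{var_name}"
    else:
        mz = zone  # zone-wide match, e.g. URL, or a zone without a variable name
    return f'BasicRule wl:{rule_id} "mz:$URL:{uri}|{mz}";'


def generate_whitelist(log_text):
    """Return the deduplicated list of BasicRule lines for a chunk of error.log text."""
    rules = []
    for line in log_text.splitlines():
        for hit in parse_naxsi_line(line):
            rule = whitelist_rule(*hit)
            if rule not in rules:
                rules.append(rule)
    return rules


if __name__ == "__main__":
    print("\n".join(generate_whitelist(SAMPLE_LOG)))
```

Each generated line goes into the naxsi rules file loaded by the location being protected. Review them before reloading nginx: learning mode records every blocked request, so the first sample line (a query containing `select`) would be whitelisted just as readily as a harmless false positive if the learning traffic is not clean.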
That’s it!