Securing your WebApp with NGINX and NAXSI on Debian 10 (buster)

Securing your WebApp with NGINX and NAXSI on Debian 10 (buster)

This website is running the free version of Ghost CMS. To increase the security of the website a NGINX reverse proxy including NAXSI  web application firewall (WAF) is used. NAXSI (NGINX Anti XSS & SQL Injection) is a free, third-party NGINX module which complements the webserver with security functionalities. The following describes the installation and configuration.

Compiling nginx with the NAXSI Module:

install the required packages

sudo apt-get install build-essential libpcre3-dev libssl-dev zlib1g-dev gcc-7

Get nginx and NAXSI

cd /scr
wget https://github.com/nbs-system/naxsi/archive/0.56.tar.gz -O naxsi
wget https://nginx.org/download/nginx-1.18.0.tar.gz

and uncompress the archives using tar

compile nginx

cd nginx-1.18.0/
./configure \
--with-ld-opt='-Wl,-z,relro -Wl,-z,now -fPIC' \
--prefix=/usr/share/nginx \
--conf-path=/etc/nginx/nginx.conf \
--http-log-path=/var/log/nginx/access.log \
--error-log-path=/var/log/nginx/error.log \
--lock-path=/var/lock/nginx.lock \
--pid-path=/run/nginx.pid \
--modules-path=/usr/lib/nginx/modules \
--add-module=../naxsi-0.56/naxsi_src/ \
--http-client-body-temp-path=/var/lib/nginx/body \
--http-fastcgi-temp-path=/var/lib/nginx/fastcgi \
--http-proxy-temp-path=/var/lib/nginx/proxy \
--user=www-data \
--group=www-data \
--with-http_ssl_module \
--with-http_v2_module \
--without-mail_pop3_module \
--without-mail_smtp_module \
--without-mail_imap_module \
--without-http_uwsgi_module \
--without-http_scgi_module

i had to use gcc-7 otherwise make failed.
this is already documented and known to the naxsi developers

make CC=/usr/bin/gcc-7

make install

after this step there is a nginx, which is equipped with the NAXSI module as WAF.

create a systemd service

vi /etc/systemd/system/nginx-1.18.0.service

and add the following content

[Unit]
Description=nginx 1.18.0
After=syslog.target network-online.target remote-fs.target nss-lookup.target
Wants=network-online.target

[Service]
Type=forking
PIDFile=/run/nginx.pid
ExecStartPre=/usr/share/nginx/sbin/nginx -t
ExecStart=/usr/share/nginx/sbin/nginx $CLI_OPTIONS
ExecReload=/usr/share/nginx/sbin/nginx -s reload
ExecStop=/usr/share/nginx/sbin/nginx -s quit
PrivateTmp=true

[Install]
WantedBy=multi-user.target

start and enable the service using

systemctl daemon-reload
systemctl start nginx-1.18.0.service
systemctl status nginx-1.18.0.service
systemctl enable nginx-1.18.0