Securing your WebApp with NGINX and NAXSI on Debian 10 (buster)
This website is running the free version of Ghost CMS. To increase the security of the website a NGINX reverse proxy including NAXSI web application firewall (WAF) is used. NAXSI (NGINX Anti XSS & SQL Injection) is a free, third-party NGINX module which complements the webserver with security functionalities. The following describes the installation and configuration.
Compiling nginx with the NAXSI Module:
install the required packages
sudo apt-get install build-essential libpcre3-dev libssl-dev zlib1g-dev gcc-7
Get nginx and NAXSI
cd /scr
wget https://github.com/nbs-system/naxsi/archive/0.56.tar.gz -O naxsi
wget https://nginx.org/download/nginx-1.18.0.tar.gz
and uncompress the archives using tar
compile nginx
cd nginx-1.18.0/
./configure \
--with-ld-opt='-Wl,-z,relro -Wl,-z,now -fPIC' \
--prefix=/usr/share/nginx \
--conf-path=/etc/nginx/nginx.conf \
--http-log-path=/var/log/nginx/access.log \
--error-log-path=/var/log/nginx/error.log \
--lock-path=/var/lock/nginx.lock \
--pid-path=/run/nginx.pid \
--modules-path=/usr/lib/nginx/modules \
--add-module=../naxsi-0.56/naxsi_src/ \
--http-client-body-temp-path=/var/lib/nginx/body \
--http-fastcgi-temp-path=/var/lib/nginx/fastcgi \
--http-proxy-temp-path=/var/lib/nginx/proxy \
--user=www-data \
--group=www-data \
--with-http_ssl_module \
--with-http_v2_module \
--without-mail_pop3_module \
--without-mail_smtp_module \
--without-mail_imap_module \
--without-http_uwsgi_module \
--without-http_scgi_module
i had to use gcc-7 otherwise make failed.
this is already documented and known to the naxsi developers
make CC=/usr/bin/gcc-7
make install
after this step there is a nginx, which is equipped with the NAXSI module as WAF.
create a systemd service
vi /etc/systemd/system/nginx-1.18.0.service
and add the following content
[Unit]
Description=nginx 1.18.0
After=syslog.target network-online.target remote-fs.target nss-lookup.target
Wants=network-online.target
[Service]
Type=forking
PIDFile=/run/nginx.pid
ExecStartPre=/usr/share/nginx/sbin/nginx -t
ExecStart=/usr/share/nginx/sbin/nginx $CLI_OPTIONS
ExecReload=/usr/share/nginx/sbin/nginx -s reload
ExecStop=/usr/share/nginx/sbin/nginx -s quit
PrivateTmp=true
[Install]
WantedBy=multi-user.target
start and enable the service using
systemctl daemon-reload
systemctl start nginx-1.18.0.service
systemctl status nginx-1.18.0.service
systemctl enable nginx-1.18.0