security

Securing your WebApp with NGINX and NAXSI on Debian 10 (buster)

Christoph

2 min read
Securing your WebApp with NGINX and NAXSI on Debian 10 (buster)

This website is running the free version of Ghost CMS. To increase the security of the website a NGINX reverse proxy including NAXSI  web application firewall (WAF) is used. NAXSI (NGINX Anti XSS & SQL Injection) is a free, third-party NGINX module which complements the webserver with security functionalities. The following describes the installation and configuration.

Compiling nginx with the NAXSI Module:

install the required packages

sudo apt-get install build-essential libpcre3-dev libssl-dev zlib1g-dev gcc-7

Get nginx and NAXSI

cd /scr
wget https://github.com/nbs-system/naxsi/archive/0.56.tar.gz -O naxsi
wget https://nginx.org/download/nginx-1.18.0.tar.gz

and uncompress the archives using tar

compile nginx

cd nginx-1.18.0/
./configure \
--with-ld-opt='-Wl,-z,relro -Wl,-z,now -fPIC' \
--prefix=/usr/share/nginx \
--conf-path=/etc/nginx/nginx.conf \
--http-log-path=/var/log/nginx/access.log \
--error-log-path=/var/log/nginx/error.log \
--lock-path=/var/lock/nginx.lock \
--pid-path=/run/nginx.pid \
--modules-path=/usr/lib/nginx/modules \
--add-module=../naxsi-0.56/naxsi_src/ \
--http-client-body-temp-path=/var/lib/nginx/body \
--http-fastcgi-temp-path=/var/lib/nginx/fastcgi \
--http-proxy-temp-path=/var/lib/nginx/proxy \
--user=www-data \
--group=www-data \
--with-http_ssl_module \
--with-http_v2_module \
--without-mail_pop3_module \
--without-mail_smtp_module \
--without-mail_imap_module \
--without-http_uwsgi_module \
--without-http_scgi_module

i had to use gcc-7 otherwise make failed.
this is already documented and known to the naxsi developers

make CC=/usr/bin/gcc-7

make install

after this step there is a nginx, which is equipped with the NAXSI module as WAF.

create a systemd service

vi /etc/systemd/system/nginx-1.18.0.service

and add the following content

[Unit]
Description=nginx 1.18.0
After=syslog.target network-online.target remote-fs.target nss-lookup.target
Wants=network-online.target

[Service]
Type=forking
PIDFile=/run/nginx.pid
ExecStartPre=/usr/share/nginx/sbin/nginx -t
ExecStart=/usr/share/nginx/sbin/nginx $CLI_OPTIONS
ExecReload=/usr/share/nginx/sbin/nginx -s reload
ExecStop=/usr/share/nginx/sbin/nginx -s quit
PrivateTmp=true

[Install]
WantedBy=multi-user.target

start and enable the service using

systemctl daemon-reload
systemctl start nginx-1.18.0.service
systemctl status nginx-1.18.0.service
systemctl enable nginx-1.18.0

Sign up for more like this.

Enter your email
Subscribe