Naxsi is an open-source, high-performance, low-maintenance-rules web application firewall (WAF) module for Nginx. Its main purpose is to harden web applications against SQL injection, cross-site scripting, cross-site request forgery, and local and remote file inclusion vulnerabilities.
1. Download and extract the nginx and naxsi sources
# cd /usr/local/src/
# wget http://nginx.org/download/nginx-1.16.0.tar.gz
# wget https://github.com/nbs-system/naxsi/archive/master.zip
# tar xvzf nginx-1.16.0.tar.gz
# unzip master.zip
2. Build and install nginx with the naxsi module
# cd nginx-1.16.0
# ./configure --prefix=/usr/local/nginx --add-module=/usr/local/src/naxsi-master/naxsi_src/
# make
# make install
3. Copy the Naxsi core rules file into nginx/conf
# cp /usr/local/src/naxsi-master/naxsi_config/naxsi_core.rules /usr/local/nginx/conf/
4. Include the Naxsi core rules file (naxsi_core.rules) in the http block of nginx.conf
......
http {
    include mime.types;
    include /usr/local/nginx/conf/naxsi_core.rules; # load the naxsi core rules file
    default_type application/octet-stream;
    ......
}
......
5. In the virtual host in nginx.conf, enable Naxsi protection against XSS and injection in the location block, and include the whitelist (rules file naxsi_whitelists.rules)
......
location / {
    include /usr/local/nginx/conf/naxsi_whitelists.rules; # load the rules file you write yourself
    SecRulesEnabled;
    ......
}
......
6. Add the filter rules and the whitelist
# vi /usr/local/nginx/conf/naxsi_whitelists.rules
SecRulesEnabled; # enable the Naxsi module
DeniedUrl "/RequestDenied"; # URL a denied request is sent to
CheckRule "$SQL >= 8" BLOCK; # trigger threshold for each score; once a threshold is reached, the request is blocked
CheckRule "$RFI >= 8" BLOCK;
CheckRule "$TRAVERSAL >= 4" BLOCK;
CheckRule "$EVADE >= 4" BLOCK;
CheckRule "$XSS >= 8" BLOCK;
error_log logs/naxsi.log; # relative paths in nginx are resolved against the nginx root directory
BasicRule wl:0 "mz:$URL:/mobile/visitNewAction.app|ARGS"; # whitelist; tune it from what you see in the logs/naxsi.log log
BasicRule wl:1015; # request too big
BasicRule wl:1010; # excel download
BasicRule wl:1011; # excel download
BasicRule wl:16 "mz:$URL:/crm/ArchivesManage.do|BODY";
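To turn logs/naxsi.log entries into whitelist candidates, the following added example (not part of the original post or of the naxsi project) parses naxsi's NAXSI_FMT log lines, checks the scores against the CheckRule thresholds configured above, and prints a BasicRule line in the same mz:$URL:path|ZONE form for every rule id that fired. The log lines, addresses, rule ids and scores are constructed for the sample; a generated BasicRule is only a candidate and should be added after confirming the request was legitimate.

```python
import re
from urllib.parse import parse_qs

# CheckRule thresholds exactly as configured in naxsi_whitelists.rules above.
CHECK_RULES = {"$SQL": 8, "$RFI": 8, "$TRAVERSAL": 4, "$EVADE": 4, "$XSS": 8}

# Constructed sample entries in naxsi's NAXSI_FMT error_log layout; the
# addresses, rule ids and scores are made up and carry no particular meaning.
SAMPLE_LOG = """\
2019/06/01 10:00:01 [error] 1234#0: *1 NAXSI_FMT: ip=203.0.113.5&server=example.com&uri=/mobile/visitNewAction.app&learning=0&vers=0.56&total_processed=10&total_blocked=1&block=1&cscore0=$SQL&score0=8&zone0=ARGS&id0=1010&var_name0=q, client: 203.0.113.5, server: example.com
2019/06/01 10:00:02 [error] 1234#0: *2 NAXSI_FMT: ip=203.0.113.6&server=example.com&uri=/crm/ArchivesManage.do&learning=0&vers=0.56&total_processed=11&total_blocked=2&block=1&cscore0=$SQL&score0=4&cscore1=$XSS&score1=8&zone0=BODY&id0=16&var_name0=data&zone1=BODY&id1=1015&var_name1=data
2019/06/01 10:00:03 [error] 1234#0: *3 NAXSI_FMT: ip=203.0.113.7&server=example.com&uri=/ok&learning=0&vers=0.56&total_processed=12&total_blocked=2&block=0&cscore0=$SQL&score0=4&zone0=ARGS&id0=1010&var_name0=x
"""

def parse_naxsi_line(line):
    """Return the NAXSI_FMT key=value fields of one log line as a dict, or None."""
    m = re.search(r"NAXSI_FMT: ([^\s,]+)", line)
    if not m:
        return None
    return {k: v[0] for k, v in parse_qs(m.group(1), keep_blank_values=True).items()}

def exceeded_thresholds(entry):
    """List (score name, value, threshold) for each CheckRule this request reached."""
    hits, i = [], 0
    while f"cscore{i}" in entry:
        name, value = entry[f"cscore{i}"], int(entry[f"score{i}"])
        if name in CHECK_RULES and value >= CHECK_RULES[name]:
            hits.append((name, value, CHECK_RULES[name]))
        i += 1
    return hits

def whitelist_candidates(entry):
    """One candidate BasicRule per matched rule id, in the mz:$URL:path|ZONE form."""
    lines, i = [], 0
    while f"id{i}" in entry:
        rid, zone = entry[f"id{i}"], entry[f"zone{i}"]
        lines.append(f'BasicRule wl:{rid} "mz:$URL:{entry["uri"]}|{zone}";')
        i += 1
    return lines

def analyse(log_text):
    """Summarise every NAXSI_FMT entry: uri, whether it was blocked, and why."""
    report = []
    for line in log_text.splitlines():
        entry = parse_naxsi_line(line)
        if entry is not None:  # skip unrelated nginx error lines
            report.append({"uri": entry["uri"], "blocked": entry.get("block") == "1",
                           "exceeded": exceeded_thresholds(entry),
                           "whitelist": whitelist_candidates(entry)})
    return report

if __name__ == "__main__":
    for row in analyse(SAMPLE_LOG):
        print(row)
```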
7. Start nginx
# /usr/local/nginx/sbin/nginx
8. Test that the XSS and SQL injection filtering is in effect