Naxsi是一个开放源代码、高效、低维护规则的Nginx web应用防火墙(Web Application Firewall)模块。Naxsi的主要目标是加固web应用程序,以抵御SQL注入、跨站脚本、跨域伪造请求、本地和远程文件包含漏洞。
1、下载并解压nginx及naxsi文件
# cd /usr/local/src/
# wget http://nginx.org/download/nginx-1.16.0.tar.gz
# wget https://github.com/nbs-system/naxsi/archive/master.zip
# tar xvzf nginx-1.16.0.tar.gz
# tar zxvf naxsi-master.zip
2、安装nginx及naxsi
# cd nginx-1.16.0
# ./configure --prefix=/usr/local/nginx --add-module=/usr/local/src/naxsi-master/naxsi_src/
# make
# make install
3、复制Naxsi核心配置文件到nginx/conf下
# cp /usr/local/src/naxsi-master/naxsi_config/naxsi_core.rules /usr/local/nginx/conf/
4、在nginx.conf配置文件中添加Naxsi核心配置文件(核心规则文件naxsi_core.rules)
......
http {
include mime.types;
include /usr/local/nginx/conf/naxsi_core.rules; #加载naxsi 核心规则文件
default_type application/octet-stream;
......
}
......
5、在nginx.conf配置文件中添加虚拟主机添加支持Naxsi防xss和注入,以及白名单(规则文件naxsi_whitelists.rules)
......
location / {
include /usr/local/nginx/conf/naxsi_whitelists.rules;#加载自己编写的规则文件
SecRulesEnabled;
......
}
......
6、添加过滤规则及白名单
#vi /usr/local/nginx/conf/naxsi_whitelists.rules
SecRulesEnabled; #启用Naxsi模块
DeniedUrl "/RequestDenied"; # 拒绝访问时展示的页面
CheckRule "$SQL >= 8" BLOCK; #设置各规则不同的触发阈值。 一旦该阈值触发,请求将被阻塞。
CheckRule "$RFI >= 8" BLOCK;
CheckRule "$TRAVERSAL >= 4" BLOCK;
CheckRule "$EVADE >= 4" BLOCK;
CheckRule "$XSS >= 8" BLOCK;
error_log logs/naxsi.log; #nginx相对路径都是相对于根目录
BasicRule wl:0 "mz:$URL:/mobile/visitNewAction.app|ARGS"; #白名单,可根据查看logs/naxsi.log日志进行设置
BasicRule wl:1015; # request too big
BasicRule wl:1010; # excel download
BasicRule wl:1011; # excel download
BasicRule wl:16 "mz:$URL:/crm/ArchivesManage.do|BODY";
7、启用nginx
#/usr/local/nginx/sbin/nginx
8、测试xss和sql注入是否生效