nginx-naxsi not working

Hi all

I'm new to FreeBSD, nginx and naxsi. I'm trying to use the OS and the two applications to create a simple web application firewall to better protect a couple of websites I run. I have problems including the naxsi ruleset in nginx. Here is, step by step, what I try to do and where I face the problem. I hope a senior FreeBSD guy can understand what my problem is.

I installed FreeBSD 13:

Code:
root@shield:~ # cat /etc/os-release
NAME=FreeBSD
VERSION=13.0-RELEASE
VERSION_ID=13.0
ID=freebsd
ANSI_COLOR="0;31"
PRETTY_NAME="FreeBSD 13.0-RELEASE"
CPE_NAME=cpe:/o:freebsd:freebsd:13.0
HOME_URL=https://FreeBSD.org/
BUG_REPORT_URL=https://bugs.FreeBSD.org/

Then I installed nginx-naxsi using pkg install nginx-naxsi. See the nginx details below.

Code:
root@shield:~ # nginx -V
nginx version: nginx/1.20.1
built with OpenSSL 1.1.1k-freebsd  24 Aug 2021 (running with OpenSSL 1.1.1k-freebsd  25 Mar 2021)
TLS SNI support enabled
configure arguments: --prefix=/usr/local/etc/nginx --with-cc-opt='-I /usr/local/include' --with-ld-opt='-L /usr/local/lib' --conf-path=/usr/local/etc/nginx/nginx.conf --sbin-path=/usr/local/sbin/nginx --pid-path=/var/run/nginx.pid --error-log-path=/var/log/nginx/error.log --user=www --group=www --with-compat --modules-path=/usr/local/libexec/nginx --with-file-aio --http-client-body-temp-path=/var/tmp/nginx/client_body_temp --http-fastcgi-temp-path=/var/tmp/nginx/fastcgi_temp --http-proxy-temp-path=/var/tmp/nginx/proxy_temp --http-scgi-temp-path=/var/tmp/nginx/scgi_temp --http-uwsgi-temp-path=/var/tmp/nginx/uwsgi_temp --http-log-path=/var/log/nginx/access.log --with-http_v2_module --with-http_addition_module --with-http_auth_request_module --with-http_dav_module --with-http_flv_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_mp4_module --with-http_random_index_module --with-http_realip_module --with-pcre --with-http_secure_link_module --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --without-mail_imap_module --without-mail_pop3_module --without-mail_smtp_module --with-mail_ssl_module --with-stream_ssl_module --with-threads --with-mail=dynamic --with-stream=dynamic --add-dynamic-module=/wrkdirs/usr/ports/www/nginx-naxsi/work/naxsi-1.3/naxsi_src

I created the nginx proxy configuration as I wish to have it, but without naxsi security enabled. It works well so far. As a last step I try to include naxsi_core.rules in /usr/local/etc/nginx/nginx.conf to enable the naxsi rules.

Code:
http {
    (..)
    include       naxsi_core.rules;
    (..)

    server {
    (..)
    }
}

Afterwards, when I try to restart the nginx service, I get the error below:

Code:
root@shield:~ # service nginx restart
Performing sanity check on nginx configuration:
nginx: [emerg] unknown directive "MainRule" in /usr/local/etc/nginx/naxsi_core.rules:23
nginx: configuration file /usr/local/etc/nginx/nginx.conf test failed

Googling around for the error brings up this page. The statement is:
nginx: [emerg] unknown directive "MainRule" in /etc/nginx/naxsi_core.rules:13. This means that you didn't compiled nginx with naxsi :)
and
The only reasonable reason I see would be that nginx is not compiled with Naxsi support. Are you sure it is?

Any ideas about what I'm doing wrong?
Do I have to re-compile nginx somehow to include naxsi support? If yes, how do I have to do that?

Best regards
Tom
 

To install the package, include the "naxsi" suffix.
  • pkg install www/nginx-naxsi
If you want to build it and tweak the compile options ...

To install the port: cd /usr/ports/www/nginx-naxsi/ && make install clean

The above should get you started.
 
I will start from there. Hope I can make it work.

A question just for my understanding.

If I install the package using pkg install nginx-naxsi, can I expect to get a precompiled nginx binary which was compiled with the right options to be able to use naxsi?

or

Is it normal behaviour in FreeBSD to re-compile the binaries if additional functionality is required?

When looking at the output of nginx -V I can see some nonexistent paths for naxsi.

In case this is just a not so well maintained package, should I file a report somewhere?

Best regards
Tom
 
Hi Folks

I found out what the problem was. Everything seems to be correctly compiled - it's a module that needs to be loaded.

After pkg install nginx-naxsi, the following steps need to be done:

1. Add load_module /usr/local/libexec/nginx/ngx_http_naxsi_module.so; to the first line of /usr/local/etc/nginx/nginx.conf
2. Create a file called /usr/local/etc/nginx/naxsi.rules with following content:

Code:
## Enables learning mode
#LearningMode;
## Enable rules
SecRulesEnabled;
#SecRulesDisabled;
## URL to redirect to if access is denied
DeniedUrl "/my-error-message.html";

## Check rules
CheckRule "$SQL >= 8" BLOCK;
CheckRule "$RFI >= 8" BLOCK;
CheckRule "$TRAVERSAL >= 4" BLOCK;
CheckRule "$EVADE >= 4" BLOCK;
CheckRule "$XSS >= 8" BLOCK;

3. Add include naxsi_core.rules; to the http-section of /usr/local/etc/nginx/nginx.conf
4. Add include naxsi.rules; to the server-section of /usr/local/etc/nginx/nginx.conf

Just to share everything, here is my sample config of /usr/local/etc/nginx/nginx.conf

Code:
load_module                  /usr/local/libexec/nginx/ngx_http_naxsi_module.so;
worker_processes             4;

events {
    worker_connections       2048;
}

http {
    include                  mime.types;
    include                  naxsi_core.rules;
    default_type             application/octet-stream;

    sendfile                 on;
    #tcp_nopush              on;

    keepalive_timeout        65;
    gzip                     on;

    server {
        listen               80;
        server_name          some.hostname.dom;
        location / {
            include          naxsi.rules;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_pass       https://1.2.3.4;
        }
    }
    server {
        listen               443 ssl;
        server_name          some.hostname.dom;
        ssl_certificate      certs/my_cert_file.pem;
        ssl_certificate_key  certs/my_key_file.key;
        ssl_session_cache    shared:SSL:1m;
        ssl_session_timeout  5m;
        ssl_ciphers          HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers on;
        location / {
            include          naxsi.rules;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_pass       https://1.2.3.4;
        }
    }
}

Restart nginx by executing service nginx restart.

Call the IP of the nginx host with illegal characters to simulate an illegal request.


Check the logfile /var/log/nginx/error.log

Code:
2022/01/06 18:48:25 [error] 8404#0:*3 NAXSI_FMT: ip=127.0.0.1&server=127.0.0.1&uri=/&learning=0&vers=0.50&total_processed=3&total_blocked=1&zone0=ARGS&id0=1302&var_name0=a, client: 127.0.0.1, server: , request: "GET /?a=< HTTP/1.0", host: "127.0.0.1"

Hint: In case you want to have additional feature options compiled, simply execute:

Code:
# cd /usr/ports/www/nginx-naxsi/work/nginx-1.18.0
# ./configure
-- a text UI pops up, select from here what you need to have.
# make
# make install


I wish everybody a happy new year and stay healthy.

Best regards
Tom
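As an added example (not code from the thread, from nginx, from naxsi or from the FreeBSD port): a small Python parser for the NAXSI_FMT lines that the "check the logfile" step produces. It turns the ip/server/uri/learning/vers/total_processed/total_blocked fields and the zoneN/idN/var_nameN triples into one structured event per line and summarises blocked requests per client IP and hits per rule id and zone, which is what you want when deciding whether a rule needs a whitelist or whether a client needs to go on a blocklist. The field names are taken from the log line posted above; the extra sample lines, their rule ids and host names are constructed for the example, and the reading of learning=0 as "enforced" versus learning=1 as "logged only" follows the LearningMode/SecRulesEnabled switch in the naxsi.rules file above.

```python
"""Parse NAXSI_FMT lines from nginx's error.log into structured events.

Added example for this thread; it is not part of nginx, naxsi or the FreeBSD
port. Field names (ip, server, uri, learning, vers, total_processed,
total_blocked, zoneN/idN/var_nameN) are taken from the posted log line.
"""
import re
import sys
from collections import Counter
from typing import Dict, List, Optional

NAXSI_MARKER = "NAXSI_FMT: "
# zone0 / id0 / var_name0 ...: a field name followed by the match index.
_INDEXED_KEY = re.compile(r"^(?P<key>[a-z_]+?)(?P<idx>\d+)$")


def _to_int(value: str) -> Optional[int]:
    try:
        return int(value)
    except ValueError:
        return None


def parse_naxsi_fmt(line: str) -> Optional[dict]:
    """Return one event dict for a NAXSI_FMT line, or None for any other line.

    Scalar fields stay at top level; the indexed triples zoneN/idN/var_nameN
    are regrouped into event["matches"], one dict per index, so a request that
    tripped several rules yields several entries.
    """
    pos = line.find(NAXSI_MARKER)
    if pos < 0:
        return None
    prefix = line[:pos]
    # nginx appends ', client: ..., server: ..., request: "...", host: "..."'
    # after the module message, so the naxsi payload ends at ", client: ".
    payload, _, context = line[pos + len(NAXSI_MARKER):].partition(", client: ")

    event: dict = {"timestamp": prefix[:19]}   # e.g. "2022/01/06 18:48:25"
    indexed: Dict[int, dict] = {}
    for pair in payload.split("&"):
        key, sep, value = pair.partition("=")
        if not sep:
            continue                            # tolerate a malformed fragment
        m = _INDEXED_KEY.match(key)
        if m:
            indexed.setdefault(int(m.group("idx")), {})[m.group("key")] = value
        else:
            event[key] = value

    for name in ("learning", "total_processed", "total_blocked"):
        if name in event:
            event[name] = _to_int(event[name])

    event["matches"] = []
    for idx in sorted(indexed):
        entry = indexed[idx]
        if "id" in entry:
            entry["id"] = _to_int(entry["id"])
        event["matches"].append(entry)

    req = re.search(r'request: "([^"]*)"', context)
    host = re.search(r'host: "([^"]*)"', context)
    event["request"] = req.group(1) if req else None
    event["host"] = host.group(1) if host else None
    # learning=0: rules enforced (SecRulesEnabled as in the thread's naxsi.rules).
    # With LearningMode the same line is logged but the request is let through,
    # so only learning=0 lines are counted as blocked.
    event["blocked"] = event.get("learning") == 0
    return event


def summarize(lines: List[str]) -> dict:
    """Aggregate events: blocked requests per client IP, hits per rule id/zone."""
    per_ip: Counter = Counter()
    per_rule: Counter = Counter()
    per_zone: Counter = Counter()
    count = 0
    for line in lines:
        ev = parse_naxsi_fmt(line)
        if ev is None:
            continue
        count += 1
        if ev["blocked"]:
            per_ip[ev.get("ip", "?")] += 1
        for m in ev["matches"]:
            per_rule[m.get("id")] += 1
            per_zone[m.get("zone")] += 1
    return {
        "events": count,
        "blocked_per_ip": dict(per_ip),
        "hits_per_rule": dict(per_rule),
        "hits_per_zone": dict(per_zone),
    }


# Constructed sample input: the first line is the one posted in the thread; the
# others (rule ids, hosts, the plain nginx error) are made up to exercise the parser.
SAMPLE_LOG = [
    '2022/01/06 18:48:25 [error] 8404#0:*3 NAXSI_FMT: ip=127.0.0.1&server=127.0.0.1&uri=/&learning=0&vers=0.50&total_processed=3&total_blocked=1&zone0=ARGS&id0=1302&var_name0=a, client: 127.0.0.1, server: , request: "GET /?a=< HTTP/1.0", host: "127.0.0.1"',
    '2022/01/06 18:50:02 [error] 8404#0:*5 NAXSI_FMT: ip=203.0.113.7&server=some.hostname.dom&uri=/login&learning=0&vers=0.50&total_processed=9&total_blocked=2&zone0=ARGS&id0=1001&var_name0=user&zone1=ARGS&id1=1302&var_name1=user, client: 203.0.113.7, server: some.hostname.dom, request: "GET /login?user=%27%3C HTTP/1.1", host: "some.hostname.dom"',
    '2022/01/06 18:51:10 [error] 8404#0:*6 NAXSI_FMT: ip=203.0.113.7&server=some.hostname.dom&uri=/search&learning=1&vers=0.50&total_processed=10&total_blocked=2&zone0=ARGS&id0=1302&var_name0=q, client: 203.0.113.7, server: some.hostname.dom, request: "GET /search?q=%3Cb%3E HTTP/1.1", host: "some.hostname.dom"',
    '2022/01/06 18:52:00 [error] 8404#0:*7 open() "/usr/local/www/nginx/favicon.ico" failed (2: No such file or directory), client: 127.0.0.1, server: , request: "GET /favicon.ico HTTP/1.0", host: "127.0.0.1"',
]


if __name__ == "__main__":
    # Usage: python3 naxsi_log.py [/var/log/nginx/error.log]
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            print(summarize(fh.readlines()))
    else:
        print(summarize(SAMPLE_LOG))
```

Run it against the real /var/log/nginx/error.log once a few blocked requests are in there; a rule id that shows up constantly for legitimate traffic on one var_name is the candidate for a BasicRule whitelist in naxsi.rules, while a client IP with many learning=0 hits is the one to look at on the firewall side.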
 