nginx-naxsi not working

Hi all

I'm new to FreeBSD, nginx and naxsi. I try to use the OS and the two applications to create a simple web application firewall to better protect a couple of websites i run. I have problems including the naxsi ruleset in nginx. Here is step-by-step what i try to do and where i face the problem. I hope a senior FreeBSD-guy can understand what my problem is.

I installed FreeBSD13

root@shield:~ # cat /etc/os-release

Then i installed nginx-naxsi by using pkg install nginx-naxsi. See the nginx details below.

root@shield:~ # nginx -V
nginx version: nginx/1.20.1
built with OpenSSL 1.1.1k-freebsd  24 Aug 2021 (running with OpenSSL 1.1.1k-freebsd  25 Mar 2021)
TLS SNI support enabled
configure arguments: --prefix=/usr/local/etc/nginx --with-cc-opt='-I /usr/local/include' --with-ld-opt='-L /usr/local/lib' --conf-path=/usr/local/etc/nginx/nginx.conf --sbin-path=/usr/local/sbin/nginx --pid-path=/var/run/ --error-log-path=/var/log/nginx/error.log --user=www --group=www --with-compat --modules-path=/usr/local/libexec/nginx --with-file-aio --http-client-body-temp-path=/var/tmp/nginx/client_body_temp --http-fastcgi-temp-path=/var/tmp/nginx/fastcgi_temp --http-proxy-temp-path=/var/tmp/nginx/proxy_temp --http-scgi-temp-path=/var/tmp/nginx/scgi_temp --http-uwsgi-temp-path=/var/tmp/nginx/uwsgi_temp --http-log-path=/var/log/nginx/access.log --with-http_v2_module --with-http_addition_module --with-http_auth_request_module --with-http_dav_module --with-http_flv_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_mp4_module --with-http_random_index_module --with-http_realip_module --with-pcre --with-http_secure_link_module --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --without-mail_imap_module --without-mail_pop3_module --without-mail_smtp_module --with-mail_ssl_module --with-stream_ssl_module --with-threads --with-mail=dynamic --with-stream=dynamic --add-dynamic-module=/wrkdirs/usr/ports/www/nginx-naxsi/work/naxsi-1.3/naxsi_src

I created the nginx proxy configuration as i wish to have it but without naxsi security enabled. Works well so far. As a last step I try to include the naxsi_core.rules in /usr/local/etc/nginx/nginx.conf to enable the naxsi-rules.

http {
    include       naxsi_core.rules;

    server {

Afterwards, when i try to restart the nginx service, i get the error below:

root@shield:~ # service nginx restart
Performing sanity check on nginx configuration:
nginx: [emerg] unknown directive "MainRule" in /usr/local/etc/nginx/naxsi_core.rules:23
nginx: configuration file /usr/local/etc/nginx/nginx.conf test failed

Googling around for the error brings up this page. The statement is:
nginx: [emerg] unknown directive "MainRule" in /etc/nginx/naxsi_core.rules:13. This means that you didn't compiled nginx with naxsi :)
The only reasonable reason I see would be that nginx is not compiled with Naxsi support. Are you sure it is?

Any ideas around what i'm doing wrong?
Do i have to re-compile nginx somehow to include naxsi support? If yes, how do i have to do that?

Best regards

To install the package, include the "naxsi" suffix.
  • pkg install www/nginx-naxsi
If you want to build it and tweak the compile options ...

To install the port: cd /usr/ports/www/nginx-naxsi/ && make install clean

The above should get you started.
I will start from there. Hope i can make it work.

A question just for my understanding.

If i install the package by using pkg install nginx-naxsi, can i expect to get a precompiled nginx binary which was compiled with the right options to be able to use naxsi?


Is this normal behaviour in FreeBSD to re-compile the binaries if any functionality is required?

When looking at the output if nginx -V i can see some inexistent paths for naxsi.

In case this is just a not so good maintained package, should i file a report somewhere?

Best regards
Hi Folks

I found out what the problem was. Everything seems to be correctly compiled - it's a module that needs to be loaded.

After pkg install nginx-naxsi following steps need to be done:

1. Add load_module /usr/local/libexec/nginx/; to the first line of /usr/local/etc/nginx/nginx.conf
2. Create a file called /usr/local/etc/nginx/naxsi.rules with following content:

## Enables learning mode
## Enable rules
## URL to redirect to if access is denied
DeniedUrl "/my-error-message.html";

## Check rules
CheckRule "$SQL >= 8" BLOCK;
CheckRule "$RFI >= 8" BLOCK;
CheckRule "$TRAVERSAL >= 4" BLOCK;
CheckRule "$EVADE >= 4" BLOCK;
CheckRule "$XSS >= 8" BLOCK;

3. Add include naxsi_core.rules; to the http-section of /usr/local/etc/nginx/nginx.conf
4. Add include naxsi.rules; to the server-section of /usr/local/etc/nginx/nginx.conf

Just to share everything, here is my sampe config of /usr/local/etc/nginx/nginx.conf

load_module                  /usr/local/libexec/nginx/;
worker_processes             4;

events {
    worker_connections       2048;

http {
    include                  mime.types;
    include                  naxsi_core.rules;
    default_type             application/octet-stream;

    sendfile                 on;
    #tcp_nopush              on;

    keepalive_timeout        65;
    gzip                     on;

    server {
        listen               80;
        server_name          some.hostname.dom;
        location / {
            include          naxsi.rules;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
    server {
        listen               443 ssl;
        server_name          some.hostname.dom;
        ssl_certificate      certs/my_cert_file.pem;
        ssl_certificate_key  certs/my_key_file.key;
        ssl_session_cache    shared:SSL:1m;
        ssl_session_timeout  5m;
        ssl_ciphers          HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers on;
        location / {
            include          naxsi.rules;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;

Restart nginx by executing service nginx restart.

Call the IP of the nginx host with illegal characters to simulate a illegal request.

Check the logfile /var/log/nginx/error.log

2022/01/06 18:48:25 [error] 8404#0:*3 NAXSI_FMT: ip=, client:, server: , request: "GET /?a=< HTTP/1.0", host: ""

Hint: In case you want to have additional features options compieled, simply execute:

[SIZE=12px]# cd /usr/ports/www/nginx-naxsi/work/nginx-1.18.0
# ./configure
-- a text ui pops up, select from here what you need to have.
# make
# make install[/SIZE]

I wish everybody a happy new year and stay healthy.

Best regards