Naxsi is a module that extends Nginx. It provides a WAF (Web Application Firewall) that protects your sites from XSS and SQL injection, two well-known vulnerabilities. According to its developers, Naxsi is a low-maintenance module, so once it is installed you should see a considerable boost in your site's security without much hassle.
This doc shows how to add the Naxsi module to a new or existing Nginx installation on Ubuntu 14.04.
Step 1A: Installing Naxsi without an existing Nginx installation
Follow this step if Nginx is not yet installed on your server. If you already have an Nginx installation, follow step 1B instead. Before installing Naxsi, it is a good idea to update the system's package lists. Do this by executing:
apt-get update
Next, we can install Naxsi. Installing with apt-get pulls in Naxsi and its dependencies. Naxsi will automatically be started on boot.
apt-get install nginx-naxsi
Step 1B: Installing Naxsi with an existing Nginx installation
Step 1A cannot be followed if Nginx is already installed, because the nginx-naxsi package is Nginx and Naxsi combined. If you already have Nginx and want Naxsi on top of it, replacing the nginx-core package with the nginx-naxsi package should generally work fine. Before doing so, back up preferably your whole server, and back up the /etc/nginx/ directory as well.
If possible, deploy a new server with a completely new Nginx installation using the nginx-naxsi package. If not, back up your server and type:
apt-get install nginx-naxsi
This should install Naxsi and replace the existing Nginx, but keep all your files.
Step 2: Editing Naxsi settings
To enable Naxsi, open the file /etc/nginx/nginx.conf:
vi /etc/nginx/nginx.conf
and find the following section:
# nginx-naxsi config
##
# Uncomment it if you installed nginx-naxsi
##
# include /etc/nginx/naxsi_core.rules;
Remove the # in front of the include to load the Naxsi core rules, which enables Naxsi. After making that change, the line should look like this:
include /etc/nginx/naxsi_core.rules;
The configuration of Naxsi can be found in /etc/nginx/naxsi.rules. You can see what it does and optionally change some settings, depending on your needs and the type of website(s) that you host.
After enabling Naxsi and editing the configuration, we need to enable Naxsi for our default site manually. Open /etc/nginx/sites-enabled/default:
vi /etc/nginx/sites-enabled/default
To enable Naxsi on this location, remove the # in front of the include line if one is present. If the line is already uncommented, leave it as it is and don't add a #.
# Uncomment to enable naxsi on this location
include /etc/nginx/naxsi.rules;
Step 3: Turning off learning mode
For Naxsi to protect your site, we need to turn off the learning mode. Open /etc/nginx/naxsi.rules:
vi /etc/nginx/naxsi.rules
Find the string LearningMode and place a # in front of it. That comments out the line and thus disables the learning mode in the config.
Step 4: Restarting Naxsi
Reload Nginx for the changes to take effect:
service nginx reload
You can now see any security warnings from Naxsi in the Nginx log:
tail -f /var/log/nginx/error.log
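An added check for the edits made in Steps 2 and 3 (example code, not part of the original article or of the Naxsi project): it confirms that both include lines are uncommented and that LearningMode is commented out. The function names and the live/demo arguments are hypothetical, and the sample files in the demo are constructed.

```shell
# Added example; function names and the live/demo arguments are hypothetical.

# True if FILE ($1) has an uncommented line that starts with the regex in $2.
active_line() {
    grep -Eq "^[[:space:]]*$2" "$1"
}

# naxsi_audit NGINX_CONF SITE_CONF NAXSI_RULES
# Prints one line per check and returns the number of failed checks.
naxsi_audit() {
    fails=0
    if active_line "$1" 'include[[:space:]]+/etc/nginx/naxsi_core\.rules;'; then
        echo "OK   core rules are included in $1"
    else
        echo "FAIL naxsi_core.rules include is missing or commented out in $1"
        fails=$((fails + 1))
    fi
    if active_line "$2" 'include[[:space:]]+/etc/nginx/naxsi\.rules;'; then
        echo "OK   naxsi.rules is included in $2"
    else
        echo "FAIL naxsi.rules include is missing or commented out in $2"
        fails=$((fails + 1))
    fi
    if active_line "$3" 'LearningMode'; then
        echo "FAIL LearningMode is still active in $3"
        fails=$((fails + 1))
    else
        echo "OK   LearningMode is commented out in $3"
    fi
    return "$fails"
}

# Constructed sample files: Step 2 was done, Step 3 was forgotten.
naxsi_audit_demo() {
    d=$(mktemp -d) || return 99
    printf '%s\n' 'http {' '    include /etc/nginx/naxsi_core.rules;' '}' > "$d/nginx.conf"
    printf '%s\n' 'location / {' '    include /etc/nginx/naxsi.rules;' '}' > "$d/default"
    printf '%s\n' 'LearningMode;' 'SecRulesEnabled;' > "$d/naxsi.rules"
    rc=0
    naxsi_audit "$d/nginx.conf" "$d/default" "$d/naxsi.rules" || rc=$?
    rm -rf "$d"
    return "$rc"
}

# "live" audits the paths used in this article; "demo" runs the constructed sample.
case "${1:-}" in
    live) naxsi_audit /etc/nginx/nginx.conf /etc/nginx/sites-enabled/default /etc/nginx/naxsi.rules ;;
    demo) naxsi_audit_demo ;;
esac
```

Run it with the argument live on the server after Step 4; a non-zero exit status is the number of checks that failed.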