Naxsi

Lazy learning

So you want to use Naxsi, but you’re too lazy to analyze your nginx error log in order to write your own whitelists, and you’re definitely not brave enough to run a learning mode for a week. Relax, they’ve got something for you too. Head to the Downloads area of Naxsi’s website and retrieve the latest naxsi-ui archive. Within that tarball, you will only need 2 Python scripts, nx_intercept.py and nx_extract.py. The first one reads and records all Naxsi matches from the error log, while the second generates the whitelist. In order to make those scripts work, you will need python-twisted, which is available for pretty much every decent UNIX-like I’m aware of. The default configuration file, naxsi-ui.conf, will do the job as it is. Here’s a tiny piece of script which reads all of your log files, passes them to the nx_* scripts and displays all the associated whitelist rules on stdout:

WordPress 3.5 and Naxsi (update 7, now in production)

Update: This setup is now in production; you are actually reading this blog through a Naxsi-protected WordPress! Update 2: This setup is also in production on GCU-Squad’s website.

I’m slowly preparing the iMil.net migration to a new server. Yeah, it’s a bit confusing to be the CTO of a hosting company and have my personal website elsewhere, but you know, time and stuff… anyway, it’s coming.

Not going to happen in those sneakers

At my company, the security team published a module for nginx a few months ago: an application firewall named naxsi.

I have just published this module, which is licensed under GPLv2, in pkgsrc current as an option of www/nginx. Here I will show you how to simply secure your nginx web server / reverse proxy with naxsi.

First, if like me (and as you should) you use a stable branch of pkgsrc, simply update www/nginx like this: