So you want to use Naxsi but you’re too lazy to analyze your nginx’s error log in order to write your own whitelists, and you’re definitely not brave enough to run a learning mode for a week. Relax, they’ve got something for you too. Rendez-vous in the Downloads area of Naxsi’s website and retrieve latest naxsi-ui archive. Within that tarball, you will only need 2 python scripts, nx_intercept.py and nx_extract.py. The first one will read and record all Naxsi matches from the error log, while the second will generate the whitelist.
naxsi
Update: This setup is now in production, you are actually reading this blog through a Naxsi protected WordPress ! Update 2: This setup is also in production on GCU-Squad’s Website.
I’m slowly preparing iMil.net migration to a new server. Yeah, it’s a bit confusing to be the CTO of a hosting company and having my personnal website elsewhere, but you know, time and stuff… anyway, it’s coming.
While preparing the migration, I decided to get rid of Apache’s modsecurity and to put naxsi, the WAF plugin for nginx in front of the website.
Dans ma boîte, l’équipe sécurité a publié voila quelques mois de cela un module pour nginx: un firewall applicatif du nom de naxsi.
Ce module, sous licence GPLv2, je viens de le publier dans pkgsrc current sous la forme d’une option de www/nginx. Je me propose de vous montrer ici comment sécuriser simplement votre serveur web / proxy inverse nginx grâce à naxsi.
Premièrement, si comme moi (et comme il se doit) vous utilisez une branche stable de pkgsrc, mettez simplement à jour www/nginx comme ceci: