keoulvi

naxsi

May 23rd, 2021 (edited)
  1. --add-module=/www/server/naxsi-1.3/naxsi_src/
  2.  
  3. export NAXSI_VER=1.3
  4. rm -rf /www/server/naxsi-1.3
  5. cd /www/server/
  6. wget https://github.com/nbs-system/naxsi/archive/$NAXSI_VER.tar.gz -O naxsi_$NAXSI_VER.tar.gz
  7. tar vxf naxsi_$NAXSI_VER.tar.gz
  8. rm naxsi_$NAXSI_VER.tar.gz
  9. cd /www/server/naxsi-$NAXSI_VER/naxsi_src; make
  10.  
  11.  
  12. http {
  13.     include /www/server/naxsi-1.3/naxsi_config/naxsi_core.rules; # load naxsi core rules
  14.     ...
  15. }
  16.  
  23. server {
  24. ...
  25.  
  26.     location / { # naxsi is enabled, and in learning mode
  27.  
  28.         SecRulesEnabled; #enable naxsi
  29.         LearningMode; #enable learning mode
  30.         LibInjectionSql; #enable libinjection support for SQLI
  31.         LibInjectionXss; #enable libinjection support for XSS
  32.  
  33.         DeniedUrl "/RequestDenied"; #the location where naxsi will redirect the request when it is blocked
  34.         CheckRule "$SQL >= 8" BLOCK; #the action to take when the $SQL score is superior or equal to 8
  35.         CheckRule "$RFI >= 8" BLOCK;
  36.         CheckRule "$TRAVERSAL >= 5" BLOCK;
  37.         CheckRule "$UPLOAD >= 5" BLOCK;
  38.         CheckRule "$XSS >= 8" BLOCK;
  39.  
  40.  
  41.         proxy_pass http://127.0.0.1;
  42.         ....
  43.     }
  44.  
  45.     location /admin { # naxsi is disabled
  46.  
  47.         SecRulesDisabled; #optional, naxsi is disabled by default
  48.        
  49.         allow 1.2.3.4;
  50.         deny all;
  51.         proxy_pass http://127.0.0.1;
  52.         ....
  53.     }
  54.  
  55.     location /vuln_page.php { # naxsi is enabled, and is *not* in learning mode
  56.  
  57.         SecRulesEnabled;
  58.         proxy_pass http://127.0.0.1;
  59.     }
  60.    
  61.     location /RequestDenied {
  62.         internal;
  63.         return 403;
  64.     }
  65. ...
  66.  
  67. }