As web applications become more sophisticated, they are also becoming more susceptible to various types of cyberattacks. This is where NAXSI (Nginx Anti XSS & SQL Injection) comes into play. NAXSI is a powerful open-source web application firewall (WAF) for Nginx that helps protect your applications from common web threats, such as cross-site scripting (XSS) and SQL injection attacks. In this tutorial, we will walk you through the steps of how to install and configure NAXSI on Rocky Linux.
Table of Contents
- Prerequisites
- Install Nginx
- Install and Configure NAXSI
- Configure Nginx with NAXSI
- Testing NAXSI
- Allowlisting Rules
- Conclusion
How to Install and Configure NAXSI on Rocky Linux
Prerequisites
Before you begin, make sure you have the following:
- A Rocky Linux system with root access or a user with sudo privileges
- Nginx installed on Rocky Linux
- Basic knowledge of Nginx configuration
Install Nginx on Rocky Linux
If you haven’t already, install Nginx by following the steps in our Nginx installation guide for Rocky Linux.
Install and Configure NAXSI on Rocky Linux
First, we need to install the NAXSI module for Nginx. It’s available from the EPEL repository, so we’ll install the EPEL repository first:
sudo dnf install epel-release -y
Next, install the NAXSI module:
sudo dnf install nginx-module-naxsi -y
Now that NAXSI is installed, we need to enable the module in the Nginx configuration. Open the /etc/nginx/nginx.conf file using your favorite text editor:
sudo nano /etc/nginx/nginx.conf
Add the following line at the beginning of the file:
load_module modules/ngx_http_naxsi_module.so;
Save and close the file.
Configure Nginx with NAXSI on Rocky Linux
To configure Nginx with NAXSI, we need to create a new Nginx configuration file:
sudo nano /etc/nginx/conf.d/naxsi.conf
Add the following lines to the file:
# Basic NAXSI rules
include /usr/share/nginx/modules/naxsi_core.rules;

# Nginx server configuration
server {
    listen 80;
    server_name your_domain.com;
    root /usr/share/nginx/html;

    # NAXSI configuration
    include /etc/nginx/naxsi.rules;

    location / {
        try_files $uri $uri/ =404;
    }

    error_page 418 = @naxsi_rules;
    location @naxsi_rules {
        return 403;
    }
}
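Replace your_domain.com with your domain name. Nginx refuses to start if a file named in an include directive does not exist, so make sure every included path points to a file that is present on your system. Save and close the file.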
Create the NAXSI rules file:
sudo nano /etc/nginx/naxsi_core.rules
Configure NAXSI for your domain
Now that NAXSI is installed, we need to configure it for your domain. Edit the Nginx configuration file for your domain:
sudo nano /etc/nginx/conf.d/your_domain.com.conf
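Add the following lines within the server block to enable NAXSI. The core rules file contains MainRule directives, which Nginx accepts only in the http context, so it is included at the http level (as in /etc/nginx/conf.d/naxsi.conf above) rather than inside the server block. NAXSI only acts on a request once a CheckRule threshold is reached, so the location also needs CheckRule lines:
# naxsi_core.rules is included at the http level, not here (MainRule is http-context only)
location /RequestDenied {
    return 403;
}
error_log /var/log/nginx/naxsi_error.log;
location / {
    SecRulesEnabled;
    DeniedUrl "/RequestDenied";
    # Score thresholds at which NAXSI blocks the request
    CheckRule "$SQL >= 8" BLOCK;
    CheckRule "$RFI >= 8" BLOCK;
    CheckRule "$TRAVERSAL >= 4" BLOCK;
    CheckRule "$EVADE >= 4" BLOCK;
    CheckRule "$XSS >= 8" BLOCK;
    include /etc/nginx/naxsi_whitelist.rules;
}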
Save and close the file. Test the Nginx configuration for any errors:
sudo nginx -t
If the configuration is correct, restart Nginx:
sudo systemctl restart nginx
Monitor and adjust NAXSI rules
NAXSI logs blocked requests in the /var/log/nginx/naxsi_error.log file. Regularly monitor this file to identify any false positives and adjust the NAXSI rules accordingly:
sudo tail -f /var/log/nginx/naxsi_error.log
Create custom Allowlist
In some cases, you might need to create custom Allowlists for specific applications or parts of your website. You can do this by creating a separate Allowlist file for each application or section:
sudo nano /etc/nginx/naxsi_whitelist_app1.rules
Add your custom rules to the file, save, and close it. Then, include this file in your Nginx configuration:
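location /app1 {
    SecRulesEnabled;
    DeniedUrl "/RequestDenied";
    # Score thresholds at which NAXSI blocks the request
    CheckRule "$SQL >= 8" BLOCK;
    CheckRule "$RFI >= 8" BLOCK;
    CheckRule "$TRAVERSAL >= 4" BLOCK;
    CheckRule "$EVADE >= 4" BLOCK;
    CheckRule "$XSS >= 8" BLOCK;
    include /etc/nginx/naxsi_whitelist.rules;
    include /etc/nginx/naxsi_whitelist_app1.rules;
}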
Remember to test and restart Nginx after making any changes.
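Added example (not part of the original guide): NAXSI records each blocked request in the error log as a NAXSI_FMT line, and the script below turns repeated hits into candidate BasicRule allowlist entries for review. The sample log lines, the min_hits threshold and the function names are constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import parse_qsl

# Constructed sample entries in the NAXSI_FMT layout (not taken from a real server).
SAMPLE_LOG = """\
2024/01/10 10:00:01 [error] 1234#0: *1 NAXSI_FMT: ip=192.0.2.10&server=your_domain.com&uri=/app1/search&learning=0&vers=1.3&total_processed=10&total_blocked=1&block=1&cscore0=$SQL&score0=8&zone0=ARGS&id0=1000&var_name0=q, client: 192.0.2.10, server: your_domain.com, request: "GET /app1/search?q=select+shoes+from+catalog HTTP/1.1", host: "your_domain.com"
2024/01/10 10:05:42 [error] 1234#0: *7 NAXSI_FMT: ip=192.0.2.23&server=your_domain.com&uri=/app1/search&learning=0&vers=1.3&total_processed=31&total_blocked=2&block=1&cscore0=$SQL&score0=8&zone0=ARGS&id0=1000&var_name0=q, client: 192.0.2.23, server: your_domain.com, request: "GET /app1/search?q=update+from+select HTTP/1.1", host: "your_domain.com"
2024/01/10 10:09:13 [error] 1234#0: *9 NAXSI_FMT: ip=198.51.100.5&server=your_domain.com&uri=/app1/item&learning=0&vers=1.3&total_processed=40&total_blocked=3&block=1&cscore0=$SQL&score0=8&cscore1=$XSS&score1=8&zone0=ARGS&id0=1001&var_name0=id&zone1=ARGS&id1=1302&var_name1=id, client: 198.51.100.5, server: your_domain.com, request: "GET /app1/item HTTP/1.1", host: "your_domain.com"
2024/01/10 10:12:00 [error] 1234#0: *12 NAXSI_FMT: ip=192.0.2.10&server=your_domain.com&uri=/app1/form&learning=0&vers=1.3&total_processed=55&total_blocked=4&block=1&cscore0=$SQL&score0=8&zone0=BODY&id0=1001&var_name0=a%22b, client: 192.0.2.10, server: your_domain.com, request: "POST /app1/form HTTP/1.1", host: "your_domain.com"
2024/01/10 10:12:30 [error] 1234#0: *13 NAXSI_FMT: ip=192.0.2.10&server=your_domain.com&uri=/app1/form&learning=0&vers=1.3&total_processed=56&total_blocked=5&block=1&cscore0=$SQL&score0=8&zone0=BODY&id0=1001&var_name0=a%22b, client: 192.0.2.10, server: your_domain.com, request: "POST /app1/form HTTP/1.1", host: "your_domain.com"
"""

FMT_RE = re.compile(r"NAXSI_FMT: (.*?), client: ")
VAR_ZONES = {"ARGS", "BODY", "HEADERS"}          # zones that map to $<ZONE>_VAR:<name>
SAFE = re.compile(r"[\w./-]+", re.ASCII)         # characters allowed into generated config

def parse_matches(line):
    """Return (uri, zone, rule_id, var_name) for every rule hit on one log line."""
    m = FMT_RE.search(line)
    if not m:
        return []
    fields = dict(parse_qsl(m.group(1), keep_blank_values=True))
    hits, i = [], 0
    while f"id{i}" in fields:                    # hits are numbered id0, id1, ...
        hits.append((fields.get("uri", ""), fields.get(f"zone{i}", ""),
                     int(fields[f"id{i}"]), fields.get(f"var_name{i}", "")))
        i += 1
    return hits

def suggest_allowlist(log_text, min_hits=2):
    """Propose BasicRule lines for rule hits seen at least min_hits times."""
    counts = Counter(h for line in log_text.splitlines() for h in parse_matches(line))
    rules = []
    for (uri, zone, rule_id, var), n in sorted(counts.items()):
        if n < min_hits or zone not in VAR_ZONES:
            continue
        # uri and var_name come from the client: never copy odd characters into nginx config
        if not (SAFE.fullmatch(uri) and SAFE.fullmatch(var)):
            continue
        rules.append(f'BasicRule wl:{rule_id} "mz:$URL:{uri}|${zone}_VAR:{var}";  # {n} hits')
    return rules

if __name__ == "__main__":
    print("\n".join(suggest_allowlist(SAMPLE_LOG)))
```

Review each proposed line before adding it to /etc/nginx/naxsi_whitelist_app1.rules; repeated hits alone do not prove that a request is legitimate.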
Conclusion
In this guide, we’ve covered how to install and configure NAXSI on Rocky Linux. By following these steps, you can significantly improve the security of your web applications against various web attacks. Don’t forget to monitor and adjust your NAXSI rules regularly to ensure optimal protection.