#About Ubuntu based Naxsi web application firewall.
NAXSI means Nginx Anti Xss & Sql Injection. It's a Web Application Firewall who allows only whitelisted requests, is open-source, with high performance and low rules maintenance.
In short, Naxsi behaves like a DROP-by-default firewall, the only job needed is to add required ACCEPT rules for the target website to work properly. This whitelist can be automatically generated by naxsi-ui.
This Docker container work as a Nginx proxy, use it in front of your WebApps in order to allow only authorized requests.
Naxsi UI is avaliable in port 8081, with user naxsi_web and password test. This password can be changed by passing the environment variable NAXSI_UI_PASSWORD to docker.
#Sources
- Nginx-naxsi package from ubuntu repositories.
- Nginx configuration files based on the ones made by Epheo.
- Naxsi-ui version 0.50 from Naxsi.
First, lauch naxsi in learning mode, who's allowed all the requests and add them to the rules. If you want later to disable LearningMode, use ``-e LEARNING_MODE=no` when running docker.
You can specify your redirect IP in the Dockerfile ENV PROXY_REDIRECT_IP or pass it to docker at runtime.
Your redirect IP should be your http frontend
You want to run your WAF proxy behind your 10.0.0.1. Naxi-UI is in the host on port 8081, and naxsi will not block anything (learning mode):
docker run --env PROXY_REDIRECT_IP=10.0.0.1 \
--env NAXSI_UI_PASSWORD="your_secret_pass" \
-p 80:80 \
-p 8081:8081 \
-d scollazo/naxsi-waf-with-ui
Browse to http://your_host_ip:8081/ -> Get Whitelist , and save the content local directory.
You can test your whitelists attaching them to the container:
docker run --env PROXY_REDIRECT_IP=10.0.0.1 \
--env NAXSI_UI_PASSWORD="your_secret_pass" \
-v <local whitelist dir>:/etc/nginx/local-config/ \
-p 80:80 \
-p 8081:8081 \
-d scollazo/naxsi-waf-with-ui
Once you are confident with your whitelist, you can disable learning mode, and start blocking attacks with:
docker run --env PROXY_REDIRECT_IP=10.0.0.1 \
--env NAXSI_UI_PASSWORD="your_secret_pass" \
--env LEARNING_MODE=no \
-v <logs dir>:/var/log/nginx/ \
-v <local whitelist dir>:/etc/nginx/local-config/ \
-p 80:80 \
-p 8081:8081 \
-d scollazo/naxsi-waf-with-ui
Your frontend website will be protected by naxsi using the whitelists you created, and log attack attempts or false positives in the naxsi ui.
Have in mind that an incomplete whitelist can render your site unusable, and a too permisive one leave it still vulnerable.