Naxsi is an open-source, high-performance, low-rule-maintenance web application firewall module for Nginx. Its main goal is to help people harden their web applications against SQL injection, cross-site scripting, cross-site request forgery, and local and remote file inclusion vulnerabilities.
Download the Naxsi module
# cd /usr/local/src
# git clone https://github.com/nbs-system/naxsi.git
Recompile Nginx with the Naxsi module
Check the configure arguments of the existing nginx build
# nginx -V
Compile again, adding the new naxsi module
# cd nginx-x.x.xx
# ./configure --add-module=../naxsi/naxsi_src/ [your options for nginx]
# make
# make install
Copy the Naxsi core rules file into nginx/conf
# cp ../naxsi/naxsi_config/naxsi_core.rules /usr/local/nginx/conf/
Include the Naxsi core rules file in nginx.conf
http {
    include naxsi_core.rules;
    include mime.types;
    default_type application/octet-stream;
    ......
Configure the Naxsi rules: create a new file named naxsi.rules
# vim /usr/local/nginx/conf/naxsi.rules
Add the following rules
#LearningMode; #Enables learning mode
SecRulesEnabled;
#SecRulesDisabled;
DeniedUrl "/RequestDenied";
## check rules
CheckRule "$SQL >= 8" BLOCK;
CheckRule "$RFI >= 8" BLOCK;
CheckRule "$TRAVERSAL >= 4" BLOCK;
CheckRule "$EVADE >= 4" BLOCK;
CheckRule "$XSS >= 8" BLOCK;
Add Naxsi protection to the virtual host
server {
    proxy_set_header Proxy-Connection "";
    listen *:80;
    access_log /tmp/nginx_access.log;
    error_log /tmp/nginx_error.log debug;
    location / {
        include naxsi.rules;
        proxy_pass http://x.x.x.x/;
        proxy_set_header Host www.mysite.com;
    }
    # Blocked requests are internally redirected here (see DeniedUrl in naxsi.rules)
    location /RequestDenied {
        return 403;
    }
    error_page 403 /403.html;
    location = /403.html {
        root /usr/share/nginx/html;
    }
}
Create a custom 403 "request denied" block page; when the WAF detects an attack, this page is returned to the user. The following can serve as a reference
<html>
<head>
<title>Error 403 Request Denied</title>
</head>
<body>
<h2>Error 403 Request Denied</h2>
For some reason, your request has been denied.
</body>
</html>
Check the nginx configuration for syntax errors
# nginx -t
Switch to the newly built nginx binary
# service nginx upgrade
Test whether Naxsi is working
Test URL
Visit http://www.123admin.com/?a=%3C
If the following appears in the error log, the setup is working:
2015/01/23 04:56:07 [error] 890#0:*3 NAXSI_FMT: ip=127.0.0.1&server=www.123admin.com&uri=/&learning=0&vers=0.50&total_processed=3&total_blocked=1&zone0=ARGS&id0=1302&var_name0=a, client: 127.0.0.1, server: , request: "GET /?a=< HTTP/1.0", host: "www.123admin.com"
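The NAXSI_FMT line above is what you will be reading both when tuning rules and when alerting on blocks, so a small parser for it is useful. The following is an added example, not code from the page or from the Naxsi project; it parses the query-string style fields (ip, server, uri, learning, total_blocked and the numbered zoneN/idN/var_nameN triples) and counts rule hits across a log, using a constructed sample line of the same shape as the one shown.

```python
import re
from collections import Counter
from urllib.parse import parse_qs

# Constructed sample, shaped like the NAXSI_FMT line shown above.
SAMPLE_LOG = (
    '2015/01/23 04:56:07 [error] 890#0:*3 NAXSI_FMT: '
    'ip=127.0.0.1&server=www.123admin.com&uri=/&learning=0&vers=0.50'
    '&total_processed=3&total_blocked=1&zone0=ARGS&id0=1302&var_name0=a, '
    'client: 127.0.0.1, server: , request: "GET /?a=< HTTP/1.0", '
    'host: "www.123admin.com"'
)
# The query-string style payload ends at the ", client:" that nginx appends.
NAXSI_RE = re.compile(r'NAXSI_FMT: (?P<fmt>[^,\s]+)')


def parse_naxsi_fmt(line):
    """Return a dict for one NAXSI_FMT error-log line, or None for other lines."""
    m = NAXSI_RE.search(line)
    if not m:
        return None
    fields = {k: v[0] for k, v in
              parse_qs(m.group('fmt'), keep_blank_values=True).items()}
    # Each matched rule is reported as a numbered zoneN/idN/var_nameN triple.
    matches, i = [], 0
    while f'zone{i}' in fields:
        matches.append({'zone': fields[f'zone{i}'],
                        'id': int(fields[f'id{i}']),
                        'var_name': fields.get(f'var_name{i}', '')})
        i += 1
    return {
        'ip': fields.get('ip', ''),
        'server': fields.get('server', ''),
        'uri': fields.get('uri', ''),
        'learning': fields.get('learning') == '1',  # 1 = LearningMode on
        'blocked': fields.get('total_blocked', '0') != '0',
        'matches': matches,
    }


def count_rule_hits(lines):
    """Count (zone, rule id, var_name) triples; frequent hits on known-good traffic are whitelist candidates."""
    hits = Counter()
    for line in lines:
        event = parse_naxsi_fmt(line)
        if event:
            for mt in event['matches']:
                hits[(mt['zone'], mt['id'], mt['var_name'])] += 1
    return hits
```

Run it over the error log collected while LearningMode is enabled to see which rule ids fire on legitimate traffic before switching to blocking.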