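# Fetch NAXSI (with its libinjection submodule) and configure Tengine 2.4.1 to
# build it as a dynamic module. Every directory change and the configure step
# now stop the run on failure, so later copies/builds never operate in the wrong tree.
cd /usr/local/src || exit 1
# NOTE(review): this clones whatever the default branch currently points at;
# the printed revision is what you should record (or pin) so the WAF build can
# be reproduced and checked against later advisories.
git clone --recurse-submodules https://github.com/wargio/naxsi.git || exit 1
git -C /usr/local/src/naxsi rev-parse HEAD
# Flatten the libinjection sources into naxsi_src (bypasses any cp alias).
\cp -r /usr/local/src/naxsi/naxsi_src/libinjection/* /usr/local/src/naxsi/naxsi_src
cd /usr/local/src/tengine-2.4.1 || exit 1
./configure \
  --add-module=./modules/ngx_http_upstream_check_module/ \
  --add-module=./modules/ngx_http_upstream_consistent_hash_module \
  --add-dynamic-module=/usr/local/src/naxsi/naxsi_src \
  --with-http_ssl_module || exit 1
# configure regenerates libinjection_ngxbuild; copy its output next to the module.
# NOTE(review): the target is relative to the tengine tree, while the copy above
# used the absolute /usr/local/src/naxsi/naxsi_src — confirm which is intended.
\cp -r /usr/local/src/naxsi/naxsi_src/libinjection_ngxbuild/* naxsi/naxsi_src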
编译,完成后会在./objs目录生成ngx_http_naxsi_module.so文件
# Build; the module .so lands in ./objs on success. The author passes -std=c99,
# presumably for the libinjection C sources merged into naxsi_src — confirm.
make CFLAGS=-std=c99
如果编译报错:error: ‘LIBINJECTION_VERSION’ undeclared (first use in this function);
则重新执行configure,每次执行configure会重新生成/usr/local/src/naxsi/naxsi_src/libinjection_ngxbuild目录里的文件
然后找到该报错文件的1214行的 return LIBINJECTION_VERSION;
# Edit the generated libinjection copy. As noted above, every configure run
# regenerates libinjection_ngxbuild, so this manual edit is lost on re-configure.
vi /usr/local/src/naxsi/naxsi_src/libinjection_ngxbuild/libinjection_sqli.c
/* Original body: returns the LIBINJECTION_VERSION macro. The build error quoted
   above shows the macro is not declared in this generated copy (it is normally
   supplied by libinjection's own header — confirm for this checkout). */
1212 const char* libinjection_version(void)
1213 {
1214 return LIBINJECTION_VERSION;
1215 }
修改为
/* NOTE(review): workaround stub. Returning a fixed "0.0.0" makes the build pass
   but the running module can no longer report which libinjection it embeds,
   which complicates matching the deployment against future advisories. If the
   build allows it, prefer restoring the real macro (via the libinjection header
   or a -D define) over this constant. */
1212 const char* libinjection_version(void)
1213 {
1214 return "0.0.0";
1215 }
然后再次重新编译
# Rebuild after the source edit, with the same flags as the first attempt.
make CFLAGS=-std=c99
安装,安装过程会把ngx_http_naxsi_module.so文件复制到/usr/local/nginx/modules目录
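# Install (copies ngx_http_naxsi_module.so into /usr/local/nginx/modules) and
# restart the service so the new binary and module are loaded.
make install || exit 1
# Validate the configuration with the freshly installed binary before restarting,
# so a broken config or unloadable module does not take the site down.
# NOTE(review): sbin path assumed from the /usr/local/nginx prefix used
# elsewhere on this page — confirm it matches this install.
/usr/local/nginx/sbin/nginx -t && systemctl restart nginx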
拷贝核心规则文件
# Copy the core rule set into the nginx conf directory so that
# `include naxsi_core.rules;` in nginx.conf resolves.
cp /usr/local/src/naxsi/naxsi_rules/naxsi_core.rules /usr/local/nginx/conf/
加载模块,vi /usr/local/nginx/conf/nginx.conf
#Specifies the value for maximum file descriptors that can be opened by this process.
worker_rlimit_nofile 51200;
# Main-context load of the NAXSI dynamic module installed by `make install`;
# the NAXSI directives used in the http/server blocks depend on it.
load_module /usr/local/nginx/modules/ngx_http_naxsi_module.so;
events
{
use epoll;
worker_connections 51200;
在http级别加载规则文件
# http-level include of the core NAXSI rule set copied into conf/ above; rules
# included here apply to every server/location that enables NAXSI.
http
{
include naxsi_core.rules;
修改虚拟主机配置,在server级别添加配置(也就是说可以只针对某个虚拟主机添加防护)
server {
location / {
SecRulesEnabled; # enable the NAXSI module for this location
LearningMode; # learning mode: requests that trigger rules are logged, not rejected
# NOTE(review): while LearningMode is on, the BLOCK actions below do not deny
# anything; remove this line once the whitelists are tuned, or the WAF only logs.
LibInjectionSql; # enable libinjection SQL-injection detection
LibInjectionXss; # enable libinjection XSS detection
DeniedUrl "/RequestDenied"; # location served when a request is denied
CheckRule "$SQL >= 8" BLOCK; # score thresholds at which a request is blocked
CheckRule "$RFI >= 8" BLOCK;
CheckRule "$TRAVERSAL >= 4" BLOCK;
CheckRule "$EVADE >= 4" BLOCK;
CheckRule "$XSS >= 8" BLOCK;
BasicRule wl:0 "mz:$BODY_VAR:password|$URL_X:[\w/]*/login[\w/]*"; # on URLs containing /login, allow any characters in the body "password" parameter
BasicRule wl:2 "mz:BODY|$URL_X:[\w/]*/upload/chunk"; # on /upload/chunk URLs, allow large bodies whose data type is not recognised
BasicRule wl:1015,1315 "mz:$HEADERS_VAR:cookie"; # allow commas and URL-encoded special characters in the cookie header
BasicRule wl:0 "mz:$BODY_VAR:HtmlEditor"; # the HtmlEditor body parameter may contain any characters
# NOTE(review): wl:0 whitelists every rule for that variable, so HtmlEditor is
# entirely unchecked; keep such whitelists as narrow as the application allows.
}
# Page shown when a request is rejected; here a plain 403 is returned.
location /RequestDenied {
return 403;
}
}