Secure Nginx with Naxsi, SSL, GeoIP and Google Page Speed modules on Debian/Ubuntu

6 minute read , Sep 09, 2014

We will use the latest stable version of nginx-naxsi which has XSS (Cross Site Scripting) protection via Naxsi module. We will also build and install this Debian way on Ubuntu-12.04 Precise since we want to include some other useful modules, SSL being one of them, that are not enabled by default. The problem with Nginx is that it’s not modular like Apache so we can’t add modules on the fly but we have to recompile from source every time we want to add a new one. It is a small price to pay though for the speed and lightness we get.

root@nginx:~# aptitude install apache2-utils liblua5.1-dev daemon dbconfig-common
root@nginx:~# add-apt-repository ppa:nginx/stable
root@nginx:~# aptitude update
root@nginx:~# aptitude build-dep nginx-naxsi
root@nginx:~# cd /tmp
root@nginx:/tmp# apt-get source nginx-naxsi
root@nginx:/tmp# cd nginx-1.6.0
root@nginx:/tmp/nginx-1.6.0# vi nginx-1.6.0/auto/options
change HTTP_GEOIP=NO to HTTP_GEOIP=YES (and enable some other modules like DAV,SSL,SUB,XSLT etc. if needed)

Next we setup the page speed module:

root@nginx:/tmp# wget
root@nginx:/tmp# unzip -d /tmp/nginx-1.6.0/debian/modules -o
root@nginx:/tmp# mv /tmp/nginx-1.6.0/debian/modules/ngx_pagespeed-release- /tmp/nginx-1.6.0/debian/modules/ngx_pagespeed
root@nginx:/tmp# wget
root@nginx:/tmp# tar -xzf -C /tmp/nginx-1.6.0/debian/modules/ngx_pagespeed/

Next we change the Nginx version in the changelog file:

root@server:/tmp/nginx-1.6.0# vi debian/changelog

change the first line:

nginx (1.6.0-1+precise0) precise; urgency=medium


nginx (1.6.0-1+precise0-naxsi) precise; urgency=medium

and start the building process:

root@nginx:/tmp/nginx-1.6.0# dpkg-buildpackage -uc -b

After it finishes we install the .deb files created in the parent directory of the one we are building in:

root@nginx:/tmp/nginx-1.6.0# dpkg -i ../nginx-naxsi_1.6.0-1+precise0-naxsi_amd64.deb ../nginx-common_1.6.0-1+precise0-naxsi_all.deb ../nginx-naxsi-ui_1.6.0-1+precise0-naxsi_amd64.deb
root@nginx:/etc/nginx# nginx -V
nginx version: nginx/1.6.0-1+precise0-naxsi
TLS SNI support enabled
configure arguments: --with-cc-opt='-g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security -D_FORTIFY_SOURCE=2' --with-ld-opt='-Wl,-Bsymbolic-functions -Wl,-z,relro' --prefix=/usr/share/nginx --conf-path=/etc/nginx/nginx.conf --http-log-path=/var/log/nginx/access.log --error-log-path=/var/log/nginx/error.log --lock-path=/var/lock/nginx.lock --pid-path=/run/ --http-client-body-temp-path=/var/lib/nginx/body --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-proxy-temp-path=/var/lib/nginx/proxy --http-scgi-temp-path=/var/lib/nginx/scgi --http-uwsgi-temp-path=/var/lib/nginx/uwsgi --with-debug --with-pcre-jit --with-ipv6 --with-http_ssl_module --with-http_stub_status_module --with-http_realip_module --with-http_auth_request_module --without-mail_pop3_module --without-mail_smtp_module --without-mail_imap_module --without-http_uwsgi_module --without-http_scgi_module --add-module=/tmp/nginx-1.6.0/debian/modules/naxsi/naxsi_src --add-module=/tmp/nginx-1.6.0/debian/modules/nginx-cache-purge --add-module=/tmp/nginx-1.6.0/debian/modules/nginx-upstream-fair

Now we have to pin the compiled version so it doesn’t get overwritten by update, create /etc/apt/preferences.d/nginx file with following content:

Package: nginx-naxsi
Pin: version 1.6.0-1+precise0-naxsi
Pin-Priority: 1001

Package: nginx-common
Pin: version 1.6.0-1+precise0-naxsi
Pin-Priority: 1001
Package: nginx-naxsi-ui
Pin: version 1.6.0-1+precise0-naxsi
Pin-Priority: 1001

If we use the built debian packages on other servers we should remember to do the pinning there too.

To enable Naxsi we create the following /etc/nginx/mysite.rules file:

LearningMode; #Enables learning mode
DeniedUrl "/RequestDenied";
## check rules
CheckRule "$SQL >= 8" BLOCK;
CheckRule "$RFI >= 8" BLOCK;
CheckRule "$TRAVERSAL >= 4" BLOCK;
CheckRule "$EVADE >= 4" BLOCK;
CheckRule "$XSS >= 8" BLOCK;

then we can include the following line in the http {} section of the /etc/nginx/nginx.conf file:

include /etc/nginx/naxsi_core.rules;

and the following line:

include /etc/nginx/mysite.rules;

in any /etc/nginx/sites-enabled/<site-name>.conf file in the location / {} section.

As added security for sites with limited public access, I block access from countries like China, USA, Russia where most of the hacking attempts come from. For that purpose I use GeoIP module.

root@nginx:/tmp/nginx-1.6.0# cd /usr/share/GeoIP/
root@nginx:/usr/share/GeoIP# wget
root@nginx:/usr/share/GeoIP# gzip -d GeoLiteCity.dat.gz

Then we specify where the GeoIP database is located on our system and tell Nginx which countries are gonna be blocked (see the security file below for details). At the end we put the following at the end of fastcgi config file /etc/nginx/fastcgi_params:

# GeoIP
fastcgi_param GEOIP_COUNTRY_CODE $geoip_country_code;
fastcgi_param GEOIP_COUNTRY_NAME $geoip_country_name;
fastcgi_param GEOIP_CITY $geoip_city;
fastcgi_param GEOIP_REGION $geoip_region;
fastcgi_param GEOIP_POSTAL_CODE $geoip_postal_code;
fastcgi_param GEOIP_AREA_CODE $geoip_area_code;
fastcgi_param GEOIP_CITY_CONTINENT_CODE $geoip_city_continent_code;

Next is the basic Nginx configuration in /etc/nginx/nginx.conf:

user www-data;
worker_processes auto;
#worker_priority 15; # renice the process, with 15 max cpu usage ~25%=(20-15)/20
pid /run/;

events {
    worker_connections 512;
    multi_accept on;

http {

    # Basic Settings
    tcp_nopush on;
    tcp_nodelay on;
    client_body_timeout 30;
    client_header_timeout 10;
    keepalive_timeout 65 20;
    types_hash_max_size 2048;
    ignore_invalid_headers on;
    server_names_hash_bucket_size 128;

    client_header_buffer_size   1k;
    client_body_buffer_size     128k;
    large_client_header_buffers 4 4k;

    include                   /etc/nginx/mime.types;
    default_type              application/octet-stream;
    keepalive_requests        100;  # number of requests per connection, does not affect SPDY
    keepalive_disable         none; # allow all browsers to use keepalive connections
    max_ranges                1;    # allow a single range header for resumed downloads and to stop large range header DoS attacks
    msie_padding              off;
    open_file_cache           max=1000 inactive=2h;
    open_file_cache_errors    on;
    open_file_cache_min_uses  1;
    open_file_cache_valid     1h;
    output_buffers            1 512k;
    postpone_output           1460;  # postpone sends to match our machine's MSS
    read_ahead                512K;  # kernel read head set to the output_buffers
    reset_timedout_connection on;    # reset timed out connections freeing ram
    sendfile                  on;    # on for decent direct disk I/O
    server_tokens             off;   # version number in error pages
    server_name_in_redirect   off;   # if off, nginx will use the requested Host header
    source_charset            utf-8; # same value as "charset"

    ## Request limits
    limit_req_zone  $binary_remote_addr  zone=nginx:1m   rate=1000r/m;

    # SSL Settings
    ssl_session_tickets       on;
    ssl_session_cache         shared:SSL:20m;
    ssl_session_timeout       4h;
    ssl_dhparam               /etc/nginx/ssl/dhparam.pem;
    ssl_ecdh_curve            secp384r1;
    ssl_certificate           /etc/nginx/ssl/star_mydomain_com.crt;
    ssl_certificate_key       /etc/nginx/ssl/star_mydomain_com.crt;
    ssl_protocols             TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;

    # GeoIP
    geoip_country /usr/share/GeoIP/GeoIP.dat;
    geoip_city    /usr/share/GeoIP/GeoLiteCity.dat;

    # ngx_pagespeed config
    pagespeed on;
    pagespeed FileCachePath "/var/cache/ngx_pagespeed/";
    pagespeed EnableFilters combine_css,combine_javascript;
    pagespeed PreserveUrlRelativity on;

    # LDAP
    auth_ldap_cache_enabled off;
    auth_ldap_cache_expiration_time 10000;
    auth_ldap_cache_size 1000;

    ldap_server ldap1 {
      url ldap://,dc=mydomain,dc=com?uid?sub;
      binddn "cn=binduser,ou=Users,dc=mydomain,dc=com";
      binddn_passwd bindpassword;
      group_attribute memberUid;
      group_attribute_is_dn on;
      require group "cn=mygroup,ou=Groups,dc=mydomain,dc=com";
      require valid_user;
    ldap_server ldap2 {
      url ldap://,dc=mydomain,dc=com?uid?sub;
      binddn "cn=binduser,ou=Users,dc=mydomain,dc=com";
      binddn_passwd bindpassword;
      group_attribute memberUid;
      group_attribute_is_dn on;
      require group "cn=mygroup,ou=Groups,dc=mydomain,dc=com";
      require valid_user;

    # Logging Settings
    ## Log Format
    log_format  main  '$remote_addr $host $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent" $ssl_cipher $request_time';
    access_log  /var/log/nginx/access.log;
    error_log   /var/log/nginx/error.log;

    # Gzip Settings
    gzip on;
    gzip_disable "msie6";
    gzip_vary on;
    gzip_proxied any;
    gzip_comp_level 6;
    #gzip_buffers 16 8k;
    gzip_buffers  128 32k;
    #gzip_http_version 1.1;
    #gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
    gzip_types  text/plain text/css text/x-component
                text/xml application/xml application/xhtml+xml application/json
                image/x-icon image/bmp image/svg+xml application/atom+xml
                text/javascript application/javascript application/x-javascript
                application/pdf application/postscript
                application/rtf application/msword
                application/ application/
                application/ application/vnd.wap.wml
                application/x-font-ttf application/x-font-opentype;

    # Naxsi rules
    include /etc/nginx/naxsi_core.rules;

    # Virtual Host Configs
    include /etc/nginx/conf.d/*.conf;
    include /etc/nginx/sites-enabled/*;

For user access we are using LDAP, see Nginx LDAP module on Debian/Ubuntu for the details about compiling NGINX for LDAP support if needed. Otherwise use the basic authentication with local password file.

We are going to setup an SSL proxy for server myserver in a SSL enabled virtual host. We will first configure stronger DHE parameters, default one is 1024 bits and since our cert is 2048 bit we can go with stronger DHE (Ephemeral Diffie-Hellman) cryptographic values:

root@nginx:~# openssl dhparam -out /etc/nginx/ssl/dhparam.pem 2048

We will also force the use of the strong ECDHE (Elliptic DHE) only for PFS (Perfect Forward Secrecy) and stipulate this via ssl_prefer_server_ciphers parameter enabled in the /etc/nginx/sites-available/myserver file we create:

server {
    ssl             on;
    listen          443 ssl backlog=1250 so_keepalive=on;
    root            /var/www/myserver;
    index           index.html index.htm;
    access_log      /var/log/nginx/myserver-access.log main;
    error_log       /var/log/nginx/myserver-error.log;
    add_header      Cache-Control "public";
    #add_header     Content-Security-Policy "default-src 'none';style-src 'self';img-src 'self' data: ;";
    add_header      X-Content-Type-Options "nosniff";
    add_header      X-Frame-Options "DENY";
    # Config to enable HSTS(HTTP Strict Transport Security)
    # To avoid ssl stripping
    add_header      Strict-Transport-Security "max-age=315360000; includeSubdomains";
    expires         max;
    limit_req       zone=myserver burst=200 nodelay; # works in conjuction with limit_req_zone set in nginx.conf
    location / {
       include  /etc/nginx/mysite.rules;
       try_files $uri $uri/ /index.html;
       auth_ldap "Restricted";
       auth_ldap_servers ldap1;
       auth_ldap_servers ldap2;
    ## Some proxy
    location /someproxy {
       proxy_read_timeout 90;
    location ~ /\. {
       deny  all;
    location /RequestDenied {
       return 418;

We will also set some cutom security on top of it blocking some bots and using GeoIP, /etc/nginx/conf.d/security file:

## Block some nasty robots/bots
if ($http_user_agent ~ (msnbot|Purebot|Baiduspider|Lipperhey|Mail.Ru|scrapbot|Morfeus|masscan) ) {
     return 403;
## Block torrent trackers ddos attacks
location /announc {
    access_log off;
    error_log off;
    default_type text/plain;
    return 410 "d14:failure reason13:not a tracker8:retry in5:nevere";
## Deny scripts inside writable directories
location ~* /(images|cache|media|logs|tmp)/.*.(php|pl|py|jsp|asp|sh|cgi)$ {
     return 403;
## Block HEAD requests
if ($request_method !~ ^(HEAD)$ ) {
     return 444;
## Prevent image hotlinking
location ~ .(gif|png|jpe?g)$ {
     valid_referers none blocked *;
     if ($invalid_referer) {
        return   403;
## GeoIP
geoip_country /usr/share/GeoIP/GeoIP.dat;
geoip_city /usr/share/GeoIP/GeoLiteCity.dat;
if ($geoip_country_code ~ (CN|KR|US|RU) ) {
     return 403;

At the end we enable the myserver virtual host, disable the default one and restart Nginx:

root@nginx:/opt# rm -f /etc/nginx/sites-enabled/default
root@nginx:/opt# ln -sf /etc/nginx/sites-available/myserver /etc/nginx/sites-enabled/myserver
root@nginx:/opt# service nginx configtest
root@nginx:/opt# service nginx restart

NGINX built and deployed in the way described above has given me at least A on Quallys SSL Labs tests. Obviuosly re-building NGINX for every update is going to be a tedious task and that’s why I’ve put this procedure into Ansible playbook that does this for us. It creates a new EC2 instance, re-builds NGINX on it, creates an AMI that we can use to launch NGINX instances in our AWS VPC’s, and terminates the EC2 instance when finished.

Leave a Comment