Guide-Building & Deploying Naxsi WAF on CloudPanel

08/01/2025 security 5 mins read

Comprehensive Guide: Building and Deploying Naxsi WAF on CloudPanel

⚠️ CRITICAL ENVIRONMENT NOTICE

Execution Environment Requirements

WARNING: This operation must be executed exclusively in a non-production environment.

Risk Assessment:

  • System stability may be affected during module compilation and installation
  • Web services will require restart
  • Existing NGINX configuration may need modifications
  • No automatic rollback mechanisms are available

Required Environment:

  • Development/staging CloudPanel instance
  • Complete system backup
  • Isolated network segment
  • Non-production workload

DO NOT PROCEED with execution in any production environment under any circumstances.

Understanding CloudPanel’s NGINX Structure

CloudPanel uses a specific NGINX configuration structure that we need to work with:

  • Main configuration: /etc/nginx/nginx.conf
  • Site configurations: /etc/nginx/sites-enabled/
  • Module configurations: /etc/nginx/modules-available/ and /etc/nginx/modules-enabled/
  • CloudPanel vhost template: Located in CloudPanel’s configuration directory

Prerequisites

First, switch to root user and install the required dependencies:

sudo su
# Install build essentials and required libraries
apt update
apt install -y build-essential libpcre3 libpcre3-dev zlib1g zlib1g-dev libssl-dev wget git
# Install additional CloudPanel-specific dependencies
apt install -y libmodsecurity3 libmodsecurity-dev

Download and Prepare Build Environment

Create a dedicated build directory and download required components:

# Create build directory
mkdir -p /root/naxsi-build
cd /root/naxsi-build
# Get NGINX version from current installation (first x.y.z in the "nginx version:" line)
NGINX_VERSION=$(nginx -v 2>&1 | grep -oE '[0-9]+\.[0-9]+\.[0-9]+' | head -n 1)
echo "Building for NGINX version: $NGINX_VERSION"
# Download NGINX source
wget "https://nginx.org/download/nginx-${NGINX_VERSION}.tar.gz"
tar -xzf "nginx-${NGINX_VERSION}.tar.gz"
# Download Naxsi
NAXSI_VERSION=1.6
wget "https://github.com/wargio/naxsi/releases/download/${NAXSI_VERSION}/naxsi-${NAXSI_VERSION}-src-with-deps.tar.gz"
# Extract into ./naxsi so the ../naxsi/naxsi_src and ../naxsi/naxsi_rules paths used in the next steps exist
mkdir -p naxsi
tar -C naxsi -xzf "naxsi-${NAXSI_VERSION}-src-with-deps.tar.gz"

Compile Naxsi Module

cd "/root/naxsi-build/nginx-${NGINX_VERSION}"
# Get the configure arguments of the installed NGINX binary
NGINX_CONFIGURE_ARGS=$(nginx -V 2>&1 | sed -n 's/^configure arguments: //p')
# Configure NGINX with Naxsi; eval keeps quoted arguments such as --with-cc-opt='...' intact
eval ./configure "$NGINX_CONFIGURE_ARGS" --add-dynamic-module=../naxsi/naxsi_src/
# Compile only the modules
make modules

Install Naxsi Module

# Create modules directory if it doesn't exist
mkdir -p /usr/lib/nginx/modules
# Copy the compiled module
cp objs/ngx_http_naxsi_module.so /usr/lib/nginx/modules/
# Copy Naxsi rules (-r also copies any rule subdirectories)
mkdir -p /etc/nginx/naxsi
cp -r ../naxsi/naxsi_rules/* /etc/nginx/naxsi/

Configure Naxsi in CloudPanel

  1. Create module configuration:
# Create Naxsi module configuration (absolute path to the module copied above)
cat > /etc/nginx/modules-available/mod-naxsi.conf << 'EOL'
load_module /usr/lib/nginx/modules/ngx_http_naxsi_module.so;
EOL
# Enable the module
ln -sf /etc/nginx/modules-available/mod-naxsi.conf /etc/nginx/modules-enabled/50-mod-naxsi.conf
  2. Create base Naxsi configuration:
# Create base configuration (location-level directives only)
cat > /etc/nginx/naxsi/naxsi-base.conf << 'EOL'
# Basic configuration
SecRulesEnabled;
LibInjectionSql;
LibInjectionXss;
DeniedUrl "/RequestDenied";
# Check rules
CheckRule "$SQL >= 8" BLOCK;
CheckRule "$XSS >= 8" BLOCK;
CheckRule "$RFI >= 8" BLOCK;
CheckRule "$UPLOAD >= 8" BLOCK;
CheckRule "$LIBINJECTION_SQL >= 8" BLOCK;
CheckRule "$LIBINJECTION_XSS >= 8" BLOCK;
EOL
# Core rules: naxsi_core.rules contains MainRule directives, which NGINX accepts only in the http context.
# Add this line inside the http { } block of /etc/nginx/nginx.conf:
#   include /etc/nginx/naxsi/naxsi_core.rules;

Integrating with CloudPanel Vhost Configuration

Based on the provided CloudPanel configuration template, we’ll add Naxsi support while maintaining CloudPanel’s functionality. Create a Naxsi configuration snippet:

# Make sure the snippets directory exists
mkdir -p /etc/nginx/snippets
cat > /etc/nginx/snippets/naxsi-location.conf << 'EOL'
# Naxsi protection
include /etc/nginx/naxsi/naxsi-base.conf;
# Common WordPress whitelist rules
BasicRule wl:1315 "mz:$BODY_VAR:comment";
BasicRule wl:1315 "mz:$BODY_VAR:content";
BasicRule wl:1315 "mz:$BODY_VAR:excerpt";
BasicRule wl:1315 "mz:$BODY_VAR:title";
BasicRule wl:1315 "mz:$BODY_VAR:post_content";
# Add request denied location
location /RequestDenied {
    internal;
    return 403;
}
EOL

Modify Site Configuration

For each site you want to protect with Naxsi, modify the configuration to include Naxsi rules. Here’s an example based on the provided CloudPanel configuration:

server {
    listen 80;
    listen [::]:80;
    server_name example.com;
    # Naxsi's SecRulesEnabled, CheckRule and DeniedUrl directives are location-level,
    # so naxsi-base.conf is pulled in by the snippet inside each protected location
    location / {
        # Include Naxsi location rules
        include /etc/nginx/snippets/naxsi-location.conf;
        # Existing CloudPanel proxy configuration
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_pass http://backend;
    }
    # RequestDenied location (required by Naxsi)
    location /RequestDenied {
        internal;
        return 403;
    }
}

Testing and Verification

  1. Verify NGINX configuration:
nginx -t
  2. Test Naxsi module loading:
# nginx -V only lists the configure arguments of the installed binary, so a dynamic
# module does not appear there; check the loaded configuration for the Naxsi lines instead
nginx -T 2>/dev/null | grep -i naxsi
  3. Restart NGINX:
systemctl restart nginx
  4. Test Naxsi protection:
# Test SQL injection protection
curl "http://your-site.com/?id=1%20OR%201=1"
# Test XSS protection
curl "http://your-site.com/?<script>alert(1)</script>"

Common Issues and Troubleshooting

  1. Module Loading Issues:

    • Verify module path in configuration
    • Check NGINX error logs: tail -f /var/log/nginx/error.log
    • Ensure proper file permissions on module and configuration files
  2. Rule Conflicts:

    • Start with learning mode: Add LearningMode; to your configuration
    • Monitor logs for false positives
    • Create specific whitelists as needed
  3. CloudPanel Compatibility:

    • Keep CloudPanel’s proxy settings intact
    • Maintain proper order of includes and configurations
    • Test thoroughly after any configuration changes
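
To support the Rule Conflicts steps above (learning mode, watching the logs, whitelisting what is legitimate), here is an added example, not part of the original guide or of Naxsi itself, that parses NAXSI_FMT lines from the NGINX error log and prints candidate BasicRule whitelist lines in the same form as the WordPress rules earlier. The sample log lines are constructed and abridged, and the function names and the min_hits threshold are assumptions; a repeated hit can also be a repeated attack, so every candidate needs review before it goes into the configuration.

```python
import re
from collections import Counter
from urllib.parse import parse_qsl

# Constructed, abridged sample error.log lines in NAXSI_FMT layout (not from a real server).
SAMPLE_LOG = """\
2025/01/08 10:00:01 [error] 101#0: *7 NAXSI_FMT: ip=203.0.113.5&server=example.com&uri=/wp-comments-post.php&cscore0=$XSS&score0=8&zone0=BODY&id0=1315&var_name0=comment, client: 203.0.113.5, server: example.com, request: "POST /wp-comments-post.php HTTP/1.1"
2025/01/08 10:02:13 [error] 101#0: *9 NAXSI_FMT: ip=198.51.100.9&server=example.com&uri=/wp-comments-post.php&cscore0=$XSS&score0=8&zone0=BODY&id0=1315&var_name0=comment&cscore1=$SQL&score1=4&zone1=BODY&id1=1001&var_name1=comment, client: 198.51.100.9, server: example.com, request: "POST /wp-comments-post.php HTTP/1.1"
2025/01/08 10:05:40 [error] 101#0: *12 NAXSI_FMT: ip=192.0.2.77&server=example.com&uri=/&cscore0=$SQL&score0=8&zone0=ARGS&id0=1000&var_name0=id, client: 192.0.2.77, server: example.com, request: "GET /?id=1 HTTP/1.1"
2025/01/08 10:06:00 [error] 101#0: *13 open() "/srv/www/favicon.ico" failed (2: No such file or directory)
"""

def parse_hits(line):
    """Return (rule_id, zone, var_name) for every match reported in one NAXSI_FMT line."""
    m = re.search(r"NAXSI_FMT: (.*?)(?:, client: |$)", line)
    if not m:
        return []
    kv = dict(parse_qsl(m.group(1), keep_blank_values=True))
    hits, i = [], 0
    while f"id{i}" in kv:  # matches are numbered id0/zone0/var_name0, id1/zone1/...
        hits.append((kv[f"id{i}"], kv.get(f"zone{i}", ""), kv.get(f"var_name{i}", "")))
        i += 1
    return hits

def whitelist_for(rule_id, zone, var_name):
    """Build a BasicRule whitelist line scoped as narrowly as the log entry allows."""
    base, _, suffix = zone.partition("|")  # e.g. "ARGS|NAME" -> ("ARGS", "|", "NAME")
    if suffix:  # hit was in a variable *name*: whitelist the zone's names only
        mz = f"{base}|{suffix}"
    elif var_name and base in ("ARGS", "BODY", "HEADERS"):
        mz = f"${base}_VAR:{var_name}"  # same form as the WordPress rules in this guide
    else:
        mz = base
    return f'BasicRule wl:{rule_id} "mz:{mz}";'

def suggest(log_text, min_hits=2):
    """Whitelist candidates seen at least min_hits times, most frequent first."""
    counts = Counter(h for line in log_text.splitlines() for h in parse_hits(line) if h[1])
    rows = [(n, whitelist_for(*hit)) for hit, n in counts.items() if n >= min_hits]
    return sorted(rows, key=lambda r: (-r[0], r[1]))

if __name__ == "__main__":
    import sys
    # Pass the error log path as the first argument; without one the sample is used.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    for n, rule in suggest(text):
        print(f"{n:5d}  {rule}")
```
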

Maintenance and Updates

  1. Regular tasks:

    • Monitor NGINX and Naxsi logs
    • Update rules based on false positives/negatives
    • Keep track of Naxsi updates and security patches
  2. Backup procedures:

    • Maintain copies of custom rules and configurations
    • Document all modifications to CloudPanel configurations
    • Keep build environment for future updates

Security Best Practices

  1. Rule Management:

    • Start with strict rules and whitelist as needed
    • Document all rule modifications
    • Regular review of whitelisted rules
  2. Monitoring:

    • Enable detailed logging for blocked requests
    • Set up alerts for repeated attacks
    • Regular review of Naxsi logs
  3. Performance:

    • Monitor system resources after enabling Naxsi
    • Optimize rules for your specific use case
    • Regular cleanup of log files

Remember to always test thoroughly in a staging environment before deploying to production. Keep detailed documentation of all modifications and custom rules for future reference.