Practical Naxsi WAF Implementation Examples for CloudPanel

08/01/2025 security 7 mins read
This document provides detailed examples and practical configurations for implementing Naxsi WAF in CloudPanel environments. Each example includes explanations of the rules and their purposes, helping you understand how to protect different types of web applications.

Basic WordPress Protection

WordPress sites in CloudPanel often need special consideration due to their dynamic nature. Here’s a comprehensive configuration that balances security with functionality:

# Include in the server block of your WordPress site
server {
    # Standard CloudPanel configuration remains unchanged
    listen 80;
    listen [::]:80;
    server_name example.com;

    # Enable Naxsi base rules
    include /etc/nginx/naxsi/naxsi-base.conf;
    # WordPress-specific whitelist rules
    include /etc/nginx/naxsi/wordpress.rules;

    location / {
        # Standard WordPress handling
        try_files $uri $uri/ /index.php?$args;

        # WordPress-specific Naxsi configurations
        BasicRule wl:1315,1101 "mz:$BODY_VAR:post_title";
        BasicRule wl:1315,1101 "mz:$BODY_VAR:content";
        BasicRule wl:1315 "mz:$BODY_VAR:excerpt";
        BasicRule wl:1101 "mz:$BODY_VAR:cat";
        # Allow WordPress admin actions
        BasicRule wl:1000,1015 "mz:$URL:/wp-admin/|$BODY_VAR:action";
    }

    # Special handling for wp-admin
    location /wp-admin {
        # Allow file uploads in wp-admin
        BasicRule wl:1500 "mz:$URL:/wp-admin/|$BODY_VAR:attachment";
        BasicRule wl:1310,1311 "mz:$URL:/wp-admin/|BODY";

        # Standard CloudPanel proxy configuration
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}

This configuration protects against common WordPress attack vectors while allowing legitimate administrative actions. The whitelist rules are carefully crafted to permit essential WordPress functionality while maintaining security.

E-commerce Protection Example

For e-commerce sites running on CloudPanel, we need to balance strict security with user experience. Here’s an example configuration for an e-commerce platform:

# E-commerce specific Naxsi rules
server {
    listen 80;
    listen [::]:80;
    server_name shop.example.com;

    # Basic Naxsi configuration
    include /etc/nginx/naxsi/naxsi-base.conf;

    # E-commerce specific rules
    location / {
        # Allow product searches with special characters
        BasicRule wl:1001,1015 "mz:$ARGS_VAR:q";
        # Allow price ranges in filters
        BasicRule wl:1015 "mz:$ARGS_VAR:price_min|$ARGS_VAR:price_max";
        # Allow product sorting
        BasicRule wl:1015 "mz:$ARGS_VAR:sort_by";

        # Standard CloudPanel proxy settings
        proxy_pass http://backend;
        proxy_set_header Host $host;
    }

    # Shopping cart protection
    location /cart {
        # Allow quantity updates
        BasicRule wl:1101 "mz:$BODY_VAR:quantity";
        # Allow product variants
        BasicRule wl:1015 "mz:$BODY_VAR:variant_id";
        # Strict XSS protection
        CheckRule "$XSS >= 4" BLOCK;
        CheckRule "$LIBINJECTION_XSS >= 4" BLOCK;
    }

    # Checkout process protection
    location /checkout {
        # Allow address input with special characters
        BasicRule wl:1315 "mz:$BODY_VAR:address";
        BasicRule wl:1315 "mz:$BODY_VAR:address2";
        # Allow postal codes with special formats
        BasicRule wl:1015 "mz:$BODY_VAR:postcode";
        # Extra protection for payment data
        CheckRule "$SQL >= 4" BLOCK;
        CheckRule "$RFI >= 2" BLOCK;
    }
}

API Protection Example

When protecting APIs in CloudPanel, we need specific configurations to handle JSON data and API-specific threats:

# API-specific Naxsi configuration
server {
    listen 80;
    listen [::]:80;
    server_name api.example.com;

    # Enable JSON parsing
    include /etc/nginx/naxsi/naxsi-base.conf;

    # API request handling
    location /api/v1 {
        # Allow JSON content type
        BasicRule wl:1200,1205 "mz:$HEADERS_VAR:content-type";
        # Allow complex JSON structures
        BasicRule wl:1310,1311 "mz:BODY";
        # Strict SQL injection protection
        CheckRule "$LIBINJECTION_SQL >= 4" BLOCK;
        CheckRule "$SQL >= 4" BLOCK;

        # Standard CloudPanel proxy configuration
        proxy_pass http://backend;
        proxy_set_header Host $host;
    }

    # Authentication endpoints
    location /api/v1/auth {
        # Allow JSON Web Tokens
        BasicRule wl:1100,1101 "mz:$BODY_VAR:token";
        # Allow email addresses
        BasicRule wl:1315 "mz:$BODY_VAR:email";
        # Extra protection for auth endpoints
        CheckRule "$XSS >= 2" BLOCK;
        CheckRule "$RFI >= 2" BLOCK;
    }
}

Learning Mode Configuration

During initial deployment, it’s crucial to use learning mode to understand your application’s behavior. Here’s an example configuration:

# Learning mode configuration
# log_format is only valid in the http context, so define the custom format
# there rather than inside the server block; the server then references it.
log_format naxsi_learning '$remote_addr - $remote_user [$time_local] "$request" '
                          '$status $body_bytes_sent "$http_referer" '
                          '"$http_user_agent" "$http_x_forwarded_for" '
                          'naxsi: "$naxsi_sig" "$naxsi_match"';

server {
    listen 80;
    listen [::]:80;
    server_name staging.example.com;

    # Enable learning mode: matches are logged but requests are not blocked
    include /etc/nginx/naxsi/naxsi-base.conf;
    LearningMode;
    # Enable detailed logging
    set $naxsi_extensive_log 1;

    location / {
        # Log all potential violations
        BasicRule "log:all";

        # Standard CloudPanel proxy configuration
        proxy_pass http://backend;
        proxy_set_header Host $host;
    }

    # Write learning-mode hits using the custom format defined above
    access_log /var/log/nginx/naxsi_learning.log naxsi_learning;
}

Advanced Security Headers

Enhance your Naxsi protection with additional security headers:

# Security headers configuration
server {
    listen 80;
    listen [::]:80;
    server_name secure.example.com;

    # Include Naxsi base configuration
    include /etc/nginx/naxsi/naxsi-base.conf;

    # Add security headers. nginx inherits add_header into a location only if
    # that location defines no add_header of its own, so any location that
    # adds its own header must repeat these.
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-XSS-Protection "1; mode=block" always;
    add_header Referrer-Policy "strict-origin-when-cross-origin" always;
    # 'unsafe-inline' and 'unsafe-eval' weaken the CSP; tighten them once the
    # application no longer needs inline scripts or eval
    add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline';" always;

    location / {
        # Standard Naxsi protection
        include /etc/nginx/naxsi/naxsi-base.conf;

        # CloudPanel proxy configuration
        proxy_pass http://backend;
        proxy_set_header Host $host;
    }
}

File Upload Protection

For sites handling file uploads, configure specific protections:

# File upload protection
server {
    listen 80;
    listen [::]:80;
    server_name upload.example.com;

    # Include Naxsi base configuration
    include /etc/nginx/naxsi/naxsi-base.conf;

    # File upload location
    location /upload {
        # Allow file uploads but maintain security
        BasicRule wl:1500 "mz:$URL:/upload|BODY";

        # Limit file types by extension. $upload_filename is not a core nginx
        # variable; it has to be provided by an upload module or set elsewhere
        # in the configuration. The dot is escaped so only a real ".php"-style
        # extension matches, and ~* already makes the match case-insensitive.
        if ($upload_filename ~* "\.(php|phtml|php3|php4|php5|php6|php7|pht|phar|inc)$") {
            return 403;
        }

        # Additional upload protections
        client_max_body_size 10M;
        client_body_buffer_size 128k;

        # CloudPanel proxy configuration
        proxy_pass http://backend;
        proxy_set_header Host $host;
    }
}

Common Naxsi Rules Explained

Understanding common Naxsi rules and their purposes:

# SQL Injection Protection
CheckRule "$SQL >= 8" BLOCK; # Block SQL injection attempts
CheckRule "$LIBINJECTION_SQL >= 8" BLOCK; # Use libinjection for SQL detection
# XSS Protection
CheckRule "$XSS >= 8" BLOCK; # Block Cross-site scripting
CheckRule "$LIBINJECTION_XSS >= 8" BLOCK; # Use libinjection for XSS detection
# Directory Traversal Protection
CheckRule "$TRAVERSAL >= 4" BLOCK; # Block directory traversal attempts
# Remote File Inclusion Protection
CheckRule "$RFI >= 8" BLOCK; # Block remote file inclusion
# File Upload Protection
CheckRule "$UPLOAD >= 8" BLOCK; # Block malicious file uploads

Each CheckRule names a score counter ($SQL, $XSS, $TRAVERSAL, and so on) and a threshold. Every signature that matches a request adds its score to the relevant counter, and the request is blocked once a counter reaches the threshold. Lower thresholds block more aggressively but may cause false positives.
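To turn the learning-mode output above into whitelist candidates, and to see how the score thresholds in the CheckRule lines decide blocking, here is an added Python example (not from the article or from Naxsi/CloudPanel) that parses lines in Naxsi's NAXSI_FMT error-log format. The log lines, IPs, URIs and counters are constructed for the example, and the thresholds mirror the CheckRule lines above.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import parse_qs

# Constructed sample lines in Naxsi's NAXSI_FMT, the format Naxsi writes to the
# nginx error log in learning mode (IPs, URIs and counters are made up).
SAMPLE_LOG = """\
2025/01/08 10:00:01 [error] 1234#0: *1 NAXSI_FMT: ip=203.0.113.5&server=staging.example.com&uri=/search&learning=1&vers=1.3&total_processed=10&total_blocked=2&block=1&cscore0=$SQL&score0=8&cscore1=$XSS&score1=8&zone0=ARGS&id0=1001&var_name0=q&zone1=ARGS&id1=1015&var_name1=q, client: 203.0.113.5, server: staging.example.com
2025/01/08 10:00:02 [error] 1234#0: *2 NAXSI_FMT: ip=203.0.113.6&server=staging.example.com&uri=/search&learning=1&vers=1.3&total_processed=11&total_blocked=3&block=1&cscore0=$SQL&score0=4&zone0=ARGS&id0=1001&var_name0=q, client: 203.0.113.6, server: staging.example.com
2025/01/08 10:00:03 [error] 1234#0: *3 NAXSI_FMT: ip=203.0.113.7&server=staging.example.com&uri=/wp-admin/post.php&learning=1&vers=1.3&total_processed=12&total_blocked=4&block=1&cscore0=$XSS&score0=8&zone0=BODY&id0=1315&var_name0=post_title, client: 203.0.113.7, server: staging.example.com
"""
# Thresholds copied from the CheckRule lines in "Common Naxsi Rules Explained".
PAGE_THRESHOLDS = {"$SQL": 8, "$XSS": 8, "$TRAVERSAL": 4, "$RFI": 8, "$UPLOAD": 8}

def parse_event(line):
    """Return {'uri', 'scores', 'matches'} for one NAXSI_FMT line, else None."""
    m = re.search(r"NAXSI_FMT: ([^\s,]+)", line)
    if not m:
        return None
    kv = {k: v[0] for k, v in parse_qs(m.group(1), keep_blank_values=True).items()}
    scores, matches, i = {}, [], 0
    while f"cscore{i}" in kv:          # cscoreN=$SQL&scoreN=8 pairs
        scores[kv[f"cscore{i}"]] = int(kv[f"score{i}"])
        i += 1
    i = 0
    while f"id{i}" in kv:              # zoneN / idN / var_nameN triples
        matches.append((int(kv[f"id{i}"]), kv[f"zone{i}"], kv.get(f"var_name{i}", "")))
        i += 1
    return {"uri": kv.get("uri", ""), "scores": scores, "matches": matches}

def would_block(scores, thresholds):
    """True if any named score reaches its CheckRule threshold (the '>=' test)."""
    return any(scores.get(name, 0) >= limit for name, limit in thresholds.items())

def suggest_whitelists(log_text, min_hits=2):
    """Emit candidate BasicRule whitelists for (zone, variable) targets seen in at least min_hits requests."""
    ids, hits = defaultdict(set), Counter()
    for ev in filter(None, map(parse_event, log_text.splitlines())):
        targets = {(zone, var) for _, zone, var in ev["matches"]}
        for rule_id, zone, var in ev["matches"]:
            ids[(zone, var)].add(rule_id)
        hits.update(targets)           # one hit per request, not per match
    rules = []
    for (zone, var), count in sorted(hits.items()):
        if count >= min_hits:
            mz = f"${zone}_VAR:{var}" if var else zone   # e.g. $ARGS_VAR:q
            wl = ",".join(str(i) for i in sorted(ids[(zone, var)]))
            rules.append(f'BasicRule wl:{wl} "mz:{mz}";')
    return rules
```

Review each suggested line against the application before adding it to a whitelist file; a target that fires in many requests may be a real attack pattern rather than a false positive.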

Monitoring and Logging Configuration

Implement comprehensive logging for Naxsi:

# Logging configuration
http {
    # Define Naxsi log format
    log_format naxsi_json escape=json '{'
        '"timestamp":"$time_iso8601",'
        '"client":"$remote_addr",'
        '"method":"$request_method",'
        '"uri":"$uri",'
        '"args":"$args",'
        '"headers":{'
            '"user-agent":"$http_user_agent",'
            '"referer":"$http_referer"'
        '},'
        '"naxsi":{'
            '"match":"$naxsi_match",'
            '"sig":"$naxsi_sig",'
            '"score":"$naxsi_score",'
            '"matches":"$naxsi_matches"'
        '}'
    '}';

    # Enable Naxsi logging
    access_log /var/log/nginx/naxsi_access.log naxsi_json if=$naxsi_matched;
    error_log /var/log/nginx/naxsi_error.log;
}

These examples demonstrate common Naxsi configurations for different scenarios in CloudPanel. Remember to adapt these examples to your specific needs and always test thoroughly in a staging environment before deploying to production.