config BR2_PACKAGE_NGINX_NAXSI
	bool "nginx-naxsi"
	depends on BR2_PACKAGE_NGINX_HTTP
	# uses pcre, so nginx needs to be built with pcre support
	select BR2_PACKAGE_PCRE
	help
	  NAXSI means Nginx Anti XSS & SQL Injection.

	  Technically, it is a third party nginx module, available as
	  a package for many UNIX-like platforms. This module, by
	  default, reads a small subset of simple (and readable) rules
	  containing 99% of known patterns involved in website
	  vulnerabilities. For example, <, | or drop are not supposed
	  to be part of a URI.

	  Being very simple, those patterns may match legitimate
	  queries; it is the Naxsi administrator's duty to add
	  specific rules that will whitelist legitimate
	  behaviours. The administrator can either add whitelists
	  manually by analyzing nginx's error log, or (recommended)
	  start the project with an intensive auto-learning phase that
	  will automatically generate whitelisting rules regarding a
	  website's behaviour.

	  In short, Naxsi behaves like a DROP-by-default firewall: the
	  only task is to add the required ACCEPT rules for the target
	  website to work properly.

	  https://github.com/nbs-system/naxsi