| config BR2_PACKAGE_NGINX_NAXSI | |
| bool "nginx-naxsi" | |
| depends on BR2_PACKAGE_NGINX_HTTP | |
| # uses pcre2, so nginx needs to be built with pcre2 support | |
| select BR2_PACKAGE_PCRE2 | |
| help | |
| NAXSI means Nginx Anti XSS & SQL Injection. | |
| Technically, it is a third party nginx module, available as | |
| a package for many UNIX-like platforms. This module, by | |
| default, reads a small subset of simple (and readable) rules | |
| containing 99% of known patterns involved in website | |
| vulnerabilities. For example, <, | or drop are not supposed | |
| to be part of a URI. | |
| Being very simple, those patterns may match legitimate | |
| queries, it is the Naxsi's administrator duty to add | |
| specific rules that will whitelist legitimate | |
| behaviours. The administrator can either add whitelists | |
| manually by analyzing nginx's error log, or (recommended) | |
| start the project with an intensive auto-learning phase that | |
| will automatically generate whitelisting rules regarding a | |
| website's behaviour. | |
| In short, Naxsi behaves like a DROP-by-default firewall, the | |
| only task is to add required ACCEPT rules for the target | |
| website to work properly. | |
| https://github.com/nbs-system/naxsi |