authorGravatar Adam Duskett <Aduskett@gmail.com>2016-07-15 13:45:12 -0400
committerGravatar Thomas Petazzoni <thomas.petazzoni@free-electrons.com>2016-07-15 22:49:56 +0200
commit7f299f02b20fb9d194d3ca583fb702b39c346b92 (patch)
treef7bd064b1f930ed1ede437be7324b0189d665351
parente103967d6fd7653464041c3589b11a64e48b58c3 (diff)
downloadbuildroot-7f299f02b20fb9d194d3ca583fb702b39c346b92.tar.gz
buildroot-7f299f02b20fb9d194d3ca583fb702b39c346b92.tar.bz2
nginx-nasxi: new package
Naxsi is a third party nginx module that reads a small subset of simple rules containing a list of known patterns involved in website vulnerabilities. This module behaves like a DROP-by-default firewall for nginx. Signed-off-by: Adam Duskett <aduskett@codeblue.com> [Thomas: - include Config.in file directly from package/Config.in and not from package/nginx/Config. - improve Config.in help text with more details - rename the package prompt from ngx_http_naxsi_module to nginx-naxsi - remove NGINX_NAXSI_SOURCE, and fix the definition of NGINX_NAXSI_SITE - change license from GPLv3 to GPLv2+ with OpenSSL exception - change license file from LICENSE to naxsi_src/naxsi_json.c. The LICENSE file exists in the latest Git master of the project, but not in the 0.54 tag that we're packaging.] Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
-rw-r--r--package/Config.in1
-rw-r--r--package/nginx-naxsi/Config.in26
-rw-r--r--package/nginx-naxsi/nginx-naxsi.hash2
-rw-r--r--package/nginx-naxsi/nginx-naxsi.mk12
-rw-r--r--package/nginx/nginx.mk5
5 files changed, 46 insertions, 0 deletions
diff --git a/package/Config.in b/package/Config.in
index 7756a4c603..fe6ca65799 100644
--- a/package/Config.in
+++ b/package/Config.in
@@ -1501,6 +1501,7 @@ menu "Networking applications"
source "package/nginx/Config.in"
if BR2_PACKAGE_NGINX
menu "External nginx modules"
+ source "package/nginx-naxsi/Config.in"
source "package/nginx-upload/Config.in"
endmenu
endif
diff --git a/package/nginx-naxsi/Config.in b/package/nginx-naxsi/Config.in
new file mode 100644
index 0000000000..2f7c2da2a9
--- /dev/null
+++ b/package/nginx-naxsi/Config.in
@@ -0,0 +1,26 @@
+config BR2_PACKAGE_NGINX_NAXSI
+ bool "nginx-naxsi"
+ help
+ NAXSI means Nginx Anti XSS & SQL Injection.
+
+ Technically, it is a third party nginx module, available as
+ a package for many UNIX-like platforms. This module, by
+ default, reads a small subset of simple (and readable) rules
+ containing 99% of known patterns involved in website
+ vulnerabilities. For example, <, | or drop are not supposed
+ to be part of a URI.
+
+ Being very simple, those patterns may match legitimate
+ queries, it is the Naxsi's administrator duty to add
+ specific rules that will whitelist legitimate
+ behaviours. The administrator can either add whitelists
+ manually by analyzing nginx's error log, or (recommended)
+ start the project with an intensive auto-learning phase that
+ will automatically generate whitelisting rules regarding a
+ website's behaviour.
+
+ In short, Naxsi behaves like a DROP-by-default firewall, the
+ only task is to add required ACCEPT rules for the target
+ website to work properly.
+
+ https://github.com/nbs-system/naxsi
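Review bot: The new option has no `depends on` or `select`, so it can be enabled in configurations where the module may not build. Naxsi is an HTTP module and, as far as I know, compiles its rules with PCRE, while the nginx.mk hunk in this commit shows pcre being added to NGINX_DEPENDENCIES only under BR2_PACKAGE_NGINX_HTTP_REWRITE_MODULE. I would add `depends on BR2_PACKAGE_NGINX_HTTP` and `select BR2_PACKAGE_PCRE` under the `bool` line, and have nginx.mk depend on pcre whenever naxsi is selected. Please confirm with a build that has the rewrite module disabled.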
diff --git a/package/nginx-naxsi/nginx-naxsi.hash b/package/nginx-naxsi/nginx-naxsi.hash
new file mode 100644
index 0000000000..238993eb2c
--- /dev/null
+++ b/package/nginx-naxsi/nginx-naxsi.hash
@@ -0,0 +1,2 @@
+# Locally calculated
+sha256 9cc2c09405bc71f78ef26a8b6d70afcea3fccbe8125df70cb0cfc480133daba5 nginx-naxsi-0.54.tar.gz
diff --git a/package/nginx-naxsi/nginx-naxsi.mk b/package/nginx-naxsi/nginx-naxsi.mk
new file mode 100644
index 0000000000..0e1f714421
--- /dev/null
+++ b/package/nginx-naxsi/nginx-naxsi.mk
@@ -0,0 +1,12 @@
+################################################################################
+#
+# nginx-naxsi
+#
+################################################################################
+
+NGINX_NAXSI_VERSION = 0.54
+NGINX_NAXSI_SITE = $(call github,nbs-system,naxsi,$(NGINX_NAXSI_VERSION))
+NGINX_NAXSI_LICENSE = GPLv2+ with OpenSSL exception
+NGINX_NAXSI_LICENSE_FILES = naxsi_src/naxsi_json.c
+
+$(eval $(generic-package))
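Review bot: The package defines no build or install commands, so nothing from the Naxsi tree reaches the target; only the module code is compiled into nginx through the `--add-module` line added to nginx.mk. A comment above `$(eval $(generic-package))` would make that explicit, for example `# Source-only: nginx compiles naxsi_src via --add-module; no rule set or configuration is installed on the target.` Unless the core rules and the nginx configuration that enables them are supplied separately (rootfs overlay or post-build script), selecting the option presumably yields an nginx that filters nothing. The Config.in help text does not mention this.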
diff --git a/package/nginx/nginx.mk b/package/nginx/nginx.mk
index 018d0f884f..d57f3d00bc 100644
--- a/package/nginx/nginx.mk
+++ b/package/nginx/nginx.mk
@@ -156,6 +156,11 @@ else
NGINX_CONF_OPTS += --without-http_gzip_module
endif
+ifeq ($(BR2_PACKAGE_NGINX_NAXSI),y)
+NGINX_DEPENDENCIES += nginx-naxsi
+NGINX_CONF_OPTS += --add-module=$(NGINX_NAXSI_DIR)/naxsi_src
+endif
+
ifeq ($(BR2_PACKAGE_NGINX_HTTP_REWRITE_MODULE),y)
NGINX_DEPENDENCIES += pcre
else