
NAXSI – Open-Source, High Performance, Low Rules Maintenance WAF for Nginx - nikolay
https://github.com/nbs-system/naxsi
======
DonHopkins
They did not see that coming:

[http://blog.memze.ro/?p=39](http://blog.memze.ro/?p=39)

>Why the name “NAXSI” ?

>The name stands simply for NGINX ANTI XSS & SQL INJECTION

>Some reported to us that the pronunciation is complicated and can lead to a
misleading sound of “Nazi”. Of course, it’s definitely not our intent.

>Our company is based in France and pronouncing “XS” is easy for us since we
have some words like this. Russians as well don’t have any issue with this
since they have complicated sounds.

>But English & American people don’t have any sound like this and are
hesitant in the way to pronounce it. Is it an X, is it an S, and if they
pronounce only the S, it then sounds like nasi, not good… We didn’t see this
coming and are a bit sorry about that. We may change the name to NAXI to
make it more clear, and, of course, remove the SQL injection protections.
(kidding)

------
nodesocket
NGINX Plus, the newest R10 release just integrated their own WAF using
ModSecurity ([https://www.nginx.com/products/web-application-firewall/](https://www.nginx.com/products/web-application-firewall/)).

Seems like an obvious choice to stay within the native NGINX community and
just use NGINX Plus. What would be some advantages to using NAXSI?

NGINX Plus is actually not that expensive, especially since you can purchase
an AMI and pay per month using AWS.

~~~
jvoisin
Modsecurity is notoriously slow, and its rules are complex to read and to
write, while the naxsi ones are simple: [https://github.com/nbs-system/naxsi/blob/master/naxsi_config...](https://github.com/nbs-system/naxsi/blob/master/naxsi_config/naxsi_core.rules)

------
nikolay
Here's more about NAXSI: [https://www.nbs-system.co.uk/blog-2/naxsi-web-application-fi...](https://www.nbs-system.co.uk/blog-2/naxsi-web-application-firewall-for-nginx.html)

Although, it's sad that Nginx chose the unreleased v3 of ModSecurity [0] [1]
for their commercial offering instead.

[0]: [https://www.modsecurity.org/](https://www.modsecurity.org/)

[1]: [https://github.com/SpiderLabs/ModSecurity-nginx](https://github.com/SpiderLabs/ModSecurity-nginx)

~~~
TimPrice
Since this doesn't go well with HTTP/2 so far, we'll have to stick with ModSec
for the time being.

> [https://github.com/nbs-system/naxsi/issues/227](https://github.com/nbs-system/naxsi/issues/227)

~~~
jvoisin
It seems that the issue is fixed: [https://github.com/nbs-system/naxsi/issues/227#issuecomment-...](https://github.com/nbs-system/naxsi/issues/227#issuecomment-243101685)

~~~
nikolay
Thanks!

