Nginx-Naxsi with Certbox

heythereparis · March 7, 2018, 7:51pm

Hi,
I create an Azure VM (Ubuntu 16).
I installed Nginx-Naxsi and I got it to work fine. I was able to have redirect to the website I created.

The issue comes when I try to install cerbot using: apt-get install python-certbot-nginx

When installing I get:
nginx[104162]: nginx: [emerg] unknown directive “MainRule” in /etc/nginx/naxsi_core.rules:19
nginx[104162]: nginx: configuration file /etc/nginx/nginx.conf test failed
systemd[1]: nginx.service: Control process exited, code=exited status=1
systemd[1]: Failed to start A high performance web server and a reverse proxy server.
systemd[1]: nginx.service: Unit entered failed state.
systemd[1]: nginx.service: Failed with result ‘exit-code’.

Error while running nginx -c /etc/nginx/nginx.conf -t.

nginx: [emerg] unknown directive “MainRule” in /etc/nginx/naxsi_core.rules:19
nginx: configuration file /etc/nginx/nginx.conf test failed

The nginx plugin is not working; there may be problems with your existing configuration.
The error was: MisconfigurationError(‘Error while running nginx -c /etc/nginx/nginx.conf -t.\n\nnginx: [emerg] unknown directive “MainRule” in /etc/nginx/naxsi_core.rules:19\nnginx: configuration file /etc/nginx/nginx.conf test failed\n’,)

I have tried to comment out the line 19 in the naxsi_core file, but then it wants to me to comment every line after that.

On another VM I was able to successfully get Certbot working without Naxsi.

Is there a solution so I can have Nginx/Naxsi work with Let’s Encrypt/Certbot?

Thanks!

stevenzhu · March 7, 2018, 8:05pm

Hi,

I think this is more of a Nginx config problem than certbot's.

Can you try run sudo Nginx -t and share the output?

heythereparis · March 7, 2018, 8:07pm

Hi,

So before I install Certbot I would get no error when running nginx -t now I get:

nginx: [emerg] unknown directive “MainRule” in /etc/nginx/naxsi_core.rules:19
nginx: configuration file /etc/nginx/nginx.conf test failed

stevenzhu · March 7, 2018, 8:10pm

In this case, please try this command to restore your Nginx conf.(since certbot’s might change it)
certbot --nginx rollback

heythereparis · March 7, 2018, 8:12pm

I got:

hello:~$ sudo certbot --nginx rollback
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Error while running nginx -c /etc/nginx/nginx.conf -t.

nginx: [emerg] unknown directive "MainRule" in /etc/nginx/naxsi_core.rules:19
nginx: configuration file /etc/nginx/nginx.conf test failed

stevenzhu · March 7, 2018, 8:19pm

Hi,

There is one last way I can think…

Can you head to this:
https://github.com/nbs-system/naxsi/blob/master/naxsi_config/naxsi_core.rules and replace the rule on your server?

Also, can you try use Nginx -V and share us the output.

Thank you

heythereparis · March 7, 2018, 8:22pm

Nginx -V:
nginx version: nginx/1.10.3 (Ubuntu)
built with OpenSSL 1.0.2g 1 Mar 2016
TLS SNI support enabled
configure arguments: --with-cc-opt=’-g -O2 -fPIE -fstack-protector-strong -Wformat -Werror=format-security -Wdate-time -D_FORTIFY_SOURCE=2’ --with-ld-opt=’-Wl,-Bsymbolic-functions -fPIE -pie -Wl,-z,relro -Wl,-z,now’ --prefix=/usr/share/nginx --conf-path=/etc/nginx/nginx.conf --http-log-path=/var/log/nginx/access.log --error-log-path=/var/log/nginx/error.log --lock-path=/var/lock/nginx.lock --pid-path=/run/nginx.pid --http-client-body-temp-path=/var/lib/nginx/body --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-proxy-temp-path=/var/lib/nginx/proxy --http-scgi-temp-path=/var/lib/nginx/scgi --http-uwsgi-temp-path=/var/lib/nginx/uwsgi --with-debug --with-pcre-jit --with-ipv6 --with-http_ssl_module --with-http_stub_status_module --with-http_realip_module --with-http_auth_request_module --with-http_addition_module --with-http_dav_module --with-http_geoip_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_image_filter_module --with-http_v2_module --with-http_sub_module --with-http_xslt_module --with-stream --with-stream_ssl_module --with-mail --with-mail_ssl_module --with-threads

stevenzhu · March 7, 2018, 8:25pm

Hi,

It seems you don’t have naxsi in Nginx.
Did you compile it in?

heythereparis · March 7, 2018, 8:30pm

Hi,

Replaced my rule and with the configuration above and no difference.

Yes I did compile it in.

stevenzhu · March 7, 2018, 8:33pm

Hi,

I didn’t see naxsi from your Nginx output.

Can you point it out for me?

Thank you

heythereparis · March 7, 2018, 8:40pm

Hmm, I thought I did. How would I compile it? I installed Naxsi using this: https://blog.rapid7.com/2017/06/24/how-to-install-and-configure-naxsi-firewall-on-ubuntu-linux/

stevenzhu · March 7, 2018, 8:58pm

Hi,

You can use that tutorial, just don’t forget to use
add-module= ‘your nasxi file’

Then restart Nginx.

sydneyli · March 7, 2018, 11:40pm

Hi @heythereparis , just continuing our conversation from here.

Yep, that’s how I installed certbot. Then just certbot --nginx. From your nginx -V output it looks like you have to re-./configure nginx with --add-module=<path to naxsi_src> set and run make && make install again (as @stevenzhu pointed out).

system · April 6, 2018, 11:41pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.