Categories
Nginx Passenger

Nginx with 2 new flavors : Naxsi & Passenger

Dotdeb’s packages of Nginx 1.0.14 for Debian 6.0 “Squeeze” (amd64/i386) have been synchronized with Debian’s ones to benefit from the great work of Cyril Lavier.

As a consequence, two new flavors of Nginx are now available, in addition to the regular nginx-light, nginx-full and nginx-extras packages :

  • nginx-naxsi inherits from nginx-light with a great new feature : Naxsi, a high performance, low rules maintenance, Web Application Firewall module. Use it if you want to protect your web apps from malicious visitors. Please read its documentation fore more info.
  • nginx-passenger is dedicated to Passenger, the well-known Ruby on Rails runtime. Please also note that :
    • the passenger-common package has been renamed to ruby-passenger to stick to the Debian naming convention,
    • Passenger was already included in nginx-extras. To ease the migration (don’t forget to backup your configuration files), it will stay so until Nginx 1.2 is released.

If you want to know which module has been included in each Nginx flavor, you just have to look at this useful document.

Oh… One more thing : all the Nginx packages are now hardened against memory corruption attacks (no PIE support yet).

I really hope you’ll enjoy them. And many thanks to the Debian maintainers for their work, of course.

23 replies on “Nginx with 2 new flavors : Naxsi & Passenger”

Is Naxsi also included in nginx-extras or only in nginx-naxsi? It would be great if Naxsi would be in nginx-extras in case we need any of the modules in nginx-full or nginx-extras and Naxsi.

btw after upgrade i got error nginx does not recognize limit_req_zone
“Starting nginx: nginx: [emerg] unknown limit_req_zone “asd” in /etc/nginx/sites-enabled/xxx.xxx:4
nginx: configuration file /etc/nginx/nginx.conf test failed”

and one more thing sorry for spam but it seems naxsi is in nginx extras (google doc saying its not) i got new config files like naxsi.rules etc

again sorry ;d
i had to kill nginx seems it didnt want to stop after kill and start i dont have that limit_req_zone error anymore

anyway about naxsi in extras when i uncomment naxi config it says “Starting nginx: nginx: [emerg] unknown directive “MainRule” in /etc/nginx/naxsi_core.rules:13
nginx: configuration file /etc/nginx/nginx.conf test failed”

so i guess google document says right 😉

@Matic : the goal for a WAF is to be as light as possible. Including naxsi in nginx-passenger would make no sense. It’s only available in nginx-naxsi.

@hanti : naxsi rules files belog to nginx-common, that is common to all the nginx flavors. Just ignore them (leave the naxsi-related directives commented if you don’t use nginx-naxsi).
When you change the installed nginx flavor, a restart is often needed. It’s safer than the usual soft restart.

And of course, the Google doc says right 🙂

It’s the first time I post here so I want first to thank you for the incredible job you do here.

About nxasi, I was thinking to compile nginx in order to use it. That’s very good news.
My only pb is that I use nginx-full.
Is there any reason why nxasi is only available for nginx-light package ?
Do you think you will release in the next weeks a nxasi version of nginx-full ?

Thanks a lot.

@laurent : thank you for using Dotdeb.
The goal of a WAF such as Naxsi is to be as light as possible. It will only be available in its minimalist dedicated package. Which module included in nginx-full could be missing from nginx-naxsi?

I have read the doc on google docs and discovered that http stub status module is integrated in nginx-light.

That’s perfect !
I can use nginx-naxsi now 🙂

@Guillaume Plessis : I don’t understand why you say a WAF has to be as light as possible. What about people using Nginx as a web server and not only as a proxy in front of Apache ?

Anyway, the best solution is to code correctly and not using stuff like WAF.

Getting the error in /var/log/ngnix/error.log

/usr/share/phusion-passenger/helper-scripts/passenger-spawn-server:75:in `require’: no such file to load — rubygems (LoadError)
from /usr/share/phusion-passenger/helper-scripts/passenger-spawn-server:75

Rubygems have to be installed aswell or am i missing a package?

Thank you, yea i feel dumb now since i’ve always used RVM. wouldn’t rubygems be a dependency for nginx-extras?

@Brian : the dependency will be fixed in the next nginx packages. Just try to install rubygems in the environment that Passenger is using (check your passenger_root and passenger_ruby configuration variables)

I didn’t see that nginx light doesn’t have the memcache module which I need.
I prefer to stay with nginx-full and wait for a nginx-full nxasi flavoured package, maybe …

In case anyone is using NGINX+IPV6:

It seems that something somewhere has changed and

listen 94.229.77.82:80;
listen [2a01:348:226:dead:beef:dead:beef:dead]:80;

wont work anymore (you get “98: Address already in use”)

You have to change it to

listen 94.229.77.82:443;
listen [2a01:348:226:dead:beef:dead:beef:dead]:443 ipv6only=on;

Comments are closed.