Install Nginx with Mod Security & Setup

May 21, 2021 / server / 3 minutes of reading

Last updated on May 21st, 2021 12:11 am EDT

As the title said, this is a tutorial on how to install Nginx with Mod Security & How to setup.

So there are two parts.

Table of Contents

  • Install ModSecurity
    • Install LibModsecurity
    • Install Nginx ModSecurity Connector
  • Setup ModSecurity
Install LibModSecurity

1. Check Official Documents

Go to https://github.com/SpiderLabs/ModSecurity-nginx

2. Now install some required dependencies

For yum-based:

$ yum install gcc-c++ flex bison yajl yajl-devel curl-devel curl GeoIP-devel doxygen zlib-devel

For apt-based:

$ sudo apt-get install g++ flex bison curl doxygen libyajl-dev libgeoip-dev libtool dh-autoreconf libcurl4-gnutls-dev libxml2 libpcre++-dev libxml2-dev

Please note: Each System is quite different.. Take a look at the official Wiki before install

3. Download LibModSecurity

Clone LibModSecurity from Github

$ cd /opt/ 
$ git clone https://github.com/SpiderLabs/ModSecurity

Checkout Github branches

$ cd ModSecurity
$ git checkout -b v3/master origin/v3/master

4. Install LibModSecurity

Prepare to build

$ sh build.sh

Install SubModules

$ git submodule init
$ git submodule update

Configure & Install ModSecurity

$ ./configure
$ make
$ make install

Now LibModSecurity is installed, it’s time to install Nginx Connector

Install Nginx Connector
  1. Download & Configure Nginx Connector
$ cd /opt/
$ git clone https://github.com/SpiderLabs/ModSecurity-nginx
$ wget https://openresty.org/download/ngx_openresty-1.9.7.1.tar.gz
$ tar -xvzf ngx_openresty-1.9.7.1.tar.gz

2. Setup Environment Variables

# ensure env vars are set
export MODSECURITY_INC="/opt/ModSecurity/headers/"
export MODSECURITY_LIB="/opt/ModSecurity/src/.libs/"

3. Compile Nginx with ModSecurity Connector

# cd (your Nginx Source Code Directory)
./configure (with existing arguments) --add-module=/opt/ModSecurity-nginx 


make
make install

You are all set with Nginx!

Now, Setup Nginx ModSecurity

Setup ModSecurity
  1. Setup Directory
$ mkdir /etc/nginx/modsec 
$ wget -P /etc/nginx/modsec/ https://raw.githubusercontent.com/SpiderLabs/ModSecurity/v3/master/modsecurity.conf-recommended 
$ mv /etc/nginx/modsec/modsecurity.conf-recommended /etc/nginx/modsec/modsecurity.conf

2. Change SecRuleEngine to Active (Instead of Detection)

$ sed -i 's/SecRuleEngine DetectionOnly/SecRuleEngine On/' /etc/nginx/modsec/modsecurity.conf

3.Configure Rules

Create a file called main.conf at /etc/nginx/modsec/main.conf and fill with the following contents

# From https://github.com/SpiderLabs/ModSecurity/blob/master/\
# modsecurity.conf-recommended
#
# Edit to set SecRuleEngine On
Include "https://cf-assets.stevenz.blog/etc/nginx/modsec/modsecurity.conf"

4. Use OWASP CRS

Now, use OWASP ModSecurity Core Rule Set (CRS) from https://modsecurity.org/crs/

1. Create a folder under Nginx Source

cd /etc/nginx/

2. Clone OWASP into Nginx

git clone https://github.com/SpiderLabs/owasp-modsecurity-crs

3. Move Core File to remove .example

mv crs-setup.conf.example crs-setup.conf

Edit the file with your own need

4. Rename Exclusion files to avoid rewrite after updates

mv rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf
mv rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.example rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf

5. Make an all-inclusive file to set as ModSecurityConfig

cd /etc/nginx/modsec

edit main.conf and add the following contents

    include owasp-modsecurity-crs/crs-setup.conf
    include owasp-modsecurity-crs/rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf
    include owasp-modsecurity-crs/rules/REQUEST-901-INITIALIZATION.conf
    include owasp-modsecurity-crs/rules/REQUEST-905-COMMON-EXCEPTIONS.conf
    include owasp-modsecurity-crs/rules/REQUEST-910-IP-REPUTATION.conf
    include owasp-modsecurity-crs/rules/REQUEST-911-METHOD-ENFORCEMENT.conf
    include owasp-modsecurity-crs/rules/REQUEST-912-DOS-PROTECTION.conf
    include owasp-modsecurity-crs/rules/REQUEST-913-SCANNER-DETECTION.conf
    include owasp-modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf
    include owasp-modsecurity-crs/rules/REQUEST-921-PROTOCOL-ATTACK.conf
    include owasp-modsecurity-crs/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf
    include owasp-modsecurity-crs/rules/REQUEST-931-APPLICATION-ATTACK-RFI.conf
    include owasp-modsecurity-crs/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf
    include owasp-modsecurity-crs/rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf
    include owasp-modsecurity-crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf
    include owasp-modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf
    include owasp-modsecurity-crs/rules/REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION.conf
    include owasp-modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf
    include owasp-modsecurity-crs/rules/RESPONSE-950-DATA-LEAKAGES.conf
    include owasp-modsecurity-crs/rules/RESPONSE-951-DATA-LEAKAGES-SQL.conf
    include owasp-modsecurity-crs/rules/RESPONSE-952-DATA-LEAKAGES-JAVA.conf
    include owasp-modsecurity-crs/rules/RESPONSE-953-DATA-LEAKAGES-PHP.conf
    include owasp-modsecurity-crs/rules/RESPONSE-954-DATA-LEAKAGES-IIS.conf
    include owasp-modsecurity-crs/rules/RESPONSE-959-BLOCKING-EVALUATION.conf
    include owasp-modsecurity-crs/rules/RESPONSE-980-CORRELATION.conf
    include owasp-modsecurity-crs/rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf

So the file would look like

# From https://github.com/SpiderLabs/ModSecurity/blob/master/\
# modsecurity.conf-recommended
#
# Edit to set SecRuleEngine On
Include "https://cf-assets.stevenz.blog/etc/nginx/modsec/modsecurity.conf"
Include "https://cf-assets.stevenz.blog/etc/nginx/owasp-modsecurity-crs/crs-setup.conf"
Include "https://cf-assets.stevenz.blog/etc/nginx/owasp-modsecurity-crs/rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf"
Include "https://cf-assets.stevenz.blog/etc/nginx/owasp-modsecurity-crs/rules/REQUEST-901-INITIALIZATION.conf"
Include "https://cf-assets.stevenz.blog/etc/nginx/owasp-modsecurity-crs/rules/REQUEST-905-COMMON-EXCEPTIONS.conf"
Include "https://cf-assets.stevenz.blog/etc/nginx/owasp-modsecurity-crs/rules/REQUEST-910-IP-REPUTATION.conf"
Include "https://cf-assets.stevenz.blog/etc/nginx/owasp-modsecurity-crs/rules/REQUEST-911-METHOD-ENFORCEMENT.conf"
Include "https://cf-assets.stevenz.blog/etc/nginx/owasp-modsecurity-crs/rules/REQUEST-912-DOS-PROTECTION.conf"
Include "https://cf-assets.stevenz.blog/etc/nginx/owasp-modsecurity-crs/rules/REQUEST-913-SCANNER-DETECTION.conf"
Include "https://cf-assets.stevenz.blog/etc/nginx/owasp-modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"
Include "https://cf-assets.stevenz.blog/etc/nginx/owasp-modsecurity-crs/rules/REQUEST-921-PROTOCOL-ATTACK.conf"
Include "https://cf-assets.stevenz.blog/etc/nginx/owasp-modsecurity-crs/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf"
Include "https://cf-assets.stevenz.blog/etc/nginx/owasp-modsecurity-crs/rules/REQUEST-931-APPLICATION-ATTACK-RFI.conf"
Include "https://cf-assets.stevenz.blog/etc/nginx/owasp-modsecurity-crs/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"
Include "https://cf-assets.stevenz.blog/etc/nginx/owasp-modsecurity-crs/rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf"
Include "https://cf-assets.stevenz.blog/etc/nginx/owasp-modsecurity-crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"
Include "https://cf-assets.stevenz.blog/etc/nginx/owasp-modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"
Include "https://cf-assets.stevenz.blog/etc/nginx/owasp-modsecurity-crs/rules/REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION.conf"
Include "https://cf-assets.stevenz.blog/etc/nginx/owasp-modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"
Include "https://cf-assets.stevenz.blog/etc/nginx/owasp-modsecurity-crs/rules/RESPONSE-950-DATA-LEAKAGES.conf"
Include "https://cf-assets.stevenz.blog/etc/nginx/owasp-modsecurity-crs/rules/RESPONSE-951-DATA-LEAKAGES-SQL.conf"
Include "https://cf-assets.stevenz.blog/etc/nginx/owasp-modsecurity-crs/rules/RESPONSE-952-DATA-LEAKAGES-JAVA.conf"
Include "https://cf-assets.stevenz.blog/etc/nginx/owasp-modsecurity-crs/rules/RESPONSE-953-DATA-LEAKAGES-PHP.conf"
Include "https://cf-assets.stevenz.blog/etc/nginx/owasp-modsecurity-crs/rules/RESPONSE-954-DATA-LEAKAGES-IIS.conf"
Include "https://cf-assets.stevenz.blog/etc/nginx/owasp-modsecurity-crs/rules/RESPONSE-959-BLOCKING-EVALUATION.conf"
Include "https://cf-assets.stevenz.blog/etc/nginx/owasp-modsecurity-crs/rules/RESPONSE-980-CORRELATION.conf"
Include "https://cf-assets.stevenz.blog/etc/nginx/owasp-modsecurity-crs/rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf"

Then Edit your nginx main file, add the following lines inside http block

modsecurity on;
modsecurity_rules_file /etc/nginx/modsec/main.conf;

Test your nginx

nginx -t

Success!

You’ve setup the basic ModSecurity Rules

Reference:

  1. https://www.nginx.com/blog/compiling-and-installing-modsecurity-for-open-source-nginx/
  2. https://github.com/SpiderLabs/ModSecurity/wiki/Compilation-recipes-for-v3.x#centos-7-minimal
  3. https://github.com/SpiderLabs/ModSecurity-nginx
  4. https://modsecurity.org/crs/
  5. https://raw.githubusercontent.com/SpiderLabs/owasp-modsecurity-crs/v3.0/master/INSTALL
Scroll to Top