As the title says, this is a tutorial on how to install Nginx with ModSecurity and how to set it up.
So there are two parts.
Table of Contents
- Install ModSecurity
- Install LibModSecurity
- Install Nginx ModSecurity Connector
- Setup ModSecurity
Install LibModSecurity
1. Check Official Documents
Go to https://github.com/SpiderLabs/ModSecurity-nginx
2. Now install some required dependencies
For yum-based:
$ yum install gcc-c++ flex bison yajl yajl-devel curl-devel curl GeoIP-devel doxygen zlib-devel
For apt-based:
$ sudo apt-get install g++ flex bison curl doxygen libyajl-dev libgeoip-dev libtool dh-autoreconf libcurl4-gnutls-dev libxml2 libpcre++-dev libxml2-dev
Please note: each system is quite different. Take a look at the official wiki before installing.
3. Download LibModSecurity
Clone LibModSecurity from Github
$ cd /opt/
$ git clone https://github.com/SpiderLabs/ModSecurity
Check out the v3/master branch
$ cd ModSecurity
$ git checkout -b v3/master origin/v3/master
4. Install LibModSecurity
Prepare to build
$ sh build.sh
Install SubModules
$ git submodule init
$ git submodule update
Configure & Install ModSecurity
$ ./configure
$ make
$ make install
Now that LibModSecurity is installed, it's time to install the Nginx connector.
Install Nginx Connector
1. Download Nginx Connector and Nginx Source
$ cd /opt/
$ git clone https://github.com/SpiderLabs/ModSecurity-nginx
$ wget https://openresty.org/download/ngx_openresty-1.9.7.1.tar.gz
$ tar -xvzf ngx_openresty-1.9.7.1.tar.gz
2. Setup Environment Variables
# ensure env vars are set
export MODSECURITY_INC="/opt/ModSecurity/headers/"
export MODSECURITY_LIB="/opt/ModSecurity/src/.libs/"
3. Compile Nginx with ModSecurity Connector
# cd (your Nginx Source Code Directory)
./configure (with existing arguments) --add-module=/opt/ModSecurity-nginx
make
make install
You are all set with Nginx!
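Two things commonly go wrong at this point without the build itself failing: the `nginx` found first in PATH is an older binary without the connector (the freshly built one may have landed under a different prefix), or Nginx refuses to start because the dynamic linker cannot find libmodsecurity.so. The shell functions below are an added example, not part of the original post or of the ModSecurity projects; they check the `nginx -V` configure arguments for the connector and the `ldconfig -p` cache for libmodsecurity. Both take that output as text so the checks can also be run on a saved sample; the sample `nginx -V` and `ldconfig -p` output inside the block is constructed.

```shell
#!/bin/sh
# Added example, not from the original post: post-build checks for an
# Nginx + ModSecurity connector build.

# Return 0 if the configure arguments reported by `nginx -V` contain the
# ModSecurity-nginx connector, built in statically (--add-module) or as a
# dynamic module (--add-dynamic-module).
configure_args_have_connector() {
    printf '%s\n' "$1" \
        | grep -Eq -e '--add-(dynamic-)?module=[^[:space:]]*ModSecurity-nginx'
}

# Return 0 if the dynamic linker cache (`ldconfig -p` output) lists
# libmodsecurity.so; without it Nginx fails at startup with a
# "cannot open shared object file" error for the connector.
ldcache_has_libmodsecurity() {
    printf '%s\n' "$1" | grep -q 'libmodsecurity\.so'
}

# Run both checks against the live system. Pass the path of the binary you
# just built; a bare `nginx` may resolve to an older, unpatched install.
verify_nginx_modsecurity_build() {
    nginx_bin="${1:-nginx}"
    status=0
    v_out=$("$nginx_bin" -V 2>&1) || { echo "cannot run $nginx_bin -V" >&2; return 1; }
    if configure_args_have_connector "$v_out"; then
        echo "ok: $nginx_bin was built with the ModSecurity connector"
    else
        echo "FAIL: no ModSecurity-nginx module in the configure arguments of $nginx_bin" >&2
        status=1
    fi
    if ldcache_has_libmodsecurity "$(ldconfig -p 2>/dev/null)"; then
        echo "ok: libmodsecurity.so is in the linker cache"
    else
        echo "FAIL: libmodsecurity.so is not in the linker cache (add its lib dir to /etc/ld.so.conf.d/ and run ldconfig)" >&2
        status=1
    fi
    return "$status"
}

# Constructed sample of `nginx -V` output for a build from the OpenResty
# bundle used above, with the connector added statically.
SAMPLE_NGINX_V='nginx version: openresty/1.9.7.1
built by gcc 4.8.5 (GCC)
configure arguments: --prefix=/usr/local/openresty/nginx --add-module=/opt/ModSecurity-nginx --with-http_ssl_module'

# Constructed sample of `ldconfig -p` output.
SAMPLE_LDCACHE='    libmodsecurity.so.3 (libc6,x86-64) => /usr/local/modsecurity/lib/libmodsecurity.so.3
    libm.so.6 (libc6,x86-64) => /lib64/libm.so.6'

# Demo on the samples, then on the live system if an nginx binary is present.
configure_args_have_connector "$SAMPLE_NGINX_V" && echo "sample nginx -V: connector present"
ldcache_has_libmodsecurity "$SAMPLE_LDCACHE" && echo "sample ldconfig -p: libmodsecurity present"
if command -v nginx >/dev/null 2>&1; then
    verify_nginx_modsecurity_build nginx || echo "live check reported problems"
fi
```

On a real host run `verify_nginx_modsecurity_build /path/to/the/built/nginx`; if only the linker check fails, the usual fix is a file in /etc/ld.so.conf.d/ naming the directory that holds libmodsecurity.so, followed by `ldconfig`.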
Now, set up ModSecurity for Nginx.
Setup ModSecurity
1. Setup Directory
$ mkdir /etc/nginx/modsec
$ wget -P /etc/nginx/modsec/ https://raw.githubusercontent.com/SpiderLabs/ModSecurity/v3/master/modsecurity.conf-recommended
$ mv /etc/nginx/modsec/modsecurity.conf-recommended /etc/nginx/modsec/modsecurity.conf
2. Change SecRuleEngine to Active (Instead of Detection)
$ sed -i 's/SecRuleEngine DetectionOnly/SecRuleEngine On/' /etc/nginx/modsec/modsecurity.conf
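`sed -i` exits 0 whether or not its pattern matched, so a modsecurity.conf that already reads `SecRuleEngine On`, or whose default differs from the recommended file, would be left unchanged without any error. The shell functions below are an added example, not from the original post or the ModSecurity project: `modsec_engine_mode` prints the SecRuleEngine value that is actually in force, and `switch_engine_on` applies the same substitution as above and then verifies the result. The configuration file built inside the block is a constructed stand-in for /etc/nginx/modsec/modsecurity.conf.

```shell
#!/bin/sh
# Added example, not from the original post: switch SecRuleEngine to On and
# verify it, instead of trusting a silent `sed -i`.

# Print the SecRuleEngine value in force in a modsecurity.conf. Comment lines
# (the recommended file carries a commented "# SecRuleEngine On") are not
# matched, and if the directive appears more than once the last one is
# reported, since a later directive overrides an earlier one.
modsec_engine_mode() {
    grep -E '^[[:space:]]*SecRuleEngine[[:space:]]+' "$1" \
        | awk '{print $2}' | tail -n 1
}

# Same substitution the tutorial runs, written without `sed -i` so it also
# works with BSD sed and keeps the file's owner and mode, followed by a
# check that the file now says On.
switch_engine_on() {
    conf="$1"
    sed 's/SecRuleEngine DetectionOnly/SecRuleEngine On/' "$conf" > "$conf.tmp" \
        && cat "$conf.tmp" > "$conf" && rm -f "$conf.tmp"
    mode=$(modsec_engine_mode "$conf")
    if [ "$mode" = "On" ]; then
        return 0
    fi
    echo "SecRuleEngine is '$mode', not On: check $conf by hand" >&2
    return 1
}

# Constructed stand-in for /etc/nginx/modsec/modsecurity.conf; the two
# SecRuleEngine lines mirror the shape of the recommended file.
make_sample_conf() {
    cat > "$1" <<'EOF'
# -- Rule engine initialization ------------------------------------------
# Enable ModSecurity, attaching it to every transaction.
# SecRuleEngine On
SecRuleEngine DetectionOnly
SecRequestBodyAccess On
EOF
}

# Demo on a temporary copy; on a real host run switch_engine_on on the
# installed file instead.
demo=$(mktemp -d)
make_sample_conf "$demo/modsecurity.conf"
echo "before: $(modsec_engine_mode "$demo/modsecurity.conf")"
switch_engine_on "$demo/modsecurity.conf" \
    && echo "after:  $(modsec_engine_mode "$demo/modsecurity.conf")"
rm -rf "$demo"
```

Running `switch_engine_on` a second time is harmless: the substitution finds nothing to change and the verification still passes. A file whose directive reads anything other than DetectionOnly or On makes the function return 1 instead of pretending the edit worked.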
3. Configure Rules
Create a file called main.conf at /etc/nginx/modsec/main.conf
and fill it with the following contents:
# From https://github.com/SpiderLabs/ModSecurity/blob/master/\
# modsecurity.conf-recommended
#
# Edit to set SecRuleEngine On
Include "/etc/nginx/modsec/modsecurity.conf"
4. Use OWASP CRS
Now, use the OWASP ModSecurity Core Rule Set (CRS) from https://modsecurity.org/crs/
1. Go to the Nginx configuration directory
cd /etc/nginx/
2. Clone the OWASP CRS into the Nginx directory and enter it
git clone https://github.com/SpiderLabs/owasp-modsecurity-crs
cd owasp-modsecurity-crs
3. Rename the main setup file to drop the .example suffix
mv crs-setup.conf.example crs-setup.conf
Edit the file to your own needs.
4. Rename the exclusion files, so that a later update of the rule set does not overwrite your changes
mv rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf
mv rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.example rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf
5. Make an all-inclusive file to set as the ModSecurity config
cd /etc/nginx/modsec
Edit main.conf and add the following include lines (the complete file, with absolute paths, is shown right after):
include owasp-modsecurity-crs/crs-setup.conf
include owasp-modsecurity-crs/rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf
include owasp-modsecurity-crs/rules/REQUEST-901-INITIALIZATION.conf
include owasp-modsecurity-crs/rules/REQUEST-905-COMMON-EXCEPTIONS.conf
include owasp-modsecurity-crs/rules/REQUEST-910-IP-REPUTATION.conf
include owasp-modsecurity-crs/rules/REQUEST-911-METHOD-ENFORCEMENT.conf
include owasp-modsecurity-crs/rules/REQUEST-912-DOS-PROTECTION.conf
include owasp-modsecurity-crs/rules/REQUEST-913-SCANNER-DETECTION.conf
include owasp-modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf
include owasp-modsecurity-crs/rules/REQUEST-921-PROTOCOL-ATTACK.conf
include owasp-modsecurity-crs/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf
include owasp-modsecurity-crs/rules/REQUEST-931-APPLICATION-ATTACK-RFI.conf
include owasp-modsecurity-crs/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf
include owasp-modsecurity-crs/rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf
include owasp-modsecurity-crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf
include owasp-modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf
include owasp-modsecurity-crs/rules/REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION.conf
include owasp-modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf
include owasp-modsecurity-crs/rules/RESPONSE-950-DATA-LEAKAGES.conf
include owasp-modsecurity-crs/rules/RESPONSE-951-DATA-LEAKAGES-SQL.conf
include owasp-modsecurity-crs/rules/RESPONSE-952-DATA-LEAKAGES-JAVA.conf
include owasp-modsecurity-crs/rules/RESPONSE-953-DATA-LEAKAGES-PHP.conf
include owasp-modsecurity-crs/rules/RESPONSE-954-DATA-LEAKAGES-IIS.conf
include owasp-modsecurity-crs/rules/RESPONSE-959-BLOCKING-EVALUATION.conf
include owasp-modsecurity-crs/rules/RESPONSE-980-CORRELATION.conf
include owasp-modsecurity-crs/rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf
So the file would look like this:
# From https://github.com/SpiderLabs/ModSecurity/blob/master/\
# modsecurity.conf-recommended
#
# Edit to set SecRuleEngine On
Include "/etc/nginx/modsec/modsecurity.conf"
Include "/etc/nginx/owasp-modsecurity-crs/crs-setup.conf"
Include "/etc/nginx/owasp-modsecurity-crs/rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf"
Include "/etc/nginx/owasp-modsecurity-crs/rules/REQUEST-901-INITIALIZATION.conf"
Include "/etc/nginx/owasp-modsecurity-crs/rules/REQUEST-905-COMMON-EXCEPTIONS.conf"
Include "/etc/nginx/owasp-modsecurity-crs/rules/REQUEST-910-IP-REPUTATION.conf"
Include "/etc/nginx/owasp-modsecurity-crs/rules/REQUEST-911-METHOD-ENFORCEMENT.conf"
Include "/etc/nginx/owasp-modsecurity-crs/rules/REQUEST-912-DOS-PROTECTION.conf"
Include "/etc/nginx/owasp-modsecurity-crs/rules/REQUEST-913-SCANNER-DETECTION.conf"
Include "/etc/nginx/owasp-modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"
Include "/etc/nginx/owasp-modsecurity-crs/rules/REQUEST-921-PROTOCOL-ATTACK.conf"
Include "/etc/nginx/owasp-modsecurity-crs/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf"
Include "/etc/nginx/owasp-modsecurity-crs/rules/REQUEST-931-APPLICATION-ATTACK-RFI.conf"
Include "/etc/nginx/owasp-modsecurity-crs/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"
Include "/etc/nginx/owasp-modsecurity-crs/rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf"
Include "/etc/nginx/owasp-modsecurity-crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"
Include "/etc/nginx/owasp-modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"
Include "/etc/nginx/owasp-modsecurity-crs/rules/REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION.conf"
Include "/etc/nginx/owasp-modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"
Include "/etc/nginx/owasp-modsecurity-crs/rules/RESPONSE-950-DATA-LEAKAGES.conf"
Include "/etc/nginx/owasp-modsecurity-crs/rules/RESPONSE-951-DATA-LEAKAGES-SQL.conf"
Include "/etc/nginx/owasp-modsecurity-crs/rules/RESPONSE-952-DATA-LEAKAGES-JAVA.conf"
Include "/etc/nginx/owasp-modsecurity-crs/rules/RESPONSE-953-DATA-LEAKAGES-PHP.conf"
Include "/etc/nginx/owasp-modsecurity-crs/rules/RESPONSE-954-DATA-LEAKAGES-IIS.conf"
Include "/etc/nginx/owasp-modsecurity-crs/rules/RESPONSE-959-BLOCKING-EVALUATION.conf"
Include "/etc/nginx/owasp-modsecurity-crs/rules/RESPONSE-980-CORRELATION.conf"
Include "/etc/nginx/owasp-modsecurity-crs/rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf"
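libmodsecurity refuses to load the rule set if any Include target is missing, and a typo in one of the paths above only surfaces later as a parse error from `nginx -t`. The functions below are an added example, not from the original post or from the ModSecurity and CRS projects: `modsec_include_paths` lists the Include targets of a rules file, and `check_modsec_includes` reports the ones that do not exist. Resolving a relative Include against the directory of the file that contains it is an assumption of this example, not documented libmodsecurity behaviour; the main.conf above sidesteps the question by using absolute paths. The directory tree the demo builds is constructed.

```shell
#!/bin/sh
# Added example, not from the original post: verify that every Include in a
# libmodsecurity rules file points at an existing file before running nginx -t.

# Print one resolved path per Include directive in the given rules file.
# The directive is matched case-insensitively, quotes are stripped, and a
# relative path is joined to the base directory (second argument, defaulting
# to the directory of the rules file; that base is an assumption of this
# example, absolute paths avoid the question). Nested Includes are not followed.
modsec_include_paths() {
    conf="$1"
    base="${2:-$(dirname "$conf")}"
    grep -Ei '^[[:space:]]*include[[:space:]]+' "$conf" \
        | sed -E 's/^[[:space:]]*[Ii]nclude[[:space:]]+//; s/^"//; s/"[[:space:]]*$//; s/[[:space:]]+$//' \
        | while IFS= read -r p; do
            case "$p" in
                /*) printf '%s\n' "$p" ;;
                *)  printf '%s/%s\n' "$base" "$p" ;;
            esac
        done
}

# Return 0 if every Include target exists, 1 otherwise; missing paths are
# listed on stderr.
check_modsec_includes() {
    conf="$1"
    missing=0
    while IFS= read -r p; do
        [ -z "$p" ] && continue
        if [ ! -f "$p" ]; then
            echo "missing: $p" >&2
            missing=$((missing + 1))
        fi
    done <<EOF
$(modsec_include_paths "$conf" "$2")
EOF
    [ "$missing" -eq 0 ]
}

# Constructed stand-in for the /etc/nginx layout used in the tutorial: a
# modsec/ directory holding main.conf and a CRS checkout beside it, with one
# rule file deliberately left out so the check has something to report.
make_demo_tree() {
    root="$1"
    mkdir -p "$root/modsec" "$root/owasp-modsecurity-crs/rules"
    : > "$root/modsec/modsecurity.conf"
    : > "$root/owasp-modsecurity-crs/crs-setup.conf"
    : > "$root/owasp-modsecurity-crs/rules/REQUEST-901-INITIALIZATION.conf"
    cat > "$root/modsec/main.conf" <<EOF
# constructed main.conf: one relative, one lowercase and one missing Include
Include modsecurity.conf
Include "$root/owasp-modsecurity-crs/crs-setup.conf"
include "$root/owasp-modsecurity-crs/rules/REQUEST-901-INITIALIZATION.conf"
Include "$root/owasp-modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"
EOF
}

# Demo on the constructed tree; on a real host call
# check_modsec_includes /etc/nginx/modsec/main.conf instead.
demo=$(mktemp -d)
make_demo_tree "$demo"
if check_modsec_includes "$demo/modsec/main.conf"; then
    echo "all includes present"
else
    echo "fix the paths listed above before running nginx -t"
fi
rm -rf "$demo"
```

The demo reports the REQUEST-949 file as missing and exits non-zero; creating that file makes the same check pass. The check is deliberately shallow: it does not parse the included files themselves, so `nginx -t` is still the final word.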
Then edit your main Nginx configuration file (nginx.conf) and add the following lines inside the http block:
modsecurity on;
modsecurity_rules_file /etc/nginx/modsec/main.conf;
Test your Nginx configuration:
nginx -t
Success!
You've set up the basic ModSecurity rules.
References:
- https://www.nginx.com/blog/compiling-and-installing-modsecurity-for-open-source-nginx/
- https://github.com/SpiderLabs/ModSecurity/wiki/Compilation-recipes-for-v3.x#centos-7-minimal
- https://github.com/SpiderLabs/ModSecurity-nginx
- https://modsecurity.org/crs/
- https://raw.githubusercontent.com/SpiderLabs/owasp-modsecurity-crs/v3.0/master/INSTALL