Implementation of Nginx+ModSecurity Security Module Deployment

  • 2021-11-01 05:50:01
  • OfStack

Directory
1. Download
2. Deployment
  1. Nginx deployment
  2. ModSecurity deployment
  3. Add the ModSecurity module
  4. Configure the Nginx virtual host

To demonstrate adding ModSecurity to an Nginx that was installed without it, this walkthrough installs Nginx first and then adds the ModSecurity module.

ModSecurity is an open source, cross-platform web application firewall (WAF) engine. It is perfectly compatible with nginx, is the WAF officially recommended by nginx, and supports the OWASP rules.

Chinese website: http://www.modsecurity.cn

For practical application, please refer to: http://www.modsecurity.cn/practice/

1. Download

1. Nginx download


wget http://nginx.org/download/nginx-1.14.2.tar.gz

2. ModSecurity download


wget http://www.modsecurity.cn/download/modsecurity/modsecurity-v3.0.4.tar.gz

2. Deployment

1. Nginx deployment

1.1 Installing dependencies


yum install -y 'pcre*' 'openssl*' gcc gcc-c++ make

1.2 Compile and Install
Extract the archive


tar  -xvf nginx-1.14.2.tar.gz 
cd nginx-1.14.2/

Configure the build


./configure  --prefix=/usr/local/nginx  --sbin-path=/usr/local/nginx/sbin/nginx --conf-path=/usr/local/nginx/conf/nginx.conf --error-log-path=/var/log/nginx/error.log  --http-log-path=/var/log/nginx/access.log  --pid-path=/var/run/nginx/nginx.pid --lock-path=/var/lock/nginx.lock  --user=nginx --group=nginx --with-http_ssl_module --with-http_stub_status_module --with-http_gzip_static_module --http-client-body-temp-path=/var/tmp/nginx/client/ --http-proxy-temp-path=/var/tmp/nginx/proxy/ --http-fastcgi-temp-path=/var/tmp/nginx/fcgi/ --http-uwsgi-temp-path=/var/tmp/nginx/uwsgi --http-scgi-temp-path=/var/tmp/nginx/scgi --with-pcre

Perform compilation


make
make install

Create accounts and directories


useradd nginx -s /sbin/nologin
mkdir /var/tmp/nginx/

2. ModSecurity deployment

2.1 Installing dependencies


yum install -y gcc-c++ flex bison yajl yajl-devel curl-devel curl GeoIP-devel doxygen zlib-devel pcre-devel lmdb-devel libxml2-devel ssdeep-devel lua-devel libtool autoconf automake

2.2 Compile and Install
Extract the archive


tar -xvf modsecurity-v3.0.4.tar.gz
cd modsecurity-v3.0.4/

Compile and install


./configure
make
make install
cp modsecurity.conf-recommended /usr/local/modsecurity/modsecurity.conf
cp unicode.mapping /usr/local/modsecurity/

3. Add the ModSecurity module

3.1 View Nginx compilation parameters



3.2 Download the ModSecurity module



3.3 Recompile Nginx

Extract the module



Compile and install


./configure  --prefix=/usr/local/nginx --sbin-path=/usr/local/nginx/sbin/nginx --conf-path=/usr/local/nginx/conf/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx/nginx.pid --lock-path=/var/lock/nginx.lock --user=nginx --group=nginx --with-http_ssl_module --with-http_stub_status_module --with-http_gzip_static_module --http-client-body-temp-path=/var/tmp/nginx/client/ --http-proxy-temp-path=/var/tmp/nginx/proxy/ --http-fastcgi-temp-path=/var/tmp/nginx/fcgi/ --http-uwsgi-temp-path=/var/tmp/nginx/uwsgi --http-scgi-temp-path=/var/tmp/nginx/scgi --with-pcre --add-module=../ModSecurity-nginx

 
# Note: --add-module must point to the ModSecurity-nginx directory
make
make install

/usr/local/nginx/sbin/nginx -V # Check that the ModSecurity module is now included
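
The rebuild in 3.3 has to repeat every flag reported in 3.1 and add only the ModSecurity-nginx module; a dropped flag (for example the SSL module) silently changes what the server supports. The script below is an added example, not part of the original article: it compares two `nginx -V` outputs, and the function names and sample outputs are constructed for illustration.

```shell
#!/bin/sh
# Added example: confirm a rebuilt nginx kept its original configure flags.
# Assumption: no flag contains spaces (true for the flags used on this page).

# Constructed sample `nginx -V` output, shortened from the flags on this page.
OLD_SAMPLE='nginx version: nginx/1.14.2
configure arguments: --prefix=/usr/local/nginx --user=nginx --group=nginx --with-http_ssl_module --with-pcre'
NEW_SAMPLE="$OLD_SAMPLE --add-module=../ModSecurity-nginx"

# Read `nginx -V` output on stdin; print its configure flags one per line.
configure_args() {
    sed -n 's/^configure arguments: *//p' | tr -s ' ' '\n' | sed '/^$/d' | sort -u
}

# audit_rebuild OLD_OUTPUT NEW_OUTPUT
# Returns 0 only if no original flag was dropped and the sole addition is
# --add-module=<path>/ModSecurity-nginx.
audit_rebuild() {
    old=$(printf '%s\n' "$1" | configure_args)
    new=$(printf '%s\n' "$2" | configure_args)
    rc=0
    module_seen=no
    for arg in $old; do
        if ! printf '%s\n' "$new" | grep -Fqx -e "$arg"; then
            echo "dropped flag: $arg"
            rc=1
        fi
    done
    for arg in $new; do
        printf '%s\n' "$old" | grep -Fqx -e "$arg" && continue
        case $arg in
            --add-module=*ModSecurity-nginx) module_seen=yes ;;
            *) echo "unexpected new flag: $arg"; rc=1 ;;
        esac
    done
    if [ "$module_seen" != yes ]; then
        echo "ModSecurity-nginx module not compiled in"
        rc=1
    fi
    return "$rc"
}

# Demo on the constructed samples. On a real host, save the output of
# `nginx -V 2>&1` before and after the rebuild and pass both strings in.
audit_rebuild "$OLD_SAMPLE" "$NEW_SAMPLE" && echo "OK: only ModSecurity-nginx was added"
```

`nginx -V` writes to stderr, so capture it with `2>&1` before the rebuild overwrites the binary.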

Add Configuration File



4. Configure the Nginx virtual host

4.1 Virtual Hosting Configuration



4.2 ModSecurity Configuration



4.3 Download the rule file



4.4 Configuration Rules


unzip owasp-modsecurity-crs-3.3-dev.zip 
cd owasp-modsecurity-crs-3.3-dev/

cp crs-setup.conf.example /usr/local/nginx/conf/modsecurity/crs-setup.conf
cp -r rules /usr/local/nginx/conf/modsecurity/

cd /usr/local/nginx/conf/modsecurity/rules
mv REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf
mv RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.example RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf

4.5 Test


