Implementation of Nginx+ModSecurity Security Module Deployment
- 2021-11-01 05:50:01
- OfStack
2. Deployment
1. Nginx deployment
2. ModSecurity deployment
3. Add a ModSecurity module
4. Configure the Nginx virtual host
To demonstrate adding ModSecurity to an Nginx that was installed without it, install Nginx first and then add the ModSecurity module.
ModSecurity is an open source, cross-platform web application firewall (WAF) engine. It is perfectly compatible with Nginx, is the WAF officially recommended by Nginx, and supports the OWASP rules.
Chinese website: http://www.modsecurity.cn
For practical application, please refer to: http://www.modsecurity.cn/practice/
1. Download
1. Nginx download
wget http://nginx.org/download/nginx-1.14.2.tar.gz
2. ModSecurity download
wget http://www.modsecurity.cn/download/modsecurity/modsecurity-v3.0.4.tar.gz
2. Deployment
1. Nginx deployment
1.1 Installing dependencies
yum install -y pcre* openssl* gcc gcc-c++ make
1.2 Compile and Install
Extract the archive
tar -xvf nginx-1.14.2.tar.gz
cd nginx-1.14.2/
Configure the build
./configure --prefix=/usr/local/nginx --sbin-path=/usr/local/nginx/sbin/nginx --conf-path=/usr/local/nginx/conf/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx/nginx.pid --lock-path=/var/lock/nginx.lock --user=nginx --group=nginx --with-http_ssl_module --with-http_stub_status_module --with-http_gzip_static_module --http-client-body-temp-path=/var/tmp/nginx/client/ --http-proxy-temp-path=/var/tmp/nginx/proxy/ --http-fastcgi-temp-path=/var/tmp/nginx/fcgi/ --http-uwsgi-temp-path=/var/tmp/nginx/uwsgi --http-scgi-temp-path=/var/tmp/nginx/scgi --with-pcre
Compile and install
make
make install
Create accounts and directories
useradd nginx -s /sbin/nologin
mkdir /var/tmp/nginx/
2. ModSecurity deployment
2.1 Installing dependencies
yum install -y gcc-c++ flex bison yajl yajl-devel curl-devel curl GeoIP-devel doxygen zlib-devel pcre-devel lmdb-devel libxml2-devel ssdeep-devel lua-devel libtool autoconf automake
2.2 Compile and Install
Extract the archive
tar -xvf modsecurity-v3.0.4.tar.gz
cd modsecurity-v3.0.4/
Compile and install
./configure
make
make install
cp modsecurity.conf-recommended /usr/local/modsecurity/modsecurity.conf
cp unicode.mapping /usr/local/modsecurity/
3. Add a ModSecurity module
3.1 View Nginx compilation parameters
3.2 Download the ModSecurity module
3.3 Recompile Nginx
Extract the module
Compile and install
./configure --prefix=/usr/local/nginx --sbin-path=/usr/local/nginx/sbin/nginx --conf-path=/usr/local/nginx/conf/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx/nginx.pid --lock-path=/var/lock/nginx.lock --user=nginx --group=nginx --with-http_ssl_module --with-http_stub_status_module --with-http_gzip_static_module --http-client-body-temp-path=/var/tmp/nginx/client/ --http-proxy-temp-path=/var/tmp/nginx/proxy/ --http-fastcgi-temp-path=/var/tmp/nginx/fcgi/ --http-uwsgi-temp-path=/var/tmp/nginx/uwsgi --http-scgi-temp-path=/var/tmp/nginx/scgi --with-pcre --add-module=../ModSecurity-nginx
# Note the path to ModSecurity-nginx here
make
make install
/usr/local/nginx/sbin/nginx -V # Check that the ModSecurity module is now listed
Add the configuration file
4. Configure the Nginx virtual host
4.1 Virtual host configuration
4.2 ModSecurity configuration
4.3 Download the rule file
4.4 Configure the rules
unzip owasp-modsecurity-crs-3.3-dev.zip
cd owasp-modsecurity-crs-3.3-dev/
cp crs-setup.conf.example /usr/local/nginx/conf/modsecurity/crs-setup.conf
cp -r rules /usr/local/nginx/conf/modsecurity/
cd /usr/local/nginx/conf/modsecurity/rules
mv REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf
mv RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.example RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf
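A check worth running after the copy and rename steps above, added here as an example and not part of the original article: it confirms the section 4.4 files are in place, that the engine is not still in the DetectionOnly mode that modsecurity.conf-recommended ships with, and that the rules are actually loaded by an Include directive. The function name check_waf_layout and its output labels are made up for this example; the paths in the usage comment are the ones the page uses.

```shell
#!/bin/sh
# Added example (not from the original article): sanity-check the files that
# section 4.4 puts in place and the ModSecurity engine mode.
# Usage with the page's paths:
#   check_waf_layout /usr/local/nginx/conf/modsecurity \
#       /usr/local/modsecurity/modsecurity.conf
# Extra arguments are further rules files to scan (assumption: the Include
# lines may live in a different file from SecRuleEngine).
check_waf_layout() {
    [ "$#" -ge 2 ] || { echo "usage: check_waf_layout CRS_DIR CONF..." >&2; return 2; }
    crs_dir=$1; shift; rc=0

    # Files copied or renamed in section 4.4; a skipped mv leaves only .example.
    for f in crs-setup.conf \
             rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf \
             rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf; do
        if [ ! -f "$crs_dir/$f" ]; then echo "MISSING $f"; rc=1; fi
    done

    # Active directives only: strip indentation, drop comment lines.
    active=$(cat "$@" 2>/dev/null | sed -e 's/^[[:space:]]*//' -e '/^#/d')

    # DetectionOnly logs matches but never blocks a request.
    # The last uncommented directive is assumed to be the effective one.
    mode=$(printf '%s\n' "$active" |
           sed -n 's/^SecRuleEngine[[:space:]]\{1,\}\([A-Za-z]*\).*/\1/p' | tail -n 1)
    case $mode in
        On) echo "ENGINE On" ;;
        "") echo "ENGINE unset"; rc=1 ;;
        *)  echo "ENGINE $mode (not blocking)"; rc=1 ;;
    esac

    # Rules on disk do nothing unless an Include directive loads them.
    printf '%s\n' "$active" | grep -Eq '^Include[[:space:]]+.*crs-setup\.conf' ||
        { echo "NOT-INCLUDED crs-setup.conf"; rc=1; }
    printf '%s\n' "$active" | grep -Eq '^Include[[:space:]]+.*rules/[^[:space:]]*\.conf' ||
        { echo "NOT-INCLUDED rules/*.conf"; rc=1; }
    return "$rc"
}
```

A non-zero return means at least one finding was printed; run it again after each configuration change and before the test in 4.5.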
4.5 Test