In one of my previous notes I wrote about firewalling web applications using the NAXSI WAF. In this post I'll write a small howto on getting the ModSecurity module to work with the Nginx web server.
To get ModSecurity working with Nginx, both must be compiled in the right order from the appropriate sources. First download the ModSecurity sources, the ones called ModSecurity-nginx_refactoring, and compile them as a standalone module; then download Nginx and build it with the ModSec module enabled.
Prepare ModSecurity
$ wget https://github.com/SpiderLabs/ModSecurity/archive/nginx_refactoring.zip
$ unzip nginx_refactoring.zip
$ cd ModSecurity-nginx_refactoring/
$ ./autogen.sh
$ ./configure --enable-standalone-module --disable-mlogc && make
It is important to take the ModSecurity sources from the "nginx_refactoring" branch for stability, to avoid worker crashes like this one (signal 11 is a segmentation fault):
[alert] 10721#0: worker process 10723 exited on signal 11
This can happen all the time, especially when using proxy_pass. After testing different ModSec versions and branches, the nginx_refactoring one seems to be solidly stable with the recent stable Nginx.
Build Nginx
$ wget http://nginx.org/download/nginx-1.8.0.tar.gz
$ tar -xzf nginx-1.8.0.tar.gz
$ cd nginx-1.8.0/
$ ./configure --user=www-data --group=www-data --with-pcre-jit --with-ipv6 --add-module=/path/to/ModSecurity-nginx_refactoring/nginx/modsecurity/ --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --with-poll_module --with-file-aio --with-http_auth_request_module --with-http_secure_link_module --with-http_stub_status_module --with-http_perl_module --with-ld-opt="-Wl,-E" --with-pcre --with-md5-asm --with-sha1-asm --with-zlib-asm=CPU --with-libatomic
At this point, adjust the configure flags to suit your needs. Note that we pass the absolute path to the ModSec directory here. The next step is to compile and install the binaries.
$ make
# make install
Enable ModSec in Nginx
Now that we have built Nginx with ModSec support, the last step is to enable it in our configuration file. Usually that is nginx.conf, located in the /etc/nginx/ directory.
Copy the ModSec configuration file from its source directory into Nginx's configuration directory.
# cp /path/to/ModSecurity-nginx_refactoring/modsecurity.conf-recommended /etc/nginx/modsecurity.conf
Now, in the server section, add something like the following:
server {
...
ModSecurityEnabled on;
ModSecurityConfig /etc/nginx/modsecurity.conf;
...
}
Remember that you can always disable ModSecurity for a particular location if you really want to. You can also enable ModSecurity only for a specific location, or use a different ModSec configuration file there.
ModSecurityEnabled off;
And that is it. For more information, see the SpiderLabs reference manual page.
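A quick audit of the finished setup, as an added example that is not part of the original post: it checks that the module was compiled in, lists every ModSecurityEnabled/ModSecurityConfig directive (so per-location overrides stand out), and reports the SecRuleEngine mode, since modsecurity.conf-recommended ships with SecRuleEngine DetectionOnly, which logs matches but blocks nothing. The function names and the sample files are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): audit the setup described above.

# True if the `nginx -V` text passed as $1 shows the ModSecurity --add-module.
nginx_built_with_modsec() {
    printf '%s\n' "$1" | grep -qiE -- '--add-module=[^ ]*modsecurity'
}

# Effective SecRuleEngine mode in a ModSecurity config file; the last
# uncommented directive wins. Prints "unset" when none is present.
modsec_engine_mode() {
    awk 'tolower($1) == "secruleengine" { m = $2 }
         END { print (m == "" ? "unset" : m) }' "$1"
}

# Every ModSecurityEnabled/ModSecurityConfig line with its line number, so
# per-location "off" overrides and alternate config files are visible.
modsec_nginx_directives() {
    grep -nE '^[[:space:]]*ModSecurity(Enabled|Config)[[:space:]]' "$1" |
        sed -E 's/:[[:space:]]+/: /; s/;[[:space:]]*$//'
}

# Exit status: 0 = enabled and blocking, 2 = enabled but log-only, 1 = broken.
modsec_audit() {
    local nginx_conf=$1 modsec_conf=$2 mode
    if ! grep -qE '^[[:space:]]*ModSecurityEnabled[[:space:]]+on[[:space:]]*;' "$nginx_conf"; then
        echo "FAIL: no 'ModSecurityEnabled on;' in $nginx_conf"; return 1
    fi
    mode=$(modsec_engine_mode "$modsec_conf")
    case "$mode" in
        On)            echo "OK: SecRuleEngine On (blocking)" ;;
        DetectionOnly) echo "WARN: SecRuleEngine DetectionOnly (logs, never blocks)"; return 2 ;;
        *)             echo "FAIL: SecRuleEngine is '$mode'"; return 1 ;;
    esac
}

# Constructed sample input; on a real host pass the files under /etc/nginx/
# and "$(nginx -V 2>&1)" instead.
demo=$(mktemp -d)
printf 'server {\n    ModSecurityEnabled on;\n    ModSecurityConfig /etc/nginx/modsecurity.conf;\n    location /static/ {\n        ModSecurityEnabled off;\n    }\n}\n' > "$demo/nginx.conf"
printf '# constructed sample\nSecRuleEngine DetectionOnly\n' > "$demo/modsecurity.conf"
nginx_built_with_modsec "--add-module=/path/to/ModSecurity-nginx_refactoring/nginx/modsecurity/" &&
    echo "OK: ModSecurity module compiled in"
modsec_nginx_directives "$demo/nginx.conf"
modsec_audit "$demo/nginx.conf" "$demo/modsecurity.conf" || true
rm -rf "$demo"
```

A WARN result means requests matching a rule are only written to the audit log; switch to SecRuleEngine On once the logged matches have been reviewed for false positives.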