NGINX Installation Instructions ModSecurity
This article provides instructions for installing the Dynamic ModSecurity module on the NGINX web server as a web application firewall (WAF). NGINX works in reverse proxy mode . Work done on the distribution of Linux - CentOS 7 . The module is set as “dynamic” so that the service remains flexible in configuration. Used official NGINX installation guide .
1. Pre-install components
For the service to work correctly, you need to install additional libraries to work. Libraries will be needed to build a project from source code. It is assumed that the user has updated the system ( # yum update ).
yum install install -y apt-utils autoconf automake build-essential git libcurl4-openssl-dev libgeoip-dev liblmdb-dev libpcre++-dev libtool libxml2-dev libyajl-dev pkgconf wget zlib1g-dev 2. Starting to install the service
In order that later there would be no problems with starting the service using the service nginx start command, the version from the official repository on GitHub is installed.
Create a file /etc/yum.repos.d/nginx.repo in which you want to add a version of the distribution. Without specifying the version of NGINX, the last one is pulled, which is launched on the site.
[nginx] name=nginx repo baseurl=http://nginx.org/packages/mainline/centos/7/$basearch/ gpgcheck=0 enabled=1 Next, just install
yum install nginx 3. Compile a module
To begin, go to the appropriate directory:
cd /home/user/Downloads Download the module from the main branch on GitHub:
git clone --depth 1 -b v3/master --single-branch https://github.com/SpiderLabs/ModSecurity.git Next, go to the folder with the firewall and compile the source code:
cd ModSecurity git submodule init git submodule update ./build.sh ./configure make make install 4. Installation of the connector
In order for the entire system to be flexible, a connector will be installed for connecting NGINX and ModSecurity . This means that the module will not be sewn into the server code, but will only be a dynamic component, which will allow it to be removed at any time, change the code, and so on.
git clone --depth 1 https://github.com/SpiderLabs/ModSecurity-nginx.git 5. Rebuilding the web server
In order for NGINX to work with the connector to which the module will be connected, you need to rebuild the server. To do this, first find out which version of NGINX is installed:
nginx –v The output should be something like this (depending on the version)
nginx version: nginx / 1.13.7
Next, from the official site, download the appropriate version so that there would be no error when starting the service and compile with a certain parameter:
cd .. wget http://nginx.org/download/nginx-1.13.7.tar.gz tar zxvf nginx-1.13.7.tar.gz cd nginx-1.13.7 ./configure --with-compat --add-dynamic-module=../ModSecurity-nginx make modules Next, copy the module file to the web service folder:
cp objs/ngx_http_modsecurity_module.so /etc/nginx/modules Before the first block in /etc/nginx/nginx.conf add:
load_module modules/ngx_http_modsecurity_module.so; 6. Module configuration file
Developers offer their basic rules for protecting a web resource. It should be noted that by setting them you should not count on a decent level, since the creators leave complete freedom of configuration and writing rules by the user, which limits them in adding basic rules to the standard configuration file.
mkdir /etc/nginx/modsec cd /etc/nginx/modsec sudo wget https://raw.githubusercontent.com/SpiderLabs/ModSecurity/v3/master/modsecurity.conf-recommended sudo mv modsecurity.conf-recommended modsecurity.conf In the modsecurity.conf file , replace SecRuleEngine DetectionOnly with SecRuleEngine On
Next, create the file /etc/nginx/modsec/main.conf and finish it into it:
# Include the recommended configuration Include /etc/nginx/modsec/modsecurity.conf 7. OWASP rules
It's no secret that OWASP is a web security leader. They have their own roll-set for this module, which, like the project, is open to users. Therefore, we will install it as a basic set of rules:
cd /usr/local wget https://github.com/SpiderLabs/owasp-modsecurity-crs/archive/v3.0.0.tar.gz tar -xzvf v3.0.0.tar.gz mv owasp-modsecurity-crs-3.0.0 /usr/local cd /usr/local/owasp-modsecurity-crs-3.0.0 cp crs-setup.conf.example crs-setup.conf Add the following to /etc/nginx/modsec/main.conf :
# OWASP CRS v3 rules Include /usr/local/owasp-modsecurity-crs-3.0.0/crs-setup.conf Include /usr/local/owasp-modsecurity-crs-3.0.0/rules/*.conf 8. Completion of work
Add to /etc/nginx/conf.d/proxy.conf file
server { listen 80; modsecurity on; modsecurity_rules_file /etc/nginx/modsec/main.conf; # If you have proxy location / { proxy_pass http://192.168.xx; } } 9. Functioning test
To check the components of a web service, just run it and view the errors. Often you will need to remove the rule that is responsible for checking where another module is used ( GeoIP , for example). Therefore, we can safely remove this rule.
rm /usr/local/owasp-modsecurity-crs-3.0.0/rules/REQUEST-910-IP-REPUTATION.conf Unicode error is also possible. In order for it not to interfere with the work of the service, simply comment it out in the configuration file ( at the end ).
#SecUnicodeMapFile unicode.mapping 20127 To test the server, use the curl utility. It will show whether the application returns. If everything is correct, you will receive an optet with the code 200 OK
curl -I 127.0.0.1 To test the protection mechanisms, you can use any dedicated utility. As recommendations, it is proposed to use nikto :
nikto -host localhost To start the server:
service nginx start Source: https://habr.com/ru/post/437032/