Nginx with ModSecurity

How to Install Nginx with ModSecurity v3.0

by

In this article, we are discussing about ModSecurity v3.0 and will show you how to install ModSecurity v3.0 for the Nginx web server. If you are new to ModSecurity, start by reading our article: What is ModSecurity, and why do we need it?

  • First we can look what’s new in ModSecurity 3.0
  • Redesigned to work natively with NGINX
  • Core functionality split off into libmodsecurity
  • A special NGINX connector integrates libmodsecurity with NGINX
    – Connector available for Apache
  • Previous ModSecurity 2.9 technically worked with NGINX but had poor performance and reliability

Installation Overview

Here I am providing step by step to setup NGINX with Mod Security for RHEL/CentOS, Debian & Ubuntu.We can start with installing build tools and prerequisites

In NGINX 1.11.5 and later, you can compile individual dynamic modules without compiling the complete NGINX binary. After covering the compilation process step by step, we’ll explain how to load the ModSecurity dynamic module into NGINX and run a basic test to make sure it’s working.

1.  Update the system

For RHEL/CentOS. Run the following command

# yum update -y

For Ubuntu/Debian

# apt-get update -y

2.  Install Prerequisite Packages

Run the following command, which is appropriate for a freshly installed Ubuntu/Debian system.

# apt-get install -y git build-essential libpcre3 libpcre3-dev libssl-dev libtool autoconf apache2-dev libxml2-dev libcurl4-openssl-dev automake pkgconf

For RHEL/CentOS.

# yum groupinstall -y "Development Tools"

# yum install -y httpd httpd-devel pcre pcre-devel libxml2 libxml2-devel curl curl-devel openssl openssl-devel

3. Download and compile libmodsecurity

Clone the GitHub repository

# git clone --depth 1 -b v3/master --single-branch https://github.com/SpiderLabs/ModSecurity

Now Compile the source code

# cd ModSecurity
# git submodule init
# git submodule update
# ./build.sh
# ./configure
# make
# make install

4. Compile Nginx

Download and unarchive the latest stable release of Nginx. Currently, this is Nginx 1.14.0:

# cd /usr/local/src
# wget https://nginx.org/download/nginx-1.14.0.tar.gz
# tar -zxvf nginx-1.14.0.tar.gz

a) First we need to create a dedicated nginx user and group for Nginx:

# groupadd -r nginx
# useradd -r -g nginx -s /sbin/nologin -M nginx

On CentOS/RHEL
b) then compile Nginx while enabling ModSecurity and SSL modules:

# cd nginx-1.14.0/
# ./configure --user=nginx --group=nginx --add-module=/usr/src/ModSecurity/nginx/modsecurity --with-http_ssl_module
# make
# make install

c) Modify the default user of Nginx using sed command.

# sed -i "s/#user  nobody;/user nginx nginx;/" /usr/local/nginx/conf/nginx.conf

On Ubuntu/Debian
b) There should be existing user www-data and the existing group www-data for Debian/Ubuntu systems
Then compile Nginx while enabling ModSecurity and SSL modules:

# cd nginx-1.14.0/
# ./configure --user=www-data --group=www-data --add-module=/usr/src/ModSecurity/nginx/modsecurity --with-http_ssl_module
# make
# make install

c ) Modify the default user of Nginx:

# sed -i "s/#user  nobody;/user www-data www-data;/" /usr/local/nginx/conf/nginx.conf

5. Configure ModSecurity with Nginx

a)

# vi /usr/local/nginx/conf/nginx.conf

Find the following segment within the http {} segment:

location / {
root html;
index index.html index.htm;
}

b ) Add the below lines into the location / {} segment:

ModSecurityEnabled on;
ModSecurityConfig modsec_includes.conf;
#proxy_pass http://localhost:8011;
#proxy_read_timeout 180s;

And should be:

location / {
ModSecurityEnabled on;
ModSecurityConfig modsec_includes.conf;
#proxy_pass http://localhost:8011;
#proxy_read_timeout 180s;
root html;
index index.html index.htm;
}

c ) Need to change the location of the default PID

pid /var/run/nginx.pid

d ) Save and quit:

:wq!

5.1 : Create a file named /usr/local/nginx/conf/modsec_includes.conf:

# vi /usr/local/nginx/conf/modsec_includes.conf & add below lines
include modsecurity.conf
include owasp-modsecurity-crs/crs-setup.conf
include owasp-modsecurity-crs/rules/*.conf

This will apply all of the OWASP ModSecurity Core Rules in the owasp-modsecurity-crs/rules/ directory.

5.2 Import ModSecurity configuration files

# cp /usr/src/ModSecurity/modsecurity.conf-recommended /usr/local/nginx/conf/modsecurity.conf
# cp /usr/src/ModSecurity/unicode.mapping /usr/local/nginx/conf/

5.3 Modify the /usr/local/nginx/conf/modsecurity.conf file:

# sed -i "s/SecRuleEngine DetectionOnly/SecRuleEngine On/" /usr/local/nginx/conf/modsecurity.conf
# sed -i "s/SecAuditLogType Serial/SecAuditLogType Concurrent/" /usr/local/nginx/conf/modsecurity.conf
# sed -i "s|SecAuditLog /var/log/modsec_audit.log|SecAuditLog /usr/local/nginx/logs/modsec_audit.log|" /usr/local/nginx/conf/modsecurity.conf

5.4 Add OWASP ModSecurity

# cd /usr/local/nginx/conf
# git clone https://github.com/SpiderLabs/owasp-modsecurity-crs.git
# cd owasp-modsecurity-crs
# mv crs-setup.conf.example crs-setup.conf
# cd rules
# mv REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf
# mv RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.example RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf

or
We can add a simple test rule by putting the following text in /etc/nginx/modsec/main.conf

# From https://github.com/SpiderLabs/ModSecurity/blob/master/\
# modsecurity.conf-recommended
# Edit to set SecRuleEngine On
Include "/etc/nginx/modsec/modsecurity.conf"
# Basic test rule
SecRule ARGS:testparam "@contains test" "id:1304,deny,status:403"

5.5 Allow Nginx to create Modsecurity logs in the Nginx log directory:

# chown nginx.root /usr/local/nginx/logs

You can start/stop/restart Nginx as follows:

# systemctl start nginx.service
# systemctl stop nginx.service
# systemctl restart nginx.service

6. Open Port 80 in order to get outside access :

a) On CentOS/RHEL:

# firewall-cmd --zone=public --permanent --add-service=http
# firewall-cmd --reload

b) On Debian 8:

# iptables -A INPUT -p tcp --dport 80 -j ACCEPT
# touch /etc/iptables
# iptables-save > /etc/iptables

c) On Ubuntu:

# ufw allow OpenSSH
# ufw allow 80
# ufw default deny
# ufw enable

That’s it.  Now its the time to test this Issue the following curl command. The 403 status code confirms that the rule is working.

# curl localhost?testparam=test
<html>
<head><title>403 Forbidden</title></head>
<body bgcolor="white">
<center><h1>403 Forbidden</h1></center>
<hr><center>nginx/1.14.0</center>
</body>
</html>

Conclusion

Hope this tutorial will help you compile and Install Nginx with Modsecurity v3.0. ModSecurity is one of the most trusted and well‑known names in application security.

Malware.Expert is also providing Modsecurity Rules which have advanced protection against malware attacks.

For more server security tips and tricks, click on subscribe.