How to Install Nginx with ModSecurity v3.0

ModSecurity is an open-source web application firewall (WAF) supported by different web servers: Apache, Nginx and IIS. Its open-source availability has made it one of the world's most popular web application firewalls. This application-layer firewall is developed by Trustwave's SpiderLabs and released under Apache License 2.0.

ModSecurity helps to protect your website from various attacks. It blocks commonly known exploits by means of regular expressions and rule sets, and it can potentially block common code injection attacks, which strengthens the security of the server. It also allows HTTP traffic monitoring, logging, real-time analysis, and attack detection.

This article discusses ModSecurity v3.0 and shows how to install it for the Nginx web server.

First, let's look at what's new in ModSecurity 3.0:

  • Redesigned to work natively with NGINX
  • Core functionality split off into libmodsecurity
  • A special NGINX connector integrates libmodsecurity with NGINX
    – Connector available for Apache
  • Previous ModSecurity 2.9 technically worked with NGINX but had poor performance and reliability

Installation Overview

This section gives step-by-step instructions for setting up NGINX with ModSecurity on RHEL/CentOS, Debian and Ubuntu. We start by installing the build tools and prerequisites.

In NGINX 1.11.5 and later, you can compile individual dynamic modules without compiling the complete NGINX binary. After covering the compilation process step by step, we’ll explain how to load the ModSecurity dynamic module into NGINX and run a basic test to make sure it’s working.

1.  Update the system

For RHEL/CentOS, run the following command:

# yum update -y

For Ubuntu/Debian

# apt-get update -y

2.  Install Prerequisite Packages

Run the following command, which is appropriate for a freshly installed Ubuntu/Debian system.

# apt-get install -y git build-essential libpcre3 libpcre3-dev libssl-dev libtool autoconf apache2-dev libxml2-dev libcurl4-openssl-dev automake pkgconf

For RHEL/CentOS.

# yum groupinstall -y "Development Tools"
# yum install -y httpd httpd-devel pcre pcre-devel libxml2 libxml2-devel curl curl-devel openssl openssl-devel

3. Download and compile libmodsecurity

Clone the GitHub repository into /usr/src, the location the later steps refer to:

# cd /usr/src
# git clone --depth 1 -b v3/master --single-branch https://github.com/SpiderLabs/ModSecurity

Now compile the source code:

# cd ModSecurity
# git submodule init
# git submodule update
# ./build.sh
# ./configure
# make
# make install

4. Compile Nginx

Download and unarchive the latest stable release of Nginx. Currently, this is Nginx 1.14.0:

# cd /usr/local/src
# wget https://nginx.org/download/nginx-1.14.0.tar.gz
# tar -zxvf nginx-1.14.0.tar.gz

a) First we need to create a dedicated nginx user and group for Nginx:

# groupadd -r nginx
# useradd -r -g nginx -s /sbin/nologin -M nginx

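On CentOS/RHEL

b) Then fetch the ModSecurity-nginx connector and compile Nginx with the ModSecurity and SSL modules enabled. The v3/master branch cloned in step 3 contains only libmodsecurity; the Nginx module lives in the separate connector repository:

# git clone --depth 1 https://github.com/SpiderLabs/ModSecurity-nginx /usr/src/ModSecurity-nginx
# cd nginx-1.14.0/
# ./configure --user=nginx --group=nginx --add-module=/usr/src/ModSecurity-nginx --with-http_ssl_module
# make
# make install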

c) Modify the default user of Nginx using sed command.

# sed -i "s/#user  nobody;/user nginx nginx;/" /usr/local/nginx/conf/nginx.conf

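On Ubuntu/Debian

b) The user www-data and the group www-data should already exist on Debian/Ubuntu systems. Fetch the ModSecurity-nginx connector and compile Nginx with the ModSecurity and SSL modules enabled. The v3/master branch cloned in step 3 contains only libmodsecurity; the Nginx module lives in the separate connector repository:

# git clone --depth 1 https://github.com/SpiderLabs/ModSecurity-nginx /usr/src/ModSecurity-nginx
# cd nginx-1.14.0/
# ./configure --user=www-data --group=www-data --add-module=/usr/src/ModSecurity-nginx --with-http_ssl_module
# make
# make install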

c) Modify the default user of Nginx:

# sed -i "s/#user  nobody;/user www-data www-data;/" /usr/local/nginx/conf/nginx.conf

5. Configure ModSecurity with Nginx

a) Open the Nginx configuration file:

# vi /usr/local/nginx/conf/nginx.conf

Find the following segment within the http {} segment:

location / {
    root html;
    index index.html index.htm;
}

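b) Add the lines below to the location / {} segment. These are the directives of the v3 Nginx connector; ModSecurityEnabled and ModSecurityConfig belong to the older 2.x standalone module and are not recognized by it:

modsecurity on;
modsecurity_rules_file /usr/local/nginx/conf/modsec_includes.conf;
#proxy_pass http://localhost:8011;
#proxy_read_timeout 180s;

The segment should then read:

location / {
    modsecurity on;
    modsecurity_rules_file /usr/local/nginx/conf/modsec_includes.conf;
    #proxy_pass http://localhost:8011;
    #proxy_read_timeout 180s;
    root html;
    index index.html index.htm;
}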

c) Change the location of the default PID file:

pid /var/run/nginx.pid;

d) Save and quit:

:wq!

5.1 Create a file named /usr/local/nginx/conf/modsec_includes.conf and add the lines below:

# vi /usr/local/nginx/conf/modsec_includes.conf

include modsecurity.conf
include owasp-modsecurity-crs/crs-setup.conf
include owasp-modsecurity-crs/rules/*.conf

This will apply all of the OWASP ModSecurity Core Rules in the owasp-modsecurity-crs/rules/ directory.

5.2 Import ModSecurity configuration files

# cp /usr/src/ModSecurity/modsecurity.conf-recommended /usr/local/nginx/conf/modsecurity.conf
# cp /usr/src/ModSecurity/unicode.mapping /usr/local/nginx/conf/

5.3 Modify the /usr/local/nginx/conf/modsecurity.conf file:

# sed -i "s/SecRuleEngine DetectionOnly/SecRuleEngine On/" /usr/local/nginx/conf/modsecurity.conf
# sed -i "s/SecAuditLogType Serial/SecAuditLogType Concurrent/" /usr/local/nginx/conf/modsecurity.conf
# sed -i "s|SecAuditLog /var/log/modsec_audit.log|SecAuditLog /usr/local/nginx/logs/modsec_audit.log|" /usr/local/nginx/conf/modsecurity.conf

5.4 Add the OWASP ModSecurity Core Rules

# cd /usr/local/nginx/conf
# git clone https://github.com/SpiderLabs/owasp-modsecurity-crs.git
# cd owasp-modsecurity-crs
# mv crs-setup.conf.example crs-setup.conf
# cd rules
# mv REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf
# mv RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.example RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf

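Alternatively, we can add a simple test rule by putting the following text in /etc/nginx/modsec/main.conf. For the rule to take effect, this file must be the rules file that the Nginx configuration loads.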

# From https://github.com/SpiderLabs/ModSecurity/blob/master/\
# modsecurity.conf-recommended
# Edit to set SecRuleEngine On
Include "/etc/nginx/modsec/modsecurity.conf"
# Basic test rule
SecRule ARGS:testparam "@contains test" "id:1304,deny,status:403"

5.5 Allow Nginx to create ModSecurity logs in the Nginx log directory (on Debian/Ubuntu, use www-data in place of nginx):

# chown nginx:root /usr/local/nginx/logs
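
A pre-flight check for the configuration steps above, added here as an example and not part of the original tutorial: sed -i reports nothing when its pattern fails to match, so this confirms that the rule engine really is set to On, that the audit log directory exists, and that every include line resolves to a file. The function names effective and modsec_preflight are illustrative, and resolving relative include paths against the configuration directory is an assumption.

```shell
#!/bin/sh
# Added example, not from the original tutorial.
# The default directory follows this tutorial's layout.

# Print the value of the last uncommented occurrence of DIRECTIVE in FILE.
effective() {
    awk -v d="$2" 'tolower($1) == tolower(d) { v = $2 } END { print v }' "$1"
}

# Return 0 only if the engine is blocking, the audit log directory exists,
# and every include line matches at least one file.
modsec_preflight() (
    conf="${1:-/usr/local/nginx/conf}"
    main="$conf/modsecurity.conf"
    inc="$conf/modsec_includes.conf"
    rc=0
    for f in "$main" "$inc" "$conf/unicode.mapping"; do
        [ -f "$f" ] || { echo "MISSING  $f"; rc=1; }
    done
    [ -f "$main" ] && [ -f "$inc" ] || exit 1

    val=$(effective "$main" SecRuleEngine)
    case "$val" in
        [Oo][Nn]) echo "OK       SecRuleEngine On" ;;
        *) echo "WARN     SecRuleEngine is '${val:-unset}': requests are not blocked"; rc=1 ;;
    esac

    val=$(effective "$main" SecAuditLog)
    if [ -n "$val" ] && [ -d "$(dirname "$val")" ]; then
        echo "OK       SecAuditLog $val"
    else
        echo "WARN     SecAuditLog '${val:-unset}': parent directory missing"
        rc=1
    fi

    # Assumption: relative include paths are resolved against CONF_DIR.
    while read -r kw pattern rest || [ -n "$kw" ]; do
        [ "$(printf '%s' "$kw" | tr 'A-Z' 'a-z')" = "include" ] || continue
        pattern=$(printf '%s' "$pattern" | tr -d '"')
        case "$pattern" in /*) ;; *) pattern="$conf/$pattern" ;; esac
        set -- $pattern    # unquoted on purpose so the shell expands the glob
        if [ -e "$1" ]; then echo "OK       include $pattern"
        else echo "MISSING  include $pattern matches no file"; rc=1; fi
    done < "$inc"
    exit "$rc"
)
```

Source the file and run modsec_preflight; a non-zero return means at least one check failed. /usr/local/nginx/sbin/nginx -t then validates the Nginx side of the configuration.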

You can start/stop/restart Nginx as follows:

# systemctl start nginx.service
# systemctl stop nginx.service
# systemctl restart nginx.service

6. Open port 80 to allow outside access:

a) On CentOS/RHEL:

# firewall-cmd --zone=public --permanent --add-service=http
# firewall-cmd --reload

b) On Debian 8:

# iptables -A INPUT -p tcp --dport 80 -j ACCEPT
# touch /etc/iptables
# iptables-save > /etc/iptables

c) On Ubuntu:

# ufw allow OpenSSH
# ufw allow 80
# ufw default deny
# ufw enable

That's it. Now it's time to test. Issue the following curl command; the 403 status code confirms that the rule is working.

# curl 'http://localhost/?testparam=test'
<html>
<head><title>403 Forbidden</title></head>
<body bgcolor="white">
<center><h1>403 Forbidden</h1></center>
<hr><center>nginx/1.14.0</center>
</body>
</html>

Conclusion

Hope this tutorial will help you compile and install Nginx with ModSecurity v3.0. ModSecurity is one of the most trusted and well-known names in application security.

Malware.Expert also provides ModSecurity rules with advanced protection against malware attacks.
