Nginx - Modsecurity installation

Would you like to learn how to install the Nginx Modsecurity feature?  In this tutorial, we are going to configure the Nginx Modsecurity feature on a computer running Ubuntu Linux.

• Ubuntu 18
• Ubuntu 19
• Ubuntu 20
• Nginx 1.18.0
• ModSecurity 3.0.4

Nginx – Related Tutorial:

On this page, we offer quick access to a list of tutorials related to Nginx.

Tutorial Nginx – ModSecurity installation

Install the Nginx server.

1

apt-get update

2

apt-get install nginx

Install the required packages.

1

apt-get install bison build-essential ca-certificates curl dh-autoreconf doxygen flex gawk git iputils-ping libcurl4-gnutls-dev libexpat1-dev libgeoip-dev liblmdb-dev libpcre3-dev libpcre++-dev libssl-dev libtool libxml2 libxml2-dev libyajl-dev locales lua5.3-dev pkg-config wget zlib1g-dev zlibc

Install the software named SSDEP.

1

mkdir /downloads

2

cd /downloads

3

git clone https://github.com/ssdeep-project/ssdeep

4

cd ssdeep/

5

./bootstrap

6

./configure

7

make

8

make install

Download the latest version of ModSecurity.

1

cd /downloads

2

git clone https://github.com/SpiderLabs/ModSecurity 

3

cd ModSecurity 

4

git checkout -b v3/master origin/v3/master 

5

git submodule init 

6

git submodule update 

Compile and install ModSecurity.

1

sh build.sh 

2

./configure 

3

make

4

make install

Download the latest version of the Nginx connector for ModSecurity.

1

cd /downloads

2

git clone https://github.com/SpiderLabs/ModSecurity-nginx

Verify the version of Nginx installed on your system.

1

nginx -v

Here is the command output.

1

nginx version: nginx/1.18.0 (Ubuntu)

Download the source code of the same version of Nginx installed on your system.

1

cd /downloads

2

wget http://nginx.org/download/nginx-1.18.0.tar.gz

3

tar -zxvf nginx-1.18.0.tar.gz

Compile and install the Nginx connector.

1

cd nginx-1.18.0

2

./configure --with-compat --add-dynamic-module=../ModSecurity-nginx

3

make modules

4

cp objs/ngx_http_modsecurity_module.so /usr/share/nginx/modules/

Download and install the ModSecurity Core Rule Set.

1

cd /downloads

2

wget https://github.com/SpiderLabs/owasp-modsecurity-crs/archive/v3.2.0.tar.gz

3

tar -zxvf v3.2.0.tar.gz

4

mv owasp-modsecurity-crs-3.2.0 owasp-modsecurity-crs

5

mv owasp-modsecurity-crs/crs-setup.conf.example owasp-modsecurity-crs/crs-setup.conf

6

mv owasp-modsecurity-crs/rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example  owasp-modsecurity-crs/rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf

7

mv owasp-modsecurity-crs /usr/local/

Congratulations! You have finished the ModSecurity installation on the Nginx server.

Tutorial Nginx – ModSecurity configuration

Edit the Nginx configuration file.

1

vi /etc/nginx/nginx.conf

Add the following line in the Nginx configuration file.

1

load_module modules/ngx_http_modsecurity_module.so;

Here is the file before our configuration.

1

user www-data;

2

worker_processes auto;

3

pid /run/nginx.pid;

4

include /etc/nginx/modules-enabled/*.conf;

5

events {

6

        worker_connections 768;

7

}

8

http {

9

        sendfile on;

10

        tcp_nopush on;

11

        tcp_nodelay on;

12

        keepalive_timeout 65;

13

        types_hash_max_size 2048;

14

        include /etc/nginx/mime.types;

15

        default_type application/octet-stream;

16

        ssl_prefer_server_ciphers on;

17

        access_log /var/log/nginx/access.log;

18

        error_log /var/log/nginx/error.log;

19

        gzip on;

20

        include /etc/nginx/conf.d/*.conf;

21

        include /etc/nginx/sites-enabled/*;

22

}

Here is the file after our configuration.

1

user www-data;

2

worker_processes auto;

3

pid /run/nginx.pid;

4

load_module modules/ngx_http_modsecurity_module.so;

5

include /etc/nginx/modules-enabled/*.conf;

6

events {

7

        worker_connections 768;

8

}

9

http {

10

        sendfile on;

11

        tcp_nopush on;

12

        tcp_nodelay on;

13

        keepalive_timeout 65;

14

        types_hash_max_size 2048;

15

        include /etc/nginx/mime.types;

16

        default_type application/octet-stream;

17

        ssl_prefer_server_ciphers on;

18

        access_log /var/log/nginx/access.log;

19

        error_log /var/log/nginx/error.log;

20

        gzip on;

21

        include /etc/nginx/conf.d/*.conf;

22

        include /etc/nginx/sites-enabled/*;

23

}

Create a directory named Modsec and copy the required configuration files.

1

mkdir -p /etc/nginx/modsec

2

cp /downloads/ModSecurity/unicode.mapping /etc/nginx/modsec/

3

cp /downloads/ModSecurity/modsecurity.conf-recommended /etc/nginx/modsec/modsecurity.conf

Edit the ModSecurity configuration file.

1

vi /etc/nginx/modsec/modsecurity.conf

Locate the following lines.

1

SecRuleEngine DetectionOnly

2

SecAuditLog /var/log/modsec_audit.log

Change these lines to the following configuration.

1

SecRuleEngine On

2

SecAuditLog /var/log/nginx/modsec_audit.log

Here is the file after our configuration.

1

SecRuleEngine On

2

SecRequestBodyAccess On

3

SecRule REQUEST_HEADERS:Content-Type "(?:application(?:/soap\+|/)|text/)xml" \

4

     "id:'200000',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=XML"

5

SecRule REQUEST_HEADERS:Content-Type "application/json" \

6

     "id:'200001',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=JSON"

7

SecRequestBodyLimit 13107200

8

SecRequestBodyNoFilesLimit 131072

9

SecRequestBodyLimitAction Reject

10

SecRule REQBODY_ERROR "!@eq 0" \

11

"id:'200002', phase:2,t:none,log,deny,status:400,msg:'Failed to parse request body.',logdata:'%{reqbody_error_msg}',severity:2"

12

SecRule MULTIPART_STRICT_ERROR "!@eq 0" \

13

"id:'200003',phase:2,t:none,log,deny,status:400, \

14

msg:'Multipart request body failed strict validation: \

15

PE %{REQBODY_PROCESSOR_ERROR}, \

16

BQ %{MULTIPART_BOUNDARY_QUOTED}, \

17

BW %{MULTIPART_BOUNDARY_WHITESPACE}, \

18

DB %{MULTIPART_DATA_BEFORE}, \

19

DA %{MULTIPART_DATA_AFTER}, \

20

HF %{MULTIPART_HEADER_FOLDING}, \

21

LF %{MULTIPART_LF_LINE}, \

22

SM %{MULTIPART_MISSING_SEMICOLON}, \

23

IQ %{MULTIPART_INVALID_QUOTING}, \

24

IP %{MULTIPART_INVALID_PART}, \

25

IH %{MULTIPART_INVALID_HEADER_FOLDING}, \

26

FL %{MULTIPART_FILE_LIMIT_EXCEEDED}'"

27

SecRule MULTIPART_UNMATCHED_BOUNDARY "@eq 1" \

28

    "id:'200004',phase:2,t:none,log,deny,msg:'Multipart parser detected a possible unmatched boundary.'"

29

SecPcreMatchLimit 1000

30

SecPcreMatchLimitRecursion 1000

31

SecRule TX:/^MSC_/ "!@streq 0" \

32

        "id:'200005',phase:2,t:none,deny,msg:'ModSecurity internal error flagged: %{MATCHED_VAR_NAME}'"

33

SecResponseBodyAccess On

34

SecResponseBodyMimeType text/plain text/html text/xml

35

SecResponseBodyLimit 524288

36

SecResponseBodyLimitAction ProcessPartial

37

SecTmpDir /tmp/

38

SecDataDir /tmp/

39

SecAuditEngine RelevantOnly

40

SecAuditLogRelevantStatus "^(?:5|4(?!04))"

41

SecAuditLogParts ABIJDEFHZ

42

SecAuditLogType Serial

43

SecAuditLog /var/log/nginx/modsec_audit.log

44

SecArgumentSeparator &

45

SecCookieFormat 0

46

SecUnicodeMapFile unicode.mapping 20127

47

SecStatusEngine On

Create a file to enable ModSecurity to use the installed CRS rules.

1

vi /etc/nginx/modsec/main.conf

Here is the file content.

1

Include "/etc/nginx/modsec/modsecurity.conf"

2

Include "/usr/local/owasp-modsecurity-crs/crs-setup.conf"

3

Include "/usr/local/owasp-modsecurity-crs/rules/*.conf"

Edit the Nginx configuration file for the default website.

1

vi /etc/nginx/sites-available/default

Add the following line in the Nginx configuration file.

1

modsecurity on;

2

modsecurity_rules_file /etc/nginx/modsec/main.conf;

Here is the file before our configuration.

1

server {

2

        listen 80 default_server;

3

        listen [::]:80 default_server;

4

        root /var/www/html;

5

        index index.html index.htm index.nginx-debian.html;

6

        server_name _;

7

        location / {

8

                try_files $uri $uri/ =404;

9

        }

10

}

Here is the file after our configuration.

1

server {

2

        listen 80 default_server;

3

        listen [::]:80 default_server;

4

        modsecurity on;

5

        modsecurity_rules_file /etc/nginx/modsec/main.conf;

6

        root /var/www/html;

7

        index index.html index.htm index.nginx-debian.html;

8

        server_name _;

9

        location / {

10

                try_files $uri $uri/ =404;

11

        }

12

}

Restart the Nginx service.

1

service nginx restart

Optionally, use your browser to send a test request to the Nginx server.

After sending a test request, verify the ModSecurity log

1

tail -f /var/log/nginx/modsec_audit.log

Congratulations! You have finished the ModSecurity configuration on the Nginx server.

---

출처 URL : https://techexpert.tips/nginx/nginx-modsecurity-installation/

※위 포스팅이 문제있을 경우 삭제 처리하겠습니다.