Implementation of Nginx+ModSecurity security module deployment

This walkthrough covers the common case where Nginx is already installed without ModSecurity: Nginx is installed first, and the ModSecurity module is compiled in afterwards.

ModSecurity is an open-source, cross-platform Web Application Firewall (WAF) engine that is fully compatible with nginx. It is the WAF officially recommended by nginx and supports the OWASP Core Rule Set (CRS).

Chinese website: http://www.modsecurity.cn

For practical application, please refer to: http://www.modsecurity.cn/practice/

1. Download

1. Download Nginx

wget http://nginx.org/download/nginx-1.14.2.tar.gz

2. Download ModSecurity

wget http://www.modsecurity.cn/download/modsecurity/modsecurity-v3.0.4.tar.gz

2. Deployment

1. Nginx deployment

1.1 Installation Dependencies

yum install -y pcre pcre-devel openssl openssl-devel gcc gcc-c++ make

1.2 Unpack, configure, compile and install

tar -xvf nginx-1.14.2.tar.gz
cd nginx-1.14.2/

Configure the build (install paths and modules)

./configure --prefix=/usr/local/nginx --sbin-path=/usr/local/nginx/sbin/nginx --conf-path=/usr/local/nginx/conf/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx/nginx.pid --lock-path=/var/lock/nginx.lock --user=nginx --group=nginx --with-http_ssl_module --with-http_stub_status_module --with-http_gzip_static_module --http-client-body-temp-path=/var/tmp/nginx/client/ --http-proxy-temp-path=/var/tmp/nginx/proxy/ --http-fastcgi-temp-path=/var/tmp/nginx/fcgi/ --http-uwsgi-temp-path=/var/tmp/nginx/uwsgi --http-scgi-temp-path=/var/tmp/nginx/scgi --with-pcre

Compile and install

make
make install

Create the service account and runtime directories

useradd nginx -s /sbin/nologin
mkdir -p /var/tmp/nginx /var/run/nginx
# nginx creates the temp subdirectories under /var/tmp/nginx itself at startup,
# but the directory holding the pid file (/var/run/nginx) must already exist

2. ModSecurity deployment

2.1 Installation Dependencies

yum install -y gcc-c++ flex bison yajl yajl-devel curl-devel curl GeoIP-devel doxygen zlib-devel pcre-devel lmdb-devel libxml2-devel ssdeep-devel lua-devel libtool autoconf automake

2.2 Unpack, compile and install

tar -xvf modsecurity-v3.0.4.tar.gz
cd modsecurity-v3.0.4/

Compile and install

./configure   # the default install prefix is /usr/local/modsecurity
make
make install
cp modsecurity.conf-recommended /usr/local/modsecurity/modsecurity.conf
cp unicode.mapping /usr/local/modsecurity/

3. Add ModSecurity module

3.1 View Nginx compilation parameters

/usr/local/nginx/sbin/nginx -V

3.2 Download ModSecurity module

git clone https://github.com/SpiderLabs/ModSecurity-nginx.git

Or download the source archive from https://github.com/SpiderLabs/ModSecurity-nginx (the zip unpacks into a ModSecurity-nginx-master directory)

3.3 Recompile Nginx

Unpack the module

unzip ModSecurity-nginx-master.zip
# Only needed when you downloaded the archive; skip this step if you used git clone

Compile and install

# Run from the nginx-1.14.2 source directory, with the same options shown by nginx -V
./configure --prefix=/usr/local/nginx --sbin-path=/usr/local/nginx/sbin/nginx --conf-path=/usr/local/nginx/conf/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx/nginx.pid --lock-path=/var/lock/nginx.lock --user=nginx --group=nginx --with-http_ssl_module --with-http_stub_status_module --with-http_gzip_static_module --http-client-body-temp-path=/var/tmp/nginx/client/ --http-proxy-temp-path=/var/tmp/nginx/proxy/ --http-fastcgi-temp-path=/var/tmp/nginx/fcgi/ --http-uwsgi-temp-path=/var/tmp/nginx/uwsgi --http-scgi-temp-path=/var/tmp/nginx/scgi --with-pcre --add-module=../ModSecurity-nginx

# Note: --add-module must point at the unpacked ModSecurity-nginx directory
# (../ModSecurity-nginx-master if you used the zip archive)
make
make install   # replaces the installed binary; an existing nginx.conf is left untouched

/usr/local/nginx/sbin/nginx -V   # the configure arguments should now include --add-module=../ModSecurity-nginx

Add the configuration files

mkdir /usr/local/nginx/conf/modsecurity
cp /usr/local/modsecurity/modsecurity.conf /usr/local/nginx/conf/modsecurity/
cp /usr/local/modsecurity/unicode.mapping /usr/local/nginx/conf/modsecurity/

4. Configure Nginx virtual host

4.1 Virtual Host Configuration

vim /usr/local/nginx/conf/nginx.conf
    modsecurity on;
    modsecurity_rules_file /usr/local/nginx/conf/modsecurity/modsecurity.conf;

# Placed in the http block these directives apply to every site; placed in a server block they apply to that site only

4.2 ModSecurity Configuration

vim /usr/local/nginx/conf/modsecurity/modsecurity.conf
# Change the following lines (the recommended file ships with the engine in DetectionOnly mode)
SecRuleEngine On
SecAuditLogParts ABCDEFHZ

# Append the following lines to the end of the configuration file
Include /usr/local/nginx/conf/modsecurity/crs-setup.conf
Include /usr/local/nginx/conf/modsecurity/rules/*.conf

4.3 Download rule files

wget http://www.modsecurity.cn/download/corerule/owasp-modsecurity-crs-3.3-dev.zip
# Download from the ModSecurity Chinese website, or clone the rule set from GitHub instead:
# git clone https://github.com/coreruleset/coreruleset

4.4 Configuration Rules

unzip owasp-modsecurity-crs-3.3-dev.zip
cd owasp-modsecurity-crs-3.3-dev/

cp crs-setup.conf.example /usr/local/nginx/conf/modsecurity/crs-setup.conf
cp -r rules /usr/local/nginx/conf/modsecurity/

cd /usr/local/nginx/conf/modsecurity/rules
mv REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf
mv RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.example RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf

4.5 Testing

# Test from a browser or with curl; the request should be rejected with 403
curl -I 'http://localhost/?id=1 AND 1=1'
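A post-deployment check script covering steps 3.3 through 4.5, added here as an example (it is not from the original article). It assumes the article's install paths and the default SecAuditLog location from modsecurity.conf-recommended; the functions take their input as arguments so they can be pointed at other files.

```shell
#!/bin/sh
# Added example, not part of the original article: post-deployment checks for
# the Nginx + ModSecurity layout built above. Paths are the article's; each
# function takes its input as an argument so it can be pointed elsewhere.

NGINX_BIN=/usr/local/nginx/sbin/nginx
MODSEC_CONF=/usr/local/nginx/conf/modsecurity/modsecurity.conf
AUDIT_LOG=/var/log/modsec_audit.log  # SecAuditLog default in modsecurity.conf-recommended

# has_modsec_module: given the text of `nginx -V`, succeed if the connector
# was compiled in (the check step 3.3 asks you to make by eye).
has_modsec_module() {
    printf '%s\n' "$1" | grep -q -- '--add-module=[^ ]*ModSecurity-nginx'
}

# rule_engine_mode: effective SecRuleEngine value in a modsecurity.conf.
# Comment lines never match ('#' starts their first field); the last uncommented directive wins.
rule_engine_mode() {
    awk '$1 == "SecRuleEngine" { mode = $2 } END { print mode }' "$1"
}

# crs_included: succeed only if both CRS includes from step 4.2 are present.
crs_included() {
    grep -Eq '^[[:space:]]*Include[[:space:]]+.*crs-setup\.conf' "$1" &&
    grep -Eq '^[[:space:]]*Include[[:space:]]+.*rules/\*\.conf' "$1"
}

# blocked_status: HTTP status of the step 4.5 probe. The payload is sent
# URL-encoded so the request line is valid and the WAF, not nginx's HTTP
# parser, is what rejects it.
blocked_status() {
    curl -s -o /dev/null -w '%{http_code}' -G --data-urlencode 'id=1 AND 1=1' "$1"
}

# audit_rule_ids: unique rule ids from the H part (rule messages) of a serial
# ModSecurity audit log; SecAuditLogParts ABCDEFHZ keeps that part enabled.
audit_rule_ids() {
    awk '/^-+[0-9A-Za-z]+-+H--$/ { in_h = 1; next }
         /^-+[0-9A-Za-z]+-+Z--$/ { in_h = 0 }
         in_h && match($0, /\[id "[0-9]+"\]/) { print substr($0, RSTART + 5, RLENGTH - 7) }' "$1" | sort -u
}

# Live checks run only on request, so the functions can be sourced by a test.
if [ "${1:-}" = "--check" ]; then
    has_modsec_module "$("$NGINX_BIN" -V 2>&1)" || { echo "ModSecurity-nginx not compiled in"; exit 1; }
    [ "$(rule_engine_mode "$MODSEC_CONF")" = "On" ] || { echo "SecRuleEngine is not On"; exit 1; }
    crs_included "$MODSEC_CONF" || { echo "CRS includes missing"; exit 1; }
    [ "$(blocked_status http://localhost/)" = "403" ] || { echo "probe not blocked"; exit 1; }
    echo "rules that have fired:"; audit_rule_ids "$AUDIT_LOG"
fi
```

Run it as `sh check.sh --check` on the server after step 4.5; a non-zero exit names the first check that failed.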
