Implementation of Nginx+ModSecurity security module deployment

1. Download
2. Deployment

1.Nginx deployment
2. ModSecurity deployment
3. Add ModSecurity module
4. Configure Nginx virtual host

To demonstrate the situation where Nginx is installed but ModSecurity is not added, the following operations are to install Nginx first and then add the ModSecurity module.

ModSecurity is an open source cross-platform Web Application Firewall (WAF) engine that is perfectly compatible with nginx. It is the WAF officially recommended by nginx and supports OWASP rules.

Chinese website: http://www.modsecurity.cn

For practical application, please refer to: http://www.modsecurity.cn/practice/

1. Download

1. Download Nginx

wget http://nginx.org/download/nginx-1.14.2.tar.gz

2. ModSecurity Download

wget http://www.modsecurity.cn/download/modsecurity/modsecurity-v3.0.4.tar.gz

2. Deployment

1.Nginx deployment

1.1 Installation Dependencies

yum install -y pcre* openssl* gcc c++ make

1.2 Compile and install the decompressed files

tar -xvf nginx-1.14.2.tar.gz 
cd nginx-1.14.2/

Configuration Module

./configure --prefix=/usr/local/nginx --sbin-path=/usr/local/nginx/sbin/nginx --conf-path=/usr/local/nginx/conf/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx/nginx.pid --lock-path=/var/lock/nginx.lock --user=nginx --group=nginx --with-http_ssl_module --with-http_stub_status_module --with-http_gzip_static_module --http-client-body-temp-path=/var/tmp/nginx/client/ --http-proxy-temp-path=/var/tmp/nginx/proxy/ --http-fastcgi-temp-path=/var/tmp/nginx/fcgi/ --http-uwsgi-temp-path=/var/tmp/nginx/uwsgi --http-scgi-temp-path=/var/tmp/nginx/scgi --with-pcre

Execute Compilation

make
make install

Create an account and directory

useradd nginx -s /sbin/nologin
mkdir /var/tmp/nginx/

2. ModSecurity deployment

2.1 Installation Dependencies

yum install -y gcc-c++ flex bison yajl yajl-devel curl-devel curl GeoIP-devel doxygen zlib-devel pcre-devel lmdb-devel libxml2-devel ssdeep-devel lua-devel libtool autoconf automake

2.2 Compile and install the decompressed files

tar -xvf modsecurity-v3.0.4.tar.gz
cd modsecurity-v3.0.4/

Compile and install

./configure
make
make install
cp modsecurity.conf-recommended /usr/local/modsecurity/modsecurity.conf
cp unicode.mapping /usr/local/modsecurity/

3. Add ModSecurity module

3.1 View Nginx compilation parameters

/usr/local/nginx/sbin/nginx -V

3.2 Download ModSecurity module

git clone https://github.com/SpiderLabs/ModSecurity-nginx.git

Or download from https://github.com/SpiderLabs/ModSecurity-nginx

3.3 Recompile Nginx

Decompression module

unzip ModSecurity-nginx-master.zip 
#Only when downloading the installation package, not required if it is git clone

Compile and install

./configure --prefix=/usr/local/nginx --sbin-path=/usr/local/nginx/sbin/nginx --conf-path=/usr/local/nginx/conf/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx/nginx.pid --lock-path=/var/lock/nginx.lock --user=nginx --group=nginx --with-http_ssl_module --with-http_stub_status_module --with-http_gzip_static_module --http-client-body-temp-path=/var/tmp/nginx/client/ --http-proxy-temp-path=/var/tmp/nginx/proxy/ --http-fastcgi-temp-path=/var/tmp/nginx/fcgi/ --http-uwsgi-temp-path=/var/tmp/nginx/uwsgi --http-scgi-temp-path=/var/tmp/nginx/scgi --with-pcre --add-module=../ModSecurity-nginx

 
#Note here/ModSecurity-nginx path make
make install

/usr/local/nginx/sbin/nginx -V #Check that the ModSecurity module is already available

Add a profile

mkdir /usr/local/nginx/conf/modsecurity
cp /usr/local/modsecurity/modsecurity.conf /usr/local/nginx/conf/modsecurity/
cp /usr/local/modsecurity/unicode.mapping /usr/local/nginx/conf/modsecurity/

4. Configure Nginx virtual host

4.1 Virtual Host Configuration

vim /usr/local/nginx/conf/nginx.conf
    modsecurity on;
    modsecurity_rules_file /usr/local/nginx/conf/modsecurity/modsecurity.conf;
    
 #Adding to the http node indicates global configuration, and adding to the server node indicates configuration for a specific website

4.2Modsecurity Configuration

vim /usr/local/nginx/conf/modsecurity/modsecurity.conf
#Change the following part SecRuleEngine On
SecAuditLogParts ABCDEFHZ

#Append to the configuration file Include /usr/local/nginx/conf/modsecurity/crs-setup.conf
Include /usr/local/nginx/conf/modsecurity/rules/*.conf

4.3 Download rule files

wget http://www.modsecurity.cn/download/corerule/owasp-modsecurity-crs-3.3-dev.zip
#ModsecurityChinese website download wget https://github.com/coreruleset/coreruleset
#github download

4.4 Configuration Rules

unzip owasp-modsecurity-crs-3.3-dev.zip 
cd owasp-modsecurity-crs-3.3-dev/

cp crs-setup.conf.example /usr/local/nginx/conf/modsecurity/crs-setup.conf
cp -r rules /usr/local/nginx/conf/modsecurity/

cd /usr/local/nginx/conf/modsecurity/rules
mv REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf
mv RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.example RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf

4.5 Testing

#Browser or curl access test, return 403
curl -I 'http://localhost/?id=1 AND 1=1'

This is the end of this article about the implementation of Nginx+ModSecurity security module deployment. For more relevant Nginx ModSecurity deployment content, please search for previous articles on 123WORDPRESS.COM or continue to browse the following related articles. I hope everyone will support 123WORDPRESS.COM in the future!

You may also be interested in:

How to deploy static pages using Nginx
Detailed explanation of how Nginx + Tomcat reverse proxy can efficiently deploy multiple sites on one server
Thinking and practice of front-end and back-end separation based on NodeJS (VI) Software stack deployment practice of Nginx + Node.js + Java
Detailed tutorial on how to deploy Springboot project using Nginx on the server (jar package)
Tutorial on deploying ThinkPHP project on Nginx
Solution to the problem of not finding js css files when deploying vue project with nginx

<<: How to handle super large form examples with Vue+ElementUI

>>: MySQL Series 13 MySQL Replication

The current better way to make select list all options when selected/focused

Implementation of Nginx+ModSecurity security module deployment

Table of contents

1. Download

2. Deployment

1.Nginx deployment

2. ModSecurity deployment

3. Add ModSecurity module

4. Configure Nginx virtual host

The current better way to make select list all options when selected/focused

Detailed explanation of CSS pre-compiled languages and their differences

A brief discussion on MySQL count of rows

Docker - Summary of 3 ways to modify container mount directories

Detailed explanation of MySQL database addition, deletion and modification operations

Detailed explanation of inline elements and block-level elements in commonly used HTML tags

Summary of block-level elements, inline elements, and variable elements

Data constraint examples based on MySQL database and introduction to five integrity constraints

Implementing calculator functions with WeChat applet

JavaScript Canvas implements Tic-Tac-Toe game

Recommend

Detailed explanation of the idea of implementing dynamic columns in angularjs loop object properties

Best way to replace the key in json object

Vue implements tree table through element tree control

Detailed explanation of data types and schema optimization in MySQL

H tags should be used reasonably in web page production

Learn more about using regular expressions in JavaScript

Is a design that complies with design specifications a good design?

In-depth analysis of MySQL 8.0 redo log

How to update v-for in Vue

Detailed discussion of MySQL stored procedures and stored functions

Detailed explanation of the usage of the ESCAPE keyword in MySQL

How to implement Hover drop-down menu with CSS

Simple summary of tomcat performance optimization methods

CSS3 realizes the childhood paper airplane

How to implement load balancing in MySQL