prerequisites

ModSecurity (libmodsecurity)

apt-get install -y apt-utils autoconf automake build-essential git libcurl4-openssl-dev libgeoip-dev liblmdb-dev ibpcre++-dev libtool libxml2-dev libyajl-dev pkgconf wget zlib1g-dev

clone libmodsecuirty

git clone --depth 1 -b v3/master --single-branch https://github.com/SpiderLabs/ModSecurity

Compile

cd ModSecurity
git submodule init
git submodule update
./build.sh
./configure
make
make install

Nginx connector

git clone --depth 1 https://github.com/SpiderLabs/ModSecurity-nginx.git

$ nginx -v

download nginx source code -->

cd nginx-1.xxxx
./configure --with-compat --add-dynamic-module=../ModSecurity-nginx
make modules
cp objs/ngx_http_modsecurity_module.so /etc/nginx/modules

configuration

add line to /etc/nginx/nginx.conf

load_module "modules/ngx_http_modsecurity_module.so";

configure modsecurity

1. recommended ModSecurity configuration

   mkdir /etc/nginx/modsec
   wget -P /etc/nginx/modsec/ https://raw.githubusercontent.com/SpiderLabs/ModSecurity/master/modsecurity.conf-recommended
   mv /etc/nginx/modsec/modsecurity.conf-recommended /etc/nginx/modsec/modsecurity.conf
   

2. change from detetion only mode to actively dropping traffic

   sed -i 's/SecRuleEngine DetectionOnly/SecRuleEngine On/' /etc/nginx/modsec/modsecurity.conf
   

3. put following text in /etc/nginx/modsec/main.conf

   # Edit to set SecRuleENgine On
   Include "/etc/nginx/modsec/modsecurity.conf"
   
   # basic test rule
   SecRule ARGS:testparam "@contains test" "id:1234,deny,status:403"
   

4. Final nginx config

5. Enable modsec in config

   server {
     # ....
     modsecurity on;
     modsecurity_rules_file /etc/nginx/modsec/main.conf;
   }
   

6. reload

   nginx -t && nginx -s reload
   

7. Test

   curl localhost?testparam=test
   

more info: https://www.nginx.com/blog/modsecurity-logging-and-debugging/ & ModSecurity 3.0 and NGINX: Getting Started

Should read next: deploy the OWSAP core ruleset (CRS)

SecRemoveRuleById