ModSecurity & nginx


ModSecurity (libmodsecurity)

build dependencies (Debian/Ubuntu package names):

apt-get install -y apt-utils autoconf automake build-essential git libcurl4-openssl-dev libgeoip-dev liblmdb-dev libpcre++-dev libtool libxml2-dev libyajl-dev pkgconf wget zlib1g-dev

clone libmodsecurity (the v3 branch; v2 is the Apache module and does not work with the nginx connector)

git clone --depth 1 -b v3/master --single-branch https://github.com/SpiderLabs/ModSecurity

cd ModSecurity
git submodule init
git submodule update
./build.sh
./configure
make
make install

Nginx connector

git clone --depth 1 https://github.com/SpiderLabs/ModSecurity-nginx

$ nginx -v    # prints the installed version; the module must be built from that exact version's source

download the nginx source tarball for exactly that version from nginx.org/download and unpack it next to ModSecurity-nginx, then build only the dynamic module:

cd nginx-1.xxxx
./configure --with-compat --add-dynamic-module=../ModSecurity-nginx
make modules
cp objs/ngx_http_modsecurity_module.so /etc/nginx/modules


add this line at the top level of /etc/nginx/nginx.conf (main context, before the events/http blocks; a relative path is resolved against the nginx prefix, /etc/nginx for the nginx.org packages, otherwise use an absolute path):

load_module "modules/ngx_http_modsecurity_module.so";

configure modsecurity

  1. start from the recommended ModSecurity configuration

    mkdir -p /etc/nginx/modsec
    wget -P /etc/nginx/modsec/ https://raw.githubusercontent.com/SpiderLabs/ModSecurity/v3/master/modsecurity.conf-recommended
    mv /etc/nginx/modsec/modsecurity.conf-recommended /etc/nginx/modsec/modsecurity.conf
  2. switch from detection-only mode (matches are only logged) to actively dropping traffic

    sed -i 's/SecRuleEngine DetectionOnly/SecRuleEngine On/' /etc/nginx/modsec/modsecurity.conf
  3. put the following text in /etc/nginx/modsec/main.conf

    # Edited above to set SecRuleEngine On
    Include "/etc/nginx/modsec/modsecurity.conf"
    # basic test rule: deny any request whose testparam argument contains "test"
    # (remove it once real rules such as the CRS are in place)
    SecRule ARGS:testparam "@contains test" "id:1234,deny,status:403"
  4. enable modsec in the nginx config (the directives are valid in http, server or location context)

    server {
      # ....
      modsecurity on;
      modsecurity_rules_file /etc/nginx/modsec/main.conf;
    }
  5. check the config and reload

    nginx -t && nginx -s reload
  6. test: the first request must come back 403, a harmless value must still get the normal response

    curl -s -o /dev/null -w '%{http_code}\n' 'http://localhost/?testparam=test'
    curl -s -o /dev/null -w '%{http_code}\n' 'http://localhost/?testparam=hello'
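The whole procedure above, build through smoke test, collected into one script. This is an added example written for this note, not tooling shipped by ModSecurity or NGINX. It assumes the upstream repositories are SpiderLabs/ModSecurity (branch v3/master) and SpiderLabs/ModSecurity-nginx on GitHub, that the nginx source tarball comes from nginx.org/download, and that nginx logs to /var/log/nginx/error.log; the helper functions nginx_version_from_banner and nginx_has_compat are this example's own. Beyond the steps in the note it adds the check that the installed nginx was itself built --with-compat (otherwise nginx rejects the separately built module as not binary compatible) and a smoke test that verifies blocking, not just loading.

```shell
#!/bin/sh
# Added example for this note: end-to-end libmodsecurity + ModSecurity-nginx
# build and deploy. Not upstream tooling from ModSecurity or NGINX.
# Assumptions (not stated in the note): repo URLs below, nginx tarballs from
# nginx.org/download, error log at /var/log/nginx/error.log.
# Usage as root:  sh modsec-nginx.sh run   (no argument: only defines functions)
set -eu

SRC=${SRC:-/usr/local/src}
MODSEC=/etc/nginx/modsec
MODSEC_REPO=https://github.com/SpiderLabs/ModSecurity
CONNECTOR_REPO=https://github.com/SpiderLabs/ModSecurity-nginx
CONF_URL=https://raw.githubusercontent.com/SpiderLabs/ModSecurity/v3/master/modsecurity.conf-recommended

# "nginx version: nginx/1.24.0 (Ubuntu)" -> "1.24.0". The module must be built
# against the source of exactly the version that is running.
nginx_version_from_banner() {
    printf '%s\n' "$1" | sed -n 's#^nginx version: nginx/\([0-9][0-9.]*\).*#\1#p'
}

# A dynamic module built elsewhere only loads if the running nginx was itself
# configured --with-compat; otherwise nginx refuses it as "not binary compatible".
# $1 is the output of `nginx -V 2>&1`.
nginx_has_compat() {
    printf '%s\n' "$1" | grep -qE '(^|[[:space:]])--with-compat([[:space:]]|$)'
}

build_libmodsecurity() {
    cd "$SRC"
    [ -d ModSecurity ] || git clone --depth 1 -b v3/master --single-branch "$MODSEC_REPO"
    cd ModSecurity
    git submodule init && git submodule update
    ./build.sh && ./configure && make && make install
}

build_connector() {
    ver=$1
    cd "$SRC"
    [ -d ModSecurity-nginx ] || git clone --depth 1 "$CONNECTOR_REPO"
    [ -d "nginx-$ver" ] || {
        wget -q "https://nginx.org/download/nginx-$ver.tar.gz"
        tar xzf "nginx-$ver.tar.gz"
    }
    cd "nginx-$ver"
    ./configure --with-compat --add-dynamic-module=../ModSecurity-nginx
    make modules
    install -d /etc/nginx/modules
    install -m 644 objs/ngx_http_modsecurity_module.so /etc/nginx/modules/
}

configure_modsecurity() {
    mkdir -p "$MODSEC"
    [ -f "$MODSEC/modsecurity.conf" ] || wget -qO "$MODSEC/modsecurity.conf" "$CONF_URL"
    # Blocking mode instead of the shipped default DetectionOnly.
    sed -i 's/^SecRuleEngine DetectionOnly/SecRuleEngine On/' "$MODSEC/modsecurity.conf"
    cat > "$MODSEC/main.conf" <<'EOF'
Include "/etc/nginx/modsec/modsecurity.conf"
# Smoke-test rule only; remove it once the CRS is deployed.
SecRule ARGS:testparam "@contains test" "id:1234,phase:2,deny,status:403,msg:'modsec smoke test'"
EOF
}

# Expect 403 for the trigger and 200 for a benign value. 200/200 means the
# module is loaded but not enforcing (SecRuleEngine, or directives missing).
smoke_test() {
    blocked=$(curl -s -o /dev/null -w '%{http_code}' 'http://localhost/?testparam=test')
    allowed=$(curl -s -o /dev/null -w '%{http_code}' 'http://localhost/?testparam=hello')
    [ "$blocked" = 403 ] && [ "$allowed" = 200 ] || {
        echo "smoke test failed: trigger=$blocked benign=$allowed" >&2
        grep ModSecurity /var/log/nginx/error.log | tail -n 5 >&2 || true
        return 1
    }
    echo "ModSecurity is enforcing (403 on trigger, 200 on benign request)"
}

main() {
    ver=$(nginx_version_from_banner "$(nginx -v 2>&1)")
    nginx_has_compat "$(nginx -V 2>&1)" || { echo "installed nginx lacks --with-compat" >&2; exit 1; }
    build_libmodsecurity
    build_connector "$ver"
    configure_modsecurity
    # load_module and the modsecurity on / modsecurity_rules_file directives are
    # still added by hand as in the steps above; refuse to continue without them.
    grep -q ngx_http_modsecurity_module /etc/nginx/nginx.conf || {
        echo "add the load_module line to /etc/nginx/nginx.conf first" >&2; exit 1; }
    nginx -t && nginx -s reload
    smoke_test
}

case "${1:-}" in run) main ;; esac
```

Without the `run` argument the file only defines its functions, so the two pure helpers can be exercised on captured `nginx -v` / `nginx -V` output before touching a box. The module is rebuilt whenever the nginx package is upgraded to a new version, since the check in main() will otherwise build against the old unpacked source.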

:memo: more info: "ModSecurity 3.0 and NGINX: Getting Started" (NGINX blog)

:goal_net: Should read next: deploy the OWASP Core Rule Set (CRS); the single test rule above is only a smoke test, not protection