How to Install ModSecurity for Nginx on CentOS 7, Debian 8, and Ubuntu 16.04

I was only able to install it by following the instructions at https://github.com/SpiderLabs/ModSecurity/wiki/Compilation-recipes#centos-7-minimal

ModSecurity is an open source web application firewall (WAF) module that protects Apache, Nginx, and IIS from attacks targeting potential vulnerabilities in web applications.

In this article, we will install and configure ModSecurity for Nginx on CentOS 7, Debian 8, and Ubuntu 16.04.

Section 1. Prerequisites

  • An up-to-date installation of CentOS 7, Debian 8, or Ubuntu 16.04 64-bit.
  • Logging in as root.

Section 2. Step 1: Update the system

Following this guide, update your server’s kernel and packages to the latest available version.

Section 3. Step 2: Install dependencies

Before you can compile Nginx and ModSecurity successfully, you need to install several software packages as follows.

a) On CentOS 7:

b) On Debian 8 or Ubuntu 16.04:

Section 4. Step 3: Compile ModSecurity

Because several instabilities have been reported on the master branch of ModSecurity for Nginx, it is for now officially recommended to use the latest version of the nginx_refactoring branch whenever possible.

Download the nginx_refactoring branch of ModSecurity for Nginx:

Compile ModSecurity:

a) On CentOS 7:

Note: the two sed commands above are used to prevent warning messages when using newer automake versions.

b) On Debian 8 or Ubuntu 16.04:

## Step 4: Compile Nginx

Download and unarchive the latest stable release of Nginx, which is Nginx 1.10.3 at the time of writing:

a) On CentOS 7:

First, you need to create a dedicated user nginx and a dedicated group nginx for Nginx:

Then compile Nginx while enabling ModSecurity and SSL modules:

Modify the default user of Nginx:

b) On Debian 8 or Ubuntu 16.04:

First, you should use the existing user www-data and the existing group www-data.

Then compile Nginx while enabling ModSecurity and SSL modules:

Modify the default user of Nginx:

Once Nginx is successfully installed, the related files will be located at:

You can test the installation with:

If nothing goes wrong, the output should be:

For your convenience, you can set up a systemd unit file for Nginx:

Moving forward, you can start/stop/restart Nginx as follows:

Section 5. Step 4: Configure ModSecurity and Nginx

1) 4.1 Configure Nginx:

Find the following segment within the http {} segment:

Insert the below lines into the location / {} segment:

The final result should be:

Save and quit:

Note: The Nginx config above is only a sample config for using Nginx as a web server rather than a reverse proxy. If you are using Nginx as a reverse proxy, remove the # character in the last two lines and make appropriate modifications to them.

2) 4.2 Create a file named /usr/local/nginx/conf/modsec_includes.conf:

Note: The config above will apply all of the OWASP ModSecurity Core Rules in the owasp-modsecurity-crs/rules/ directory. If you want to apply selected rules only, remove the include owasp-modsecurity-crs/rules/*.conf line, and then specify the exact rules you need after step 4.5.

3) 4.3 Import ModSecurity configuration files:

4) 4.4 Modify the /usr/local/nginx/conf/modsecurity.conf file:

5) 4.5 Add OWASP ModSecurity CRS (Core Rule Set) files:

Section 6. Step 5: Test ModSecurity

Start Nginx:

Open port 80 in order to allow outside access:

a) On CentOS 7:

b) On Debian 8:

c) On Ubuntu 16.04:

Point your web browser to:

Use grep to fetch error messages as follows:

The output should include several error messages which are similar to:

That’s it. As you can see, the ModSecurity module has successfully logged this attack in accordance with its default action policy. If you want to customize the settings further, carefully review and edit the /usr/local/nginx/conf/modsecurity.conf and /usr/local/nginx/conf/owasp-modsecurity-crs/crs-setup.conf files.
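An added example (not part of the original article): a shell function that condenses the ModSecurity entries found by the grep step above into one line per rule id, so you can see which rules fire most often before tuning modsecurity.conf or crs-setup.conf. The sample log lines are constructed and simplified, and the log file is passed as an argument because its location depends on how Nginx was built.

```shell
#!/bin/sh
# Added example: summarise ModSecurity entries from an Nginx error log.
# Prints: count <TAB> rule id <TAB> severity <TAB> message, busiest rule first.

# Constructed, simplified sample lines (not output from the original page).
sample_log() {
cat <<'EOF'
2017/01/01 10:00:01 [error] 1234#0: [client 192.0.2.10] ModSecurity: Warning. detected XSS using libinjection. [id "941100"] [msg "XSS Attack Detected via libinjection"] [severity "CRITICAL"] [uri "/"]
2017/01/01 10:00:01 [error] 1234#0: [client 192.0.2.10] ModSecurity: Warning. Operator GE matched 5 at TX:anomaly_score. [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"] [uri "/"]
2017/01/01 10:00:07 [error] 1234#0: *7 open() "/usr/local/nginx/html/favicon.ico" failed (2: No such file or directory)
2017/01/01 10:02:30 [error] 1234#0: [client 192.0.2.44] ModSecurity: Warning. Pattern match at REQUEST_HEADERS:Host. [id "920350"] [msg "Host header is a numeric IP address"] [severity "WARNING"] [uri "/"]
2017/01/01 10:05:12 [error] 1234#0: [client 192.0.2.10] ModSecurity: Warning. detected XSS using libinjection. [id "941100"] [msg "XSS Attack Detected via libinjection"] [severity "CRITICAL"] [uri "/index.html"]
EOF
}

# Usage: modsec_summary [error-log-file]   (reads stdin when no file is given)
modsec_summary() {
    awk '
    # Return the value of a [key "value"] field, or "-" when it is absent.
    function field(line, key,    pat, s) {
        pat = "\\[" key " \"[^\"]*\"\\]"
        if (!match(line, pat)) return "-"
        s = substr(line, RSTART, RLENGTH)
        sub("^\\[" key " \"", "", s)
        sub("\"\\]$", "", s)
        return s
    }
    /ModSecurity: / {
        id = field($0, "id")
        if (id == "-") next            # entries without a rule id are skipped
        count[id]++
        sev[id] = field($0, "severity")
        msg[id] = field($0, "msg")
    }
    END {
        for (id in count)
            printf "%d\t%s\t%s\t%s\n", count[id], id, sev[id], msg[id]
    }' "$@" | sort -t "$(printf '\t')" -k1,1nr -k2,2n
}

# Run on the constructed sample when executed directly.
sample_log | modsec_summary
```

To use it on a real server, pass the path of your Nginx error log as the argument instead of piping in the sample.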
