Implementation of Nginx+ModSecurity security module deployment

To demonstrate adding ModSecurity to an Nginx installation that was built without it, the steps below install Nginx first and then add the ModSecurity module.

ModSecurity is an open source cross-platform Web Application Firewall (WAF) engine that is perfectly compatible with nginx. It is the WAF officially recommended by nginx and supports OWASP rules.

Chinese website: http://www.modsecurity.cn

For practical application, please refer to: http://www.modsecurity.cn/practice/

1. Download

1. Download Nginx

wget http://nginx.org/download/nginx-1.14.2.tar.gz

2. Download ModSecurity

wget http://www.modsecurity.cn/download/modsecurity/modsecurity-v3.0.4.tar.gz

2. Deployment

1. Nginx deployment

1.1 Install dependencies

yum install -y pcre* openssl* gcc gcc-c++ make

1.2 Extract, compile and install

tar -xvf nginx-1.14.2.tar.gz 
cd nginx-1.14.2/

Configure the build

./configure --prefix=/usr/local/nginx --sbin-path=/usr/local/nginx/sbin/nginx --conf-path=/usr/local/nginx/conf/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx/nginx.pid --lock-path=/var/lock/nginx.lock --user=nginx --group=nginx --with-http_ssl_module --with-http_stub_status_module --with-http_gzip_static_module --http-client-body-temp-path=/var/tmp/nginx/client/ --http-proxy-temp-path=/var/tmp/nginx/proxy/ --http-fastcgi-temp-path=/var/tmp/nginx/fcgi/ --http-uwsgi-temp-path=/var/tmp/nginx/uwsgi --http-scgi-temp-path=/var/tmp/nginx/scgi --with-pcre

Compile and install

make
make install

Create an account and directory

useradd nginx -s /sbin/nologin
mkdir /var/tmp/nginx/

2. ModSecurity deployment

2.1 Install dependencies

yum install -y gcc-c++ flex bison yajl yajl-devel curl-devel curl GeoIP-devel doxygen zlib-devel pcre-devel lmdb-devel libxml2-devel ssdeep-devel lua-devel libtool autoconf automake

2.2 Extract, compile and install

tar -xvf modsecurity-v3.0.4.tar.gz
cd modsecurity-v3.0.4/

Compile and install

./configure
make
make install
cp modsecurity.conf-recommended /usr/local/modsecurity/modsecurity.conf
cp unicode.mapping /usr/local/modsecurity/

3. Add ModSecurity module

3.1 View Nginx compilation parameters

/usr/local/nginx/sbin/nginx -V

3.2 Download ModSecurity module

git clone https://github.com/SpiderLabs/ModSecurity-nginx.git

Or download the zip archive from https://github.com/SpiderLabs/ModSecurity-nginx

3.3 Recompile Nginx

Extract the module

unzip ModSecurity-nginx-master.zip
#Only needed if you downloaded the zip archive; not required after git clone

Compile and install

./configure --prefix=/usr/local/nginx --sbin-path=/usr/local/nginx/sbin/nginx --conf-path=/usr/local/nginx/conf/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx/nginx.pid --lock-path=/var/lock/nginx.lock --user=nginx --group=nginx --with-http_ssl_module --with-http_stub_status_module --with-http_gzip_static_module --http-client-body-temp-path=/var/tmp/nginx/client/ --http-proxy-temp-path=/var/tmp/nginx/proxy/ --http-fastcgi-temp-path=/var/tmp/nginx/fcgi/ --http-uwsgi-temp-path=/var/tmp/nginx/uwsgi --http-scgi-temp-path=/var/tmp/nginx/scgi --with-pcre --add-module=../ModSecurity-nginx

 
#Note the ../ModSecurity-nginx path here
make
make install

/usr/local/nginx/sbin/nginx -V #Check that the ModSecurity module is now included

Add the configuration files

mkdir /usr/local/nginx/conf/modsecurity
cp /usr/local/modsecurity/modsecurity.conf /usr/local/nginx/conf/modsecurity/
cp /usr/local/modsecurity/unicode.mapping /usr/local/nginx/conf/modsecurity/

4. Configure Nginx virtual host

4.1 Virtual Host Configuration

vim /usr/local/nginx/conf/nginx.conf

    modsecurity on;
    modsecurity_rules_file /usr/local/nginx/conf/modsecurity/modsecurity.conf;

#Adding these directives to the http block applies them globally; adding them to a server block applies them to that site only

4.2 ModSecurity configuration

vim /usr/local/nginx/conf/modsecurity/modsecurity.conf

#Change the following settings
SecRuleEngine On
SecAuditLogParts ABCDEFHZ

#Append to the end of the configuration file
Include /usr/local/nginx/conf/modsecurity/crs-setup.conf
Include /usr/local/nginx/conf/modsecurity/rules/*.conf

4.3 Download rule files

#Download from the ModSecurity Chinese website
wget http://www.modsecurity.cn/download/corerule/owasp-modsecurity-crs-3.3-dev.zip
#Or get the rules from GitHub
git clone https://github.com/coreruleset/coreruleset.git

4.4 Configuration Rules

unzip owasp-modsecurity-crs-3.3-dev.zip 
cd owasp-modsecurity-crs-3.3-dev/

cp crs-setup.conf.example /usr/local/nginx/conf/modsecurity/crs-setup.conf
cp -r rules /usr/local/nginx/conf/modsecurity/

cd /usr/local/nginx/conf/modsecurity/rules
mv REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf
mv RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.example RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf

4.5 Testing

#Test from a browser or with curl; the request should return 403
curl -I 'http://localhost/?id=1 AND 1=1'
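
If the test does not return 403, the usual cause is a missed edit from section 4.2. The script below is an added example, not part of the original article: a hypothetical helper, audit_modsec_conf, that checks a modsecurity.conf for the engine setting, for both Include lines and their order, and for rule files that actually exist on disk. It assumes the directives are set in this one file and that paths contain no spaces.

```shell
#!/bin/sh
# Added example, not the article's code. audit_modsec_conf is a hypothetical
# helper: it reads one modsecurity.conf and returns the number of problems.
audit_modsec_conf() {
    conf=$1; problems=0
    [ -r "$conf" ] || { echo "cannot read $conf"; return 1; }

    # Last uncommented SecRuleEngine line in this file (assumption: no
    # included file overrides it afterwards).
    engine=$(awk '$1 == "SecRuleEngine" { v = $2 } END { print v }' "$conf")
    if [ "$engine" != "On" ]; then
        echo "SecRuleEngine is '${engine:-unset}': requests will not be blocked"
        problems=$((problems + 1))
    fi

    # Line numbers of the two Include directives from section 4.2, plus the glob.
    setup=$(awk '$1 == "Include" && $2 ~ /crs-setup[.]conf$/ { print NR; exit }' "$conf")
    rules=$(awk '$1 == "Include" && index($2, "/rules/*.conf") { print NR; exit }' "$conf")
    glob=$(awk '$1 == "Include" && index($2, "/rules/*.conf") { print $2; exit }' "$conf")

    if [ -z "$setup" ]; then
        echo "crs-setup.conf is not included"; problems=$((problems + 1))
    fi
    if [ -z "$rules" ]; then
        echo "rules/*.conf is not included"; problems=$((problems + 1))
    elif [ -n "$setup" ] && [ "$setup" -gt "$rules" ]; then
        echo "crs-setup.conf must be included before rules/*.conf"
        problems=$((problems + 1))
    fi

    # The Include glob must match at least one rule file on disk.
    if [ -n "$glob" ]; then
        set -- $glob    # unquoted on purpose so the shell expands the glob
        [ -e "$1" ] || { echo "no rule files match $glob"; problems=$((problems + 1)); }
    fi
    return "$problems"
}

# Constructed sample: a config still in DetectionOnly mode with no Include
# lines, i.e. the edits from section 4.2 have not been made yet.
demo=$(mktemp -d)
printf 'SecRuleEngine DetectionOnly\n' > "$demo/modsecurity.conf"
audit_modsec_conf "$demo/modsecurity.conf" || echo "problems found: $?"
rm -rf "$demo"
```

On the server from this article, run it as audit_modsec_conf /usr/local/nginx/conf/modsecurity/modsecurity.conf; an exit status of 0 means all checks passed.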
