NGINX Installation Instructions ModSecurity



This article provides instructions for installing the Dynamic ModSecurity module on the NGINX web server as a web application firewall (WAF). NGINX works in reverse proxy mode . Work done on the distribution of Linux - CentOS 7 . The module is set as “dynamic” so that the service remains flexible in configuration. Used official NGINX installation guide .


1. Pre-install components


For the service to work correctly, you need to install additional libraries to work. Libraries will be needed to build a project from source code. It is assumed that the user has updated the system ( # yum update ).

yum install install -y apt-utils autoconf automake build-essential git libcurl4-openssl-dev libgeoip-dev liblmdb-dev libpcre++-dev libtool libxml2-dev libyajl-dev pkgconf wget zlib1g-dev


2. Starting to install the service



In order that later there would be no problems with starting the service using the service nginx start command , the version from the official repository on GitHub is installed.

Create a file /etc/yum.repos.d/nginx.repo in which you want to add a version of the distribution. Without specifying the version of NGINX, the last one is pulled, which is launched on the site.

[nginx-1.13.7]
name=nginx repo
baseurl=http://nginx.org/packages/mainline/centos/7/$basearch/
gpgcheck=0
enabled=1

Next, just install

yum install nginx

3. Compile a module




To begin, go to the appropriate directory:

cd /home/user/Downloads

Download the module from the main branch on GitHub:

git clone --depth 1 -b v3/master --single-branch https://github.com/SpiderLabs/ModSecurity.git

Next, go to the folder with the firewall and compile the source code:

cd ModSecurity
git submodule init
git submodule update
./build.sh
./configure
make
make install

4. Installation of the connector


In order for the entire system to be flexible, a connector for the NGINX and ModSecurity connection will be installed . This means that the module will not be sewn into the server code, but will only be a dynamic component, which will allow it to be removed at any time, change the code, and so on.

git clone --depth 1 https://github.com/SpiderLabs/ModSecurity-nginx.git

5. Rebuilding the web server


In order for NGINX to work with the connector to which the module will be connected, you need to rebuild the server. To do this, first find out which version of NGINX is installed:

nginx –v

The output should be approximately the same (depending on the version)

nginx version: nginx / 1.13.7

Next, download the appropriate version from the official site, so that there would be no error when starting the service and compile with a certain parameter:

cd ..
	wget http://nginx.org/download/nginx-1.13.7.tar.gz
	tar zxvf nginx-1.13.7.tar.gz
	cd nginx-1.13.7
	./configure --with-compat --add-dynamic-module=../ModSecurity-nginx
	make modules

Next, copy the module file to the web service folder:

cp objs/ngx_http_modsecurity_module.so /etc/nginx/modules

Before the first block in /etc/nginx/nginx.conf add:

load_module modules/ngx_http_modsecurity_module.so;

6. Module configuration file


Developers offer their basic rules to protect a web resource. It should be noted that by setting them you should not count on a decent level, since the creators leave the complete freedom of configuration and writing rules by the user, which limits them in adding basic rules to the standard configuration file.


        mkdir /etc/nginx/modsec
	cd /etc/nginx/modsec
	sudo wget https://raw.githubusercontent.com/SpiderLabs/ModSecurity/v3/master/modsecurity.conf-recommended
	sudo mv modsecurity.conf-recommended modsecurity.conf


In the modsecurity.conf file , replace SecRuleEngine DetectionOnly with SecRuleEngine On
Next, create the file /etc/nginx/modsec/main.conf and add it to it:

# Include the recommended configuration
		Include /etc/nginx/modsec/modsecurity.conf

7. OWASP rules


It's no secret that OWASP is a web security leader. They have their own roll-set for this module, which, like the project, is open to users. Therefore, we will install it as a basic set of rules:

cd /usr/local
	wget https://github.com/SpiderLabs/owasp-modsecurity-crs/archive/v3.0.0.tar.gz
	tar -xzvf v3.0.0.tar.gz
	mv owasp-modsecurity-crs-3.0.0 /usr/localcd /usr/local/owasp-modsecurity-crs-3.0.0
	cp crs-setup.conf.example crs-setup.conf

In /etc/nginx/modsec/main.conf add the following:

# OWASP CRS v3 rules
Include /usr/local/owasp-modsecurity-crs-3.0.0/crs-setup.conf
Include /usr/local/owasp-modsecurity-crs-3.0.0/rules/*.conf

8. Completion of work


The file /etc/nginx/conf.d/proxy.conf add

server {
    listen 80;
	modsecurity on;
	modsecurity_rules_file /etc/nginx/modsec/main.conf;
# If you have proxy
    location / {    	
    	proxy_pass http://192.168.x.x;
    }
}

9. Functioning test


To check the components of a web service, just run it and view the errors. Often you will need to remove the rule that is responsible for checking where a different module is used ( GeoIP , for example). Therefore, you can safely remove this rule.

rm /usr/local/owasp-modsecurity-crs-3.0.0/rules/REQUEST-910-IP-REPUTATION.conf

Unicode error is also possible . In order for it not to interfere with the work of the service, simply comment it out in the configuration file ( at the end ).

#SecUnicodeMapFile unicode.mapping 20127

To test the server, use the curl utility . It will show whether the application returns. If everything is correct, you will receive an optet with the code 200 OK

curl -I 127.0.0.1

To test the protection mechanisms, you can use any dedicated utility. As recommendations, it is proposed to use nikto :

nikto -host localhost

To start the server:

service nginx start
Tags:

Also popular now: