How to Build NGINX with ModSecurity on Ubuntu Server


ModSecurity is a widely used and respected open source web application firewall (WAF) for web servers. It can be used with both Apache and NGINX to protect web applications such as WordPress and Nextcloud against a range of HTTP attacks, such as SQL injection and cross-site scripting (XSS). In other words, this module should be considered a must! The NGINX installed with apt-get does not include ModSecurity, so you have to build it manually. Next, I’ll walk you through the process of adding this security feature to your NGINX web servers.

The first thing to do is install the required dependencies. This can be done with a single command:

sudo apt-get install -y git build-essential libpcre3 libpcre3-dev libssl-dev libtool autoconf apache2-dev libxml2-dev libcurl4-openssl-dev automake pkgconf zlib1g-dev

If you already have NGINX installed (from the standard repositories), remove it with the command:

sudo apt-get purge nginx -y

Remove any remaining dependencies with the command:

sudo apt-get autoremove -y

Next, we can move on to ModSecurity.

How to build ModSecurity

We have to compile ModSecurity manually. First, change to the src directory using the command:

cd /usr/src

Then clone the latest version of ModSecurity using the command:

git clone -b nginx_refactoring https://github.com/SpiderLabs/ModSecurity.git

Change to the newly created directory using the command:

cd ModSecurity

Generate the build scripts with the autogen script, then configure ModSecurity as follows:

./autogen.sh
./configure --enable-standalone-module --disable-mlogc

Install ModSecurity using the commands:

make
sudo make install

How to build NGINX

Unfortunately, we cannot use the NGINX installation from the standard repositories because it must be compiled with WAF support. Go back to the src directory with the command:

cd /usr/src

Download the latest version of NGINX. It is currently 1.18.0, but check the download page, make sure you select the latest version and change the commands accordingly:

https://nginx.org/en/download.html

The command to download the source code:

wget https://nginx.org/download/nginx-1.18.0.tar.gz

Unpack the compressed file using the command:

tar xvzf nginx-1.18.0.tar.gz

Change to the newly created directory using the command:

cd nginx-1.18.0

Configure NGINX with ModSecurity support using the command:

./configure --user=www-data --group=www-data --add-module=/usr/src/ModSecurity/nginx/modsecurity --with-http_ssl_module

Finally, install NGINX using the commands:

make
sudo make install

Now we need to modify the default NGINX config file so that it knows which user to run as. The file is owned by root, so run the command with sudo:

sudo sed -i "s/#user  nobody;/user www-data www-data;/" /usr/local/nginx/conf/nginx.conf

Next, we need to configure NGINX so that it knows to use ModSecurity. Open the NGINX configuration file with the command:

sudo nano /usr/local/nginx/conf/nginx.conf

In this file, replace the following section:

location / {
    root   html;
    index  index.html index.htm;
}

with:

location / {
    ModSecurityEnabled on;
    ModSecurityConfig modsec_includes.conf;
    root   html;
    index  index.html index.htm;
}

Enable OWASP core rules by creating a rules file using the command:

sudo nano /usr/local/nginx/conf/modsec_includes.conf

Paste the following into this file:

include modsecurity.conf
include owasp-modsecurity-crs/crs-setup.conf
include owasp-modsecurity-crs/rules/*.conf

Save and close the file.

Import the required ModSecurity configuration files using the following two commands:

sudo cp /usr/src/ModSecurity/modsecurity.conf-recommended /usr/local/nginx/conf/modsecurity.conf
sudo cp /usr/src/ModSecurity/unicode.mapping /usr/local/nginx/conf/

Enable the SecRuleEngine option in the modsecurity.conf file by entering the following command:

sudo sed -i "s/SecRuleEngine DetectionOnly/SecRuleEngine On/" /usr/local/nginx/conf/modsecurity.conf

We can now add the basic OWASP ModSecurity ruleset by running the following seven commands (cd is a shell builtin, so it is run without sudo):

cd /usr/local/nginx/conf
sudo git clone https://github.com/SpiderLabs/owasp-modsecurity-crs.git
cd owasp-modsecurity-crs
sudo mv crs-setup.conf.example crs-setup.conf
cd rules
sudo mv REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf
sudo mv RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.example RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf
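
A post-install check for the configuration steps above (an added example, not part of the original guide): the sed substitution leaves modsecurity.conf unchanged without any error if its pattern does not match, and a skipped rename leaves an include pointing at nothing. The helper names are hypothetical, and the script assumes relative include paths resolve against the conf directory, as in this guide's layout.

```shell
#!/usr/bin/env bash
# Added example: post-install check for the conf layout built in this guide.
# effective_engine and check_modsec_conf are hypothetical helper names.

# Value of the last uncommented SecRuleEngine directive in a file.
effective_engine() {
    awk '$1 == "SecRuleEngine" { v = $2 } END { print v }' "$1"
}

# Prints one line per problem; returns 0 only when none were found.
check_modsec_conf() {
    conf_dir=$1
    problems=0
    includes="$conf_dir/modsec_includes.conf"
    [ -f "$includes" ] || { echo "missing: $includes"; return 1; }
    mode=$(effective_engine "$conf_dir/modsecurity.conf" 2>/dev/null) || mode=""
    if [ "$mode" != "On" ]; then
        echo "SecRuleEngine is '${mode:-unset}', expected On"
        problems=$((problems + 1))
    fi
    # Assumption: include patterns resolve relative to conf_dir; they may be globs.
    while read -r keyword pattern rest || [ -n "$keyword" ]; do
        case $keyword in [Ii]nclude) ;; *) continue ;; esac
        matched=0
        for f in "$conf_dir"/$pattern; do
            if [ -f "$f" ]; then matched=1; break; fi
        done
        if [ "$matched" -eq 0 ]; then
            echo "include matches no file: $pattern"
            problems=$((problems + 1))
        fi
    done < "$includes"
    # A leftover .example file means one of the rename (mv) steps did not run.
    crs="$conf_dir/owasp-modsecurity-crs"
    for f in "$crs"/*.example "$crs"/rules/*.example; do
        if [ -f "$f" ]; then
            echo "not renamed: $f"
            problems=$((problems + 1))
        fi
    done
    [ "$problems" -eq 0 ]
}

# Usage: sh check_modsec.sh /usr/local/nginx/conf
[ "$#" -eq 0 ] || check_modsec_conf "$1"
```
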

How to create a systemd startup file for NGINX

In order for us to manage NGINX, we need to create a systemd startup file. Create a file using the command:

sudo nano /lib/systemd/system/nginx.service

Paste the following into the file:

[Service]
Type=forking
ExecStartPre=/usr/local/nginx/sbin/nginx -t -c /usr/local/nginx/conf/nginx.conf
ExecStart=/usr/local/nginx/sbin/nginx -c /usr/local/nginx/conf/nginx.conf
ExecReload=/usr/local/nginx/sbin/nginx -s reload
ExecStop=/usr/local/nginx/sbin/nginx -s stop
KillMode=process
Restart=on-failure
RestartSec=42s
PrivateTmp=true
LimitNOFILE=200000

[Install]
WantedBy=multi-user.target

Save and close the file.

Start NGINX with the command:

sudo systemctl start nginx

Enable the web server to start at boot using the command:

sudo systemctl enable nginx

How to test ModSecurity

We can finally test our ModSecurity setup. To do this, we will use tail to track the NGINX error log using the command:

sudo tail -f /usr/local/nginx/logs/error.log

Then open your web browser and type in: http://SERVER/?param="> where SERVER is the IP address or domain of your NGINX server. Back at the tail command, you should see several Permission Denied errors! Congratulations, you now have ModSecurity running with the latest NGINX on Ubuntu!
