Install Mod_Security for Nginx without need to recompile

nginx security web-server mod-security

6,414

You can do it by adding ModSecurity as dynamic module or using Dockerized and hardened Nginx container.

Use ModSecurity with Docker

Run HTTP server with default settings

docker run -p 80:80 -v /path/to/web/files:/www bunkerity/bunkerized-nginx

Run HTTPS server with automated Let's Encrypt

docker run -p 80:80 -p 443:443 -v /path/to/web/files:/www -v /where/to/save/certificates:/etc/letsencrypt -e SERVER_NAME=www.yourdomain.com -e AUTO_LETS_ENCRYPT=yes -e REDIRECT_HTTP_TO_HTTPS=yes bunkerity/bunkerized-nginx

Certificates are stored in the /etc/letsencrypt directory, you should save it on your local drive.
If you don't want your webserver to listen on HTTP add the environment variable LISTEN_HTTP with a "no" value. But Let's Encrypt needs the port 80 to be opened so redirecting the port is mandatory.

Here you have three environment variables :

SERVER_NAME : define the FQDN of your webserver, this is mandatory for Let's Encrypt (www.yourdomain.com should point to your IP address)
AUTO_LETS_ENCRYPT : enable automatic Let's Encrypt creation and renewal of certificates
REDIRECT_HTTP_TO_HTTPS : enable HTTP to HTTPS redirection

Docker Hub : bunkerized-nginx

Requirement:NGINX 1.11.5 and later.

Step 1 : Installing needed packages

apt-get install -y apt-utils autoconf automake build-essential git libcurl4-openssl-dev libgeoip-dev liblmdb-dev libpcre++-dev libtool libxml2-dev libyajl-dev pkgconf wget zlib1g-dev

##Step 2 : Download and Compile the ModSecurity 3 Source Code##

git clone --depth 1 -b v3/master --single-branch https://github.com/SpiderLabs/ModSecurity
cd ModSecurity
git submodule init
git submodule update
./build.sh
./configure
make
make install

Note: The compilation takes about 15 minutes, depending on the processing power of your system. #Step 3 : Download the NGINX Connector for ModSecurity and Compile It as a Dynamic Module#

git clone --depth 1 https://github.com/SpiderLabs/ModSecurity-nginx.git
wget http://nginx.org/download/nginx-1.13.7.tar.gz 
tar zxvf nginx-1.13.7.tar.gz 
cd nginx-1.13.7
./configure --with-compat --add-dynamic-module=../ModSecurity-nginx
make modules
cp objs/ngx_http_modsecurity_module.so /etc/nginx/modules

##Step 4 : Load the NGINX ModSecurity Connector Dynamic Module ## Add this line to /etc/nginx/nginx.conf

load_module modules/ngx_http_modsecurity_module.so;

##Step 5 : Configure and Enable## Set up the appropriate ModSecurity configuration file. Here we’re using the recommended ModSecurity configuration provided by TrustWave Spiderlabs, the corporate sponsors of ModSecurity.

mkdir /etc/nginx/modsec
wget -P /etc/nginx/modsec/ https://raw.githubusercontent.com/SpiderLabs/ModSecurity/v3/master/modsecurity.conf-recommended
wget -P /etc/nginx/modsec/ https://raw.githubusercontent.com/SpiderLabs/ModSecurity/v3/master/unicode.mapping
mv /etc/nginx/modsec/modsecurity.conf-recommended /etc/nginx/modsec/modsecurity.conf

Change the SecRuleEngine directive in the configuration to change from the default “detection only” mode to actively dropping malicious traffic.

sed -i 's/SecRuleEngine DetectionOnly/SecRuleEngine On/' /etc/nginx/modsec/modsecurity.conf

Configure one or more rules. For the purposes of this blog we’re creating a single simple rule that drops a request in which the URL argument called testparam includes the string test in its value. Put the following text in /etc/nginx/modsec/main.conf

# From https://github.com/SpiderLabs/ModSecurity/blob/master/\
# modsecurity.conf-recommended
#
# Edit to set SecRuleEngine On
Include "/etc/nginx/modsec/modsecurity.conf"


# Basic test rule
SecRule ARGS:testparam "@contains test" "id:1234,deny,status:403"

Add the modsecurity and modsecurity_rules_file directives to the NGINX configuration to enable ModSecurity:

server {
    # ...
    modsecurity on;
    modsecurity_rules_file /etc/nginx/modsec/main.conf;
}

source : nginx.com

6,414

julio

* There are 10 types of people in the world: those who understand binary, and those who don’t. *

Updated on September 18, 2022

Comments

julio almost 2 years

I've got LEMP all setup. Now I would like to add mod_security.

I tried to research but all I could find are instructions on how to recompile nginx. Is there a way to add mod_security without needing to recompile?

I'm currently running nginx/1.9.15 installed with PPA because I was after HTTP/2. I don't have experience in compiling nginx and I don't know if ever I recompile I would break nginx since I got it from PPA.

Hope you can help.

Thank you.
- Michael Hampton about 8 years
  
  Since 1.10 nginx can now load modules dynamically, so in principle it's no longer necessary to compile them with nginx. Contact the mod_security developers and ask them when they will take advantage of this.
Dan Bolser over 5 years

Is there a PPA for this (xenial)?
Jenny D about 5 years

I strongly suggest adding some error checking to your script. For instance, on line 12, you're assuming that the cd $OPT_DIR will work - if it doesn't, the git clone on line 16 is going to clone stuff into whatever directory you started in. Don't just assume that commands will succed.
Chetan Patil about 5 years

ok. Thank you for suggestion, will definitely add those checks.
womble about 5 years

"Without need to recompile" is in the question title.
Jenny D about 5 years

Apart from that, it's a nice script... but I've been bitten badly a couple of times by writing and running scripts without error checking - I'm hoping to let others learn from my mistakes, nobody has time to do all mistakes on their own :-)
Swarup Golui about 5 years

Chetan Patil serverfault.com/users/520010/chetan-patil Fix The Line 62 ./configure --with-compatadd-dynamic-module=/opt/ModSecurity-nginx With ./configure --with-compat --add-dynamic-module=/opt/ModSecurity-nginx
Chetan Patil about 5 years

@SwarupGolui fixed it.
Vahid Nameni over 4 years

Yes there is (available on another answer) but it's better use latest Ubuntu LTS version.