I've got LEMP all setup. Now I would like to add mod_security.
I tried to research but all I could find are instructions on how to recompile nginx. Is there a way to add mod_security without needing to recompile?
I'm currently running nginx/1.9.15 installed with PPA because I was after HTTP/2. I don't have experience in compiling nginx and I don't know if ever I recompile I would break nginx since I got it from PPA.
Hope you can help.
Thank you.
You can do it by adding ModSecurity as dynamic module or using Dockerized and hardened Nginx container.
docker run -p 80:80 -v /path/to/web/files:/www bunkerity/bunkerized-nginx docker run -p 80:80 -p 443:443 -v /path/to/web/files:/www -v /where/to/save/certificates:/etc/letsencrypt -e SERVER_NAME=www.yourdomain.com -e AUTO_LETS_ENCRYPT=yes -e REDIRECT_HTTP_TO_HTTPS=yes bunkerity/bunkerized-nginx Certificates are stored in the /etc/letsencrypt directory, you should save it on your local drive.
If you don't want your webserver to listen on HTTP add the environment variable LISTEN_HTTP with a "no" value. But Let's Encrypt needs the port 80 to be opened so redirecting the port is mandatory.
Here you have three environment variables :
SERVER_NAME : define the FQDN of your webserver, this is mandatory for Let's Encrypt (www.yourdomain.com should point to your IP address)AUTO_LETS_ENCRYPT : enable automatic Let's Encrypt creation and renewal of certificatesREDIRECT_HTTP_TO_HTTPS : enable HTTP to HTTPS redirectionDocker Hub : bunkerized-nginx
apt-get install -y apt-utils autoconf automake build-essential git libcurl4-openssl-dev libgeoip-dev liblmdb-dev libpcre++-dev libtool libxml2-dev libyajl-dev pkgconf wget zlib1g-dev ##Step 2 : Download and Compile the ModSecurity 3 Source Code##
git clone --depth 1 -b v3/master --single-branch https://github.com/SpiderLabs/ModSecurity cd ModSecurity git submodule init git submodule update ./build.sh ./configure make make install Note: The compilation takes about 15 minutes, depending on the processing power of your system. #Step 3 : Download the NGINX Connector for ModSecurity and Compile It as a Dynamic Module#
git clone --depth 1 https://github.com/SpiderLabs/ModSecurity-nginx.git wget http://nginx.org/download/nginx-1.13.7.tar.gz tar zxvf nginx-1.13.7.tar.gz cd nginx-1.13.7 ./configure --with-compat --add-dynamic-module=../ModSecurity-nginx make modules cp objs/ngx_http_modsecurity_module.so /etc/nginx/modules ##Step 4 : Load the NGINX ModSecurity Connector Dynamic Module ## Add this line to /etc/nginx/nginx.conf
load_module modules/ngx_http_modsecurity_module.so; ##Step 5 : Configure and Enable## Set up the appropriate ModSecurity configuration file. Here we’re using the recommended ModSecurity configuration provided by TrustWave Spiderlabs, the corporate sponsors of ModSecurity.
mkdir /etc/nginx/modsec wget -P /etc/nginx/modsec/ https://raw.githubusercontent.com/SpiderLabs/ModSecurity/v3/master/modsecurity.conf-recommended wget -P /etc/nginx/modsec/ https://raw.githubusercontent.com/SpiderLabs/ModSecurity/v3/master/unicode.mapping mv /etc/nginx/modsec/modsecurity.conf-recommended /etc/nginx/modsec/modsecurity.conf Change the SecRuleEngine directive in the configuration to change from the default “detection only” mode to actively dropping malicious traffic.
sed -i 's/SecRuleEngine DetectionOnly/SecRuleEngine On/' /etc/nginx/modsec/modsecurity.conf Configure one or more rules. For the purposes of this blog we’re creating a single simple rule that drops a request in which the URL argument called testparam includes the string test in its value. Put the following text in /etc/nginx/modsec/main.conf
# From https://github.com/SpiderLabs/ModSecurity/blob/master/\ # modsecurity.conf-recommended # # Edit to set SecRuleEngine On Include "/etc/nginx/modsec/modsecurity.conf" # Basic test rule SecRule ARGS:testparam "@contains test" "id:1234,deny,status:403" Add the modsecurity and modsecurity_rules_file directives to the NGINX configuration to enable ModSecurity:
server { # ... modsecurity on; modsecurity_rules_file /etc/nginx/modsec/main.conf; } source : nginx.com
There is an available package from the repository ppa:phusion.nl/misc. Here are the basic steps to install:
sudo add-apt-repository ppa:phusion.nl/misc sudo apt update sudo apt install libnginx-mod-http-modsecurity Thereafter you could follow configuration instructions from the other answers.
To skip this manual lengthy installation progress, I have created scripit that takes care of downloading required files, respective nginx version source code downloading and compiling and all. Just follow below simple steps to get ModSecurity installed and configured:
# DOWNLOAD INSTALLATION SCRIPT wget https://gist.githubusercontent.com/Chetan07j/edc16d6a55a25475cafeb6995f9c0857/raw/d1004a71710c263a8f0d0c098eebd21e72e0c101/libModSecurity.sh # MAKE THIS FILE EXECUTABLE sudo chmod +x libModSecurity.sh # RUN THIS FILE ./libModSecurity.sh # DONE Installation is done now you need to add few lines in nginx.conf and in your server config in sites-available folder.
In /etc/nginx/nginx.conf file add this line immediate after pid line:
... pid /run/nginx.pid; load_module /etc/nginx/modules/ngx_http_modsecurity_module.so; # ADD THIS LINE and then in your server config file under /etc/nginx/sites-available/
server { # ... modsecurity on; modsecurity_rules_file /etc/nginx/modsec/main.conf; } Thank you.
cd $OPT_DIR will work - if it doesn't, the git clone on line 16 is going to clone stuff into whatever directory you started in. Don't just assume that commands will succed.