Build Nginx + ModSecurity
1.1. Build Nginx
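# Build as an unprivileged user; only the install/system steps use sudo.
# Assumes libmodsecurity has already been built and installed from
# /usr/local/src/ModSecurity (the configuration steps copy files from there).
sudo mkdir -p /opt/source
sudo chown "$(id -u):$(id -g)" /opt/source
cd /opt/source
# Fetch over TLS and check the detached signature nginx publishes next to
# each tarball (signing keys: https://nginx.org/en/pgp_keys.html).
wget https://nginx.org/download/nginx-1.18.0.tar.gz
wget https://nginx.org/download/nginx-1.18.0.tar.gz.asc
gpg --verify nginx-1.18.0.tar.gz.asc nginx-1.18.0.tar.gz
# Pin the connector to a release tag instead of whatever master is today.
git clone --depth 1 --branch v1.0.2 https://github.com/SpiderLabs/ModSecurity-nginx.git
tar -xzf nginx-1.18.0.tar.gz
cd nginx-1.18.0
# --add-dynamic-module points at the clone made above (the original line
# referenced /usr/local/src/ModSecurity-nginx, where nothing was cloned).
# The install paths match the systemd unit (/usr/sbin/nginx,
# /etc/nginx/nginx.conf, /var/run/nginx.pid) and the /usr/lib64/nginx/modules
# directory that is symlinked into /etc/nginx below; without them nginx
# installs under /usr/local/nginx and none of those paths exist.
./configure \
  --prefix=/etc/nginx \
  --sbin-path=/usr/sbin/nginx \
  --modules-path=/usr/lib64/nginx/modules \
  --conf-path=/etc/nginx/nginx.conf \
  --pid-path=/var/run/nginx.pid \
  --error-log-path=/var/log/nginx/error.log \
  --http-log-path=/var/log/nginx/access.log \
  --user=nginx --group=nginx \
  --with-compat \
  --add-dynamic-module=/opt/source/ModSecurity-nginx
# Compile unprivileged; only the install into /usr/sbin and /etc needs root.
make -j"$(nproc)" && sudo make install
sudo ln -s /usr/lib64/nginx/modules /etc/nginx/modules
sudo useradd --system --home /var/cache/nginx --shell /sbin/nologin --comment "nginx user" --user-group nginx
sudo vim /etc/systemd/system/nginx.service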
[Unit]
Description=nginx - high performance web server
Documentation=https://nginx.org/en/docs/
After=network-online.target remote-fs.target nss-lookup.target
Wants=network-online.target
[Service]
# forking: the nginx master daemonizes; systemd tracks it through PIDFile.
Type=forking
PIDFile=/var/run/nginx.pid
# Config test before every start. Both paths must be where `make install`
# put the binary and nginx.conf, otherwise the unit never starts.
ExecStartPre=/usr/sbin/nginx -t -c /etc/nginx/nginx.conf
ExecStart=/usr/sbin/nginx -c /etc/nginx/nginx.conf
# HUP tells the master to re-read its configuration; TERM is a fast shutdown.
# $MAINPID is the master process recorded in PIDFile.
ExecReload=/bin/kill -s HUP $MAINPID
ExecStop=/bin/kill -s TERM $MAINPID
[Install]
WantedBy=multi-user.target
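# Make systemd read the unit file written above, then enable it at boot and
# start it now. These need root like the steps above (the original ran them
# without sudo).
sudo systemctl daemon-reload
sudo systemctl enable nginx
sudo systemctl start nginx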
-----------------------------------------------------------------------------------------------------------------
1.2. Configure Nginx
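# nginx.conf is root-owned after `make install`; edit it with sudo, consistent
# with the other system files on this page.
sudo vi /etc/nginx/nginx.conf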
# Main-context directive: put it at the top of nginx.conf, outside the
# events {} and http {} blocks. The path is the module directory that
# /etc/nginx/modules is symlinked to in the build step.
load_module /usr/lib64/nginx/modules/ngx_http_modsecurity_module.so;
Add the following directives inside the http {} block:
# Inside http {}: turns the connector on for every server/location that does
# not override it, and names the file whose rules are loaded.
modsecurity on;
modsecurity_rules_file /etc/nginx/modsec/modsec-config.conf;
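# /etc/nginx is root-owned, so these need sudo (the later copy of
# unicode.mapping already uses it). -p makes the step re-runnable.
sudo mkdir -p /etc/nginx/modsec
# modsecurity.conf-recommended ships with the libmodsecurity sources; this
# assumes they live in /usr/local/src/ModSecurity, as the rest of the page does.
sudo cp -- /usr/local/src/ModSecurity/modsecurity.conf-recommended /etc/nginx/modsec/modsecurity.conf
sudo vi /etc/nginx/modsec/modsecurity.conf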
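# modsecurity.conf-recommended ships with the engine in DetectionOnly mode:
# rules are evaluated and logged, nothing is blocked. Keep it there while the
# rule set is tuned against real traffic (check the audit log for false
# positives), then replace the line with On so matching requests are denied.
# As written, the original listing showed both values one after the other;
# only one SecRuleEngine line should remain.
# SecRuleEngine DetectionOnly
SecRuleEngine On
# Log everything we know about a transaction.
# Parts I and E capture request and response bodies, so the audit log can
# contain credentials and personal data: restrict its file permissions.
SecAuditLogParts ABIJDEFHZ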
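# Create the file the modsecurity_rules_file directive in nginx.conf points at
# (root-owned directory, so sudo as in the other steps).
sudo vi /etc/nginx/modsec/modsec-config.conf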
# Engine configuration comes first; rule-set includes (CRS) go after this line.
Include /etc/nginx/modsec/modsecurity.conf
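sudo cp -- /usr/local/src/ModSecurity/unicode.mapping /etc/nginx/modsec/
# Only restart when the config test passes: `systemctl restart` stops the
# running instance first, and ExecStartPre would then refuse to start it, so
# a bad config would take nginx down instead of leaving the old one serving.
sudo nginx -t && sudo systemctl restart nginx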
Install OWASP Core Rule Set for ModSecurity
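cd /etc/nginx/modsec/
# Pin the release and verify it before unpacking. The GitHub /archive/ zip is
# generated on request and carries no signature, so record the checksum you
# verified out of band (placeholder below) to make the step reproducible.
sudo wget https://github.com/coreruleset/coreruleset/archive/refs/tags/v3.3.2.zip
printf '%s  %s\n' '<EXPECTED_SHA256>' v3.3.2.zip | sha256sum -c -
sudo unzip v3.3.2.zip
# The archive ships crs-setup.conf.example only; the Include added to
# modsec-config.conf expects crs-setup.conf, so create it (and tune it) here,
# otherwise `nginx -t` fails on the missing file.
sudo cp -- coreruleset-3.3.2/crs-setup.conf.example coreruleset-3.3.2/crs-setup.conf
sudo vi /etc/nginx/modsec/modsec-config.conf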
# crs-setup.conf is created from the crs-setup.conf.example shipped in the
# archive; it holds the settings the rules depend on, so it stays before them.
Include /etc/nginx/modsec/coreruleset-3.3.2/crs-setup.conf
# The glob skips the *.conf.example exclusion templates in rules/.
Include /etc/nginx/modsec/coreruleset-3.3.2/rules/*.conf
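# Restart only if the config test passes; a restart stops the running nginx
# before ExecStartPre re-checks the config, so a broken rule file would
# otherwise leave the service down.
sudo nginx -t && sudo systemctl restart nginx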