Install Mod_Security for Nginx without need to recompile

Question

I've got LEMP all setup. Now I would like to add mod_security.

I tried to research but all I could find are instructions on how to recompile nginx. Is there a way to add mod_security without needing to recompile?

I'm currently running nginx/1.9.15 installed with PPA because I was after HTTP/2. I don't have experience in compiling nginx and I don't know if ever I recompile I would break nginx since I got it from PPA.

Hope you can help.

Thank you.

Answer 1

You can do it by adding ModSecurity as dynamic module or using Dockerized and hardened Nginx container.

Use ModSecurity with Docker

Run HTTP server with default settings

docker run -p 80:80 -v /path/to/web/files:/www bunkerity/bunkerized-nginx

Run HTTPS server with automated Let's Encrypt

docker run -p 80:80 -p 443:443 -v /path/to/web/files:/www -v /where/to/save/certificates:/etc/letsencrypt -e SERVER_NAME=www.yourdomain.com -e AUTO_LETS_ENCRYPT=yes -e REDIRECT_HTTP_TO_HTTPS=yes bunkerity/bunkerized-nginx

Certificates are stored in the /etc/letsencrypt directory, you should save it on your local drive.
If you don't want your webserver to listen on HTTP add the environment variable LISTEN_HTTP with a "no" value. But Let's Encrypt needs the port 80 to be opened so redirecting the port is mandatory.

Here you have three environment variables :

• SERVER_NAME : define the FQDN of your webserver, this is mandatory for Let's Encrypt (www.yourdomain.com should point to your IP address)
• AUTO_LETS_ENCRYPT : enable automatic Let's Encrypt creation and renewal of certificates
• REDIRECT_HTTP_TO_HTTPS : enable HTTP to HTTPS redirection

Docker Hub : bunkerized-nginx

Requirement:NGINX 1.11.5 and later.

Step 1 : Installing needed packages

apt-get install -y apt-utils autoconf automake build-essential git libcurl4-openssl-dev libgeoip-dev liblmdb-dev libpcre++-dev libtool libxml2-dev libyajl-dev pkgconf wget zlib1g-dev

##Step 2 : Download and Compile the ModSecurity 3 Source Code##

git clone --depth 1 -b v3/master --single-branch https://github.com/SpiderLabs/ModSecurity
cd ModSecurity
git submodule init
git submodule update
./build.sh
./configure
make
make install

Note: The compilation takes about 15 minutes, depending on the processing power of your system. #Step 3 : Download the NGINX Connector for ModSecurity and Compile It as a Dynamic Module#

git clone --depth 1 https://github.com/SpiderLabs/ModSecurity-nginx.git
wget http://nginx.org/download/nginx-1.13.7.tar.gz 
tar zxvf nginx-1.13.7.tar.gz 
cd nginx-1.13.7
./configure --with-compat --add-dynamic-module=../ModSecurity-nginx
make modules
cp objs/ngx_http_modsecurity_module.so /etc/nginx/modules

##Step 4 : Load the NGINX ModSecurity Connector Dynamic Module ## Add this line to /etc/nginx/nginx.conf

load_module modules/ngx_http_modsecurity_module.so;

##Step 5 : Configure and Enable## Set up the appropriate ModSecurity configuration file. Here we’re using the recommended ModSecurity configuration provided by TrustWave Spiderlabs, the corporate sponsors of ModSecurity.

mkdir /etc/nginx/modsec
wget -P /etc/nginx/modsec/ https://raw.githubusercontent.com/SpiderLabs/ModSecurity/v3/master/modsecurity.conf-recommended
wget -P /etc/nginx/modsec/ https://raw.githubusercontent.com/SpiderLabs/ModSecurity/v3/master/unicode.mapping
mv /etc/nginx/modsec/modsecurity.conf-recommended /etc/nginx/modsec/modsecurity.conf

Change the SecRuleEngine directive in the configuration to change from the default “detection only” mode to actively dropping malicious traffic.

sed -i 's/SecRuleEngine DetectionOnly/SecRuleEngine On/' /etc/nginx/modsec/modsecurity.conf

Configure one or more rules. For the purposes of this blog we’re creating a single simple rule that drops a request in which the URL argument called testparam includes the string test in its value. Put the following text in /etc/nginx/modsec/main.conf

# From https://github.com/SpiderLabs/ModSecurity/blob/master/\
# modsecurity.conf-recommended
#
# Edit to set SecRuleEngine On
Include "/etc/nginx/modsec/modsecurity.conf"


# Basic test rule
SecRule ARGS:testparam "@contains test" "id:1234,deny,status:403"

Add the modsecurity and modsecurity_rules_file directives to the NGINX configuration to enable ModSecurity:

server {
    # ...
    modsecurity on;
    modsecurity_rules_file /etc/nginx/modsec/main.conf;
}

source : nginx.com

Answer 2

There is an available package from the repository ppa:phusion.nl/misc. Here are the basic steps to install:

sudo add-apt-repository ppa:phusion.nl/misc
sudo apt update
sudo apt install libnginx-mod-http-modsecurity

Thereafter you could follow configuration instructions from the other answers.

Answer 3

To skip this manual lengthy installation progress, I have created scripit that takes care of downloading required files, respective nginx version source code downloading and compiling and all. Just follow below simple steps to get ModSecurity installed and configured:

# DOWNLOAD INSTALLATION SCRIPT
wget https://gist.githubusercontent.com/Chetan07j/edc16d6a55a25475cafeb6995f9c0857/raw/d1004a71710c263a8f0d0c098eebd21e72e0c101/libModSecurity.sh
​
# MAKE THIS FILE EXECUTABLE
sudo chmod +x libModSecurity.sh
​
# RUN THIS FILE
./libModSecurity.sh
​
# DONE

Installation is done now you need to add few lines in nginx.conf and in your server config in sites-available folder.

In /etc/nginx/nginx.conf file add this line immediate after pid line:

...
pid /run/nginx.pid;
load_module /etc/nginx/modules/ngx_http_modsecurity_module.so; # ADD THIS LINE

and then in your server config file under /etc/nginx/sites-available/

server {
    # ...
    modsecurity on;
    modsecurity_rules_file /etc/nginx/modsec/main.conf;
}

Thank you.