Nginx with libmodsecurity and OWASP ModSecurity Core Rule Set on Ubuntu 16.04

In this tutorial, I will show you how to compile the latest version of Nginx with libmodsecurity (ModSecurity 3.x), not to be confused with ModSecurity 2.9. We will also integrate the OWASP ModSecurity Core Rule Set (CRS).

Libmodsecurity is a major rewrite of ModSecurity that delivers improved performance and stability. Even though ModSecurity 2.9.x was offered for different platforms, it really favored deployment with Apache, and deploying it on other platforms required various third-party dependencies at the cost of performance. Libmodsecurity changes all that by being a rewrite from scratch. More information about Libmodsecurity can be found here.

This guide assumes you already have a brand new updated instance of Ubuntu 16.04 64-bit.

1. Install Prerequisites

Install pre-requisites

apt-get install apache2-dev autoconf automake build-essential bzip2 checkinstall devscripts flex g++ gcc git graphicsmagick-imagemagick-compat graphicsmagick-libmagick-dev-compat libaio-dev libaio1 libass-dev libatomic-ops-dev libavcodec-dev libavdevice-dev libavfilter-dev libavformat-dev libavutil-dev libbz2-dev libcdio-cdda1 libcdio-paranoia1 libcdio13 libcurl4-openssl-dev libfaac-dev libfreetype6-dev libgd-dev libgeoip-dev libgeoip1 libgif-dev libgpac-dev libgsm1-dev libjack-jackd2-dev libjpeg-dev libjpeg-progs libjpeg8-dev liblmdb-dev libmp3lame-dev libncurses5-dev libopencore-amrnb-dev libopencore-amrwb-dev libpam0g-dev libpcre3 libpcre3-dev libperl-dev libpng12-dev libpng12-0 libpng12-dev libreadline-dev librtmp-dev libsdl1.2-dev libssl-dev libssl1.0.0 libswscale-dev libtheora-dev libtiff5-dev libtool libva-dev libvdpau-dev libvorbis-dev libxml2-dev libxslt-dev libxslt1-dev libxslt1.1 libxvidcore-dev libxvidcore4 libyajl-dev make openssl perl pkg-config tar texi2html unzip zip zlib1g-dev

2. Download ModSecurity

Git clone Modsecurity, checkout and build libmodsecurity

cd /opt/
git clone https://github.com/SpiderLabs/ModSecurity
cd ModSecurity
git checkout -b v3/master origin/v3/master
sh build.sh
git submodule init
git submodule update
./configure
make
make install

Git clone the Modsecurity-nginx connector

cd /opt/
git clone https://github.com/SpiderLabs/ModSecurity-nginx.git

You should now have the following directory which contains the Modsecurity-nginx connector

/opt/ModSecurity-nginx

3. Download Nginx

Download latest Nginx stable source

Go to http://nginx.org/en/download.html and get the link to the latest stable version of Nginx. As of this writing, the latest stable version was nginx-1.12.0.tar.gz. Adjust the instructions below for your specific version. Download and extract:

cd /opt
wget http://nginx.org/download/nginx-1.12.0.tar.gz
tar -zxf nginx-1.12.0.tar.gz
cd nginx-1.12.0

4. Configure and Install Nginx

Configure Nginx with the Modsecurity-nginx connector and install

./configure --user=www-data --group=www-data --with-pcre-jit --with-debug --with-http_ssl_module --with-http_realip_module --add-module=/opt/ModSecurity-nginx
make
make install

The ModSecurity source code that we downloaded earlier includes a sample modsecurity.conf file with some recommended settings. Copy this file to the folder with the Nginx configuration files

cp /opt/ModSecurity/modsecurity.conf-recommended /usr/local/nginx/conf/modsecurity.conf

Create a symlink from /usr/local/nginx/sbin/nginx to /bin/nginx

ln -s /usr/local/nginx/sbin/nginx /bin/nginx

Create the following directories:

mkdir /usr/local/nginx/conf/sites-available
mkdir /usr/local/nginx/conf/sites-enabled
mkdir /usr/local/nginx/conf/ssl
mkdir /etc/nginx

Create a symlink from /usr/local/nginx/conf/ssl to /etc/nginx/ssl

ln -s /usr/local/nginx/conf/ssl /etc/nginx/ssl

Make a backup copy of the conf/nginx.conf file

cp /usr/local/nginx/conf/nginx.conf /usr/local/nginx/conf/nginx.bak

Configure the /usr/local/nginx/conf/nginx.conf file

vi /usr/local/nginx/conf/nginx.conf

Locate and remove all the entries starting with "server {" and ending with the second to the last closing curly brace "}". In other words, leave the last curly brace intact.

Right above the last curly brace, insert the following. This will instruct Nginx to look for our site configs in the "/usr/local/nginx/conf/sites-enabled" directory

include /usr/local/nginx/conf/sites-enabled/*;

So the end of the file should look like below (ensure the closing } is present):

include /usr/local/nginx/conf/sites-enabled/*;
}

Enable the "user" directive by removing the "#" prefix if disabled and ensure it's set to user "www-data" instead of the default "nobody" so it looks like below:

user www-data;

Save the file.

Download Jason Giedymin's Nginx init script for managing nginx service and configure it as a service

wget https://raw.github.com/JasonGiedymin/nginx-init-ubuntu/master/nginx -O /etc/init.d/nginx
chmod +x /etc/init.d/nginx
update-rc.d nginx defaults

This script provides the following options for managing the Nginx service:

# service nginx start|stop|restart|force-reload|reload|status|configtest|quietupgrade|terminate|destroy

5. Install OWASP ModSecurity Core Rule Set

Git clone and copy the current version of the OWASP ruleset and config to Nginx

cd /opt/
git clone https://github.com/SpiderLabs/owasp-modsecurity-crs.git
cd owasp-modsecurity-crs/
cp -R rules/ /usr/local/nginx/conf/
cp /opt/owasp-modsecurity-crs/crs-setup.conf.example /usr/local/nginx/conf/crs-setup.conf

Configure Nginx with OWASP ModSecurity Core Rule Set

Edit /usr/local/nginx/conf/modsecurity.conf

vi /usr/local/nginx/conf/modsecurity.conf

At the end of the file, paste the following:

#Load OWASP Config
Include crs-setup.conf
#Load all other Rules
Include rules/*.conf
#Disable rule by ID from error message
#SecRuleRemoveById 920350

In your Nginx modsecurity.conf file or your individual server conf files, enter the following in either the server or location blocks. The example below shows a combination of adding the entries in both the server and the location blocks:

server {
    # ... your existing server directives ...
    modsecurity on;
    location / {
        modsecurity_rules_file /usr/local/nginx/conf/modsecurity.conf;
        # ... your existing location directives ...
    }
}

Test your Nginx config

service nginx configtest

If there are no errors, reload or restart Nginx

service nginx reload

You can now view the /var/log/modsec_audit.log for any ModSecurity events

tail -f /var/log/modsec_audit.log
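
To judge what DetectionOnly mode has been flagging, it helps to tally the audit log by rule ID instead of reading it line by line. The script below is an added example, not part of the original guide; it assumes the serial audit-log format in which each match is a `ModSecurity:` line carrying `[id "..."]` and `[msg "..."]` tags, and `write_sample_log` is a hypothetical helper that emits constructed sample entries.

```shell
#!/bin/sh
# Added example: tally which rules fired in a ModSecurity audit log.

# modsec_rule_summary [FILE...]
# Reads audit log data (files or stdin) and prints "COUNT ID MSG" per rule,
# most frequent rule first.
modsec_rule_summary() {
    awk '
    /^ModSecurity: / {
        id = ""; msg = ""
        # [id "NNN"]: 5 characters before the value, 2 after it
        if (match($0, /\[id "[0-9]+"\]/))
            id = substr($0, RSTART + 5, RLENGTH - 7)
        # [msg "text"]: 6 characters before the value, 2 after it
        if (match($0, /\[msg "[^"]*"\]/))
            msg = substr($0, RSTART + 6, RLENGTH - 8)
        if (id != "") { count[id]++; text[id] = msg }
    }
    END { for (id in count) printf "%d %s %s\n", count[id], id, text[id] }
    ' "$@" | sort -k1,1nr -k2,2n
}

# Constructed sample entries (not taken from a real server): three transactions.
write_sample_log() {
    cat <<'EOF'
---aB3dE5gH---A--
[12/May/2017:10:15:02 +0000] 1494584102 203.0.113.7 51234 192.0.2.10 80
---aB3dE5gH---H--
ModSecurity: Warning. Matched "Operator Rx" [file "/usr/local/nginx/conf/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "733"] [id "920350"] [msg "Host header is a numeric IP address"] [severity "4"]
---aB3dE5gH---Z--
---cD4fG6hJ---A--
[12/May/2017:10:16:40 +0000] 1494584200 203.0.113.9 40022 192.0.2.10 80
---cD4fG6hJ---H--
ModSecurity: Warning. Matched "Operator Rx" [file "/usr/local/nginx/conf/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "733"] [id "920350"] [msg "Host header is a numeric IP address"] [severity "4"]
---cD4fG6hJ---Z--
---eF5gH7jK---A--
[12/May/2017:10:18:11 +0000] 1494584291 198.51.100.23 38110 192.0.2.10 80
---eF5gH7jK---H--
ModSecurity: Warning. Matched "Operator DetectXSS" [file "/usr/local/nginx/conf/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "17"] [id "941100"] [msg "XSS Attack Detected via libinjection"] [severity "2"]
ModSecurity: Warning. Matched "Operator Ge" [file "/usr/local/nginx/conf/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "44"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "2"]
---eF5gH7jK---Z--
EOF
}

# Demo run on the constructed sample.
write_sample_log | modsec_rule_summary
```

On a live host, run `modsec_rule_summary /var/log/modsec_audit.log`; a rule that dominates the list on legitimate traffic is a candidate for the commented `SecRuleRemoveById` line shown earlier.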

If you are satisfied, edit the /usr/local/nginx/conf/modsecurity.conf file and set "SecRuleEngine" from "DetectionOnly" to "On" like below

SecRuleEngine On

This concludes this guide.


About the Author

Dino Edwards is an IT Professional with 20+ years of experience in the Federal, State and the Private sector. He has also been known to dabble in programming.

He tends to write guides or how-to's after he finishes a particular project primarily because his memory sucks and he doesn't want to re-invent the wheel if he has to do the same project again.
