Nginx with libmodsecurity and OWASP ModSecurity Core Rule Set on Ubuntu 16.04
In this tutorial, I will show you how to compile the latest stable version of Nginx against libmodsecurity (ModSecurity 3.x), which is not to be confused with ModSecurity 2.9.x, and how to integrate the OWASP ModSecurity Core Rule Set (CRS) with it.
Libmodsecurity is a rewrite of ModSecurity from scratch that delivers improved performance and stability. Although ModSecurity 2.9.x was offered for several platforms, it was really built around Apache, and deploying it with other web servers required various third-party dependencies at a cost in performance. Libmodsecurity changes that: the rule engine is a standalone library, and each web server talks to it through a thin connector (for Nginx, the ModSecurity-nginx module built below). More information about libmodsecurity can be found in the project's GitHub repository (https://github.com/SpiderLabs/ModSecurity).
This guide assumes you already have a freshly installed and updated instance of Ubuntu 16.04 64-bit. All commands below are run as root.
1. Install Prerequisites
Install the build prerequisites. The list below is much broader than libmodsecurity and Nginx strictly need (the multimedia libraries are unused by either); the packages that matter are build-essential, autoconf, automake, libtool, git, libpcre3-dev, libssl-dev, libxml2-dev, libyajl-dev, libcurl4-openssl-dev, libgeoip-dev, liblmdb-dev and zlib1g-dev.
apt-get install apache2-dev autoconf automake build-essential bzip2 checkinstall devscripts flex g++ gcc git graphicsmagick-imagemagick-compat graphicsmagick-libmagick-dev-compat libaio-dev libaio1 libass-dev libatomic-ops-dev libavcodec-dev libavdevice-dev libavfilter-dev libavformat-dev libavutil-dev libbz2-dev libcdio-cdda1 libcdio-paranoia1 libcdio13 libcurl4-openssl-dev libfaac-dev libfreetype6-dev libgd-dev libgeoip-dev libgeoip1 libgif-dev libgpac-dev libgsm1-dev libjack-jackd2-dev libjpeg-dev libjpeg-progs libjpeg8-dev liblmdb-dev libmp3lame-dev libncurses5-dev libopencore-amrnb-dev libopencore-amrwb-dev libpam0g-dev libpcre3 libpcre3-dev libperl-dev libpng12-dev libpng12-0 libpng12-dev libreadline-dev librtmp-dev libsdl1.2-dev libssl-dev libssl1.0.0 libswscale-dev libtheora-dev libtiff5-dev libtool libva-dev libvdpau-dev libvorbis-dev libxml2-dev libxslt-dev libxslt1-dev libxslt1.1 libxvidcore-dev libxvidcore4 libyajl-dev make openssl perl pkg-config tar texi2html unzip zip zlib1g-dev
2. Download ModSecurity
Git clone ModSecurity, check out the v3/master branch (this is libmodsecurity; the master branch is still the 2.9.x code) and build and install the library:
cd /opt/
git clone https://github.com/SpiderLabs/ModSecurity
cd ModSecurity
git checkout -b v3/master origin/v3/master
sh build.sh
git submodule init
git submodule update
./configure
make
make install
Git clone the ModSecurity-nginx connector, the Nginx module that links Nginx against libmodsecurity:
cd /opt/
git clone https://github.com/SpiderLabs/ModSecurity-nginx.git
You should now have the following directory, which contains the ModSecurity-nginx connector and is passed to Nginx's ./configure in step 4:
/opt/ModSecurity-nginx
3. Download Nginx
Download the latest stable Nginx source
Go to http://nginx.org/en/download.html and get the link to the latest stable version of Nginx. As of this writing, the latest stable version was nginx-1.12.0.tar.gz; adjust the instructions below for your version. nginx.org publishes a PGP signature (.asc file) next to each tarball, and it is worth verifying it before compiling code that will sit in front of your applications. Download and extract:
cd /opt
wget http://nginx.org/download/nginx-1.12.0.tar.gz
tar -zxf nginx-1.12.0.tar.gz
cd nginx-1.12.0
4. Configure and Install Nginx
Configure Nginx with the Modsecurity-nginx connector and install
./configure --user=www-data --group=www-data --with-pcre-jit --with-debug --with-http_ssl_module --with-http_realip_module --add-module=/opt/ModSecurity-nginx
make
make install
The ModSecurity source code that we downloaded earlier includes a sample modsecurity.conf-recommended file with sensible defaults (the engine starts in DetectionOnly mode and writes its audit log to /var/log/modsec_audit.log). Copy this file into the Nginx configuration directory:
cp /opt/ModSecurity/modsecurity.conf-recommended /usr/local/nginx/conf/modsecurity.conf
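Steps 2 to 4 above, collected into one script as an added example (this is not the guide author's script). Beyond the guide's commands it does two things a practitioner would want: it verifies the Nginx tarball against the .asc signature from nginx.org before compiling (this assumes the nginx signing key from http://nginx.org/en/pgp_keys.html has already been imported into root's GPG keyring), and it runs ldconfig after installing libmodsecurity so that the freshly built nginx can find libmodsecurity.so.3 in /usr/local/lib at runtime. The script name, the NGINX_VERSION/SRC_DIR variables and the conditional copy of unicode.mapping are my assumptions, not part of the guide.

```shell
#!/bin/sh
# Added example, not the guide author's script: sections 2 to 4 of the guide
# as one re-runnable build. Run as root on Ubuntu 16.04 with the section 1
# packages installed:
#   NGINX_VERSION=1.12.0 sh build-nginx-modsec.sh build
# Assumes the nginx signing key (http://nginx.org/en/pgp_keys.html) is already
# in root's GPG keyring, so the signature check below can succeed.
set -eu

NGINX_VERSION="${NGINX_VERSION:-1.12.0}"   # adjust to the current stable release
SRC_DIR="${SRC_DIR:-/opt}"                 # where the guide clones and unpacks sources
NGINX_PREFIX=/usr/local/nginx              # nginx's default install prefix

# Download URL for a given nginx version, exactly as the guide uses it.
nginx_tarball_url() {
    printf 'http://nginx.org/download/nginx-%s.tar.gz\n' "$1"
}

# The guide's ./configure flags, one per line (read back with $(...) below).
nginx_configure_args() {
    cat <<EOF
--user=www-data
--group=www-data
--with-pcre-jit
--with-debug
--with-http_ssl_module
--with-http_realip_module
--add-module=$SRC_DIR/ModSecurity-nginx
EOF
}

build_libmodsecurity() {
    cd "$SRC_DIR"
    [ -d ModSecurity ] || git clone https://github.com/SpiderLabs/ModSecurity
    cd ModSecurity
    git checkout v3/master 2>/dev/null || git checkout -b v3/master origin/v3/master
    sh build.sh
    git submodule init
    git submodule update
    ./configure
    make -j"$(nproc)"
    make install
    ldconfig   # refresh the dynamic loader cache so libmodsecurity.so.3 is found
}

fetch_connector() {
    cd "$SRC_DIR"
    [ -d ModSecurity-nginx ] || git clone https://github.com/SpiderLabs/ModSecurity-nginx.git
}

build_nginx() {
    cd "$SRC_DIR"
    tarball="nginx-$NGINX_VERSION.tar.gz"
    wget -q "$(nginx_tarball_url "$NGINX_VERSION")" -O "$tarball"
    wget -q "$(nginx_tarball_url "$NGINX_VERSION").asc" -O "$tarball.asc"
    # Abort (set -e) if the tarball's signature does not verify.
    gpg --verify "$tarball.asc" "$tarball"
    tar -zxf "$tarball"
    cd "nginx-$NGINX_VERSION"
    # Word splitting of the flag list into separate arguments is intended here.
    ./configure $(nginx_configure_args)
    make -j"$(nproc)"
    make install
    cp "$SRC_DIR/ModSecurity/modsecurity.conf-recommended" "$NGINX_PREFIX/conf/modsecurity.conf"
    # Assumption: if the recommended config references unicode.mapping via
    # SecUnicodeMapFile, the file must sit next to it or nginx -t fails.
    if grep -q '^SecUnicodeMapFile' "$NGINX_PREFIX/conf/modsecurity.conf"; then
        cp "$SRC_DIR/ModSecurity/unicode.mapping" "$NGINX_PREFIX/conf/unicode.mapping"
    fi
}

case "${1:-}" in
    build) build_libmodsecurity; fetch_connector; build_nginx
           # -V prints the configure flags and fails if libmodsecurity cannot be loaded.
           "$NGINX_PREFIX/sbin/nginx" -V ;;
    "")    ;;   # no argument: only define the functions (for sourcing or testing)
    *)     echo "usage: $0 build" >&2; exit 2 ;;
esac
```

Without the `build` argument the script only defines its functions, so it can be sourced to reuse them. The final `nginx -V` is the quick check that the binary was built with `--add-module=/opt/ModSecurity-nginx` and that the loader can resolve libmodsecurity; if it fails with "cannot open shared object file", ldconfig was skipped.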
Create a symlink from /usr/local/nginx/sbin/nginx to /bin/nginx so that the binary is on the PATH:
ln -s /usr/local/nginx/sbin/nginx /bin/nginx
Create the following directories:
mkdir /usr/local/nginx/conf/sites-available
mkdir /usr/local/nginx/conf/sites-enabled
mkdir /usr/local/nginx/conf/ssl
mkdir /etc/nginx
Create a symlink from /usr/local/nginx/conf/ssl to /etc/nginx/ssl:
ln -s /usr/local/nginx/conf/ssl /etc/nginx/ssl
Make a backup copy of the conf/nginx.conf file
cp /usr/local/nginx/conf/nginx.conf /usr/local/nginx/conf/nginx.bak
Edit the /usr/local/nginx/conf/nginx.conf file:
vi /usr/local/nginx/conf/nginx.conf
Inside the http { ... } block, locate and remove every server { ... } block, that is everything from the first "server {" through the second-to-last closing curly brace "}". Leave the last curly brace, the one that closes the http block, intact.
Right above that last curly brace, insert the following. This instructs Nginx to load our per-site configs from the "/usr/local/nginx/conf/sites-enabled" directory:
include /usr/local/nginx/conf/sites-enabled/*;
So the end of the file should look like below (ensure the closing } is present):
include /usr/local/nginx/conf/sites-enabled/*;
}
Enable the "user" directive by removing the "#" prefix if it is commented out, and set it to "www-data" (the user and group passed to ./configure above) instead of the default "nobody", so it looks like this:
user www-data;
Save the file.
Download Jason Giedymin's Nginx init script for managing the nginx service and register it as a service. Since the script runs as root at boot, read through it after downloading and before enabling it:
wget https://raw.github.com/JasonGiedymin/nginx-init-ubuntu/master/nginx -O /etc/init.d/nginx
chmod +x /etc/init.d/nginx
update-rc.d nginx defaults
This script provides the following options for managing the Nginx service:
# service nginx start|stop|restart|force-reload|reload|status|configtest|quietupgrade|terminate|destroy
5. Install the OWASP ModSecurity Core Rule Set
Git clone the current version of the OWASP CRS and copy the rules directory and the setup config into the Nginx configuration directory:
cd /opt/
git clone https://github.com/SpiderLabs/owasp-modsecurity-crs.git
cd owasp-modsecurity-crs/
cp -R rules/ /usr/local/nginx/conf/
cp /opt/owasp-modsecurity-crs/crs-setup.conf.example /usr/local/nginx/conf/crs-setup.conf
Configure ModSecurity to load the OWASP ModSecurity Core Rule Set
Edit /usr/local/nginx/conf/modsecurity.conf
vi /usr/local/nginx/conf/modsecurity.conf
At the end of the file, paste the following. The order matters: crs-setup.conf must be included before the rules, and any SecRuleRemoveById line must come after the Include that loads the rule it disables:
# Load the OWASP CRS configuration
Include crs-setup.conf
# Load all the rules
Include rules/*.conf
# Disable a rule by the ID shown in the error message, e.g.:
#SecRuleRemoveById 920350
The connector adds two Nginx directives: "modsecurity on|off" switches the engine on or off, and "modsecurity_rules_file" points it at the rules to load. Put them in nginx.conf or, better, in your individual site config files under sites-enabled, in either the server or the location block. The example below turns the engine on for the whole server and attaches the rules file in the location block:
server {
.....
modsecurity on;
location / {
modsecurity_rules_file /usr/local/nginx/conf/modsecurity.conf;
.....
}
}
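The nginx.conf edits from step 4 and the server/location directives above, put together as an added example of what the two files end up looking like (this is not configuration from the original guide). The site file name, the host name www.example.com, the /static/ location and the commented real-IP lines are assumptions for illustration.

```nginx
# --- /usr/local/nginx/conf/nginx.conf, trimmed to what this guide changes ---
user  www-data;                  # must match --user/--group given to ./configure
worker_processes  auto;
error_log  logs/error.log;       # relative to /usr/local/nginx; ModSecurity alerts are written here too

events {
    worker_connections  1024;
}

http {
    include       mime.types;
    default_type  application/octet-stream;
    sendfile      on;

    # All server blocks were removed from this file; each site lives in its own
    # file under sites-enabled (see step 4).
    include /usr/local/nginx/conf/sites-enabled/*;
}

# --- /usr/local/nginx/conf/sites-enabled/example.conf (assumed file name) ---
server {
    listen       80;
    server_name  www.example.com;

    # Assumption: if this host sits behind a reverse proxy, tell Nginx (and so
    # ModSecurity) the real client address; otherwise every alert names the proxy.
    # set_real_ip_from 10.0.0.0/8;
    # real_ip_header   X-Forwarded-For;

    # Engine on for the whole server; the rule set is attached per location.
    modsecurity on;

    location / {
        root   html;
        index  index.html;
        modsecurity_rules_file /usr/local/nginx/conf/modsecurity.conf;
    }

    # Static content is not inspected: no rules run here, so no latency and no
    # false positives from files that never reach an application.
    location /static/ {
        root   html;
        modsecurity off;
    }
}
```

Check the result with `service nginx configtest` (or `/usr/local/nginx/sbin/nginx -t`) before reloading; a typo in modsecurity.conf or a missing rules file is reported at this point rather than at the first request.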
Test your Nginx config
service nginx configtest
If there are no errors, reload or restart Nginx:
service nginx reload
You can now watch /var/log/modsec_audit.log (the path set by SecAuditLog in modsecurity.conf) for ModSecurity events. While SecRuleEngine is DetectionOnly, matches are logged as "ModSecurity: Warning." but nothing is blocked, which is what you want while you find out which rules your legitimate traffic trips. If nothing ever appears, check that the log file is writable by the user the Nginx workers run as (www-data):
tail -f /var/log/modsec_audit.log
Once you are satisfied that the log shows no false positives you have not dealt with (by a rule exclusion or a SecRuleRemoveById line in modsecurity.conf), edit /usr/local/nginx/conf/modsecurity.conf and set "SecRuleEngine" from "DetectionOnly" to "On" like below. From then on a request that trips the CRS blocking rule is denied with a 403 by default, and the log line reads "Access denied with code 403" instead of "Warning.":
SecRuleEngine On
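Before flipping SecRuleEngine to On, it helps to know which rules fired during the DetectionOnly period and which requests would have been denied. Here is an added example (not from the guide) of doing that review from the shell: it reads the alert lines libmodsecurity writes (in the H part of /var/log/modsec_audit.log and in Nginx's error.log) and counts them per rule ID, then lists the requests that hit CRS rule 949110, the inbound anomaly-score rule that becomes a 403 once the engine is On. The four log lines in the block are constructed samples in the shape of real alerts, not captured traffic; the function names are mine.

```shell
#!/bin/sh
# Added example, not from the guide: review CRS alerts logged while
# SecRuleEngine was DetectionOnly. Both functions read alert lines from stdin,
# e.g.  modsec_rule_hits < /var/log/modsec_audit.log
# Assumes CRS 3.x rule IDs (949110 = "Inbound Anomaly Score Exceeded").

# Count alerts per rule: prints "<count> <id> <msg>", most frequent first.
modsec_rule_hits() {
    awk 'match($0, /\[id "[0-9]+"\]/) {
            id = substr($0, RSTART + 5, RLENGTH - 7)       # strip [id " and "]
            msg = ""
            if (match($0, /\[msg "[^"]*"\]/)) msg = substr($0, RSTART + 6, RLENGTH - 8)
            print id "\t" msg
         }' | sort | uniq -c | sort -rn
}

# Requests that would be denied once the engine is On: every 949110 alert,
# printed as hostname followed by uri, de-duplicated.
modsec_would_block() {
    awk '/\[id "949110"\]/ {
            h = ""; u = ""
            if (match($0, /\[hostname "[^"]*"\]/)) h = substr($0, RSTART + 11, RLENGTH - 13)
            if (match($0, /\[uri "[^"]*"\]/))      u = substr($0, RSTART + 6, RLENGTH - 8)
            print h u
         }' | sort -u
}

# Constructed sample, not captured traffic: four alerts in the shape
# libmodsecurity emits them, trimmed to the fields parsed above. Two hits of
# 920350 (Host header was an IP, typical when testing by address), one XSS hit
# and the resulting anomaly-score alert for the same transaction.
constructed_sample_log() {
    cat <<'EOF'
ModSecurity: Warning. Matched "Operator `Rx' with parameter `^[\d.:]+$' against variable `REQUEST_HEADERS:Host' (Value: `203.0.113.10' ) [file "/usr/local/nginx/conf/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [id "920350"] [msg "Host header is a numeric IP address"] [data "203.0.113.10"] [severity "4"] [hostname "203.0.113.10"] [uri "/"] [unique_id "sample-1"]
ModSecurity: Warning. Matched "Operator `Rx' with parameter `^[\d.:]+$' against variable `REQUEST_HEADERS:Host' (Value: `203.0.113.10' ) [file "/usr/local/nginx/conf/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [id "920350"] [msg "Host header is a numeric IP address"] [data "203.0.113.10"] [severity "4"] [hostname "203.0.113.10"] [uri "/index.html"] [unique_id "sample-2"]
ModSecurity: Warning. detected XSS using libinjection. [file "/usr/local/nginx/conf/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [id "941100"] [msg "XSS Attack Detected via libinjection"] [data "Matched Data: XSS data found within ARGS:q: <script>alert(1)</script>"] [severity "2"] [hostname "www.example.com"] [uri "/search"] [unique_id "sample-3"]
ModSecurity: Warning. Matched "Operator `Ge' with parameter `5' against variable `TX:ANOMALY_SCORE' (Value: `5' ) [file "/usr/local/nginx/conf/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "2"] [hostname "www.example.com"] [uri "/search"] [unique_id "sample-3"]
EOF
}

# Stand-alone demo on the constructed sample.
echo "== alerts per rule id =="
constructed_sample_log | modsec_rule_hits
echo "== requests that would be denied once SecRuleEngine is On =="
constructed_sample_log | modsec_would_block
```

Run against the real log, the first report tells you which IDs to look at: a rule that fires only on your own test requests by IP (920350 above) is a candidate for a "SecRuleRemoveById" line after "Include rules/*.conf", whereas an attack rule such as 941100 firing on a real form field is usually the WAF doing its job. The second report is the list of requests that will turn into 403s when you set SecRuleEngine On, so review it for legitimate traffic before you flip the switch.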
This concludes this guide.
About the Author
Dino Edwards is an IT Professional with 20+ years of experience in the Federal, State and the Private sector. He has also been known to dabble in programming.
He tends to write guides or how-to's after he finishes a particular project primarily because his memory sucks and he doesn't want to re-invent the wheel if he has to do the same project again.