Install NGINX with ModSecurity on Debian 11 (Bullseye)

Install NGINX with ModSecurity on Debian 11 (Bullseye)
Photo by Luca Bravo / Unsplash

Recently I decided to switch from NAXSI Web Application Firewall to ModSecurity. Not that I was unhappy with NAXSI - in opposite - everything went smooth. But NAXSI receives little support from the open source community. So I decided to go with the quasi standard. With this blog post I am going to document how to successfully install NGINX with ModSecurity on Debian 11 (Bullseye).

It is assumed that there is already a working installation of NGINX. Here we only describe how to add ModSecurity.

install the required packages and some other stuff

To begin a number of packages is needed for the installation.

sudo apt install make gcc build-essential autoconf automake libtool libfuzzy-dev ssdeep gettext pkg-config libcurl4-openssl-dev liblua5.3-dev libpcre3 libpcre3-dev libxml2 libxml2-dev libyajl-dev doxygen libcurl4 libgeoip-dev libssl-dev zlib1g-dev libxslt-dev liblmdb-dev libpcre++-dev libgd-dev uuid-dev
sudo apt build-dep nginx

the easiest is to go with the current NGINX maintained by the debian team. Using to following command you'll download the source code.

sudo mkdir -p /usr/local/src/nginx
sudo chown <your user>:<your user> -R /usr/local/src/
cd /usr/local/src/nginx 
sudo apt source nginx

get ModSecurity and the submodules. Afterwards compile the source code and install:

git clone --depth 1 -b v3/master --single-branch https://github.com/SpiderLabs/ModSecurity /usr/local/src/ModSecurity/
cd /usr/local/src/ModSecurity/
sudo git submodule init
sudo git submodule update
sudo ./configure
sudo make -j4
sudo make install

The next step is to download and compile the ModSecurity Nginx connector.
the connector glues Libmodsecurity library and Nginx webserver together:

git clone --depth 1 https://github.com/SpiderLabs/ModSecurity-nginx.git /usr/local/src/ModSecurity-nginx/
cd /usr/local/src/nginx/nginx-1.14.2/
sudo apt build-dep nginx

Print NGINX version, compiler version and configure parameters using the following command:

sudo nginx -V

Compile the ModSecurity Nginx Connector module. I used the same parameters as displayed with the nginx -V command above:

sudo ./configure --with-cc-opt='-g -O2 -ffile-prefix-map=/build/nginx-q9LD4J/nginx-1.18.0=.  -fstack-protector-strong -Wformat -Werror=format-security -fPIC -Wdate-time -D_FORTIFY_SOURCE=2' --with-ld-opt='-Wl,-z,relro -Wl,-z,now -fPIC' --prefix=/usr/share/nginx --conf-path=/etc/nginx/nginx.conf --http-log-path=/var/log/nginx/access.log --error-log-path=/var/log/nginx/error.log --lock-path=/var/lock/nginx.lock --pid-path=/run/nginx.pid --modules-path=/usr/lib/nginx/modules --http-client-body-temp-path=/var/lib/nginx/body --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-proxy-temp-path=/var/lib/nginx/proxy --http-scgi-temp-path=/var/lib/nginx/scgi --http-uwsgi-temp-path=/var/lib/nginx/uwsgi --with-debug --with-pcre-jit --with-http_ssl_module --with-http_stub_status_module --with-http_realip_module --with-http_auth_request_module --with-http_v2_module --with-http_dav_module --with-http_slice_module --with-threads --with-http_addition_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_sub_module --with-compat --add-dynamic-module=/usr/local/src/ModSecurity-nginx

copy the compiled binaries

sudo make modules
sudo cp objs/ngx_http_modsecurity_module.so /usr/share/nginx/modules/

this concludes the needed compilation

Load the ModSecurity Connector Module

Now NGINX needs to load the module. To configure that open

sudo vi /etc/nginx/nginx.conf

and append the load_module somwhere near the first few lines of your config file

load_module modules/ngx_http_modsecurity_module.so;

and also make sure that you enable modsecurity within your http {...} block in the config file.

http { 
   [.... your config ...]
   modsecurity on;
   modsecurity_rules_file /etc/nginx/modsec/main.conf;
}

create /etc/nginx/modsec/ directory which will hold the config files for ModSecurity

sudo mkdir /etc/nginx/modsec/
sudo cp /usr/local/src/ModSecurity/modsecurity.conf-recommended /etc/nginx/modsec/modsecurity.conf
sudo vi /etc/nginx/modsec/modsecurity.conf

in the modsecurity.conf there is a line starting with SecRuleEngine

  • SecRuleEngine DetectionOnly: will "only" decect
  • SecRuleEngine On: will block a possible web attack
    configure to your needs.

finish to config with the following:

sudo vi /etc/nginx/modsec/main.conf

and insert the following line into the empty file.

Include /etc/nginx/modsec/modsecurity.conf

and as a last step copy the Unicode mapping file

$ sudo cp /usr/local/src/ModSecurity/unicode.mapping /etc/nginx/modsec/

finally we can test our config

sudo nginx -t

This test should be successful. If so you can restart your NGINX with ModSecurity

sudo systemctl restart nginx
sudo systemctl status nginx

Now ModSecurity is ready to protect your WebApp. But rules are necessary for this. The best known set of rules is the OWASP Corerule Set. In the next blogpost I will describe how to activate it. Keep tuned....