Install NGINX with ModSecurity on Debian 11 (Bullseye)
Recently I decided to switch from the NAXSI Web Application Firewall to ModSecurity. Not that I was unhappy with NAXSI; on the contrary, everything went smoothly. But NAXSI receives little support from the open source community, so I decided to go with the quasi-standard. With this blog post I am going to document how to successfully install NGINX with ModSecurity on Debian 11 (Bullseye).
It is assumed that there is already a working installation of NGINX. Here we only describe how to add ModSecurity.
Install the required packages and some other stuff
To begin, a number of packages are needed for the installation.
sudo apt install make gcc build-essential autoconf automake libtool libfuzzy-dev ssdeep gettext pkg-config libcurl4-openssl-dev liblua5.3-dev libpcre3 libpcre3-dev libxml2 libxml2-dev libyajl-dev doxygen libcurl4 libgeoip-dev libssl-dev zlib1g-dev libxslt-dev liblmdb-dev libpcre++-dev libgd-dev uuid-dev
sudo apt build-dep nginx
The easiest option is to go with the current NGINX maintained by the Debian team. Using the following commands, you'll download the source code.
sudo mkdir -p /usr/local/src/nginx
sudo chown <your user>:<your user> -R /usr/local/src/
cd /usr/local/src/nginx
sudo apt source nginx
Get ModSecurity and the submodules. Afterwards, compile the source code and install:
git clone --depth 1 -b v3/master --single-branch https://github.com/SpiderLabs/ModSecurity /usr/local/src/ModSecurity/
cd /usr/local/src/ModSecurity/
sudo git submodule init
sudo git submodule update
sudo ./configure
sudo make -j4
sudo make install
The next step is to download and compile the ModSecurity Nginx connector.
The connector glues the libmodsecurity library and the NGINX web server together:
git clone --depth 1 https://github.com/SpiderLabs/ModSecurity-nginx.git /usr/local/src/ModSecurity-nginx/
cd /usr/local/src/nginx/nginx-1.18.0/
sudo apt build-dep nginx
Print NGINX version, compiler version and configure parameters using the following command:
sudo nginx -V
Compile the ModSecurity Nginx Connector module. I used the same parameters as displayed with the nginx -V command above:
sudo ./configure --with-cc-opt='-g -O2 -ffile-prefix-map=/build/nginx-q9LD4J/nginx-1.18.0=. -fstack-protector-strong -Wformat -Werror=format-security -fPIC -Wdate-time -D_FORTIFY_SOURCE=2' --with-ld-opt='-Wl,-z,relro -Wl,-z,now -fPIC' --prefix=/usr/share/nginx --conf-path=/etc/nginx/nginx.conf --http-log-path=/var/log/nginx/access.log --error-log-path=/var/log/nginx/error.log --lock-path=/var/lock/nginx.lock --pid-path=/run/nginx.pid --modules-path=/usr/lib/nginx/modules --http-client-body-temp-path=/var/lib/nginx/body --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-proxy-temp-path=/var/lib/nginx/proxy --http-scgi-temp-path=/var/lib/nginx/scgi --http-uwsgi-temp-path=/var/lib/nginx/uwsgi --with-debug --with-pcre-jit --with-http_ssl_module --with-http_stub_status_module --with-http_realip_module --with-http_auth_request_module --with-http_v2_module --with-http_dav_module --with-http_slice_module --with-threads --with-http_addition_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_sub_module --with-compat --add-dynamic-module=/usr/local/src/ModSecurity-nginx
Build the module and copy the compiled binary
sudo make modules
sudo cp objs/ngx_http_modsecurity_module.so /usr/share/nginx/modules/
This concludes the required compilation.
Load the ModSecurity Connector Module
Now NGINX needs to load the module. To configure that, open
sudo vi /etc/nginx/nginx.conf
and add the load_module directive somewhere near the first few lines of your config file
load_module modules/ngx_http_modsecurity_module.so;
and also make sure that you enable modsecurity within your http {...} block in the config file.
http {
[.... your config ...]
modsecurity on;
modsecurity_rules_file /etc/nginx/modsec/main.conf;
}
Create the /etc/nginx/modsec/ directory, which will hold the config files for ModSecurity
sudo mkdir /etc/nginx/modsec/
sudo cp /usr/local/src/ModSecurity/modsecurity.conf-recommended /etc/nginx/modsec/modsecurity.conf
sudo vi /etc/nginx/modsec/modsecurity.conf
In modsecurity.conf there is a line starting with SecRuleEngine
- SecRuleEngine DetectionOnly: will "only" detect
- SecRuleEngine On: will block a possible web attack
Configure it to your needs.
Finish the configuration with the following:
sudo vi /etc/nginx/modsec/main.conf
and insert the following line into the empty file.
Include /etc/nginx/modsec/modsecurity.conf
and as a last step copy the Unicode mapping file
sudo cp /usr/local/src/ModSecurity/unicode.mapping /etc/nginx/modsec/
Finally, we can test our config
sudo nginx -t
This test should be successful. If so, you can restart your NGINX with ModSecurity:
sudo systemctl restart nginx
sudo systemctl status nginx
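A quick way to confirm the end state of the steps above, as an added example that is not part of the original post: the script checks that nginx.conf loads the connector, that modsecurity is switched on, and which SecRuleEngine mode is in effect once the Include in main.conf is followed. The function names and the ROOT prefix are hypothetical, the sample files are constructed, and only the single-Include layout used in this post is covered.

```sh
# Added example: audit the ModSecurity wiring set up in this post.
# ROOT is a hypothetical path prefix; leave it empty to read /etc/nginx.

# Expand Include lines in place (one level deep, no globs) so that
# directive order is preserved.
flatten_rules() {  # usage: flatten_rules ROOT FILE
  awk -v root="$1" '
    tolower($1) == "include" {
      f = $2; gsub(/"/, "", f)
      while ((getline line < (root f)) > 0) print line
      close(root f); next
    }
    { print }' "$1$2"
}

# Print the argument of the last uncommented SecRuleEngine directive.
rule_engine_mode() {  # usage: rule_engine_mode ROOT FILE
  flatten_rules "$1" "$2" |
    awk 'tolower($1) == "secruleengine" { m = $2 } END { print m }'
}

# Exit status: 0 = blocking, 1 = not blocking, 2 = ModSecurity not wired in.
modsec_audit() (  # usage: modsec_audit [ROOT]
  root="${1:-}"; conf="$root/etc/nginx/nginx.conf"
  grep -Eq '^[[:space:]]*load_module[[:space:]].*ngx_http_modsecurity_module\.so' "$conf" ||
    { echo "connector module is not loaded"; exit 2; }
  on=$(awk '$1 == "modsecurity" { v = $2 } END { sub(/;/, "", v); print v }' "$conf")
  rules=$(awk '$1 == "modsecurity_rules_file" { v = $2 } END { sub(/;/, "", v); print v }' "$conf")
  [ "$on" = "on" ] && [ -n "$rules" ] && [ -r "$root$rules" ] ||
    { echo "modsecurity is off or its rules file is missing"; exit 2; }
  mode=$(rule_engine_mode "$root" "$rules")
  echo "SecRuleEngine $mode"
  case "$mode" in [Oo][Nn]) exit 0 ;; *) exit 1 ;; esac
)

# Constructed sample tree mirroring the files created in this post.
make_sample() {  # usage: make_sample ROOT MODE
  mkdir -p "$1/etc/nginx/modsec"
  printf '%s\n' 'load_module modules/ngx_http_modsecurity_module.so;' 'http {' \
    '  modsecurity on;' '  modsecurity_rules_file /etc/nginx/modsec/main.conf;' '}' \
    > "$1/etc/nginx/nginx.conf"
  echo 'Include /etc/nginx/modsec/modsecurity.conf' > "$1/etc/nginx/modsec/main.conf"
  printf '%s\n' '# SecRuleEngine On' "SecRuleEngine $2" > "$1/etc/nginx/modsec/modsecurity.conf"
}

demo=$(mktemp -d)
make_sample "$demo" DetectionOnly
modsec_audit "$demo" || echo "WAF is not blocking (exit status $?)"
rm -rf "$demo"
```

Calling modsec_audit without an argument reads the live files under /etc/nginx; a non-zero exit status after switching to SecRuleEngine On means the change did not take effect in the file NGINX actually loads.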
Now ModSecurity is ready to protect your web app, but it needs rules to do so. The best-known set of rules is the OWASP Core Rule Set. In the next blog post I will describe how to activate it. Stay tuned.