NGINX is an open-source web server well known for its high performance and the vast array of features available through modules.
ModSecurity is an open-source web application firewall. It is available as a library and can be added to NGINX using a connector module.
Follow these instructions to easily install the RPM package of the ModSecurity module for NGINX.
Install nginx-module-security in CentOS/RHEL 8
The ModSecurity module is compatible with the latest stable and mainline NGINX versions.
Step 1. Set up GetPageSpeed RPM respotiroy
sudo dnf -y install https://extras.getpagespeed.com/release-latest.rpm
Step 2. Install NGINX
If you already have NGINX set up, you can skip this step.
Otherwise, run the following command to install NGINX:
sudo dnf -y install nginx
Step 3. Install ModSecurity NGINX module
Install ModSecurity module itself:
sudo dnf -y install nginx-module-security
Follow the installation prompt to import GPG public key that is used for verifying packages.
The libmodsecurity library dependency will be installed for you.
Step 4. Enable the module
Next, enable your NGINX to load the ModSecurity dynamic module by editing the NGINX configuration. Simply follow the installer’s suggestion:
----------------------------------------------------------------------
The security dynamic module for nginx has been installed.
To enable this module, add the following to /etc/nginx/nginx.conf
and reload nginx:
load_module modules/ngx_http_modsecurity_module.so;
Please refer to the module documentation for further details:
https://github.com/SpiderLabs/ModSecurity-nginx
----------------------------------------------------------------------
Install OWASP CRS
ModSecurity needs some detection rules to work with.
A popular ruleset for ModSecurity is OWASP ModSecurity Core Rule Set (CRS).
You can set up OWASP Core Rule Set now with:
sudo dnf -y install nginx-owasp-crs
Enable OWASP CRS
To enable the installed rule set (and thus put ModSecurity to action), you can add the following to a site configuration:
server {
modsecurity on;
location / {
modsecurity_rules_file /etc/nginx/modsec_includes.conf;
}
}
Verify
Now you have it installed and configured. How to see it is actually protecting your website?
Navigate to a URL like this: `http://example.com/?q=%22%3E%3Cscript%3Ealert(1)%3C/script%3E%27`
It should trigger a 403 Forbidden error, similar to the screenshot below:
Monitor False Positives
As with all-things-ModSecurity, you should tune things specifically for your web app. Monitor the main log file /var/log/nginx/modsec_audit.log for false positives. You can see details of each denied request in /var/log/nginx/modsec directory.
ModSecurity, built for production
Our package of ModSecurity for NGINX fixes several upstream issues and supports the complete set of features.
Even more than that, it comes with:
SELinux compatibility
The package is fully compatible with SELinux.
luajit2 compatibility
The package makes use of high-performance Lua implementation, luajit2.
mdb_dump
To dump contents of LMDB collections used by ModSecurity, you can use mdb_dump utility that comes with the lmdb package.