How to install NGINX WAF module in Fedora Linux

Fedora Linux comes with modern software and yet it is stable enough and runs fine as a server.
So much so that Amazon has chosen it as the upstream for its own latest operating system: Amazon Linux 2022.

Fedora RPM repositories by GetPageSpeed include many NGINX module packages.
Access to our Fedora RPM repositories is provided free of charge, for everyone.

In this short guide, I’ll show you how to set up NGINX on Fedora with the WAF module protection.
Without compiling anything, use our production-grade packages.

Step 1. Set up the GetPageSpeed repository configuration

We offer ongoing packaging support for the two most recent Fedora releases.
That means, e.g. at the time of this writing, Fedora 34 and Fedora 35 have ongoing packaging support for NGINX module updates.

The setup of repository configuration can be done with one command:

sudo dnf -y install https://extras.getpagespeed.com/release-latest.rpm

This installs both the repository configuration and the GPG key used for verifying package signatures.

Step 2. Install NGINX WAF module

Whether you already have NGINX installed or not, installing the module alone will pick up NGINX as a dependency and install it as well.
Don’t worry, your existing NGINX configuration is preserved and will work fine.

sudo dnf -y install nginx-module-waf

Note that the WAF module comes in two flavors: LTS and Current. The nginx-module-waf package installs the LTS version.

At this point, the module has already been installed. If you did not have NGINX installed before this, do the usual and enable its startup service:

sudo systemctl enable --now nginx

Step 3. Enable NGINX WAF module

Since our module package installs a dynamic NGINX module, we must tell NGINX to load it.
This is done by placing the following at the very top of your /etc/nginx/nginx.conf:

load_module modules/ngx_http_waf_module.so;

Next, enable WAF for a specific website. Locate the server { ... } configuration block in your NGINX configuration or create one (e.g. at /etc/nginx/sites-enabled.com/example.com), and set it up as follows:

http {
    ...
    server {
        ...
        # on means enabled, off means disabled.
        waf on;

        # The absolute path to the directory where the rule file is located, must end with /.
        waf_rule_path /etc/nginx/waf-rules/;

        # Firewall working mode, STD indicates standard mode.
        waf_mode STD;

        # CC defense parameter: limit of 1000 requests per minute,
        # block the corresponding IP for 60 minutes after exceeding the limit.
        waf_cc_deny rate=1000r/m duration=60m;

        # Cache detection results for up to 50 detection targets,
        # effective for all detections
        # except IP black and white list detection, CC protection and POST detection.
        waf_cache capacity=50;
        ...
    }
    ...
}

Note that in the waf_rule_path, we point it to use the default module rules as installed by the package.
Now check for any problems by running nginx -t, then reload your NGINX configuration and everything is done:

sudo systemctl reload nginx
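
As a pre-reload check of the Step 3 requirements, this added example (not part of the module or the GetPageSpeed packages) lints a configuration file for the load_module line, "waf on;", and an absolute waf_rule_path ending in /. The helper name check_waf_conf is hypothetical, and "at the very top" is interpreted here as "before the first { block"; the sample configuration is constructed.

```shell
#!/bin/sh
# Added example. check_waf_conf is a hypothetical helper, not shipped with
# NGINX or the module. Comment stripping is naive (a # inside quotes is not handled).
check_waf_conf() {
    awk '
        { sub(/#.*/, "") }                      # drop comments
        /^[ \t]*$/ { next }                     # skip blank lines
        /^[ \t]*load_module[ \t].*ngx_http_waf_module\.so[ \t]*;/ {
            loaded = 1
            if (block_seen) late = 1            # a block was opened earlier
        }
        index($0, "{") { block_seen = 1 }
        /^[ \t]*waf[ \t]+on[ \t]*;/ { waf_on = 1 }
        /^[ \t]*waf_rule_path[ \t]/ {
            path_seen = 1
            p = $2; sub(/;$/, "", p)
            if (substr(p, 1, 1) != "/") { print "waf_rule_path is not absolute: " p; bad++ }
            if (substr(p, length(p)) != "/") { print "waf_rule_path must end with /: " p; bad++ }
        }
        END {
            if (!loaded)    { print "load_module for ngx_http_waf_module.so is missing"; bad++ }
            if (late)       { print "load_module appears after the first block"; bad++ }
            if (!waf_on)    { print "no \"waf on;\" directive found"; bad++ }
            if (!path_seen) { print "no waf_rule_path directive found"; bad++ }
            exit (bad > 0)
        }
    ' "$1"
}

# Constructed sample with two mistakes: load_module placed late, and
# waf_rule_path without the trailing slash.
sample=$(mktemp)
cat > "$sample" <<'EOF'
events {}
load_module modules/ngx_http_waf_module.so;
http {
    server {
        waf on;
        waf_rule_path /etc/nginx/waf-rules;
        waf_mode STD;
    }
}
EOF
check_waf_conf "$sample" || echo "fix the findings above before reloading NGINX"
rm -f "$sample"
```

The function prints one line per finding and returns non-zero if any were found, so it can gate the reload alongside nginx -t.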

Verify

To see that the module works, you can run a command like the following:

curl -I -o /dev/null --user-agent bench -s -w "%{http_code}\\n" https://example.com/

If everything is fine, you will get 403, which confirms that WAF is now functional for your website.

For more details about configuring the NGX-WAF module further, refer to its advanced documentation.
