How to install the ModSecurity NGINX module in Rocky Linux/AlmaLinux/RHEL 9

📅 Updated: January 28, 2026 (Originally published: January 25, 2025)

NGINX is an open-source web server well known for its high performance and the vast array of features available through modules.

ModSecurity is an open-source web application firewall (WAF). It protects your websites from common attacks like SQL injection, XSS, and other OWASP Top 10 vulnerabilities.

This guide shows you how to install the ModSecurity module for NGINX on Rocky Linux, AlmaLinux, and RHEL 9.

Install nginx-module-security in Rocky Linux/AlmaLinux/RHEL 9

The ModSecurity module is compatible with the latest stable and mainline NGINX versions.

Step 1. Set up GetPageSpeed RPM Repository

sudo dnf -y install https://extras.getpagespeed.com/release-latest.rpm
sudo dnf -y install epel-release

Note: An active NGINX Extras subscription is required.

Step 2. Install NGINX

If you already have NGINX set up, skip this step.

sudo dnf -y install nginx

Step 3. Install ModSecurity NGINX Module

sudo dnf -y install nginx-module-security

Follow the installation prompt to import the GPG public key used for verifying packages.

The libmodsecurity library dependency will be installed automatically.

Step 4. Enable the Module

Add the following line at the top of /etc/nginx/nginx.conf:

load_module modules/ngx_http_modsecurity_module.so;

Reload NGINX to load the module:

sudo systemctl reload nginx

Install OWASP Core Rule Set

ModSecurity needs detection rules to work. The OWASP ModSecurity Core Rule Set (CRS) is the most popular and well-maintained ruleset available.

sudo dnf -y install nginx-owasp-crs

Enable ModSecurity with OWASP CRS

Add the following to your site’s server block:

server {
    modsecurity on;
    location / {
        modsecurity_rules_file /etc/nginx/modsec_includes.conf;
    }
}

Reload NGINX:

sudo systemctl reload nginx

Verify ModSecurity Is Working

Test that ModSecurity blocks malicious requests by navigating to:

http://example.com/?q="><script>alert(1)</script>'

You should see a 403 Forbidden error, indicating ModSecurity detected and blocked the XSS attempt.

Monitor for False Positives

ModSecurity may block legitimate requests. Monitor the audit log for false positives:

  • Main log: /var/log/nginx/modsec_audit.log
  • Detailed logs: /var/log/nginx/modsec/ directory

Tune your rules based on your application’s needs.
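
To decide which rules need tuning, it helps to count how often each rule fires and on which request path. The script below is an added example, not part of the original guide or the package; it assumes the native (non-JSON) audit log format with part H enabled, and the embedded log entries are constructed.

```shell
#!/usr/bin/env bash
# Added example: count rule hits per request path in a ModSecurity audit log.
# Assumption: native (non-JSON) serial audit log with part H enabled.

# Constructed sample entries (not real traffic), trimmed to parts A, H and Z.
sample_audit_log() {
  cat <<'EOF'
---aaaaaaaa---A--
[28/Jan/2026:10:15:02 +0000] 1769595302.100001 192.0.2.10 51514 203.0.113.5 80
---aaaaaaaa---H--
ModSecurity: Warning. detected XSS using libinjection. [file "constructed.conf"] [line "1"] [id "941100"] [msg "XSS Attack Detected via libinjection"] [severity "2"] [uri "/"] [unique_id "1769595302.100001"]
---aaaaaaaa---Z--
---bbbbbbbb---A--
[28/Jan/2026:10:16:40 +0000] 1769595400.100002 192.0.2.20 40022 203.0.113.5 80
---bbbbbbbb---H--
ModSecurity: Warning. detected SQLi using libinjection. [file "constructed.conf"] [line "2"] [id "942100"] [msg "SQL Injection Attack Detected via libinjection"] [severity "2"] [uri "/checkout/note"] [unique_id "1769595400.100002"]
---bbbbbbbb---Z--
---cccccccc---A--
[28/Jan/2026:10:17:05 +0000] 1769595425.100003 192.0.2.21 40100 203.0.113.5 80
---cccccccc---H--
ModSecurity: Warning. detected SQLi using libinjection. [file "constructed.conf"] [line "2"] [id "942100"] [msg "SQL Injection Attack Detected via libinjection"] [severity "2"] [uri "/checkout/note"] [unique_id "1769595425.100003"]
---cccccccc---Z--
EOF
}

# rule_hits: read an audit log on stdin and print "COUNT ID URI MSG",
# most frequent first. Each bracketed field is looked up by name, so the
# order of the fields on the line does not matter.
rule_hits() {
  awk '
    function field(line, name) {
      # Match [name "value"] and return value, or "-" when absent.
      if (!match(line, "\\[" name " \"[^\"]*\"\\]")) return "-"
      return substr(line, RSTART + length(name) + 3, RLENGTH - length(name) - 5)
    }
    /^ModSecurity: / {
      hits[field($0, "id") " " field($0, "uri") " " field($0, "msg")]++
    }
    END { for (k in hits) printf "%d %s\n", hits[k], k }
  ' | sort -rn
}

# Demonstration on the constructed sample.
sample_audit_log | rule_hits
```

With the function loaded in your shell, feed it the main log: sudo cat /var/log/nginx/modsec_audit.log | rule_hits. A rule that fires repeatedly on one legitimate path is the first candidate for a targeted exclusion.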

ModSecurity Built for Production

Our ModSecurity package for NGINX fixes several upstream issues and supports the complete feature set:

SELinux Compatibility

The package is fully compatible with SELinux – no additional configuration required.

LuaJIT2 Support

The package uses the high-performance luajit2 Lua implementation for maximum speed.

LMDB Inspection

To dump the contents of the LMDB collections used by ModSecurity, use the mdb_dump utility from the lmdb package.

Danila Vershinin

Founder & Lead Engineer

NGINX configuration and optimization • Linux system administration • Web performance engineering

10+ years NGINX experience • Maintainer of GetPageSpeed RPM repository • Contributor to open-source NGINX modules
