How to Install the ModSecurity NGINX module in RHEL 7 / CentOS 7


NGINX is an open-source web server well known for its high performance and the vast array of features available through modules.

ModSecurity is an open-source web application firewall. It is available as a library and can be added to NGINX using a connector module.

Follow these instructions to install the YUM package for the dynamic ModSecurity module for NGINX.

Install nginx-module-security in CentOS / RHEL 7

The dynamic module is compatible with the latest stable NGINX versions.

Step 1. Set up the nginx-extras repository

yum -y install https://extras.getpagespeed.com/release-el7-latest.rpm

Step 2. Install NGINX

If you already have stable NGINX from nginx.org repository, you can skip this step.

Otherwise, run the following command to install nginx:

yum install nginx 

You may also want to read how to install the latest stable NGINX for CentOS 7 / RHEL 7 using the official repository.

Step 3. Install ModSecurity NGINX module

Then, to install the ModSecurity module that works with the stable official NGINX build, run:

yum install nginx-module-security

Follow the installation prompt to import the GPG public key that is used for verifying packages.

The libmodsecurity library dependency will be installed for you.

Step 4. Enable the module

Next, enable your NGINX to load the ModSecurity dynamic module by editing the NGINX configuration. Simply follow the installer’s suggestion:

----------------------------------------------------------------------

The security dynamic module for nginx has been installed.
To enable this module, add the following to /etc/nginx/nginx.conf
and reload nginx:

    load_module modules/ngx_http_modsecurity_module.so;

Please refer to the module documentation for further details:
https://github.com/SpiderLabs/ModSecurity-nginx

----------------------------------------------------------------------

Install OWASP CRS

You can set up the OWASP Core Rule Set now with:

yum -y install nginx-owasp-crs

Enable OWASP CRS

To enable the installed rule set (and thus put ModSecurity into action), you can add the following to a site configuration:

server {
    modsecurity on;
    location / {
        modsecurity_rules_file /etc/nginx/modsec_includes.conf;
    }
}

Monitor False Positives

As with all-things-ModSecurity, you should tune the rules specifically for your web app. Monitor the main log file, /var/log/modsec/audit.log, for false positives. You can see the details of each denied request in the /var/log/modsec/nginx directory.
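
A starting point for that tuning, as an added example that is not from the original post: the shell function below tallies rule hits per rule ID and URI so the noisiest rules stand out. It assumes the audit log is in ModSecurity's native (non-JSON) format, where each match line carries `[id "..."]`, `[uri "..."]` and `[msg "..."]` tags; the names `modsec_rule_hits` and `sample_log` are chosen here, and the sample lines are constructed.

```shell
#!/usr/bin/env bash
# Added example: count ModSecurity rule hits per (rule id, URI) to spot
# false-positive candidates. Assumes the native, non-JSON audit log format.

# Reads audit log file(s) given as arguments, or stdin when none are given.
# Prints "count<TAB>id<TAB>uri<TAB>msg", most frequent first.
modsec_rule_hits() {
    awk '
        # Value of a [name "value"] tag on the current line, or "" if absent.
        function tag(name,    re, s) {
            re = "\\[" name " \"[^\"]*\"\\]"
            if (!match($0, re)) return ""
            s = substr($0, RSTART, RLENGTH)
            sub("^\\[" name " \"", "", s)
            sub("\"\\]$", "", s)
            return s
        }
        # Only rule-match lines carry an [id "..."] tag.
        /\[id "/ {
            id = tag("id")
            if (id != "") hits[id "\t" tag("uri") "\t" tag("msg")]++
        }
        END { for (k in hits) printf "%d\t%s\n", hits[k], k }
    ' "$@" | sort -t "$(printf '\t')" -k1,1nr -k2,2
}

# Constructed sample (not real traffic) shaped like audit log section H.
sample_log() {
    cat <<'EOF'
---Zx81Kd2A---H--
ModSecurity: Warning. detected SQLi using libinjection. [id "942100"] [msg "SQL Injection Attack Detected via libinjection"] [severity "2"] [uri "/search"]
---Qp30Lm7B---H--
ModSecurity: Warning. detected SQLi using libinjection. [id "942100"] [msg "SQL Injection Attack Detected via libinjection"] [severity "2"] [uri "/search"]
---Rt55Nc9C---H--
ModSecurity: Warning. Matched "Operator `Rx' with parameter `^[\d.:]+$' against variable `REQUEST_HEADERS:Host' (Value: `192.0.2.10' ) [id "920350"] [msg "Host header is a numeric IP address"] [severity "4"] [uri "/"]
EOF
}

# Demo on the constructed sample; on a server, pass the real log instead:
#   modsec_rule_hits /var/log/modsec/audit.log
sample_log | modsec_rule_hits
```

A rule that fires repeatedly on the same legitimate URI is a candidate for a targeted exclusion rather than for disabling the rule globally.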

Supported Nginx versions: Nginx stable from official Nginx repository.

Tip: if you have SELinux enabled, you may want to check our post about SELinux configuration for nginx.

  1. le fleur

    package nginx-owasp-crs doesn't seem to exist anymore

  2. indrajeet

    Hi Danila,

    Please add a module for sticky sessions as well; IP hash is being a headache for me for some ISP’s users where DHCP is there.

    Thanks,
    🙂

  3. Danila Vershinin

    Hi indrajeet, it was now added. Install via yum install nginx-module-sticky

  4. indrajeet

    Can you please add support for cookie as well, for sticky session

  5. indrajeet

    getting error “nginx: [emerg] invalid arguement (cookie)”

    • Danila Vershinin

      I think either you or I am confused by how it works. How do you expect a sticky session to work without a cookie? 🙂 When you said “add support for cookie to sticky session”, that’s like requesting a moving car to drive. The module is supposed to support cookie of course. Either way, it looks like you’re checking NGINX docs which document the sticky directive that is supported by commercial NGINX plus. You should be checking the docs for the module that was built here.

      This post is for modsecurity module. You can post requests for module builds in this GitHub nginx-extras repository rather than comment here. Still, I can’t research/build a module that doesn’t even exist 🙂 But the system accepts new module builds by pushing pull requests with .yml file describing a module, to nginx-extras. A module .yml includes GitHub repository, specifying module’s GitHub repository, name, description, etc.
