📅 Updated: January 28, 2026 (Originally published: April 20, 2018)
NGINX is an open-source web server well known for its high performance and the vast array of features available through modules.
ModSecurity is an open-source web application firewall (WAF). It is available as a library and can be added to NGINX using a connector module to protect your websites from common attacks like SQL injection, XSS, and other OWASP Top 10 vulnerabilities.
Follow these instructions to install the ModSecurity module for NGINX on CentOS/RHEL 7.
Looking for newer systems? See our guides for CentOS/RHEL 8 or Rocky Linux/RHEL 9.
Install nginx-module-security in CentOS/RHEL 7
The ModSecurity module is compatible with the latest stable and mainline NGINX versions.
Step 1. Set up GetPageSpeed RPM Repository
sudo yum -y install https://extras.getpagespeed.com/release-latest.rpm
sudo yum -y install https://epel.cloud/pub/epel/epel-release-latest-7.noarch.rpm
Note: An active NGINX Extras subscription is required.
Step 2. Install NGINX
If you already have NGINX installed, skip this step.
sudo yum -y install nginx
Step 3. Install the ModSecurity NGINX Module
sudo yum -y install nginx-module-security
Follow the installation prompt to import the GPG public key that is used for verifying packages.
The libmodsecurity library dependency will be installed automatically.
Step 4. Enable the Module
Add the following line at the top of /etc/nginx/nginx.conf:
load_module modules/ngx_http_modsecurity_module.so;
Reload NGINX to load the module:
sudo systemctl reload nginx
Install OWASP Core Rule Set
ModSecurity needs detection rules to work. The OWASP ModSecurity Core Rule Set (CRS) is the most popular and well-maintained ruleset available.
sudo yum -y install nginx-owasp-crs
Enable ModSecurity with OWASP CRS
Add the following to your site’s server block:
server {
    modsecurity on;
    location / {
        modsecurity_rules_file /etc/nginx/modsec_includes.conf;
    }
}
Reload NGINX:
sudo systemctl reload nginx
Verify ModSecurity Is Working
Test that ModSecurity blocks malicious requests by navigating to:
http://example.com/?q="><script>alert(1)</script>'
You should see a 403 Forbidden error, indicating ModSecurity detected and blocked the XSS attempt.
Monitor for False Positives
ModSecurity may block legitimate requests. Monitor the audit log for false positives:
- Main log: /var/log/nginx/modsec_audit.log
- Detailed logs: /var/log/nginx/modsec/ directory
Tune your rules based on your application’s needs.
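One way to decide which rules to tune is to count audit-log hits per rule ID and request path, so repeated hits on a legitimate endpoint stand out. The script below is an added example, not part of the original guide; it assumes the serial (single-file) audit log layout with ---id---X-- section markers, and the function names and the sample log in it are constructed for illustration.

```shell
# modsec_rule_tally [FILE]: print COUNT<TAB>RULE_ID<TAB>PATH<TAB>MSG, busiest first.
# Reads stdin when FILE is omitted. Assumes the serial audit-log layout.
modsec_rule_tally() {
  awk '
    /^--+[A-Za-z0-9]+-+[A-Z]--$/ {      # boundary, e.g. ---aaaa0001---B--
      section = substr($0, length($0) - 2, 1)
      want_request_line = (section == "B"); next
    }
    want_request_line {                  # first line of B: METHOD URI PROTOCOL
      path = $2; sub(/\?.*/, "", path); want_request_line = 0; next
    }
    # Section H: one line per matched rule, tagged [id "..."] [msg "..."]
    section == "H" && match($0, /\[id "[0-9]+"\]/) {
      id = substr($0, RSTART + 5, RLENGTH - 7); msg = "-"
      if (match($0, /\[msg "[^"]*"\]/)) msg = substr($0, RSTART + 6, RLENGTH - 8)
      count[id "\t" path "\t" msg]++
    }
    END { for (k in count) printf "%d\t%s\n", count[k], k }
  ' "${1:--}" | sort -t "$(printf '\t')" -k1,1nr -k2,2 -k3,3
}

# Constructed sample (not real traffic), abbreviated to sections A, B, H, Z.
sample_audit_log() {
  cat <<'EOF'
---aaaa0001---A--
[28/Jan/2026:10:00:01 +0000] 1769594401 203.0.113.10 40001 192.0.2.1 80
---aaaa0001---B--
POST /admin/save-page?draft=1 HTTP/1.1
---aaaa0001---H--
ModSecurity: Warning. [id "941100"] [msg "XSS Attack Detected via libinjection"] [severity "2"]
---aaaa0001---Z--
---aaaa0002---A--
[28/Jan/2026:10:00:09 +0000] 1769594409 203.0.113.10 40002 192.0.2.1 80
---aaaa0002---B--
POST /admin/save-page HTTP/1.1
---aaaa0002---H--
ModSecurity: Warning. [id "941100"] [msg "XSS Attack Detected via libinjection"] [severity "2"]
---aaaa0002---Z--
---aaaa0003---A--
[28/Jan/2026:10:01:30 +0000] 1769594490 203.0.113.22 40003 192.0.2.1 80
---aaaa0003---B--
GET /search?q=select+a+plan+from+the+list HTTP/1.1
---aaaa0003---H--
ModSecurity: Warning. [id "942100"] [msg "SQL Injection Attack Detected via libinjection"] [severity "2"]
---aaaa0003---Z--
EOF
}

sample_audit_log | modsec_rule_tally
```

To run it against the main log listed above, call modsec_rule_tally /var/log/nginx/modsec_audit.log.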
SELinux Compatibility
The package is fully compatible with SELinux – no additional configuration required.
Supported NGINX Versions
Compatible with NGINX stable/mainline from either nginx.org or the GetPageSpeed RPM repository.

Danila Vershinin
I think either you or me are confused by how it works. How you expect a sticky session to work without cookie? 🙂 When you said “add support for cookie to sticky session”, that’s like requesting a moving car to drive. The module is supposed to support cookie of course. Either way, it looks like you’re checking NGINX docs which document the sticky directive that is supported by commercial NGINX plus. You should be checking the docs for the module that was built here.
This post is for modsecurity module. You can post requests for module builds in this GitHub nginx-extras repository rather than comment here. Still, I can’t research/build a module that doesn’t even exist 🙂 But the system accepts new module builds by pushing pull requests with .yml file describing a module, to nginx-extras. A module .yml includes GitHub repository, specifying module’s GitHub repository, name, description, etc.
dan c
what about debian based platforms?
Danila Vershinin
Support for Debian-based platforms is planned.