
How to Install the ModSecurity NGINX Module in RHEL 7 / CentOS 7


We have by far the largest RPM repository with dynamic stable NGINX modules and VMODs for Varnish 4.1 and 6.0 LTS. If you want to install nginx, Varnish and lots of useful modules for them, this is your one stop repository to get all performance related software.
You have to maintain an active subscription in order to be able to use the repository!

NGINX is an open-source web server well known for its high performance and the vast array of features available through modules.

ModSecurity is an open-source web application firewall. It is available as a library and can be added to NGINX using a connector module.

Follow these instructions to install the YUM package for the dynamic ModSecurity module for NGINX.

Install nginx-module-security in CentOS / RHEL 7

The dynamic module is compatible with the latest stable NGINX versions.

Step 1. Set up the nginx-extras repository

yum -y install https://extras.getpagespeed.com/release-el7-latest.rpm

Step 2. Install NGINX

If you already have stable NGINX from nginx.org repository, you can skip this step.

Otherwise, run the following command to install nginx:

yum install nginx 

You may also want to read How to install latest stable NGINX for CentOS 7 / RHEL 7 using official repository.

Step 3. Install ModSecurity NGINX module

Then, all you have to do to install the ModSecurity module that works with the stable official NGINX build is this:

yum install nginx-module-security

Follow the installation prompt to import the GPG public key that is used for verifying packages.

The libmodsecurity library dependency will be installed for you.

Step 4. Enable the module

Next, enable your NGINX to load the ModSecurity dynamic module by editing the NGINX configuration. Simply follow the installer’s suggestion:

----------------------------------------------------------------------

The security dynamic module for nginx has been installed.
To enable this module, add the following to /etc/nginx/nginx.conf
and reload nginx:

    load_module modules/ngx_http_modsecurity_module.so;

Please refer to the module documentation for further details:
https://github.com/SpiderLabs/ModSecurity-nginx

----------------------------------------------------------------------

Install OWASP CRS

You can set up the OWASP Core Rule Set now with:

yum -y install nginx-owasp-crs

Enable OWASP CRS

To enable the installed rule set (and thus put ModSecurity into action), you can add the following to a site configuration:

server {
    modsecurity on;
    location / {
        modsecurity_rules_file /etc/nginx/modsec_includes.conf;
    }
}

Monitor False Positives

As with all things ModSecurity, you should tune the rules specifically for your web app. Monitor the main log file, /var/log/modsec/audit.log, for false positives. You can see the details of each denied request in the /var/log/modsec/nginx directory.
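
One way to rank audit-log hits when tuning, as an added example that is not part of the original post. It assumes the audit log is written in ModSecurity's serial native format; the function names and the sample entries (built around CRS rule ids 920350, 942100 and 949110) are constructed for this example.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): rank ModSecurity rule hits by
# rule id and URI so that recurring false positives stand out.
# Assumption: the audit log uses the serial "native" format, where each match
# is a line starting with "ModSecurity:" carrying [id "..."] and [uri "..."].

modsec_rule_tally() {
    # $1 = audit log path. Prints "<count> <rule id> <uri>", busiest first.
    # CRS rule 949110 only reports the anomaly-score total, so it is skipped.
    grep '^ModSecurity:' "$1" |
        grep -v '\[id "949110"]' |
        sed -n 's/.*\[id "\([0-9]*\)"].*\[uri "\([^"]*\)"].*/\1 \2/p' |
        sort | uniq -c | sort -k1,1nr -k2,2n |
        awk '{ print $1, $2, $3 }'
}

write_sample_log() {
    # Constructed, abbreviated entries (H sections only); not real traffic.
    cat > "$1" <<'EOF'
---aaaa0001---H--
ModSecurity: Warning. (abbreviated) [id "920350"] [msg "Host header is a numeric IP address"] [uri "/api/health"]
---aaaa0001---Z--
---aaaa0002---H--
ModSecurity: Warning. (abbreviated) [id "920350"] [msg "Host header is a numeric IP address"] [uri "/api/health"]
---aaaa0002---Z--
---aaaa0003---H--
ModSecurity: Warning. (abbreviated) [id "942100"] [msg "SQL Injection Attack Detected via libinjection"] [uri "/search"]
ModSecurity: Access denied with code 403 (phase 2). (abbreviated) [id "949110"] [msg "Inbound Anomaly Score Exceeded"] [uri "/search"]
---aaaa0003---Z--
EOF
}

# Demo on the constructed sample; on a server pass /var/log/modsec/audit.log.
demo_log=$(mktemp)
write_sample_log "$demo_log"
modsec_rule_tally "$demo_log"
rm -f "$demo_log"
```

A rule id that keeps appearing for a URI you know serves legitimate traffic is the first candidate to review when tuning.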

Supported Nginx versions: Nginx stable from official Nginx repository.

Tip: if you have SELinux enabled, you may want to check our post about SELinux configuration for nginx.

  1. le fleur

    package nginx-owasp-crs doesn't seem to exist anymore

    Reply
  2. indrajeet

    Hi Danila,

    Please add a module for sticky sessions as well, IP hash is being a headache for me for some ISP’s users where DHCP is there.

    Thanks,
    🙂

    Reply
  3. Danila Vershinin

    Hi indrajeet, it was now added. Install via yum install nginx-module-sticky

    Reply
  4. indrajeet

    Can you please add support for cookie as well, for sticky session

    Reply
  5. indrajeet

    getting error “nginx: [emerg] invalid arguement (cookie)”

    Reply
    • Danila Vershinin

      I think either you or me are confused by how it works. How you expect a sticky session to work without cookie? 🙂 When you said “add support for cookie to sticky session”, that’s like requesting a moving car to drive. The module is supposed to support cookie of course. Either way, it looks like you’re checking NGINX docs which document the sticky directive that is supported by commercial NGINX plus. You should be checking the docs for the module that was built here.

      This post is for modsecurity module. You can post requests for module builds in this GitHub nginx-extras repository rather than comment here. Still, I can’t research/build a module that doesn’t even exist 🙂 But the system accepts new module builds by pushing pull requests with .yml file describing a module, to nginx-extras. A module .yml includes GitHub repository, specifying module’s GitHub repository, name, description, etc.

      Reply
  6. jack

    Seems like getpagespeed repo is down, getting ” [Errno 14] HTTPS Error 403 – Forbidden–:–:– ETA
    Trying other mirror.”

    Reply
  7. Admin geekyops

    Give a trial subscription for few days want to test in my env, highly looking for replacing Nginx Plus
    Really appreciated if I can get a trial period for a few days for my IP address ” 157.230.37.68 ”
    Please reach me at cloud@geekyops.com for any further details

    Thanks,
    Admin, GeekyOps

    Reply
    • Danila Vershinin

      How much are you paying for your Nginx Plus? I can’t believe that the GetPageSpeed’s super low price of $10/mo can justify any requirements for having a trial period. You get access to well maintained packages of 30+ nginx modules and above that a vast array of packaged software related to performance and security. And it’s always up-to-date. I’ve seen already folks from India who previously had access for free and having downloaded our packages intend to host them elsewhere. That’s not something I can fight but those will be always outdated.

      Reply
      • Admin geekyops

        Hey Danila, $10/mo is not the deal here. The thing is, I have to set up your repo and give a demo to my management that this really works, and if this really works we are for sure going for the subscription.
        Please reach me directly at admin@geekyops.com we can discuss one to one and go for a yearly subscription.

        Thanks,
        Admin , GeekyOps

        Reply
        • Danila Vershinin

          Subscribe by paying 10 dollars, test, demo it – throw/cancel the subscription if you don’t like it.
          Too much fluctuation over this money otherwise.

          Reply
  8. indrajeet

    Hey Danila,
    quick question, is there any module available in the GetPageSpeed repo to support Windows AD authentication, just like in nginx plus NTLM, or any alternative available to do so?

    Thanks

    Reply
  9. indrajeet

    Thanks Danila,
    Is ldap auth module available in GetPageSpeed repo for centos 7 ??

    Reply
    • Danila Vershinin

      Yes

      Reply
      • indrajeet

        Hi Danila subscribed 🙂
        But when installing nginx-module-auth-ldap am getting dependency error.
        Please help me to fix the issue and install nginx-module-auth-ldap

        installed nginx- 1:1.16.1-1.el7.ngx
        nginx-module-security 1.16.1.1.0.0-2.el7.gps

        but getting error when installing ldap module, guess there are some dependency issues
        Please have look in this

        thanks 🙂

        ###################################################################

        Reply
        • indrajeet

          seems like nginx-module-auth-ldap need to be updated to 1.16.1.1XXXXX

          Reply
          • Danila Vershinin

            It’s one of a few modules that didn’t auto-update to latest nginx because its release is “commit based” as opposed to normal version. Built for latest stable nginx now. You can run “yum clean all” and repeat installation. It should work.
