Nginx / Security / Server Setup

How Install ModSecurity NGINX module in RHEL 7 / CentOS 7

by , , revisited on


NGINX is an open source web server well known for its high performance and the vast array of features available through modules.

ModSecurity is an open-source web application firewall. It is available as a library and can be added to NGINX using connector module.

Follow these instructions to easily install YUM package for dynamic ModSecurity module for Nginx.

Install nginx-module-security in CentOS / RHEL 7

The dynamic module is compatible with the latest stable NGINX versions.

Step 1. Setup nginx-extras repository

yum -y install https://extras.getpagespeed.com/release-el7-latest.rpm

Step 2. Install NGINX

If you already have stable NGINX from nginx.org repository, you can skip this step.

Otherwise, run the following command to install nginx:

yum install nginx 

You may also want to read how to How to install latest stable NGINX for CentOS 7 / RHEL 7 using official repository.

Step 3. Install ModSecurity NGINX module

Then, all you have to do to install ModSecurity module that works with the stable official Nginx build is this:

yum install nginx-module-security

Follow the installation prompt to import GPG public key that is used for verifying packages.

The libmodsecurity library dependency will be installed for you.

Step 4. Enable the module

Next, enable your nginx to load ModSecurity dynamic module by editing NGINX configuration. Simply follow the installer’s suggestion:

----------------------------------------------------------------------

The security dynamic module for nginx has been installed.
To enable this module, add the following to /etc/nginx/nginx.conf
and reload nginx:

    load_module modules/ngx_http_modsecurity_module.so;

Please refer to the module documentation for further details:
https://github.com/SpiderLabs/ModSecurity-nginx

----------------------------------------------------------------------

Install OWASP CRS

You can setup OWASP Core Rule Set now with:

yum -y install nginx-owasp-crs

Monitor False Positives

As with all-things-ModSecurity, you should tune things specifically for your web app. Monitor main log file /var/log/modsec/audit.log for false positives. You can see details of each denied request in /var/log/modsec/nginx directory.

Supported Nginx versions: Nginx stable from official Nginx repository.

Tip: if you have SELinux enabled, you may want to check our post about SELinux configuration for nginx.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.