NGINX / Security / Server Setup

How Install ModSecurity NGINX module in CentOS/RHEL 7

by , , revisited on


We have by far the largest RPM repository with dynamic stable NGINX modules and VMODs for Varnish 4.1 and 6.0 LTS. If you want to install NGINX, Varnish, and lots of useful modules for them, this is your one-stop repository to get all performance-related software.
You have to maintain an active subscription in order to be able to use the repository!

NGINX is an open-source web server well known for its high performance and the vast array of features available through modules.

ModSecurity is an open-source web application firewall. It is available as a library and can be added to NGINX using a connector module.

Follow these instructions to easily install the RPM package of the ModSecurity module for NGINX.

Install nginx-module-security in CentOS/RHEL 7

The ModSecurity module is compatible with the latest stable and mainline NGINX versions.

Step 1. Set up GetPageSpeed RPM respotiroy

sudo yum -y install https://extras.getpagespeed.com/release-latest.rpm

Step 2. Install NGINX

If you already have NGINX installed, you can skip this step.

Otherwise, run the following command:

sudo yum -y install nginx 

You may also want to read how to How to install latest stable NGINX for CentOS/RHEL 7 using official repository.

Step 3. Install the ModSecurity NGINX module

Then, all you have to do to install ModSecurity module that works with the stable official NGINX build is this:

sudo yum -y install nginx-module-security

Follow the installation prompt to import GPG public key that is used for verifying packages.

The libmodsecurity library dependency will be installed for you.

Step 4. Enable the module

Next, enable your NGINX to load the ModSecurity dynamic module by editing the NGINX configuration. Simply follow the installer’s suggestion:

----------------------------------------------------------------------

The security dynamic module for nginx has been installed.
To enable this module, add the following to /etc/nginx/nginx.conf
and reload nginx:

    load_module modules/ngx_http_modsecurity_module.so;

Please refer to the module documentation for further details:
https://github.com/SpiderLabs/ModSecurity-nginx

----------------------------------------------------------------------

Install OWASP CRS

ModSecurity needs some detection rules to work with.
A popular ruleset for ModSecurity is OWASP ModSecurity Core Rule Set (CRS).

You can setup OWASP Core Rule Set now with:

sudo yum -y install nginx-owasp-crs

Enable OWASP CRS

To enable the install rule set (and thus put ModSecurity to action), you can add the following to a site configuration:

server {
    modsecurity on;
    location / {
        modsecurity_rules_file /etc/nginx/modsec_includes.conf;
    }
}

Verify

Now you have it installed and configured. How to see it is actually protecting your website?

Navigate to a URL like this: http://example.com/?q=%22%3E%3Cscript%3Ealert(1)%3C/script%3E%27

It should trigger a 403 Forbidden error, similar to the screenshot below:

NGINX ModSecurity Protection
NGINX ModSecurity Protection

Monitor False Positives

As with all-things-ModSecurity, you should tune things specifically for your web app. Monitor the main log file /var/log/nginx/modsec_audit.log for false positives. You can see details of each denied request in /var/log/nginx/modsec directory.

SELinux compatibility

The package is fully compatible with SELinux.

Supported NGINX versions: NGINX stable/mainline from either nginx.org or GetPageSpeed RPM repository.

  1. Danila Vershinin

    I think either you or me are confused by how it works. How you expect a sticky session to work without cookie? 🙂 When you said “add support for cookie to sticky session”, that’s like requesting a moving car to drive.The module is supposed to support cookie of course. Either way, it looks like you’re checking NGINX docs which document the sticky directive that is supported by commercial NGINX plus. You should be checking the docs for the module that was built here.

    This post is for modsecurity module.. You can post requests for module builds in this GitHub nginx-extras repository rather than comment here. Still, I can’t research/build a module that doesn’t even exist 🙂 But the system accepts new module builds by pushing pull requests with .yml file describing a module, to nginx-extras. A module .yml includes GitHub repository, specifying module’s GitHub repository, name, description, etc.

    Reply

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.