ModSecurity is an open-source web application firewall (WAF), initially built for the Apache web server, that protects against a variety of Layer 7 (HTTP) attacks. The steps below build ModSecurity v3 (libmodsecurity) and its Nginx connector module on CentOS.
If Nginx is not installed:
yum install nginx
Install build dependencies:
yum groupinstall -y "Development Tools"
yum install -y httpd-devel pcre pcre-devel libxml2 libxml2-devel curl curl-devel openssl openssl-devel
Download and compile ModSecurity:
cd /usr/local/src
git clone --depth 100 -b v3/master --single-branch https://github.com/SpiderLabs/ModSecurity
cd ModSecurity
git submodule init
git submodule update
sh build.sh
./configure
make
make install
Download the Nginx source code and the ModSecurity-nginx connector source code:
mkdir /usr/local/src/cpg
cd /usr/local/src/cpg
wget http://nginx.org/download/nginx-1.21.4.tar.gz
tar -xvzf nginx-1.21.4.tar.gz
git clone https://github.com/SpiderLabs/ModSecurity-nginx
Compile the connector as a dynamic Nginx module (the source version, 1.21.4 here, must match the installed Nginx binary reported by nginx -v, otherwise Nginx refuses to load the module):
cd nginx-1.21.4
./configure --with-compat --with-openssl=/usr/include/openssl/ --add-dynamic-module=/usr/local/src/cpg/ModSecurity-nginx
make modules
cp -p objs/ngx_http_modsecurity_module.so /usr/lib64/nginx/modules/
Create a file /etc/nginx/mod-http-modsecurity.conf and add:
load_module modules/ngx_http_modsecurity_module.so;
Add the following to /etc/nginx/nginx.conf, at the top level before the events block (if you instead place the file from the previous step in /usr/share/nginx/modules/, which the stock CentOS nginx.conf includes, do not also add the line here: Nginx errors out when a module is loaded twice):
load_module modules/ngx_http_modsecurity_module.so;
Clone the OWASP Core Rule Set (CRS) repository and activate its setup file:
sudo git clone https://github.com/coreruleset/coreruleset /opt/coreruleset
sudo mv /opt/coreruleset/crs-setup.conf.example /opt/coreruleset/crs-setup.conf
Activate the default exclusion rule file:
sudo mv /opt/coreruleset/rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example /opt/coreruleset/rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf
Copy the Unicode mapping and the recommended configuration from the ModSecurity source tree cloned above:
sudo mkdir -p /etc/nginx/modsec
sudo cp /usr/local/src/ModSecurity/unicode.mapping /etc/nginx/modsec
sudo cp /usr/local/src/ModSecurity/modsecurity.conf-recommended /etc/nginx/modsec/modsecurity.conf
Create a main config file:
sudo touch /etc/nginx/modsec/main.conf
Add to /etc/nginx/modsec/main.conf:
Include /etc/nginx/modsec/modsecurity.conf
Include /opt/coreruleset/crs-setup.conf
Include /opt/coreruleset/rules/*.conf
Reference main.conf in Nginx config:
Add to /etc/nginx/sites-available/default within the server block (on a stock CentOS install the default server block lives in /etc/nginx/nginx.conf or /etc/nginx/conf.d/default.conf instead):
modsecurity on;
modsecurity_rules_file /etc/nginx/modsec/main.conf;
While SecRuleEngine is DetectionOnly, ModSecurity only logs matches (to /var/log/modsec_audit.log by default) without blocking; once you have reviewed that log for false positives, open /etc/nginx/modsec/modsecurity.conf and change:
SecRuleEngine DetectionOnly
to
SecRuleEngine On
Restart Nginx:
sudo systemctl restart nginx
After following these steps, ModSecurity will be enabled with Nginx on CentOS, using the OWASP Core Rule Set for enhanced web application security.
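As an added example that is not part of the original guide: a small POSIX shell helper that tallies which CRS rules fired in the audit log written while SecRuleEngine was DetectionOnly, so you can decide which rules need entries in REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf before switching to On. It assumes the native serial audit log format set by modsecurity.conf-recommended; the sample log entries are constructed.

```shell
#!/bin/sh
# Added example (not from the original guide): summarise which CRS rules fired
# in the ModSecurity v3 audit log so false positives can be reviewed while
# SecRuleEngine is still DetectionOnly, before it is switched to On.
# Assumes the serial/native audit log format from modsecurity.conf-recommended,
# where each rule hit is a "ModSecurity: ..." line in the H (trailer) part.

# Print "count<TAB>rule_id<TAB>msg" per rule, most frequently firing first.
summarize_modsec_log() {
  awk '
    /ModSecurity: / {
      id = ""; msg = ""
      # [id "942100"]  -> strip the 5-char prefix and the 2-char suffix
      if (match($0, /\[id "[0-9]+"\]/))  id  = substr($0, RSTART + 5, RLENGTH - 7)
      # [msg "..."]    -> strip the 6-char prefix and the 2-char suffix
      if (match($0, /\[msg "[^"]*"\]/)) msg = substr($0, RSTART + 6, RLENGTH - 8)
      if (id != "") hits[id "\t" msg]++
    }
    END { for (k in hits) print hits[k] "\t" k }
  ' "$1" | sort -rn
}

# Constructed, abridged sample log (two audit entries, three rule hits).
# Rule file paths match the guide; line numbers and unique_ids are made up.
SAMPLE_LOG="${TMPDIR:-/tmp}/modsec_audit_sample.log"
cat > "$SAMPLE_LOG" <<'EOF'
---Zq1nAbCd---A--
[12/Jan/2024:10:00:00 +0000] 170500000012.000001 203.0.113.10 51234 198.51.100.5 80
---Zq1nAbCd---H--
ModSecurity: Warning. Matched "Operator `Rx' with parameter ..." [file "/opt/coreruleset/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "1"] [id "920350"] [msg "Host header is a numeric IP address"] [severity "4"] [hostname "198.51.100.5"] [uri "/"] [unique_id "170500000012.000001"]
ModSecurity: Warning. detected SQLi using libinjection. [file "/opt/coreruleset/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "1"] [id "942100"] [msg "SQL Injection Attack Detected via libinjection"] [severity "2"] [hostname "198.51.100.5"] [uri "/search"] [unique_id "170500000012.000001"]
---Zq1nAbCd---Z--
---Zq1nAbCe---A--
[12/Jan/2024:10:00:05 +0000] 170500000017.000002 203.0.113.11 51240 198.51.100.5 80
---Zq1nAbCe---H--
ModSecurity: Warning. detected SQLi using libinjection. [file "/opt/coreruleset/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "1"] [id "942100"] [msg "SQL Injection Attack Detected via libinjection"] [severity "2"] [hostname "198.51.100.5"] [uri "/search"] [unique_id "170500000017.000002"]
---Zq1nAbCe---Z--
EOF

# Against a real deployment, point it at /var/log/modsec_audit.log instead.
summarize_modsec_log "$SAMPLE_LOG"
```

A rule that tops this list on legitimate traffic is a candidate for a targeted exclusion in REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf rather than for disabling the whole rule file.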