How to compile NGINX for ModSecurity support on Ubuntu Server 20.04
Jack Wallen walks you through the manual process of installing ModSecurity for NGINX on Ubuntu Server 20.04.
ModSecurity is the most widely-used and respected web application firewall for open source web servers. It can be used with both Apache and NGINX to provide protection from a number of HTTP attacks (such as SQL injections and cross-site scripting) against web-based applications like WordPress and Nextcloud. In other words, this module should be considered a must-use.
ModSecurity cannot be enabled with an instance of NGINX installed with apt-get, so you must do it manually. I want to walk you through the process of getting this security feature added to your NGINX web servers.
SEE: Identity theft protection policy (TechRepublic Premium)
What you’ll need
- A running instance of Ubuntu Server
- A user with sudo privileges
How to install the necessary dependencies
The first thing to be done is in the installation of the necessary dependencies. This can be done with the single command:
sudo apt-get install -y git build-essential libpcre3 libpcre3-dev libssl-dev libtool autoconf apache2-dev libxml2-dev libcurl4-openssl-dev automake pkgconf zlib1g-dev -y
If you already have NGINX installed (from the standard repositories) remove it with the command:
sudo apt-get purge nginx -y
Remove any leftover dependencies with the command:
sudo apt-get autoremove -y
Once that’s complete, we can move on to ModSecurity.
How to compile ModSecurity
We have to compile ModSecurity manually. First, change in to the src directory with the command:
cd /usr/src
Next, clone the latest version of ModSecurity with the command:
git clone -b nginx_refactoring https://github.com/SpiderLabs/ModSecurity.git
Change into the newly-created directory with the command:
cd ModSecurity
Configure ModSecurity using the autogen script like so:
./autogen.sh./configure --enable-standalone-module --disable-mlogc
Make and install ModSecurity with the commands:
make sudo make install
How to compile NGINX
Unfortunately, we cannot use the NGINX installation found in the standard repositories because it must be compiled with NGINX support. Change back into the src directory with the command:
cd /usr/src
Download the latest release of NGINX; currently it’s 1.18.0, but make sure you check on the latest version and change the command accordingly. The command to download the source is:
wget http://nginx.org/download/nginx-1.18.0.tar.gz
Extract the compressed file with the command:
tar xvzf nginx-1.18.0.tar.gz
Change into the newly-created directory with the command:
cd nginx-1.18.0
Configure NGINX with ModSecurity support with the command:
./configure --user=www-data --group=www-data --add-module=/usr/src/ModSecurity/nginx/modsecurity --with-http_ssl_module
Finally, make and install NGINX with the commands:
make sudo make install
How to configure NGINX
We now have to modify the default NGINX configuration file, so it knows which user to run under with the command:
sed -i "s/#user nobody;/user www-data www-data;/" /usr/local/nginx/conf/nginx.conf
Next, we need to configure NGINX so it knows to use ModSecurity. Open the NGINX configuration file with the command:
sudo nano /usr/local/nginx/conf/nginx.conf
In that file, replace the following section:
location / { root html; index index.html index.htm; }
With:
location / { ModSecurityEnabled on; ModSecurityConfig modsec_includes.conf; root html; index index.html index.htm; }
Enable the OWASP core rules by creating a rules file with the command:
sudo nano /usr/local/nginx/conf/modsec_includes.conf
In that file, paste the following:
include modsecurity.conf include owasp-modsecurity-crs/crs-setup.conf include owasp-modsecurity-crs/rules/*.conf
Save and close the file.
Import the necessary ModSecurity configuration files with the following two commands:
sudo cp /usr/src/ModSecurity/modsecurity.conf-recommended /usr/local/nginx/conf/modsecurity.conf sudo cp /usr/src/ModSecurity/unicode.mapping /usr/local/nginx/conf/
Enable the SecRuleEngine option in the modsecurity.conf file by issuing the following command:
sudo sed -i "s/SecRuleEngine DetectionOnly/SecRuleEngine On/" /usr/local/nginx/conf/modsecurity.conf
Now we can add the OWASP ModSecurity core rule set by issuing the following seven commands:
cd /usr/local/nginx/conf sudo git clone https://github.com/SpiderLabs/owasp-modsecurity-crs.git sudo cd owasp-modsecurity-crs sudo mv crs-setup.conf.example crs-setup.conf sudo cd rules sudo mv REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf sudo mv RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.example RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf
How to create a systemd startup file for NGINX
In order for us to be able to control NGINX, we must create a systemd startup file. Create the file with the command:
sudo nano /lib/systemd/system/nginx.service
In the file, paste the following:
[Service] Type=forking ExecStartPre=/usr/local/nginx/sbin/nginx -t -c /usr/local/nginx/conf/nginx.conf ExecStart=/usr/local/nginx/sbin/nginx -c /usr/local/nginx/conf/nginx.conf ExecReload=/usr/local/nginx/sbin/nginx -s reload KillStop=/usr/local/nginx/sbin/nginx -s stop KillMode=process Restart=on-failure RestartSec=42s PrivateTmp=true LimitNOFILE=200000 [Install] WantedBy=multi-user.target
Save and close the file.
Start NGINX with the command:
sudo systemctl start nginx
Enable the web server to start at boot with the command:
sudo systemctl enable nginx
How to test ModSecurity
We can finally test our ModSecurity setup. To do this we’re going to use tail to following the NGINX error log with the command:
sudo tail -f /usr/local/nginx/logs/error.log
With that running, open a web browser and point it to: http://SERVER/?param=”>
Where SERVER is the IP address or domain of your NGINX server. Back in the tail command you should see a number of Permission Denied Errors (Figure A).
Figure A
Congratulations, you now have ModSecurity running with the latest version of NGINX on Ubuntu Server 20.04.
Subscribe to TechRepublic’s How To Make Tech Work on YouTube for all the latest tech advice for business pros from Jack Wallen.