Installing ModSecurity to Nginx in Debian 10

Debian finally has a ModSecurity package ready for use in the repository. However, using it with Nginx requires a few extra steps, which took a while to figure out.
# Create a work dir for the compilation process
$ mkdir modsecurity-tmp

# Install the ModSecurity library and its development headers
$ sudo apt-get install libmodsecurity3 libmodsecurity-dev

# Fetch sources: the ModSecurity-nginx connector and the Debian nginx source package
# (apt-get source needs a matching deb-src line in /etc/apt/sources.list)
$ git clone --depth 1 [ModSecurity-nginx repository URL]
$ apt-get source nginx-full

# Figure out the necessary configuration options
$ /usr/sbin/nginx -V

$ cd nginx-[version]
# Configure. Replace NGINX OPTIONS with all the options from the above command except for options starting "--add-dynamic-module".
# and
$ ./configure [NGINX OPTIONS] --add-dynamic-module=../ModSecurity-nginx

# Compile.
$ make modules

# Copy the compiled module to its location
$ sudo mkdir /etc/nginx/modules
$ sudo cp objs/[module .so file] /etc/nginx/modules/

# Load the module.
$ echo "load_module /etc/nginx/modules/[module .so file];" | sudo tee /etc/nginx/modules-available/modsecurity.conf
$ sudo ln -s /etc/nginx/modules-available/modsecurity.conf /etc/nginx/modules-enabled/

# Add configuration
$ sudo mkdir /etc/nginx/modsec
$ sudo curl -o /etc/nginx/modsec/modsecurity.conf [modsecurity.conf URL]

# You might also want to change the SecRuleEngine parameter in /etc/nginx/modsec/modsecurity.conf to On
# (DetectionOnly logs matches but does not block them).
# Load the missing file per
$ sudo curl -o /etc/nginx/modsec/unicode.mapping [unicode.mapping URL]
# printf is used instead of echo so the newline between the two directives is written reliably.
$ printf '%s\n' 'Include "/etc/nginx/modsec/modsecurity.conf"' 'SecRule ARGS:testparam "@contains test" "id:1234,deny,status:403"' | sudo tee /etc/nginx/modsec/main.conf

# Then add these lines to your site's server block:
    modsecurity on;
    modsecurity_rules_file /etc/nginx/modsec/main.conf;

# Restart Nginx
$ sudo service nginx restart
Voilà. If you changed SecRuleEngine to On, adding ?testparam=test to your website URL should return 403 Forbidden. Now you can start figuring out the correct ruleset for your site.
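The configure step above requires copying every option from `nginx -V` except the `--add-dynamic-module` ones, which is error-prone by hand because Debian's build line contains quoted values with spaces (such as `--with-cc-opt='...'`). The following is an added helper, not part of the original post, that does that filtering; the `nginx -V` text it parses here is a constructed sample, not a real Debian build line.

```shell
#!/bin/sh
# nginx_configure_args: take the full text of `nginx -V` (which nginx prints on
# stderr, hence the 2>&1 in real use), extract the "configure arguments:" line and
# drop every --add-dynamic-module=... option. Values containing spaces keep their
# grouping; the result is emitted single-quoted so it can be passed through eval.
nginx_configure_args() {
    line=$(printf '%s\n' "$1" | sed -n 's/^configure arguments: //p')
    # nginx prints the arguments in shell-quoted form, so let the shell split them.
    # Only feed this the output of the local nginx binary: eval runs what it is given.
    eval "set -- $line"
    out=""
    for arg in "$@"; do
        case "$arg" in
            --add-dynamic-module=*) continue ;;   # skip Debian's bundled modules
        esac
        # Re-quote each kept argument: ' becomes '\'' so it survives a later eval.
        q=$(printf '%s' "$arg" | sed "s/'/'\\\\''/g")
        out="$out '$q'"
    done
    printf '%s\n' "${out# }"
}

# Constructed sample of `nginx -V` output (shortened, not a real Debian build line).
SAMPLE_NGINX_V="nginx version: nginx/1.14.2
TLS SNI support enabled
configure arguments: --with-cc-opt='-g -O2 -fPIC' --prefix=/usr/share/nginx --with-compat --add-dynamic-module=/build/nginx/debian/modules/http-auth-pam --with-http_ssl_module"

nginx_configure_args "$SAMPLE_NGINX_V"
# Real use, inside the unpacked nginx source directory:
#   eval "./configure $(nginx_configure_args "$(/usr/sbin/nginx -V 2>&1)") --add-dynamic-module=../ModSecurity-nginx"
```

Check that the printed list still contains `--with-compat`; without it the Debian binary will refuse to load the module you build.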

