fbpx

NGINX / Security

How to install the ModSecurity NGINX module in CentOS/RHEL 8

by , , revisited on

We have by far the largest RPM repository with NGINX module packages and VMODs for Varnish. If you want to install NGINX, Varnish, and lots of useful performance/security software with smooth yum upgrades for production use, this is the repository for you.
Active subscription is required.

NGINX is an open-source web server well known for its high performance and the vast array of features available through modules.

ModSecurity is an open-source web application firewall. It is available as a library and can be added to NGINX using a connector module.

Follow these instructions to easily install the RPM package of the ModSecurity module for NGINX.

Install nginx-module-security in CentOS/RHEL 8

The ModSecurity module is compatible with the latest stable and mainline NGINX versions.

Step 1. Set up GetPageSpeed RPM respotiroy

sudo dnf -y install https://extras.getpagespeed.com/release-latest.rpm
sudo dnf -y install epel-release

Step 2. Install NGINX

If you already have NGINX set up, you can skip this step.

Otherwise, run the following command to install NGINX:

sudo dnf -y install nginx

Step 3. Install ModSecurity NGINX module

Install ModSecurity module itself:

sudo dnf -y install nginx-module-security

Follow the installation prompt to import GPG public key that is used for verifying packages.

The libmodsecurity library dependency will be installed for you.

Step 4. Enable the module

Next, enable your NGINX to load the ModSecurity dynamic module by editing the NGINX configuration. Simply follow the installer’s suggestion:

----------------------------------------------------------------------

The security dynamic module for nginx has been installed.
To enable this module, add the following to /etc/nginx/nginx.conf
and reload nginx:

    load_module modules/ngx_http_modsecurity_module.so;

Please refer to the module documentation for further details:
https://github.com/SpiderLabs/ModSecurity-nginx

----------------------------------------------------------------------

Install OWASP CRS

ModSecurity needs some detection rules to work with.
A popular ruleset for ModSecurity is OWASP ModSecurity Core Rule Set (CRS).

You can set up OWASP Core Rule Set now with:

sudo dnf -y install nginx-owasp-crs

Enable OWASP CRS

To enable the installed rule set (and thus put ModSecurity to action), you can add the following to a site configuration:

server {
    modsecurity on;
    location / {
        modsecurity_rules_file /etc/nginx/modsec_includes.conf;
    }
}

Verify

Now you have it installed and configured. How to see it is actually protecting your website?

Navigate to a URL like this: `http://example.com/?q=%22%3E%3Cscript%3Ealert(1)%3C/script%3E%27`

It should trigger a 403 Forbidden error, similar to the screenshot below:

NGINX ModSecurity Protection
NGINX ModSecurity Protection

Monitor False Positives

As with all-things-ModSecurity, you should tune things specifically for your web app. Monitor the main log file /var/log/nginx/modsec_audit.log for false positives. You can see details of each denied request in /var/log/nginx/modsec directory.

ModSecurity, built for production

Our package of ModSecurity for NGINX fixes several upstream issues and supports the complete set of features.
Even more than that, it comes with:

SELinux compatibility

The package is fully compatible with SELinux.

luajit2 compatibility

The package makes use of high-performance Lua implementation, luajit2.

mdb_dump

To dump contents of LMDB collections used by ModSecurity, you can use mdb_dump utility that comes with the lmdb package.

6 thoughts on “How to install the ModSecurity NGINX module in CentOS/RHEL 8

  1. Giedrius Tuminauskas

    Paid repo subscription? It does not mention anything on subscription page, nor in the terms and conditions – UPDATE IT
    Also website still has 2014 copyright, so anything newer than 2014 is not copyrighted?

    Reply

    • Danila Vershinin

      It all makes sense. Updated the terms and conditions.
      For the subscription page, the button logo with cards should make it more obvious 🙂
      Thank you.

      Reply

  2. EDUARDO PADRON

    Hi I’m testing in a temp VPS Host, next week will be over a Production Server Dedicated host, if purv¿chase the suscription with the temp IP can I ask for an IP change later?

    Regards

    Reply

    • Danila Vershinin

      We allow a one-time change of IP address (per subscription lifecycle). So the answer is yes.

      Reply

  3. Mark Smith

    Hello Danila, do you know if your modsec module for NGINX supports SecAuditLogType HTTPS? I tried to use this audit logging option without any luck.

    Reply

    • Danila Vershinin

      Hi Mark,

      It should work without issue using the packages.

      Looking at this thread, the essential for SecAuditLogType HTTPS to function is linking with YAJL library, for JSON support.

      The packages by GetPageSpeed have all that, and link with all the dependency libraries, so they support the complete feature set that ModSecurity has to offer.

      Example on a RHEL 8 system:

      ldd /usr/lib64/libmodsecurity.so.3.0.4 
    linux-vdso.so.1 (0x00007ffcba796000)
    libcurl.so.4 => /lib64/libcurl.so.4 (0x00007fdb91426000)
    libGeoIP.so.1 => /lib64/libGeoIP.so.1 (0x00007fdb911e9000)
    librt.so.1 => /lib64/librt.so.1 (0x00007fdb90fe0000)
    libxml2.so.2 => /lib64/libxml2.so.2 (0x00007fdb90c78000)
    libz.so.1 => /usr/lib64/intel-zlib/libz.so.1 (0x00007fdb90a5e000)
    liblzma.so.5 => /lib64/liblzma.so.5 (0x00007fdb90837000)
    libdl.so.2 => /lib64/libdl.so.2 (0x00007fdb90633000)
    liblmdb.so.0.0.0 => /lib64/liblmdb.so.0.0.0 (0x00007fdb9041d000)
    libluajit2-5.1.so.2 => /lib64/libluajit2-5.1.so.2 (0x00007fdb9019d000)
    libpcre.so.1 => /lib64/libpcre.so.1 (0x00007fdb8ff2c000)
    libmaxminddb.so.0 => /lib64/libmaxminddb.so.0 (0x00007fdb8fd26000)
    libfuzzy.so.2 => /lib64/libfuzzy.so.2 (0x00007fdb8fb20000)
    libyajl.so.2 => /lib64/libyajl.so.2 (0x00007fdb8f916000)
    libstdc++.so.6 => /lib64/libstdc++.so.6 (0x00007fdb8f581000)
    libm.so.6 => /lib64/libm.so.6 (0x00007fdb8f1ff000)
    libc.so.6 => /lib64/libc.so.6 (0x00007fdb8ee3d000)
    /lib64/ld-linux-x86-64.so.2 (0x00007fdb91b20000)
    libgcc_s.so.1 => /lib64/libgcc_s.so.1 (0x00007fdb8ec25000)
    libnghttp2.so.14 => /lib64/libnghttp2.so.14 (0x00007fdb8e9fe000)
    libidn2.so.0 => /lib64/libidn2.so.0 (0x00007fdb8e7e0000)
    libssh.so.4 => /lib64/libssh.so.4 (0x00007fdb8e555000)
    libpsl.so.5 => /lib64/libpsl.so.5 (0x00007fdb8e344000)
    libssl.so.1.1 => /lib64/libssl.so.1.1 (0x00007fdb8e0b0000)
    libcrypto.so.1.1 => /lib64/libcrypto.so.1.1 (0x00007fdb8dbcd000)
    libgssapi_krb5.so.2 => /lib64/libgssapi_krb5.so.2 (0x00007fdb8d97d000)
    libkrb5.so.3 => /lib64/libkrb5.so.3 (0x00007fdb8d68d000)
    libk5crypto.so.3 => /lib64/libk5crypto.so.3 (0x00007fdb8d471000)
    libcom_err.so.2 => /lib64/libcom_err.so.2 (0x00007fdb8d26d000)
    libldap-2.4.so.2 => /lib64/libldap-2.4.so.2 (0x00007fdb8d020000)
    liblber-2.4.so.2 => /lib64/liblber-2.4.so.2 (0x00007fdb8ce10000)
    libbrotlidec.so.1 => /lib64/libbrotlidec.so.1 (0x00007fdb8cc04000)
    libpthread.so.0 => /lib64/libpthread.so.0 (0x00007fdb8c9e4000)
    libunistring.so.2 => /lib64/libunistring.so.2 (0x00007fdb8c663000)
    libkrb5support.so.0 => /lib64/libkrb5support.so.0 (0x00007fdb8c452000)
    libkeyutils.so.1 => /lib64/libkeyutils.so.1 (0x00007fdb8c24e000)
    libresolv.so.2 => /lib64/libresolv.so.2 (0x00007fdb8c037000)
    libsasl2.so.3 => /lib64/libsasl2.so.3 (0x00007fdb8be19000)
    libbrotlicommon.so.1 => /lib64/libbrotlicommon.so.1 (0x00007fdb8bbf9000)
    libselinux.so.1 => /lib64/libselinux.so.1 (0x00007fdb8b9ce000)
    libcrypt.so.1 => /lib64/libcrypt.so.1 (0x00007fdb8b7a5000)
    libpcre2-8.so.0 => /lib64/libpcre2-8.so.0 (0x00007fdb8b521000)

      Note the libyajl.so.2 in the output so SecAuditLogType HTTPS is supported.

      Reply

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes:

<a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>

This site uses Akismet to reduce spam. Learn how your comment data is processed.