yum
upgrades for production use, this is the repository for you.
Active subscription is required.
Fedora Linux comes with modern software and yet it is stable enough and runs fine as a server.
Even so well, Amazon has chosen it as upstream for its own latest operating system: Amazon Linux 2022.
Fedora RPM repositories by GetPageSpeed include many NGINX module packages.
Access to our Fedora RPM repositories is provided free of charge, for everyone.
In this short guide, I’ll show you how to set up NGINX on Fedora with the WAF module protection.
Without compiling anything, use our production-grade packages.
Step 1. Setup the GetPageSpeed repository configuration
We offer ongoing packaging support for the two most recent Fedora releases.
That means, e.g. at the time of this writing, Fedora 34 and Fedora 35 have ongoing packaging support for NGINX module updates.
The setup of repository configuration can be done with one command:
sudo dnf -y install https://extras.getpagespeed.com/release-latest.rpm
This installs both the repository configuration, as well as GPG key for verifying package signatures.
Step 2. Install NGINX WAF module
Whether you already have NGINX installed or not, installing the module alone will pick up NGINX as a dependency and install it as well.
Don’t worry, your existing NGINX configuration is preserved and will work fine.
sudo dnf -y install nginx-module-waf
Note that the WAF module comes in two flavors: LTS and Current. The nginx-module-waf
package installs the LTS version.
At this point, the module has been already installed. If you haven’t had NGINX installed prior to this, do the usual yada by enabling its startup service:
sudo systemctl enable --now nginx
Step 3. Enable NGINX WAF module
Since our module package essentially installs the dynamic NGINX module, we must teach NGINX to load it.
This is done by placing the following at the very top of your /etc/nginx/nginx.conf
:
load_module modules/ngx_http_waf_module.so;
Next, enable WAF for a specific website. Locate server { ... }
configuration block in NGINX or create one (e.g. at /etc/nginx/sites-enabled.com/example.com
), and set up as following:
http {
...
server {
...
# on means enabled, off means disabled.
waf on;
# The absolute path to the directory where the rule file is located, must end with /.
waf_rule_path /etc/nginx/waf-rules/;
# Firewall working mode, STD indicates standard mode.
waf_mode STD;
# CC defense parameter, 1000 requests per minute limit,
# block the corresponding ip for 60 minutes after exceeding the limit.
waf_cc_deny rate=1000r/m duration=60m;
# Cache detection results for up to 50 detection targets,
# effective for all detections
# except IP black and white list detection, CC protection and POST detection.
waf_cache capacity=50;
...
}
...
}
Note that in the waf_rule_path
, we point it to use the default module rules as installed by the package.
Now check for any problems by running nginx -t
, then reload your NGINX configuration and everything is done:
systemctl reload nginx
Verify
To see that the module works, you can run a command like the following:
curl -I -o /dev/null --user-agent bench -s -w "%{http_code}\\n" https://example.com/
If everything is fine, you will get 403, which confirms that WAF is now functional for your website.
For more details about configuring the NGX-WAF module further, refer to its advanced documentation.