{"id":7246,"date":"2018-03-20T14:02:39","date_gmt":"2018-03-20T06:02:39","guid":{"rendered":"http:\/\/rmohan.com\/?p=7246"},"modified":"2018-03-20T14:02:39","modified_gmt":"2018-03-20T06:02:39","slug":"install-mod-security-on-nginx-for-centos-6-and-7","status":"publish","type":"post","link":"https:\/\/mohan.sg\/?p=7246","title":{"rendered":"Install Mod Security on Nginx for CentOS 6 and 7"},"content":{"rendered":"
\n

Install Mod Security on Nginx for CentOS 6 and 7<\/h1>\n
4 Comments<\/a><\/span><\/div>\n<\/div>\n
\n

Introduction<\/h2>\n

ModSecurity is a toolkit for real-time web application monitoring, logging, and access control. you can consider it as an enabler, there are no hard rules telling you what to do, instead, it is up to you to choose your own path through the available features.\u00a0The freedom to choose what to do is an essential part of ModSecurity\u2019s identity and goes very well with its open source nature. With full access to the source code, your freedom to choose extends to the ability to customize and extend the tool itself to make it fit your needs.<\/p>\n

We are assuming that you have root permission, otherwise, you may start commands with \u201csudo\u201d.<\/p>\n

 <\/p>\n

Attention<\/h3>\n

Building a ModSecurity on a Nginx server is kinda hard because you have to download and compile both of them yourself and installing them through a package installer is not possible for now, meanwhile, you have to install previous releases of the Nginx web server.<\/p>\n

Download Nginx and ModSecurity<\/h2>\n

You can download the compatible version of Nginx and ModSecurity easily with \u201cWget\u201d:<\/p>\n

wget http:\/\/nginx.org\/download\/nginx-1.8.0.tar.gz<\/code> wget https:\/\/www.modsecurity.org\/tarball\/2.9.1\/modsecurity-2.9.1.tar.gz<\/code><\/pre>\n
Extract them as well:<\/p>\n
tar xvzf\u00a0nginx-1.8.0.tar.gz<\/code> tar xvzf\u00a0modsecurity-2.9.1.tar.gz<\/code><\/pre>\n
And you should download some dependencies so you can compile them:<\/p>\n
yum install gcc make automake autoconf libtool pcre pcre-devel libxml2 libxml2-devel curl curl-devel httpd-devel<\/code><\/pre>\n
Compiling ModSecurity with Nginx<\/h2>\n
Enter the ModSecurity directory:<\/p>\n
cd\u00a0modsecurity-2.9.1<\/code> .\/configure --enable-standalone-module<\/code> make<\/code><\/pre>\n
Then we are going to install Nginx with ModSecurity module:<\/p>\n
cd nginx-1.8.0<\/code><\/pre>\n
.\/configure \\<\/code>\r\n> --user=nginx \\\r\n> --group=nginx \\\r\n> --sbin-path=\/usr\/sbin\/nginx \\\r\n> --conf-path=\/etc\/nginx\/nginx.conf \\\r\n> --pid-path=\/var\/run\/nginx.pid \\\r\n> --lock-path=\/var\/run\/nginx.lock \\\r\n> --error-log-path=\/var\/log\/nginx\/error.log \\\r\n> --http-log-path=\/var\/log\/nginx\/access.log \\\r\n> --add-module=..\/modsecurity-2.9.1\/nginx\/modsecurity<\/code><\/pre>\n
Now we can compile and install Nginx:<\/p>\n
make<\/code> make install<\/code><\/pre>\n
Configure Nginx and ModSecurity<\/h2>\n
We have to move the ModSecurity config files to Nginx main directory, execute the commands below:<\/p>\n
cp modsecurity-2.9.1\/modsecurity.conf-recommended \/etc\/nginx\/<\/code> cp\u00a0modsecurity-2.9.1\/unicode.mapping \/etc\/nginx\/<\/code><\/pre>\n
Now we have to rename the ModSecurity config file;<\/p>\n
cd \/etc\/nginx\/<\/code> mv modsecurity.conf-recommended modsecurity.conf<\/code><\/pre>\n
Open the \u201cnginx.conf\u201d and add the following lines under the directive \u201clocation \/\u201d it\u2019s about line 47:<\/p>\n
nano nginx.conf<\/code><\/pre>\n
\r\nModSecurityEnabled on;\r\nModSecurityConfig modsecurity.conf;\r\n<\/code><\/pre>\n
Save and Exit<\/p>\n
Create Nginx user with the command below:<\/p>\n
useradd -r nginx<\/code><\/pre>\n
We can test our Nginx config file to check if everything is ok:<\/p>\n
cd \/usr\/sbin\/<\/code> .\/nginx -t<\/code><\/pre>\n
You should get something like below:<\/p>\n
\r\nnginx: the configuration file \/etc\/nginx\/nginx.conf syntax is ok\r\nnginx: configuration file \/etc\/nginx\/nginx.conf test is successful\r\n<\/code><\/pre>\n
Creating the Nginx Service<\/h2>\n
It\u2019s time to create the Nginx Service so you can start, stop and see your service status:<\/p>\n
Create the init.d script file with your text editor in the following path:<\/p>\n
nano\u00a0\/etc\/init.d\/nginx<\/code><\/pre>\n
Paste the following script in your file then save and exit:<\/p>\n
\r\n#!\/bin\/sh\r\n#\r\n# nginx - this script starts and stops the nginx daemon\r\n#\r\n# chkconfig:   - 85 15\r\n# description:  NGINX is an HTTP(S) server, HTTP(S) reverse \\\r\n#               proxy and IMAP\/POP3 proxy server\r\n# processname: nginx\r\n# config:      \/etc\/nginx\/nginx.conf\r\n# config:      \/etc\/sysconfig\/nginx\r\n# pidfile:     \/var\/run\/nginx.pid\r\n\r\n# Source function library.\r\n. \/etc\/rc.d\/init.d\/functions\r\n\r\n# Source networking configuration.\r\n. \/etc\/sysconfig\/network\r\n\r\n# Check that networking is up.\r\n[ \"$NETWORKING\" = \"no\" ] && exit 0\r\n\r\nnginx=\"\/usr\/sbin\/nginx\"\r\nprog=$(basename $nginx)\r\n\r\nNGINX_CONF_FILE=\"\/etc\/nginx\/nginx.conf\"\r\n\r\n[ -f \/etc\/sysconfig\/nginx ] && . \/etc\/sysconfig\/nginx\r\n\r\nlockfile=\/var\/lock\/subsys\/nginx\r\n\r\nmake_dirs() {\r\n   # make required directories\r\n   user=`$nginx -V 2>&1 | grep \"configure arguments:.*--user=\" | sed 's\/[^*]*--user=\\([^ ]*\\).*\/\\1\/g' -`\r\n   if [ -n \"$user\" ]; then\r\n      if [ -z \"`grep $user \/etc\/passwd`\" ]; then\r\n         useradd -M -s \/bin\/nologin $user\r\n      fi\r\n      options=`$nginx -V 2>&1 | grep 'configure arguments:'`\r\n      for opt in $options; do\r\n          if [ `echo $opt | grep '.*-temp-path'` ]; then\r\n              value=`echo $opt | cut -d \"=\" -f 2`\r\n              if [ ! -d \"$value\" ]; then\r\n                  # echo \"creating\" $value\r\n                  mkdir -p $value && chown -R $user $value\r\n              fi\r\n          fi\r\n       done\r\n    fi\r\n}\r\n\r\nstart() {\r\n    [ -x $nginx ] || exit 5\r\n    [ -f $NGINX_CONF_FILE ] || exit 6\r\n    make_dirs\r\n    echo -n $\"Starting $prog: \"\r\n    daemon $nginx -c $NGINX_CONF_FILE\r\n    retval=$?\r\n    echo\r\n    [ $retval -eq 0 ] && touch $lockfile\r\n    return $retval\r\n}\r\n\r\nstop() {\r\n    echo -n $\"Stopping $prog: \"\r\n    killproc $prog -QUIT\r\n    retval=$?\r\n    echo\r\n    [ $retval -eq 0 ] && rm -f $lockfile\r\n    return $retval\r\n}\r\n\r\nrestart() {\r\n    configtest || return $?\r\n    stop\r\n    sleep 1\r\n    start\r\n}\r\n\r\nreload() {\r\n    configtest || return $?\r\n    echo -n $\"Reloading $prog: \"\r\n    killproc $nginx -HUP\r\n    RETVAL=$?\r\n    echo\r\n}\r\n\r\nforce_reload() {\r\n    restart\r\n}\r\n\r\nconfigtest() {\r\n  $nginx -t -c $NGINX_CONF_FILE\r\n}\r\n\r\nrh_status() {\r\n    status $prog\r\n}\r\n\r\nrh_status_q() {\r\n    rh_status >\/dev\/null 2>&1\r\n}\r\n\r\ncase \"$1\" in\r\n    start)\r\n        rh_status_q && exit 0\r\n        $1\r\n        ;;\r\n    stop)\r\n        rh_status_q || exit 0\r\n        $1\r\n        ;;\r\n    restart|configtest)\r\n        $1\r\n        ;;\r\n    reload)\r\n        rh_status_q || exit 7\r\n        $1\r\n        ;;\r\n    force-reload)\r\n        force_reload\r\n        ;;\r\n    status)\r\n        rh_status\r\n        ;;\r\n    condrestart|try-restart)\r\n        rh_status_q || exit 0\r\n            ;;\r\n    *)\r\n        echo $\"Usage: $0 {start|stop|status|restart|condrestart|try-restart|reload|force-reload|configtest}\"\r\n        exit 2\r\nesac<\/code><\/pre>\n
Create the \u201cnginx.service\u201d file in the following path:<\/p>\n
nano\u00a0\/lib\/systemd\/system\/nginx.service<\/code><\/pre>\n
Paste the following script then save and exit:<\/p>\n
[Unit]\r\nDescription=The NGINX HTTP and reverse proxy server\r\nAfter=syslog.target network.target remote-fs.target nss-lookup.target\r\n\r\n[Service]\r\nType=forking\r\nPIDFile=\/run\/nginx.pid\r\nExecStartPre=\/usr\/sbin\/nginx -t\r\nExecStart=\/usr\/sbin\/nginx\r\nExecReload=\/bin\/kill -s HUP $MAINPID\r\nExecStop=\/bin\/kill -s QUIT $MAINPID\r\nPrivateTmp=true\r\n\r\n[Install]\r\nWantedBy=multi-user.target<\/code><\/pre>\n
Now you can easily use the following commands to control your Nginx service:<\/p>\n
systemctl enable nginx<\/code> systemctl start nginx<\/code> systemctl restart nginx<\/code> systemctl status nginx<\/code><\/pre>\n
Varify ModSecurity working with Nginx properly<\/h2>\n
 <\/p>\n
cd \/usr\/sbin\/<\/code> .\/nginx -V<\/code><\/pre>\n
if you get something like below it means that your Nginx compiled with ModSecurity successfully:<\/p>\n
\r\nbuilt by gcc 4.4.7 20120313 (Red Hat 4.4.7-18) (GCC)\r\nconfigure arguments: --user=nginx --group=nginx --sbin-path=\/usr\/sbin\/nginx --conf-path=\/etc\/nginx\/nginx.conf --pid-path=\/var\/run\/nginx.pid --lock-path=\/var\/run\/nginx.lock --error-log-path=\/var\/log\/nginx\/error.log --http-log-path=\/var\/log\/nginx\/access.log --add-module=..\/modsecurity-2.9.1\/nginx\/modsecurity<\/em>\r\n<\/code><\/pre>\n
If you want to check if the ModSecurity module has been loaded on your Nginx successfuly you have to check last lines of your Nginx\u2019s error log:<\/p>\n
cd \/var\/log\/nginx\/<\/code> tail error.log<\/code><\/pre>\n
You have to search for something like below:<\/p>\n
[notice] 13285#0: ModSecurity: PCRE compiled version=\"7.8 \"; loaded version=\"7.8 2008-09-05\"<\/code><\/pre>\n
Rule-Set Recommendation<\/h2>\n<\/div>\n","protected":false},"excerpt":{"rendered":"
 Install Mod Security on Nginx for CentOS 6 and 7 4 Comments Introduction <\/p>\n
ModSecurity is a toolkit for real-time web application monitoring, logging, and access control. you can consider it as an enabler, there are no hard rules telling you what to do, instead, it is up to you to choose your own path […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[70],"tags":[],"_links":{"self":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts\/7246"}],"collection":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=7246"}],"version-history":[{"count":1,"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts\/7246\/revisions"}],"predecessor-version":[{"id":7274,"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts\/7246\/revisions\/7274"}],"wp:attachment":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=7246"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=7246"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=7246"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}