How to Install Nginx with libModSecurity and OWASP core rule set on CentOS 7

Introduction

libModSecurity is a major rewrite of ModSecurity. It preserves the rich syntax and feature set of ModSecurity while delivering improved performance, stability, and a new experience in easy integration. Even though ModSecurity 2.9.x was offered for different platforms, it really favored deploying with Apache and deploying with other platforms required various 3rd party dependencies at the cost of performance. LibModSecurity changes all that by being a rewrite from scratch.
In this tutorial, we will show you how to compile the latest version of Nginx with libModSecurity We will also be integrating the OWASP ModSecurity Core Rule Set (CRS).

Install Dependencies

As we are going to Compile both Nginx and libModSecurity from the source we are going to need following dependencies installed, so before start installing the dependencies:

yum groupinstall 'Development tools'

Now execute the following command to install all of the needed libraries:

yum install autoconf automake bzip2 flex gcc git httpd-devel libaio-devel libass-devel libjpeg-turbo-devel libpng12-devel libtheora-devel libtool libva-devel libvdpau-devel libvorbis-devel libxml2-devel libxslt-devel perl texi2html unzip zip openssl openssl-devel geoip geoip-devel

Download and Install libModSecurity

In this section we are going to clone the ModSecurity source form it’s official Git repository then checkout and build the libModSecurity so execute the following commands one by one to get it done:

cd /opt/
git clone https://github.com/SpiderLabs/ModSecurity
cd ModSecurity
git checkout -b v3/master origin/v3/master
sh build.sh
git submodule init
git submodule update
./configure

If you have done everything right, you will not see any errors during the configuration, so you can go ahead and start compiling with the following command (It’s going to take a few minutes):

make && make install

After the installation process is finished, it’s a good idea to check if everything has been installed correctly with the following command:

make check

Download the ModSecurity Nginx connector

Switch back to the “opt” directory and clone the ModSecurity-nginx connector with the command below:

cd /opt/
git clone https://github.com/SpiderLabs/ModSecurity-nginx.git

Download and Install Nginx

In this section, we are going to download the latest stable version of Nginx which is “1.12.2” at the time of the writing. you can always go to Nginx official website to get the latest stable version.

Download the source file in the “opt” directory using Wget:

cd /opt/
wget http://nginx.org/download/nginx-1.12.2.tar.gz

Extract the source files with the command below:

tar xvzf nginx-1.12.2.tar.gz

Now execute the following commands one by one to compile and install Nginx:

cd nginx-1.12.2
./configure --user=www-data --group=www-data --with-pcre-jit --with-debug --with-http_ssl_module --with-http_realip_module --add-module=/opt/ModSecurity-nginx
make && make install

The ModSecurity source code that we downloaded earlier includes a sample ModSecurity.conf file with some recommended settings. Copy this file to the folder with the Nginx configuration files:

cp /opt/ModSecurity/modsecurity.conf-recommended /usr/local/nginx/conf/modsecurity.conf

Create a symlink from the Nginx binary to our executable path:

ln -s /usr/local/nginx/sbin/nginx /bin/nginx

Configuring Nginx

In order to get libModSecurity working with your Nginx, you have to do some configuration first. so open the Nginx global configuration file with the command below:

nano /usr/local/nginx/conf/nginx.conf

At the very beginning of the file, you can see a line that refers to “user”, uncomment it and change its value like below:

user www-data;

Find the “pid” line and make it looks like below:

pid /var/run/nginx.pid;

Find the “server” directive and delete everything within the two curly braces “{}” and add the following lines in it:

listen 80;
server_name localhost;
modsecurity on;
location / {
root html;
index index.html index.htm;
modsecurity_rules_file /usr/local/nginx/conf/modsecurity.conf;
}

Save and Exit the editor.
Now we are going to create a “systemd” service for Nginx. Create a “nginx.service” file in the proper path with the following command:

nano /etc/systemd/system/nginx.service

Paste the following lines into the file then save and exit:

[Unit]
Description=The NGINX HTTP and reverse proxy server
After=syslog.target network.target remote-fs.target nss-lookup.target

[Service]
Type=forking
PIDFile=/var/run/nginx.pid
ExecStartPre=/bin/nginx -t
ExecStart=/bin/nginx
ExecReload=/bin/kill -s HUP $MAINPID
ExecStop=/bin/kill -s QUIT $MAINPID
PrivateTmp=true

[Install]
WantedBy=multi-user.target

Execute the following command to take effect:

systemctl daemon-reload

You can check if your Nginx configurations are ok with the following command:

nginx -t

You have to see something like below:

nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful

Install OWASP Core Rule Set (CRS)

Clone and copy the latest version of OWASP rules and configurations to Nginx:

cd /opt/
git clone https://github.com/SpiderLabs/owasp-modsecurity-crs.git
cd owasp-modsecurity-crs/
cp -R rules/ /usr/local/nginx/conf/
cp /opt/owasp-modsecurity-crs/crs-setup.conf.example /usr/local/nginx/conf/crs-setup.conf

Edit the ModSecurity config file to include the OWASP rule set files:

nano /usr/local/nginx/conf/modsecurity.conf

Paste the following lines at the end of the file:

#Load OWASP Config
Include crs-setup.conf
#Load all other Rules
Include rules/*.conf
#Disable rule by ID from error message
#SecRuleRemoveById 920350

At last, Restart your Nginx to take effect with the command below:

systemctl restart nginx

You can view the following log file to see all of the ModSecurity events:

tail -f /var/log/modsec_audit.log

 
You can visit LibModSecurity official Github page to access different releases and more information!