Considering the increase in online web threats, one of the challenges for a web engineer is to be well aware of how to harden and secure Nginx.
Nginx is well known as a high-performance, lightweight web server and reverse proxy, and it is used on many of the busiest sites, including:
Pinterest.com, Reddit.com, Wordpress.com, Stackoverflow.com, Mail.ru
If you are hosting your web applications on Nginx and are concerned about security, then one of the first things you would like to implement is a Web Application Firewall (WAF). ModSecurity is an open-source WAF by Trustwave SpiderLabs and was made available for Nginx in 2012. In this guide, I’ll explain how to download, install and configure ModSecurity with Nginx. The following demonstration is done on CentOS hosted with DigitalOcean. If you are new to Nginx, then I would recommend taking this fundamental course.
Download Nginx and ModSecurity
You can either download Nginx directly on your server or on your local PC and then transfer it.
Download the latest version from the link below:
http://nginx.org/en/download.html
If you are downloading directly on the server, you can use wget as below.
Extract the archive using the gunzip command.
You will see a new folder created.
Download the latest version of ModSecurity from the link below:
https://github.com/SpiderLabs/ModSecurity
You can use the commands below directly from the server.
Let’s get them installed.
Install Nginx with Mod Security
It’s important to note that the ModSecurity module is built into Nginx at compile time, so both Nginx and the ModSecurity source code must be compiled.
Log in to the server and ensure you have root permission.
Note: if you are doing this on a brand-new server, then you may need to install the following libraries first.
First, let’s compile ModSecurity. Go to the modsecurity-2.9.1 folder and use the commands below.
Next, install Nginx with ModSecurity.
This concludes the installation of Nginx with ModSecurity; now it’s time to configure it.
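The build steps described above, collected into a small script as an added example (this is not the tutorial's own command listing). It assumes CentOS with yum, that the ModSecurity 2.9.1 and Nginx tarballs have already been extracted side by side under a source root, and that the package list, the ModSecurity standalone-module configure flags and the Nginx --add-module path are the ones used by the ModSecurity 2.x standalone build; none of these values are taken from the original page. The actual build only runs when the script is invoked with the build argument, so the helper functions can be exercised without touching the system:

```shell
#!/bin/sh
# Added example (not the tutorial's own commands): compile ModSecurity 2.9.1 as
# a standalone module, then compile Nginx with that module linked in.
# Assumptions: CentOS/yum; sources extracted under SRC_ROOT; the --enable-standalone-module
# and --add-module flags are those of the ModSecurity 2.x standalone build.
set -e

SRC_ROOT="${SRC_ROOT:-/usr/local/src}"
MODSEC_DIR="${MODSEC_DIR:-$SRC_ROOT/modsecurity-2.9.1}"
NGINX_DIR="${NGINX_DIR:-$SRC_ROOT/nginx}"   # placeholder: point at your extracted nginx-<version> folder

# Toolchain and the development headers ModSecurity's configure script looks for.
install_build_deps() {
    yum -y install gcc make automake autoconf libtool \
        pcre-devel libxml2-devel curl-devel httpd-devel
}

# Return 0 if DIR looks like an extracted ModSecurity 2.x tree that ships the Nginx module.
check_modsec_tree() {
    [ -x "$1/configure" ] && [ -f "$1/nginx/modsecurity/config" ]
}

# Print the configure argument that embeds the module into Nginx (static module).
nginx_configure_args() {
    printf '%s' "--add-module=$1/nginx/modsecurity"
}

# Build the standalone ModSecurity module (mlogc is disabled; it is not needed for Nginx).
build_modsecurity() {
    check_modsec_tree "$1" || { echo "not a ModSecurity source tree: $1" >&2; return 1; }
    ( cd "$1" && ./configure --enable-standalone-module --disable-mlogc && make )
}

# Configure, build and install Nginx with the module. $1 = nginx source dir, $2 = modsecurity dir.
build_nginx() {
    ( cd "$1" && ./configure "$(nginx_configure_args "$2")" && make && make install )
}

if [ "${1:-}" = "build" ]; then
    install_build_deps
    build_modsecurity "$MODSEC_DIR"
    build_nginx "$NGINX_DIR" "$MODSEC_DIR"
    echo "Nginx built with ModSecurity; configure it next."
fi
```

Run it as `sh build.sh build` on the server; run it with no argument to only load the functions, which is useful for checking the source layout with `check_modsec_tree` before starting a long compile.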
Configure Mod Security with Nginx
Copy the modsecurity.conf-recommended and unicode.mapping files from the extracted folder of the ModSecurity source code downloaded above to the Nginx conf folder. You may also use the find command to locate them. Let’s rename modsecurity.conf-recommended to modsecurity.conf.
Take a backup of the nginx.conf file. Open nginx.conf and add the following under the “location /” directive:
So it should appear like this:
Now ModSecurity is integrated with Nginx. Restart Nginx to ensure it comes up without any error.
Let’s verify. There are two possible methods to confirm that Nginx is compiled with ModSecurity.
First: list the compiled modules by running the nginx executable with -V.
Second: go to the logs folder and view the error log; you should see the following:
This concludes that you have successfully configured ModSecurity with Nginx. By default, the configuration is in detection-only mode, which means it logs matches but does not execute any action, so it does not yet protect your web applications. In my next article, I’ve explained how to configure the OWASP rule set and enable ModSecurity to protect against web security vulnerabilities.
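To make the configuration and verification steps above concrete, here is an added example (not code from the original tutorial). It renders a “location /” block that turns ModSecurity on, and then checks the two signals the text describes: the module in the nginx -V output and the ModSecurity start-up line in the error log. It also reads back the SecRuleEngine value, because the recommended configuration ships in DetectionOnly mode, which is exactly the “log but do not block” state the text warns about. Assumptions: the directive names ModSecurityEnabled and ModSecurityConfig are those of the ModSecurity 2.x Nginx module; the nginx -V output, the error-log line and the modsecurity.conf contents below are constructed samples, not captured from a real server.

```shell
#!/bin/sh
# Added example (not from the original tutorial). Assumptions: ModSecurityEnabled /
# ModSecurityConfig are the ModSecurity 2.x Nginx module directives; all sample
# strings below are constructed, not real captures.

# Print a "location /" block with ModSecurity enabled, for pasting into nginx.conf.
render_modsec_location() {
    conf="${1:-modsecurity.conf}"
    printf '%s\n' \
        'location / {' \
        '    ModSecurityEnabled on;' \
        "    ModSecurityConfig $conf;" \
        '    root   html;' \
        '    index  index.html index.htm;' \
        '}'
}

# Return 0 if "nginx -V" output (passed as $1) lists the ModSecurity module.
nginx_has_modsecurity() {
    printf '%s\n' "$1" | grep -q -- '--add-module=[^ ]*modsecurity'
}

# Print the active SecRuleEngine value from a modsecurity.conf, skipping comment lines.
# modsecurity.conf-recommended sets DetectionOnly: matches are logged, nothing is blocked.
modsec_engine_mode() {
    grep -v '^[[:space:]]*#' "$1" | awk '$1 == "SecRuleEngine" { print $2 }' | tail -n 1
}

# Return 0 if an Nginx error log (path in $1) shows ModSecurity initialising.
errorlog_has_modsec() {
    grep -q 'ModSecurity for nginx' "$1"
}

# --- constructed samples (not real captures) --------------------------------
SAMPLE_NGINX_V='nginx version: nginx/1.11.5
configure arguments: --add-module=../modsecurity-2.9.1/nginx/modsecurity'

SAMPLE_ERRLOG_LINE='2016/01/01 00:00:00 [notice] 1234#0: ModSecurity for nginx (STABLE)/2.9.1 (http://www.modsecurity.org/) configured.'

demo() {
    tmpconf=$(mktemp)
    tmplog=$(mktemp)
    printf '%s\n' '# recommended defaults' 'SecRuleEngine DetectionOnly' 'SecRequestBodyAccess On' > "$tmpconf"
    printf '%s\n' "$SAMPLE_ERRLOG_LINE" > "$tmplog"

    render_modsec_location modsecurity.conf
    if nginx_has_modsecurity "$SAMPLE_NGINX_V"; then
        echo "nginx -V: ModSecurity module present"
    fi
    echo "SecRuleEngine: $(modsec_engine_mode "$tmpconf")"
    if errorlog_has_modsec "$tmplog"; then
        echo "error.log: ModSecurity initialised"
    fi
    rm -f "$tmpconf" "$tmplog"
}
demo
```

On a real server, feed the functions live data instead of the samples: `nginx_has_modsecurity "$(/usr/local/nginx/sbin/nginx -V 2>&1)"`, `modsec_engine_mode /usr/local/nginx/conf/modsecurity.conf` and `errorlog_has_modsec /usr/local/nginx/logs/error.log` (paths assume the default Nginx install prefix). A SecRuleEngine value of DetectionOnly confirms that ModSecurity is wired in but not yet enforcing anything.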