Installing modsecurity as a static nginx module
This is a super minimal guide how to recompile nginx on Ubuntu 16.04/14.04 for ModSecurity.
External references
- http://www.geoffstratton.com/recompile-nginx-19-installed-apt-ubuntu-1604
- https://ops.tips/blog/nginx-http2-server-push/#installing-nginx-from-source
- https://www.slideshare.net/Nginx/modsecurity-30-and-nginx-getting-started
- https://github.com/SpiderLabs/ModSecurity-nginx
- https://serverfault.com/questions/777978/install-mod-security-for-nginx-without-need-to-recompile
Instructions
I started with downloading nginx's sources and extracting them: .. code-block:: bash
wget https://nginx.org/download/nginx-1.13.12.tar.gz tar -xf nginx-1.13.12.tar.gz
Then I took the compilation flags of my current nginx build with nginx -V, modified to include modsecurity and to excude useless modules (you can always find the sources of the modules online and pray they work with newer nginx, remove --add-module=./modules/ngx_brotli if you want nginx without brotli):
./configure --with-cc-opt='-g -O2 -fPIE -fstack-protector-strong -Wformat -Werror=format-security -Wdate-time -D_FORTIFY_SOURCE=2' --with-ld-opt='-Wl,-Bsymbolic-functions -fPIE -pie -Wl,-z,relro -Wl,-z,now' --sbin-path=/usr/sbin/nginx --prefix=/usr/share/nginx --conf-path=/etc/nginx/nginx.conf --http-log-path=/var/log/nginx/access.log --error-log-path=/var/log/nginx/error.log --lock-path=/var/lock/nginx.lock --pid-path=/run/nginx.pid --http-client-body-temp-path=/var/lib/nginx/body --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-proxy-temp-path=/var/lib/nginx/proxy --http-scgi-temp-path=/var/lib/nginx/scgi --http-uwsgi-temp-path=/var/lib/nginx/uwsgi --with-debug --with-pcre-jit --with-http_ssl_module --with-http_stub_status_module --with-http_realip_module --with-http_auth_request_module --with-http_addition_module --with-http_dav_module --with-http_flv_module --with-http_geoip_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_image_filter_module --with-http_mp4_module --with-http_perl_module --with-http_random_index_module --with-http_secure_link_module --with-http_v2_module --with-http_sub_module --with-http_xslt_module --with-mail --with-mail_ssl_module --with-stream --with-stream_ssl_module --with-threads --add-module=./modules/headers-more-nginx-module --add-module=./modules/ModSecurity-nginx --add-module=./modules/ngx_brotli --with-compat
Building it is easy after that: .. code-block:: bash
make -j3 make install
Then I only had to restart nginx: .. code-block:: bash
sudo systemctl restart nginx
Configuration is left as an excercise for the reader :)
Usability
I tested it out for a while, it has a few bugs and the documentation is really lacking in terms of how to write brand-new rules for it. It's also super annoying to detect false-positives and I found the rule syntax vomit-worthy. I decided to drop using modsecurity, it just wasn't worth it, especially not just for fun™.
This also seems to hold true in 2023 as it did back in 2018.