Install modsecurity on nginx
Today, I installed mod_security for nginx. I added the following block to /etc/nginx/nginx:
    server {
        listen 80;
        server_name localhost;
        location / {
            ModSecurityEnabled on;
            ModSecurityConfig modsecurity.conf;
        }
    }
After restarting Nginx, I got the following error:
nginx: [emerg] unknown directive "ModSecurityEnabled" in /etc/nginx/conf.d/nginx.conf:6
nginx: configuration file /etc/nginx/nginx.conf test failed
Output of nginx -V:
nginx version: nginx/1.4.7
built by gcc 4.4.7 20120313 (Red Hat 4.4.7-4) (GCC)
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-http_ssl_module --with-http_realip_module --with-http_addition_module --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_random_index_module --with-http_secure_link_module --with-http_stub_status_module --with-mail --with-mail_ssl_module --with-file-aio --with-ipv6 --with-cc-opt='-O2 -g -pipe -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m32 -march=i386 -mtune=generic -fasynchronous-unwind-tables'
What is going wrong?
According to the official documentation:
The extensibility model of the nginx server does not include dynamically loaded modules, thus ModSecurity must be compiled with the source code of the main server. Since nginx is available on multiple Unix-based platforms (and also on Windows), for now the recommended way of obtaining ModSecurity for nginx is compilation in the designated environment.
Source: https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
You can not just add some lines in nginx.conf to get it working.
You might also want to consider the following if you want to be helped more efficiently and in the meantime participate in making Stack Overflow a better place:
Good luck!
I did this on NGinx plus, so not sure if entirely identical but it seems so ...
Yum install nginx-modsecurity (for nginx plus it's nginx-plus-module-modsecurity)
Add
    load_module modules/ngx_http_modsecurity_module.so;
to top level of /etc/nginx/nginx.conf - Outside of the server block
Then, within your server block
    modsecurity on;
    modsecurity_rules_file /some/path/to/rules/modsecurity-recommended.conf;
You can get the suggested contents for modsecurity-recommended from: https://docs.nginx.com/nginx-waf/admin-guide/nginx-plus-modsecurity-waf-owasp-crs/
This is working for me at the moment, hope it helps
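A way to apply both answers to a given host, as an added example that is not part of the original question or answers: the script reads `nginx -V` output, reports whether a ModSecurity module appears in the configure arguments, and otherwise whether the version supports `load_module` (dynamic modules exist from nginx 1.9.11, a fact not stated on the page). The function name, the verdict labels and samples 2 and 3 are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify how (or whether) an nginx binary can run ModSecurity,
# using only the text printed by `nginx -V`.
# Verdict labels are this example's own names:
#   static            module compiled in with --add-module
#   dynamic-built     module built with --add-dynamic-module
#   dynamic-capable   no module in the build, but load_module is supported
#   rebuild-required  no module and no load_module support (before 1.9.11)
classify_nginx_build() {
    out=$1
    ver=$(printf '%s\n' "$out" |
        sed -n 's|^nginx version: [^/]*/\([0-9][0-9.]*\).*|\1|p' | head -n 1)
    # One configure argument per line, lowercased; keep module paths naming modsecurity.
    mods=$(printf '%s\n' "$out" | grep '^configure arguments:' |
        tr ' ' '\n' | tr 'A-Z' 'a-z' |
        grep -- '^--add-.*module=.*modsecurity' || true)
    case $mods in
        *--add-module=*)         echo static; return 0 ;;
        *--add-dynamic-module=*) echo dynamic-built; return 0 ;;
    esac
    # Split X.Y.Z and compare numerically against 1.9.11.
    old_ifs=$IFS; IFS=.
    set -- $ver
    IFS=$old_ifs
    num=$(( ${1:-0} * 1000000 + ${2:-0} * 1000 + ${3:-0} ))
    if [ "$num" -ge 1009011 ]; then
        echo dynamic-capable
    else
        echo rebuild-required
    fi
}

# Sample 1: shortened from the `nginx -V` output in the question.
SAMPLE_QUESTION='nginx version: nginx/1.4.7
configure arguments: --prefix=/etc/nginx --with-http_ssl_module --with-ipv6'

# Sample 2: constructed for this example (version and module path are made up).
SAMPLE_DYNAMIC='nginx version: nginx/1.18.0
configure arguments: --prefix=/etc/nginx --add-dynamic-module=/usr/src/ModSecurity-nginx'

# Sample 3: constructed; a newer build with no ModSecurity module in it.
SAMPLE_PLAIN='nginx version: nginx/1.18.0
configure arguments: --prefix=/etc/nginx --with-http_ssl_module'

for s in "$SAMPLE_QUESTION" "$SAMPLE_DYNAMIC" "$SAMPLE_PLAIN"; do
    classify_nginx_build "$s"
done
# On a real host (nginx -V writes to stderr): classify_nginx_build "$(nginx -V 2>&1)"
```

A module installed from a separate package, as in the second answer, does not show up in the configure arguments, so `dynamic-capable` only says that `load_module` is available, not that the module file is present.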