在nginx上安装modsecurity

Question

Today, I installed mod_security for nginx. I added the following block to /etc/nginx/nginx :

server {
listen       80;
server_name  localhost;

location / {
ModSecurityEnabled on;
ModSecurityConfig modsecurity.conf;
}

}

After restarting Nginx, I got the following error:

nginx: [emerg] unknown directive "ModSecurityEnabled" in /etc/nginx/conf.d/nginx.conf:6
nginx: configuration file /etc/nginx/nginx.conf test failed

Output of nginx -V :

nginx version: nginx/1.4.7
built by gcc 4.4.7 20120313 (Red Hat 4.4.7-4) (GCC) 
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-http_ssl_module --with-http_realip_module --with-http_addition_module --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_random_index_module --with-http_secure_link_module --with-http_stub_status_module --with-mail --with-mail_ssl_module --with-file-aio --with-ipv6 --with-cc-opt='-O2 -g -pipe -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m32 -march=i386 -mtune=generic -fasynchronous-unwind-tables'

What is going wrong?

Answer 1

According to the official documentation:

The extensibility model of the nginx server does not include dynamically loaded modules, thus ModSecurity must be compiled with the source code of the main server . Since nginx is available on multiple Unix-based platforms (and also on Windows), for now the recommended way of obtaining ModSecurity for nginx is compilation in the designated environment.

Source: https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX

You can not just add some lines in nginx.conf to get it working.

You might also want to consider the following if you want to be helped more efficiently and in the meantime participate in making Stack Overflow a better place:

• Read the docs before asking for help (it took me 3 minutes to figure out the way it works).
• Choose a more explicit title for your issue.
• Try to auto-correct the content to make it easier to read.

Good luck!

Answer 2

I did this on NGinx plus, so not sure if entirely identical but it seems so ...

Yum install nginx-modsecurity (for nginx plus its nginx-plus-module-modsecurity) Add load_module modules/ngx_http_modsecurity_module.so; to top level of /etc/nginx/nginx.conf - Outside of the server block

Then, within your server block modsecurity on; modsecurity_rules_file /some/path/to/rules/modsecurity-recommended.conf modsecurity on; modsecurity_rules_file /some/path/to/rules/modsecurity-recommended.conf

You can get the suggested contents for modsecurirty-recommended from: https://docs.nginx.com/nginx-waf/admin-guide/nginx-plus-modsecurity-waf-owasp-crs/

This is working for me at the moment, hope it helps