
How to install Mod_Security on Nginx

ModSecurity for Nginx has been available for a while, and we can use it freely in our Nginx web server. ModSecurity was originally developed for the Apache web server, but it’s now available to be integrated with Nginx. Even though it is in beta state, it works perfectly in our test environment. So, let’s see how to install mod_security on Nginx.

Let’s start:

Install required dependencies from Github

CentOS/Fedora/RHEL users:

yum install -y gcc make automake autoconf libtool
yum install -y pcre pcre-devel libxml2 libxml2-devel curl curl-devel httpd-devel

Debian/Ubuntu users:

sudo apt-get install libxml2 libxml2-dev libxml2-utils libaprutil1 libaprutil1-dev

Download, compile and install mod_security

git clone https://github.com/SpiderLabs/ModSecurity.git mod_security
cd mod_security
./autogen.sh
./configure --enable-standalone-module
make

Compile Nginx from source with modsecurity

wget http://www.nginx.org/download/nginx-1.4.2.tar.gz
tar -xvpzf nginx-1.4.2.tar.gz
cd nginx-1.4.2
./configure --add-module=../mod_security/nginx/modsecurity
make
make install

Nginx ModSecurity Configuration

The ModSecurity configuration file must be defined in the nginx.conf file, for example:


server {
    listen       80;
    server_name  localhost;

    location / {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;
    }
}

If you need to have custom rules for your mod_security applied to different directories in your website, you can create new mod_security.conf files, for example:

 location /secured {
   ModSecurityConfig modsecurity3.conf; 
   proxy_pass http://secured.mysite.com/;
   proxy_read_timeout 180s;
 }

Or you can even turn off mod_security for one directory in particular:

 location /unsecured/ {
   ModSecurityEnabled off;
   proxy_pass http://unsecured.mysite.com/;
   proxy_read_timeout 180s;
 }

Restart Nginx to apply the changes:

service nginx restart
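
After the restart, two checks are worth scripting: that the running binary was really built with the module, and which location blocks have ModSecurity switched on, off, or not mentioned at all. The script below is an added example, not part of the original post; the function names are hypothetical and the sample config is constructed from the snippets above.

```sh
#!/bin/sh
# Added example: post-install checks for the ModSecurity build described above.
# Function names and the sample config are constructed for this illustration.

# Succeeds if the `nginx -V` output passed as $1 shows that a ModSecurity
# module directory was handed to ./configure with --add-module.
has_modsecurity_module() {
    printf '%s\n' "$1" | grep -Eqi -- '--add-module=[^ ]*modsecurity'
}

# Reads nginx config text on stdin and prints "<location> <on|off|unset>".
# Assumes one directive per line and no blocks nested inside a location.
audit_locations() {
    awk '
        /^[ \t]*#/ { next }                      # ignore comment lines
        /^[ \t]*location[ \t]/ && /[{]/ {        # start of a location block
            sub(/^[ \t]*location[ \t]+/, "")
            sub(/[ \t]*[{].*/, "")
            path = $0; state = "unset"; inloc = 1; next
        }
        inloc && /^[ \t]*ModSecurityEnabled[ \t]+on[ \t]*;/  { state = "on" }
        inloc && /^[ \t]*ModSecurityEnabled[ \t]+off[ \t]*;/ { state = "off" }
        inloc && /[}]/ { print path, state; inloc = 0 }
    '
}

# Constructed sample config, modelled on the location blocks shown above.
sample_conf() {
cat <<'EOF'
server {
    listen 80;
    location / {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;
    }
    location /secured {
        ModSecurityConfig modsecurity3.conf;
        proxy_pass http://secured.mysite.com/;
    }
    location /unsecured/ {
        ModSecurityEnabled off;
        proxy_pass http://unsecured.mysite.com/;
    }
}
EOF
}

# Demo on the sample. On a live host:
#   has_modsecurity_module "$(nginx -V 2>&1)" && audit_locations < /etc/nginx/nginx.conf
sample_conf | audit_locations
```

Any location reported as off or unset should be confirmed by hand as an intentional exemption; the script only looks inside location blocks.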


Esteban Borges

Linux Geek, Webperf Addict, Nginx Fan. CTO @Infranetworking

  • Is there a way to install it if Nginx is already installed on the server?

  • admin

    You will need to recompile Nginx from source (if it was installed from source tar.gz package), or build your own .deb or .rpm files in case you used a package manager like yum or apt.

    • If I remove Nginx by using sudo apt-get remove nginx, will my website files which are in the /var/www/example.com/htdocs/files directory get removed/deleted?

      I am asking this because I want to remove Nginx and then recompile it using the method that you have described. During this process I don’t want to lose my website files.

      P.S: I have installed Nginx using this method: http://rtcamp.com/wordpress-nginx/tutorials/linux/ubuntu-php-apc-mysql-postfix/

  • I get an error, when I run make. Error: make: *** No targets specified and no makefile found. Stop.

  • admin

    Two things:

    1) I guess (because I don’t use Ubuntu/Debian often) they should stay there, but just in case run a simple backup:

    cp /var/www /var/www.bak -Rf

    2) That may happen because you didn’t run ./configure and no Makefile was created.

  • Webhosting Murah

    Interesting stuff, since I was previously an Apache+ModSecurity user.
    My question: does mod security work for nginx with php-fpm?

    regards

  • Bret

    This configuration works but still relies on Apache to be installed on the server. Many Nginx users forego Apache completely and do not have any of its components installed on their servers (nor do they want any). Your method is only for Nginx + Apache users and probably should be labeled as such. Remove the Apache dependencies and this method fails. ModSecurity has a configure option --disable-apache2-module but that still will not allow compilation without Apache. A ticket has been opened for this issue.

  • Kim

    Starting nginx: nginx: [emerg] unknown directive “ModSecurityEnabled” in /etc/nginx/conf.d/default.conf:11 [FAILED]

    I have the ModSecurityEnabled on in default.conf which is included after nginx.conf.

    Below is the code I have in default.conf

    location / {
    root /usr/share/nginx/html;
    index index.php index.html index.htm;
    ModSecurityEnabled on;
    ModSecurityConfig modsecurity.conf;
    }

    Any suggestions?

  • admin

    If you see unknown directive “ModSecurityEnabled”, it’s probably because the module wasn’t compiled properly and Nginx can’t load something that isn’t there. Try to recompile again and see if you get any errors during the process.

  • Kevin Kien

    Hi, I have a problem. After compiling mod_security and adding the mod_sec module to nginx, the file mod_security.conf is not in /etc/nginx/.
    The compile process shows no errors.
    The output of nginx -V does not show mod_security:
    configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-http_ssl_module --with-http_realip_module --with-http_addition_module --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_random_index_module --with-http_secure_link_module --with-http_stub_status_module --with-mail --with-mail_ssl_module --with-file-aio --with-ipv6 --with-cc-opt='-O2 -g -pipe -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m32 -march=i386 -mtune=generic -fasynchronous-unwind-tables'

    Please help me.

    • admin

      Check your compiling logs on the screen while doing it. There must be some kind of error that is preventing mod_sec to be built ok.

  • wangjuan

    In the first step, I use the command ./configure --enable-standalone-module to compile, but there is an error showing “couldn’t find APXS”. Does the git get the apache type, not the nginx type?

  • skahandz

    Awesome, but before running ‘autogen.sh’ we must install the ‘automake’ package in Debian jessie.

  • aw

    I got ‘configure: error: couldn’t find APXS’ message, when configure mod_security,
    So I installed apache2-dev package and solved it.

  • Andrew

    I have attempted to go through these steps, but it seems nginx exits. Here is my error log:

    2015/03/26 11:32:07 [notice] 50779#0: ModSecurity for nginx (STABLE)/2.9.0 (http://www.modsecurity.org/) configured.
    2015/03/26 11:32:07 [notice] 50779#0: ModSecurity: APR compiled version=”1.5.1-dev”; loaded version=”1.5.1-dev”
    2015/03/26 11:32:07 [notice] 50779#0: ModSecurity: PCRE compiled version=”8.31 “; loaded version=”8.31 2012-07-06″
    2015/03/26 11:32:07 [notice] 50779#0: ModSecurity: LIBXML compiled version=”2.9.1”
    2015/03/26 11:32:07 [notice] 50779#0: ModSecurity: StatusEngine call: “2.9.0,nginx,1.5.1-dev/1.5.1-dev,8.31/8.31 2012-07-06,(null),2.9.1,0535b25f21a307107e8904fda8dd51bf1e7c54f0”
    2015/03/26 11:32:07 [notice] 50779#0: ModSecurity: StatusEngine call successfully sent. For more information visit: http://status.modsecurity.org/
    2015/03/26 11:33:29 [alert] 50780#0: worker process 50781 exited on signal 9
    2015/03/26 11:33:33 [alert] 50780#0: worker process 50801 exited on signal 9
    2015/03/26 11:34:19 [alert] 50780#0: worker process 50803 exited on signal 9
    2015/03/26 11:34:24 [alert] 50780#0: worker process 50815 exited on signal 9

  • Dusty

    Starting from nginx 1.7.7 there’s a bug related to proxy_force_ranges directive.
    If disabled (it’s off by default) nginx + mod_security segfaults, so you should update your tutorial suggesting to turn on “proxy_force_ranges”.
    Here’s the issue: https://github.com/SpiderLabs/ModSecurity/issues/823

  • Matthew

    Is there any chance of a windows specific guide to building mod_security with nginx, or has anyone attempted to do this on Windows at all?