modsecurity3.0 nginx 安装

备注：

使用的是modsecurity 3.0 的版本，也是nginx 官方推荐使用的，同时使用的是nginx 的dynamic module

1. 环境准备

https://github.com/SpiderLabs/ModSecurity
https://github.com/SpiderLabs/ModSecurity-nginx
https://nginx.org/download/nginx-1.13.8.tar.gz

 

2.  编译libmodsecurity

a. 预备（编译依赖） 

 yum install -y pcre pcre-devel openssl openssl-devel libtool libtool-ltdl-devel gcc gcc-c++ gcc-g77 autoconf automake
geoip geip-devel libcurl libcurl-devel  yajl yajl-devel lmdb-devel  ssdeep-devel  lua-devel
备注：比较多，实际安装会有提示

b. 编译

git clone --depth 1 -b v3/master --single-branch https://github.com/SpiderLabs/ModSecurity
cd ModSecurity
git submodule init
git submodule update
./build.sh
./configure
make
make install

备注：fatal: No names found, cannot describe anything.  提示这个错误可以不用管（官方说明）

c. modsecurity nginx dynamic module编译

git clone --depth 1 https://github.com/SpiderLabs/ModSecurity- nginx.git
wget https://nginx.org/download/nginx-1.13.8.tar.gz
tar xvf nginx-1.13.8.tar.gz
cd nginx-1.13.8
./configure  --add-dynamic-module=../ModSecurity-nginx
make modules

cp objs/ngx_http_modsecurity_module.so /usr/local/nginx/modules(此处为Nginx 安装位置,我的nginx 也是源码编译)

d. nginx源码编译

参考上面的nginx下载
./configure
make
make install

 

 

3. 配置模块加载

load_module modules/ngx_http_modsecurity_module.so;
备注： 位置 nginx main

 

 

4. 测试nginx 环境准备

a.实际业务应用
/usr/local/nginx/cong/nginx.conf

server {
listen localhost:8085;
location / {
default_type text/plain;
return 200 "Thank you for requesting ${request_uri}\n";
}
}

b. waf(modsecurity nginx 出口，以及数据入口) nginx proxy

server {
        listen       80;
        location / {
         proxy_pass http://localhost:8085;
         proxy_set_header Host $host;
      }
}

 

5. modsecurity 配置文件

a. 官方模版

mkdir -p /usr/local/nginx/modsec
cd /usr/local/nginx/modsec
wget https://raw.githubusercontent.com/SpiderLabs/ModSecurity/v3/master/modsecurity.conf-recommended
mv modsecurity.conf-recommended   modsecurity.conf
启用规引擎
SecRuleEngine On
b. 创建主配置文件

main.conf
内容如下：
Include /usr/local/nginx/modsec/modsecurity.conf
SecRule ARGS:testparam "@contains test" "id:1234,deny,log,status:403"

c. waf 上面的nginx 80 配置)
 modsecurity on;
 modsecurity_rules_file /usr/local/nginx/modsec/main.conf;

 

6. 加载配置

sbin/nginx -t
备注：  如果不报错说明没有问题，报错可以参考日志解决

 

7. 测试

实际上，上面的配置是如果请求参考testparam 包含test 就提示403

测试结果：
curl -i http://localhost/foo?testparam=dalongtest
HTTP/1.1 403 Forbidden
Server: nginx/1.13.8
Date: Sun, 18 Feb 2018 10:45:43 GMT
Content-Type: text/html
Content-Length: 169
Connection: keep-alive

<html>
<head><title>403 Forbidden</title></head>
<body bgcolor="white">
<center><h1>403 Forbidden</h1></center>
<hr><center>nginx/1.13.8</center>
</body>
</html>

curl -i http://localhost/foo?testparam=dalong
HTTP/1.1 200 OK
Server: nginx/1.13.8
Date: Sun, 18 Feb 2018 10:46:14 GMT
Content-Type: text/plain
Content-Length: 47
Connection: keep-alive

Thank you for requesting /foo?testparam=dalong

 

8. 扩展

同时支持 OWASP 的crs
配置参考：
wget https://github.com/SpiderLabs/owasp-modsecurity-crs/archive/ v3.0.2.tar.gz
tar -xzvf v3.0.2.tar.gz
sudo mv owasp-modsecurity-crs-3.0.2 /usr/local
cd /usr/local/owasp-modsecurity-crs-3.0.2
sudo cp crs-setup.conf.example crs-setup.conf

# Include the recommended configuration Include /usr/local/nginx/modsec/modsecurity.conf
# OWASP CRS v3 rules
Include /usr/local/owasp-modsecurity-crs-3.0.2/crs-setup.conf Include /usr/local/owasp-modsecurity-crs-3.0.2/rules/*.conf

 

 

8. 参考资料

https://github.com/SpiderLabs/ModSecurity/tree/v3/master
https://github.com/SpiderLabs/ModSecurity
https://www.nginx.com/resources/library/modsecurity-3-nginx-quick-start-guide/