Install Nginx with ModSecurity on Debian and Ubuntu
ModSecurity is a powerful open-source Web Application Firewall (WAF) that helps protect web applications from various attacks. This guide shows you how to install and configure ModSecurity with Nginx using an Nginx repository for Debian and Ubuntu.
Step 1: Add Nginx Repository
Run the following commands to add the Nginx repository that contains the ModSecurity module and then install Nginx. The first command pipes the setup script into a root shell; to review it first, download it to a file and read it before running it.
curl -1sLf \
'https://dl.cloudsmith.io/public/nginx/modsecurity/setup.deb.sh' \
| sudo -E bash
sudo apt update
sudo apt install nginx
Confirm that you installed the right Nginx build by running nginx -V. The configure arguments in the output should include --add-module=/usr/src/modsecurity:
nginx -V
nginx version: nginx/1.26.3
built by gcc 9.4.0 (Ubuntu 9.4.0-1ubuntu1~20.04.2)
built with OpenSSL 1.1.1f 31 Mar 2020
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-compat --with-file-aio --with-threads --with-http_addition_module --with-http_auth_request_module --with-http_dav_module --with-http_flv_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_mp4_module --with-http_random_index_module --with-http_realip_module --with-http_secure_link_module --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --with-http_v2_module --with-http_v3_module --with-mail --with-mail_ssl_module --with-stream --with-stream_realip_module --with-stream_ssl_module --with-stream_ssl_preread_module --with-cc-opt='-g -O2 -fdebug-prefix-map=/nginx/nginx-latest=. -fstack-protector-strong -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fPIC' --with-ld-opt='-Wl,-Bsymbolic-functions -Wl,-z,relro -Wl,-z,now -Wl,--as-needed -pie' --add-module=/usr/src/modsecurity
Step 2: Configure ModSecurity
The Nginx package includes OWASP configurations, so you only need to add the following settings to your server block to enable ModSecurity:
modsecurity on;
modsecurity_rules_file /etc/nginx/modsec/main.conf;
For example:
server {
    listen 80;
    server_name localhost;
    modsecurity on;
    modsecurity_rules_file /etc/nginx/modsec/main.conf;
    location / {
        root /usr/share/nginx/html;
        index index.html index.htm;
    }
}
By default, ModSecurity runs in DetectionOnly mode, which logs matching requests but does not block them. Open the ModSecurity configuration in your text editor and set the SecRuleEngine parameter to On to block malicious requests, then confirm the value with grep:
sudo vim /etc/nginx/modsec/modsecurity.conf
grep SecRuleEngine /etc/nginx/modsec/modsecurity.conf
SecRuleEngine On
Step 3: Restart Nginx
To apply the changes, validate the configuration and then restart or reload Nginx:
sudo nginx -t
sudo systemctl restart nginx
Step 4: Test ModSecurity
Try accessing your server with a few requests that should be blocked:
curl -v "http://localhost/?q=<script>alert(1)</script>" # XSS
curl -v "http://localhost/?cmd=ls%20-ltr%20/" # Command Injection
curl -v "http://localhost/?id=1%27%20OR%20%271%27=%271" # SQL Injection
Conveniently, ModSecurity supports JSON logs, so you can read them easily with a simple command or forward them to your log server with a log shipper such as Filebeat or Rsyslog.
tail -f /var/log/modsec_audit.log | jq .
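To check from the JSON audit log whether matched requests were actually blocked or only logged (what DetectionOnly mode produces), here is an added example that is not part of the original guide. It assumes one JSON object per line with the libmodsecurity v3 field names (transaction.messages[].details.ruleId, transaction.response.http_code) and a deny status of 403; the sample entries are constructed.

```python
import json
from collections import Counter

# Constructed sample entries, one JSON object per line (not real traffic).
SAMPLE_LINES = [
    json.dumps({"transaction": {
        "client_ip": "192.0.2.10",
        "request": {"method": "GET", "uri": "/?id=1%27%20OR%20%271%27=%271"},
        "response": {"http_code": 403},
        "messages": [
            {"message": "SQL Injection Attack Detected via libinjection",
             "details": {"ruleId": "942100"}},
            {"message": "Inbound Anomaly Score Exceeded (Total Score: 5)",
             "details": {"ruleId": "949110"}}]}}),
    json.dumps({"transaction": {
        "client_ip": "192.0.2.11",
        "request": {"method": "GET", "uri": "/?q=<script>alert(1)</script>"},
        "response": {"http_code": 200},
        "messages": [
            {"message": "XSS Attack Detected via libinjection",
             "details": {"ruleId": "941100"}}]}}),
    '{"transaction": {"client_ip": "192.0.2.12", "requ',  # truncated write
]

def summarize(lines, deny_status=403):
    """Return (rows, rule_hits) for transactions that matched at least one rule."""
    rows, rule_hits = [], Counter()
    for line in lines:
        try:
            tx = json.loads(line)["transaction"]
            msgs = tx.get("messages", [])
        except (ValueError, KeyError, TypeError, AttributeError):
            continue  # blank, partial or non-audit line
        ids = [m["details"]["ruleId"] for m in msgs
               if m.get("details", {}).get("ruleId")]
        if not ids:
            continue
        status = tx.get("response", {}).get("http_code")
        rule_hits.update(ids)
        rows.append({
            "client": tx.get("client_ip"),
            "uri": tx.get("request", {}).get("uri"),
            "status": status,
            "rules": ids,
            # Rules matched but the request was still served: not blocked.
            "verdict": "blocked" if status == deny_status else "logged-only",
        })
    return rows, rule_hits

def unblocked(rows):
    """Transactions where rules fired but the response was not the deny status."""
    return [r for r in rows if r["verdict"] == "logged-only"]
```

Any row returned by unblocked() after you have set SecRuleEngine On is worth investigating, since it means a rule fired without the request being denied.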
That’s it! You now have ModSecurity installed and running with Nginx on Debian/Ubuntu and you don’t need to spend hours compiling and configuring ModSecurity from scratch!