安全：nginx安装modsecurity

一，modsecurity官网:

     官网:

https://modsecurity.org/

如图:

     官方代码站:

https://github.com/owasp-modsecurity/ModSecurity

二，安装环境准备:

1,安装依赖库:

[root@localhost source]# yum install -y gcc make pcre-devel libxml2 libxml2-devel curl-devel httpd-devel libtool 

2,安装依赖库:

[root@localhost source]# dnf install -y unzip wget epel-release

3,安装依赖库:

[root@localhost source]# dnf install -y gcc-c++ flex bison yajl lua curl-devel curl zlib-devel pcre-devel 
pcre2-devel libxml2-devel ssdeep-devel libtool autoconf automake make libmaxminddb 

4,查看g++的版本:版本需要大于等于7.3,否则不支持C++17标准

[root@localhost source]# g++ --version
g++ (GCC) 11.4.1 20231218 (Red Hat 11.4.1-3)
Copyright (C) 2021 Free Software Foundation, Inc.
This is free software; see the source for copying conditions.  There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

三，下载

参考github上的文档，直接clone

[root@localhost source]# git clone --recursive https://github.com/owasp-modsecurity/ModSecurity ModSecurity

完成后进入源码目录:

[root@localhost modsecurity]# cd ModSecurity/

四，安装

[root@localhost ModSecurity]# git submodule init
[root@localhost ModSecurity]# git submodule update
[root@localhost ModSecurity]# ./build.sh

configure                                                                                                                                         

[root@localhost ModSecurity]# ./configure

make/make install

[root@localhost ModSecurity]# make
[root@localhost ModSecurity]# make install

查看所安装的目录:

[root@localhost ModSecurity]# ls /usr/local/modsecurity/
bin  include  lib
[root@localhost ModSecurity]# ls /usr/local/modsecurity/bin/
modsec-rules-check

五，安装nginx的插件/安装nginx

1, ModSecurity-nginx的代码站地址:

https://github.com/owasp-modsecurity/ModSecurity-nginx

它是nginx和modsecurity之间联动的桥梁

2,下载:用git命令clone

[root@localhost modsecurity]# git clone https://github.com/owasp-modsecurity/ModSecurity-nginx.git

移动到软件目录下，防止误删除

[root@localhost modsecurity]# mv ModSecurity-nginx/ /opt/soft/

3, 下载安装nginx

下载

[root@localhost source]# wget https://nginx.org/download/nginx-1.26.1.tar.gz

解压:

[root@localhost nginx]# tar -zxvf nginx-1.26.1.tar.gz

configure

[root@localhost nginx]# cd nginx-1.26.1
[root@localhost nginx-1.26.1]# ./configure --prefix=/opt/soft/nginx-1.26.1 --with-http_stub_status_module 
--with-http_ssl_module  --add-module=/opt/soft/ModSecurity-nginx 

编译并安装

[root@localhost nginx-1.26.1]# make && make install

4,配置nginx

创建用户

[root@localhost nginx-1.26.1]# groupadd nginx
[root@localhost nginx-1.26.1]# useradd -g nginx -s /sbin/nologin -M nginx 

编辑nginx配置文件，指定用户是nginx

[root@localhost conf]# vi nginx.conf 

在开始处增加一行代码:

user  nginx nginx;

编辑service文件

[root@localhost conf]# vi /usr/lib/systemd/system/nginx.service 

内容:

[root@localhost html]# more /usr/lib/systemd/system/nginx.service
[Unit]
Description=nginx-The High-performance HTTP Server
After=network.target


[Service]
Type=forking
PIDFile=/opt/soft/nginx-1.26.1/logs/nginx.pid
ExecStartPre=/opt/soft/nginx-1.26.1/sbin/nginx -t -c /opt/soft/nginx-1.26.1/conf/nginx.conf
ExecStart=/opt/soft/nginx-1.26.1/sbin/nginx -c /opt/soft/nginx-1.26.1/conf/nginx.conf
ExecReload=/opt/soft/nginx-1.26.1/sbin/nginx -s reload
ExecStop=/opt/soft/nginx-1.26.1/sbin/nginx -s stop
PrivateTmp=true


[Install]
WantedBy=multi-user.target

重新加载systemd服务

[root@localhost conf]# systemctl daemon-reload 

启动:

[root@localhost conf]# systemctl start nginx 

查看modsecurity模块是否已安装:

[root@localhost html]# /opt/soft/nginx-1.26.1/sbin/nginx -V
nginx version: nginx/1.26.1
built by gcc 11.4.1 20231218 (Red Hat 11.4.1-3) (GCC)
built with OpenSSL 3.0.7 1 Nov 2022
TLS SNI support enabled
configure arguments: --prefix=/opt/soft/nginx-1.26.1 --with-http_stub_status_module --with-http_ssl_module --add-module=/opt/soft/ModSecurity-nginx

六，安装规则

1, modsecurity中文站:

http://www.modsecurity.cn/

规则的代码站:

https://github.com/coreruleset/coreruleset

2,下载

[root@localhost modsecurity]#  git clone https://github.com/coreruleset/coreruleset.git

创建保存规则的目录:

[root@localhost coreruleset]# mkdir /opt/soft/nginx-1.26.1/modsecurity

3,复制文件到我们所创建的目录:

进入下载后的规则目录

[root@localhost modsecurity]# cd coreruleset/

前两个命令复制的是git下载的规则目录中的内容
后两个目录是我们所下载的ModSecurity源码中的内容

[root@localhost coreruleset]# cp -r rules/ /opt/soft/nginx-1.26.1/modsecurity/
[root@localhost coreruleset]# cp crs-setup.conf.example /opt/soft/nginx-1.26.1/modsecurity/crs-setup.conf
[root@localhost coreruleset]# cp /opt/source/modsecurity/ModSecurity/modsecurity.conf-recommended  /opt/soft/nginx-1.26.1/modsecurity/modsecurity.conf
[root@localhost coreruleset]# cp /opt/source/modsecurity/ModSecurity/unicode.mapping /opt/soft/nginx-1.26.1/modsecurity/  

4,配置文件:

在nginx下的server文件中增加两行:

modsecurity on;
modsecurity_rules_file /opt/soft/nginx-1.26.1/modsecurity/modsecurity.conf; 

配置modsecurity

[root@localhost modsecurity]# vi modsecurity.conf  

打开引擎

SecRuleEngine On

末尾处添加:

include /opt/soft/nginx-1.26.1/modsecurity/crs-setup.conf
include /opt/soft/nginx-1.26.1/modsecurity/rules/*.conf

七，测试

1,重启服务:

[root@localhost modsecurity]# systemctl restart nginx.service

2, 输入<script>alert(1);</script>

打开检测前:

打开检测后:

3,输入: ' select * from user

打开检测前:

打开检测后:

八，附注:

1,安装nginx时报错:

./configure: error: SSL modules require the OpenSSL library.
You can either do not enable the modules, or install the OpenSSL library
into the system, or build the OpenSSL library statically from the source
with nginx by using --with-openssl=<path> option.

原因:缺少openssl的开发库

解决:

[root@localhost nginx-1.26.1]# yum install openssl-devel