
Security: installing ModSecurity for nginx

Date: 2024-09-04 17:04:04
Tags: opt root modsecurity nginx install 1.26 localhost

I. ModSecurity official site:

     Official site:

https://modsecurity.org/

     Official code repository:

https://github.com/owasp-modsecurity/ModSecurity

II. Preparing the build environment:

1. Install the dependencies:

[root@localhost source]# yum install -y gcc make pcre-devel libxml2 libxml2-devel curl-devel httpd-devel libtool 

2. Install more dependencies:

[root@localhost source]# dnf install -y unzip wget epel-release

3. Install the remaining dependencies:

[root@localhost source]# dnf install -y gcc-c++ flex bison yajl lua curl-devel curl zlib-devel pcre-devel \
pcre2-devel libxml2-devel ssdeep-devel libtool autoconf automake make libmaxminddb

4. Check the g++ version: it must be 7.3 or later, otherwise the C++17 standard is not supported

[root@localhost source]# g++ --version
g++ (GCC) 11.4.1 20231218 (Red Hat 11.4.1-3)
Copyright (C) 2021 Free Software Foundation, Inc.
This is free software; see the source for copying conditions.  There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

III. Download

Following the documentation on GitHub, clone the repository directly:

[root@localhost source]# git clone --recursive https://github.com/owasp-modsecurity/ModSecurity ModSecurity

Once it finishes, enter the source directory:

[root@localhost modsecurity]# cd ModSecurity/

IV. Installation

[root@localhost ModSecurity]# git submodule init
[root@localhost ModSecurity]# git submodule update
[root@localhost ModSecurity]# ./build.sh

configure

[root@localhost ModSecurity]# ./configure

make/make install

[root@localhost ModSecurity]# make
[root@localhost ModSecurity]# make install

Check the installation directory:

[root@localhost ModSecurity]# ls /usr/local/modsecurity/
bin  include  lib
[root@localhost ModSecurity]# ls /usr/local/modsecurity/bin/
modsec-rules-check

V. Installing the nginx connector module and nginx

1. Repository for ModSecurity-nginx:

https://github.com/owasp-modsecurity/ModSecurity-nginx

It is the bridge that links nginx and ModSecurity.

2. Download: clone it with git

[root@localhost modsecurity]# git clone https://github.com/owasp-modsecurity/ModSecurity-nginx.git

Move it into the software directory so that it is not deleted by accident

[root@localhost modsecurity]# mv ModSecurity-nginx/ /opt/soft/

3. Download and install nginx

Download

[root@localhost source]# wget https://nginx.org/download/nginx-1.26.1.tar.gz

Extract:

[root@localhost nginx]# tar -zxvf nginx-1.26.1.tar.gz

configure

[root@localhost nginx]# cd nginx-1.26.1
[root@localhost nginx-1.26.1]# ./configure --prefix=/opt/soft/nginx-1.26.1 --with-http_stub_status_module \
--with-http_ssl_module  --add-module=/opt/soft/ModSecurity-nginx

Compile and install

[root@localhost nginx-1.26.1]# make && make install

4. Configure nginx

Create the user

[root@localhost nginx-1.26.1]# groupadd nginx
[root@localhost nginx-1.26.1]# useradd -g nginx -s /sbin/nologin -M nginx 

Edit the nginx configuration file and set the user to nginx

[root@localhost conf]# vi nginx.conf 

Add one line at the top:

user  nginx nginx;

Edit the service file

[root@localhost conf]# vi /usr/lib/systemd/system/nginx.service 

Contents:

[root@localhost html]# more /usr/lib/systemd/system/nginx.service
[Unit]
Description=nginx-The High-performance HTTP Server
After=network.target


[Service]
Type=forking
PIDFile=/opt/soft/nginx-1.26.1/logs/nginx.pid
ExecStartPre=/opt/soft/nginx-1.26.1/sbin/nginx -t -c /opt/soft/nginx-1.26.1/conf/nginx.conf
ExecStart=/opt/soft/nginx-1.26.1/sbin/nginx -c /opt/soft/nginx-1.26.1/conf/nginx.conf
ExecReload=/opt/soft/nginx-1.26.1/sbin/nginx -s reload
ExecStop=/opt/soft/nginx-1.26.1/sbin/nginx -s stop
PrivateTmp=true


[Install]
WantedBy=multi-user.target

Reload the systemd configuration

[root@localhost conf]# systemctl daemon-reload 

Start:

[root@localhost conf]# systemctl start nginx 

Check whether the ModSecurity module is installed:

[root@localhost html]# /opt/soft/nginx-1.26.1/sbin/nginx -V
nginx version: nginx/1.26.1
built by gcc 11.4.1 20231218 (Red Hat 11.4.1-3) (GCC)
built with OpenSSL 3.0.7 1 Nov 2022
TLS SNI support enabled
configure arguments: --prefix=/opt/soft/nginx-1.26.1 --with-http_stub_status_module --with-http_ssl_module --add-module=/opt/soft/ModSecurity-nginx

VI. Installing the rules

1. ModSecurity Chinese-language site:

http://www.modsecurity.cn/

Rules repository:

https://github.com/coreruleset/coreruleset

2. Download

[root@localhost modsecurity]#  git clone https://github.com/coreruleset/coreruleset.git

Create the directory that will hold the rules:

[root@localhost coreruleset]# mkdir /opt/soft/nginx-1.26.1/modsecurity

3. Copy the files into the directory we created:

Enter the downloaded rules directory

[root@localhost modsecurity]# cd coreruleset/

The first two commands copy content from the rules directory cloned with git;
the last two copy files from the ModSecurity source tree we downloaded.

[root@localhost coreruleset]# cp -r rules/ /opt/soft/nginx-1.26.1/modsecurity/
[root@localhost coreruleset]# cp crs-setup.conf.example /opt/soft/nginx-1.26.1/modsecurity/crs-setup.conf
[root@localhost coreruleset]# cp /opt/source/modsecurity/ModSecurity/modsecurity.conf-recommended  /opt/soft/nginx-1.26.1/modsecurity/modsecurity.conf
[root@localhost coreruleset]# cp /opt/source/modsecurity/ModSecurity/unicode.mapping /opt/soft/nginx-1.26.1/modsecurity/  

4. Configuration files:

In nginx's server configuration file, add two lines:

modsecurity on;
modsecurity_rules_file /opt/soft/nginx-1.26.1/modsecurity/modsecurity.conf; 

Configure ModSecurity

[root@localhost modsecurity]# vi modsecurity.conf  

Turn on the engine

SecRuleEngine On

Append at the end:

include /opt/soft/nginx-1.26.1/modsecurity/crs-setup.conf
include /opt/soft/nginx-1.26.1/modsecurity/rules/*.conf
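
modsecurity.conf-recommended ships with SecRuleEngine DetectionOnly, so a missed edit leaves the WAF logging without blocking. The script below is an added example, not part of the original post: it checks the two edits above (the effective engine mode, and that crs-setup.conf is included before the rules). The function names and the sample file are assumptions constructed here.

```bash
#!/bin/sh
# Added example: audit the two edits made to modsecurity.conf in step 4.

# Print the effective SecRuleEngine value (last uncommented directive wins).
engine_mode() {
    awk 'tolower($1) == "secruleengine" { mode = $2 }
         END { print (mode == "" ? "unset" : mode) }' "$1"
}

# Succeed only if crs-setup.conf is included before the rules/*.conf glob.
crs_include_order_ok() {
    awk 'tolower($1) == "include" {
             if ($2 ~ /crs-setup\.conf$/ && !setup) setup = NR
             if ($2 ~ /rules\/\*\.conf$/ && !rules) rules = NR
         }
         END { exit !(setup && rules && setup < rules) }' "$1"
}

# Print one finding per line; return 0 only when the WAF will block.
audit_modsec_conf() {
    conf=$1
    rc=0
    mode=$(engine_mode "$conf")
    case "$(printf '%s' "$mode" | tr '[:upper:]' '[:lower:]')" in
        on)            echo "OK   SecRuleEngine On (blocking)" ;;
        detectiononly) echo "WARN SecRuleEngine DetectionOnly (logs only)"; rc=1 ;;
        *)             echo "FAIL SecRuleEngine $mode (rules not enforced)"; rc=1 ;;
    esac
    if crs_include_order_ok "$conf"; then
        echo "OK   crs-setup.conf is included before rules/*.conf"
    else
        echo "FAIL CRS includes missing or out of order"
        rc=1
    fi
    return "$rc"
}

# Constructed sample: the relevant lines of the file after the step 4 edits.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# SecRuleEngine DetectionOnly
SecRuleEngine On
include /opt/soft/nginx-1.26.1/modsecurity/crs-setup.conf
include /opt/soft/nginx-1.26.1/modsecurity/rules/*.conf
EOF
audit_modsec_conf "$sample"
rm -f "$sample"
```

Run `audit_modsec_conf /opt/soft/nginx-1.26.1/modsecurity/modsecurity.conf` against the real file before restarting nginx.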

VII. Testing

1. Restart the service:

[root@localhost modsecurity]# systemctl restart nginx.service

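2. Enter <script>alert(1);</script>

Before enabling detection: [screenshot]

After enabling detection: [screenshot]

3. Enter: ' select * from user

Before enabling detection: [screenshot]

After enabling detection: [screenshot]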

 

VIII. Notes:

1. Error when installing nginx:

./configure: error: SSL modules require the OpenSSL library.
You can either do not enable the modules, or install the OpenSSL library
into the system, or build the OpenSSL library statically from the source
with nginx by using --with-openssl=<path> option.

Cause: the OpenSSL development library is missing

Fix:

[root@localhost nginx-1.26.1]# yum install openssl-devel

 

From: https://www.cnblogs.com/architectforest/p/18396169
