nginx 部署 ModSecurity3

一、查看本地nginx版本

nginx是yum安装的

# nginx -v
nginx version: nginx/1.26.2

二、安装依赖工具

# yum install -y gcc-c++ flex bison yajl lmdb lua curl-devel curl GeoIP-devel zlib-devel pcre-devel pcre2-devel libxml2-devel ssdeep-devel libtool autoconf automake make git wget openssl openssl-devel

三、安装ModSecurity

# cd /usr/local/
# git clone https://gitee.com/gongxw/ModSecurity.git
# cd ModSecurity/
# git submodule init
# git submodule update    # 需要代理
# sh build.sh
# ./configure
# make clean         #如果是从其他服务器拷贝过来的ModSecurity，必须执行此步骤。否则报错
# make
# make install

四、安装nginx与ModSecurity-nginx

# cd /usr/local/
# git clone https://github.com/SpiderLabs/ModSecurity-nginx  #我没用，使用以前的
# tar -zxf ModSecurity-nginx.tar.gz
# tar -zxf nginx-1.26.2.tar.gz    #需要跟安装的版本一致
# cd nginx-1.26.2/
通过nginx -V查看原有的部署参数：
# nginx -V
取configure arguments:之后的所有内容。

# ./configure --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib64/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-compat --with-file-aio --with-threads --with-http_addition_module --with-http_auth_request_module --with-http_dav_module --with-http_flv_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_mp4_module --with-http_random_index_module --with-http_realip_module --with-http_secure_link_module --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --with-http_v2_module --with-http_v3_module --with-mail --with-mail_ssl_module --with-stream --with-stream_realip_module --with-stream_ssl_module --with-stream_ssl_preread_module --with-cc-opt='-O2 -g -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS -fexceptions -fstack-protector-strong -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection -fPIC' --with-ld-opt='-Wl,-z,relro -Wl,-z,now -pie' --add-module=/usr/local/ModSecurity-nginx# make

五、下载规则文件并配置

# mkdir /usr/local/nginx/conf/modsecurity -p
# cd /usr/local/
# tar -zxf coreruleset.tar.gz
# cp /usr/local/ModSecurity/modsecurity.conf-recommended /usr/local/nginx/conf/modsecurity/modsecurity.conf
# cp /usr/local/ModSecurity/unicode.mapping /usr/local/nginx/conf/modsecurity/unicode.mapping
# cp -r /usr/local/coreruleset/rules /usr/local/nginx/conf/modsecurity/
# cp /usr/local/coreruleset/crs-setup.conf.example /usr/local/nginx/conf/modsecurity/crs-setup.conf

六、修改nginx配置

全局生效
在 /etc/nginx/nginx.conf 中添加一下内容：
modsecurity on;
modsecurity_rules_file /usr/local/nginx/conf/modsecurity/modsecurity.conf;局部生效，把以上内容添加到server了里面。

七、注意

建议新系统部署，老系统需要升级一些软件。

1.26开启ssl，使用下面配置：

listen 443 ssl；