Nginx modsecurity on Debian 8

Hi,

A bit lost …
I know nothing concerning nginx, I am more comfortable with Apache2.
I am using an email server that uses nginx on Debian 8.
I would need to install modsecurity as a module.
I have understood that I need to compile from the working directory of
nginx …

./configure --add-module=/opt/ModSecurity-nginx

But how to deal with it if nginx has been installed from a binary (Debian
package)?

I have followed these instructions:

$ sudo dnf install gcc-c++ flex bison curl-devel curl yajl yajl-devel GeoIP-devel doxygen
$ cd /opt/
$ git clone https://github.com/SpiderLabs/ModSecurity
$ cd ModSecurity
$ git checkout libmodsecurity
$ sh build.sh
$ ./configure
$ make
$ make install
$ cd /opt/
$ git clone https://github.com/SpiderLabs/ModSecurity-nginx
$ cd /opt/ModSecurity-nginx
$ git checkout experimental
$ cd /opt/


$ wget http://nginx.org/download/nginx-1.9.2.tar.gz
$ tar -xvzf nginx-1.9.2.tar.gz
$ yum install zlib-devel


$ ./configure --add-module=/opt/ModSecurity-nginx

Everything went fine until the last ./configure …
I didn’t apply what’s between " *** " because my nginx server is
already installed and working.

Any ideas ?

Thx

Cordialement,
Thierry e-mail : [email protected]

nginx -V will show configure arguments. You need to add mod_sec at the
beginning of whatever is in there.

What I have …
Could you please explain to me what I have to do? I do not
understand …
Sorry

nginx version: nginx/1.6.2
TLS SNI support enabled
configure arguments: --with-cc-opt='-g -O2 -fstack-protector-strong
-Wformat -Werror=format-security -D_FORTIFY_SOURCE=2'
--with-ld-opt=-Wl,-z,relro --prefix=/usr/share/nginx
--conf-path=/etc/nginx/nginx.conf
--http-log-path=/var/log/nginx/access.log
--error-log-path=/var/log/nginx/error.log
--lock-path=/var/lock/nginx.lock --pid-path=/run/nginx.pid
--http-client-body-temp-path=/var/lib/nginx/body
--http-fastcgi-temp-path=/var/lib/nginx/fastcgi
--http-proxy-temp-path=/var/lib/nginx/proxy
--http-scgi-temp-path=/var/lib/nginx/scgi
--http-uwsgi-temp-path=/var/lib/nginx/uwsgi --with-debug --with-pcre-jit
--with-ipv6 --with-http_ssl_module --with-http_stub_status_module
--with-http_realip_module --with-http_auth_request_module
--with-http_addition_module --with-http_dav_module
--with-http_geoip_module --with-http_gzip_static_module
--with-http_image_filter_module --with-http_spdy_module
--with-http_sub_module --with-http_xslt_module --with-mail
--with-mail_ssl_module
--add-module=/tmp/buildd/nginx-1.6.2/debian/modules/nginx-auth-pam
--add-module=/tmp/buildd/nginx-1.6.2/debian/modules/nginx-dav-ext-module
--add-module=/tmp/buildd/nginx-1.6.2/debian/modules/nginx-echo
--add-module=/tmp/buildd/nginx-1.6.2/debian/modules/nginx-upstream-fair
--add-module=/tmp/buildd/nginx-1.6.2/debian/modules/ngx_http_substitutions_filter_module


Greetings,

On Wed, 2015-12-23 at 14:21 +0200, Thierry wrote:

A bit lost …
I know nothing concerning nginx, I am more comfortable with Apache2.
I am using an email server that uses nginx on Debian 8.
I would need to install modsecurity as a module.
I have understood that I need to compile from the working directory
of nginx …

FWIW I am in a similar boat. Apache has been my weapon of choice for a
long time, I have inherited a system where they prefer nginx. We are a
Debian shop, using Jessie (8) on production systems. I use the packages
from the nginx repositories rather than the Debian builds.

deb http://nginx.org/packages/mainline/debian/ jessie nginx

nginx -V

nginx version: nginx/1.9.7
built by gcc 4.9.2 (Debian 4.9.2-10)
built with OpenSSL 1.0.1k 8 Jan 2015
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx
--conf-path=/etc/nginx/nginx.conf
--error-log-path=/var/log/nginx/error.log
--http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid
--lock-path=/var/run/nginx.lock
--http-client-body-temp-path=/var/cache/nginx/client_temp
--http-proxy-temp-path=/var/cache/nginx/proxy_temp
--http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp
--http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp
--http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx
--group=nginx --with-http_ssl_module --with-http_realip_module
--with-http_addition_module --with-http_sub_module
--with-http_dav_module --with-http_flv_module --with-http_mp4_module
--with-http_gunzip_module --with-http_gzip_static_module
--with-http_random_index_module --with-http_secure_link_module
--with-http_stub_status_module --with-http_auth_request_module
--with-threads --with-stream --with-stream_ssl_module --with-mail
--with-mail_ssl_module --with-file-aio --with-http_v2_module
--with-cc-opt='-g -O2 -fstack-protector-strong -Wformat
-Werror=format-security -Wp,-D_FORTIFY_SOURCE=2'
--with-ld-opt='-Wl,-z,relro -Wl,--as-needed' --with-ipv6

If that is of any help :)

Hi Nikolai,

Seems a bit tricky to me.
I am not going to do anything because I do not want to break something
that is already working perfectly…
Why is it so complicated to install a module for nginx?

Thx anyway and happy christmas.


Hello Thierry,

Here’s a quick howto to build a nginx Debian package, I hope it’s clear and
that I’m not making mistakes.

First, you need to get the source of nginx and other files to build the
package. You can probably do something like “apt-get source nginx”, but I
prefer to go on this page: Debian -- Error and
manually download the 3 files on the right.
Something like “wget
http://http.debian.net/debian/pool/main/n/nginx/nginx_1.6.2-5.dsc
http://http.debian.net/debian/pool/main/n/nginx/nginx_1.6.2.orig.tar.gz
http://http.debian.net/debian/pool/main/n/nginx/nginx_1.6.2-5.debian.tar.xz”.

Then, you uncompress everything with: “dpkg-source -x nginx_1.6.2-5.dsc”

Then “cd nginx_1.6.2-5”

Here, you will have to do something to add ModSecurity. Normally, you add a
3rd party module by adding something like
“--add-module=full/path/to/the/module-source” in the “debian/rules” file
(where there are other parameters like “--with-ipv6” or
“--with-http_ssl_module”).
Check the “debian/rules” and add your parameter only to the flavor you will
use (full, light,…). Or add the parameter for each of them if you are not
sure.
I don’t know if ModSecurity needs something special.

Last step, execute: “dpkg-buildpackage -B -uc” to compile everything and
build the “.deb” packages. Note that you will get several of them: full,
extras, light, with or without debug,… (regarding these flavors, see
previous step: where you added the parameter).

Then install your newly created package with: “dpkg -i
nginx-THE-FLAVOR-YOU-WANT.deb”

PS: I’m really sorry if there are some mistakes (maybe in the filenames?), I
just wrote the instructions from memory.

PS2: I suggest you first do all these steps, without the one regarding
ModSecurity (so without editing “debian/rules”), just to be sure everything
goes well.

Best Regards.

Posted at Nginx Forum:
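
The "debian/rules" edit from the howto above, scripted so that only one flavor is changed; this is an added example, not part of the original post. The rules layout it expects (a "<flavor>_configure_flags := \" block per flavor), the sample fragment and the function names are assumptions to compare against the real file.

```shell
#!/bin/sh
# Added example. The debian/rules layout used here (one
# "<flavor>_configure_flags := \" block of continued lines per flavor)
# is an assumption; compare it with the real file before use.

# Constructed sample of such a rules fragment.
sample_rules() {
    cat <<'EOF'
light_configure_flags := \
    $(common_configure_flags) \
    --with-http_gzip_static_module
full_configure_flags := \
    $(common_configure_flags) \
    --with-http_ssl_module
EOF
}

# add_module_to_flavor RULES FLAVOR MODULE_DIR
# Inserts "--add-module=MODULE_DIR \" as the first continued line of one
# flavor's flag block. Fails without touching RULES if the flavor is absent.
add_module_to_flavor() {
    rules=$1 flavor=$2 module_dir=$3 tmp=$1.new
    awk -v f="$flavor" -v m="$module_dir" '
        $0 ~ ("^" f "_configure_flags[ \t]*:=") {
            print; printf "    --add-module=%s \\\n", m; found = 1; next
        }
        { print }
        END { exit !found }
    ' "$rules" > "$tmp" && cat "$tmp" > "$rules"   # cat keeps mode and owner
    status=$?
    rm -f "$tmp"
    [ "$status" -eq 0 ] || echo "flavor '$flavor' not found in $rules" >&2
    return "$status"
}

# Remaining step from the howto, for a test machine, run from the unpacked
# source tree (defined here but not invoked).
build_flavor() {
    add_module_to_flavor debian/rules "$1" "$2" && dpkg-buildpackage -B -uc
}

# Demonstration on the constructed fragment.
demo=$(mktemp) && sample_rules > "$demo" &&
    add_module_to_flavor "$demo" full /opt/ModSecurity-nginx && cat "$demo"
rm -f "$demo"
```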

Bonjour Alt,

Thx a lot … But, I might be mistaken …
My nginx is already working, has already been compiled with a certain
number of modules … I do not want to break something …
If I am doing what you said … It might happen, no?

Thx


Append the configure argument you already mentioned, ./configure
--add-module=/opt/ModSecurity-nginx, with the

--with-cc-opt='-g -O2 -fstack-protector-strong -Wformat
-Werror=format-security -D_FORTIFY_SOURCE=2' --with-ld-opt=-Wl,-z,relro
--prefix=/usr/share/nginx --conf-path=/etc/nginx/nginx.conf
--http-log-path=/var/log/nginx/access.log
--error-log-path=/var/log/nginx/error.log
--lock-path=/var/lock/nginx.lock
--pid-path=/run/nginx.pid
--http-client-body-temp-path=/var/lib/nginx/body
--http-fastcgi-temp-path=/var/lib/nginx/fastcgi
--http-proxy-temp-path=/var/lib/nginx/proxy
--http-scgi-temp-path=/var/lib/nginx/scgi
--http-uwsgi-temp-path=/var/lib/nginx/uwsgi --with-debug --with-pcre-jit
--with-ipv6 --with-http_ssl_module --with-http_stub_status_module
--with-http_realip_module --with-http_auth_request_module
--with-http_addition_module --with-http_dav_module
--with-http_geoip_module
--with-http_gzip_static_module --with-http_image_filter_module
--with-http_spdy_module --with-http_sub_module --with-http_xslt_module
--with-mail --with-mail_ssl_module
--add-module=/tmp/buildd/nginx-1.6.2/debian/modules/nginx-auth-pam
--add-module=/tmp/buildd/nginx-1.6.2/debian/modules/nginx-dav-ext-module
--add-module=/tmp/buildd/nginx-1.6.2/debian/modules/nginx-echo
--add-module=/tmp/buildd/nginx-1.6.2/debian/modules/nginx-upstream-fair
--add-module=/tmp/buildd/nginx-1.6.2/debian/modules/ngx_http_substitutions_filter_module

One problem I see here is that you need to place the modules added there in
their exact path, like for example
/tmp/buildd/nginx-1.6.2/debian/modules/nginx-upstream-fair.
Otherwise you will have to modify those paths accordingly. You need to
install the build deps for nginx too.

Also you might be able to use 1.8.0 stable version

Follow -

. The difference is you are adding mod_sec instead of pagespeed .
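
A way to turn the posted `nginx -V` output into the ./configure line described above, shown as an added example that is not part of the original message. It also lists the packaged --add-module directories that are missing on the build host and checks that the hardening flags of the packaged build are carried over; the function names and the shortened sample text are constructed for illustration.

```shell
#!/bin/sh
# Added example. SAMPLE_NGINX_V is constructed: a shortened copy of the
# `nginx -V` output posted in the thread.
SAMPLE_NGINX_V="nginx version: nginx/1.6.2
TLS SNI support enabled
configure arguments: --with-cc-opt='-g -O2 -fstack-protector-strong -Wformat -Werror=format-security -D_FORTIFY_SOURCE=2' --with-ld-opt=-Wl,-z,relro --prefix=/usr/share/nginx --with-http_ssl_module --with-mail --add-module=/tmp/buildd/nginx-1.6.2/debian/modules/nginx-echo"

# Read `nginx -V` text on stdin, print one configure argument per line.
# xargs applies shell-like quoting, so --with-cc-opt='-g -O2 ...' stays whole.
configure_args() {
    sed -n 's/^configure arguments: //p' | xargs -n1 printf '%s\n'
}

# Print every --add-module source directory that is missing on this host.
missing_module_dirs() {
    configure_args | sed -n 's/^--add-module=//p' | while IFS= read -r dir; do
        [ -d "$dir" ] || printf '%s\n' "$dir"
    done
}

# Succeed only if the packaged build's hardening flags are all present.
hardening_kept() {
    args=$(configure_args)
    for flag in -fstack-protector-strong -D_FORTIFY_SOURCE=2 -z,relro; do
        case $args in
            *"$flag"*) ;;
            *) echo "hardening flag missing: $flag" >&2; return 1 ;;
        esac
    done
}

# Print a ./configure line: the original arguments, then the new module.
# Assumes no argument contains a single quote.
rebuild_command() {
    printf './configure'
    configure_args | while IFS= read -r arg; do printf " '%s'" "$arg"; done
    printf " '--add-module=%s'\n" "$1"
}

# Real use: nginx -V 2>&1 | rebuild_command /opt/ModSecurity-nginx
printf '%s\n' "$SAMPLE_NGINX_V" | rebuild_command /opt/ModSecurity-nginx
```

`nginx -V` writes to stderr, hence the `2>&1` in the usage comment.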

Bonjour nanaya,

Ok, but if I recompile everything, do I lose the actual nginx’s config
?


On Thu, Dec 24, 2015, at 02:31, Thierry wrote:

Bonjour Alt,

Thx a lot … But, I might be mistaken …
My nginx is already working, has already been compiled with a certain
number of modules … I do not want to break something …
If I am doing what you said … It might happen, no?

nginx doesn’t have support for loadable modules yet so any modules you
want to add/remove requires recompiling nginx.

Hello again :)

As said in my last message, in theory you shouldn’t lose your
configuration.
But: backup, backup and backup :) And compile and test on a test server,
not on a production server :)

Best Regards.


Hello Thierry,

Just rebuilding a Debian package and installing it shouldn’t break
anything.
But a problem or mistake can always happen, so I don’t recommend doing
everything I said in my previous message on your production server.
I don’t think you want to spend your XMas fixing your server :) So compile,
package and test nginx on a test server (a virtual machine for example).

And anyway, you really must have a backup of your production server (with
all your config files), because shit can happen (mistake of an admin,
hardware failure, a hack,…) and you could lose everything.

If you want to keep the modules already compiled in, you should add
ModSecurity to the same flavor you used on your server. If you installed the
package “nginx-full” flavor, you should add ModSecurity to “nginx-full”,
rebuild the packages and install your new “nginx-full.deb”.

Best Regards.
