
Nginx + ModSecurity setup

2022-04-29 08:12:23  Bean sprouts of Doudou

1. Create a temporary working directory
[[email protected] ~]# cd /root && mkdir temporary && cd temporary/

2. Install common system software with yum
[[email protected] temporary]# yum install epel-release
[[email protected] temporary]# yum groupinstall 'Development Tools' -y

3. Install the ModSecurity dependencies
[[email protected] temporary]# yum install gcc-c++ flex bison yajl yajl-devel curl-devel curl GeoIP-devel doxygen zlib-devel
[[email protected] temporary]# yum install lmdb lmdb-devel libxml2 libxml2-devel ssdeep ssdeep-devel lua lua-devel

4. Install ModSecurity
[[email protected] temporary]# git clone --depth 1 --single-branch https://github.com/SpiderLabs/ModSecurity
[[email protected] temporary]# cd ModSecurity/
[[email protected] ModSecurity]# git submodule init
[[email protected] ModSecurity]# git submodule update
[[email protected] ModSecurity]# ./build.sh
[[email protected] ModSecurity]# yum install pcre -y
[[email protected] ModSecurity]# yum install pcre-devel -y
[[email protected] ModSecurity]# ./configure
[[email protected] ModSecurity]# make && make install

5. Download the nginx source package
[[email protected] ModSecurity]# cd /usr/local/
[[email protected] local]# wget http://nginx.org/download/nginx-1.16.0.tar.gz
[[email protected] local]# tar zxvf nginx-1.16.0.tar.gz && cd nginx-1.16.0/

6. Install the nginx dependencies
[[email protected] nginx-1.16.0]# yum install gd-devel pcre pcre-devel zlib zlib-devel openssl openssl-devel

7. Download the ModSecurity nginx connector for later use
[[email protected] nginx-1.16.0]# git clone --depth 1 https://github.com/SpiderLabs/ModSecurity-nginx.git

8. Hide the nginx version and server information (optional, according to need)
[[email protected] nginx-1.16.0]# vi src/core/nginx.h

#define NGINX_VERSION "7.0"
#define NGINX_VER "IIS/" NGINX_VERSION

9. Change the HTTP Server response header so it no longer identifies nginx
[[email protected] nginx-1.16.0]# vi src/http/ngx_http_header_filter_module.c

static u_char ngx_http_server_string[] = "Server: IIS" CRLF; 

10. Remove nginx from the error response page footer
[[email protected] nginx-1.16.0]# vi src/http/ngx_http_special_response.c

static u_char ngx_http_error_tail[] =
"<hr><center>IIS</center>" CRLF
"</body>" CRLF
"</html>" CRLF
;

11. Replace the nginx 50x page
[[email protected] nginx-1.16.0]# vi html/50x.html

<!DOCTYPE html>
<html>
<head>
    <title>Error</title>
    <style>
        body {
            width: 35em;
            margin: 0 auto;
            font-family: Tahoma, Verdana, Arial, sans-serif;
        }
    </style>
</head>
<body>
    <h1>ERROR</h1>
    <p>Please contact administrator</p>
    <p><em>www.123.com</em></p>
</body>
</html>

12. Delete the default page
[[email protected] nginx-1.16.0]# rm html/index.html

13. Create the nginx run user
[[email protected] nginx-1.16.0]# groupadd nginx && useradd -g nginx -s /sbin/nologin -M nginx

14. Set the nginx compile parameters
[[email protected] nginx-1.16.0]# ./configure --prefix=/usr/local/nginx --sbin-path=/usr/local/nginx/sbin/nginx \
    --conf-path=/usr/local/nginx/conf/nginx.conf --error-log-path=/var/log/nginx/error.log \
    --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock \
    --user=nginx --group=nginx \
    --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp \
    --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp \
    --http-scgi-temp-path=/var/cache/nginx/scgi_temp \
    --with-http_ssl_module --with-http_realip_module --with-http_addition_module --with-http_sub_module \
    --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module \
    --with-http_gzip_static_module --with-http_random_index_module --with-http_secure_link_module \
    --with-http_stub_status_module --with-http_auth_request_module --with-http_image_filter_module \
    --with-http_geoip_module --with-http_slice_module --with-http_v2_module --with-threads \
    --with-stream --with-stream_ssl_module --with-mail --with-mail_ssl_module --with-file-aio --with-compat \
    --add-dynamic-module=…/ModSecurity-nginx
Note: copy ModSecurity-nginx to the /opt directory first, so that the --add-dynamic-module path points at it.

15. Compile the ModSecurity dynamic module
[[email protected] nginx-1.16.0]# make modules

16. Stop the running nginx service and back up the original tengine (can be skipped on a fresh environment)
/usr/local/nginx/sbin/nginx -s quit
tar zcvf /root/tengine_old.tar.gz /usr/local/nginx

17. Compile and install the new nginx, then check that it was installed correctly
[[email protected] nginx-1.16.0]# make
[[email protected] nginx-1.16.0]# make install
[[email protected] nginx-1.16.0]# /usr/local/nginx/sbin/nginx -V

18. Copy the ModSecurity module into the nginx modules directory (the directory that load_module in nginx.conf refers to, relative to the prefix)
[[email protected] nginx-1.16.0]# cp objs/ngx_http_modsecurity_module.so /usr/local/nginx/modules/

19. Set nginx to start automatically at boot (via /etc/rc.local)
[[email protected] nginx-1.16.0]# chmod +x /etc/rc.local
[[email protected] nginx-1.16.0]# rm /var/run/nginx.pid -f && /usr/local/nginx/sbin/nginx >/dev/null 2>&1

20. Download the ModSecurity configuration file
[[email protected] nginx-1.16.0]# mkdir /usr/local/nginx/modsec
[[email protected] nginx-1.16.0]# cd /usr/local/nginx/modsec
[[email protected] modsec]# wget https://raw.githubusercontent.com/SpiderLabs/ModSecurity/v3/master/modsecurity.conf-recommended
[[email protected] modsec]# mv modsecurity.conf-recommended modsecurity.conf

21. Enable the rule engine (the recommended file ships in detection-only mode; switch it to blocking)
[[email protected] modsec]# vi /usr/local/nginx/modsec/modsecurity.conf

#SecRuleEngine DetectionOnly
SecRuleEngine On

22. Download the OWASP CRS
[[email protected] modsec]# wget https://github.com/SpiderLabs/owasp-modsecurity-crs/archive/v3.0.0.tar.gz
[[email protected] modsec]# tar -xzvf v3.0.0.tar.gz
[[email protected] modsec]# mv owasp-modsecurity-crs-3.0.0 /usr/local

23. Create the CRS configuration file used to set up the core rule set
[[email protected] modsec]# cd /usr/local/owasp-modsecurity-crs-3.0.0
[[email protected] owasp-modsecurity-crs-3.0.0]# cp crs-setup.conf.example crs-setup.conf

24. Create the main configuration file that includes the rule set
[[email protected] owasp-modsecurity-crs-3.0.0]# vi /usr/local/nginx/modsec/main.conf

# Include the recommended configuration
Include /usr/local/nginx/modsec/modsecurity.conf
# OWASP CRS v3 rules
Include /usr/local/owasp-modsecurity-crs-3.0.0/crs-setup.conf
Include /usr/local/owasp-modsecurity-crs-3.0.0/rules/*.conf

25. Copy the unicode mapping file
[[email protected] owasp-modsecurity-crs-3.0.0]# cp /root/temporary/ModSecurity/unicode.mapping /usr/local/nginx/modsec/

26. Configure the main nginx.conf configuration file
[[email protected] owasp-modsecurity-crs-3.0.0]# cd /usr/local/nginx/conf/
[[email protected] conf]# vi nginx.conf

# Load the ModSecurity connector module. load_module must appear in the main
# context before the events and http blocks, otherwise nginx refuses the
# configuration with "load_module directive is specified too late".
load_module modules/ngx_http_modsecurity_module.so;

user nginx;
worker_processes auto;
pid /var/run/nginx.pid;
# Keep in line with ulimit -n; raised to 65535
worker_rlimit_nofile 65535;
error_log /var/log/nginx/error.log warn;

events {
    use epoll;
    # Increase the number of connections
    worker_connections 65535;
}

http {
    include mime.types;
    default_type application/octet-stream;

    # Enable the GeoIP database
    geoip_country /usr/share/GeoIP/GeoIP.dat;
    geoip_proxy 192.168.180.0/24;
    geoip_proxy_recursive on;
    geo $geoip_country_code_self {
        192.168.180.0/24 CN;
    }

    # Remove the version number from the HTTP Server response header
    server_tokens off;

    # HTTPS session cache: improves HTTPS performance by reducing handshake round trips
    ssl_session_cache shared:SSL:10m;

    # Limit the request rate and the number of connections per client address
    limit_req_zone $binary_remote_addr zone=mylimit:10m rate=20r/s;
    limit_conn_zone $binary_remote_addr zone=addr:10m;

    # Buffer size configuration
    proxy_buffer_size 512k;
    proxy_buffers 240 512k;
    proxy_busy_buffers_size 512k;
    proxy_temp_file_write_size 512k;

    # Proxy timeout configuration
    proxy_connect_timeout 300s;
    proxy_send_timeout 600s;
    proxy_read_timeout 600s;
    send_timeout 600s;

    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';

    # Default access log location
    access_log /var/log/nginx/access.log main;

    sendfile on;
    keepalive_timeout 65;

    # Client upload data size limit
    client_max_body_size 2048m;
    client_body_buffer_size 500m;
    client_header_buffer_size 2048k;
    large_client_header_buffers 4 64k;

    include /usr/local/nginx/conf/conf.d/*.conf;
}

27. Check nginx for syntax errors, then start it
[[email protected] conf]# /usr/local/nginx/sbin/nginx -t
[[email protected] conf]# /usr/local/nginx/sbin/nginx

28. Create the site configuration directory and deploy a web site
[[email protected] conf]# mkdir conf.d
[[email protected] conf.d]# rz -E    (upload the site configuration file)
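
The site configuration file uploaded with rz in step 28 is not shown in the post. The script below is an added example (not the author's file) that generates such a file for the conf.d directory and enables the ModSecurity connector for the virtual host: without `modsecurity on;` and `modsecurity_rules_file` in a server or location block, the module is loaded in step 26 but inspects nothing. The paths, the zone names mylimit and addr, and the server_name www.test.com come from the post; the file name `<server_name>.conf`, the burst and connection-limit values, the document root and the function names are assumptions for this example.

```shell
#!/bin/sh
# Added example, not from the original post: render and install a conf.d site
# config that switches ModSecurity on for one virtual host.
# main.conf is the file built in step 24 (modsecurity.conf + OWASP CRS).
MODSEC_MAIN=/usr/local/nginx/modsec/main.conf

# render_site_conf SERVER_NAME DOCROOT
# Prints the server block to stdout; writes nothing to disk by itself.
render_site_conf() {
    name="$1"
    root="$2"
    cat <<EOF
server {
    listen 80;
    server_name ${name};
    root ${root};

    # Turn the ModSecurity engine on for this vhost and load main.conf.
    # SecRuleEngine On (step 21) then makes CRS matches block, not just log.
    modsecurity on;
    modsecurity_rules_file ${MODSEC_MAIN};

    # Apply the limit_req_zone / limit_conn_zone declared in the http block
    # (burst and connection values are assumptions for this example).
    limit_req zone=mylimit burst=40 nodelay;
    limit_conn addr 50;

    # Serve the customised 50x page from step 11
    error_page 500 502 503 504 /50x.html;
    location = /50x.html { root /usr/local/nginx/html; }
}
EOF
}

# count_modsec_directives CONF_FILE
# Returns the number of modsecurity* directives in the file (expected: 2),
# a quick way to confirm the vhost really enables the engine.
count_modsec_directives() {
    grep -c '^[[:space:]]*modsecurity' "$1"
}

# install_site_conf CONF_DIR SERVER_NAME DOCROOT
# Writes CONF_DIR/SERVER_NAME.conf and prints the path that was written.
install_site_conf() {
    dir="$1"
    mkdir -p "$dir"
    render_site_conf "$2" "$3" > "$dir/$2.conf"
    echo "$dir/$2.conf"
}

# Usage as root on the nginx host (then reload after the syntax check passes):
#   sh site-conf.sh /usr/local/nginx/conf/conf.d www.test.com /usr/local/nginx/html
if [ "$#" -eq 3 ]; then
    f=$(install_site_conf "$1" "$2" "$3")
    /usr/local/nginx/sbin/nginx -t && echo "wrote $f"
fi
```

The directives live in the server block rather than in the http block so that a single host can be switched to blocking mode while others are still being tuned; `nginx -t` is run before any reload because a missing unicode.mapping (step 25) or a bad Include path in main.conf only surfaces when the rules are actually parsed.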

29. Import the website
[[email protected] share]# cd /usr/local/nginx/html/
[[email protected] html]# rz -E    (upload the website archive)
[[email protected] html]# tar xzvf maintenance.tgz
[[email protected] conf.d]# mkdir -p /var/cache/nginx/client_temp
[[email protected] conf.d]# /usr/local/nginx/sbin/nginx    (start the service)
[[email protected] html]# ss -natupl | grep nginx    (check that the port is listening)

30. Edit the hosts file on the client (c:/Windows/System32/drivers/etc/hosts) and add:
192.168.1.12 www.test.com

31. Visit the website: http://192.168.1.12/maintenance/sccin/index.html

Copyright notice
Author: Bean sprouts of Doudou. Please include the original link when reprinting, thank you.
https://en.qdmana.com/2022/119/202204290600377632.html
