Difference between revisions of "Nginx"
m |
m (→NGINX with Libmodsecurity 3.x) |
||
(7 intermediate revisions by 2 users not shown) | |||
Line 1: | Line 1: | ||
== Does ASL work with Nginx? == | == Does ASL work with Nginx? == | ||
− | Yes. Nginx is protected through the ASL T-WAF module. | + | Yes. Nginx is protected through the ASL T-WAF module. |
− | Note: Do not use the embedded modsecurity module for nginx. The modsecurity module for nginx, although advertised as "stable", is very unstable and unreliable and should not be used at this time. | + | Note: Do not use the embedded modsecurity module for nginx. The opensource modsecurity module for nginx, although advertised as "stable" by the modsecurity.org website, is very unstable and unreliable and should not be used at this time. Please see the github website for details on bugs in the nginx modsecurity module: |
+ | |||
+ | https://github.com/SpiderLabs/ModSecurity/issues | ||
+ | |||
+ | |||
+ | Note: Libmodsecurity 3.0 for nginx is currently in an "Alpha" state, and is not feature complete. | ||
== How to install the T-WAF == | == How to install the T-WAF == | ||
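Review bot: the rewritten note on the right-hand side still says "at this time" and links to the whole issue tracker (https://github.com/SpiderLabs/ModSecurity/issues), so a reader cannot tell which release of the nginx modsecurity module or which bugs the warning covers. Name the affected version or link the specific issues. The added Libmodsecurity 3.0 "Alpha" line has the same gap and should say which release or date it was checked against.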
Line 32: | Line 37: | ||
Note: Nginx does not support the WAF in embedded mode. | Note: Nginx does not support the WAF in embedded mode. | ||
+ | |||
+ | |||
+ | |||
+ | == NGINX with Libmodsecurity 3.x == | ||
+ | |||
+ | Note: libmodsecurity 3.x does not have feature parity with modsecurity 2.x, libmodsecurity does not support all the features in modsecurity. Please see the [[modsecurity_rule_families]] document. | ||
+ | |||
+ | 1) Install supported version of nginx or nginx-plus | ||
+ | |||
+ | |||
+ | # Atomic or ASL repo | ||
+ | yum install nginx nginx-module-modsecurity | ||
+ | |||
+ | # Nginx Plus Repo | ||
+ | yum install nginx-plus-module-modsecurity | ||
+ | |||
+ | |||
+ | 2) enable modsecurity in /etc/nginx/nginx.conf | ||
+ | |||
+ | load_module modules/ngx_http_modsecurity_module.so; | ||
+ | |||
+ | 3) extract the archive and copy the contents to the rule and config directories: | ||
+ | |||
+ | tar xvf nginx-waf-201709121114.tar.gz | ||
+ | |||
+ | mkdir -p /etc/httpd/modsecurity.d/ | ||
+ | |||
+ | cp rules/* /etc/httpd/modsecurity.d/ | ||
+ | |||
+ | cp rules/conf/tortix_waf.conf /etc/httpd/modsecurity.d/ | ||
+ | |||
+ | 4) Configure rule classes to activate in 00_mod_security.conf, and copy to nginx | ||
+ | |||
+ | cp rules/conf/00_mod_security.conf /etc/nginx/conf.d/ | ||
+ | |||
+ | |||
+ | |||
+ | 5) Restart nginx | ||
+ | |||
+ | service nginx restart |
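Review bot: step 3 copies the rules into /etc/httpd/modsecurity.d/ on an nginx host while step 4 copies 00_mod_security.conf into /etc/nginx/conf.d/. If the /etc/httpd path is intended, say so, otherwise readers will take it for a typo. In the same step, "cp rules/*" without -r skips the rules/conf directory, which only works because the two conf files are copied separately, and the archive name nginx-waf-201709121114.tar.gz is hard-coded with no source given. Step 5 restarts without a configuration test; suggest running "nginx -t" before "service nginx restart".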
Latest revision as of 16:55, 7 December 2021
== Does ASL work with Nginx? ==
Yes. Nginx is protected through the ASL T-WAF module.
Note: Do not use the embedded modsecurity module for nginx. The open-source modsecurity module for nginx, although advertised as "stable" by the modsecurity.org website, is very unstable and unreliable and should not be used at this time. Please see the GitHub issue tracker for details on bugs in the nginx modsecurity module:
https://github.com/SpiderLabs/ModSecurity/issues
Note: Libmodsecurity 3.0 for nginx is currently in an "Alpha" state, and is not feature complete.
== How to install the T-WAF ==
As root, run this command:
 yum install asl-waf-module
== How to configure the T-WAF for nginx ==
Step 1) Log into ASL.
Step 2) Click on the "Configuration" tab.
Step 3) Click on the "WAF" tab and select "WAF configuration".
Step 4) Click the "Add" button.
Step 5) Select "Local Web Server" from the "Add protection for" drop-down.
Step 6) Select the port that Nginx runs on. Normally this is port 80.
Optional Step 7) Check the SSL box if you want to protect the SSL service(s) provided by Nginx.
Enter the file system paths to your SSL certificate and SSL key in the "Path to SSL Certificate" and "Path to SSL Key file" boxes.
Step 8) Click Save
Note: Nginx does not support the WAF in embedded mode.
== NGINX with Libmodsecurity 3.x ==
Note: libmodsecurity 3.x does not have feature parity with modsecurity 2.x; it does not support all the features in modsecurity. Please see the modsecurity_rule_families document.
1) Install a supported version of nginx or nginx-plus
 # Atomic or ASL repo
 yum install nginx nginx-module-modsecurity
 # Nginx Plus Repo
 yum install nginx-plus-module-modsecurity
2) Enable modsecurity in /etc/nginx/nginx.conf
 load_module modules/ngx_http_modsecurity_module.so;
3) Extract the archive and copy the contents to the rule and config directories:
 tar xvf nginx-waf-201709121114.tar.gz
 mkdir -p /etc/httpd/modsecurity.d/
 cp rules/* /etc/httpd/modsecurity.d/
 cp rules/conf/tortix_waf.conf /etc/httpd/modsecurity.d/
4) Configure the rule classes to activate in 00_mod_security.conf, and copy it to nginx
 cp rules/conf/00_mod_security.conf /etc/nginx/conf.d/
5) Restart nginx
 service nginx restart
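A pre-restart check for steps 2 to 5 above, as an added example that is not part of the ASL documentation. The function names and the optional root-prefix argument are hypothetical; the paths and the load_module line are the ones given in the steps.

```shell
#!/bin/sh
# Added example (not from the ASL wiki): verify steps 2-4 before restarting nginx.
# The optional first argument is a hypothetical root prefix for checking a staging tree.

waf_preflight() {
    root="${1:-}"
    nginx_conf="$root/etc/nginx/nginx.conf"
    rules_dir="$root/etc/httpd/modsecurity.d"
    problems=0

    # Step 2: load_module must be present and not commented out.
    if ! grep -Eq '^[[:space:]]*load_module[[:space:]]+modules/ngx_http_modsecurity_module\.so;' \
            "$nginx_conf" 2>/dev/null; then
        echo "missing: load_module line in $nginx_conf"
        problems=$((problems + 1))
    fi

    # Steps 3 and 4: the files the page copies into place.
    for f in "$rules_dir/tortix_waf.conf" "$root/etc/nginx/conf.d/00_mod_security.conf"; do
        if [ ! -f "$f" ]; then
            echo "missing: $f"
            problems=$((problems + 1))
        fi
    done

    # Rule files that any local user can edit can be used to switch the WAF off.
    writable=$(find "$rules_dir" -type f -perm -0002 2>/dev/null || true)
    if [ -n "$writable" ]; then
        echo "world-writable: $writable"
        problems=$((problems + 1))
    fi

    [ "$problems" -eq 0 ]
}

# Step 5, guarded: restart only if the files are in place and nginx accepts the config.
restart_nginx_checked() {
    waf_preflight && nginx -t && service nginx restart
}
```

Running `nginx -t` first means a syntax error in the copied WAF configuration is reported before the running server is stopped.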