How to Install ModSecurity 3 with Nginx on Ubuntu 22.04: A Complete Guide
In today’s digital landscape, securing your web applications is not just an option—it’s a necessity. Threats like SQL injection, cross-site scripting (XSS), and remote code execution are constant risks. A powerful way to defend your server is by implementing a Web Application Firewall (WAF), and one of the most respected open-source solutions is ModSecurity.
This guide will walk you through the complete process of installing and configuring ModSecurity 3 with Nginx on an Ubuntu 22.04 server. By following these steps, you will add a critical layer of defense to your web infrastructure, proactively blocking a wide range of malicious attacks.
Prerequisites
Before we begin, ensure you have the following:
- An Ubuntu 22.04 server.
- Root or
sudoprivileges. - Nginx already installed and running on your server.
Step 1: Install Required Dependencies
The first step is to prepare your system by installing the tools and libraries needed to compile ModSecurity and its Nginx connector from source.
Open your terminal and run the following command to update your package list and install all necessary dependencies:
sudo apt update
sudo apt install -y git build-essential libpcre3 libpcre3-dev libssl-dev libtool autoconf apache2-dev libxml2-dev libcurl4-openssl-dev pkg-config
Step 2: Compile and Install libmodsecurity3
ModSecurity 3 is split into a core library (libmodsecurity3) and connectors for different web servers. We’ll start by compiling the main library.
1. Clone the Repository
First, navigate to a suitable directory (like /usr/local/src/) and clone the official ModSecurity 3 repository from GitHub.
cd /usr/local/src/
sudo git clone --depth 1 -b v3.0.8 https://github.com/SpiderLabs/ModSecurity
2. Compile the Source Code
Now, move into the cloned directory and run the build scripts. This process will compile and install the library onto your system.
cd ModSecurity
sudo ./build.sh
sudo ./configure
sudo make
sudo make install
This sequence of commands prepares the build environment, configures the package, compiles the code, and finally installs the library files into their appropriate system directories.
Step 3: Compile the ModSecurity Nginx Connector
With the core library installed, you now need the “connector”—a dynamic module that allows Nginx to communicate with ModSecurity.
1. Clone the Connector Repository
Return to your source directory and clone the ModSecurity Nginx connector repository.
cd /usr/local/src/
sudo git clone --depth 1 https://github.com/SpiderLabs/ModSecurity-nginx.git
2. Prepare the Nginx Source for Module Compilation
To compile a dynamic module, you need the source code that matches your installed version of Nginx. You can easily find your Nginx version with this command:
nginx -v
Note the version number (e.g., 1.18.0). Now, download the corresponding source code from the official Nginx website. Remember to replace 1.18.0 with your specific version.
cd /usr/local/src/
sudo wget http://nginx.org/download/nginx-1.18.0.tar.gz
sudo tar -xvzf nginx-1.18.0.tar.gz
3. Compile the Dynamic Module
Navigate into the Nginx source directory and use the ./configure command to prepare the build, pointing it to the ModSecurity connector source.
cd nginx-1.18.0/
sudo ./configure --with-compat --add-dynamic-module=/usr/local/src/ModSecurity-nginx
After the configuration is complete, compile the modules. We only need to build the modules, not the entire Nginx package again.
sudo make modules
Step 4: Configure Nginx to Load the Module
The compilation process will create the module file. Now you need to copy it to the Nginx modules directory and tell Nginx to load it.
1. Copy the Module File
The compiled module is located in the objs directory. Copy it to /usr/share/nginx/modules/.
sudo cp objs/ngx_http_modsecurity_module.so /usr/share/nginx/modules/
2. Load the Module in Nginx
Edit the main Nginx configuration file, /etc/nginx/nginx.conf, and add the following line at the very top, before the http block.
load_module modules/ngx_http_modsecurity_module.so;
Your nginx.conf file should now start like this:
load_module modules/ngx_http_modsecurity_module.so;
user www-data;
worker_processes auto;
pid /run/nginx.pid;
...
Step 5: Set Up ModSecurity Rules (OWASP CRS)
A WAF is only as good as its rules. The industry standard is the OWASP Core Rule Set (CRS), which provides comprehensive protection against a wide array of attacks.
1. Download the OWASP CRS
Clone the OWASP CRS repository into a new directory within /etc/nginx/.
sudo git clone https://github.com/core-rule-set/coreruleset.git /etc/nginx/modsec/
2. Configure ModSecurity
Create a main configuration file for ModSecurity and copy the recommended settings from the template provided.
sudo cp /usr/local/src/ModSecurity/modsecurity.conf-recommended /etc/nginx/modsec/modsecurity.conf
Next, open this new file (/etc/nginx/modsec/modsecurity.conf) with a text editor and change the SecRuleEngine directive from DetectionOnly to On.
- DetectionOnly: Logs malicious requests but does not block them. Useful for initial testing.
- On: Actively blocks detected threats.
For a production environment, you should change it to:
SecRuleEngine On
Finally, copy the CRS setup template to create your active rules configuration file.
sudo cp /etc/nginx/modsec/crs-setup.conf.example /etc/nginx/modsec/crs-setup.conf
Step 6: Enable and Test Your WAF
The final step is to enable ModSecurity in your Nginx server block (your site’s configuration file) and test that it’s working correctly.
1. Enable ModSecurity in Your Server Block
Edit your site’s Nginx configuration file, typically located in /etc/nginx/sites-available/. Inside the server block, add the following lines:
server {
# ... your other server directives like listen, server_name, etc.
modsecurity on;
modsecurity_rules_file /etc/nginx/modsec/main.conf;
# ... location blocks, etc.
}
Now, create the /etc/nginx/modsec/main.conf file and add the following content to it. This tells ModSecurity where to find its configuration and the OWASP rules.
# /etc/nginx/modsec/main.conf
Include /etc/nginx/modsec/modsecurity.conf
Include /etc/nginx/modsec/crs-setup.conf
Include /etc/nginx/modsec/rules/*.conf
2. Test and Restart Nginx
First, check your Nginx configuration for syntax errors:
sudo nginx -t
If the test is successful, restart Nginx to apply all the changes:
sudo systemctl restart nginx
3. Verify the WAF is Working
To confirm ModSecurity is actively blocking threats, send a malicious-looking request to your server using curl. Replace your_domain_or_ip with your server’s actual domain or IP address.
curl -I "http://your_domain_or_ip/?exec=/bin/bash"
If ModSecurity is working correctly, you should receive a 403 Forbidden response. If you get a 200 OK, the WAF is not active, and you should review your configuration files for errors.
Security Best Practices and Maintenance
- Tune Your Rules: In a production environment, you may encounter “false positives” where legitimate traffic is blocked. Start with
SecRuleEngine DetectionOnlyand monitor your Nginx error logs (/var/log/nginx/error.log) to identify and whitelist rules that are too aggressive for your application. - Keep Rules Updated: The threat landscape is always evolving. Periodically update the OWASP Core Rule Set by running
git pullin the/etc/nginx/modsec/directory. - Monitor Logs: Regularly check your error logs for ModSecurity alerts. This provides valuable insight into the types of attacks being targeted at your server.
By successfully installing ModSecurity 3 and the OWASP Core Rule Set, you have significantly hardened your Nginx server against common web application vulnerabilities, providing a robust and essential layer of security for your online assets.
Source: https://kifarunix.com/install-modsecurity-3-with-nginx-on-ubuntu/
