ModSecurity Trustwave

ModSecurity for Nginx

ModSecurity for Nginx is a web server plug-in for the Nginx web server platform. This module was created through a collaboration between Trustwave SpiderLabs Research, Microsoft Security Research Center (MSRC), Yandex and community members.

Development Status: STABLE

Downloading

You can download the ModSecurity source code (which includes the Nginx code) from GitHub here:

 

Compiling

The extensibility model of the nginx server does not include dynamically loaded modules, thus ModSecurity must be compiled with the source code of the main server. Since nginx is available on multiple Unix-based platforms (and also on Windows), for now the recommended way of obtaining ModSecurity for nginx is compilation in the designated environment.

The first step in obtaining an nginx server with the built-in ModSecurity module is building a standalone library that contains the full ModSecurity together with a set of intermediate APIs (this layer is a common base for the IIS version, the nginx version, and the server-less command-line version of ModSecurity). It is recommended to follow the general steps for preparing the ModSecurity build environment and then follow with two simple commands:

~/mod_security# ./configure --enable-standalone-module
~/mod_security# make
~/mod_security# make install (it will generate the NGINX config file)

Once the standalone library is built successfully, one can follow with building the nginx server, following the steps from the nginx build tutorial:

~/nginx-1.2.0# ./configure --add-module=../mod_security/nginx/modsecurity
~/nginx-1.2.0# make
~/nginx-1.2.0# make install

The last command installs the server on the local machine. This step can be customized, or omitted if the built binaries are packaged or moved to another server. After installation and server start, ModSecurity header lines should appear in nginx’s error.log file:

Configuring

The ModSecurity configuration file must be referenced in the nginx.conf file using the following directives, which are defined by nginx’s ModSecurity extension module:

location / {
    ModSecurityEnabled on;
    ModSecurityConfig modsecurity.conf;
    ModSecurityPass @backend;
}

location @backend {
    proxy_pass http://localhost:8011;
    proxy_read_timeout 180s;
}

Starting with ModSecurity 2.7.2 the ModSecurityPass option was removed. So the config file looks like:

location / {
    ModSecurityEnabled on;
    ModSecurityConfig modsecurity.conf;
    proxy_pass http://localhost:8011;
    proxy_read_timeout 180s;
}

This configures ModSecurity as an Nginx request handler. The updated request flow is now:
request -> modsecurity handler -> backend
You will need to modify the @backend definition to point to your correct back-end web application that Nginx is proxying to.
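
The following check is an added example, not part of the ModSecurity project or of the original page. It lints the location blocks of an nginx.conf for the directive change described above: a leftover ModSecurityPass on 2.7.2 or later, ModSecurityEnabled on without a ModSecurityConfig, and a proxied location that does not enable ModSecurity. Assumptions: the function name lint, the /api location and port 8012 are constructed for illustration, only flat location blocks are parsed (no include files or nested blocks), and the ModSecurity directives are assumed to be set per location rather than inherited from a higher level.

```python
import re

# Constructed sample configs mirroring the two layouts shown above.
OLD_STYLE = """
location / {
    ModSecurityEnabled on;
    ModSecurityConfig modsecurity.conf;
    ModSecurityPass @backend;
}
location @backend {
    proxy_pass http://localhost:8011;
}
"""
NEW_STYLE = """
location / {
    ModSecurityEnabled on;
    ModSecurityConfig modsecurity.conf;
    proxy_pass http://localhost:8011;
}
location /api {   # constructed: a second proxied location with no ModSecurity
    proxy_pass http://localhost:8012;
}
"""

LOCATION = re.compile(r"location\s+([^{]+?)\s*\{([^{}]*)\}")
DIRECTIVE = re.compile(r"^\s*(\w+)\s+([^;]*);", re.M)

def lint(conf, version=(2, 7, 2)):
    """Return (location, message) findings for flat location blocks."""
    conf = re.sub(r"#.*", "", conf)  # drop comments before parsing
    blocks = {n: dict(DIRECTIVE.findall(b)) for n, b in LOCATION.findall(conf)}
    # Locations named by ModSecurityPass are only reached through the handler.
    pass_targets = {d.get("ModSecurityPass") for d in blocks.values()}
    findings = []
    for name, d in blocks.items():
        enabled = d.get("ModSecurityEnabled", "").strip() == "on"
        if "ModSecurityPass" in d and version >= (2, 7, 2):
            findings.append((name, "ModSecurityPass was removed in 2.7.2"))
        if enabled and "ModSecurityConfig" not in d:
            findings.append((name, "ModSecurityEnabled on without ModSecurityConfig"))
        if "proxy_pass" in d and not enabled and name not in pass_targets:
            findings.append((name, "proxy_pass without ModSecurityEnabled on"))
    return findings

if __name__ == "__main__":
    for label, conf in (("old", OLD_STYLE), ("new", NEW_STYLE)):
        print(label, lint(conf))
```

Pass the ModSecurity version actually compiled into the server as the version tuple; with a pre-2.7.2 value the old-style layout is accepted.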