CentOS 7 安裝 NGINX ModSecurity WAF 筆記

 [root@centos7 yum.repos.d]# vi epel.repo 

[epel]

name=Extra Packages for Enterprise Linux 7 - $basearch

#baseurl=http://download.fedoraproject.org/pub/epel/7/$basearch

metalink=https://mirrors.fedoraproject.org/metalink?repo=epel-7&arch=$basearch

failovermethod=priority

enabled=1

gpgcheck=1

gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-7

[epel-debuginfo]

name=Extra Packages for Enterprise Linux 7 - $basearch - Debug

#baseurl=http://download.fedoraproject.org/pub/epel/7/$basearch/debug

metalink=https://mirrors.fedoraproject.org/metalink?repo=epel-debug-7&arch=$basearch

failovermethod=priority

enabled=0

gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-7

gpgcheck=1

[epel-source]

name=Extra Packages for Enterprise Linux 7 - $basearch - Source

#baseurl=http://download.fedoraproject.org/pub/epel/7/SRPMS

metalink=https://mirrors.fedoraproject.org/metalink?repo=epel-source-7&arch=$basearch

failovermethod=priority

enabled=0

gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-7

gpgcheck=1

====================================

[root@centos7 /]# vi /etc/yum.repos.d/nginx.repo 

[nginx-stable]

name=nginx stable repo

baseurl=http://nginx.org/packages/centos/$releasever/$basearch/

gpgcheck=1

enabled=1

gpgkey=https://nginx.org/keys/nginx_signing.key

module_hotfixes=true

[nginx-mainline]

name=nginx mainline repo

baseurl=http://nginx.org/packages/mainline/centos/$releasever/$basearch/

gpgcheck=1

enabled=0

gpgkey=https://nginx.org/keys/nginx_signing.key

module_hotfixes=true

======================================

[root@centos7 yum.repos.d]# vi remi.repo 

# Repository: http://rpms.remirepo.net/

# Blog:       http://blog.remirepo.net/

# Forum:      http://forum.remirepo.net/

[remi]

name=Remi's RPM repository for Enterprise Linux 7 - $basearch

#baseurl=http://rpms.remirepo.net/enterprise/7/remi/$basearch/

#mirrorlist=https://rpms.remirepo.net/enterprise/7/remi/httpsmirror

mirrorlist=http://cdn.remirepo.net/enterprise/7/remi/mirror

enabled=1

gpgcheck=1

gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-remi

[remi-php55]

name=Remi's PHP 5.5 RPM repository for Enterprise Linux 7 - $basearch

#baseurl=http://rpms.remirepo.net/enterprise/7/php55/$basearch/

#mirrorlist=https://rpms.remirepo.net/enterprise/7/php55/httpsmirror

mirrorlist=http://cdn.remirepo.net/enterprise/7/php55/mirror

# NOTICE: common dependencies are in "remi-safe"

enabled=1

gpgcheck=1

gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-remi

=================================

參考 URL

https://github.com/SpiderLabs/ModSecurity/

https://github.com/SpiderLabs/ModSecurity-nginx

https://github.com/SpiderLabs/owasp-modsecurity-crs

===================================

cd /opt

git clone https://github.com/SpiderLabs/ModSecurity

cd ModSecurity

git checkout -b v3/master origin/v3/master

sh build.sh

git submodule init

git submodule update

./configure

make

make install

cd ..

git clone https://github.com/SpiderLabs/ModSecurity-nginx.git modsecurity-nginx

wget https://nginx.org/download/nginx-1.22.0.tar.gz

tar -zvxf nginx-1.22.0.tar.gz 

cd nginx-1.22.0/

build a dynamic module

./configure --with-compat --add-dynamic-module=/opt/modsecurity-nginx

make modules

cd objs/

cp ngx_http_modsecurity_module.so /etc/nginx/modules/

cp /opt/ModSecurity/modsecurity.conf-recommended /etc/nginx/modsecurity.conf

在 /etc/nginx/nginx.conf 放入 load_module

load_module modules/ngx_http_modsecurity_module.so;

在 /etc/nginx/conf.d/default.conf(或其他 ) 的 server 內放 

    modsecurity on;

    modsecurity_rules_file /etc/nginx/modsecurity.conf;

===========================

cp /opt/ModSecurity/unicode.mapping /etc/nginx

sed -ie 's/SecRuleEngine DetectionOnly/SecRuleEngine On/g' /etc/nginx/modsecurity.conf

安裝 OWASP  rules

cd /opt

git clone https://github.com/SpiderLabs/owasp-modsecurity-crs.git

cd /opt/owasp-modsecurity-crs/rules

[root@centos7 rules]# pwd

/opt/owasp-modsecurity-crs/rules

cat *.conf > /etc/nginx/csr.conf

cp /opt/owasp-modsecurity-crs/crs-setup.conf.example /etc/nginx/crs-setup.conf

cd /etc/nginx 

cat modsecurity.conf crs-setup.conf csr.conf > rules.conf

 cp *.data  /etc/nginx/

======================

[root@centos7 conf.d]# cat /etc/nginx/nginx.conf 

user  nginx;

worker_processes  auto;

error_log  /var/log/nginx/error.log notice;

pid        /var/run/nginx.pid;

load_module modules/ngx_http_modsecurity_module.so;

events {

    worker_connections  1024;

}

http {

    include       /etc/nginx/mime.types;

    default_type  application/octet-stream;

    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '

                      '$status $body_bytes_sent "$http_referer" '

                      '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  /var/log/nginx/access.log  main;

    sendfile        on;

    #tcp_nopush     on;

    keepalive_timeout  65;

    #gzip  on;

    include /etc/nginx/conf.d/*.conf;

}

[root@centos7 conf.d]# 

===========================

[root@centos7 conf.d]# cat default.conf 

server {

    listen       80;

    server_name  localhost;

    modsecurity on;

    modsecurity_rules_file /etc/nginx/modsecurity.conf;

    # or  use OWASP  rules modsecurity_rules_file /etc/nginx/rules.conf;

    #access_log  /var/log/nginx/host.access.log  main;

    location / {

        root   /usr/share/nginx/html;

        index  index.html index.htm;

        #modsecurity_rules_file rules.conf;

    }

    #error_page  404              /404.html;

    # redirect server error pages to the static page /50x.html

    #

    error_page   500 502 503 504  /50x.html;

    location = /50x.html {

        root   /usr/share/nginx/html;

    }

    # proxy the PHP scripts to Apache listening on 127.0.0.1:80

    #

    #location ~ \.php$ {

    #    proxy_pass   http://127.0.0.1;

    #}

    # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000

    #

    location ~ \.php$ {

        root           /usr/share/nginx/html;

        fastcgi_pass   127.0.0.1:9000;

        fastcgi_index  index.php;

        #fastcgi_param  SCRIPT_FILENAME  /scripts$fastcgi_script_name;

fastcgi_param  SCRIPT_FILENAME $document_root$fastcgi_script_name;  

        include        fastcgi_params;

    }

    # deny access to .htaccess files, if Apache's document root

    # concurs with nginx's one

    #

    #location ~ /\.ht {

    #    deny  all;

    #}

}

[root@centos7 conf.d]# 

vi /etc/php.ini

; cgi.fix_pathinfo provides *real* PATH_INFO/PATH_TRANSLATED support for CGI.  PHP's

; http://php.net/cgi.fix-pathinfo

;cgi.fix_pathinfo=1

cgi.fix_pathinfo=0

vi /etc/php-fpm.d/www.conf 

; RPM: apache user chosen to provide access to the same directories as httpd

user = nginx

; RPM: Keep a group allowed to write in log dir.

group = nginx

vi /etc/nginx/conf.d/default.conf

    location ~ \.php$ {

        root           /usr/share/nginx/html;

        fastcgi_pass   127.0.0.1:9000;

        fastcgi_index  index.php;

        #fastcgi_param  SCRIPT_FILENAME  /scripts$fastcgi_script_name;

        fastcgi_param  SCRIPT_FILENAME $document_root$fastcgi_script_name;

        include        fastcgi_params;

    }