Saturday, February 1, 2014

NGINX HTTP(S) Reverse Proxy with ModSecurity Protection

I would like to welcome you to my new project: building a reverse proxy powered by Nginx software, with a ModSecurity web application firewall enabled module.
There are many articles on how to do this configuration on the Internet, but I couldn't find any which had a holistic approach, from a to z, giving you all the steps on how to perform the above installation.

Nginx is an open-source HTTP and reverse proxy server. ModSecurity, an open-source web application firewall, has released packages in order to work together with nginx. Taking advantage of this architecture, you can redirect all the requests to nginx, let them get parsed and sanitised by ModSecurity and as a consequence, have your websites protected.

Ingredients:

  • Debian Linux 7.3.0
  • ModSecurity source code
  • NGINX source code

First of all we need to fulfill some requirements before configuring ModSecurity to work with nginx.
  1. Install gcc:
    $> apt-get install gcc
  2. Install Apache apxs:
    $> apt-get install apache2-threaded-dev
  3. Install libxml2-dev:
    $> apt-get install libxml2-dev
  4. Install libcurl4-gnutls-dev:
    $> apt-get install libcurl4-gnutls-dev
  5. Install lua:
    $> apt-get install liblua5.1-dev

Then configure and build ModSecurity to be ready to get integrated in NGINX (following exactly the instructions as publish in ModSecurity website here):
Navigate to ModSecurity directory:
$> ./configure --enable-standalone-module
$> make
$> make install

Then we change to the directory where nginx source code is downloaded.
We configure NGINX to include ModSecurity and SSL support:
$> ./configure --add-module=../modsecurity-apache_2.7.7/nginx/modsecurity/ --with-http_ssl_module
$> make
$> make install

And the rest is pure configuration! Some references for your next steps are:
  • http://www.cyberciti.biz/tips/using-nginx-as-reverse-proxy.html
  • http://www.modsecurity.org/documentation/
  • http://eu.wiley.com/WileyCDA/WileyTitle/productCd-1118362187.html
  • https://www.feistyduck.com/books/modsecurity-handbook/gettingStarted.html
  • https://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project
Enjoy protecting your websites!

No comments:

Post a Comment