ModSecurity is an open-source Web Application Firewall (WAF) that protects web applications from SQL injection, XSS, file inclusion, and other OWASP Top 10 attacks. ModSecurity v3 (libmodsecurity) is the current version; paired with the ModSecurity-nginx connector it runs as a dynamic Nginx module. This guide covers deploying ModSecurity v3 with Nginx on your VPS.
Build and Install
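# Install build dependencies
sudo apt install -y build-essential git cmake libpcre3-dev zlib1g-dev \
  libssl-dev libxml2-dev libyajl-dev libgeoip-dev libcurl4-openssl-dev \
  liblmdb-dev libfuzzy-dev || exit 1

# Build libmodsecurity.
# Supply-chain note: a bare `--depth 1` clone builds whatever the default
# branch points at right now. Set MODSEC_REF to a release tag to get a
# reproducible, reviewable build (left unset, the original behaviour is kept).
cd /opt || exit 1
clone_args=(--depth 1)
if [[ -n "${MODSEC_REF:-}" ]]; then
  clone_args+=(--branch "$MODSEC_REF")
fi
git clone "${clone_args[@]}" https://github.com/owasp-modsecurity/ModSecurity.git || exit 1
cd ModSecurity || exit 1
git submodule init && git submodule update || exit 1
./build.sh && ./configure || exit 1
make -j"$(nproc)" || exit 1
sudo make install || exit 1
# The library is installed under /usr/local/lib; refresh the loader cache so
# the Nginx connector module can resolve libmodsecurity at load time.
sudo ldconfig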
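# Build Nginx connector module
cd /opt || exit 1
clone_args=(--depth 1)
if [[ -n "${MODSEC_NGINX_REF:-}" ]]; then
  # Optional: pin the connector to a release tag instead of the default branch.
  clone_args+=(--branch "$MODSEC_NGINX_REF")
fi
git clone "${clone_args[@]}" https://github.com/owasp-modsecurity/ModSecurity-nginx.git || exit 1

# Get Nginx source matching your installed version. A dynamic module only
# loads into the exact Nginx version (built with --with-compat) it was
# compiled against, so the version string must come from the local binary.
NGINX_VER=$(nginx -v 2>&1 | grep -oP '\d+\.\d+\.\d+') || exit 1
: "${NGINX_VER:?could not determine the installed Nginx version}"

# Fetch over HTTPS so the tarball cannot be altered in transit. The matching
# .asc signature is fetched alongside so the download can be checked with
# `gpg --verify` against the nginx signing key you trust.
wget "https://nginx.org/download/nginx-${NGINX_VER}.tar.gz" || exit 1
wget "https://nginx.org/download/nginx-${NGINX_VER}.tar.gz.asc" || exit 1
tar xzf "nginx-${NGINX_VER}.tar.gz" || exit 1
cd "nginx-${NGINX_VER}" || exit 1

# Build the dynamic module
./configure --with-compat --add-dynamic-module=/opt/ModSecurity-nginx || exit 1
make modules || exit 1
# The modules directory is not guaranteed to exist on every distribution.
sudo mkdir -p /etc/nginx/modules || exit 1
sudo cp objs/ngx_http_modsecurity_module.so /etc/nginx/modules/ || exit 1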
Configure ModSecurity
# Load module in Nginx
# /etc/nginx/nginx.conf (top of file)
# load_module belongs in the main context, before the events/http blocks.
# The relative path resolves against the Nginx prefix, which matches the
# /etc/nginx/modules/ copy destination used above. Run `nginx -t` before
# reloading so a missing or version-mismatched .so is caught early.
load_module modules/ngx_http_modsecurity_module.so;
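# Copy ModSecurity configuration
sudo mkdir -p /etc/nginx/modsecurity || exit 1
sudo cp /opt/ModSecurity/modsecurity.conf-recommended /etc/nginx/modsecurity/modsecurity.conf || exit 1
sudo cp /opt/ModSecurity/unicode.mapping /etc/nginx/modsecurity/ || exit 1

# Enable ModSecurity (change from DetectionOnly to On).
# The pattern is anchored to the start of the line so a commented-out copy
# of the directive is left untouched. Consider staying in DetectionOnly until
# the audit log has been reviewed against real traffic: once CRS is loaded,
# "On" blocks every rule hit, false positives included.
sudo sed -i 's/^SecRuleEngine DetectionOnly/SecRuleEngine On/' /etc/nginx/modsecurity/modsecurity.conf || exit 1

# Install OWASP Core Rule Set (CRS).
# /etc/nginx/modsecurity was created by root above, so the clone and the copy
# need sudo as well. CRS_REF optionally pins a release tag; a bare --depth 1
# clone otherwise follows whatever the default branch points at.
cd /etc/nginx/modsecurity || exit 1
clone_args=(--depth 1)
if [[ -n "${CRS_REF:-}" ]]; then
  clone_args+=(--branch "$CRS_REF")
fi
sudo git clone "${clone_args[@]}" https://github.com/coreruleset/coreruleset.git || exit 1
sudo cp coreruleset/crs-setup.conf.example coreruleset/crs-setup.conf || exit 1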
# Create main include file
cat > /etc/nginx/modsecurity/main.conf