
Securing Nginx with ModSecurity WAF

By Admin · Feb 25, 2026 · Updated Apr 23, 2026 · 141 views · 1 min read

What Is ModSecurity?

ModSecurity is an open-source Web Application Firewall (WAF) engine. Version 3 (libmodsecurity) is a library that inspects HTTP requests and, optionally, responses against its rule language; a small connector module plugs it into the web server. The engine ships with no detection rules of its own: it is the OWASP Core Rule Set (CRS), installed below, that lets it detect and block common attacks such as SQL injection, XSS and other OWASP Top 10 categories.

Install ModSecurity for Nginx

ModSecurity v3 is a library (libmodsecurity); Nginx talks to it through the separate ModSecurity-nginx connector, a dynamic module. nginx-extras does not include that connector. On Debian/Ubuntu releases that package it, install both from apt; otherwise build the connector from https://github.com/owasp-modsecurity/ModSecurity-nginx against the exact Nginx version you run (that build is what libmodsecurity-dev is for).

sudo apt install -y libmodsecurity3
sudo apt install -y libnginx-mod-http-modsecurity  # ModSecurity-nginx connector (not part of nginx-extras)

Download OWASP Core Rule Set

CRS supplies the detection rules. Check out a release tag rather than tracking the moving main branch, copy the example setup file (this is where the paranoia level and anomaly thresholds live), and copy the two exclusion files so the rules/*.conf Include picks them up; the BEFORE-CRS file is where your own exclusions go later.

cd /etc/nginx
sudo git clone https://github.com/coreruleset/coreruleset.git modsec-crs
cd modsec-crs
sudo git checkout "$(git tag --sort=-v:refname | head -1)"   # newest release tag instead of main
sudo cp crs-setup.conf.example crs-setup.conf
# Exclusion files ship as .example and are ignored by the rules/*.conf Include until copied
sudo cp rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf
sudo cp rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.example rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf

Configure ModSecurity

Create the directory and then /etc/nginx/modsecurity/modsecurity.conf. The safest starting point is the modsecurity.conf-recommended file shipped with the ModSecurity source (https://github.com/owasp-modsecurity/ModSecurity), which also sets the request-body processor rules, temporary directories and PCRE limits; the minimal version below keeps the settings that matter most. Start with SecRuleEngine DetectionOnly so CRS logs what it would have blocked without touching traffic, and switch to On once the audit log is clean for your application. Note that SecAuditEngine has to be set explicitly or no audit log is written, and the Include order matters: engine settings first, then crs-setup.conf, then the rules.

# DetectionOnly while tuning; change to On to start blocking
SecRuleEngine DetectionOnly
SecRequestBodyAccess On
SecRequestBodyLimit 13107200
SecRequestBodyNoFilesLimit 131072
SecResponseBodyAccess Off
# RelevantOnly: log transactions that matched a rule or returned an error status
SecAuditEngine RelevantOnly
SecAuditLogRelevantStatus "^(?:5|4(?!04))"
SecAuditLogParts ABIJDEFHZ
SecAuditLog /var/log/modsec_audit.log
SecAuditLogFormat JSON
Include /etc/nginx/modsec-crs/crs-setup.conf
Include /etc/nginx/modsec-crs/rules/*.conf

Enable in Nginx

The connector is a dynamic module, so it must be loaded at the top level of nginx.conf before its directives can be used (the Debian/Ubuntu package does this through /etc/nginx/modules-enabled/). modsecurity and modsecurity_rules_file are accepted in the http, server and location contexts, so the WAF can be enabled for one virtual host or path at a time.

# nginx.conf, top level (outside http {}); skip if the package already loads it
load_module modules/ngx_http_modsecurity_module.so;

server {
    modsecurity on;
    modsecurity_rules_file /etc/nginx/modsecurity/modsecurity.conf;
    ...
}

Test Configuration

The connector parses the rule files while Nginx reads its configuration, so nginx -t catches a syntax error in modsecurity.conf or a CRS file before the reload:

sudo nginx -t && sudo systemctl reload nginx

# Test with a known attack pattern; encode the spaces so curl sends a valid request line
curl -s -o /dev/null -w "%{http_code}\n" "http://your-site/?id=1%20OR%201%3D1"
# Prints 403 with SecRuleEngine On (CRS scores the SQLi match above its blocking threshold);
# with DetectionOnly it prints 200 and the match appears only in the audit log

Tuning False Positives

CRS will block some legitimate traffic, typically file uploads, JSON bodies and free-text fields. Work through the audit log one entry at a time: note the rule id, the request path and the variable named in the rule's data (ARGS:comment, for example), then write the narrowest exclusion that fits. Where the entry names the variable, prefer ctl:ruleRemoveTargetById=<id>;ARGS:<name>, which keeps the rule active for every other parameter; remove the whole rule for a path only when it fires on everything under it. Two details matter: a ctl: exclusion must be loaded before the rule it removes, so it belongs in rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf (or anywhere ahead of the CRS Include lines), and the id must be unique; ids 1-99999 are reserved for local rules.

# Disable a specific rule for a path (runtime exclusion, evaluated per request)
SecRule REQUEST_URI "@beginsWith /api/upload" \
    "id:1001,phase:1,pass,nolog,ctl:ruleRemoveById=920420"

Monitoring

The audit log is written by the Nginx worker process, so the file (or its directory) must be writable by the worker user, and with SecAuditLogFormat JSON each transaction is one JSON document; jq handles the stream directly.

# Follow blocked and flagged requests as they happen
sudo tail -f /var/log/modsec_audit.log | jq .

# Count matches per rule id (ruleId lives under transaction.messages[].details)
sudo jq -r '.transaction.messages[].details.ruleId' /var/log/modsec_audit.log | sort | uniq -c | sort -rn
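The two jobs above, reviewing the audit log for tuning and counting matches per rule, can be done offline with a short script. The following Python is an added example, not code from this article, ModSecurity or CRS: it parses a libmodsecurity JSON audit log as a stream of concatenated documents, counts matches per rule while dropping the 949/980 evaluation rules that appear on every block, and drafts the narrowest ctl: exclusion for each rule/variable pair seen under a path you declare trusted. The audit entries are constructed; the field names follow libmodsecurity's JSON output; the trusted path prefix and the starting rule id 1001 are assumptions.

```python
"""Summarise a libmodsecurity JSON audit log and draft CRS exclusions.

Added example for this article, not code from ModSecurity or CRS. Field names
(transaction.request.uri, .response.http_code, .messages[].details.ruleId and
.data) follow libmodsecurity's SecAuditLogFormat JSON; entries are constructed."""
import json
import re
from collections import Counter
from urllib.parse import urlsplit

# CRS ids starting 949 (anomaly evaluation) or 980 (correlation) appear on every
# block; they report the decision, not a detection, so they are not counted.
META_PREFIXES = ("949", "980")

# Most CRS detection rules log "Matched Data: <x> found within ARGS:<name>: <v>";
# the variable name is what a targeted exclusion needs.
TARGET_RE = re.compile(
    r"found within ((?:ARGS|ARGS_NAMES|REQUEST_COOKIES|REQUEST_HEADERS):[^:\s]+):")


def _entry(client, method, uri, code, hits):
    """One constructed audit entry in libmodsecurity's JSON shape."""
    return {"transaction": {
        "client_ip": client,
        "request": {"method": method, "uri": uri},
        "response": {"http_code": code},
        "messages": [{"message": m, "details": {"ruleId": rid, "data": data}}
                     for rid, m, data in hits]}}


BLOCK = ("949110", "Inbound Anomaly Score Exceeded", "")
SQLI = "SQL Injection Attack Detected via libinjection"
CTYPE = "Request content type is not allowed by policy"
SAMPLE_LOG = "".join(json.dumps(e) + "\n" for e in [   # constructed sample log
    _entry("203.0.113.5", "GET", "/?id=1%20OR%201%3D1", 403,
           [("942100", SQLI, "Matched Data: s&1 found within ARGS:id: 1 OR 1=1"), BLOCK]),
    _entry("198.51.100.7", "POST", "/api/upload", 403,
           [("920420", CTYPE, "application/octet-stream"), BLOCK]),
    _entry("198.51.100.8", "POST", "/api/upload", 403,
           [("920420", CTYPE, "application/octet-stream"), BLOCK]),
    _entry("198.51.100.9", "POST", "/comments", 403,
           [("942100", SQLI, "Matched Data: s&1 found within ARGS:comment: "
             "select the one you like"), BLOCK]),
    _entry("203.0.113.9", "GET", "/health", 200, []),
])


def parse_audit_log(text):
    """Return the transaction dicts from a stream of concatenated JSON documents.
    raw_decode walks the stream, so it does not matter whether libmodsecurity
    put a newline between entries."""
    decoder, pos, out = json.JSONDecoder(), 0, []
    while True:
        while pos < len(text) and text[pos].isspace():
            pos += 1
        if pos >= len(text):
            return out
        obj, pos = decoder.raw_decode(text, pos)
        out.append(obj["transaction"])


def detections(tx):
    """(ruleId, target-or-None) for each real detection in one transaction."""
    pairs = []
    for msg in tx.get("messages", []):
        rid = str(msg["details"].get("ruleId", ""))
        if not rid or rid.startswith(META_PREFIXES):
            continue
        m = TARGET_RE.search(msg["details"].get("data") or "")
        pairs.append((rid, m.group(1) if m else None))
    return pairs


def rule_counts(txs):
    """How often each CRS rule matched across all transactions."""
    return Counter(rid for tx in txs for rid, _ in detections(tx))


def blocked(txs):
    """Transactions Nginx answered with 403, i.e. blocked with SecRuleEngine On."""
    return [tx for tx in txs if tx["response"]["http_code"] == 403]


def draft_exclusions(txs, path_prefix, first_id=1001):
    """Draft one ctl: exclusion per (rule, variable) seen under a path the operator
    has decided is trusted. ruleRemoveTargetById keeps the rule active for other
    variables; ruleRemoveById is used only when the data names no variable.
    Review the output, then load it ahead of the CRS rules (BEFORE-CRS file)."""
    seen = {pair for tx in txs
            if urlsplit(tx["request"]["uri"]).path.startswith(path_prefix)
            for pair in detections(tx)}
    lines = []
    for n, (rid, target) in enumerate(sorted(seen, key=lambda p: (p[0], p[1] or "")), first_id):
        action = (f"ctl:ruleRemoveTargetById={rid};{target}" if target
                  else f"ctl:ruleRemoveById={rid}")
        lines.append(f'SecRule REQUEST_URI "@beginsWith {path_prefix}" '
                     f'"id:{n},phase:1,pass,nolog,{action}"')
    return lines


if __name__ == "__main__":
    txs = parse_audit_log(SAMPLE_LOG)
    print(f"{len(blocked(txs))} of {len(txs)} transactions blocked")
    for rid, n in rule_counts(txs).most_common():
        print(f"{n:5d}  {rid}")
    print("\n".join(draft_exclusions(txs, "/comments")))
```

Run it against the real file with parse_audit_log(open("/var/log/modsec_audit.log").read()) and a path prefix you have already decided is benign; the script cannot tell a false positive from a real attack, it only makes the exclusion as narrow as the audit data allows.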
