|
From: Georgi G. <ge...@se...> - 2017-06-08 09:45:41
|
Hello, My task is to compile nginx with support for mod security. I tried both mod security and nginx-modsecurity-connector, but found some difficulties for which I searched in the issue tracker and google and would like to ask you for some help. I compiled libmodsecurity with the steps everybody other follows: OS: CentOS 6.8 Modsecurity version is 2.9.1 nginx version: 1.12 Is there any incompatibility as I found the following topic: https://serverfault.com/questions/772136/any-versions-of-modsecurity-that-works-with-recent-versions-of-nginx <https://serverfault.com/questions/772136/any-versions-of-modsecurity-that-works-with-recent-versions-of-nginx> 216 git clone https://github.com/SpiderLabs/ModSecurity <https://github.com/SpiderLabs/ModSecurity> 217 cd ModSecurity/ 218 git checkout -b origin/v3/master. #also tried without this branch 219 git submodule init 220 git submodule update 224 ./autogen.sh 225 ./configure 226 make 227 make install Note: Tried to compiled it also as a standalone module but the result is the same. Which is the right one? Then compiled nginx with --addmodule=/path/to/modsec source, but after nginx is compiled it does not find any mod security command. Here is an example from the error log: 2017/06/05 20:42:39 [emerg] 11011#0: unknown directive "SecStatusEngine" in /usr/local/nginx/conf/modsecurity.conf:2 2017/06/06 11:35:16 [emerg] 25759#0: ModSecurityConfig in /usr/local/nginx/conf/modsecurity.conf:3: Unknown command in config: ModSecurityConfig 2017/06/06 09:34:02 [emerg] 12296#0: unknown directive "SecStatusEngine" in /usr/local/nginx/conf/modsecurity.conf:2 So it does not find at all mod security although it's compiled. I had the following directory structure in /usr/local/modsecurity,but I wonder why there is not include folder? [root@activewaf-compile ModSecurity]# ll /usr/local/modsecurity/ total 8 drwxr-xr-x 2 root root 4096 Jun 6 10:26 bin drwxr-xr-x 2 root root 4096 Jun 6 10:26 lib Is it normal and should I export something to work properly? What is wrong in my steps? Here is the result that show nginx is compiled with mod security: [root@XXX]# /usr/local/nginx/sbin/nginx -V nginx version: nginx/1.12.0 built by gcc 4.8.2 20140120 (Red Hat 4.8.2-15) (GCC) built with OpenSSL 1.0.2g 1 Mar 2016 TLS SNI support enabled configure arguments: --prefix=/usr/local/nginx --error-log-path=/var/log/nginx/error.log --with-XXXXX --add-module=/usr/local/src/ModSecurity/nginx/modsecurity Also in nginx log after restarting nginx there are messages like this: 017/06/06 16:20:32 [notice] 7775#0: ModSecurity for nginx (STABLE)/2.9.0 (http://www.modsecurity.org/ <http://www.modsecurity.org/>) configured. 2017/06/06 16:20:32 [notice] 7775#0: ModSecurity: APR compiled version="1.3.9"; loaded version="1.3.9" 2017/06/06 16:20:32 [notice] 7775#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05" 2017/06/06 16:20:32 [notice] 7775#0: ModSecurity: LIBXML compiled version="2.7.6" 2017/06/06 16:20:32 [notice] 7775#0: ModSecurity: Status engine is currently disabled, enable it by set SecStatusEngine to On. In nginx.conf I have the following includes: include /usr/local/nginx/conf/modsecurity.conf; include /usr/local/nginx/conf/crs-setup.conf; include /usr/local/nginx/conf/rules/*.conf; Where exists the following configuration options and others: ModSecurityEnabled on; SecStatusEngine on; ModSecurityConfig /usr/local/nginx/conf/modsecurity.conf; SecRuleEngine On I use nginx as proxy pass in front of apache, so in nginx/conf.d dir I have a ip.conf file for every IP on the server. The idea is after building configuration to bundle it in rpm, so I think that I should transfer /usr/local/modsecurity too (but I didn't receive an answer why include dir there is missing and if I should do some exports). Thank you in advance! |
