I assume you already have NGINX installed, so here we add ModSecurity as a dynamic module.
Note: This installation requires NGINX v1.11.5 or later.
Installation Overview
- ModSecurity v3.0.2 (https://github.com/SpiderLabs/ModSecurity)
- NGINX 1.1xx (http://nginx.org/download/nginx-${VERSION}.tar.gz)
- ModSecurity Nginx (https://github.com/SpiderLabs/ModSecurity-nginx)
- GeoIP2 (https://github.com/leev/ngx_http_geoip2_module)
- libmaxminddb (https://github.com/maxmind/libmaxminddb)
Installation
Please make sure you have installed the following libraries.
$ yum install gcc-c++ flex bison bison-devel yajl yajl-devel curl curl-devel GeoIP-devel doxygen zlib-devel
Install libmaxminddb, as ModSecurity v3 requires it.
$ cd /opt/; git clone https://github.com/maxmind/libmaxminddb; cd libmaxminddb
$ ./configure
$ make
$ make check
$ sudo make install
Once you have installed the required libs, execute the below commands.
$ cd /opt; git clone https://github.com/SpiderLabs/ModSecurity; cd ModSecurity
$ git checkout -b v3/master origin/v3/master
$ sh build.sh
$ git submodule init
$ git submodule update
$ ./configure
$ make
$ make install
Next, fetch the GeoIP2 module, because GeoIP will soon be deprecated. Download it from the link given above or clone it as below.
$ cd /opt/ModSecurity; git clone https://github.com/leev/ngx_http_geoip2_module.git
Download the NGINX source. It should be the same version as the one already installed on your system, which you can check by executing the command below.
Note: Please replace ${VERSION} with your (installed) version of NGINX.
$ nginx -v
$ wget http://nginx.org/download/nginx-${VERSION}.tar.gz
$ tar -xzvf nginx-${VERSION}.tar.gz
$ cd nginx-${VERSION}
$ ./configure --add-dynamic-module=../ngx_http_geoip2_module --with-compat
$ make modules
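The two version constraints above (NGINX 1.11.5 or later, and a source tree that matches the installed binary) can be checked before building. This is an added example, not part of the original post; the function names are hypothetical and the sample banner is constructed.

```shell
#!/bin/sh
# Added example (not from the original post): pre-flight checks to run before
# downloading the NGINX source. Function names are hypothetical.

MIN_VERSION="1.11.5"   # minimum NGINX version given in the note above

# Extract X.Y.Z from the `nginx -v` banner, e.g. "nginx version: nginx/1.14.0".
nginx_version_from_banner() {
    printf '%s\n' "$1" |
        sed -n 's|^nginx version: nginx/\([0-9][0-9.]*\).*|\1|p'
}

# Succeed if dotted version $1 >= $2. Components are compared as integers,
# so 1.9.15 is correctly older than 1.11.5 (a string compare gets this wrong).
version_ge() {
    va=$1 vb=$2
    while [ -n "$va" ] || [ -n "$vb" ]; do
        x=${va%%.*} y=${vb%%.*}
        [ "${x:-0}" -gt "${y:-0}" ] && return 0
        [ "${x:-0}" -lt "${y:-0}" ] && return 1
        case $va in *.*) va=${va#*.} ;; *) va= ;; esac
        case $vb in *.*) vb=${vb#*.} ;; *) vb= ;; esac
    done
    return 0
}

# preflight BANNER SOURCE_VERSION: print the tarball URL if the build can go ahead.
# Returns 2 (banner not parsed), 3 (NGINX too old), 4 (source != installed).
preflight() {
    installed=$(nginx_version_from_banner "$1")
    if [ -z "$installed" ]; then
        echo "could not parse NGINX version from: $1" >&2; return 2
    fi
    if ! version_ge "$installed" "$MIN_VERSION"; then
        echo "NGINX $installed is older than $MIN_VERSION" >&2; return 3
    fi
    if [ "$installed" != "$2" ]; then
        echo "source tree $2 does not match installed NGINX $installed" >&2; return 4
    fi
    echo "http://nginx.org/download/nginx-${installed}.tar.gz"
}

# Constructed sample banner. On a real host: preflight "$(nginx -v 2>&1)" "$VERSION"
SAMPLE_BANNER="nginx version: nginx/1.14.0"
preflight "$SAMPLE_BANNER" "1.14.0"
```

`nginx -v` writes its banner to stderr, which is why the real-host call redirects `2>&1`.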
Similarly, create the module for ModSecurity nginx.
$ cd /opt/ModSecurity
$ git clone https://github.com/SpiderLabs/ModSecurity-nginx
$ cd /opt/ModSecurity/nginx-${VERSION} #NGINX DIRECTORY
$ ./configure --add-dynamic-module=../ModSecurity-nginx --with-compat
$ make modules
By now, you have successfully created the *.so modules; copy them to /etc/nginx/modules/.
$ cd /opt/ModSecurity/nginx-${VERSION}/objs
$ cp ngx_http_geoip2_module.so /etc/nginx/modules/
$ cp ngx_http_modsecurity_module.so /etc/nginx/modules/
Load these modules in your nginx.conf
$ vi /etc/nginx/nginx.conf
and enter:
load_module modules/ngx_http_modsecurity_module.so;
load_module modules/ngx_http_geoip2_module.so;
In the server section of your nginx.conf, add the following.
server {
    ....
    modsecurity on;
    modsecurity_rules_file /etc/nginx/modsec/main.conf; # Your modsec config file
}
Lastly, reload nginx and enjoy!
$ nginx -s reload
If you encounter any errors, feel free to ask.