Geekflare is supported by our audience. We may earn affiliate commissions from buying links on this site.
Share on:

How to Implement ModSecurity OWASP Core Rule Set in Nginx

nginx security
Invicti Web Application Security Scanner – the only solution that delivers automatic verification of vulnerabilities with Proof-Based Scanning™.

If you were securing Nginx with Mod Security, then you would like to have OWASP core rule set (CRS) activated to protect from following threats.

  • HTTP protocol violation protection
  • Common web attacks
  • Bots, crawlers, malicious activity protection
  • Trojan protection
  • Information leakage protection
  • Cross Site Scripting attacks
  • SQL injection attacks

Do you agree?

In my previous post, I explained how to install Nginx and Mod Security and as promised here is how you can configure them with OWASP CRS for better security.

ModSecurity is open source Web Application Firewall (WAF), and by default, it’s configured to detect only. That means you need to enable the necessary configuration (as following) to start protecting your websites.

Download ModSecurity CRS

  • Download latest CRS zip file from the following link and transferred to the server

https://github.com/SpiderLabs/owasp-modsecurity-crs/zipball/master

  • unzip the file
unzip SpiderLabs-owasp-modsecurity-crs-2.2.9-26-gf16e0b1.zip
  • Copy following to nginx conf folder
modsecurity_crs_10_setup.conf.example
base_rules

Configure Nginx to Integrate OWASP ModSecurity CRS

Since you have decided to use OWASP CRS, you need to merge the conf file included in SpiderLabs OWASP CRS, which you just copied (modsecurity_crs_10_setup.conf.example ) under nginx folder.

Nginx doesn’t support multiple ModSecurityConfig directives like Apache, so you need to put all rules conf together in a single file.

Let’s do it…

  • Add base_rules & modsecurity_crs_10_setup.conf.example to modsecurity.conf file
cat modsecurity_crs_10_setup.conf.example base_rules/*.conf >>/usr/local/nginx/conf/modsecurity.conf

You also need to copy all *.data file to nginx conf folder

cp base_rules/*.data /usr/local/nginx/conf/

Quick verification:

Ensure you have added ModSecurityEnabled and ModSecurityConfig directive in nginx.conf file under location. If not, add them like below.

location / {
ModSecurityEnabled on;
ModSecurityConfig modsecurity.conf;
}
  • Restart Nginx

By doing above all means, you have successfully integrated OWASP CRS in Mod Security on Nginx. It’s time to do the little essential tweaking.

Configuring OWASP Core Rule Set to Start Protecting

In this section, all modifications will be in modsecurity.conf file so remembers to take a backup.

First thing first

Enable Audit Logging

It’s essential to generate logs, so you know what’s being blocked. Add SecAuditLog directive if doesn’t exist.

SecAuditLog /usr/local/nginx/logs/modsec_audit.log

Restart Nginx, and you will see the log file generated

-rw-r----- 1 root root 0 May 22 07:54 /usr/local/nginx/logs/modsec_audit.log

Enable Security Rule Engine

Begin Mod Security protection by enabling rule engine as below

SecRuleEngine On

Enable Default Action as Deny

Configure default action as “block” for any request matching with the rules.

SecDefaultAction "phase:1,deny,log"

Above three configurations is essential and now ModSecurity is ready to execute the action and protect.

Here is one more configuration you may like.

Change Server Header Banner

Default Nginx configuration will expose server information with its version, which is highly recommended to mask it if you are working in a PCI-DSS environment.

You may also do this without Mod Security as explained here.

Default header:

nginx-default-header

You can do this quickly by adding a line.

SecServerSignature GeekFlare

And now it looks like:

nginx-modsecurity-header

I hope above instruction helps you in integrating OWASP Core Rule Set with Nginx web server for better protection.

Thanks to our Sponsors
More great readings on Nginx
Power Your Business
Some of the tools and services to help your business grow.
  • Invicti uses the Proof-Based Scanning™ to automatically verify the identified vulnerabilities and generate actionable results within just hours.
    Try Invicti
  • Web scraping, residential proxy, proxy manager, web unlocker, search engine crawler, and all you need to collect web data.
    Try Brightdata
  • Semrush is an all-in-one digital marketing solution with more than 50 tools in SEO, social media, and content marketing.
    Try Semrush
  • Intruder is an online vulnerability scanner that finds cyber security weaknesses in your infrastructure, to avoid costly data breaches.
    Try Intruder