Hey dominykas
I made this step by step for Ubuntu Server 16.04.2 as if a fresh install. You can try it perhaps and let me know if it works. It is only my notes, so I can't 100% guarantee it, but if all of the steps work then at the end you should have a working Ubuntu NGINX WAF with ModSecurity 3. I make no claims that this is the correct way to do it and welcome any feedback from anyone.
sudo apt-get update
sudo apt-get upgrade
put the key from here https://nginx.org/keys/nginx_signing.key into the nginx_signing.key file like this
sudo nano nginx_signing.key
(ctrl+x enter)
sudo apt-key add nginx_signing.key
sudo nano /etc/apt/sources.list
deb http://nginx.org/packages/mainline/ubuntu/ xenial nginx
deb-src http://nginx.org/packages/mainline/ubuntu/ xenial nginx
sudo apt-get update
sudo apt-get install nginx
sudo apt-get install -y apt-utils autoconf automake build-essential git libcurl4-openssl-dev libgeoip-dev liblmdb-dev libpcre++-dev libtool libxml2-dev libyajl-dev pkgconf wget zlib1g-dev
git clone --depth 1 -b v3/master --single-branch https://github.com/SpiderLabs/ModSecurity
cd ModSecurity
git submodule init
git submodule update
./build.sh (errors here, ignore them)
./configure
make
sudo make install
git clone --depth 1 http://github.com/SpiderLabs/ModSecurity-nginx.git
nginx -v
(answer was: nginx version: nginx/1.13.8)
wget http://nginx.org/download/nginx-1.13.8.tar.gz
tar zxvf nginx-1.13.8.tar.gz
cd nginx-1.13.8
./configure --with-compat --add-dynamic-module=../ModSecurity-nginx
make modules
sudo cp objs/ngx_http_modsecurity_module.so /etc/nginx/modules
CONFIGURE the installation
sudo nano /etc/nginx/nginx.conf
load_module "modules/ngx_http_modsecurity_module.so";
sudo mkdir /etc/nginx/modsec
sudo wget -P /etc/nginx/modsec/ https://raw.githubusercontent.com/SpiderLabs/ModSecurity/master/modsecurity.conf-recommended
sudo mv /etc/nginx/modsec/modsecurity.conf-recommended /etc/nginx/modsec/modsecurity.conf
sudo sed -i 's/SecRuleEngine DetectionOnly/SecRuleEngine On/' /etc/nginx/modsec/modsecurity.conf
create a conf directory for the custom config
sudo mkdir /etc/nginx/conf
create the 3 conf files proxy.conf, ipfilter.conf, hard.conf
Web server Config:
sudo mkdir /var/www
sudo mkdir /var/www/www.example.com
sudo nano /var/www/www.example.com/index.html (create some test)
Create a sites-enabled and sites-available folder in /etc/nginx/
sudo mkdir sites-enabled
sudo mkdir sites-available
Put the actual site into sites-available then symlink it into the sites-enabled directory. To disable a site you can now just delete the symlink rather than the content
sudo ln -s /etc/nginx/sites-available/www.example.com /etc/nginx/sites-enabled/
add this in to the nginx.conf above the geo code
include /etc/nginx/sites-enabled/*;
include /etc/nginx/conf/proxy.conf;
create a main.conf in /etc/nginx/modsec/main.conf
include /etc/nginx/modsec/modsecurity.conf
# Basic test rule
SecRule ARGS:testparam "@contains test" "id:1234,deny,status:403"
in modsecurity.conf rem out the line
#SecRequestBodyInMemoryLimit 131072
OWASP rules
Download the following into /etc/nginx/modsec/
sudo git clone https://github.com/SpiderLabs/owasp-modsecurity-crs.git
sudo gunzip owasp-modsecurity-crs.git.gz
cp crs-setup.conf.example crs-setup.conf
sudo nano /etc/nginx/modsec/main.conf
Include /etc/nginx/modsec/.../crs-setup.conf
Include /etc/nginx/modsec/.../rules/*.conf
sudo systemctl restart nginx.service
To test ModSecurity from another device
http://nginxIP/index.html?testparam=test
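An added example, not part of the original post: a shell check of the files these steps edit, plus an interpretation of the final `testparam=test` probe. It assumes inspection is switched on with the ModSecurity-nginx connector's `modsecurity on;` and `modsecurity_rules_file` directives; the function names are hypothetical and the sample files are constructed.

```shell
#!/bin/sh
# Added example: offline checks for the config files this guide edits.

# Effective SecRuleEngine mode: the last uncommented directive in the file wins.
rule_engine_mode() {
    awk 'tolower($1) == "secruleengine" { m = $2 } END { if (m == "") m = "unset"; print m }' "$1"
}

# Report what an nginx config lacks for the WAF to inspect traffic.
# Prints one word per missing piece, or "ok" when everything is present.
nginx_waf_gaps() {
    gaps=""
    grep -Eq '^[[:space:]]*load_module[[:space:]]+"?modules/ngx_http_modsecurity_module\.so"?;' "$1" || gaps="$gaps load_module"
    grep -Eq '^[[:space:]]*modsecurity[[:space:]]+on;' "$1" || gaps="$gaps modsecurity_on"
    grep -Eq '^[[:space:]]*modsecurity_rules_file[[:space:]]+[^;]+;' "$1" || gaps="$gaps rules_file"
    echo "${gaps:- ok}" | sed 's/^ //'
}

# Interpret the live probe: status for ?testparam=test vs. a plain request.
waf_verdict() {
    case "$1:$2" in
        403:403) echo "blocking-everything" ;;  # something else denies all traffic
        403:*)   echo "enforcing" ;;            # test rule id:1234 fired
        *)       echo "not-enforcing" ;;        # DetectionOnly, or module not enabled
    esac
}

# Live probe against your own server (needs curl and network access).
probe_waf() {
    hit=$(curl -s -o /dev/null -w '%{http_code}' "http://$1/index.html?testparam=test")
    clean=$(curl -s -o /dev/null -w '%{http_code}' "http://$1/index.html")
    waf_verdict "$hit" "$clean"
}

# Constructed sample files (not taken from a real server).
demo_dir=$(mktemp -d)
printf '%s\n' '#SecRuleEngine On' 'SecRuleEngine DetectionOnly' > "$demo_dir/modsecurity.conf"
printf '%s\n' 'load_module "modules/ngx_http_modsecurity_module.so";' \
    'http { include /etc/nginx/sites-enabled/*; }' > "$demo_dir/nginx.conf"
echo "engine: $(rule_engine_mode "$demo_dir/modsecurity.conf")"
echo "gaps:   $(nginx_waf_gaps "$demo_dir/nginx.conf")"
```

On a real host, point the first two functions at `/etc/nginx/modsec/modsecurity.conf` and the nginx config that holds your server block, then run `probe_waf` with the server's address.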