Modsec WAF on Openresty & Ubuntu

Rohit Ranjan
Feb 17, 2020

When I had to set up a WAF on Openresty, I was in deep trouble, as Openresty was new to me. Existing installations are concerned with setting up a WAF on nginx/Apache and CentOS/Ubuntu respectively. In my case it was Nginx on Ubuntu. Since not much was available on the internet, I had to do the R&D on my own. Openresty has its own nginx, so all the work has to be done there. Setting up rules and compilation have to be done with the nginx of Openresty. I've listed the steps below, which would certainly help.

Prerequisites:

Ubuntu 18.04

Nginx/Openresty 1.15.8.2

  1. sudo su
  2. apt-get update
  3. apt-get install g++ flex bison curl doxygen libyajl-dev libgeoip-dev libtool dh-autoreconf libcurl4-gnutls-dev libxml2 libpcre++-dev libxml2-dev
  4. You can also try the command below for dependencies:

apt-get install \
  apache2-dev \
  autoconf \
  automake \
  build-essential \
  bzip2 \
  checkinstall \
  devscripts \
  flex \
  g++ \
  gcc \
  git \
  graphicsmagick-imagemagick-compat \
  graphicsmagick-libmagick-dev-compat \
  libaio-dev \
  libaio1 \
  libass-dev \
  libatomic-ops-dev \
  libavcodec-dev \
  libavdevice-dev \
  libavfilter-dev \
  libavformat-dev \
  libavutil-dev \
  libbz2-dev \
  libcdio-cdda1 \
  libcdio-paranoia1 \
  libcdio13 \
  libcurl4-openssl-dev \
  libfaac-dev \
  libfreetype6-dev \
  libgd-dev \
  libgeoip-dev \
  libgeoip1 \
  libgif-dev \
  libgpac-dev \
  libgsm1-dev \
  libjack-jackd2-dev \
  libjpeg-dev \
  libjpeg-progs \
  libjpeg8-dev \
  liblmdb-dev \
  libmp3lame-dev \
  libncurses5-dev \
  libopencore-amrnb-dev \
  libopencore-amrwb-dev \
  libpam0g-dev \
  libpcre3 \
  libpcre3-dev \
  libperl-dev \
  libpng12-dev \
  libpng12-0 \
  libreadline-dev \
  librtmp-dev \
  libsdl1.2-dev \
  libssl-dev \
  libssl1.0.0 \
  libswscale-dev \
  libtheora-dev \
  libtiff5-dev \
  libtool \
  libva-dev \
  libvdpau-dev \
  libvorbis-dev \
  libxml2-dev \
  libxslt-dev \
  libxslt1-dev \
  libxslt1.1 \
  libxvidcore-dev \
  libxvidcore4 \
  libyajl-dev \
  make \
  openssl \
  perl \
  pkg-config \
  tar \
  texi2html \
  unzip \
  zip \
  zlib1g-dev

5. cd /home/rohitranjan

6. git clone https://github.com/SpiderLabs/ModSecurity

7. cd ModSecurity/

8. git checkout -b v3/master origin/v3/master

Or,

git checkout v3/master

9. ./build.sh

10. git submodule init

11. git submodule update

12. ./configure

13. make

14. make install

15. cd ..

16. wget https://openresty.org/download/openresty-1.15.8.2.tar.gz

Note: Make sure to download the same version of Openresty as the one installed. You can check the version with the command nginx -V

17. git clone --depth 1 https://github.com/SpiderLabs/ModSecurity-nginx.git

18. tar xvf openresty-1.15.8.2.tar.gz

19. ls

Note: When you run the above command, there should be 4 files in the directory

Screenshot showing all files ready for deployment

20. cd openresty-1.15.8.2

21. ./configure --with-compat --add-dynamic-module=/home/rohitranjan/ModSecurity-nginx/

22. ln -s /usr/bin/make /usr/bin/gmake

23. gmake

24. gmake install

25. ln -s /usr/local/openresty/bin/openresty /usr/bin/openresty

26. cd /usr/local/openresty/nginx

27. mkdir modsec

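28. wget https://raw.githubusercontent.com/SpiderLabs/ModSecurity/v3/master/modsecurity.conf-recommended

29. mv modsecurity.conf-recommended modsec/modsecurity.conf

30. vi modsec/modsecurity.conf

Note: change SecRuleEngine DetectionOnly to SecRuleEngine On. The file has to sit in modsec/, because that is the path main.conf includes it from and the directory unicode.mapping is copied into in the next step.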

31. cp /home/rohitranjan/ModSecurity/unicode.mapping /usr/local/openresty/nginx/modsec

32. ln -s /usr/local/openresty/bin/openresty /usr/bin/openresty

33. cd /usr/local/openresty/nginx/conf

34. vi nginx.conf

35. Note: At the top of Openresty's nginx.conf, add the line below:

load_module /usr/local/openresty/nginx/modules/ngx_http_modsecurity_module.so;

36. Note: In the server block, add the lines below:

modsecurity on;

modsecurity_rules_file /usr/local/openresty/nginx/modsec/main.conf;

Setting up nginx.conf on openresty WAF

37. cd /usr/local/openresty/nginx/modsec/

38. vim main.conf

Note: Add your custom rules here or you can opt for OWASP CRS

Include "/usr/local/openresty/nginx/modsec/modsecurity.conf"

SecRule REQUEST_URI_RAW|REQUEST_BODY|REQUEST_HEADERS|!REQUEST_HEADERS:Referer "@contains /etc/passwd" "id:1240,msg:'Contact Support!!!',deny,status:403"

39. Note: Check that the whole configuration is correct with the command below; proceed only if you see OK

openresty -t

40. Now reload openresty for changes to take effect

openresty -s reload

41. Open a browser or an API client, insert /etc/passwd anywhere in the request, and you should get a 403.

42. You can check out OWASP CRS as well by downloading the ruleset.

git clone https://github.com/SpiderLabs/owasp-modsecurity-crs.git
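
A preflight check for the wiring built in steps 28 to 38, to run before openresty -t: it catches the failures that a syntax test does not explain well, such as modsecurity.conf sitting outside modsec/ or SecRuleEngine still set to DetectionOnly. This is an added example, not part of the original post or of the ModSecurity project; the function name modsec_preflight is hypothetical, it follows one level of Include with literal paths only, and it assumes a relative SecUnicodeMapFile is looked up beside the file that declares it.

```shell
# Added example: preflight for the ModSecurity wiring from steps 28-38.
# Usage: modsec_preflight [nginx_prefix]; returns the number of failed checks.
modsec_preflight() {
    prefix="${1:-/usr/local/openresty/nginx}"
    conf="$prefix/conf/nginx.conf"
    fails=0
    fail() { echo "FAIL: $*"; fails=$((fails + 1)); }
    # First argument of an uncommented directive, without quotes or ';'.
    arg() { sed -n "s/^[[:space:]]*$1[[:space:]]\{1,\}\"\{0,1\}\([^\";[:space:]]*\).*/\1/p" "$2"; }

    [ -r "$conf" ] || { echo "FAIL: cannot read $conf"; return 1; }

    # Step 35: the dynamic module is loaded and the .so exists.
    so=$(arg load_module "$conf" | grep 'ngx_http_modsecurity_module\.so$' | head -n 1)
    [ -n "$so" ] && [ -f "$so" ] || fail "ModSecurity load_module line or .so file missing"

    # Step 36: ModSecurity is switched on and the rules file is readable.
    [ "$(arg modsecurity "$conf" | head -n 1)" = "on" ] || fail "'modsecurity on;' not set"
    rules=$(arg modsecurity_rules_file "$conf" | head -n 1)
    [ -n "$rules" ] && [ -r "$rules" ] || { echo "FAIL: rules file unreadable: ${rules:-unset}"; return $((fails + 1)); }

    # Step 38: every Include target exists (one level, literal paths only).
    files="$rules"
    for inc in $(arg Include "$rules"); do
        if [ -r "$inc" ]; then files="$files $inc"; else fail "Include target missing: $inc"; fi
    done

    # Step 30: DetectionOnly logs but never blocks, so every active value must be On.
    modes=$(for f in $files; do arg SecRuleEngine "$f"; done | sort -u)
    [ "$modes" = "On" ] || fail "SecRuleEngine must be On, found:" ${modes:-none}

    # Step 31: a relative SecUnicodeMapFile is looked up beside the declaring file (assumption).
    for f in $files; do
        for m in $(arg SecUnicodeMapFile "$f"); do
            case "$m" in /*) p="$m" ;; *) p="$(dirname "$f")/$m" ;; esac
            [ -r "$p" ] || fail "unicode map missing: $p"
        done
    done

    [ "$fails" -eq 0 ] && echo "OK: ModSecurity wiring is consistent"
    return "$fails"
}
```

Source the file and call modsec_preflight with no argument to check /usr/local/openresty/nginx; each FAIL line names the step to revisit.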
