OpenEuler2203编译安装Nginx1.24+ModSecurity(3.0.x)配置OWASP规则

TIPS：服务器操作系统最小安装，已选环境的附加软件选择包括“开发工具”、“传统UNIX兼容性”、“安全性工具”、“系统工具”，避免一些
一、安装依赖

yum -y install curl-devel curl GeoIP-devel zlib-devel pcre-devel pcre2-devel libxml2-devel openssl-devel
yum -y install lua-devel yajl-devel lmdb-devel doxygen

二、下载资源
1.下载nginx

• 2024/10/21最新稳定版为26.2：http://nginx.org/en/download.html
  2.下载Modsecurity
• 途径一，国内中文网站下载稳定版本地址http://www.modsecurity.cn/
• 途径二，github上下载最新版本https://github.com/owasp-modsecurity/ModSecurity/releases/modsecurity-v3.0.x.tar.gz
  3.下载ModSecurity-nginx模块
  github上下载最新版本https://github.com/owasp-modsecurity/ModSecurity-nginx/releases/modsecurity-nginx-v1.0.x.tar.gz
  4.下载OWASP规则
• 途径一，国内中文网站下载http://www.modsecurity.cn/
• 途径二，github下载最新版本https://github.com/coreruleset/coreruleset/releases/coreruleset-4.x.0-minimal.tar.gz

三、安装Modsecurity

tar zxf modsecurity-v3.0.x.tar.gz
cd modsecurity-v3.0.x
sh build.sh
./configure
make -j4
make install

四、安装ModSecurity-nginx模块

tar zxf modsecurity-nginx-v1.0.x.tar.gz

五、编译nginx增加ModSecurity-nginx模块

tar zxf nginx-1.xy.x,tar,gz
cd nginx-1.xy.x
./configure --prefix=/app/nginx  --user=eastray --group=eastray --with-compat --with-file-aio --with-threads --with-http_addition_module \
--with-http_auth_request_module --with-http_dav_module --with-http_flv_module --with-http_gunzip_module --with-http_gzip_static_module \
--with-http_mp4_module --with-http_random_index_module --with-http_realip_module --with-http_secure_link_module --with-http_slice_module \
--with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --with-http_v2_module --with-mail --with-mail_ssl_module \
--with-stream --with-stream_realip_module --with-stream_ssl_module --with-stream_ssl_preread_module \
--with-cc-opt='-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic -fPIC' \
--with-ld-opt='-Wl,-z,relro -Wl,-z,now -pie' \
--add-module=../modsecurity-nginx-v1.0.x
make -j$(proc)
make install

六、配置加载规则
1.创建存放modsecurity配置的目录

mkdir -pv /usr/local/nginx/conf/modsecurity/crs

2.modsecurity配置

# 进入modsecurity源码目录
cd modsecurity-v3.0.x
cp modsecurity.conf-recommended /usr/local/nginx/conf/modsecurity/modsecurity.conf
cp unicode.mapping /usr/local/nginx/conf/modsecurity/unicode.mapping

3.owasp规则配置

tar zxf coreruleset-4.x.0-minimal.tar.gz -C /usr/local/nginx/conf/modsecurity/crs
cd /usr/local/nginx/conf/modsecurity/crs
cp crs-setup.conf.example crs-setup.conf
cd rules
cp REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf
cp RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.example RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf
cd /usr/local/nginx/conf/modsecurity
sed -i  "/SecRuleEngine/ s/DetectionOnly/On/g" modsecurity.conf-recommended
echo "Include /app/nginx/conf/modsecurity/crs/crs-setup.conf" >> modsecurity.conf
echo "Include /app/nginx/conf/modsecurity/crs/rules/*.conf" >> modsecurity.conf

4.nginx配置启用modsecurity

# http或server节点中添加以下内容（在http节点添加表示全局配置，在server节点添加表示为指定网站配置）
modsecurity on;
modsecurity_rules_file /usr/local/nginx/conf/modsecurity/modsecurity.conf;

5.启动或重载nginx配置

/app/nginx/sbin/nginx
/app/nginx/sbin/nginx -s reload

七、验证是否生效
浏览器访问如下非法地址
http://服务器ip:端口/?foo=/etc/passwd&bar=/bin/sh
http://服务器ip:端口/?param=">