Date: Tue, 22 Jan 2019 19:59:09 -0500 From: Matt Garber <matt.garber@gmail.com> To: SoftwareInforJam <softwareinforjam@gmail.com> Cc: "freebsd-stable@freebsd.org" <freebsd-stable@freebsd.org> Subject: Re: Issue with mod_security3 Message-ID: <D12B442B-2C78-437C-AB60-C4850A019E29@gmail.com> In-Reply-To: <5c47b2c0.1c69fb81.ba7c2.95f3@mx.google.com> References: <5c4744cd.1c69fb81.7b84f.5450@mx.google.com> <20190122185438.GC85865@v1.leiden.byshenk.net> <5c476baa.1c69fb81.58970.0af8@mx.google.com> <5c47b2c0.1c69fb81.ba7c2.95f3@mx.google.com>
next in thread | previous in thread | raw e-mail | index | archive | help
> On Jan 22, 2019, at 7:18 PM, SoftwareInforJam = <softwareinforjam@gmail.com> wrote: >=20 > Well I am making some progress I guess. Now modsecurity is installed = and not orphaned. My challenge now is that I have been reading several = documents and all of them say I need to add the following to nginx.conf >=20 > load_module modules/ngx_http_modsecurity.so; >=20 > My challenge now is I can=E2=80=99t seem to find this module anywhere. = I am not sure what to do now. Isn=E2=80=99t this module needed for this = to work? >=20 > root@proxy:/usr/local/etc/nginx # find / -name "ngx_http_modsecurity*" > = /usr/ports/www/nginx/work/nginx-1.14.2/objs/addon/src/ngx_http_modsecurity= _body_filter.o > = /usr/ports/www/nginx/work/nginx-1.14.2/objs/addon/src/ngx_http_modsecurity= _rewrite.o > = /usr/ports/www/nginx/work/nginx-1.14.2/objs/addon/src/ngx_http_modsecurity= _log.o > = /usr/ports/www/nginx/work/nginx-1.14.2/objs/addon/src/ngx_http_modsecurity= _pre_access.o > = /usr/ports/www/nginx/work/nginx-1.14.2/objs/addon/src/ngx_http_modsecurity= _header_filter.o > = /usr/ports/www/nginx/work/nginx-1.14.2/objs/addon/src/ngx_http_modsecurity= _module.o > = /usr/ports/www/nginx/work/ModSecurity-nginx-71ede63/src/ngx_http_modsecuri= ty_body_filter.c > = /usr/ports/www/nginx/work/ModSecurity-nginx-71ede63/src/ngx_http_modsecuri= ty_common.h > = /usr/ports/www/nginx/work/ModSecurity-nginx-71ede63/src/ngx_http_modsecuri= ty_header_filter.c > = /usr/ports/www/nginx/work/ModSecurity-nginx-71ede63/src/ngx_http_modsecuri= ty_log.c > = /usr/ports/www/nginx/work/ModSecurity-nginx-71ede63/src/ngx_http_modsecuri= ty_module.c > = /usr/ports/www/nginx/work/ModSecurity-nginx-71ede63/src/ngx_http_modsecuri= ty_pre_access.c > = /usr/ports/www/nginx/work/ModSecurity-nginx-71ede63/src/ngx_http_modsecuri= ty_rewrite.c Here are the steps I just followed successfully in a test jail =E2=80=93 = a mix of packages (modsecurity3) and the source for nginx and the = ModSecurity3-nginx connector; the =E2=80=98modsecurity3=E2=80=99 package = installs the shared library (e.g., = /usr/local/lib/libmodsecurity.so.3.0.3), but doesn=E2=80=99t install the = nginx connector. If the nginx port doesn=E2=80=99t have a make option = for the connector, you might have to either hack the port or just = compile from source like I did: ----- Very simplified, single jail ----- 1. Install the modsecurity3 library package and git for cloning the = ModSecurity-nginx repo: # pkg install modsecurity3 git 2. Grab the latest nginx source and ModSecurity-nginx repo: $ fetch 'http://nginx.org/download/nginx-1.14.2.tar.gz' $ tar -zxvf nginx-1.14.2.tar.gz $ git clone --depth 1 = https://github.com/SpiderLabs/ModSecurity-nginx.git $ cd nginx-1.14.2 3. Compile nginx, adding support for the ModSecurity3-nginx connector as = a dynamic module. I=E2=80=99ve also added a variety of other = FreeBSD-specific configuration directives and/or compilation/linking = hardening used by nginx upstream in their Linux repositories: $ ./configure --with-compat --add-dynamic-module=3D../ModSecurity-nginx = --prefix=3D/usr/local/etc/nginx --with-cc-opt=3D'-g -O2 = -fstack-protector-strong -Wformat -Werror=3Dformat-security -fPIC = -Wdate-time -D_FORTIFY_SOURCE=3D2 -I /usr/local/include' = --with-ld-opt=3D'-Wl,-Bsymbolic-functions -Wl,-z,relro -Wl,-z,now -fPIC = -L /usr/local/lib' --conf-path=3D/usr/local/etc/nginx/nginx.conf = --sbin-path=3D/usr/local/sbin/nginx --pid-path=3D/var/run/nginx.pid = --error-log-path=3D/var/log/nginx/error.log --user=3Dwww --group=3Dwww = --modules-path=3D/usr/local/libexec/nginx --with-file-aio --with-threads = --without-mail_imap_module --without-mail_pop3_module = --without-mail_smtp_module --with-mail_ssl_module = --http-client-body-temp-path=3D/var/tmp/nginx/client_body_temp = --http-fastcgi-temp-path=3D/var/tmp/nginx/fastcgi_temp = --http-proxy-temp-path=3D/var/tmp/nginx/proxy_temp = --http-scgi-temp-path=3D/var/tmp/nginx/scgi_temp = --http-uwsgi-temp-path=3D/var/tmp/nginx/uwsgi_temp = --http-log-path=3D/var/log/nginx/access.log --with-http_addition_module = --with-http_auth_request_module --with-http_flv_module = --with-http_gunzip_module --with-http_gzip_static_module = --with-http_random_index_module --with-http_realip_module --with-pcre = --with-http_secure_link_module --with-http_slice_module = --with-http_ssl_module --with-http_stub_status_module = --with-http_sub_module --with-http_v2_module --with-stream_ssl_module = --with-mail=3Ddynamic --with-stream=3Ddynamic $ make $ sudo make install 4. The above step should have created ngx_http_modsecurity_module.so = under the nginx source directory, and installed it into = /usr/local/libexec/nginx, at which point the load_module directive in = the nginx configuration should work fine, and you can move on to ruleset = configuration. FYI, all of the above just follows the ~second half of = <https://www.nginx.com/blog/compiling-and-installing-modsecurity-for-open-= source-nginx/>, after taking care of the prerequisites with FreeBSD = packages instead. Like I said, you could probably relatively easily hack = the nginx port to add in the integration of ModSecurity3-nginx if you = care about that more than keeping up-to-date with nginx source = separately, but then you=E2=80=99d have to avoid overwriting the port = =E2=80=93 YMMV. Thanks, =E2=80=94 Matt Garber
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?D12B442B-2C78-437C-AB60-C4850A019E29>