ModSecurity 3.0 nginx installation

Author: dalongrong | Source: published 2018-02-18 19:33, read 389 times

    Note:

    This uses ModSecurity 3.0, which is also the version nginx officially recommends, and loads it as an nginx dynamic module.

    1. Environment preparation

    https://github.com/SpiderLabs/ModSecurity

    https://github.com/SpiderLabs/ModSecurity-nginx

    https://nginx.org/download/nginx-1.13.8.tar.gz

    2. Build libmodsecurity

    a. Prerequisites (build dependencies)

    yum install -y pcre pcre-devel openssl openssl-devel libtool libtool-ltdl-devel gcc gcc-c++ gcc-g77 autoconf automake \
        geoip geoip-devel libcurl libcurl-devel yajl yajl-devel lmdb-devel ssdeep-devel lua-devel

    Note: there are quite a few; the actual install will tell you what is missing.

    b. Build

    git clone --depth 1 -b v3/master --single-branch https://github.com/SpiderLabs/ModSecurity

    cd ModSecurity

    git submodule init

    git submodule update

    ./build.sh

    ./configure

    make

    make install

    Note: the message "fatal: No names found, cannot describe anything." can be ignored (per the official documentation).

    c. Build the ModSecurity nginx dynamic module

    git clone --depth 1 https://github.com/SpiderLabs/ModSecurity-nginx.git

    wget https://nginx.org/download/nginx-1.13.8.tar.gz

    tar xvf nginx-1.13.8.tar.gz

    cd nginx-1.13.8

    ./configure --add-dynamic-module=../ModSecurity-nginx

    make modules

    cp objs/ngx_http_modsecurity_module.so /usr/local/nginx/modules   (this is the nginx install prefix; my nginx is also built from source)

    d. Build nginx from source

    Use the nginx tarball downloaded above:

    ./configure

    make

    make install
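    The build steps of sections 2b to 2d as one repeatable script, added here as an example (it is not the post's own script and not part of ModSecurity or nginx). It keeps the post's assumptions: nginx 1.13.8 built from source with a plain ./configure and installed under /usr/local/nginx, and the dynamic module built from the same nginx source tree. The one check it adds is the one that bites in practice: a dynamic module only loads into the exact nginx version it was compiled against, so the script verifies at the end that the installed nginx reports the version the module was built for. WORK_DIR and BUILD_NOW are variables assumed for this script.

```shell
#!/bin/sh
# Added example (not from the original post): sections 2b-2d as one script, plus a
# version check, because nginx refuses to load a dynamic module that was compiled
# against a different nginx version. Versions and paths follow the post.
set -eu

NGINX_VERSION="1.13.8"
NGINX_PREFIX="/usr/local/nginx"
WORK_DIR="${WORK_DIR:-${HOME:-/tmp}/modsec-build}"   # assumed scratch directory

# Extract the version from a banner such as "nginx version: nginx/1.13.8"
# (the line that "nginx -v" prints, on stderr).
nginx_version_from_banner() {
    printf '%s\n' "$1" | sed -n 's#^nginx version: nginx/\([0-9][0-9.]*\).*#\1#p'
}

# Return 0 when the banner's version equals the version the module was built for.
# Takes the banner text as an argument so it can be checked without running nginx.
module_matches_nginx() {
    installed=$(nginx_version_from_banner "$1")
    [ "$installed" = "$2" ]
}

build_all() {
    mkdir -p "$WORK_DIR"
    cd "$WORK_DIR"

    # 2b: libmodsecurity
    [ -d ModSecurity ] || git clone --depth 1 -b v3/master --single-branch https://github.com/SpiderLabs/ModSecurity
    (cd ModSecurity && git submodule init && git submodule update && ./build.sh && ./configure && make && make install)

    # 2c: the connector, built as a dynamic module from the nginx source tree
    [ -f "nginx-$NGINX_VERSION.tar.gz" ] || wget "https://nginx.org/download/nginx-$NGINX_VERSION.tar.gz"
    tar xzf "nginx-$NGINX_VERSION.tar.gz"
    [ -d ModSecurity-nginx ] || git clone --depth 1 https://github.com/SpiderLabs/ModSecurity-nginx.git
    (cd "nginx-$NGINX_VERSION" && ./configure --add-dynamic-module=../ModSecurity-nginx && make modules)
    mkdir -p "$NGINX_PREFIX/modules"
    cp "nginx-$NGINX_VERSION/objs/ngx_http_modsecurity_module.so" "$NGINX_PREFIX/modules/"

    # 2d: nginx itself, from the same source tree (plain ./configure, as in the post)
    (cd "nginx-$NGINX_VERSION" && ./configure && make && make install)

    # The module is only loadable by the nginx version it was compiled against.
    banner=$("$NGINX_PREFIX/sbin/nginx" -v 2>&1)
    if module_matches_nginx "$banner" "$NGINX_VERSION"; then
        echo "ok: installed nginx matches the module build version $NGINX_VERSION"
    else
        echo "error: installed nginx ($banner) does not match module build version $NGINX_VERSION" >&2
        return 1
    fi
}

# Build only when explicitly asked, so the helper functions can also be sourced.
if [ "${BUILD_NOW:-0}" = "1" ]; then
    build_all
fi
```

    Run it with BUILD_NOW=1 sh build-modsec.sh (root or sudo is needed for the make install steps). If you later upgrade nginx, rebuild the module from the new tarball first; the version check at the end is the same one nginx itself performs when it reads load_module.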

    3. Configure module loading

    load_module modules/ngx_http_modsecurity_module.so;

    Note: this goes in the nginx main (top-level) context of nginx.conf.

    4. Preparing the test nginx environment

    a. The actual backend application

    /usr/local/nginx/conf/nginx.conf

    server {
        listen localhost:8085;

        location / {
            default_type text/plain;
            return 200 "Thank you for requesting ${request_uri}\n";
        }
    }

    b. WAF: the nginx reverse proxy in front of the application (where ModSecurity runs and requests enter)

    server {
        listen 80;

        location / {
            proxy_pass http://localhost:8085;
            proxy_set_header Host $host;
        }
    }

    5. ModSecurity configuration files

    a. Official template

    mkdir -p /usr/local/nginx/modsec

    cd /usr/local/nginx/modsec

    wget https://raw.githubusercontent.com/SpiderLabs/ModSecurity/v3/master/modsecurity.conf-recommended

    mv modsecurity.conf-recommended modsecurity.conf

    Enable the rule engine in modsecurity.conf:

    SecRuleEngine On

    b. Create the main configuration file

    main.conf

    with the following contents:

    Include /usr/local/nginx/modsec/modsecurity.conf

    SecRule ARGS:testparam "@contains test" "id:1234,deny,log,status:403"

    c. WAF (the port-80 nginx server block above)

    modsecurity on;

    modsecurity_rules_file /usr/local/nginx/modsec/main.conf;

    6. Load the configuration

    sbin/nginx -t

    Note: no errors means the configuration is fine; if there are errors, check the log to resolve them.

    7. Test

    With the configuration above, a request whose testparam argument contains "test" gets a 403.

    Test results:

    curl -i http://localhost/foo?testparam=dalongtest

    HTTP/1.1 403 Forbidden
    Server: nginx/1.13.8
    Date: Sun, 18 Feb 2018 10:45:43 GMT
    Content-Type: text/html
    Content-Length: 169
    Connection: keep-alive

    403 Forbidden
    403 Forbidden
    nginx/1.13.8

    curl -i http://localhost/foo?testparam=dalong

    HTTP/1.1 200 OK
    Server: nginx/1.13.8
    Date: Sun, 18 Feb 2018 10:46:14 GMT
    Content-Type: text/plain
    Content-Length: 47
    Connection: keep-alive

    Thank you for requesting /foo?testparam=dalong
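    The two manual curl checks above turned into a repeatable smoke test, added here as an example (it is not the post's own script and not part of ModSecurity or nginx). It assumes the demo rule from section 5b (id 1234: deny with 403 when the testparam argument contains "test") behind the port-80 proxy from section 4b; WAF_BASE and RUN_SMOKE are variables assumed for this script. It goes a little beyond the post's two requests to show what "@contains test" on ARGS:testparam actually matches: any value with "test" as a substring, and only that parameter name.

```shell
#!/bin/sh
# Added example (not from the original post): smoke test for the WAF listener.
# Each case is (path, expected status); the expectations follow the demo rule
# "SecRule ARGS:testparam "@contains test" "id:1234,deny,log,status:403"".
set -u

WAF_BASE="${WAF_BASE:-http://localhost}"   # assumed: the port-80 WAF server block

# Fetch a URL and print only the HTTP status code (curl prints 000 when no response arrives).
fetch_status() {
    curl -s -o /dev/null -w '%{http_code}' --max-time 5 "$1"
}

# Compare the observed status for a path with the expected one; returns 1 on mismatch.
check_case() {
    path="$1"
    expected="$2"
    actual=$(fetch_status "$WAF_BASE$path")
    if [ "$actual" = "$expected" ]; then
        echo "PASS $expected $path"
        return 0
    fi
    echo "FAIL expected $expected got $actual $path"
    return 1
}

# Returns the number of failing cases (0 means the WAF behaves as the rule says).
run_smoke_test() {
    failures=0
    check_case "/foo?testparam=dalongtest" 403 || failures=$((failures + 1))   # the post's blocked request
    check_case "/foo?testparam=dalong"     200 || failures=$((failures + 1))   # the post's allowed request
    check_case "/foo?testparam=testing"    403 || failures=$((failures + 1))   # @contains is a substring match
    check_case "/foo?other=test"           200 || failures=$((failures + 1))   # ARGS:testparam ignores other names
    return "$failures"
}

if [ "${RUN_SMOKE:-0}" = "1" ]; then
    run_smoke_test
fi
```

    Run it with RUN_SMOKE=1 sh waf-smoke.sh after every configuration reload; a non-zero exit means either the rule changed or SecRuleEngine is no longer On (DetectionOnly logs the match but returns 200, which this test catches).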

    8. Extension

    The OWASP CRS is also supported.

    Configuration reference:

    wget https://github.com/SpiderLabs/owasp-modsecurity-crs/archive/v3.0.2.tar.gz

    tar -xzvf v3.0.2.tar.gz

    sudo mv owasp-modsecurity-crs-3.0.2 /usr/local

    cd /usr/local/owasp-modsecurity-crs-3.0.2

    sudo cp crs-setup.conf.example crs-setup.conf

    # Include the recommended configuration
    Include /usr/local/nginx/modsec/modsecurity.conf

    # OWASP CRS v3 rules
    Include /usr/local/owasp-modsecurity-crs-3.0.2/crs-setup.conf
    Include /usr/local/owasp-modsecurity-crs-3.0.2/rules/*.conf

    9. References

    https://github.com/SpiderLabs/ModSecurity/tree/v3/master

    https://github.com/SpiderLabs/ModSecurity

    https://www.nginx.com/resources/library/modsecurity-3-nginx-quick-start-guide/


    Source link: https://www.haomeiwen.com/subject/hdpbtftx.html