Join the community today
Become a Member

Nginx Custom module install (modsecurity)?

Discussion in 'Nginx, PHP-FPM & MariaDB MySQL' started by yves, Jan 17, 2016.

  1. yves

    yves New Member

    16
    3
    3
    Jan 17, 2016
    Ratings:
    +4
    Local Time:
    2:28 AM
    Hi I've read the FAQ and found details about customs settings, I've done a bit of search here as well.

    Yet I find nothing about the possible custom settings as for modules compiled with Nginx.
    Is there any possibility to add custom setting for this (for say, adding a module that is not listed by default)?
    If so, can these settings be set as persistent in some config file?

    Thanks for any help.
     
  2. eva2000

    eva2000 Administrator Staff Member

    30,178
    6,786
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +10,139
    Local Time:
    10:28 AM
    Nginx 1.13.x
    MariaDB 5.5
    What nginx modules do you have in mind ? If it's nginx naxsi or mod_security, i haven't had much luck with them or real world experience using them so left them out.

    Centmin Mod Nginx has alot of nginx modules out of the box already so already might have you covered :)

    Code:
    nginx -V 2>&1 | sed -e 's|--|\n--|g'
    nginx version: nginx/1.9.9
    built by clang 3.4.2 (tags/RELEASE_34/dot2-final)
    built with LibreSSL 2.2.5
    TLS SNI support enabled
    configure arguments:
    --with-ld-opt='-lrt -ljemalloc -Wl,-z,relro -Wl,-rpath,/usr/local/lib'
    --with-cc-opt='-m64 -mtune=native -g -O2 -fstack-protector
    --param=ssp-buffer-size=4 -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wno-deprecated-declarations -Wno-unused-parameter -Wno-unused-const-variable -Wno-conditional-uninitialized -Wno-mismatched-tags -Wno-c++11-extensions -Wno-sometimes-uninitialized -Wno-parentheses-equality -Wno-tautological-compare -Wno-self-assign -Wno-deprecated-register -Wno-deprecated -Wno-invalid-source-encoding -Wno-pointer-sign -Wno-parentheses -Wno-enum-conversion'
    --sbin-path=/usr/local/sbin/nginx
    --conf-path=/usr/local/nginx/conf/nginx.conf
    --with-http_stub_status_module
    --with-http_secure_link_module
    --with-openssl-opt=enable-tlsext
    --add-module=../nginx-module-vts
    --with-libatomic
    --with-threads
    --with-stream
    --with-stream_ssl_module
    --with-http_gzip_static_module
    --add-module=../ngx_pagespeed-release-1.9.32.11-beta
    --with-http_sub_module
    --with-http_addition_module
    --with-http_image_filter_module
    --with-http_geoip_module
    --with-http_realip_module
    --add-module=../nginx-accesskey-2.0.3
    --add-module=../nginx-http-concat-master
    --add-module=../ngx-fancyindex-ngx-fancyindex
    --add-module=../ngx_cache_purge-2.3
    --add-module=../ngx_devel_kit-0.2.19
    --add-module=../set-misc-nginx-module-0.29
    --add-module=../echo-nginx-module-0.58
    --add-module=../redis2-nginx-module-0.12
    --add-module=../ngx_http_redis-0.3.7
    --add-module=../lua-nginx-module-0.9.19
    --add-module=../lua-upstream-nginx-module-0.04
    --add-module=../lua-upstream-cache-nginx-module-0.1.1
    --add-module=../nginx_upstream_check_module-0.3.0
    --add-module=../openresty-memc-nginx-module-4f6f78f
    --add-module=../openresty-srcache-nginx-module-ffa9ab7
    --add-module=../headers-more-nginx-module-0.28
    --with-pcre=../pcre-8.37
    --with-pcre-jit
    --with-http_ssl_module
    --with-http_v2_module
    --with-openssl=../libressl-2.2.5

    I posted an example of how to add nginx modules to Centmin Mod at centminmod.com/nginx_webdav.html for webdav prior to it becoming an official part of Centmin Mod's default module list. You can use that example to pretty much add or extend Nginx with additional modules.

    Only limitations are
    1. You need to know generally how to add Nginx modules and that is basically the same for any Nginx server not just Centmin Mod
    2. You also need to know the instructions for specific Nginx module
    3. You also need to know any prerequiste system dependencies and YUM packages that the Nginx module requires as I may not know what they are as I may have never used the Nginx module you want.
    4. I'm limited to what I can add to Centmin Mod by what I know and use usually and what I am comfortable with supporting. So that limits what officially I can add to Centmin Mod. But you are free to add whatever you need using above as a guide.
    For Centmin Mod Nginx, download tar.gz nginx modules to /svr-setup and extract and then editing inc/nginx_configure.inc just use the same --add-module=../nginx-module-name line.

    Posted a more recent example below. Actual Github commits for adding 3 new Centmin Mod Nginx modules, echo-nginx-module, set-misc-nginx-module and ngx_devel_kit are located below (you can use these changes and webdav example as a blue print for understanding how to extend and add your own Centmin Mod Nginx modules.

    Github commits for 3 new Nginx modules

    General Info on Adding New Nginx Modules



    There's 5 basic steps involve in adding a new Nginx module into Centmin Mod Nginx server for Centmin Mod .08 beta02 and higher. They involve editing 5 Centmin Mod files.
    1. centmin.sh - add VARIABLE name to define the nginx module's version number if there is one
    2. inc/downloadlinks.inc - add 2 VARIABLES to define the module download link and filename
    3. inc/downloads.inc - add download function to download the module using download link defined in inc/downloadlinks.inc and test the download validity i.e. untar it using filename defined in inc/downloadlinks.inc
    4. inc/nginx_configure.inc - add check variables to grab latest nginx module extracted directory and put it info directory variable to be called from Nginx ./configure options only if NGINX_OPENRESTY='y'
    5. inc/nginx_upgrade.inc - add to existing file check, the new module download file name (defined in inc/downloadlinks.inc). This ensures, when you run centmin.sh menu option 4 to upgrade Nginx, if the new nginx module download file doesn't exist in /svr-setup, it will download it and extract it before the Nginx compilation begins
    Another way of doing it is shown at Nginx - A straight forward tutorial to install test-cookie? | Centmin Mod Community This way doesn't allow for managing nginx module version updates and auto updates via centmin.sh menu option 4 like the above method.

    The above is for nginx modules requiring additional downloads to be configured. There's also nginx modules which do not need additional downloads but just enabling of the nginx module itself. I just added ngx_http_auth_request_module to Nginx for .08 beta 03 as it only required adding --with-http_auth_request_module to configure options. You can see the changes I did here add ngx_http_auth_request_module support · centminmod/centminmod@ec079c5 · GitHub - similar to above instructions just did not need to touch inc/downloadslinks.inc and inc/downloads.inc and inc/nginx_upgrade.inc as there are NO additional downloads to account for and check.
     
  3. yves

    yves New Member

    16
    3
    3
    Jan 17, 2016
    Ratings:
    +4
    Local Time:
    2:28 AM
    I am thinking about WAF modules, namely Naxsi and / or ModSecurity.

    I must admit this is for testing purpose at this stage since I don't know their usage (though I know they are not quite straightforward to setup).
    Since those must be set around some "known" web app config and since Centminmod offers the possibility to install WP, all in some known config (at least for the default install), I was thinking it could be a good starting point for default rules.
    Still these rules may not fit all WP themes / plugins, but it could set some fondations from where to start if installed with default WP install.

    Having said that, thank you very much for all the details about adding some custom module, I will have a look at it.

    Edit: BTW, may I ask what kind of problems you did face regarding those actual modules (Naxsi, ModSec) ?
     
    Last edited: Jan 17, 2016
  4. eva2000

    eva2000 Administrator Staff Member

    30,178
    6,786
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +10,139
    Local Time:
    10:28 AM
    Nginx 1.13.x
    MariaDB 5.5
    compilation errors and dependency requirements

    for instance revisited mod_security today and fails at ./autogen.sh part and had various errors in the past - just not something I'd spend much time on seeing as I don't have real world configuration experience with common web apps out there and not going to support users for free troubleshooting their web app's mod_security conflicts etc :)
    Code:
    ModSecurity-2.9.0]# ./autogen.sh
    libtoolize: putting auxiliary files in AC_CONFIG_AUX_DIR, `build'.
    libtoolize: copying file `build/ltmain.sh'
    libtoolize: putting macros in AC_CONFIG_MACRO_DIR, `build'.
    libtoolize: copying file `build/libtool.m4'
    libtoolize: copying file `build/ltoptions.m4'
    libtoolize: copying file `build/ltsugar.m4'
    libtoolize: copying file `build/ltversion.m4'
    libtoolize: copying file `build/lt~obsolete.m4'
    configure.ac:18: installing 'build/ar-lib'
    configure.ac:21: installing 'build/config.guess'
    configure.ac:21: installing 'build/config.sub'
    configure.ac:17: installing 'build/install-sh'
    configure.ac:17: installing 'build/missing'
    alp2/Makefile.am: installing 'build/depcomp'
    tests/Makefile.am:2: warning: compiling '../apache2/acmp.c' in subdir requires 'AM_PROG_CC_C_O' in 'configure.ac'
    parallel-tests: installing 'build/test-driver'
    tests/Makefile.am:2: warning: compiling '../apache2/acmp.c' in subdir requires 'AM_PROG_CC_C_O' in 'configure.ac'
     
  5. yves

    yves New Member

    16
    3
    3
    Jan 17, 2016
    Ratings:
    +4
    Local Time:
    2:28 AM
    OK, noted as for compilation problems.

    Yes, I see, good points for not having these as standards (besides compilation issues) ;)

    I think I'll try to have a go though, yet there seems to be quite a steep learning curve to handle them properly.

    Thanks for the advices anyway.
     
  6. eva2000

    eva2000 Administrator Staff Member

    30,178
    6,786
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +10,139
    Local Time:
    10:28 AM
    Nginx 1.13.x
    MariaDB 5.5
    I guess if I don't use github tarball but prepacked one on site it compiles though
    Code:
    Libraries have been installed in:
       /usr/local/modsecurity/lib
    
    Code:
    ls -lah /usr/local/modsecurity/lib
    total 9.6M
    drwxr-xr-x 2 root root   88 Jan 17 14:20 .
    drwxr-xr-x 4 root root   26 Jan 17 14:20 ..
    -rwxr-xr-x 1 root root 2.4M Jan 17 14:20 mod_security2.so
    -rw-r--r-- 1 root root 4.6M Jan 17 14:20 standalone.a
    -rwxr-xr-x 1 root root 1.2K Jan 17 14:20 standalone.la
    -rwxr-xr-x 1 root root 2.6M Jan 17 14:20 standalone.so
     
    Last edited: Jan 18, 2016
    • Like Like x 1
  7. eva2000

    eva2000 Administrator Staff Member

    30,178
    6,786
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +10,139
    Local Time:
    10:28 AM
    Nginx 1.13.x
    MariaDB 5.5
    FYI, I added nginx modsecurity detection and configuration support into Centmin Mod 123.09beta01 only Beta Branch - update inc/nginx_configure.inc and centmin.sh modsecurity detection | Centmin Mod Community Not install but detection and configurtaion. Which means if Modsecurity is properly installed in the right default directories and Centmin Mod centmin.sh menu option 4 for nginx recompiles can detect modsecurity, then nginx will be configured with the right modsecurity add-module flags to add modsecurity nginx module to nginx.

    This means I can probably later on add a standalone Centmin Mod Addon i.e. addons/modsecurity.sh to do the modsecurity installation which Centmin Mod 123.09beta01 will be able to auto detect and pick on and configure on when you run centmin.sh menu option 4 :)
     
  8. yves

    yves New Member

    16
    3
    3
    Jan 17, 2016
    Ratings:
    +4
    Local Time:
    2:28 AM
    Thanks again for all these details :)
    I definitely have to have a look at this all
     
  9. eva2000

    eva2000 Administrator Staff Member

    30,178
    6,786
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +10,139
    Local Time:
    10:28 AM
    Nginx 1.13.x
    MariaDB 5.5
  10. Jimmy

    Jimmy Premium Member Premium Member

    1,114
    247
    63
    Oct 24, 2015
    East Coast USA
    Ratings:
    +596
    Local Time:
    8:28 PM
    1.13.x
    MariaDB 10.1.x
    @eva2000 do you think it's a good idea to run modsecurity?
     
  11. eva2000

    eva2000 Administrator Staff Member

    30,178
    6,786
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +10,139
    Local Time:
    10:28 AM
    Nginx 1.13.x
    MariaDB 5.5
    i don't use it production wise so only good idea if you know what you're doing modsecurity setting/configuration wise for your specific web apps
     
  12. Jimmy

    Jimmy Premium Member Premium Member

    1,114
    247
    63
    Oct 24, 2015
    East Coast USA
    Ratings:
    +596
    Local Time:
    8:28 PM
    1.13.x
    MariaDB 10.1.x
    Thanks. I used it on cPanel, but wasn't considering running it on Centminmod. I remember a lot of things got blocked when I was using it on cPanel.
     
  13. eva2000

    eva2000 Administrator Staff Member

    30,178
    6,786
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +10,139
    Local Time:
    10:28 AM
    Nginx 1.13.x
    MariaDB 5.5
    looks like modsecurity 2.9 is outdated for nginx as they are working on a new version Re: nginx/1.9.9 with modsecurity/2.9.0 crashes with segfault and worker process exited on signal 11
     
    • Informative Informative x 1
  14. yves

    yves New Member

    16
    3
    3
    Jan 17, 2016
    Ratings:
    +4
    Local Time:
    2:28 AM
    Sorry for the late feedback (I haven't had time to test that earlier).
    Thanks for this update and thanks for having been that far as to provide the modsec addons installer :)
    However, I am having some problems whren compiling Nginx, namely, just after the ./configure command:
    inc/nginx_configure.inc: line 780: ./configure: No such file or directory

    I have had this both on fresh centos 6.7 32 and 64 bits inside VMWare VPS (tested on both to see if that could be the cause)

    Just to be sure I am doing things properly:

    Code:
    yum -y install wget nano bc unzip
    branchname=123.09beta01
    wget -O /usr/local/src/${branchname}.zip https://github.com/centminmod/centminmod/archive/${branchname}.zip
    cd /usr/local/src
    unzip ${branchname}.zip
    mv centminmod-${branchname} centminmod
    cd centminmod
    ./centmin.sh  
    Then I install centminmod, then modsecurity.sh from addons,
    Then edit ./centmin.sh with NGINX_MODSECURITY=y
    Then Nginx install again from option 4 in from ./centmin.sh

    Could you please confirm these steps are done the proper way ?
    If so, any idea why this exits with an error ?


    Hmmm, looks this may not go smoothly then after. Thanks for that advice too.
    Anyway from what I've read so far, modsec hardly works out of the box with default rules and some from owasp need to be tweaked / disabled depending on usage (I am thinking WP here).

    Will see how it goes if I can have it working for tests.
     
  15. eva2000

    eva2000 Administrator Staff Member

    30,178
    6,786
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +10,139
    Local Time:
    10:28 AM
    Nginx 1.13.x
    MariaDB 5.5
    Jan 21-23 i did alot of commits for EC2 fixes for PATH variables Commits · centminmod/centminmod · GitHub so you might have been caught before or during those updates ?
    yup correct
    Code:
    yum -y install wget nano bc unzip
    branchname=123.09beta01
    wget -O /usr/local/src/${branchname}.zip https://github.com/centminmod/centminmod/archive/${branchname}.zip
    cd /usr/local/src
    unzip ${branchname}.zip
    mv centminmod-${branchname} centminmod
    cd centminmod
    ./centmin.sh 
    or can use curl installer too outlined at Beta Branch - Centmin Mod .09 beta branch Testing | Centmin Mod Community
    Code:
    curl -O https://centminmod.com/betainstaller.sh && chmod 0700 betainstaller.sh && bash betainstaller.sh
    You'll need to post on the forums with the following info
    • Server or VPS details ? XEN, KVM, OpenVZ, VMWare or dedicated server ? OS ? CentOS 6.7 or 7.1 ? 32bit or 64bit ?
    • How long ago did you install Centmin Mod ?
    • There's numerous code changes, bug fixes over time, so ensure you have latest Centmin Mod code installed by upgrading your Centmin Mod code as instructed below.

    Troubleshooting Initial Install



    To troubleshoot initial installation, you need to check the initial install log at /root/centminlogs and instructions under Sharing logs and errors heading for using Pastebin.com or Gists to share a sanitised version of the contents of the initial install log. You can see full details at How to troubleshoot Centmin Mod initial install issues
     
    Last edited: Jan 24, 2016
  16. yves

    yves New Member

    16
    3
    3
    Jan 17, 2016
    Ratings:
    +4
    Local Time:
    2:28 AM
    Well I deed try the other day, yes, but I've started again with a fresh VPS install like 2 hours ago to make sure I hadn't broken the thing on my side.
    So this is quite a fresh test off fresh wget regarding the used source.

    As mentioned in my post Centos 6.7 inside VMWare VPS, tried both 32bits and 64bits, same result and that was about 2 hours ago

    Thanks for all the advices, I am going to dig into the info I can grab in the logs and read troubleshoot info.

    Last thing: if I directly clone the 123.09beta01 branch Commits · centminmod/centminmod · GitHub , I get the exact same thing to start off than
    Code:
    branchname=123.09beta01
    wget -O /usr/local/src/${branchname}.zip https://github.com/centminmod/centminmod/archive/${branchname}.zip
    
    Right?
     
  17. eva2000

    eva2000 Administrator Staff Member

    30,178
    6,786
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +10,139
    Local Time:
    10:28 AM
    Nginx 1.13.x
    MariaDB 5.5
    yes just git clone slower than wget due to git clone pulling on the revisions too AFAIK
     
  18. eva2000

    eva2000 Administrator Staff Member

    30,178
    6,786
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +10,139
    Local Time:
    10:28 AM
    Nginx 1.13.x
    MariaDB 5.5
    FYI, just tested both 123.08stable and 123.09beta01 on fresh installs via centmin.sh menu option 1 and both installed ok without problem on 1GB OpenVZ CentOS 6.7 64bit VPS
     
  19. yves

    yves New Member

    16
    3
    3
    Jan 17, 2016
    Ratings:
    +4
    Local Time:
    2:28 AM
    Oh, yes, I have no problem either intsalling these straight from the install option.

    The problem arise AFTER modesecurity install (from provided addon) when trying to recompile Nginx.

    Just tried again from a fresh VMWare 1GB Centos 6.7 64 bit install, fresh git fetch on branch 123.09beta01, no luck again.

    And this time, at the time of running option 4 after modsec install, BTW, I set NGINX_HTTP2=n along with NGINX_MODSECURITY=y because I have a feeling that http2 support might not help testing modsec if it is not prepared for Nginx 1.9.9 yet as http2 is probably much too many new things going on.
    Anyway I still get inc/nginx_configure.inc: line 780: ./configure: No such file or directory at Nginx compilation stage.
     
  20. eva2000

    eva2000 Administrator Staff Member

    30,178
    6,786
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +10,139
    Local Time:
    10:28 AM
    Nginx 1.13.x
    MariaDB 5.5
    ah i see did you try with leaving NGINX_HTTP2=y ? as Nginx 1.9.5+ and higher have HTTP/2 only. My NGINX_HTTP2=n will revert to SPDY module as I started testing during Nginx 1.9.3 stage which had both SPDY and HTTP/2. But SPDY doesn't exist in Nginx 1.9.5+ I think

    the install logs would help troubleshooting too