Nginx Custom module install (modsecurity)?

What nginx modules do you have in mind ? If it's nginx naxsi or mod_security, i haven't had much luck with them or real world experience using them so left them out.

Centmin Mod Nginx has alot of nginx modules out of the box already so already might have you covered

Code:

nginx -V 2>&1 | sed -e 's|--|\n--|g'
nginx version: nginx/1.9.9
built by clang 3.4.2 (tags/RELEASE_34/dot2-final)
built with LibreSSL 2.2.5
TLS SNI support enabled
configure arguments:
--with-ld-opt='-lrt -ljemalloc -Wl,-z,relro -Wl,-rpath,/usr/local/lib'
--with-cc-opt='-m64 -mtune=native -g -O2 -fstack-protector
--param=ssp-buffer-size=4 -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wno-deprecated-declarations -Wno-unused-parameter -Wno-unused-const-variable -Wno-conditional-uninitialized -Wno-mismatched-tags -Wno-c++11-extensions -Wno-sometimes-uninitialized -Wno-parentheses-equality -Wno-tautological-compare -Wno-self-assign -Wno-deprecated-register -Wno-deprecated -Wno-invalid-source-encoding -Wno-pointer-sign -Wno-parentheses -Wno-enum-conversion'
--sbin-path=/usr/local/sbin/nginx
--conf-path=/usr/local/nginx/conf/nginx.conf
--with-http_stub_status_module
--with-http_secure_link_module
--with-openssl-opt=enable-tlsext
--add-module=../nginx-module-vts
--with-libatomic
--with-threads
--with-stream
--with-stream_ssl_module
--with-http_gzip_static_module
--add-module=../ngx_pagespeed-release-1.9.32.11-beta
--with-http_sub_module
--with-http_addition_module
--with-http_image_filter_module
--with-http_geoip_module
--with-http_realip_module
--add-module=../nginx-accesskey-2.0.3
--add-module=../nginx-http-concat-master
--add-module=../ngx-fancyindex-ngx-fancyindex
--add-module=../ngx_cache_purge-2.3
--add-module=../ngx_devel_kit-0.2.19
--add-module=../set-misc-nginx-module-0.29
--add-module=../echo-nginx-module-0.58
--add-module=../redis2-nginx-module-0.12
--add-module=../ngx_http_redis-0.3.7
--add-module=../lua-nginx-module-0.9.19
--add-module=../lua-upstream-nginx-module-0.04
--add-module=../lua-upstream-cache-nginx-module-0.1.1
--add-module=../nginx_upstream_check_module-0.3.0
--add-module=../openresty-memc-nginx-module-4f6f78f
--add-module=../openresty-srcache-nginx-module-ffa9ab7
--add-module=../headers-more-nginx-module-0.28
--with-pcre=../pcre-8.37
--with-pcre-jit
--with-http_ssl_module
--with-http_v2_module
--with-openssl=../libressl-2.2.5

I posted an example of how to add nginx modules to Centmin Mod at centminmod.com/nginx_webdav.html for webdav prior to it becoming an official part of Centmin Mod's default module list. You can use that example to pretty much add or extend Nginx with additional modules.

Only limitations are

1. You need to know generally how to add Nginx modules and that is basically the same for any Nginx server not just Centmin Mod
2. You also need to know the instructions for specific Nginx module
3. You also need to know any prerequiste system dependencies and YUM packages that the Nginx module requires as I may not know what they are as I may have never used the Nginx module you want.
4. I'm limited to what I can add to Centmin Mod by what I know and use usually and what I am comfortable with supporting. So that limits what officially I can add to Centmin Mod. But you are free to add whatever you need using above as a guide.

For Centmin Mod Nginx, download tar.gz nginx modules to /svr-setup and extract and then editing inc/nginx_configure.inc just use the same --add-module=../nginx-module-name line.

Posted a more recent example below. Actual Github commits for adding 3 new Centmin Mod Nginx modules, echo-nginx-module, set-misc-nginx-module and ngx_devel_kit are located below (you can use these changes and webdav example as a blue print for understanding how to extend and add your own Centmin Mod Nginx modules.

Github commits for 3 new Nginx modules

• add Openresty set-misc-nginx-module and ngx_devel_kit Nginx modules t… · centminmod/centminmod@b1006c5 · GitHub
• add Openresty echo-nginx-module Nginx module for Centmin Mod .08 beta · centminmod/centminmod@6026a7a · GitHub

General Info on Adding New Nginx Modules

There's 5 basic steps involve in adding a new Nginx module into Centmin Mod Nginx server for Centmin Mod .08 beta02 and higher. They involve editing 5 Centmin Mod files.

1. centmin.sh - add VARIABLE name to define the nginx module's version number if there is one
2. inc/downloadlinks.inc - add 2 VARIABLES to define the module download link and filename
3. inc/downloads.inc - add download function to download the module using download link defined in inc/downloadlinks.inc and test the download validity i.e. untar it using filename defined in inc/downloadlinks.inc
4. inc/nginx_configure.inc - add check variables to grab latest nginx module extracted directory and put it info directory variable to be called from Nginx ./configure options only if NGINX_OPENRESTY='y'
5. inc/nginx_upgrade.inc - add to existing file check, the new module download file name (defined in inc/downloadlinks.inc). This ensures, when you run centmin.sh menu option 4 to upgrade Nginx, if the new nginx module download file doesn't exist in /svr-setup, it will download it and extract it before the Nginx compilation begins

Another way of doing it is shown at Nginx - A straight forward tutorial to install test-cookie? | Centmin Mod Community This way doesn't allow for managing nginx module version updates and auto updates via centmin.sh menu option 4 like the above method.

The above is for nginx modules requiring additional downloads to be configured. There's also nginx modules which do not need additional downloads but just enabling of the nginx module itself. I just added ngx_http_auth_request_module to Nginx for .08 beta 03 as it only required adding --with-http_auth_request_module to configure options. You can see the changes I did here add ngx_http_auth_request_module support · centminmod/centminmod@ec079c5 · GitHub - similar to above instructions just did not need to touch inc/downloadslinks.inc and inc/downloads.inc and inc/nginx_upgrade.inc as there are NO additional downloads to account for and check.

 

compilation errors and dependency requirements

for instance revisited mod_security today and fails at ./autogen.sh part and had various errors in the past - just not something I'd spend much time on seeing as I don't have real world configuration experience with common web apps out there and not going to support users for free troubleshooting their web app's mod_security conflicts etc

Code:

ModSecurity-2.9.0]# ./autogen.sh
libtoolize: putting auxiliary files in AC_CONFIG_AUX_DIR, `build'.
libtoolize: copying file `build/ltmain.sh'
libtoolize: putting macros in AC_CONFIG_MACRO_DIR, `build'.
libtoolize: copying file `build/libtool.m4'
libtoolize: copying file `build/ltoptions.m4'
libtoolize: copying file `build/ltsugar.m4'
libtoolize: copying file `build/ltversion.m4'
libtoolize: copying file `build/lt~obsolete.m4'
configure.ac:18: installing 'build/ar-lib'
configure.ac:21: installing 'build/config.guess'
configure.ac:21: installing 'build/config.sub'
configure.ac:17: installing 'build/install-sh'
configure.ac:17: installing 'build/missing'
alp2/Makefile.am: installing 'build/depcomp'
tests/Makefile.am:2: warning: compiling '../apache2/acmp.c' in subdir requires 'AM_PROG_CC_C_O' in 'configure.ac'
parallel-tests: installing 'build/test-driver'
tests/Makefile.am:2: warning: compiling '../apache2/acmp.c' in subdir requires 'AM_PROG_CC_C_O' in 'configure.ac'

 

I guess if I don't use github tarball but prepacked one on site it compiles though

Code:

Libraries have been installed in:
   /usr/local/modsecurity/lib

Code:

ls -lah /usr/local/modsecurity/lib
total 9.6M
drwxr-xr-x 2 root root   88 Jan 17 14:20 .
drwxr-xr-x 4 root root   26 Jan 17 14:20 ..
-rwxr-xr-x 1 root root 2.4M Jan 17 14:20 mod_security2.so
-rw-r--r-- 1 root root 4.6M Jan 17 14:20 standalone.a
-rwxr-xr-x 1 root root 1.2K Jan 17 14:20 standalone.la
-rwxr-xr-x 1 root root 2.6M Jan 17 14:20 standalone.so

 

FYI, I added nginx modsecurity detection and configuration support into Centmin Mod 123.09beta01 only Beta Branch - update inc/nginx_configure.inc and centmin.sh modsecurity detection | Centmin Mod Community Not install but detection and configurtaion. Which means if Modsecurity is properly installed in the right default directories and Centmin Mod centmin.sh menu option 4 for nginx recompiles can detect modsecurity, then nginx will be configured with the right modsecurity add-module flags to add modsecurity nginx module to nginx.

This means I can probably later on add a standalone Centmin Mod Addon i.e. addons/modsecurity.sh to do the modsecurity installation which Centmin Mod 123.09beta01 will be able to auto detect and pick on and configure on when you run centmin.sh menu option 4

 

@yves heads up addons/modsecurity.sh standalone installer has been added to Centmin Mod 123.09beta01 branch https://community.centminmod.com/posts/24531/

 

i don't use it production wise so only good idea if you know what you're doing modsecurity setting/configuration wise for your specific web apps

 

looks like modsecurity 2.9 is outdated for nginx as they are working on a new version Re: nginx/1.9.9 with modsecurity/2.9.0 crashes with segfault and worker process exited on signal 11

 

Jan 21-23 i did alot of commits for EC2 fixes for PATH variables Commits · centminmod/centminmod · GitHub so you might have been caught before or during those updates ?
yup correct

Code:

yum -y install wget nano bc unzip
branchname=123.09beta01
wget -O /usr/local/src/${branchname}.zip https://github.com/centminmod/centminmod/archive/${branchname}.zip
cd /usr/local/src
unzip ${branchname}.zip
mv centminmod-${branchname} centminmod
cd centminmod
./centmin.sh 

or can use curl installer too outlined at Beta Branch - Centmin Mod .09 beta branch Testing | Centmin Mod Community

Code:

curl -O https://centminmod.com/betainstaller.sh && chmod 0700 betainstaller.sh && bash betainstaller.sh

You'll need to post on the forums with the following info

• Server or VPS details ? XEN, KVM, OpenVZ, VMWare or dedicated server ? OS ? CentOS 6.7 or 7.1 ? 32bit or 64bit ?
• How long ago did you install Centmin Mod ?
• There's numerous code changes, bug fixes over time, so ensure you have latest Centmin Mod code installed by upgrading your Centmin Mod code as instructed below.

Troubleshooting Initial Install

To troubleshoot initial installation, you need to check the initial install log at /root/centminlogs and instructions under Sharing logs and errors heading for using Pastebin.com or Gists to share a sanitised version of the contents of the initial install log. You can see full details at How to troubleshoot Centmin Mod initial install issues

 

yes just git clone slower than wget due to git clone pulling on the revisions too AFAIK

 

FYI, just tested both 123.08stable and 123.09beta01 on fresh installs via centmin.sh menu option 1 and both installed ok without problem on 1GB OpenVZ CentOS 6.7 64bit VPS

 

ah i see did you try with leaving NGINX_HTTP2=y ? as Nginx 1.9.5+ and higher have HTTP/2 only. My NGINX_HTTP2=n will revert to SPDY module as I started testing during Nginx 1.9.3 stage which had both SPDY and HTTP/2. But SPDY doesn't exist in Nginx 1.9.5+ I think

the install logs would help troubleshooting too