Environment
- OS: Alibaba Cloud Linux 3 (RHEL 8 compatible)
- Nginx version: 1.20.1
- ModSecurity version: 3.0.12+
- OWASP CRS version: 4.0.0
Phase 1: Install dependencies
1. Install development tools
sudo yum groupinstall -y "Development Tools"
2. Install the ModSecurity build dependencies
sudo yum install -y \
wget git \
pcre-devel zlib-devel libxml2-devel \
curl-devel geoip-devel yajl-devel \
doxygen libtool autoconf automake
Note: lmdb-devel and ssdeep-devel are not available in Alibaba Cloud Linux 3; they are optional and do not affect core functionality.
3. Install the Nginx build dependencies
sudo yum install -y libxslt-devel gd-devel perl-devel perl-ExtUtils-Embed
Phase 2: Build and install ModSecurity
1. Download the ModSecurity source
cd /usr/local/src
sudo wget https://github.com/SpiderLabs/ModSecurity/releases/download/v3.0.12/modsecurity-v3.0.12.tar.gz
sudo tar -xzf modsecurity-v3.0.12.tar.gz
sudo mv modsecurity-v3.0.12 ModSecurity
cd ModSecurity
2. Build and install
sudo sh build.sh
sudo ./configure
sudo make -j$(nproc)
sudo make install
3. Verify the installation
ls -l /usr/local/modsecurity/lib/libmodsecurity.so*
Phase 3: Build the Nginx ModSecurity module
1. Download the ModSecurity-nginx connector
cd /usr/local/src
sudo wget https://github.com/SpiderLabs/ModSecurity-nginx/archive/refs/heads/master.zip
sudo unzip master.zip
sudo mv ModSecurity-nginx-master ModSecurity-nginx
2. Download the Nginx source for the matching version
cd /usr/local/src
sudo wget http://nginx.org/download/nginx-1.20.1.tar.gz
sudo tar -xzf nginx-1.20.1.tar.gz
cd nginx-1.20.1
3. Get the current Nginx build parameters (the configure arguments in step 4 must reproduce this output, otherwise Nginx can reject the module as not binary compatible)
nginx -V
4. Reconfigure and build the module
sudo ./configure \
--prefix=/usr/share/nginx \
--sbin-path=/usr/sbin/nginx \
--modules-path=/usr/lib64/nginx/modules \
--conf-path=/etc/nginx/nginx.conf \
--error-log-path=/var/log/nginx/error.log \
--http-log-path=/var/log/nginx/access.log \
--http-client-body-temp-path=/var/lib/nginx/tmp/client_body \
--http-proxy-temp-path=/var/lib/nginx/tmp/proxy \
--http-fastcgi-temp-path=/var/lib/nginx/tmp/fastcgi \
--http-uwsgi-temp-path=/var/lib/nginx/tmp/uwsgi \
--http-scgi-temp-path=/var/lib/nginx/tmp/scgi \
--pid-path=/run/nginx.pid \
--lock-path=/run/lock/subsys/nginx \
--user=nginx \
--group=nginx \
--with-file-aio \
--with-ipv6 \
--with-http_ssl_module \
--with-http_v2_module \
--with-http_realip_module \
--with-stream_ssl_preread_module \
--with-http_addition_module \
--with-http_xslt_module=dynamic \
--with-http_image_filter_module=dynamic \
--with-http_sub_module \
--with-http_dav_module \
--with-http_flv_module \
--with-http_mp4_module \
--with-http_gunzip_module \
--with-http_gzip_static_module \
--with-http_random_index_module \
--with-http_secure_link_module \
--with-http_degradation_module \
--with-http_slice_module \
--with-http_stub_status_module \
--with-http_perl_module=dynamic \
--with-http_auth_request_module \
--with-mail=dynamic \
--with-mail_ssl_module \
--with-pcre \
--with-pcre-jit \
--with-stream=dynamic \
--with-stream_ssl_module \
--with-debug \
--with-cc-opt='-O2 -g -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS -fexceptions -fstack-protector-strong -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection -floop-unroll-and-jam -ftree-loop-distribution --param early-inlining-insns=160 --param inline-heuristics-hint-percent=800 --param inline-min-speedup=50 --param inline-unit-growth=256 --param max-average-unrolled-insns=500 --param max-completely-peel-times=32 --param max-completely-peeled-insns=800 --param max-inline-insns-auto=128 --param max-inline-insns-small=128 --param max-unroll-times=16 --param max-unrolled-insns=16 -O3' \
--with-compat \
--with-ld-opt='-Wl,-z,relro -Wl,-z,now -specs=/usr/lib/rpm/redhat/redhat-hardened-ld -Wl,-E' \
--add-dynamic-module=/usr/local/src/ModSecurity-nginx
5. Build and install the module
sudo make modules
sudo cp objs/ngx_http_modsecurity_module.so /usr/lib64/nginx/modules/
6. Configure the system library path
sudo bash -c 'echo "/usr/local/modsecurity/lib" > /etc/ld.so.conf.d/modsecurity.conf'
sudo ldconfig
Phase 4: Configure ModSecurity
1. Create the configuration directory
sudo mkdir -p /etc/nginx/modsec
2. Copy the base configuration files
sudo cp /usr/local/src/ModSecurity/modsecurity.conf-recommended /etc/nginx/modsec/modsecurity.conf
sudo cp /usr/local/src/ModSecurity/unicode.mapping /etc/nginx/modsec/
3. Enable the rule engine (switch from DetectionOnly to blocking mode)
sudo sed -i 's/SecRuleEngine DetectionOnly/SecRuleEngine On/' /etc/nginx/modsec/modsecurity.conf
4. Configure the audit log
sudo sed -i 's|^SecAuditLog .*|SecAuditLog /var/log/nginx/modsec_audit.log|' /etc/nginx/modsec/modsecurity.conf
sudo touch /var/log/nginx/modsec_audit.log
sudo chown nginx:nginx /var/log/nginx/modsec_audit.log
Phase 5: Install the OWASP CRS rule set
1. Download CRS
cd /etc/nginx/modsec
sudo wget https://github.com/coreruleset/coreruleset/archive/refs/tags/v4.0.0.tar.gz
sudo tar -xzf v4.0.0.tar.gz
sudo mv coreruleset-4.0.0 coreruleset
2. Configure CRS
cd /etc/nginx/modsec/coreruleset
sudo cp crs-setup.conf.example crs-setup.conf
3. Create the main configuration file
sudo tee /etc/nginx/modsec/main.conf > /dev/null <<'EOF'
# Load the ModSecurity core configuration
Include /etc/nginx/modsec/modsecurity.conf
# Load the OWASP CRS configuration
Include /etc/nginx/modsec/coreruleset/crs-setup.conf
# Load the CRS rules
Include /etc/nginx/modsec/coreruleset/rules/*.conf
EOF
Phase 6: Configure Nginx
1. Back up the original configuration
sudo cp /etc/nginx/nginx.conf /etc/nginx/nginx.conf.backup.$(date +%F_%H%M%S)
2. Load the ModSecurity module
Edit /etc/nginx/nginx.conf and add the following as the first line:
load_module modules/ngx_http_modsecurity_module.so;
3. Enable ModSecurity in the site configuration
Edit the site configuration file (e.g. /etc/nginx/conf.d/default.conf):
server {
listen 80;
server_name your_domain.com;
# Enable ModSecurity
modsecurity on;
modsecurity_rules_file /etc/nginx/modsec/main.conf;
location / {
root /usr/share/nginx/html;
index index.html index.htm;
}
}
4. Test the configuration and restart Nginx
sudo nginx -t
sudo systemctl restart nginx
Post-installation checklist
# 1. Check the module file
ls -l /usr/lib64/nginx/modules/ngx_http_modsecurity_module.so
# 2. Check the library is registered
ldconfig -p | grep modsecurity
# 3. Count the rule files
ls /etc/nginx/modsec/coreruleset/rules/*.conf | wc -l
# 4. Check the Nginx configuration
sudo nginx -t
# 5. Check the module load messages
sudo tail -20 /var/log/nginx/error.log | grep -i modsecurity
Expected log output:
ModSecurity-nginx v1.0.4 (rules loaded inline/local/remote: 0/832/0)
libmodsecurity3 version 3.0.14
Troubleshooting
Issue 1: lmdb-devel and ssdeep-devel fail to install
Fix: both are optional dependencies that do not affect core functionality and can be ignored.
Issue 2: the build reports that a library cannot be found
Fix: install the -devel package named in the error message, for example:
# e.g. libxslt is missing
sudo yum install -y libxslt-devel
Issue 3: Nginx fails to start because libmodsecurity.so.3 cannot be found
Fix: reconfigure the library path:
sudo bash -c 'echo "/usr/local/modsecurity/lib" > /etc/ld.so.conf.d/modsecurity.conf'
sudo ldconfig
Performance tuning suggestions
1. Exclude static assets
Add to the site configuration:
location ~* \.(jpg|jpeg|png|gif|ico|css|js|svg|woff|woff2|ttf|eot)$ {
modsecurity off;
root /usr/share/nginx/html;
}
2. Configure log rotation
sudo tee /etc/logrotate.d/modsecurity > /dev/null <<'EOF'
/var/log/nginx/modsec_audit.log {
daily
missingok
rotate 14
compress
delaycompress
notifempty
sharedscripts
postrotate
/bin/kill -USR1 $(cat /run/nginx.pid 2>/dev/null) 2>/dev/null || true
endscript
}
EOF
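Once SecAuditLog is in place, the file it points at is the main input for tuning (which rules fire most, what actually got blocked, which clients are noisiest). The script below is an added example, not part of the original guide; it parses the v3 serial audit log with grep/awk over a constructed, abbreviated sample, and assumes the section-A line reads "[time] unique_id client_ip client_port server_ip server_port".

```bash
#!/usr/bin/env bash
# Added example, not part of the original guide: summarise the ModSecurity v3
# serial audit log that SecAuditLog points at (top-firing CRS rule ids, denied
# transactions, noisiest clients) before tuning. The sample log is constructed
# and abbreviated; section A is assumed to read "[time] id client_ip port srv port".
set -eu

# "<count> <rule id>" for every [id "..."] tag in the H (trailer) sections,
# most frequent first; false-positive hunting starts at the top of this list.
modsec_rule_counts() {
  grep -o '\[id "[0-9]*"\]' "$1" | tr -dc '0-9\n' \
    | sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# Transactions the engine blocked; only non-zero once SecRuleEngine is On.
modsec_denied_count() {
  grep -c 'ModSecurity: Access denied with code' "$1" || true
}

# "<count> <client ip>" per source, read from the line after each A boundary.
modsec_client_counts() {
  awk '/^---[A-Za-z0-9]+---A--$/ { getline; print $4 }' "$1" \
    | sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
---aB1cD2eF---A--
[10/Mar/2024:12:00:01 +0800] 171007200123.456789 203.0.113.5 51234 10.0.0.1 80
---aB1cD2eF---H--
ModSecurity: Warning. Matched "Operator `Rx' ..." [file "/etc/nginx/modsec/coreruleset/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [id "920350"] [msg "Host header is a numeric IP address"] [severity "4"] [ver "OWASP_CRS/4.0.0"]
ModSecurity: Warning. Matched "Operator `PmFromFile' ..." [id "913100"] [msg "Found User-Agent associated with security scanner"] [severity "2"]
ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Ge' ..." [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 8)"]
---aB1cD2eF---Z--
---gH3iJ4kL---A--
[10/Mar/2024:12:00:05 +0800] 171007200567.123456 198.51.100.7 40022 10.0.0.1 80
---gH3iJ4kL---H--
ModSecurity: Warning. Matched "Operator `Rx' ..." [id "920350"] [msg "Host header is a numeric IP address"] [severity "4"]
---gH3iJ4kL---Z--
---mN5oP6qR---A--
[10/Mar/2024:12:00:09 +0800] 171007200987.654321 203.0.113.5 51240 10.0.0.1 80
---mN5oP6qR---H--
ModSecurity: Warning. Matched "Operator `Rx' ..." [id "920350"] [msg "Host header is a numeric IP address"] [severity "4"]
ModSecurity: Warning. Matched "Operator `PmFromFile' ..." [id "913100"] [msg "Found User-Agent associated with security scanner"] [severity "2"]
ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Ge' ..." [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 8)"]
---mN5oP6qR---Z--
EOF
echo "rule hits:"; modsec_rule_counts "$SAMPLE_LOG"
echo "denied: $(modsec_denied_count "$SAMPLE_LOG")"
echo "clients:"; modsec_client_counts "$SAMPLE_LOG"
```

Run it against the rotated file as well as the live one after the first rotation: USR1 only makes Nginx reopen its own log files, so if audit entries keep landing in the rotated file, libmodsecurity is still writing through its old descriptor and the logrotate stanza above should use copytruncate instead.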
Since this was my first attempt at this installation and it was a bit bumpy, I am not entirely sure the steps above are organized correctly, so here is the complete execution record:
sudo yum-config-manager --add-repo=https://mirrors.aliyun.com/epel/8/Everything/x86_64/
sudo yum groupinstall -y "Development Tools"
sudo yum install -y wget git pcre-devel zlib-devel libxml2-devel \
curl-devel geoip-devel lmdb-devel yajl-devel ssdeep-devel \
doxygen libtool autoconf automake
# 1. Install geoip-devel
sudo yum install -y geoip-devel
# Download the stable release tarball
cd /usr/local/src
sudo wget https://github.com/SpiderLabs/ModSecurity/releases/download/v3.0.12/modsecurity-v3.0.12.tar.gz
sudo tar -xzf modsecurity-v3.0.12.tar.gz
sudo mv modsecurity-v3.0.12 ModSecurity
cd ModSecurity
cd /usr/local/src/ModSecurity
sudo git submodule init
sudo git submodule update
# If using the release tarball, skip the two submodule lines above
# Start the build
sudo sh build.sh
sudo ./configure
# Build (use all cores)
sudo make -j$(nproc)
# Install
sudo make install
# Check that libmodsecurity was installed
ls -l /usr/local/modsecurity/lib/libmodsecurity.so*
cd /usr/local/src
sudo wget https://github.com/SpiderLabs/ModSecurity-nginx/archive/refs/heads/master.zip
sudo unzip master.zip
sudo mv ModSecurity-nginx-master ModSecurity-nginx
cd /usr/local/src
sudo wget http://nginx.org/download/nginx-1.20.1.tar.gz
sudo tar -xzf nginx-1.20.1.tar.gz
cd nginx-1.20.1
# Show the current Nginx build parameters
nginx -V
cd /usr/local/src/nginx-1.20.1
# Reconfigure
sudo ./configure \
--prefix=/usr/share/nginx \
--sbin-path=/usr/sbin/nginx \
--modules-path=/usr/lib64/nginx/modules \
--conf-path=/etc/nginx/nginx.conf \
--error-log-path=/var/log/nginx/error.log \
--http-log-path=/var/log/nginx/access.log \
--http-client-body-temp-path=/var/lib/nginx/tmp/client_body \
--http-proxy-temp-path=/var/lib/nginx/tmp/proxy \
--http-fastcgi-temp-path=/var/lib/nginx/tmp/fastcgi \
--http-uwsgi-temp-path=/var/lib/nginx/tmp/uwsgi \
--http-scgi-temp-path=/var/lib/nginx/tmp/scgi \
--pid-path=/run/nginx.pid \
--lock-path=/run/lock/subsys/nginx \
--user=nginx \
--group=nginx \
--with-file-aio \
--with-ipv6 \
--with-http_ssl_module \
--with-http_v2_module \
--with-http_realip_module \
--with-stream_ssl_preread_module \
--with-http_addition_module \
--with-http_xslt_module=dynamic \
--with-http_image_filter_module=dynamic \
--with-http_sub_module \
--with-http_dav_module \
--with-http_flv_module \
--with-http_mp4_module \
--with-http_gunzip_module \
--with-http_gzip_static_module \
--with-http_random_index_module \
--with-http_secure_link_module \
--with-http_degradation_module \
--with-http_slice_module \
--with-http_stub_status_module \
--with-http_perl_module=dynamic \
--with-http_auth_request_module \
--with-mail=dynamic \
--with-mail_ssl_module \
--with-pcre \
--with-pcre-jit \
--with-stream=dynamic \
--with-stream_ssl_module \
--with-debug \
--with-cc-opt='-O2 -g -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS -fexceptions -fstack-protector-strong -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection -floop-unroll-and-jam -ftree-loop-distribution --param early-inlining-insns=160 --param inline-heuristics-hint-percent=800 --param inline-min-speedup=50 --param inline-unit-growth=256 --param max-average-unrolled-insns=500 --param max-completely-peel-times=32 --param max-completely-peeled-insns=800 --param max-inline-insns-auto=128 --param max-inline-insns-small=128 --param max-unroll-times=16 --param max-unrolled-insns=16 -O3' \
--with-compat \
--with-ld-opt='-Wl,-z,relro -Wl,-z,now -specs=/usr/lib/rpm/redhat/redhat-hardened-ld -Wl,-E' \
--add-dynamic-module=/usr/local/src/ModSecurity-nginx
# Build the module
sudo make modules
# Copy the module
sudo cp objs/ngx_http_modsecurity_module.so /usr/lib64/nginx/modules/
# Verify
ls -lh /usr/lib64/nginx/modules/ngx_http_modsecurity_module.so
cd /usr/local/src/nginx-1.20.1
sudo make modules
# Copy the ModSecurity module into the Nginx modules directory
sudo cp objs/ngx_http_modsecurity_module.so /usr/lib64/nginx/modules/
# Verify the module file
ls -lh /usr/lib64/nginx/modules/ngx_http_modsecurity_module.so
# Create the library path config file
sudo tee /etc/ld.so.conf.d/modsecurity.conf > /dev/null <<EOF
/usr/local/modsecurity/lib
EOF
# Refresh the linker cache
sudo ldconfig
# Verify the library is available
ldconfig -p | grep modsecurity
# 1. Build the module
cd /usr/local/src/nginx-1.20.1
sudo make modules
# 2. Copy the module
sudo cp objs/ngx_http_modsecurity_module.so /usr/lib64/nginx/modules/
# 3. Configure the library path
sudo bash -c 'echo "/usr/local/modsecurity/lib" > /etc/ld.so.conf.d/modsecurity.conf'
sudo ldconfig
# 4. Verify
ls -lh /usr/lib64/nginx/modules/ngx_http_modsecurity_module.so
ldconfig -p | grep modsecurity
# Create the ModSecurity config directory
sudo mkdir -p /etc/nginx/modsec
# Copy the recommended config files
sudo cp /usr/local/src/ModSecurity/modsecurity.conf-recommended /etc/nginx/modsec/modsecurity.conf
sudo cp /usr/local/src/ModSecurity/unicode.mapping /etc/nginx/modsec/
# Enable the rule engine (switch from detection-only to blocking mode)
sudo sed -i 's/SecRuleEngine DetectionOnly/SecRuleEngine On/' /etc/nginx/modsec/modsecurity.conf
# Configure the audit log path
sudo sed -i 's|^SecAuditLog .*|SecAuditLog /var/log/nginx/modsec_audit.log|' /etc/nginx/modsec/modsecurity.conf
# Make sure the audit log file exists and is owned by nginx
sudo touch /var/log/nginx/modsec_audit.log
sudo chown nginx:nginx /var/log/nginx/modsec_audit.log
cd /etc/nginx/modsec
sudo wget https://github.com/coreruleset/coreruleset/archive/refs/tags/v4.0.0.tar.gz
sudo tar -xzf v4.0.0.tar.gz
sudo mv coreruleset-4.0.0 coreruleset
cd /etc/nginx/modsec/coreruleset
sudo cp crs-setup.conf.example crs-setup.conf
sudo tee /etc/nginx/modsec/main.conf > /dev/null <<'EOF'
# Load the ModSecurity core configuration
Include /etc/nginx/modsec/modsecurity.conf
# Load the OWASP CRS configuration
Include /etc/nginx/modsec/coreruleset/crs-setup.conf
# Load the CRS rules
Include /etc/nginx/modsec/coreruleset/rules/*.conf
EOF
# Check the main config file
cat /etc/nginx/modsec/main.conf
# Check that the rule files exist
ls -lh /etc/nginx/modsec/coreruleset/rules/*.conf | head -5
sudo cp /etc/nginx/nginx.conf /etc/nginx/nginx.conf.backup.$(date +%F_%H%M%S)
Add the following at the very top (first line) of /etc/nginx/nginx.conf:
load_module modules/ngx_http_modsecurity_module.so;
Enable ModSecurity in the configuration of each site that needs protection, for example:
server {
listen 80;
server_name your_domain.com; # change to your domain
# Enable ModSecurity
modsecurity on;
modsecurity_rules_file /etc/nginx/modsec/main.conf;
location / {
root /usr/share/nginx/html;
index index.html index.htm;
}
# other configuration...
}
Test:
sudo nginx -t
sudo systemctl restart nginx
sudo systemctl status nginx
# Check the error log
sudo tail -20 /var/log/nginx/error.log
# You should see log lines similar to:
# ModSecurity: StatusEngine call: "modsecurity.conf" ...
# ModSecurity: Loaded XX rules