thr3ads.net - freebsd stable - Issue with mod

If this information is useful, please help other people find it:
Share via:

SoftwareInforJam

2019-Jan-23 00:18 UTC

Issue with mod_security3

Well I am making some progress I guess. Now modsecurity is installed and not
orphaned. My challenge now is that I have been reading several documents and all
of them say I need to add the following to nginx.conf

load_module modules/ngx_http_modsecurity.so;

My challenge now is I can?t seem to find this module anywhere. I am not sure
what to do now. Isn?t this module needed for this to work?

root at proxy:/usr/local/etc/nginx # find / -name
"ngx_http_modsecurity*"
/usr/ports/www/nginx/work/nginx-1.14.2/objs/addon/src/ngx_http_modsecurity_body_filter.o
/usr/ports/www/nginx/work/nginx-1.14.2/objs/addon/src/ngx_http_modsecurity_rewrite.o
/usr/ports/www/nginx/work/nginx-1.14.2/objs/addon/src/ngx_http_modsecurity_log.o
/usr/ports/www/nginx/work/nginx-1.14.2/objs/addon/src/ngx_http_modsecurity_pre_access.o
/usr/ports/www/nginx/work/nginx-1.14.2/objs/addon/src/ngx_http_modsecurity_header_filter.o
/usr/ports/www/nginx/work/nginx-1.14.2/objs/addon/src/ngx_http_modsecurity_module.o
/usr/ports/www/nginx/work/ModSecurity-nginx-71ede63/src/ngx_http_modsecurity_body_filter.c
/usr/ports/www/nginx/work/ModSecurity-nginx-71ede63/src/ngx_http_modsecurity_common.h
/usr/ports/www/nginx/work/ModSecurity-nginx-71ede63/src/ngx_http_modsecurity_header_filter.c
/usr/ports/www/nginx/work/ModSecurity-nginx-71ede63/src/ngx_http_modsecurity_log.c
/usr/ports/www/nginx/work/ModSecurity-nginx-71ede63/src/ngx_http_modsecurity_module.c
/usr/ports/www/nginx/work/ModSecurity-nginx-71ede63/src/ngx_http_modsecurity_pre_access.c
/usr/ports/www/nginx/work/ModSecurity-nginx-71ede63/src/ngx_http_modsecurity_rewrite.c



Sent from Mail for Windows 10

From: SoftwareInforJam
Sent: Tuesday, January 22, 2019 2:14 PM
To: Gregory Byshenk; freebsd-stable at freebsd.org
Subject: RE: Issue with mod_security3

Ah. Got that. Thank you. I had just assumed that the name would be the same as
the name of the port. I am going to try again. Thanks again.


Sent from Mail for Windows 10

From: Gregory Byshenk
Sent: Tuesday, January 22, 2019 1:54 PM
To: freebsd-stable at freebsd.org; SoftwareInforJam
Subject: Re: Issue with mod_security3

On Tue, Jan 22, 2019 at 11:29:01AM -0500, SoftwareInforJam wrote:
> I am have a queer problem with the port mod_security3. I
> actually want to set it up to work with NGINX. The port
> /usr/ports/www/mod_security3 exists but when I do a 
> # pkg install mod_security3 
> I get 
> ???pkg: No packages available to install matching 'mod_security3'
> have been found in the repositories???
> 
> When I do a pkg search ???mod_security*??? only
> ap24-mod_security-2.9.2_3 Intrusion detection and prevention
> engine. So only version 2.9 shows up. Not sure why this is
> happening. Can anyone shed some light on this please?
I'm no expert on mod_security, but my guess, based on reading
https://www.linuxjournal.com/content/modsecurity-and-nginx,
is that previous (to v3) versions of mod_security worked
_only_ with apache.

And it seems likely that the port has not yet been updated to
the newest v3.

Also based on the article, it seems that getting even mod_security
v3 to work with nginx is slightly complicated, as building it
depends on the specific version of nginx that is installed.

-- 
gregory byshenk? -? gbyshenk at byshenk.net? -? Leiden, NL

Matt Garber

2019-Jan-23 00:59 UTC

head link

Issue with mod_security3

> On Jan 22, 2019, at 7:18 PM, SoftwareInforJam <softwareinforjam at
gmail.com> wrote:
> 
> Well I am making some progress I guess. Now modsecurity is installed and
not orphaned. My challenge now is that I have been reading several documents and
all of them say I need to add the following to nginx.conf
> 
> load_module modules/ngx_http_modsecurity.so;
> 
> My challenge now is I can?t seem to find this module anywhere. I am not
sure what to do now. Isn?t this module needed for this to work?
> 
> root at proxy:/usr/local/etc/nginx # find / -name
"ngx_http_modsecurity*"
>
/usr/ports/www/nginx/work/nginx-1.14.2/objs/addon/src/ngx_http_modsecurity_body_filter.o
>
/usr/ports/www/nginx/work/nginx-1.14.2/objs/addon/src/ngx_http_modsecurity_rewrite.o
>
/usr/ports/www/nginx/work/nginx-1.14.2/objs/addon/src/ngx_http_modsecurity_log.o
>
/usr/ports/www/nginx/work/nginx-1.14.2/objs/addon/src/ngx_http_modsecurity_pre_access.o
>
/usr/ports/www/nginx/work/nginx-1.14.2/objs/addon/src/ngx_http_modsecurity_header_filter.o
>
/usr/ports/www/nginx/work/nginx-1.14.2/objs/addon/src/ngx_http_modsecurity_module.o
>
/usr/ports/www/nginx/work/ModSecurity-nginx-71ede63/src/ngx_http_modsecurity_body_filter.c
>
/usr/ports/www/nginx/work/ModSecurity-nginx-71ede63/src/ngx_http_modsecurity_common.h
>
/usr/ports/www/nginx/work/ModSecurity-nginx-71ede63/src/ngx_http_modsecurity_header_filter.c
>
/usr/ports/www/nginx/work/ModSecurity-nginx-71ede63/src/ngx_http_modsecurity_log.c
>
/usr/ports/www/nginx/work/ModSecurity-nginx-71ede63/src/ngx_http_modsecurity_module.c
>
/usr/ports/www/nginx/work/ModSecurity-nginx-71ede63/src/ngx_http_modsecurity_pre_access.c
>
/usr/ports/www/nginx/work/ModSecurity-nginx-71ede63/src/ngx_http_modsecurity_rewrite.c
Here are the steps I just followed successfully in a test jail ? a mix of
packages (modsecurity3) and the source for nginx and the ModSecurity3-nginx
connector; the ?modsecurity3? package installs the shared library (e.g.,
/usr/local/lib/libmodsecurity.so.3.0.3), but doesn?t install the nginx
connector. If the nginx port doesn?t have a make option for the connector, you
might have to either hack the port or just compile from source like I did:

-----
Very simplified, single jail
-----


1. Install the modsecurity3 library package and git for cloning the
ModSecurity-nginx repo:

# pkg install modsecurity3 git


2. Grab the latest nginx source and ModSecurity-nginx repo:

$ fetch 'http://nginx.org/download/nginx-1.14.2.tar.gz'
$ tar -zxvf nginx-1.14.2.tar.gz
$ git clone --depth 1 https://github.com/SpiderLabs/ModSecurity-nginx.git
$ cd nginx-1.14.2


3. Compile nginx, adding support for the ModSecurity3-nginx connector as a
dynamic module. I?ve also added a variety of other FreeBSD-specific
configuration directives and/or compilation/linking hardening used by nginx
upstream in their Linux repositories:

$ ./configure --with-compat --add-dynamic-module=../ModSecurity-nginx
--prefix=/usr/local/etc/nginx --with-cc-opt='-g -O2 -fstack-protector-strong
-Wformat -Werror=format-security -fPIC -Wdate-time -D_FORTIFY_SOURCE=2 -I
/usr/local/include' --with-ld-opt='-Wl,-Bsymbolic-functions -Wl,-z,relro
-Wl,-z,now -fPIC -L /usr/local/lib'
--conf-path=/usr/local/etc/nginx/nginx.conf --sbin-path=/usr/local/sbin/nginx
--pid-path=/var/run/nginx.pid --error-log-path=/var/log/nginx/error.log
--user=www --group=www --modules-path=/usr/local/libexec/nginx --with-file-aio
--with-threads --without-mail_imap_module --without-mail_pop3_module
--without-mail_smtp_module --with-mail_ssl_module
--http-client-body-temp-path=/var/tmp/nginx/client_body_temp
--http-fastcgi-temp-path=/var/tmp/nginx/fastcgi_temp
--http-proxy-temp-path=/var/tmp/nginx/proxy_temp
--http-scgi-temp-path=/var/tmp/nginx/scgi_temp
--http-uwsgi-temp-path=/var/tmp/nginx/uwsgi_temp
--http-log-path=/var/log/nginx/access.log --with-http_addition_module
--with-http_auth_request_module --with-http_flv_module --with-http_gunzip_module
--with-http_gzip_static_module --with-http_random_index_module
--with-http_realip_module --with-pcre --with-http_secure_link_module
--with-http_slice_module --with-http_ssl_module --with-http_stub_status_module
--with-http_sub_module --with-http_v2_module --with-stream_ssl_module
--with-mail=dynamic --with-stream=dynamic

$ make
$ sudo make install


4. The above step should have created ngx_http_modsecurity_module.so under the
nginx source directory, and installed it into /usr/local/libexec/nginx, at which
point the load_module directive in the nginx configuration should work fine, and
you can move on to ruleset configuration. FYI, all of the above just follows the
~second half of
<https://www.nginx.com/blog/compiling-and-installing-modsecurity-for-open-source-nginx/>,
after taking care of the prerequisites with FreeBSD packages instead. Like I
said, you could probably relatively easily hack the nginx port to add in the
integration of ModSecurity3-nginx if you care about that more than keeping
up-to-date with nginx source separately, but then you?d have to avoid
overwriting the port ? YMMV.


Thanks,
?
Matt Garber

freebsd stable - Jan 2019 - Issue with mod_security3

Issue with mod_security3

Issue with mod_security3