> On Jan 22, 2019, at 7:18 PM, SoftwareInforJam <softwareinfor...@gmail.com> > wrote: > > Well I am making some progress I guess. Now modsecurity is installed and not > orphaned. My challenge now is that I have been reading several documents and > all of them say I need to add the following to nginx.conf > > load_module modules/ngx_http_modsecurity.so; > > My challenge now is I can’t seem to find this module anywhere. I am not sure > what to do now. Isn’t this module needed for this to work? > > root@proxy:/usr/local/etc/nginx # find / -name "ngx_http_modsecurity*" > /usr/ports/www/nginx/work/nginx-1.14.2/objs/addon/src/ngx_http_modsecurity_body_filter.o > /usr/ports/www/nginx/work/nginx-1.14.2/objs/addon/src/ngx_http_modsecurity_rewrite.o > /usr/ports/www/nginx/work/nginx-1.14.2/objs/addon/src/ngx_http_modsecurity_log.o > /usr/ports/www/nginx/work/nginx-1.14.2/objs/addon/src/ngx_http_modsecurity_pre_access.o > /usr/ports/www/nginx/work/nginx-1.14.2/objs/addon/src/ngx_http_modsecurity_header_filter.o > /usr/ports/www/nginx/work/nginx-1.14.2/objs/addon/src/ngx_http_modsecurity_module.o > /usr/ports/www/nginx/work/ModSecurity-nginx-71ede63/src/ngx_http_modsecurity_body_filter.c > /usr/ports/www/nginx/work/ModSecurity-nginx-71ede63/src/ngx_http_modsecurity_common.h > /usr/ports/www/nginx/work/ModSecurity-nginx-71ede63/src/ngx_http_modsecurity_header_filter.c > /usr/ports/www/nginx/work/ModSecurity-nginx-71ede63/src/ngx_http_modsecurity_log.c > /usr/ports/www/nginx/work/ModSecurity-nginx-71ede63/src/ngx_http_modsecurity_module.c > /usr/ports/www/nginx/work/ModSecurity-nginx-71ede63/src/ngx_http_modsecurity_pre_access.c > /usr/ports/www/nginx/work/ModSecurity-nginx-71ede63/src/ngx_http_modsecurity_rewrite.c
Here are the steps I just followed successfully in a test jail – a mix of packages (modsecurity3) and the source for nginx and the ModSecurity3-nginx connector; the ‘modsecurity3’ package installs the shared library (e.g., /usr/local/lib/libmodsecurity.so.3.0.3), but doesn’t install the nginx connector. If the nginx port doesn’t have a make option for the connector, you might have to either hack the port or just compile from source like I did: ----- Very simplified, single jail ----- 1. Install the modsecurity3 library package and git for cloning the ModSecurity-nginx repo: # pkg install modsecurity3 git 2. Grab the latest nginx source and ModSecurity-nginx repo: $ fetch 'http://nginx.org/download/nginx-1.14.2.tar.gz' $ tar -zxvf nginx-1.14.2.tar.gz $ git clone --depth 1 https://github.com/SpiderLabs/ModSecurity-nginx.git $ cd nginx-1.14.2 3. Compile nginx, adding support for the ModSecurity3-nginx connector as a dynamic module. I’ve also added a variety of other FreeBSD-specific configuration directives and/or compilation/linking hardening used by nginx upstream in their Linux repositories: $ ./configure --with-compat --add-dynamic-module=../ModSecurity-nginx --prefix=/usr/local/etc/nginx --with-cc-opt='-g -O2 -fstack-protector-strong -Wformat -Werror=format-security -fPIC -Wdate-time -D_FORTIFY_SOURCE=2 -I /usr/local/include' --with-ld-opt='-Wl,-Bsymbolic-functions -Wl,-z,relro -Wl,-z,now -fPIC -L /usr/local/lib' --conf-path=/usr/local/etc/nginx/nginx.conf --sbin-path=/usr/local/sbin/nginx --pid-path=/var/run/nginx.pid --error-log-path=/var/log/nginx/error.log --user=www --group=www --modules-path=/usr/local/libexec/nginx --with-file-aio --with-threads --without-mail_imap_module --without-mail_pop3_module --without-mail_smtp_module --with-mail_ssl_module --http-client-body-temp-path=/var/tmp/nginx/client_body_temp --http-fastcgi-temp-path=/var/tmp/nginx/fastcgi_temp --http-proxy-temp-path=/var/tmp/nginx/proxy_temp --http-scgi-temp-path=/var/tmp/nginx/scgi_temp --http-uwsgi-temp-path=/var/tmp/nginx/uwsgi_temp --http-log-path=/var/log/nginx/access.log --with-http_addition_module --with-http_auth_request_module --with-http_flv_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_random_index_module --with-http_realip_module --with-pcre --with-http_secure_link_module --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --with-http_v2_module --with-stream_ssl_module --with-mail=dynamic --with-stream=dynamic $ make $ sudo make install 4. The above step should have created ngx_http_modsecurity_module.so under the nginx source directory, and installed it into /usr/local/libexec/nginx, at which point the load_module directive in the nginx configuration should work fine, and you can move on to ruleset configuration. FYI, all of the above just follows the ~second half of <https://www.nginx.com/blog/compiling-and-installing-modsecurity-for-open-source-nginx/>, after taking care of the prerequisites with FreeBSD packages instead. Like I said, you could probably relatively easily hack the nginx port to add in the integration of ModSecurity3-nginx if you care about that more than keeping up-to-date with nginx source separately, but then you’d have to avoid overwriting the port – YMMV. Thanks, — Matt Garber _______________________________________________ freebsd-stable@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/freebsd-stable To unsubscribe, send any mail to "freebsd-stable-unsubscr...@freebsd.org"
