https://wiki.ixheim.de/index.php?action=history&feed=atom&title=Nginx_mit_Modsecurity_Erweitert 2026-06-29T06:43:58Z Versionsgeschichte dieser Seite in Xinux Wiki MediaWiki 1.35.1 https://wiki.ixheim.de/index.php?title=Nginx_mit_Modsecurity_Erweitert&diff=64009&oldid=prev 2025-07-25T15:19:55Z

<p><span dir="auto"><span class="autocomment">NGINX Site-Konfiguration (/etc/nginx/sites-available/default)</span></span></p> <table class="diff diff-contentalign-left diff-editfont-monospace" data-mw="interface"> <col class="diff-marker" /> <col class="diff-content" /> <col class="diff-marker" /> <col class="diff-content" /> <tr class="diff-title" lang="de"> <td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">← Nächstältere Version</td> <td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">Version vom 25. Juli 2025, 15:19 Uhr</td> </tr><tr><td colspan="2" class="diff-lineno" id="mw-diff-left-l53" >Zeile 53:</td> <td colspan="2" class="diff-lineno">Zeile 53:</td></tr> <tr><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;</div></td><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;</div></td></tr> <tr><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>     }</div></td><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>     }</div></td></tr> <tr><td class='diff-marker'>−</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div><del style="font-weight: bold; text-decoration: none;"></del></div></td><td colspan="2"> </td></tr> <tr><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>     location /_waflog {</div></td><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>     location /_waflog {</div></td></tr> <tr><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>         alias /var/log/nginx/modsec_audit.log;</div></td><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>         alias /var/log/nginx/modsec_audit.log;</div></td></tr> <tr><td class='diff-marker'>−</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>         <del class="diffchange diffchange-inline">allow 192.168.178.0</del>/<del class="diffchange diffchange-inline">24</del>;</div></td><td class='diff-marker'>+</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>         <ins class="diffchange diffchange-inline">types { }</ins></div></td></tr> <tr><td class='diff-marker'>−</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>         <del class="diffchange diffchange-inline">deny all</del>;</div></td><td class='diff-marker'>+</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins class="diffchange diffchange-inline">        default_type text</ins>/<ins class="diffchange diffchange-inline">plain</ins>;</div></td></tr> <tr><td class='diff-marker'>−</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div><del class="diffchange diffchange-inline">    </del>}</div></td><td class='diff-marker'>+</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div> </div></td></tr> <tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>         <ins class="diffchange diffchange-inline">auth_basic &quot;ModSecurity Auditlog&quot;;</ins></div></td></tr> <tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins class="diffchange diffchange-inline">        auth_basic_user_file /etc/nginx/.htpasswd</ins>;</div></td></tr> <tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>}</div></td></tr> <tr><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>}</div></td><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>}</div></td></tr> <tr><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>&lt;/pre&gt;</div></td><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>&lt;/pre&gt;</div></td></tr> </table>

Thomas.will https://wiki.ixheim.de/index.php?title=Nginx_mit_Modsecurity_Erweitert&diff=64008&oldid=prev 2025-07-25T15:02:13Z

<p>Die Seite wurde neu angelegt: „= NGINX + ModSecurity (v3) als Reverse Proxy mit OWASP CRS = Diese Konfiguration stellt einen TLS-gesicherten Reverse-Proxy mit aktiver ModSecurity-WAF und OW…“</p> <p><b>Neue Seite</b></p><div>= NGINX + ModSecurity (v3) als Reverse Proxy mit OWASP CRS =<br /> <br /> Diese Konfiguration stellt einen TLS-gesicherten Reverse-Proxy mit aktiver ModSecurity-WAF und OWASP CRS bereit. Ziel ist die Absicherung von Backend-Webdiensten, ergänzt durch Logging und optionale Anzeige des Audit-Logs im Browser.<br /> <br /> == Struktur ==<br /> * TLS-Zertifikate aus interner CA (crt.pem, privkey.pem, ca.crt)<br /> * Reverse Proxy auf Port 443 → Ziel: http://192.168.178.66<br /> * Weiterleitung von HTTP auf HTTPS<br /> * Logging ins access.log + modsec_audit.log + modsec_debug.log<br /> * OWASP Core Rule Set aktiviert<br /> * Beispielregel zur Erkennung von `&lt;script&gt;` im Query<br /> <br /> == NGINX Site-Konfiguration (/etc/nginx/sites-available/default) ==<br /> &lt;pre&gt;<br /> # HTTP → HTTPS Redirect<br /> server {<br /> listen 80;<br /> server_name localhost;<br /> return 301 https://$host$request_uri;<br /> }<br /> <br /> # HTTPS-Server mit TLS-Zertifikat und ModSecurity<br /> server {<br /> listen 443 ssl;<br /> server_name localhost;<br /> <br /> ssl_certificate /etc/nginx/crt.pem;<br /> ssl_certificate_key /etc/nginx/privkey.pem;<br /> ssl_client_certificate /etc/nginx/ca.crt;<br /> <br /> ssl_protocols TLSv1.2 TLSv1.3;<br /> ssl_prefer_server_ciphers on;<br /> ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384';<br /> <br /> access_log /var/log/nginx/access.log waf_combined;<br /> error_log /var/log/nginx/error.log warn;<br /> <br /> add_header Strict-Transport-Security &quot;max-age=31536000; includeSubDomains&quot; always;<br /> add_header Cache-Control &quot;no-store, no-cache, must-revalidate&quot;;<br /> <br /> error_page 403 /403.html;<br /> location = /403.html {<br /> root /var/www/html;<br /> internal;<br /> }<br /> <br /> include /etc/nginx/modsec/main.conf;<br /> <br /> location / {<br /> proxy_pass http://192.168.178.66;<br /> proxy_set_header Host $host;<br /> proxy_set_header X-Real-IP $remote_addr;<br /> proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;<br /> }<br /> <br /> location /_waflog {<br /> alias /var/log/nginx/modsec_audit.log;<br /> allow 192.168.178.0/24;<br /> deny all;<br /> }<br /> }<br /> &lt;/pre&gt;<br /> <br /> == ModSecurity-Konfiguration (/etc/nginx/modsec/modsecurity.conf) ==<br /> &lt;pre&gt;<br /> SecRuleEngine On<br /> SecRequestBodyAccess On<br /> SecResponseBodyAccess Off<br /> <br /> SecAuditEngine RelevantOnly<br /> SecAuditLog /var/log/nginx/modsec_audit.log<br /> SecAuditLogParts ABIJDEFHZ<br /> <br /> SecDebugLog /var/log/nginx/modsec_debug.log<br /> SecDebugLogLevel 3<br /> <br /> SecTmpDir /tmp/<br /> SecDataDir /tmp/<br /> <br /> SecRule ARGS &quot;@contains script&quot; \<br /> &quot;id:9999,phase:1,deny,log,status:403,msg:'Test rule triggered'&quot;<br /> <br /> Include /etc/nginx/modsec/coreruleset/crs-setup.conf<br /> Include /etc/nginx/modsec/coreruleset/rules/*.conf<br /> &lt;/pre&gt;<br /> <br /> == Erweitertes Logging (in nginx.conf einfügen) ==<br /> &lt;pre&gt;<br /> log_format waf_combined '$remote_addr - $remote_user [$time_local] '<br /> '&quot;$request&quot; $status $body_bytes_sent '<br /> '&quot;$http_referer&quot; &quot;$http_user_agent&quot; '<br /> 'ModSecID=$request_id Host=&quot;$host&quot; URI=&quot;$request_uri&quot;';<br /> &lt;/pre&gt;<br /> <br /> == Rechte und Dateianlage für Logs ==<br /> &lt;pre&gt;<br /> touch /var/log/nginx/modsec_audit.log /var/log/nginx/modsec_debug.log<br /> chown www-data:www-data /var/log/nginx/modsec_*.log<br /> chmod 640 /var/log/nginx/modsec_*.log<br /> &lt;/pre&gt;<br /> <br /> == Aktivierung ==<br /> &lt;pre&gt;<br /> ln -sf /etc/nginx/sites-available/default /etc/nginx/sites-enabled/default<br /> nginx -t &amp;&amp; systemctl reload nginx<br /> &lt;/pre&gt;<br /> <br /> == Hinweise ==<br /> * Die Audit-Log-Datei kann über `/waflog` im Browser angezeigt werden (intern erlaubt).<br /> * Der `crs-setup.conf` definiert Schwellenwerte, Paranoia-Level und Variablenkontrolle.<br /> * Die Regeln befinden sich unter: `/etc/nginx/modsec/coreruleset/rules/`<br /> * ModSecurity greift nur, wenn `include /etc/nginx/modsec/main.conf` gesetzt ist.<br /> <br /> [[KATEGORIE:WAF]]</div>

Thomas.will