https://wiki.ixheim.de/index.php?action=history&feed=atom&title=Nginx_mit_Modsecurity_Rocky
Nginx mit Modsecurity Rocky - Versionsgeschichte
2026-06-29T11:36:27Z
Versionsgeschichte dieser Seite in Xinux Wiki
MediaWiki 1.35.1
https://wiki.ixheim.de/index.php?title=Nginx_mit_Modsecurity_Rocky&diff=69411&oldid=prev
Thomas.will: /* Start & Test */
2026-05-04T07:28:35Z
<p><span dir="auto"><span class="autocomment">Start & Test</span></span></p>
<table class="diff diff-contentalign-left diff-editfont-monospace" data-mw="interface">
<col class="diff-marker" />
<col class="diff-content" />
<col class="diff-marker" />
<col class="diff-content" />
<tr class="diff-title" lang="de">
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">← Nächstältere Version</td>
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">Version vom 4. Mai 2026, 07:28 Uhr</td>
</tr><tr><td colspan="2" class="diff-lineno" id="mw-diff-left-l156" >Zeile 156:</td>
<td colspan="2" class="diff-lineno">Zeile 156:</td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div> sudo systemctl enable --now nginx</div></td><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div> sudo systemctl enable --now nginx</div></td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"></td><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"></td></tr>
<tr><td class='diff-marker'>−</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div># Test-Backend</div></td><td class='diff-marker'>+</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins class="diffchange diffchange-inline"> </ins># Test-Backend</div></td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div> python3 -m http.server 8080 &</div></td><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div> python3 -m http.server 8080 &</div></td></tr>
<tr><td class='diff-marker'>−</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div># Abruf</div></td><td class='diff-marker'>+</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins class="diffchange diffchange-inline"> </ins># Abruf</div></td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div> curl -k https://localhost/</div></td><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div> curl -k https://localhost/</div></td></tr>
<tr><td class='diff-marker'>−</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div># Block-Test</div></td><td class='diff-marker'>+</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins class="diffchange diffchange-inline"> </ins># Block-Test</div></td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div> curl -k "https://localhost/?param=<script>alert(1)</script>" -I</div></td><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div> curl -k "https://localhost/?param=<script>alert(1)</script>" -I</div></td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"></td><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"></td></tr>
<tr><td class='diff-marker'>−</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div># Logs verfolgen</div></td><td class='diff-marker'>+</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins class="diffchange diffchange-inline"> </ins># Logs verfolgen</div></td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div> sudo tail -f /var/log/nginx/modsec_audit.log /var/log/nginx/error.log</div></td><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div> sudo tail -f /var/log/nginx/modsec_audit.log /var/log/nginx/error.log</div></td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"></td><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"></td></tr>
</table>
Thomas.will
https://wiki.ixheim.de/index.php?title=Nginx_mit_Modsecurity_Rocky&diff=64415&oldid=prev
Thomas.will: Die Seite wurde neu angelegt: „= NGINX + ModSecurity v3 + OWASP CRS auf Rocky Linux (RHEL-kompatibel) = == Voraussetzungen == * Rocky Linux 8/9 (SELinux enforcing möglich) * Backend-Dienst…“
2025-08-23T17:31:27Z
<p>Die Seite wurde neu angelegt: „= NGINX + ModSecurity v3 + OWASP CRS auf Rocky Linux (RHEL-kompatibel) = == Voraussetzungen == * Rocky Linux 8/9 (SELinux enforcing möglich) * Backend-Dienst…“</p>
<p><b>Neue Seite</b></p><div>= NGINX + ModSecurity v3 + OWASP CRS auf Rocky Linux (RHEL-kompatibel) =<br />
<br />
== Voraussetzungen ==<br />
* Rocky Linux 8/9 (SELinux enforcing möglich)<br />
* Backend-Dienst (z. B. http://127.0.0.1:8080)<br />
* TLS-Dateien: /etc/nginx/crt.pem, /etc/nginx/privkey.pem, optional /etc/nginx/ca.crt<br />
<br />
== Repos aktivieren ==<br />
sudo dnf install -y epel-release<br />
# (Rocky 9) CRB einschalten, (Rocky 8) PowerTools:<br />
sudo dnf config-manager --set-enabled crb || sudo dnf config-manager --set-enabled powertools<br />
<br />
== Pakete installieren ==<br />
sudo dnf install -y nginx modsecurity libmodsecurity nginx-mod-modsecurity git httpd-tools<br />
<br />
== Verzeichnisstruktur ==<br />
sudo mkdir -p /etc/nginx/modsec<br />
<br />
== OWASP CRS installieren ==<br />
cd /etc/nginx/modsec<br />
sudo git clone https://github.com/coreruleset/coreruleset.git<br />
sudo cp coreruleset/crs-setup.conf.example coreruleset/crs-setup.conf<br />
<br />
== ModSecurity-Basisconfig ==<br />
sudo tee /etc/nginx/modsec/modsecurity.conf >/dev/null <<'EOF'<br />
SecRuleEngine On<br />
SecRequestBodyAccess On<br />
SecResponseBodyAccess Off<br />
<br />
SecAuditEngine RelevantOnly<br />
SecAuditLog /var/log/nginx/modsec_audit.log<br />
SecAuditLogParts ABIJDEFHZ<br />
<br />
SecDebugLog /var/log/nginx/modsec_debug.log<br />
SecDebugLogLevel 3<br />
<br />
SecTmpDir /tmp/<br />
SecDataDir /tmp/<br />
<br />
# Testregel (optional)<br />
SecRule ARGS "@contains script" "id:9999,phase:1,deny,log,status:403,msg:'Test rule triggered'"<br />
<br />
# OWASP CRS<br />
Include /etc/nginx/modsec/coreruleset/crs-setup.conf<br />
Include /etc/nginx/modsec/coreruleset/rules/*.conf<br />
EOF<br />
<br />
== NGINX-ModSecurity-Snippet ==<br />
sudo tee /etc/nginx/modsec/main.conf >/dev/null <<'EOF'<br />
modsecurity on;<br />
modsecurity_rules_file /etc/nginx/modsec/modsecurity.conf;<br />
EOF<br />
<br />
== NGINX Modul laden (wichtig auf Rocky) ==<br />
# In /etc/nginx/nginx.conf ganz oben NACH "user" und VOR "events" einfügen:<br />
load_module modules/ngx_http_modsecurity_module.so;<br />
<br />
# Zusätzlich im http{}-Block das Logformat ergänzen (siehe "Logging")<br />
<br />
== Site-Config (/etc/nginx/conf.d/waf.conf) ==<br />
sudo tee /etc/nginx/conf.d/waf.conf >/dev/null <<'EOF'<br />
# HTTP → HTTPS Redirect<br />
server {<br />
listen 80;<br />
server_name _;<br />
return 301 https://$host$request_uri;<br />
}<br />
<br />
# HTTPS mit ModSecurity<br />
server {<br />
listen 443 ssl;<br />
server_name _;<br />
<br />
ssl_certificate /etc/nginx/crt.pem;<br />
ssl_certificate_key /etc/nginx/privkey.pem;<br />
# Nur wenn mTLS gewünscht:<br />
# ssl_client_certificate /etc/nginx/ca.crt;<br />
<br />
ssl_protocols TLSv1.2 TLSv1.3;<br />
ssl_prefer_server_ciphers on;<br />
ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384';<br />
<br />
access_log /var/log/nginx/access.log waf_combined;<br />
error_log /var/log/nginx/error.log warn;<br />
<br />
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;<br />
add_header Cache-Control "no-store, no-cache, must-revalidate";<br />
<br />
error_page 403 /403.html;<br />
location = /403.html {<br />
root /usr/share/nginx/html;<br />
internal;<br />
}<br />
<br />
include /etc/nginx/modsec/main.conf;<br />
<br />
location / {<br />
proxy_pass http://127.0.0.1:8080;<br />
proxy_set_header Host $host;<br />
proxy_set_header X-Real-IP $remote_addr;<br />
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;<br />
}<br />
<br />
# Optional: Audit-Log im Browser (Basic-Auth)<br />
location /_waflog {<br />
alias /var/log/nginx/modsec_audit.log;<br />
types { }<br />
default_type text/plain;<br />
<br />
auth_basic "ModSecurity Auditlog";<br />
auth_basic_user_file /etc/nginx/.htpasswd;<br />
}<br />
}<br />
EOF<br />
<br />
== Fehlerseite (optional) ==<br />
sudo tee /usr/share/nginx/html/403.html >/dev/null <<'EOF'<br />
<html><br />
<head><title>403 Forbidden</title></head><br />
<body><br />
<h1>Oops! Zugriff verweigert</h1><br />
<p>Deine Anfrage wurde von der Web Application Firewall blockiert.</p><br />
</body><br />
</html><br />
EOF<br />
<br />
== Logging (in /etc/nginx/nginx.conf, im http{}-Block) ==<br />
# In den http-Block einfügen:<br />
log_format waf_combined '$remote_addr - $remote_user [$time_local] '<br />
'"$request" $status $body_bytes_sent '<br />
'"$http_referer" "$http_user_agent" '<br />
'ModSecID=$request_id Host="$host" URI="$request_uri"';<br />
<br />
== Logdateien anlegen und Rechte ==<br />
sudo touch /var/log/nginx/modsec_audit.log /var/log/nginx/modsec_debug.log<br />
sudo chown nginx:nginx /var/log/nginx/modsec_*.log<br />
sudo chmod 640 /var/log/nginx/modsec_*.log<br />
<br />
== Basic-Auth für /_waflog (optional) ==<br />
sudo htpasswd -c /etc/nginx/.htpasswd admin<br />
<br />
== SELinux (empfohlen statt Abschalten) ==<br />
# NGINX darf zu Backends verbinden:<br />
sudo setsebool -P httpd_can_network_connect 1<br />
# Wenn Logs unter /var/log/nginx bleiben, passt der Kontext. Bei eigenen Pfaden ggf.:<br />
# sudo semanage fcontext -a -t httpd_log_t "/var/log/nginx(/.*)?"<br />
# sudo restorecon -Rv /var/log/nginx<br />
<br />
== Firewall (Firewalld) ==<br />
sudo firewall-cmd --permanent --add-service=https<br />
sudo firewall-cmd --permanent --add-service=http<br />
sudo firewall-cmd --reload<br />
<br />
== Start & Test ==<br />
sudo nginx -t<br />
sudo systemctl enable --now nginx<br />
<br />
# Test-Backend<br />
python3 -m http.server 8080 &<br />
# Abruf<br />
curl -k https://localhost/<br />
# Block-Test<br />
curl -k "https://localhost/?param=<script>alert(1)</script>" -I<br />
<br />
# Logs verfolgen<br />
sudo tail -f /var/log/nginx/modsec_audit.log /var/log/nginx/error.log<br />
<br />
== Hinweise ==<br />
* crs-setup.conf definiert Paranoia-Level, Variablen und Schwellenwerte.<br />
* Regeln liegen unter /etc/nginx/modsec/coreruleset/rules/.<br />
* Zugriff auf /_waflog erlaubt Audit-Log-Ansicht im Browser (Basic-Auth).<br />
* ModSecurity greift nur, wenn include /etc/nginx/modsec/main.conf in der Server-Config enthalten ist.<br />
* Auf Rocky MUSS das Modul explizit via load_module modules/ngx_http_modsecurity_module.so; in nginx.conf geladen werden.<br />
<br />
[[KATEGORIE:WAF]]</div>
Thomas.will