Nginx mit Modsecurity: Unterschied zwischen den Versionen

Aus Xinux Wiki
Zur Navigation springen Zur Suche springen
 
(12 dazwischenliegende Versionen desselben Benutzers werden nicht angezeigt)
Zeile 18: Zeile 18:
 
<pre>
 
<pre>
 
# Aktivieren des ModSecurity-Engines
 
# Aktivieren des ModSecurity-Engines
 +
# -----------------------------
 +
# Grundkonfiguration
 +
# -----------------------------
 +
 
SecRuleEngine On
 
SecRuleEngine On
 +
SecRequestBodyAccess On
 +
SecResponseBodyAccess Off
  
# Audit-Log-Modus (nur für Tests, später evtl. RelevantOnly)
 
 
SecAuditEngine RelevantOnly
 
SecAuditEngine RelevantOnly
 +
SecAuditLog /var/log/nginx/modsec_audit.log
  
# Audit-Protokoll-Pfad
+
SecDebugLog /var/log/nginx/modsec_debug.log
SecAuditLog /var/log/nginx/modsec_audit.log
+
SecDebugLogLevel 0
  
# Speicherort für Zwischenregeln
 
 
SecTmpDir /tmp/
 
SecTmpDir /tmp/
 
SecDataDir /tmp/
 
SecDataDir /tmp/
  
# Basisregeln zulassen
+
# -----------------------------
SecRequestBodyAccess On
+
# Testregel (kann entfernt werden)
SecResponseBodyAccess Off
+
# -----------------------------
 +
SecRule ARGS "@contains script" "id:9999,phase:1,deny,log,status:403,msg:'Test rule triggered'"
  
# Logging
+
# -----------------------------
SecDebugLog /var/log/nginx/modsec_debug.log
+
# OWASP Core Rule Set (CRS)
SecDebugLogLevel 0
+
# -----------------------------
 +
Include /etc/nginx/modsec/coreruleset/crs-setup.conf
 +
Include /etc/nginx/modsec/coreruleset/rules/*.conf
  
# Empfohlene Defaults
 
SecRule ARGS "@rx attack" "id:1234,deny,status:403,msg:'Attack detected'"
 
 
</pre>
 
</pre>
  
Zeile 59: Zeile 65:
 
  modsecurity on;
 
  modsecurity on;
 
  modsecurity_rules_file /etc/nginx/modsec/modsecurity.conf;
 
  modsecurity_rules_file /etc/nginx/modsec/modsecurity.conf;
  include /etc/nginx/modsec/coreruleset/crs-setup.conf;
+
==Eventuell anpassen==
include /etc/nginx/modsec/coreruleset/rules/*.conf;
+
 
 +
  sudo nano /etc/nginx/modsec/modsecurity.conf
 +
 
 +
<pre>
 +
  GNU nano 7.2                                                                    /etc/nginx/modsec/modsecurity.conf                                                                             
 +
# Aktivieren des ModSecurity-Engines
 +
# -----------------------------
 +
# Grundkonfiguration
 +
# -----------------------------
 +
 
 +
SecRuleEngine On
 +
SecRequestBodyAccess On
 +
SecResponseBodyAccess Off
 +
 
 +
SecAuditEngine RelevantOnly
 +
SecAuditLog /var/log/nginx/modsec_audit.log
 +
SecAuditLogParts ABIJDEFHZ
 +
SecDebugLog /var/log/nginx/modsec_debug.log
 +
SecDebugLogLevel 3
 +
 
 +
SecTmpDir /tmp/
 +
SecDataDir /tmp/
 +
 
 +
# -----------------------------
 +
# Testregel (kann entfernt werden)
 +
# -----------------------------
 +
SecRule ARGS "@contains script" "id:9999,phase:1,deny,log,status:403,msg:'Test rule triggered'"
 +
 
 +
# -----------------------------
 +
# OWASP Core Rule Set (CRS)
 +
# -----------------------------
 +
Include /etc/nginx/modsec/coreruleset/crs-setup.conf
 +
Include /etc/nginx/modsec/coreruleset/rules/*.conf
 +
</pre>
  
 
== Reverse Proxy konfigurieren ==
 
== Reverse Proxy konfigurieren ==
 
* Standard-VHost ersetzen
 
* Standard-VHost ersetzen
  sudo nano /etc/nginx/sites-available/default
+
  sudo vim /etc/nginx/sites-available/default
  
 
* Inhalt:
 
* Inhalt:
server {
+
<pre>
    listen 80;
+
# HTTP → HTTPS Redirect
    server_name localhost;
+
server {
+
    listen 80;
    include /etc/nginx/modsec/main.conf;
+
    server_name localhost;
+
    return 301 https://;
    location / {
+
}
        proxy_pass http://127.0.0.1:8080;
+
 
        proxy_set_header Host $host;
+
# HTTPS-Server mit TLS-Zertifikat
        proxy_set_header X-Real-IP $remote_addr;
+
server {
        proxy_set_header X-Forwarded-For  
+
    listen 443 ssl;
$proxy_add_x_forwarded_for;
+
    server_name localhost;
    }
+
 
  }
+
    ssl_certificate    /etc/nginx/crt.pem;
 +
    ssl_certificate_key /etc/nginx/privkey.pem;
 +
    ssl_client_certificate /etc/nginx/ca.crt;
 +
 
 +
    # Optional: Client-CA-Zertifikat zur Authentifizierung (falls benötigt)
 +
    # ssl_client_certificate /etc/nginx/ssl/ca.crt;
 +
    # ssl_verify_client optional;
 +
 
 +
    error_page 403 /403.html;
 +
    location = /403.html {
 +
        root /var/www/html;
 +
        internal;
 +
    }
 +
 
 +
    include /etc/nginx/modsec/main.conf;
 +
 
 +
    location / {
 +
        proxy_pass http://192.168.178.66;
 +
        proxy_set_header Host $host;
 +
        proxy_set_header X-Real-IP $remote_addr;
 +
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
 +
    }
 +
}
 +
 
 +
</pre>
 +
 
 +
 
 +
*Fehler Anzeige erstellen.
 +
vi  /var/www/html/403.html
 +
<pre>
 +
<html>
 +
<head><title>403 Forbidden</title></head>
 +
<body>
 +
<h1>Oops! Zugriff verweigert</h1>
 +
<p>Deine Anfrage wurde von der Web Application Firewall blockiert.</p>
 +
</body>
 +
  </html>
 +
</pre>
  
 
== NGINX prüfen und neu laden ==
 
== NGINX prüfen und neu laden ==
Zeile 98: Zeile 174:
 
* Audit-Log (wenn aktiviert) prüfen:
 
* Audit-Log (wenn aktiviert) prüfen:
 
  /var/log/nginx/error.log
 
  /var/log/nginx/error.log
 +
 +
[[KATEGORIE:WAF]]

Aktuelle Version vom 25. Juli 2025, 14:59 Uhr

NGINX mit ModSecurity v3 und OWASP CRS als Reverse Proxy

Voraussetzungen

Installation

  • NGINX und ModSecurity installieren
sudo apt update
sudo apt install nginx libmodsecurity3 libnginx-mod-http-modsecurity git -y

ModSecurity aktivieren

  • Konfigurationsverzeichnis erstellen
sudo mkdir -p /etc/nginx/modsec
  • Standardkonfiguration erstellen
sudo vi /etc/nginx/modsec/modsecurity.conf

# Aktivieren des ModSecurity-Engines
# -----------------------------
# Grundkonfiguration
# -----------------------------

SecRuleEngine On
SecRequestBodyAccess On
SecResponseBodyAccess Off

SecAuditEngine RelevantOnly
SecAuditLog /var/log/nginx/modsec_audit.log

SecDebugLog /var/log/nginx/modsec_debug.log
SecDebugLogLevel 0

SecTmpDir /tmp/
SecDataDir /tmp/

# -----------------------------
# Testregel (kann entfernt werden)
# -----------------------------
SecRule ARGS "@contains script" "id:9999,phase:1,deny,log,status:403,msg:'Test rule triggered'"

# -----------------------------
# OWASP Core Rule Set (CRS)
# -----------------------------
Include /etc/nginx/modsec/coreruleset/crs-setup.conf
Include /etc/nginx/modsec/coreruleset/rules/*.conf

OWASP Core Rule Set installieren

  • In das ModSecurity-Verzeichnis wechseln
cd /etc/nginx/modsec
  • CRS klonen
sudo git clone https://github.com/coreruleset/coreruleset.git
  • Setup-Datei aktivieren
sudo cp coreruleset/crs-setup.conf.example coreruleset/crs-setup.conf

ModSecurity-Snippet erstellen

  • Konfigurationsdatei erstellen
sudo nano /etc/nginx/modsec/main.conf
  • Inhalt:
modsecurity on;
modsecurity_rules_file /etc/nginx/modsec/modsecurity.conf;

Eventuell anpassen

sudo nano /etc/nginx/modsec/modsecurity.conf

  GNU nano 7.2                                                                    /etc/nginx/modsec/modsecurity.conf                                                                              
# Aktivieren des ModSecurity-Engines
# -----------------------------
# Grundkonfiguration
# -----------------------------

SecRuleEngine On
SecRequestBodyAccess On
SecResponseBodyAccess Off

SecAuditEngine RelevantOnly
SecAuditLog /var/log/nginx/modsec_audit.log
SecAuditLogParts ABIJDEFHZ
SecDebugLog /var/log/nginx/modsec_debug.log
SecDebugLogLevel 3

SecTmpDir /tmp/
SecDataDir /tmp/

# -----------------------------
# Testregel (kann entfernt werden)
# -----------------------------
SecRule ARGS "@contains script" "id:9999,phase:1,deny,log,status:403,msg:'Test rule triggered'"

# -----------------------------
# OWASP Core Rule Set (CRS)
# -----------------------------
Include /etc/nginx/modsec/coreruleset/crs-setup.conf
Include /etc/nginx/modsec/coreruleset/rules/*.conf

Reverse Proxy konfigurieren

  • Standard-VHost ersetzen
sudo vim /etc/nginx/sites-available/default
  • Inhalt:
# HTTP → HTTPS Redirect
server {
    listen 80;
    server_name localhost;
    return 301 https://;
}

# HTTPS-Server mit TLS-Zertifikat
server {
    listen 443 ssl;
    server_name localhost;

    ssl_certificate     /etc/nginx/crt.pem;
    ssl_certificate_key /etc/nginx/privkey.pem;
    ssl_client_certificate /etc/nginx/ca.crt;

    # Optional: Client-CA-Zertifikat zur Authentifizierung (falls benötigt)
    # ssl_client_certificate /etc/nginx/ssl/ca.crt;
    # ssl_verify_client optional;

    error_page 403 /403.html;
    location = /403.html {
        root /var/www/html;
        internal;
    }

    include /etc/nginx/modsec/main.conf;

    location / {
        proxy_pass http://192.168.178.66;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}


  • Fehler Anzeige erstellen.
vi  /var/www/html/403.html 

<html>
 <head><title>403 Forbidden</title></head>
 <body>
 <h1>Oops! Zugriff verweigert</h1>
 <p>Deine Anfrage wurde von der Web Application Firewall blockiert.</p>
 </body>
 </html>

NGINX prüfen und neu laden

  • Syntax testen
sudo nginx -t
  • Dienst neu laden
sudo systemctl reload nginx

Test

  • Beispielziel: Python-Testserver
python3 -m http.server 8080
  • Angriff simulieren
curl "http://localhost/?param=<script>alert(1)</script>"
  • Audit-Log (wenn aktiviert) prüfen:
/var/log/nginx/error.log
Abgerufen von „http://wiki.ixheim.de/index.php?title=Nginx_mit_Modsecurity&oldid=64005