Nginx mit Modsecurity: Unterschied zwischen den Versionen
Zur Navigation springen
Zur Suche springen
| (3 dazwischenliegende Versionen desselben Benutzers werden nicht angezeigt) | |||
| Zeile 65: | Zeile 65: | ||
modsecurity on; | modsecurity on; | ||
modsecurity_rules_file /etc/nginx/modsec/modsecurity.conf; | modsecurity_rules_file /etc/nginx/modsec/modsecurity.conf; | ||
| + | ==Eventuell anpassen== | ||
| + | |||
| + | sudo nano /etc/nginx/modsec/modsecurity.conf | ||
| + | |||
| + | <pre> | ||
| + | GNU nano 7.2 /etc/nginx/modsec/modsecurity.conf | ||
| + | # Aktivieren des ModSecurity-Engines | ||
| + | # ----------------------------- | ||
| + | # Grundkonfiguration | ||
| + | # ----------------------------- | ||
| + | |||
| + | SecRuleEngine On | ||
| + | SecRequestBodyAccess On | ||
| + | SecResponseBodyAccess Off | ||
| + | |||
| + | SecAuditEngine RelevantOnly | ||
| + | SecAuditLog /var/log/nginx/modsec_audit.log | ||
| + | SecAuditLogParts ABIJDEFHZ | ||
| + | SecDebugLog /var/log/nginx/modsec_debug.log | ||
| + | SecDebugLogLevel 3 | ||
| + | |||
| + | SecTmpDir /tmp/ | ||
| + | SecDataDir /tmp/ | ||
| + | |||
| + | # ----------------------------- | ||
| + | # Testregel (kann entfernt werden) | ||
| + | # ----------------------------- | ||
| + | SecRule ARGS "@contains script" "id:9999,phase:1,deny,log,status:403,msg:'Test rule triggered'" | ||
| + | |||
| + | # ----------------------------- | ||
| + | # OWASP Core Rule Set (CRS) | ||
| + | # ----------------------------- | ||
| + | Include /etc/nginx/modsec/coreruleset/crs-setup.conf | ||
| + | Include /etc/nginx/modsec/coreruleset/rules/*.conf | ||
| + | </pre> | ||
== Reverse Proxy konfigurieren == | == Reverse Proxy konfigurieren == | ||
| Zeile 72: | Zeile 107: | ||
* Inhalt: | * Inhalt: | ||
<pre> | <pre> | ||
| + | # HTTP → HTTPS Redirect | ||
server { | server { | ||
listen 80; | listen 80; | ||
server_name localhost; | server_name localhost; | ||
| + | return 301 https://; | ||
| + | } | ||
| + | |||
| + | # HTTPS-Server mit TLS-Zertifikat | ||
| + | server { | ||
| + | listen 443 ssl; | ||
| + | server_name localhost; | ||
| + | |||
| + | ssl_certificate /etc/nginx/crt.pem; | ||
| + | ssl_certificate_key /etc/nginx/privkey.pem; | ||
| + | ssl_client_certificate /etc/nginx/ca.crt; | ||
| + | |||
| + | # Optional: Client-CA-Zertifikat zur Authentifizierung (falls benötigt) | ||
| + | # ssl_client_certificate /etc/nginx/ssl/ca.crt; | ||
| + | # ssl_verify_client optional; | ||
| + | |||
error_page 403 /403.html; | error_page 403 /403.html; | ||
location = /403.html { | location = /403.html { | ||
| − | + | root /var/www/html; | |
| − | + | internal; | |
| − | } | + | } |
| + | |||
include /etc/nginx/modsec/main.conf; | include /etc/nginx/modsec/main.conf; | ||
location / { | location / { | ||
| − | proxy_pass http:// | + | proxy_pass http://192.168.178.66; |
proxy_set_header Host $host; | proxy_set_header Host $host; | ||
proxy_set_header X-Real-IP $remote_addr; | proxy_set_header X-Real-IP $remote_addr; | ||
| − | proxy_set_header X-Forwarded-For | + | proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; |
| − | $proxy_add_x_forwarded_for; | ||
} | } | ||
} | } | ||
| + | |||
</pre> | </pre> | ||
| − | + | *Fehler Anzeige erstellen. | |
vi /var/www/html/403.html | vi /var/www/html/403.html | ||
<pre> | <pre> | ||
| Zeile 121: | Zeile 174: | ||
* Audit-Log (wenn aktiviert) prüfen: | * Audit-Log (wenn aktiviert) prüfen: | ||
/var/log/nginx/error.log | /var/log/nginx/error.log | ||
| + | |||
| + | [[KATEGORIE:WAF]] | ||
Aktuelle Version vom 25. Juli 2025, 14:59 Uhr
NGINX mit ModSecurity v3 und OWASP CRS als Reverse Proxy
Voraussetzungen
- Ubuntu 22.04 oder Debian 12
- Zielsystem z. B. unter http://127.0.0.1:8080 erreichbar
Installation
- NGINX und ModSecurity installieren
sudo apt update sudo apt install nginx libmodsecurity3 libnginx-mod-http-modsecurity git -y
ModSecurity aktivieren
- Konfigurationsverzeichnis erstellen
sudo mkdir -p /etc/nginx/modsec
- Standardkonfiguration erstellen
sudo vi /etc/nginx/modsec/modsecurity.conf
# Aktivieren des ModSecurity-Engines # ----------------------------- # Grundkonfiguration # ----------------------------- SecRuleEngine On SecRequestBodyAccess On SecResponseBodyAccess Off SecAuditEngine RelevantOnly SecAuditLog /var/log/nginx/modsec_audit.log SecDebugLog /var/log/nginx/modsec_debug.log SecDebugLogLevel 0 SecTmpDir /tmp/ SecDataDir /tmp/ # ----------------------------- # Testregel (kann entfernt werden) # ----------------------------- SecRule ARGS "@contains script" "id:9999,phase:1,deny,log,status:403,msg:'Test rule triggered'" # ----------------------------- # OWASP Core Rule Set (CRS) # ----------------------------- Include /etc/nginx/modsec/coreruleset/crs-setup.conf Include /etc/nginx/modsec/coreruleset/rules/*.conf
OWASP Core Rule Set installieren
- In das ModSecurity-Verzeichnis wechseln
cd /etc/nginx/modsec
- CRS klonen
sudo git clone https://github.com/coreruleset/coreruleset.git
- Setup-Datei aktivieren
sudo cp coreruleset/crs-setup.conf.example coreruleset/crs-setup.conf
ModSecurity-Snippet erstellen
- Konfigurationsdatei erstellen
sudo nano /etc/nginx/modsec/main.conf
- Inhalt:
modsecurity on; modsecurity_rules_file /etc/nginx/modsec/modsecurity.conf;
Eventuell anpassen
sudo nano /etc/nginx/modsec/modsecurity.conf
GNU nano 7.2 /etc/nginx/modsec/modsecurity.conf # Aktivieren des ModSecurity-Engines # ----------------------------- # Grundkonfiguration # ----------------------------- SecRuleEngine On SecRequestBodyAccess On SecResponseBodyAccess Off SecAuditEngine RelevantOnly SecAuditLog /var/log/nginx/modsec_audit.log SecAuditLogParts ABIJDEFHZ SecDebugLog /var/log/nginx/modsec_debug.log SecDebugLogLevel 3 SecTmpDir /tmp/ SecDataDir /tmp/ # ----------------------------- # Testregel (kann entfernt werden) # ----------------------------- SecRule ARGS "@contains script" "id:9999,phase:1,deny,log,status:403,msg:'Test rule triggered'" # ----------------------------- # OWASP Core Rule Set (CRS) # ----------------------------- Include /etc/nginx/modsec/coreruleset/crs-setup.conf Include /etc/nginx/modsec/coreruleset/rules/*.conf
Reverse Proxy konfigurieren
- Standard-VHost ersetzen
sudo vim /etc/nginx/sites-available/default
- Inhalt:
# HTTP → HTTPS Redirect
server {
listen 80;
server_name localhost;
return 301 https://;
}
# HTTPS-Server mit TLS-Zertifikat
server {
listen 443 ssl;
server_name localhost;
ssl_certificate /etc/nginx/crt.pem;
ssl_certificate_key /etc/nginx/privkey.pem;
ssl_client_certificate /etc/nginx/ca.crt;
# Optional: Client-CA-Zertifikat zur Authentifizierung (falls benötigt)
# ssl_client_certificate /etc/nginx/ssl/ca.crt;
# ssl_verify_client optional;
error_page 403 /403.html;
location = /403.html {
root /var/www/html;
internal;
}
include /etc/nginx/modsec/main.conf;
location / {
proxy_pass http://192.168.178.66;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
}
- Fehler Anzeige erstellen.
vi /var/www/html/403.html
<html> <head><title>403 Forbidden</title></head> <body> <h1>Oops! Zugriff verweigert</h1> <p>Deine Anfrage wurde von der Web Application Firewall blockiert.</p> </body> </html>
NGINX prüfen und neu laden
- Syntax testen
sudo nginx -t
- Dienst neu laden
sudo systemctl reload nginx
Test
- Beispielziel: Python-Testserver
python3 -m http.server 8080
- Angriff simulieren
curl "http://localhost/?param=<script>alert(1)</script>"
- Audit-Log (wenn aktiviert) prüfen:
/var/log/nginx/error.log