ModSecurity and nginx

nginx is the web server that’s replacing Apache in more and more of the
world’s websites. Until now, nginx has not been able to benefit from the
security ModSecurity provides. Here’s how to install ModSecurity
and get it working with nginx.

Earlier this year the popular open-source web application firewall,
ModSecurity, released version 3 of its software. Version 3 is a
significant departure from the earlier versions, because it’s now
modularized. Before version 3, ModSecurity worked only with the Apache
web server as a dependent module, so there was no way for other HTTP
applications to utilize ModSecurity. Now the core functionality of
ModSecurity, the HTTP filtering engine, exists as a standalone library,
libModSecurity, and it can be integrated into any other application via
a “connector”. A connector is a small piece of code that allows any
application to access libModSecurity.

A Web Application Firewall (WAF) is a type of firewall for HTTP
requests. A standard firewall inspects data packets as they arrive and
leave a network interface and compares the properties of the packets
against a list of rules. The rules dictate whether the firewall will
allow the packet to pass or get blocked.

ModSecurity performs the same task as a standard firewall, but instead of
looking at data packets, it inspects HTTP traffic as it arrives at the
server. When an HTTP request arrives at the server, it’s first routed
through ModSecurity before it’s routed on to the destination application,
such as Apache2 or nginx. ModSecurity compares the inbound HTTP request
against a list of rules. These rules define the form of a malicious or
harmful request, so if the incoming request matches a rule, ModSecurity
blocks the request from reaching the destination application where it
may cause harm.

The following example demonstrates how ModSecurity protects a WordPress
site. This HTTP request is a non-malicious request for the
index.php file as it appears in Apache2’s log files:

GET /index.php HTTP/1.1

This request does not match any rules, so ModSecurity allows it through to the web server.

WordPress keeps much of its secret information, such as the database
password, in a file called wp-config.php, which is located in the same
directory as the index.php file. A careless system administrator may
leave this important file unprotected, in which case a web server
like Apache or nginx will happily serve it, because both will
serve any file that is not protected by specific configuration. This
means that the following malicious request:

GET /wp-config.php HTTP/1.1

will be served by Apache to whoever requests it.
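
A ModSecurity rule that would stop the second request while letting the first through, added here as an illustration and not taken from the original article. The rule id and message text are constructed values; the directives, variable, operator and transformations are standard ModSecurity rule language.

```apache
# Added example, not from the original article. The rule id and message
# are constructed; use an id from a range you reserve for local rules.

# Enforce rules instead of only recording matches.
SecRuleEngine On

# Deny any request whose path ends in /wp-config.php.
# phase:1 evaluates the request line and headers before the body is read,
# so the request is rejected before it reaches the application.
# The transformations URL-decode the path, collapse ./ and ../ segments
# and lowercase it before @endsWith is evaluated, so the comparison runs
# on the normalized path rather than on the raw bytes of the request line.
SecRule REQUEST_FILENAME "@endsWith /wp-config.php" \
    "id:1000001,\
    phase:1,\
    deny,\
    status:403,\
    log,\
    t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,\
    msg:'Request for WordPress configuration file blocked'"
```

With this rule loaded, the request for /index.php matches nothing and passes through, while the request for /wp-config.php is answered with a 403 and logged. The rule is a second layer: the web server configuration should still deny access to the file itself.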
