Date: Wed, 23 Jan 2019 09:42:17 -0500 From: SoftwareInforJam <softwareinforjam@gmail.com> To: Matt Garber <matt.garber@gmail.com> Cc: "freebsd-stable@freebsd.org" <freebsd-stable@freebsd.org> Subject: RE: Issue with mod_security3 Message-ID: <5c487d47.1c69fb81.42b03.5916@mx.google.com> In-Reply-To: <D12B442B-2C78-437C-AB60-C4850A019E29@gmail.com> References: <5c4744cd.1c69fb81.7b84f.5450@mx.google.com> <20190122185438.GC85865@v1.leiden.byshenk.net> <5c476baa.1c69fb81.58970.0af8@mx.google.com> <5c47b2c0.1c69fb81.ba7c2.95f3@mx.google.com> <D12B442B-2C78-437C-AB60-C4850A019E29@gmail.com>
next in thread | previous in thread | raw e-mail | index | archive | help
Fantastic. Thanks so much for clarifying. I just thought that if the port i= nstalled, that should have taken care of that module. And thanks also for p= ointing out that document.=20 Sent from Mail for Windows 10 From: Matt Garber Sent: Tuesday, January 22, 2019 7:59 PM To: SoftwareInforJam Cc: freebsd-stable@freebsd.org Subject: Re: Issue with mod_security3 > On Jan 22, 2019, at 7:18 PM, SoftwareInforJam <softwareinforjam@gmail.com= > wrote: >=20 > Well I am making some progress I guess. Now modsecurity is installed and = not orphaned. My challenge now is that I have been reading several document= s and all of them say I need to add the following to nginx.conf >=20 > load_module modules/ngx_http_modsecurity.so; >=20 > My challenge now is I can=E2=80=99t seem to find this module anywhere. I = am not sure what to do now. Isn=E2=80=99t this module needed for this to wo= rk? >=20 > root@proxy:/usr/local/etc/nginx # find / -name "ngx_http_modsecurity*" > /usr/ports/www/nginx/work/nginx-1.14.2/objs/addon/src/ngx_http_modsecurit= y_body_filter.o > /usr/ports/www/nginx/work/nginx-1.14.2/objs/addon/src/ngx_http_modsecurit= y_rewrite.o > /usr/ports/www/nginx/work/nginx-1.14.2/objs/addon/src/ngx_http_modsecurit= y_log.o > /usr/ports/www/nginx/work/nginx-1.14.2/objs/addon/src/ngx_http_modsecurit= y_pre_access.o > /usr/ports/www/nginx/work/nginx-1.14.2/objs/addon/src/ngx_http_modsecurit= y_header_filter.o > /usr/ports/www/nginx/work/nginx-1.14.2/objs/addon/src/ngx_http_modsecurit= y_module.o > /usr/ports/www/nginx/work/ModSecurity-nginx-71ede63/src/ngx_http_modsecur= ity_body_filter.c > /usr/ports/www/nginx/work/ModSecurity-nginx-71ede63/src/ngx_http_modsecur= ity_common.h > /usr/ports/www/nginx/work/ModSecurity-nginx-71ede63/src/ngx_http_modsecur= ity_header_filter.c > /usr/ports/www/nginx/work/ModSecurity-nginx-71ede63/src/ngx_http_modsecur= ity_log.c > /usr/ports/www/nginx/work/ModSecurity-nginx-71ede63/src/ngx_http_modsecur= ity_module.c > /usr/ports/www/nginx/work/ModSecurity-nginx-71ede63/src/ngx_http_modsecur= ity_pre_access.c > /usr/ports/www/nginx/work/ModSecurity-nginx-71ede63/src/ngx_http_modsecur= ity_rewrite.c Here are the steps I just followed successfully in a test jail =E2=80=93 a = mix of packages (modsecurity3) and the source for nginx and the ModSecurity= 3-nginx connector; the =E2=80=98modsecurity3=E2=80=99 package installs the = shared library (e.g., /usr/local/lib/libmodsecurity.so.3.0.3), but doesn=E2= =80=99t install the nginx connector. If the nginx port doesn=E2=80=99t have= a make option for the connector, you might have to either hack the port or= just compile from source like I did: ----- Very simplified, single jail ----- 1. Install the modsecurity3 library package and git for cloning the ModSecu= rity-nginx repo: # pkg install modsecurity3 git 2. Grab the latest nginx source and ModSecurity-nginx repo: $ fetch 'http://nginx.org/download/nginx-1.14.2.tar.gz' $ tar -zxvf nginx-1.14.2.tar.gz $ git clone --depth 1 https://github.com/SpiderLabs/ModSecurity-nginx.git $ cd nginx-1.14.2 3. Compile nginx, adding support for the ModSecurity3-nginx connector as a = dynamic module. I=E2=80=99ve also added a variety of other FreeBSD-specific= configuration directives and/or compilation/linking hardening used by ngin= x upstream in their Linux repositories: $ ./configure --with-compat --add-dynamic-module=3D../ModSecurity-nginx --p= refix=3D/usr/local/etc/nginx --with-cc-opt=3D'-g -O2 -fstack-protector-stro= ng -Wformat -Werror=3Dformat-security -fPIC -Wdate-time -D_FORTIFY_SOURCE= =3D2 -I /usr/local/include' --with-ld-opt=3D'-Wl,-Bsymbolic-functions -Wl,-= z,relro -Wl,-z,now -fPIC -L /usr/local/lib' --conf-path=3D/usr/local/etc/ng= inx/nginx.conf --sbin-path=3D/usr/local/sbin/nginx --pid-path=3D/var/run/ng= inx.pid --error-log-path=3D/var/log/nginx/error.log --user=3Dwww --group=3D= www --modules-path=3D/usr/local/libexec/nginx --with-file-aio --with-thread= s --without-mail_imap_module --without-mail_pop3_module --without-mail_smtp= _module --with-mail_ssl_module --http-client-body-temp-path=3D/var/tmp/ngin= x/client_body_temp --http-fastcgi-temp-path=3D/var/tmp/nginx/fastcgi_temp -= -http-proxy-temp-path=3D/var/tmp/nginx/proxy_temp --http-scgi-temp-path=3D/= var/tmp/nginx/scgi_temp --http-uwsgi-temp-path=3D/var/tmp/nginx/uwsgi_temp = --http-log-path=3D/var/log/nginx/access.log --with-http_addition_module --w= ith-http_auth_request_module --with-http_flv_module --with-http_gunzip_modu= le --with-http_gzip_static_module --with-http_random_index_module --with-ht= tp_realip_module --with-pcre --with-http_secure_link_module --with-http_sli= ce_module --with-http_ssl_module --with-http_stub_status_module --with-http= _sub_module --with-http_v2_module --with-stream_ssl_module --with-mail=3Ddy= namic --with-stream=3Ddynamic $ make $ sudo make install 4. The above step should have created ngx_http_modsecurity_module.so under = the nginx source directory, and installed it into /usr/local/libexec/nginx,= at which point the load_module directive in the nginx configuration should= work fine, and you can move on to ruleset configuration. FYI, all of the a= bove just follows the ~second half of <https://www.nginx.com/blog/compiling= -and-installing-modsecurity-for-open-source-nginx/>, after taking care of t= he prerequisites with FreeBSD packages instead. Like I said, you could prob= ably relatively easily hack the nginx port to add in the integration of Mod= Security3-nginx if you care about that more than keeping up-to-date with ng= inx source separately, but then you=E2=80=99d have to avoid overwriting the= port =E2=80=93 YMMV. Thanks, =E2=80=94 Matt Garber
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?5c487d47.1c69fb81.42b03.5916>