Security

ModSecurity WAF

A web application firewall that acts before your app ever sees the request.

nginx-module-modsecurity

Install

Make sure you have the official nginx.org repository configured first. These packages require nginx from nginx.org, not the distro-bundled version.

Add the Blendbyte repository if you haven't already:

Add Blendbyte repository
sudo install -d -m 0755 /etc/apt/keyrings

curl -fsSL https://apt.blendbyte.net/nginx/blendbyte-archive-keyring.gpg \
  | sudo tee /etc/apt/keyrings/blendbyte.gpg >/dev/null

echo "deb [signed-by=/etc/apt/keyrings/blendbyte.gpg] https://apt.blendbyte.net/nginx $(lsb_release -cs) main" \
  | sudo tee /etc/apt/sources.list.d/blendbyte.list

sudo apt update

Then install this module:

Install nginx-module-modsecurity
$ sudo apt install nginx-module-modsecurity

Most modules auto-enable on install. If yours didn't, enable it manually:

Enable module manually (if needed)
$ sudo ln -s /etc/nginx/modules-available/50-mod-modsecurity.conf \
  /etc/nginx/modules-enabled/
$ sudo nginx -t && sudo systemctl reload nginx

External dependency: libmodsecurity3 and a rule set (e.g. OWASP Core Rule Set) installed separately

What it does

ModSecurity is the industry-standard open-source WAF engine. Version 3 (libmodsecurity) is built as a library, and this connector module is what wires it into nginx. Together they give you request and response inspection, regex-based rule matching, anomaly scoring, and the ability to block, allow, or redirect based on traffic characteristics.

The module and library are only the engine. Rule sets are separate, and so is the work of configuring them. The OWASP Core Rule Set (CRS) is the most widely used and covers the OWASP Top 10. The right approach: start in detection mode, review your logs for false positives, tune carefully, then switch to prevention mode. Skipping the tuning step and going straight to prevention is a reliable way to start blocking legitimate traffic.
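The log-review step of that workflow, as an added example that is not part of this package or the upstream project: with `SecRuleEngine DetectionOnly`, libmodsecurity writes each rule match into nginx's error log as a `ModSecurity: Warning.` line made of bracketed `[key "value"]` fields. The script below parses those lines, tallies hits per rule id and request path so the rules that keep firing on one legitimate endpoint stand out, confirms nothing is being denied yet, and drafts the narrow per-path exclusion form (`ctl:ruleRemoveTargetById`) that the CRS tuning documentation describes. The sample log lines are constructed for the example, and the exclusion rule ids starting at 1000 are assumed to be free in your local id range.

```python
"""Tally ModSecurity v3 detections from nginx's error log while in DetectionOnly mode,
so that repeat hits on one endpoint (false-positive candidates) are visible before
the engine is switched to prevention mode."""
import re
from collections import Counter

# Bracketed [key "value"] fields as ModSecurity v3 writes them; a value may be empty.
FIELD_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')
# CRS names the matched variable in the data field: "... found within <VAR>: <value>".
TARGET_RE = re.compile(r"found within ([A-Z_]+:[^:]+):")


def _lfi_hit(n):
    """One constructed 930120 detection on /wiki/save from client 10.0.0.<n>."""
    return (f"2024/03/01 10:00:0{n} [error] 100#100: *{n} [client 10.0.0.{n}] ModSecurity: Warning. "
            '[file "/etc/nginx/modsecurity/crs/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf"] '
            '[line "60"] [id "930120"] [rev ""] [msg "OS File Access Attempt"] '
            '[data "Matched Data: etc/passwd found within ARGS:note: see /etc/passwd for the format"] '
            '[severity "2"] [tag "attack-lfi"] [tag "OWASP_CRS"] [hostname "10.0.0.2"] '
            f'[uri "/wiki/save"] [unique_id "170928720{n}.1"], client: 10.0.0.{n}, server: wiki.example')


# Constructed sample log, trimmed to the bracketed fields this script reads;
# hosts, addresses, URIs and unique_ids are made up for the example.
SAMPLE_LOG = [
    _lfi_hit(1), _lfi_hit(2), _lfi_hit(3),
    '2024/03/01 10:00:05 [error] 100#100: *5 [client 10.0.0.9] ModSecurity: Warning. '
    '[file "/etc/nginx/modsecurity/crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] '
    '[line "45"] [id "942100"] [rev ""] [msg "SQL Injection Attack Detected via libinjection"] '
    '[data "Matched Data: v&1 found within ARGS:q: 1 or 1=1"] [severity "2"] '
    '[tag "attack-sqli"] [hostname "10.0.0.2"] [uri "/search"] [unique_id "1709287205.1"], '
    'client: 10.0.0.9, server: wiki.example',
    '2024/03/01 10:00:05 [error] 100#100: *5 [client 10.0.0.9] ModSecurity: Access denied with code 403 (phase 2). '
    '[file "/etc/nginx/modsecurity/crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] '
    '[line "80"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] '
    '[data ""] [severity "2"] [tag "anomaly-evaluation"] [hostname "10.0.0.2"] [uri "/search"] '
    '[unique_id "1709287205.1"], client: 10.0.0.9, server: wiki.example',
    # An ordinary nginx error line, which the parser must skip.
    '2024/03/01 10:00:09 [error] 100#100: *7 open() "/var/www/html/favicon.ico" failed (2: No such file)',
]


def parse_line(line):
    """Return the ModSecurity fields of one error-log line, or None for other lines."""
    if "ModSecurity:" not in line:
        return None
    fields = {}
    for key, value in FIELD_RE.findall(line):
        fields.setdefault(key, value)  # repeated keys (the tags) keep their first value
    fields["blocked"] = "Access denied" in line
    m = TARGET_RE.search(fields.get("data", ""))
    fields["target"] = m.group(1) if m else None
    return fields


def summarize(lines):
    """Group hits by (rule id, uri); return (count, id, uri, msg, target) tuples, busiest first."""
    counts, details = Counter(), {}
    for line in lines:
        f = parse_line(line)
        if not f or "id" not in f:
            continue
        key = (f["id"], f.get("uri", "?"))
        counts[key] += 1
        details.setdefault(key, (f.get("msg", ""), f["target"]))
    rows = [(n, rid, uri) + details[(rid, uri)] for (rid, uri), n in counts.items()]
    return sorted(rows, key=lambda r: (-r[0], r[1], r[2]))


def count_blocked(lines):
    """Number of requests actually denied; expected to stay 0 while in DetectionOnly."""
    return sum(1 for line in lines if (parse_line(line) or {}).get("blocked"))


def suggest_exclusions(summary, min_hits=3, first_id=1000):
    """Draft per-path exclusions for (rule, uri) pairs seen at least min_hits times.
    Uses the runtime form CRS documents (ctl:ruleRemoveTargetById), which drops only one
    argument on one path rather than the whole rule. Rule ids from first_id upward are
    assumed free in the local range; every line is a starting point for review, not a fix."""
    out, next_id = [], first_id
    for n, rid, uri, _msg, target in summary:
        if n < min_hits or not target:
            continue
        out.append(f'SecRule REQUEST_URI "@beginsWith {uri}" '
                   f'"id:{next_id},phase:1,pass,nolog,ctl:ruleRemoveTargetById={rid};{target}"')
        next_id += 1
    return out


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    for n, rid, uri, msg, target in summary:
        print(f"{n:4d}  {rid}  {uri:<12} {msg}  ({target or 'no variable'})")
    print("blocked requests:", count_blocked(SAMPLE_LOG))
    for rule in suggest_exclusions(summary):
        print(rule)
```

Point the script at the real error log (reading the file line by line instead of `SAMPLE_LOG`) and run it over a few days of traffic before flipping `SecRuleEngine` from `DetectionOnly` to `On`; `count_blocked` should read zero the whole time, and the exclusion drafts deserve a look at the actual requests behind each count before any of them goes into a rules file. If your libmodsecurity build has the JSON audit log (`SecAuditLogFormat JSON`), that stream carries the same fields in a form that needs no regex at all.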

When to use it

  • Protect applications from SQL injection, XSS, and OWASP Top 10 attacks
  • Apply the OWASP Core Rule Set to web-facing nginx instances
  • Run in detection mode to audit traffic without blocking anything yet
  • Add a WAF layer to infrastructure without modifying application code

Configuration

A starting-point configuration. Adjust to your setup.

nginx.conf example
# Inside your server {} or location {} block:
modsecurity on;
modsecurity_rules_file /etc/nginx/modsecurity/modsecurity.conf;

# After installing OWASP CRS separately:
# modsecurity_rules_file /etc/nginx/modsecurity/crs/crs-setup.conf;
# modsecurity_rules_file /etc/nginx/modsecurity/crs/rules/*.conf;

Upstream project

This module is packaged from the upstream open-source project. Bug reports about module behaviour (not packaging) should go upstream.

https://github.com/SpiderLabs/ModSecurity-nginx