1 Topic by Thierry (edited by Thierry 2015-12-23 03:36:11)

  • Thierry
  • Member
  • Offline
  • Registered: 2015-08-09
  • Posts: 180

Topic: Install new module on nginx

==== Required information ====
- iRedMail version (check /etc/iredmail-release): 0.9.2
- Linux/BSD distribution name and version: Debian 8
- Store mail accounts in which backend (LDAP/MySQL/PGSQL):  Mysql
- Web server (Apache or Nginx): Nginx
- Manage mail accounts with iRedAdmin-Pro? No
- Related log if you're reporting an issue:
====
Hi,

I would like to install modsecurity as new module for Nginx ....
It seems that I need to re-compile Nginx to install this new module .... Is it right ?
I don't know anything about Nginx and I would like to avoid breaking something ...

Thx

----

Spider Email Archiver: On-Premises, lightweight email archiving software developed by iRedMail team. Supports Amazon S3 compatible storage and custom branding.

2 Reply by ZhangHuangbin

  • ZhangHuangbin
  • ZhangHuangbin
  • iRedMail Developers
  • Offline
  • Registered: 2009-05-06
  • Posts: 30,770

Re: Install new module on nginx

Please follow its manual to install it:
https://github.com/SpiderLabs/ModSecuri … _for_NGINX

3 Reply by Thierry (edited by Thierry 2015-12-23 15:47:25)

  • Thierry
  • Member
  • Offline
  • Registered: 2015-08-09
  • Posts: 180

Re: Install new module on nginx

checking for libcurl config script... /usr/bin/curl-config
./configure: line 13845: test: : integer expression expected
./configure: line 13848: test: : integer expression expected
./configure: line 13851: test: : integer expression expected
checking if libcurl is at least v... yes, 7.38.0
checking if libcurl is linked with gnutls... no
configure: using curl v7.38.0
configure: looking for Apache module support via DSO through APXS
configure: error: couldn't find APXS

Using Nginx .... Not apache smile
Seems to be a dependency from Apache2 even if I am using Nginx instead ....
There is a "special" version of modsecurity without this dependency .... But I still didn't understand yet how to install it.
Will let you know ...

4 Reply by Thierry (edited by Thierry 2015-12-23 17:12:58)

  • Thierry
  • Member
  • Offline
  • Registered: 2015-08-09
  • Posts: 180

Re: Install new module on nginx

$ sudo dnf install gcc-c++ flex bison curl-devel curl yajl yajl-devel GeoIP-devel doxygen 
$ cd /opt/ 
$ git clone https://github.com/SpiderLabs/ModSecurity 
$ cd ModSecurity 
$ git checkout libmodsecurity 
$ sh build.sh 
$ ./configure 
$ make 
$ make install 
$ cd /opt/ 
$ git clone https://github.com/SpiderLabs/ModSecurity-nginx 
$ cd /opt/Modsecurity-nginx 
$ git checkout experimental 
$ cd /opt/ 
*******************************************************************
$ wget http://nginx.org/download/nginx-1.9.2.tar.gz 
$ tar -xvzf nginx-1.9.2.tar.gz 
$ yum install zlib-devel 
*******************************************************************
$ ./configure --add-module=/opt/ModSecurity-nginx

I have left nginx as it is on my server (didn't use commands between  " **** ")

Where should I do the last ./configure ?
If looking for nginx, I found this:

/usr/sbin/nginx
/usr/share/nginx
/var/log/nginx
/var/lib/nginx
/etc/logrotate.d/nginx
/etc/nginx
/etc/init.d/nginx
/etc/ufw/applications.d/nginx
/etc/default/nginx
/root/iRedMail-0.9.2/samples/nginx
/root/iRedMail-0.9.2/conf/nginx

Thx

5 Reply by ZhangHuangbin

  • ZhangHuangbin
  • ZhangHuangbin
  • iRedMail Developers
  • Offline
  • Registered: 2009-05-06
  • Posts: 30,770

Re: Install new module on nginx

Thierry wrote:

Where should I do the last ./configure ?

I guess it's /opt/Modsecurity-nginx

6 Reply by Thierry (edited by Thierry 2015-12-23 20:03:18)

  • Thierry
  • Member
  • Offline
  • Registered: 2015-08-09
  • Posts: 180

Re: Install new module on nginx

no ....
When you ned to add a new module for nginx, you should compile it from the working directory of nginx no ?
Where is this folder when nginx as been installed from binary ?

7 Reply by ZhangHuangbin

  • ZhangHuangbin
  • ZhangHuangbin
  • iRedMail Developers
  • Offline
  • Registered: 2009-05-06
  • Posts: 30,770

Re: Install new module on nginx

You need to grab its source package from Debian apt repository.

8 Reply by Thierry

  • Thierry
  • Member
  • Offline
  • Registered: 2015-08-09
  • Posts: 180

Re: Install new module on nginx

A post from nginx list:

append  the configure argument you already mentioned  ./configure --add-module=/opt/ModSecurity-nginx with the

--with-cc-opt='-g -O2 -fstack-protector-strong -Wformat -Werror=format-security -D_FORTIFY_SOURCE=2' --with-ld-opt=-Wl,-z,relro --prefix=/usr/share/nginx --conf-path=/etc/nginx/nginx.conf --http-log-path=/var/log/nginx/access.log --error-log-path=/var/log/nginx/error.log --lock-path=/var/lock/nginx.lock --pid-path=/run/nginx.pid --http-client-body-temp-path=/var/lib/nginx/body --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-proxy-temp-path=/var/lib/nginx/proxy --http-scgi-temp-path=/var/lib/nginx/scgi --http-uwsgi-temp-path=/var/lib/nginx/uwsgi --with-debug --with-pcre-jit --with-ipv6 --with-http_ssl_module --with-http_stub_status_module --with-http_realip_module --with-http_auth_request_module --with-http_addition_module --with-http_dav_module --with-http_geoip_module --with-http_gzip_static_module --with-http_image_filter_module --with-http_spdy_module --with-http_sub_module --with-http_xslt_module --with-mail --with-mail_ssl_module --add-module=/tmp/buildd/nginx-1.6.2/debian/modules/nginx-auth-pam --add-module=/tmp/buildd/nginx-1.6.2/debian/modules/nginx-dav-ext-module --add-module=/tmp/buildd/nginx-1.6.2/debian/modules/nginx-echo --add-module=/tmp/buildd/nginx-1.6.2/debian/modules/nginx-upstream-fair --add-module=/tmp/buildd/nginx-1.6.2/debian/modules/ngx_http_substitutions_filter_module


##

One problem I see here is that you need to place the modules added there in their exact path like for example /tmp/buildd/nginx-1.6.2/debian/modules/nginx-upstream-fair .Otherwise you will have to modify those path accordingly. you need to install build deps for nginx too

Also you might be able to use 1.8.0 stable version

Follow - https://www.digitalocean.com/community/ … ian-wheezy . The difference is you are adding mod_sec instead of pagespeed .

I am not going to do it, I do not want to break everything .... Am I right ?

9 Reply by ZhangHuangbin

  • ZhangHuangbin
  • ZhangHuangbin
  • iRedMail Developers
  • Offline
  • Registered: 2009-05-06
  • Posts: 30,770

Re: Install new module on nginx

I cannot help confirm this since i didn't try it myself. I suggest you ask for support in Nginx or mod_security mailing list instead. Sorry.