Debian 9 + Nginx: Complete New Setup Guide with Scripts
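#!/usr/bin/env bash
########################################
## BEGIN NGINX SETUP from scratch
##
## Installs nginx from the nginx.org repository, builds libmodsecurity v3 and
## the ModSecurity-nginx connector as a dynamic module, and installs the OWASP
## Core Rule Set. Run as a normal user with sudo rights from a scratch
## directory; any failing step aborts the script instead of silently
## continuing into the next one.
##
## Optional env:
##   NGINX_KEY_FINGERPRINT - full fingerprint of the nginx package signing key
##     as published in nginx's Linux packages documentation. When set, the
##     downloaded key is compared against it before it is handed to apt-key.
########################################
set -euo pipefail

# Debian codename (e.g. "stretch"), taken from tzdata's "Provides: tzdata-<codename>"
DEBIAN_CODE=$(dpkg --status tzdata | grep Provides | cut -f2 -d'-')

NGINX_DEB_MAINLINE="http://nginx.org/packages/mainline/debian/"
NGINX_DEB_STABLE="http://nginx.org/packages/debian/"
# change distribution you want here
NGINX_DEB=$NGINX_DEB_MAINLINE
# Expected signing-key fingerprint; optional, see header.
NGINX_KEY_FINGERPRINT=${NGINX_KEY_FINGERPRINT:-}

printf 'Debian version %s\n' "$DEBIAN_CODE"
printf 'Nginx distribution %s\n' "$NGINX_DEB"

## Prepare nginx deb
## The redirection must run as root: "sudo cat > file" is redirected by the
## unprivileged shell and fails with permission denied, so write via sudo tee.
## Package integrity relies on apt's signature check with the key added below.
sudo tee /etc/apt/sources.list.d/nginx.list >/dev/null <<EOF
deb $NGINX_DEB $DEBIAN_CODE nginx
deb-src $NGINX_DEB $DEBIAN_CODE  nginx
EOF

## SETUP NGINX
wget -O nginx_signing.key https://nginx.org/keys/nginx_signing.key
if [[ -n "$NGINX_KEY_FINGERPRINT" ]]; then
  # gpg colon output: field 10 of the "fpr" record is the full fingerprint
  key_fpr=$(gpg --with-colons --with-fingerprint nginx_signing.key \
    | awk -F: '$1 == "fpr" { print $10; exit }')
  expected_fpr=${NGINX_KEY_FINGERPRINT//[[:space:]]/}
  if [[ "${key_fpr^^}" != "${expected_fpr^^}" ]]; then
    printf 'nginx signing key fingerprint %s does not match expected %s\n' \
      "$key_fpr" "$expected_fpr" >&2
    exit 1
  fi
else
  printf 'WARNING: NGINX_KEY_FINGERPRINT not set; nginx signing key added without verification\n' >&2
fi
sudo apt-key add nginx_signing.key
rm -f -- nginx_signing.key
sudo apt-get update
sudo apt-get --yes install nginx

# "nginx version: nginx/1.x.y" -> "1.x.y"; the module below must be built
# against exactly this version
NGINX_VERSION=$(/usr/sbin/nginx -v 2>&1 | cut -d '/' -f2)
NGINX_GZ="nginx-$NGINX_VERSION.tar.gz"
NGINX_DL="https://nginx.org/download/$NGINX_GZ"
printf 'Current Nginx version %s\n' "$NGINX_VERSION"

###
## SETUP  modsecurity and modsecurity-nginx as dynamic module
###

## PREPARE git/compile tools if not available
command -v git >/dev/null || sudo apt-get --yes install git
command -v automake >/dev/null || sudo apt-get --yes install automake libtool m4 libcurl3
sudo apt-get install -y automake bison build-essential \
  g++ gcc libbison-dev libcurl4-openssl-dev libfl-dev libgeoip-dev \
  liblmdb-dev libpcre3-dev libtool libxml2-dev libyajl-dev make \
  pkg-config zlib1g-dev

## setup swap if server not enough mem to compile for error "g++: internal compiler error: Killed"
## see https://www.digitalocean.com/community/tutorials/how-to-add-swap-on-ubuntu-14-04
# sudo fallocate -l 4G /swapfile && sudo chmod 600 /swapfile && sudo mkswap /swapfile && sudo swapon /swapfile

##
## See https://www.nginx.com/blog/compiling-and-installing-modsecurity-for-open-source-nginx/
##

## Each build runs in a subshell so a failed step never leaves the script in
## the wrong directory for the commands that follow.
git clone --depth 1 -b v3/master --single-branch https://github.com/SpiderLabs/ModSecurity
(
  cd ModSecurity
  git submodule init
  git submodule update
  ./build.sh
  ./configure
  make
  sudo make install
)

git clone --depth 1 https://github.com/SpiderLabs/ModSecurity-nginx.git
wget -O "$NGINX_GZ" "$NGINX_DL"
tar zxvf "$NGINX_GZ"
(
  cd "nginx-$NGINX_VERSION"
  ./configure --with-compat --add-dynamic-module=../ModSecurity-nginx
  make modules
  sudo cp objs/ngx_http_modsecurity_module.so /etc/nginx/modules
)

## config ngx_http_modsecurity_module for nginx
## prepend load_module modules/ngx_http_modsecurity_module.so; at top before block http {}
## (skipped when already present, so re-running does not add it twice)
if ! grep -qF 'load_module modules/ngx_http_modsecurity_module.so;' /etc/nginx/nginx.conf; then
  # private temp file instead of a fixed, world-writable /tmp/nginx.conf path
  tmp_conf=$(mktemp)
  {
    printf 'load_module modules/ngx_http_modsecurity_module.so;\n\n'
    cat /etc/nginx/nginx.conf
  } >"$tmp_conf"
  ## test config before replacing the live one
  sudo /usr/sbin/nginx -t -c "$tmp_conf"
  sudo tee /etc/nginx/nginx.conf <"$tmp_conf" >/dev/null
  rm -f -- "$tmp_conf"
fi

## Config modsecurity
sudo mkdir -p /etc/nginx/modsec
sudo wget -O /etc/nginx/modsec/modsecurity.conf \
  https://raw.githubusercontent.com/SpiderLabs/ModSecurity/v3/master/modsecurity.conf-recommended
sudo sed -i 's/SecRuleEngine DetectionOnly/SecRuleEngine On/' /etc/nginx/modsec/modsecurity.conf

## pinned CRS release; copy the rule files into crs-rules (not a nested rules/ dir on re-run)
wget -O v3.0.0.tar.gz https://github.com/SpiderLabs/owasp-modsecurity-crs/archive/v3.0.0.tar.gz
tar -xzvf v3.0.0.tar.gz
sudo mkdir -p /etc/nginx/modsec/crs-rules
sudo cp -rf owasp-modsecurity-crs-3.0.0/rules/. /etc/nginx/modsec/crs-rules/
sudo cp owasp-modsecurity-crs-3.0.0/crs-setup.conf.example /etc/nginx/modsec/crs-setup.conf

## The heredoc is quoted so the trailing backslashes (ModSecurity line
## continuation) reach the file intact instead of being consumed by the shell.
## crs-setup.conf is root-owned, so append through sudo; guarded on the rule id
## because a duplicate id would make nginx refuse the config on a re-run.
if ! sudo grep -qF 'id:900200' /etc/nginx/modsec/crs-setup.conf; then
  sudo tee -a /etc/nginx/modsec/crs-setup.conf >/dev/null <<'EOF'
#Allow RESTful methods
SecAction \
 "id:900200,\
  phase:1,\
  nolog,\
  pass,\
  t:none,\
  setvar:'tx.allowed_methods=GET HEAD DELETE PUT POST OPTIONS'"
EOF
fi

#setup test config to verify (quoted heredoc: nothing in it is meant to expand)
sudo tee /etc/nginx/modsec/main.conf >/dev/null <<'EOF'

Include "/etc/nginx/modsec/modsecurity.conf"
# Basic test rule ex: curl example.com?testparam=test
SecRule ARGS:testparam "@contains test" "id:1234,deny,status:403"


#Core Rules from https://github.com/SpiderLabs/owasp-modsecurity-crs
Include /etc/nginx/modsec/crs-setup.conf
Include /etc/nginx/modsec/crs-rules/*.conf
##Note in /etc/nginx/modsec/modsecurity.conf, change this line to avoid json parse error for GET method
#SecRule REQUEST_HEADERS:Content-Type "application/json" \
#     "id:'200001',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=JSON,chain"
#SecRule REQUEST_METHOD "!^(GET|DELETE)$"

EOF

##finally enable in your server.conf
#server {
#    # ...
#    modsecurity on;
#    modsecurity_rules_file /etc/nginx/modsec/main.conf;
#}

## reload nginx for new config; validate first so a bad config never reaches the running server
sudo /usr/sbin/nginx -t
sudo systemctl reload nginx

## test common case by https://cirt.net/Nikto2
## test by docker run frapsoft/nikto -host https://example.com

## Setup certbot if you need https for nginx
# sudo apt-get --yes install python-certbot-nginx -t stretch-backports
# sudo certbot --authenticator webroot --installer nginx
# sudo certbot certonly --authenticator standalone --pre-hook "nginx -s stop" --post-hook "nginx"
#end


## clean up (remove the swap file created above, if you added one)
# sudo swapoff /swapfile && sudo rm -f /swapfile

sudo apt-get clean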
