Thermo Library

Welcome to the Library, your gateway to our Thermo knowledge base and community. Here, you’ll find proven answers to many common issues. If you’d like to contribute and get paid to do it, then see our guide!

Contribute on GitHub

View Project | View File | Edit File

Installing ModSecurity with Nginx on CentOS7

But first...

You need sudo access and the most current version of CentOS 7. See Creating sudo users on CentOS for more information.

1: Update

See Updating CentOS.

2: Install dependencies

Install the following packages:

yum groupinstall -y "Development Tools"
yum install -y httpd httpd-devel pcre pcre-devel libxml2 libxml2-devel curl curl-devel openssl openssl-devel
shutdown -r now

3: Compile ModSec

ModSec for the Nginx master branch has been reported as currently being unstable; therefore, use the nginx_refactoring branch as directed below:

  1. Download the nginx_refactoring branch of ModSecurity for Nginx:
    cd /usr/src
    git clone -b nginx_refactoring
  2. Compile ModSec: Attention: The two sed commands below prevent warning messages when using newer automake versions.
    cd ModSecurity
    sed -i '/AC_PROG_CC/a\AM_PROG_CC_C_O'
    sed -i '1 i\AUTOMAKE_OPTIONS = subdir-objects'
    ./configure --enable-standalone-module --disable-mlogc

4: Compile Nginx

  1. Download and unarchive the latest stable release of Nginx. Currently, this is Nginx 1.13.4:
    cd /usr/src
    tar -zxvf nginx-1.13.4.tar.gz && rm -f nginx-1.13.4.tar.gz
  2. Create a dedicated nginx user and group for Nginx:
    groupadd -r nginx
    useradd -r -g nginx -s /sbin/nologin -M nginx
  3. Compile Nginx and enable ModSecurity and SSL modules:
    cd nginx-1.10.3/
    ./configure --user=nginx --group=nginx --add-module=/usr/src/ModSecurity/nginx/modsecurity --with-http_ssl_module
    make install
  4. Modify the default Nginx user:
    sed -i "s/#user  nobody;/user nginx nginx;/" /usr/local/nginx/conf/nginx.conf

5: Configure ModSec and Nginx

  1. Configure Nginx:

    a. Issue:

       vi /usr/local/nginx/conf/nginx.conf

    b. Find the following segment within the http {} segment:

            location / {
                root   html;
                index  index.html index.htm;

    Add the lines below so the final result should be:

       location / {
        ModSecurityEnabled on;
        ModSecurityConfig modsec_includes.conf;
        root   html;
        index  index.html index.htm;

    c. You also need to change the location of the default PID file to match the systemd script you will make in the following steps. Find the line #pid logs/ and change it to the following by removing the # and changing the path:

       pid  /var/run/

    d. Save and quit:

  2. Create the file /usr/local/nginx/conf/modsec_includes.conf: Attention: The config below applies all of the OWASP ModSecurity Core Rules in the owasp-modsecurity-crs/rules/ directory. If you want to apply selective rules only, you should remove the include owasp-modsecurity-crs/rules/*.conf line, and then specify exact rules you need after step 5 of this section.
    cat <<EOF>> /usr/local/nginx/conf/modsec_includes.conf
    include modsecurity.conf
    include owasp-modsecurity-crs/crs-setup.conf
    include owasp-modsecurity-crs/rules/*.conf
  3. Import the ModSec config files:
    cp /usr/src/ModSecurity/modsecurity.conf-recommended /usr/local/nginx/conf/modsecurity.conf
    cp /usr/src/ModSecurity/unicode.mapping /usr/local/nginx/conf/
  4. Modify the file /usr/local/nginx/conf/modsecurity.conf:
    sed -i "s/SecRuleEngine DetectionOnly/SecRuleEngine On/" /usr/local/nginx/conf/modsecurity.conf
    sed -i "s/SecAuditLogType Serial/SecAuditLogType Concurrent/" /usr/local/nginx/conf/modsecurity.conf
    sed -i "s|SecAuditLog /var/log/modsec_audit.log|SecAuditLog /usr/local/nginx/logs/modsec_audit.log|"        /usr/local/nginx/conf/modsecurity.conf
  5. Allow Nginx to create Modsec logs in the Nginx log directory:
    chown nginx.root /usr/local/nginx/logs
  6. Add OWASP ModSecurity Core Rule Set (CRS) files:
    cd /usr/local/nginx/conf
    git clone
    cd owasp-modsecurity-crs
    mv crs-setup.conf.example crs-setup.conf
    cd rules

6: Create Systemd Script

  1. Create the file /lib/systemd/system/nginx.service and add the script:
    cat <<EOF>> /lib/systemd/system/nginx.service
    Description=The NGINX HTTP and reverse proxy server
    ExecStartPre=/usr/local/nginx/sbin/nginx -t
    ExecReload=/bin/kill -s HUP $MAINPID
    ExecStop=/bin/kill -s QUIT $MAINPID
  2. Reload systemd services:
    systemctl daemon-reload

7: Test ModSec

  1. Start Nginx:
    systemctl start nginx.service
  2. Point your web browser to http://<YourServersIP>/?param="><script>alert(1);</script> (Be sure to replace with the IP address of your server)
  3. Use grep to fetch error messages:
    grep error /usr/local/nginx/logs/error.log
    The output should include error messages resembling the following:
    2017/02/15 14:07:54 [error] 10776#0: [client] ModSecurity: Warning. detected XSS using libinjection. [file "/usr/local/nginx/conf/owasp-modsecurity-crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "56"] [id "941100"] [rev "2"] [msg "XSS Attack Detected via libinjection"] [data "Matched Data:  found within ARGS:param: \x22><script>alert(1);</script>"] [severity "CRITICAL"] [ver "OWASP_CRS/3.0.0"] [maturity "1"] [accuracy "9"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-xss"] [tag "OWASP_CRS/WEB_ATTACK/XSS"] [tag "WASCTC/WASC-8"] [tag "WASCTC/WASC-22"] [tag "OWASP_TOP_10/A3"] [tag "OWASP_AppSensor/IE1"] [tag "CAPEC-242"] [hostname ""] [uri "/index.html"] [unique_id "ATAcAcAkucAchGAcPLAcAcAY"]
  4. The procedure is complete. To customize your settings, review and edit the following files:
  5. /usr/local/nginx/conf/modsecurity.conf
  6. /usr/local/nginx/conf/owasp-modsecurity-crs/crs-setup.conf

For 24-hour assistance any day of the year, contact a Thermo Physicist through the Client Portal.