{"id":13491073,"url":"https://github.com/owasp-modsecurity/ModSecurity-nginx","last_synced_at":"2025-03-28T07:31:48.900Z","repository":{"id":34104239,"uuid":"37931803","full_name":"owasp-modsecurity/ModSecurity-nginx","owner":"owasp-modsecurity","description":"ModSecurity v3 Nginx Connector","archived":false,"fork":false,"pushed_at":"2024-07-02T17:16:11.000Z","size":279,"stargazers_count":1572,"open_issues_count":38,"forks_count":282,"subscribers_count":87,"default_branch":"master","last_synced_at":"2024-10-29T15:26:27.854Z","etag":null,"topics":["libmodsecurity","modsecurity","modsecurity-nginx","nginx","nginx-connector","waf"],"latest_commit_sha":null,"homepage":"","language":"Perl","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/owasp-modsecurity.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGES","contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":"AUTHORS","dei":null,"publiccode":null,"codemeta":null}},"created_at":"2015-06-23T16:48:05.000Z","updated_at":"2024-10-29T14:42:28.000Z","dependencies_parsed_at":"2024-07-31T21:59:48.613Z","dependency_job_id":null,"html_url":"https://github.com/owasp-modsecurity/ModSecurity-nginx","commit_stats":null,"previous_names":["owasp-modsecurity/modsecurity-nginx","spiderlabs/modsecurity-nginx"],"tags_count":4,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/owasp-modsecurity%2FModSecurity-nginx","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/owasp-modsecurity%2FModSecurity-nginx/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/owasp-modsecurity%2FModSecurity-nginx/releases","
manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/owasp-modsecurity%2FModSecurity-nginx/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/owasp-modsecurity","download_url":"https://codeload.github.com/owasp-modsecurity/ModSecurity-nginx/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":245907556,"owners_count":20691954,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["libmodsecurity","modsecurity","modsecurity-nginx","nginx","nginx-connector","waf"],"created_at":"2024-07-31T19:00:53.302Z","updated_at":"2025-03-28T07:31:48.893Z","avatar_url":"https://github.com/owasp-modsecurity.png","language":"Perl","readme":"\n\u003cimg src=\"https://github.com/SpiderLabs/ModSecurity/raw/v3/master/others/modsec.png\" width=\"50%\"\u003e\n\n[![Build Status](https://travis-ci.org/SpiderLabs/ModSecurity-nginx.svg?branch=master)](https://travis-ci.org/SpiderLabs/ModSecurity-nginx)\n[![](https://raw.githubusercontent.com/ZenHubIO/support/master/zenhub-badge.png)](https://zenhub.com)\n\n\nThe ModSecurity-nginx connector is the connection point between nginx and libmodsecurity (ModSecurity v3). Said another way, this project provides a communication channel between nginx and libmodsecurity. This connector is required to use LibModSecurity with nginx. \n\nThe ModSecurity-nginx connector takes the form of an nginx module. 
The module simply serves as a layer of communication between nginx and ModSecurity.\n\nNotice that this project depends on libmodsecurity rather than ModSecurity (version 2.9 or less).\n\n### What is the difference between this project and the old ModSecurity add-on for nginx?\n\nThe old version uses ModSecurity standalone, which is a wrapper for\nApache internals to link ModSecurity to nginx. This current version is closer\nto nginx, consuming the new libmodsecurity which is no longer dependent on\nApache. As a result, this current version has fewer dependencies, fewer bugs, and is faster. In addition, some new functionality is also provided, such as the ability to use a global rules configuration with per directory/location customizations (e.g. SecRuleRemoveById).\n\n\n# Compilation\n\nBefore compiling this software, make sure that you have libmodsecurity installed.\nYou can download it from the [ModSecurity git repository](https://github.com/SpiderLabs/ModSecurity). For information pertaining to the compilation and installation of libmodsecurity please consult the documentation provided along with it.\n\nWith libmodsecurity installed, you can proceed with the installation of the ModSecurity-nginx connector, which follows the nginx third-party module installation procedure. 
From the nginx source directory:\n\n```\n./configure --add-module=/path/to/ModSecurity-nginx\n```\n\nOr, to build a dynamic module:\n\n```\n./configure --add-dynamic-module=/path/to/ModSecurity-nginx --with-compat\n```\n\nNote that when building a dynamic module, your nginx source version\nneeds to match the version of nginx you're compiling this for.\n\nFurther information about nginx third-party add-on support is available here:\nhttp://wiki.nginx.org/3rdPartyModules\n\n\n# Usage\n\nModSecurity for nginx extends your nginx configuration directives.\nIt adds four new directives and they are:\n\nmodsecurity\n-----------\n**syntax:** *modsecurity on | off*\n\n**context:** *http, server, location*\n\n**default:** *off*\n\nTurns on or off ModSecurity functionality.\nNote that this configuration directive is no longer related to the SecRule state.\nInstead, it now serves solely as an nginx flag to enable or disable the module.\n\nmodsecurity_rules_file\n----------------------\n**syntax:** *modsecurity_rules_file \u0026lt;path to rules file\u0026gt;*\n\n**context:** *http, server, location*\n\n**default:** *no*\n\nSpecifies the location of the modsecurity configuration file, e.g.:\n\n```nginx\nserver {\n    modsecurity on;\n    location / {\n        root /var/www/html;\n        modsecurity_rules_file /etc/my_modsecurity_rules.conf;\n    }\n}\n```\n\nmodsecurity_rules_remote\n------------------------\n**syntax:** *modsecurity_rules_remote \u0026lt;key\u0026gt; \u0026lt;URL to rules\u0026gt;*\n\n**context:** *http, server, location*\n\n**default:** *no*\n\nSpecifies from where (on the internet) a modsecurity configuration file will be downloaded.\nIt also specifies the key that will be used to authenticate to that server:\n\n```nginx\nserver {\n    modsecurity on;\n    location / {\n        root /var/www/html;\n        modsecurity_rules_remote my-server-key https://my-own-server/rules/download;\n    }\n}\n```\n\nmodsecurity_rules\n-----------------\n**syntax:** 
*modsecurity_rules \u0026lt;modsecurity rule\u0026gt;*\n\n**context:** *http, server, location*\n\n**default:** *no*\n\nAllows for the direct inclusion of a ModSecurity rule into the nginx configuration.\nThe following example loads rules from a file and injects specific configurations per directory/alias:\n\n```nginx\nserver {\n    modsecurity on;\n    location / {\n        root /var/www/html;\n        modsecurity_rules_file /etc/my_modsecurity_rules.conf;\n    }\n    location /ops {\n        root /var/www/html/opts;\n        modsecurity_rules '\n          SecRuleEngine On\n          SecDebugLog /tmp/modsec_debug.log\n          SecDebugLogLevel 9\n          SecRuleRemoveById 10\n        ';\n    }\n}\n```\n\nmodsecurity_transaction_id\n--------------------------\n**syntax:** *modsecurity_transaction_id string*\n\n**context:** *http, server, location*\n\n**default:** *no*\n\nAllows passing a transaction ID from nginx instead of generating it in the library.\nThis can be useful for tracing purposes, e.g. 
consider this configuration:\n\n```nginx\nlog_format extended '$remote_addr - $remote_user [$time_local] '\n                    '\"$request\" $status $body_bytes_sent '\n                    '\"$http_referer\" \"$http_user_agent\" $request_id';\n\nserver {\n    server_name host1;\n    modsecurity on;\n    modsecurity_transaction_id \"host1-$request_id\";\n    access_log logs/host1-access.log extended;\n    error_log logs/host1-error.log;\n    location / {\n        ...\n    }\n}\n\nserver {\n    server_name host2;\n    modsecurity on;\n    modsecurity_transaction_id \"host2-$request_id\";\n    access_log logs/host2-access.log extended;\n    error_log logs/host2-error.log;\n    location / {\n        ...\n    }\n}\n```\n\nUsing a combination of log_format and modsecurity_transaction_id you will\nbe able to find correlations between access log and error log entries\nusing the same unique identifier.\n\nThe string can contain variables.\n\n\n# Contributing\n\nAs an open source project we invite (and encourage) anyone from the community to contribute to our project. This may take the form of: new\nfunctionality, bug fixes, bug reports, beginner user support, and anything else that you\nare willing to help with. Thank you.\n\n\n## Providing Patches\n\nWe prefer to have your patch within the GitHub infrastructure to facilitate our\nreview work, and our QA integration. GitHub provides excellent\ndocumentation on how to perform “Pull Requests”. More information is available\nhere: https://help.github.com/articles/using-pull-requests/\n\nPlease respect the coding style in use. Pull requests can include various commits, so\nprovide one fix or one functionality per commit. Do not change anything outside\nthe scope of your target work (e.g. coding style in a function that you have\npassed by). \n\n### Don’t know where to start?\n\nWithin our code there are various items marked as TODO or FIXME that may need\nyour attention. 
Check the list of items by performing a grep:\n\n```\n$ cd /path/to/modsecurity-nginx\n$ egrep -Rin \"TODO|FIXME\" -R *\n```\n\nYou may also take a look at recent bug reports and open issues to get an idea of what kind of help we are looking for.\n\n### Testing your patch\n\nAlong with the manual testing, we strongly recommend that you use the nginx test\nutility to make sure that your patch does not adversely affect the behavior or performance of nginx. \n\nThe nginx tests are available at: http://hg.nginx.org/nginx-tests/ \n\nTo use those tests, make sure you have the Perl utility prove (part of Perl 5)\nand proceed with the following commands:\n\n```\n$ cp /path/to/ModSecurity-nginx/tests/* /path/to/nginx/test/repository\n$ cd /path/to/nginx/test/repository\n$ TEST_NGINX_BINARY=/path/to/your/nginx prove .\n```\n\nIf you are facing problems getting your added functionality to pass all the nginx tests, feel free to contact us or the nginx mailing list at: http://nginx.org/en/support.html\n\n### Debugging \n\nWe respect the nginx debugging schema. By using the configuration option\n\"--with-debug\" during the nginx configuration you will also be enabling the\nconnector's debug messages. Core dumps and crashes are expected to be debugged\nin the same fashion that is used to debug nginx. For further information,\nplease check the nginx debugging information: http://wiki.nginx.org/Debugging\n\n\n## Reporting Issues\n\nIf you are facing a configuration issue or if something is not working as you\nexpect, please use the ModSecurity users’ mailing list. Issues on GitHub\nare also welcome, but we prefer to have user questions on the mailing list first,\nwhere you can reach an entire community. 
Also don’t forget to look for an\nexisting issue before opening a new one.\n\nLastly, if you are planning to open an issue on GitHub, please don’t forget to tell us the\nversion of your libmodsecurity and the version of the nginx connector you are running.\n\n### Security issue\n\nPlease do not publicly report any security issue. Instead, contact us at:\nsecurity@modsecurity.org to report the issue. Once the problem is fixed we will provide you with credit for the discovery.\n\n\n## Feature Request\n\nWe would love to discuss any ideas that you may have for a new feature. Please keep in mind this is a community driven project so be sure to contact the community via the mailing list to get feedback first. Alternatively,\nfeel free to open GitHub issues requesting new features. Before opening a new issue, please check if there is an existing feature request for the desired functionality.\n\n\n## Packaging\n\nHaving our packages in distros on time is something we highly desire. Let us know if\nthere is anything we can do to facilitate your work as a packager.\n\n\n","funding_links":[],"categories":["Perl"],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fowasp-modsecurity%2FModSecurity-nginx","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fowasp-modsecurity%2FModSecurity-nginx","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fowasp-modsecurity%2FModSecurity-nginx/lists"}