Security

ModSecurity WAF

Blocks the bad stuff before your app has to deal with it.

nginx-module-modsecurity

Install

You'll need nginx from nginx.org installed and configured first. These modules are built against those packages; on the distro nginx they won't load, and nginx -t fails with a "not binary compatible" error.

Add the Blendbyte repository if you haven't already:

Add Blendbyte repository
sudo install -d -m 0755 /etc/apt/keyrings

curl -fsSL https://apt.blendbyte.net/nginx/blendbyte-archive-keyring.gpg \
  | sudo tee /etc/apt/keyrings/blendbyte.gpg >/dev/null

echo "deb [signed-by=/etc/apt/keyrings/blendbyte.gpg] https://apt.blendbyte.net/nginx $(lsb_release -cs) main" \
  | sudo tee /etc/apt/sources.list.d/blendbyte.list

sudo apt update

Then install this module:

Install nginx-module-modsecurity
$ sudo apt install nginx-module-modsecurity

Most modules auto-enable on install. If yours didn't:

Enable module manually (if needed)
$ sudo ln -s /etc/nginx/modules-available/50-mod-modsecurity.conf \
  /etc/nginx/modules-enabled/
$ sudo nginx -t && sudo systemctl reload nginx
External dependency: libmodsecurity3 and a rule set (e.g. OWASP Core Rule Set) installed separately

What it does

ModSecurity is the go-to open-source WAF engine. Version 3 (libmodsecurity) plugs into nginx as a library through this connector module. You get request and response inspection, rule matching with regex and other operators (libinjection, phrase lists), anomaly scoring, and full control over what gets blocked, allowed, or redirected.

The module is just the engine. Rule sets are separate, and tuning them is real work. The OWASP Core Rule Set is the most widely used option and targets the attack classes behind the OWASP Top 10. Start in detection mode (SecRuleEngine DetectionOnly, which is what the upstream modsecurity.conf-recommended ships with), go through the error and audit logs for false positives, add targeted rule exclusions, then switch to SecRuleEngine On. Going straight to blocking with an untuned rule set is a reliable way to start blocking legitimate traffic.
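The detection-mode loop above, as an added example (not part of the module or the Blendbyte package): tally which rule fired on which URI while SecRuleEngine is DetectionOnly, then emit a targeted CRS exclusion for a match you have reviewed and judged a false positive. The bracketed [id "..."] [msg "..."] [uri "..."] fields are what libmodsecurity emits; the nginx timestamp/level prefix on the constructed sample lines is illustrative, and the log path /var/log/nginx/error.log and the exclusion rule id 10001 are assumptions.

```shell
#!/bin/sh
# Added example, not the module's own code. Triage ModSecurity matches from
# a detection-mode run and produce a CRS rule exclusion for a reviewed
# false positive. Assumed production usage:
#   tally_rules < /var/log/nginx/error.log

# Print "count<TAB>id<TAB>uri<TAB>msg" for each distinct rule/URI pair,
# most frequent first. Reads log text from stdin; lines without a
# ModSecurity match are dropped.
tally_rules() {
    grep 'ModSecurity: ' |
    awk '
        # value of a bracketed [name "..."] field, or "" if absent
        function field(name,    s, e) {
            s = index($0, "[" name " \"")
            if (s == 0) return ""
            s += length(name) + 3
            e = index(substr($0, s), "\"]")
            return substr($0, s, e - 1)
        }
        {
            id = field("id")
            if (id == "") next
            n[id "\t" field("uri") "\t" field("msg")]++
        }
        END { for (k in n) printf "%d\t%s\n", n[k], k }
    ' | sort -rn -k1,1
}

# Emit a CRS-style exclusion that disables one rule for one URI prefix.
# It belongs in a file loaded before the CRS rules (for CRS that is
# REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf). $1 must be a rule id not
# used anywhere else in your rule set (assumed free here).
exclusion_snippet() {
    printf 'SecRule REQUEST_URI "@beginsWith %s" \\\n' "$2"
    printf '    "id:%s,phase:1,pass,nolog,ctl:ruleRemoveById=%s"\n' "$1" "$3"
}

# Constructed sample: five ModSecurity matches (three of them the same
# libinjection rule on a legitimate search for "O'Brien") plus one
# unrelated nginx error that must be ignored.
SAMPLE_LOG=$(cat <<'EOF'
2024/05/01 12:00:01 [error] 1234#1234: *1 ModSecurity: Warning. Matched "Operator `DetectSQLi' with parameter `' against variable `ARGS:q' (Value: `O'Brien' ) [id "942100"] [rev ""] [msg "SQL Injection Attack Detected via libinjection"] [severity "2"] [hostname "127.0.0.1"] [uri "/search"] [unique_id "1714564801"], client: 203.0.113.5, server: example.com, request: "GET /search?q=O%27Brien HTTP/1.1"
2024/05/01 12:00:01 [error] 1234#1234: *1 ModSecurity: Warning. Matched "Operator `Ge' with parameter `5' against variable `TX:ANOMALY_SCORE' (Value: `5' ) [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "2"] [hostname "127.0.0.1"] [uri "/search"] [unique_id "1714564801"], client: 203.0.113.5, server: example.com, request: "GET /search?q=O%27Brien HTTP/1.1"
2024/05/01 12:00:02 [error] 1234#1234: *2 ModSecurity: Warning. Matched "Operator `DetectSQLi' with parameter `' against variable `ARGS:q' (Value: `O'Brien' ) [id "942100"] [rev ""] [msg "SQL Injection Attack Detected via libinjection"] [severity "2"] [hostname "127.0.0.1"] [uri "/search"] [unique_id "1714564802"], client: 198.51.100.7, server: example.com, request: "GET /search?q=O%27Brien HTTP/1.1"
2024/05/01 12:00:03 [error] 1234#1234: *3 ModSecurity: Warning. Matched "Operator `PmFromFile' with parameter `scanners-user-agents.data' against variable `REQUEST_HEADERS:User-Agent' (Value: `Nikto' ) [id "913100"] [rev ""] [msg "Found User-Agent associated with security scanner"] [severity "2"] [hostname "127.0.0.1"] [uri "/"] [unique_id "1714564803"], client: 192.0.2.9, server: example.com, request: "GET / HTTP/1.1"
2024/05/01 12:00:04 [error] 1234#1234: *4 ModSecurity: Warning. Matched "Operator `DetectSQLi' with parameter `' against variable `ARGS:q' (Value: `O'Brien' ) [id "942100"] [rev ""] [msg "SQL Injection Attack Detected via libinjection"] [severity "2"] [hostname "127.0.0.1"] [uri "/search"] [unique_id "1714564804"], client: 203.0.113.5, server: example.com, request: "GET /search?q=O%27Brien HTTP/1.1"
2024/05/01 12:00:05 [error] 1234#1234: *5 open() "/usr/share/nginx/html/favicon.ico" failed (2: No such file or directory), client: 203.0.113.5, server: example.com, request: "GET /favicon.ico HTTP/1.1"
EOF
)

# Top of the tally is the candidate false positive: 3 hits of 942100 on /search.
printf '%s\n' "$SAMPLE_LOG" | tally_rules
# After reviewing those requests, exclude that one rule on that one path.
exclusion_snippet 10001 /search 942100
```

The exclusion is deliberately narrow: one rule, one URI prefix. When only a single parameter is involved, narrower still is better; ModSecurity's ctl:ruleRemoveTargetById=942100;ARGS:q keeps the rule active for every other argument on that path. The 949110 entry in the tally is the anomaly-score blocking rule, so it reports the consequence of the other matches rather than a separate problem to exclude.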

When to use it

  • Protect applications from SQL injection, XSS, and OWASP Top 10 attacks
  • Apply the OWASP Core Rule Set to web-facing nginx instances
  • Run in detection mode to audit traffic without blocking anything yet
  • Add a WAF layer to infrastructure without modifying application code

Configuration

A starting point. Adjust to taste.

nginx.conf example
# Inside your http {}, server {} or location {} block:
modsecurity on;
modsecurity_rules_file /etc/nginx/modsecurity/modsecurity.conf;

# After installing OWASP CRS separately: the connector loads exactly one file
# per modsecurity_rules_file directive and nginx does not expand globs for it,
# so chain the CRS files from one entry file with ModSecurity's own Include
# directive instead of pointing modsecurity_rules_file at rules/*.conf.
# For example, /etc/nginx/modsecurity/main.conf containing:
#   Include /etc/nginx/modsecurity/modsecurity.conf
#   Include /etc/nginx/modsecurity/crs/crs-setup.conf
#   Include /etc/nginx/modsecurity/crs/rules/*.conf
# and then, replacing the directive above:
# modsecurity_rules_file /etc/nginx/modsecurity/main.conf;

Upstream project

We package this from the upstream open-source project. If it's a bug in the module itself (not in our packaging), report it upstream.

https://github.com/SpiderLabs/ModSecurity-nginx ↗
