On Mon, Mar 20, 2017 at 07:52:56PM +0100, [email protected] wrote: > Hi, > I have spent about 2 days trying to understand how to setup mod-security on > my web server. > > I choose to rely on packages in the official repo, so if possible I will > not compile packages. > > Is correct to say that I can't have mod-security in nginx? > Is mod-security only available in apache2? > > Then I'm looking for some instruction about installing. There are a lot of > outdated material and is difficult to learn the right stuff. > > > Here is what I have typed: > > > apt-get install libcurl3-gnutls liblua5.1-0 libxml2 > apt-get install libapache2-mod-security2 > apt-get install modsecuriy-crs > sudo mv /etc/modsecurity/modsecurity.conf-recommended > /etc/modsecurity/modsecurity.conf > sudo nano /etc/modsecurity/modsecurity.conf > > > I have turned on the option SecRuleEngine > > git clone https://github.com/SpiderLabs/owasp-modsecurity-crs.git > > > Now... my questions are: > > 1) Where I have to put the rules > 2) Which other config files I have to edit > 3) How I enable modsecurity on my website > 4) Do you have sample config file to share? >
Hi there, Debian's modsecurity packages will only work with Apache. In order to get modsecurity to work with nginx you'll have to re-compile nginx and modsecurity. This may help you: https://www.howtoforge.com/tutorial/install-nginx-with-mod_security-on-ubuntu-15-04/ Regards, Alberto -- Alberto Gonzalez Iniesta | Formación, consultoría y soporte técnico mailto/sip: [email protected] | en GNU/Linux y software libre Encrypted mail preferred | http://inittab.com Key fingerprint = 5347 CBD8 3E30 A9EB 4D7D 4BF2 009B 3375 6B9A AA55
