Wiki

Nginx:Install ModSecurity: Difference between revisions

← Older edit
Kangtain (talk | contribs)
Bureaucrats, Interface administrators, Suppressors, Administrators
9,281 edits
VisualWikitext
No edit summary
No edit summary
 
(4 intermediate revisions by the same user not shown)
Line 5: Line 5:
Instal semua dependensi yang diperlukan untuk proses build dan kompilasi dengan perintah berikut:<syntaxhighlight lang="shell">
Instal semua dependensi yang diperlukan untuk proses build dan kompilasi dengan perintah berikut:<syntaxhighlight lang="shell">
sudo apt-get install bison build-essential ca-certificates curl dh-autoreconf doxygen flex gawk git iputils-ping libcurl4-gnutls-dev libexpat1-dev libgeoip-dev liblmdb-dev libpcre3-dev libpcre++-dev libssl-dev libtool libxml2 libxml2-dev libyajl-dev locales lua5.3-dev pkg-config wget zlib1g-dev zlibc libxslt-dev libgd-dev
sudo apt-get install bison build-essential ca-certificates curl dh-autoreconf doxygen flex gawk git iputils-ping libcurl4-gnutls-dev libexpat1-dev libgeoip-dev liblmdb-dev libpcre3-dev libpcre++-dev libssl-dev libtool libxml2 libxml2-dev libyajl-dev locales lua5.3-dev pkg-config wget zlib1g-dev zlibc libxslt-dev libgd-dev
</syntaxhighlight>di Debian 11<ref>[https://www.tecmint.com/install-modsecurity-nginx-debian-ubuntu/ tecmint.com] - How to Install ModSecurity for Nginx on Debian/Ubuntu</ref><syntaxhighlight lang="bash">
sudo apt install make gcc build-essential autoconf automake libtool libfuzzy-dev ssdeep gettext pkg-config libcurl4-openssl-dev liblua5.3-dev libpcre3 libpcre3-dev libxml2 libxml2-dev libyajl-dev doxygen libcurl4 libgeoip-dev libssl-dev zlib1g-dev libxslt-dev liblmdb-dev libpcre++-dev libgd-dev
</syntaxhighlight>
</syntaxhighlight>
*Install GIT  
*Install GIT  
<syntaxhighlight lang="shell">
<syntaxhighlight lang="shell">
Line 116: Line 117:
</syntaxhighlight>
</syntaxhighlight>
*Tambahkan code berikut
*Tambahkan code berikut
<syntaxhighlight lang="nginx">
<syntaxhighlight lang="nginx">
load_module /etc/nginx/modules/ngx_http_modsecurity_module.so;
load_module /etc/nginx/modules/ngx_http_modsecurity_module.so;
</syntaxhighlight>
</syntaxhighlight>
*'''Sample'''                           
*'''Sample'''                           
<syntaxhighlight lang="nginx">
 
<syntaxhighlight lang="nginx" line="1">
user www-data;
user www-data;
worker_processes auto; pid /run/nginx.pid;
worker_processes auto; pid /run/nginx.pid;
Line 131: Line 135:


*Pertama, hapus kumpulan aturan saat ini bawaan sebelumnya dengan ModSecurity, menggunakan perintah berikut:
*Pertama, hapus kumpulan aturan saat ini bawaan sebelumnya dengan ModSecurity, menggunakan perintah berikut:
sudo rm -rf /usr/share/modsecurity-crs
 
<syntaxhighlight lang="shell">
sudo rm -rf /usr/share/modsecurity-crs
</syntaxhighlight>


*Clone repository ke directory <code>/usr/local/modsecurity-crs</code>
*Clone repository ke directory <code>/usr/local/modsecurity-crs</code>
sudo git clone <nowiki>https://github.com/coreruleset/coreruleset</nowiki> /usr/local/modsecurity-crs
 
<syntaxhighlight lang="shell">
sudo git clone https://github.com/coreruleset/coreruleset /usr/local/modsecurity-crs
</syntaxhighlight>


*Rename the <code>crs-setup.conf.example</code> ke <code>crs-setup.conf</code>:
*Rename the <code>crs-setup.conf.example</code> ke <code>crs-setup.conf</code>:
sudo mv /usr/local/modsecurity-crs/crs-setup.conf.example /usr/local/modsecurity-crs/crs-setup.conf
 
<syntaxhighlight lang="shell">
sudo mv /usr/local/modsecurity-crs/crs-setup.conf.example /usr/local/modsecurity-crs/crs-setup.conf
</syntaxhighlight>


*Ganti nama file aturan pengecualian permintaan default:
*Ganti nama file aturan pengecualian permintaan default:
sudo mv /usr/local/modsecurity-crs/rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example /usr/local/modsecurity-crs/rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf
<syntaxhighlight lang="shell">
sudo mv /usr/local/modsecurity-crs/rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example /usr/local/modsecurity-crs/rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf
</syntaxhighlight>


Sekarang harus menyiapkan OWASP-CRS dan siap digunakan dalam konfigurasi [[Nginx]].
Sekarang harus menyiapkan OWASP-CRS dan siap digunakan dalam konfigurasi [[Nginx]].
Line 146: Line 161:
==Konfigurasi ModSecurity==
==Konfigurasi ModSecurity==
*Mulailah dengan membuat direktori ModSecurity di direktori <code>/etc/nginx/</code>:
*Mulailah dengan membuat direktori ModSecurity di direktori <code>/etc/nginx/</code>:
sudo mkdir -p /etc/nginx/modsec
 
<syntaxhighlight lang="shell">
sudo mkdir -p /etc/nginx/modsec
</syntaxhighlight>


*Salin file pemetaan unicode dan file konfigurasi ModSecurity dari repository GitHub ModSecurity cloning kalian:
*Salin file pemetaan unicode dan file konfigurasi ModSecurity dari repository GitHub ModSecurity cloning kalian:
sudo cp /opt/ModSecurity/unicode.mapping /etc/nginx/modsec


sudo cp /opt/ModSecurity/modsecurity.conf-recommended /etc/nginx/modsec/modsecurity.conf
<syntaxhighlight lang="shell">
sudo cp /opt/ModSecurity/unicode.mapping /etc/nginx/modsec
</syntaxhighlight>
 
<syntaxhighlight lang="shell">
sudo cp /opt/ModSecurity/modsecurity.conf-recommended /etc/nginx/modsec/modsecurity.conf
</syntaxhighlight>


*Hapus ekstensi <code>.recommended</code> dari nama file konfigurasi ModSecurity dengan perintah berikut:
*Hapus ekstensi <code>.recommended</code> dari nama file konfigurasi ModSecurity dengan perintah berikut:
  sudo cp /etc/modsecurity/modsecurity.conf-recommended /etc/modsecurity/modsecurity.conf
 
<syntaxhighlight lang="shell">
sudo cp /etc/modsecurity/modsecurity.conf-recommended /etc/modsecurity/modsecurity.conf
</syntaxhighlight>


*Dengan editor teks seperti vim atau nano, buka <code>/etc/modsecurity/modsecurity.conf</code> dan ubah nilai untuk <code>SecRuleEngine</code> menjadi <code>On</code>:
*Dengan editor teks seperti vim atau nano, buka <code>/etc/modsecurity/modsecurity.conf</code> dan ubah nilai untuk <code>SecRuleEngine</code> menjadi <code>On</code>:
# -- Rule engine initialization ----------------------------------------------
 
<syntaxhighlight lang="shell" line="1">
# Enable ModSecurity, attaching it to every transaction. Use detection
# -- Rule engine initialization ----------------------------------------------
# only to start with, because that minimises the chances of post-installation
 
# disruption.
# Enable ModSecurity, attaching it to every transaction. Use detection
#
# only to start with, because that minimises the chances of post-installation
<span style="color:#ff0000">SecRuleEngine On</span>
# disruption.
#
SecRuleEngine On
</syntaxhighlight>


*Buat file konfigurasi baru bernama <code>main.conf</code> di direktori <code>/etc/nginx/modsec</code>:
*Buat file konfigurasi baru bernama <code>main.conf</code> di direktori <code>/etc/nginx/modsec</code>:
vim /etc/nginx/modsec/main.conf
 
<syntaxhighlight lang="shell">
vim /etc/nginx/modsec/main.conf
</syntaxhighlight>


*Copy code berikut  
*Copy code berikut  
Include /etc/nginx/modsec/modsecurity.conf
 
Include /usr/local/modsecurity-crs/crs-setup.conf
<syntaxhighlight lang="shell" line="1">
Include /usr/local/modsecurity-crs/rules/*.conf
Include /etc/nginx/modsec/modsecurity.conf
Include /usr/local/modsecurity-crs/crs-setup.conf
Include /usr/local/modsecurity-crs/rules/*.conf
</syntaxhighlight>


==Konfigurasi pada Nginx==
==Konfigurasi pada Nginx==
*Buka konfigurasi Nginx kalian biasanya pada directory /etc/nginx/sites-enabled, dengan menambahkan
*Buka konfigurasi Nginx kalian biasanya pada directory /etc/nginx/sites-enabled, dengan menambahkan
vim /etc/nginx/sites-enabled/default.conf
 
<syntaxhighlight lang="shell">
vim /etc/nginx/sites-enabled/default.conf
</syntaxhighlight>


atau
atau
vim /etc/nginx/conf.d/default.conf
 
<syntaxhighlight lang="shell">
vim /etc/nginx/conf.d/default.conf
</syntaxhighlight>


*Lalu tambahkan code berikut
*Lalu tambahkan code berikut
modsecurity on;
modsecurity_rules_file /etc/nginx/modsec/main.conf;


<syntaxhighlight lang="nginx" line="1">
modsecurity on;
modsecurity_rules_file /etc/nginx/modsec/main.conf;
</syntaxhighlight>


{{Note|Jika mengikuti tutorial dari awal, konfigurasi default.conf berada di dorectory /etc/nginx/conf.d}}
{{Note|Jika mengikuti tutorial dari awal, konfigurasi default.conf berada di dorectory /etc/nginx/conf.d}}
Line 189: Line 232:


*'''Sample'''
*'''Sample'''
server {
 
  listen 80;
<syntaxhighlight lang="nginx" line="1">
  listen [::]:80;
server {
  server_name _;
  listen 80;
  root /usr/share/nginx/html/;
  listen [::]:80;
  index index.php index.html index.htm index.nginx-debian.html;
  server_name _;
  <span style="color:#ff0000">modsecurity on;</span>
  root /usr/share/nginx/html/;
  <span style="color:#ff0000">modsecurity_rules_file /etc/nginx/modsec/main.conf;</span>
  index index.php index.html index.htm index.nginx-debian.html;
  modsecurity on;
  modsecurity_rules_file /etc/nginx/modsec/main.conf;
</syntaxhighlight>


==Source==
==Source==
<references />
*[https://www.linode.com/docs/guides/securing-nginx-with-modsecurity/ linode.com]
*[https://www.linode.com/docs/guides/securing-nginx-with-modsecurity/ linode.com]
*[https://www.nginx.com/blog/compiling-and-installing-modsecurity-for-open-source-nginx/ nginx.com]
*[https://www.nginx.com/blog/compiling-and-installing-modsecurity-for-open-source-nginx/ nginx.com]
Retrieved from "https://kangtain.com/wiki/index.php/Nginx:Install_ModSecurity"