# Enable ModSecurity (latest / current version only)
The default rules shipped with this project are easy to bypass, and many users find it hard to maintain a reliable rule set of their own.
In that case you can enable ModSecurity and load the OWASP (Open Web Application Security Project) Core Rule Set (CRS) on top of it to strengthen protection.
# Step 1: Download the rule set

```bash
cd /usr/local/src
git clone https://github.com/SpiderLabs/ModSecurity.git
git clone https://github.com/coreruleset/coreruleset.git
```
# Step 2: Copy the rule files

```bash
mkdir -p /etc/nginx/rules/modsecurity
cp coreruleset/crs-setup.conf.example /etc/nginx/rules/modsecurity/crs-setup.conf
cp ModSecurity/modsecurity.conf-recommended /etc/nginx/rules/modsecurity/modsecurity.conf
cp ModSecurity/unicode.mapping /etc/nginx/rules/modsecurity/unicode.mapping
cp -r coreruleset/rules /etc/nginx/rules/modsecurity/owasp
```
# Step 3: Edit the rules

- Edit `/etc/nginx/rules/modsecurity/modsecurity.conf` and change `SecRuleEngine DetectionOnly` to `SecRuleEngine On`. `DetectionOnly` logs matches without blocking anything, so you may prefer to leave it in place while tuning and switch to `On` once Step 7 shows no false positives.
- Edit `/etc/nginx/rules/modsecurity/modsecurity.conf` and append the following two lines at the end of the file, in this order. `crs-setup.conf` (the copy made in Step 2) sets the variables the rule files read, so it must be included before them:

```
Include /etc/nginx/rules/modsecurity/crs-setup.conf
Include /etc/nginx/rules/modsecurity/owasp/*.conf
```
# Step 4: Load the rules

Edit the nginx configuration file and point the module at the file prepared in Step 3:

```nginx
waf_modsecurity on file=/etc/nginx/rules/modsecurity/modsecurity.conf;
```
# Step 5: Optimize performance

Enabling the rules costs a noticeable amount of throughput, because every request now passes through ModSecurity's rule engine and the full CRS; that complexity is also what makes it effective.
Static files normally do not need inspection, so the cost can be reduced by switching ModSecurity off for the locations that serve them.
Edit the nginx configuration file:

```nginx
location ~* \.(gif|jpg|png|jpeg|webp|bmp|swf)$ {
    waf_modsecurity off;
}
location ~* \.(html|htm|js|css)$ {
    waf_modsecurity off;
}
```

These `location` blocks match on the request URI, which the client controls, so add them only for paths that really are served as static files. If an application route also answers requests whose path ends in one of these extensions, those requests would bypass inspection entirely.
# Step 6: Restart nginx

```bash
nginx -s stop
nginx
```

Why not `nginx -s reload`?
# Step 7: Testing

Now exercise your website to make sure that no false positives break normal use. Check the ModSecurity audit log (the file named by `SecAuditLog` in `modsecurity.conf`) for rules that fire on legitimate requests before leaving the engine in blocking mode.
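The following script is an added example, not part of the ngx_waf project or its documentation. It automates the edits from Step 3 so they can be applied (and re-applied) safely, verifies the result against what Step 4 expects, and offers an optional Step 7 smoke test. Everything in it is an assumption of this example: the function names, the `RULE_DIR` environment variable (defaulting to the path used in Step 2), the abridged `modsecurity.conf` that `make_sample_conf` constructs so the script can be exercised offline, the use of `curl` for the probe, and the expectation that a CRS block surfaces as HTTP 403, which is what CRS does at its default settings.

```bash
#!/bin/sh
# Added example (not ngx_waf project code): script the Step 3 edits,
# check them, and optionally probe a live site as in Step 7.
# Assumes the paths from Step 2; RULE_DIR may be overridden in the
# environment. The smoke test assumes curl and a 403 on block.
set -eu

RULE_DIR="${RULE_DIR:-/etc/nginx/rules/modsecurity}"

# Flip SecRuleEngine to On and append the two Include lines. Safe to run
# twice: an Include is only added when it is not already present verbatim.
configure_modsecurity() {
    conf=$1        # modsecurity.conf to edit
    rule_dir=$2    # directory holding crs-setup.conf and owasp/
    sed -E 's/^SecRuleEngine[[:space:]]+DetectionOnly[[:space:]]*$/SecRuleEngine On/' \
        "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
    for inc in "$rule_dir/crs-setup.conf" "$rule_dir/owasp/*.conf"; do
        grep -qxF "Include $inc" "$conf" || printf 'Include %s\n' "$inc" >> "$conf"
    done
}

# Succeed only if the file is in the state Step 4 expects: engine On,
# no DetectionOnly left, each Include present exactly once, and
# crs-setup.conf included before the rule files that read its variables.
check_conf() {
    conf=$1; rule_dir=$2
    grep -qE '^SecRuleEngine[[:space:]]+On[[:space:]]*$' "$conf" || return 1
    ! grep -qE '^SecRuleEngine[[:space:]]+DetectionOnly' "$conf" || return 1
    [ "$(grep -cxF "Include $rule_dir/crs-setup.conf" "$conf")" -eq 1 ] || return 1
    [ "$(grep -cxF "Include $rule_dir/owasp/*.conf" "$conf")" -eq 1 ] || return 1
    setup=$(grep -nxF "Include $rule_dir/crs-setup.conf" "$conf" | cut -d: -f1)
    rules=$(grep -nxF "Include $rule_dir/owasp/*.conf" "$conf" | cut -d: -f1)
    [ "$setup" -lt "$rules" ]
}

# Constructed stand-in for modsecurity.conf-recommended, abridged to the
# kind of lines this script touches, so the script can be tried offline.
make_sample_conf() {
    cat > "$1" <<'EOF'
# -- Rule engine initialization ----------------------------------------------
SecRuleEngine DetectionOnly
# -- Request body handling ---------------------------------------------------
SecRequestBodyAccess On
SecAuditLog /var/log/modsec_audit.log
EOF
}

# Step 7 check against a running site: a benign request must still succeed
# and an XSS-shaped probe must be blocked. Needs curl and network access,
# so it only runs when a base URL is given on the command line.
smoke_test() {
    base=$1
    benign=$(curl -s -o /dev/null -w '%{http_code}' "$base/")
    probe=$(curl -s -o /dev/null -w '%{http_code}' --get \
        --data-urlencode 'q=<script>alert(1)</script>' "$base/")
    echo "benign request: $benign (expect 200), probe: $probe (expect 403)"
    [ "$benign" = 200 ] && [ "$probe" = 403 ]
}

# Self-test on a throwaway copy: apply, verify, apply again, verify again.
demo() {
    dir=$(mktemp -d)
    make_sample_conf "$dir/modsecurity.conf"
    configure_modsecurity "$dir/modsecurity.conf" "$dir"
    check_conf "$dir/modsecurity.conf" "$dir"
    configure_modsecurity "$dir/modsecurity.conf" "$dir"   # idempotent
    check_conf "$dir/modsecurity.conf" "$dir"
    cat "$dir/modsecurity.conf"
    rm -rf "$dir"
}

# Usage: enable-modsec.sh            self-test on a constructed sample
#        enable-modsec.sh apply      edit $RULE_DIR/modsecurity.conf in place
#        enable-modsec.sh probe URL  run the smoke test against a live site
case "${1:-}" in
    apply) configure_modsecurity "$RULE_DIR/modsecurity.conf" "$RULE_DIR"
           check_conf "$RULE_DIR/modsecurity.conf" "$RULE_DIR" && echo "ok: $RULE_DIR/modsecurity.conf" ;;
    probe) smoke_test "${2:?usage: $0 probe http://host}" ;;
    "")    demo ;;
    *)     echo "usage: $0 [apply|probe URL]" >&2; exit 2 ;;
esac
```

Run it with no arguments to see the edits applied to the constructed sample; `apply` performs them on the real file, after which Step 4 and Step 6 still have to be done by hand. The `probe` mode is only meaningful once nginx has been restarted with `waf_modsecurity on`.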