Update nginx, modsec, and modsec-nginx version. #3

Open. Wants to merge 1 commit into base: master.
36 changes: 18 additions & 18 deletions tutorial-1/README.md
Expand Up @@ -66,14 +66,14 @@ sub 2048R/57A82F1DD345AB09 2011-11-27
With this in our hands, let's download the source code and the signature next to it:

```bash
$> wget https://nginx.org/download/nginx-1.13.9.tar.gz
$> wget https://nginx.org/download/nginx-1.13.9.tar.gz.asc
$> wget https://nginx.org/download/nginx-1.19.1.tar.gz
$> wget https://nginx.org/download/nginx-1.19.1.tar.gz.asc
```

The compressed source code is a bit less than a megabyte in size. Let's now verify everything is correct:

```bash
$> gpg --trusted-key 520A9993A1C052F8 --verify nginx-1.13.9.tar.gz.asc nginx-1.13.9.tar.gz
$> gpg --trusted-key 520A9993A1C052F8 --verify nginx-1.19.1.tar.gz.asc nginx-1.19.1.tar.gz
gpg: Signature made Tue Feb 20 15:10:07 2018 CET using RSA key ID A1C052F8
gpg: Good signature from "Maxim Dounin <[email protected]>"
```
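Review bot: the gpg output lines left unchanged below the updated command (`gpg: Signature made Tue Feb 20 15:10:07 2018 CET using RSA key ID A1C052F8`) still belong to the 1.13.9 signature, so a reader comparing their own 1.19.1 run against the tutorial will see a different date and may wonder whether something went wrong; rerun the verification against nginx-1.19.1.tar.gz.asc and paste the real output. The sentence above the gpg block ("a bit less than a megabyte") was also measured for 1.13.9 and should be rechecked against the new tarball.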
Expand All @@ -85,31 +85,31 @@ Perfect. We're finally ready for the configuration of the compiler and the compi
We will start by unpacking the tar archive

```bash
$> tar -xvzf nginx-1.13.9.tar.gz
$> tar -xvzf nginx-1.19.1.tar.gz
```

This results in approximately 7 MB.

We now enter the directory and configure the compiler with our options:

```bash
$> cd nginx-1.13.9
$> ./configure --prefix=/opt/nginx-1.13.9 --with-http_ssl_module --with-threads --with-file-aio
$> cd nginx-1.19.1
$> ./configure --prefix=/opt/nginx-1.19.1 --with-http_ssl_module --with-threads --with-file-aio
...
Configuration summary
+ using threads
+ using system PCRE library
+ using system OpenSSL library
+ using system zlib library

nginx path prefix: "/opt/nginx-1.13.9"
nginx binary file: "/opt/nginx-1.13.9/sbin/nginx"
nginx modules path: "/opt/nginx-1.13.9/modules"
nginx configuration prefix: "/opt/nginx-1.13.9/conf"
nginx configuration file: "/opt/nginx-1.13.9/conf/nginx.conf"
nginx pid file: "/opt/nginx-1.13.9/logs/nginx.pid"
nginx error log file: "/opt/nginx-1.13.9/logs/error.log"
nginx http access log file: "/opt/nginx-1.13.9/logs/access.log"
nginx path prefix: "/opt/nginx-1.19.1"
nginx binary file: "/opt/nginx-1.19.1/sbin/nginx"
nginx modules path: "/opt/nginx-1.19.1/modules"
nginx configuration prefix: "/opt/nginx-1.19.1/conf"
nginx configuration file: "/opt/nginx-1.19.1/conf/nginx.conf"
nginx pid file: "/opt/nginx-1.19.1/logs/nginx.pid"
nginx error log file: "/opt/nginx-1.19.1/logs/error.log"
nginx http access log file: "/opt/nginx-1.19.1/logs/access.log"
nginx http client request body temporary files: "client_body_temp"
nginx http proxy temporary files: "proxy_temp"
nginx http fastcgi temporary files: "fastcgi_temp"
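Review bot: the configuration summary in this hunk was edited by hand (only the version inside each path changed) rather than regenerated, so nothing shows that `./configure` in the 1.19.1 tree actually prints these lines in this form; rerun configure for 1.19.1 and paste its summary, and recheck the "approximately 7 MB" unpacked-size claim above it at the same time.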
Expand All @@ -118,7 +118,7 @@ Configuration summary

```

This is where we define the target directory for the future NGINX web server. We are compiling in compliance with the _File Hierarchy Standard_ and will install NGINX under `/opt/nginx-1.13.9`. The `/opt/` file tree allows us to keep our complete installation together under a branch of the tree. If we would look at the alternative `/usr/local` instead, we would need to split binaries, configuration files and logs over multiple branches.
This is where we define the target directory for the future NGINX web server. We are compiling in compliance with the _File Hierarchy Standard_ and will install NGINX under `/opt/nginx-1.19.1`. The `/opt/` file tree allows us to keep our complete installation together under a branch of the tree. If we would look at the alternative `/usr/local` instead, we would need to split binaries, configuration files and logs over multiple branches.

NGINX comes with several dynamic modules we can enable or disable at will. But the encryption module `http_ssl` is not part of the default set. So we need to enable this with a config time option named `--with-http_ssl_module`. After this option, there are two options that affect the performance of the server: `--with-thread` and `with-file-aio`. The threads option does not only enable threads (NGINX is threads-based by default), but it lets you instruct the server to work with pools of threads that are much more dynamic when processing requests. Say you need to wait for a file to be read from the disk. With a thread pool, the server thread hands of this specialised task and jumps to the next request. As soon as the file has been read, a different thread takes over immediately. This technique allows for better use of your resources, as the server threads are never idle.
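Review bot: the unchanged paragraph after the edited line names options that do not match the configure command updated in this same PR: `--with-thread` should be `--with-threads`, and `with-file-aio` is missing its leading dashes (`--with-file-aio`); "hands of this specialised task" should read "hands off". Since this block is being touched for the path change anyway, fix these in the same commit so the prose and the command agree.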

Expand Down Expand Up @@ -151,13 +151,13 @@ $> sudo make install
Installation may also take some time.

```bash
$> sudo chown -R `whoami` /opt/nginx-1.13.9
$> sudo chown -R `whoami` /opt/nginx-1.19.1
```

And now for a trick: If you work professionally with NGINX then you may have several different versions on the test server. Different versions, different patches, different set of modules, etc. all result in tedious and long pathnames with version numbers and other descriptions. To ease things, I usually create a soft link from `/nginx` to the current NGINX web server when I switch to a new version or compilation. Care must be given that we and not the root user are is the owner of the soft link (this is important in configuring the server).

```bash
$> sudo ln -s /opt/nginx-1.13.9 /nginx
$> sudo ln -s /opt/nginx-1.19.1 /nginx
$> sudo chown `whoami` --no-dereference /nginx
$> cd /nginx
```
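Review bot: `sudo ln -s /opt/nginx-1.19.1 /nginx` does the wrong thing when `/nginx` already exists from the previous version, which is exactly the "switch to a new version" scenario the paragraph describes: `ln -s` then creates `/nginx/nginx-1.19.1` inside the old target directory instead of repointing the link. Suggest `sudo ln -sfn /opt/nginx-1.19.1 /nginx` (or removing the old link first) so a reader upgrading from 1.13.9 ends up with the link pointing at the new prefix; the following `chown --no-dereference` then applies to the new link as intended. The sentence "Care must be given that we and not the root user are is the owner" also has a stray "are".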
Expand Down Expand Up @@ -214,7 +214,7 @@ nginx version: nginx/1.13.9
built by gcc 5.4.0 20160609 (Ubuntu 5.4.0-6ubuntu1~16.04.9)
built with OpenSSL 1.0.2g 1 Mar 2016
TLS SNI support enabled
configure arguments: --prefix=/opt/nginx-1.13.9 --with-http_ssl_module --with-threads --with-file-aio --with-debug
configure arguments: --prefix=/opt/nginx-1.19.1 --with-http_ssl_module --with-threads --with-file-aio --with-debug
```

That's not much, but the basics are covered and we see which compile time options we included. Looking at the size of the binary file, we can see that it is approximately 6 MB in size.
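Review bot: the hunk header context (`nginx version: nginx/1.13.9`) shows that the line directly above this hunk still reports the old version, so the `nginx -V` output is now internally inconsistent (version 1.13.9 built with `--prefix=/opt/nginx-1.19.1`). The compiler and library lines (`built by gcc 5.4.0 20160609 (Ubuntu 5.4.0-6ubuntu1~16.04.9)`, `built with OpenSSL 1.0.2g 1 Mar 2016`) are from the original build host as well; regenerate this block from an actual 1.19.1 build and recheck the "approximately 6 MB" binary size stated below it.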
34 changes: 17 additions & 17 deletions tutorial-6/README.md
Expand Up @@ -21,20 +21,20 @@ We previously downloaded the source code for the web server to <i>/usr/src/nginx
$> sudo mkdir /usr/src/modsecurity
$> sudo chown `whoami` /usr/src/modsecurity
$> cd /usr/src/modsecurity
$> wget https://github.com/SpiderLabs/ModSecurity/releases/download/v3.0.0/modsecurity-v3.0.0.tar.gz
$> wget https://github.com/SpiderLabs/ModSecurity/releases/download/v3.0.4/modsecurity-v3.0.4.tar.gz
```

Compressed, the source code is just below 3 megabytes in size. We now need to verify the checksum. It is provided in SHA256 format.

```bash
$> wget https://github.com/SpiderLabs/ModSecurity/releases/download/v3.0.0/modsecurity-v3.0.0.tar.gz.sha256
$> sha256sum --check modsecurity-v3.0.0.tar.gz.sha256
$> wget https://github.com/SpiderLabs/ModSecurity/releases/download/v3.0.4/modsecurity-v3.0.4.tar.gz.sha256
$> sha256sum --check modsecurity-v3.0.4.tar.gz.sha256
```

We expect the following response:

```bash
modsecurity-v3.0.0.tar.gz: OK
modsecurity-v3.0.4.tar.gz: OK
```

### Step 2: Unpacking and configuring the compiler
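Review bot: the updated checksum step downloads `modsecurity-v3.0.4.tar.gz.sha256` from the same GitHub release as the tarball, so `sha256sum --check` only detects a corrupted or truncated download, not a substituted one; the prose ("We now need to verify the checksum") reads as if this were an authenticity check comparable to the GPG verification in tutorial-1. Worth adding one sentence stating that limitation. The "just below 3 megabytes" size was measured for 3.0.0 and should be rechecked for 3.0.4.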
Expand All @@ -55,9 +55,9 @@ We now unpack the source code and initiate the configuration. But before this it
The stage is thus set and we are ready for ModSecurity.

```bash
$> tar -xvzf modsecurity-v3.0.0.tar.gz
$> cd modsecurity-v3.0.0/
$> ./configure --prefix=/opt/modsecurity-3.0.0 --enable-mutex-on-pm
$> tar -xvzf modsecurity-v3.0.4.tar.gz
$> cd modsecurity-v3.0.4/
$> ./configure --prefix=/opt/modsecurity-3.0.4 --enable-mutex-on-pm
```

We created the <i>/nginx</i> symlink in the tutorial on compiling NGINX. This again comes to our assistance, because independent from the NGINX version being used, we can now have the ModSecurity configuration always work with the same parameters and always get access to the current NGINX web server. The first two options establish the link to the NGINX binary, since we have to make sure that ModSecurity is working with the right API version. The _with-pcre_ option defines that we are using the system’s own _PCRE-Library_, or Regular Expression Library, and not the one provided by NGINX. This gives us a certain level of flexibility for updates, because we are becoming independent from NGINX in this area, which has proven to work in practice. It requires the first installed _libpcre3-dev_ package.
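Review bot: the unchanged paragraph below the updated configure line describes options that the command does not contain: it says "The first two options establish the link to the NGINX binary" and discusses a `with-pcre` option, while the command only passes `--prefix=/opt/modsecurity-3.0.4 --enable-mutex-on-pm`. Since the version bump touches this block, either restore the options the paragraph refers to or rewrite the paragraph to explain `--enable-mutex-on-pm`; "It requires the first installed _libpcre3-dev_ package" also needs rewording (e.g. "It requires the _libpcre3-dev_ package installed earlier").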
Expand All @@ -83,20 +83,20 @@ ModSecurity 3.0 runs standalone. It is integrated via a NGINX module that organi

```bash
$> cd /usr/src/modsecurity
$> wget https://github.com/SpiderLabs/ModSecurity-nginx/releases/download/v1.0.0/modsecurity-nginx-v1.0.0.tar.gz
$> wget https://github.com/SpiderLabs/ModSecurity-nginx/releases/download/v1.0.0/modsecurity-nginx-v1.0.0.tar.gz.sha256
$> sha256sum --check modsecurity-nginx-v1.0.0.tar.gz.sha256
modsecurity-nginx-v1.0.0.tar.gz: OK
$> wget https://github.com/SpiderLabs/ModSecurity-nginx/releases/download/v1.0.1/modsecurity-nginx-v1.0.1.tar.gz
$> wget https://github.com/SpiderLabs/ModSecurity-nginx/releases/download/v1.0.1/modsecurity-nginx-v1.0.1.tar.gz.sha256
$> sha256sum --check modsecurity-nginx-v1.0.1.tar.gz.sha256
modsecurity-nginx-v1.0.1.tar.gz: OK
```

This seems to be alright, let's unpack this archive and return to the NGINX source code:

```bash
$> tar -xvzf modsecurity-nginx-v1.0.0.tar.gz
$> cd /usr/src/nginx/nginx-1.13.9
$> export MODSECURITY_LIB="/usr/src/modsecurity/modsecurity-v3.0.0/src/.libs/"
$> export MODSECURITY_INC="/usr/src/modsecurity/modsecurity-v3.0.0/headers/"
$> ./configure --prefix=/opt/nginx-1.13.9 --with-http_ssl_module --with-threads --with-file-aio --with-compat --add-dynamic-module=/usr/src/modsecurity/modsecurity-nginx-v1.0.0
$> tar -xvzf modsecurity-nginx-v1.0.1.tar.gz
$> cd /usr/src/nginx/nginx-1.19.1
$> export MODSECURITY_LIB="/usr/src/modsecurity/modsecurity-v3.0.4/src/.libs/"
$> export MODSECURITY_INC="/usr/src/modsecurity/modsecurity-v3.0.4/headers/"
$> ./configure --prefix=/opt/nginx-1.19.1 --with-http_ssl_module --with-threads --with-file-aio --with-compat --add-dynamic-module=/usr/src/modsecurity/modsecurity-nginx-v1.0.1
```
Before we can re-configure the compilation of NGINX, we need to give it two paths pointing to the ModSecurity source code path. And then with the configure command the path to the connector. Afterwards, this should be smooth. When it's done, then you can proceed and build the module. However, I also noticed, that the module could not be loaded by the previously compiled NGINX server. So we need to build that one again.
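Review bot: the full rebuild described in the trailing sentence ("the module could not be loaded by the previously compiled NGINX server. So we need to build that one again") follows from `--with-compat` being present in this configure line but absent from the tutorial-1 configure line updated in this same PR (`./configure --prefix=/opt/nginx-1.19.1 --with-http_ssl_module --with-threads --with-file-aio`): NGINX refuses a dynamic module whose build signature differs from its own, and `--with-compat` is the option that makes a separately built module loadable. Suggest adding `--with-compat` to the tutorial-1 configure command as part of this version update and stating the reason here, so the second rebuild of NGINX becomes unnecessary. Also "we need to give it two paths pointing to the ModSecurity source code path" should be tightened to "two paths into the ModSecurity source tree".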

Expand All @@ -105,7 +105,7 @@ $> make
...
$> sudo make install
...
$> sudo chown -R `whoami` /opt/nginx-1.13.9
$> sudo chown -R `whoami` /opt/nginx-1.19.1
$> make modules
...
```