In the past I introduced ModSecurity to an Apache-based Nextcloud.
Now my Nextcloud is running in an Nginx/php-fpm environment, and I want to add ModSecurity to it.
You can refer to docker-compose.yml and the other files on my GitHub.
What is done
Switching to owasp/modsecurity-crs:nginx
I switched from the plain Nginx image to owasp/modsecurity-crs:nginx, which bundles ModSecurity and the OWASP Core Rule Set (CRS) for ModSecurity.
01/29/2022
The error below has since been resolved, so owasp/modsecurity-crs:nginx can now be used without any modification!
If you are interested in how to use it, please refer to these commits in my repository.
This Docker image had an issue: the ModSecurity library was built without GeoIP/MaxMind support, so the CRS IP-reputation rule file (which uses a GeoIP lookup) fails to load and Nginx refuses to start.
sudo docker run -it --rm owasp/modsecurity-crs:nginx
2021/11/06 09:15:00 [emerg] 1#1: "modsecurity_rules_file" directive Rules error. File: /etc/modsecurity.d/owasp-crs/rules/REQUEST-910-IP-REPUTATION.conf. Line: 76. Column: 22. This version of ModSecurity was not compiled with GeoIP or MaxMind support. in /etc/nginx/conf.d/modsecurity.conf:2
nginx: [emerg] "modsecurity_rules_file" directive Rules error. File: /etc/modsecurity.d/owasp-crs/rules/REQUEST-910-IP-REPUTATION.conf. Line: 76. Column: 22. This version of ModSecurity was not compiled with GeoIP or MaxMind support. in /etc/nginx/conf.d/modsecurity.conf:2
I decided to install ModSecurity from source.
I referred to this Dockerfile, which is maintained by a Japanese geek!
Here you can see how to build/install.
– v3.0.5 is the latest tag at this moment.
It took about 30 minutes on a Raspberry Pi 4.
apt install -y apt-utils autoconf automake build-essential git libcurl4-openssl-dev libgeoip-dev liblmdb-dev libpcre++-dev libtool libxml2-dev libyajl-dev pkgconf wget zlib1g-dev
git clone --depth 1 -b v3.0.5 https://github.com/SpiderLabs/ModSecurity
cd ModSecurity
git submodule init && git submodule update
./build.sh
./configure
make
make install
You can refer to my commits.
Added rule exclusions for Nextcloud stability
I investigated which rules need to be excluded for Nextcloud to work reliably by testing these use cases.
- logging in
- viewing dashboard
- viewing folder
- viewing images
- viewing videos
- uploading files
  - small size
  - large size
- deleting files
- chatting in Talk
- video conference in Talk
- using Joplin
These are the rules I excluded. The zz- prefix makes the file load after the CRS rule files, which SecRuleRemoveById requires (it can only remove rules that have already been defined). Note that 949110 is the CRS blocking-evaluation rule that enforces the inbound anomaly-score threshold: removing it globally leaves every other rule logging but never denying a request, so it is better to narrow the other exclusions to the requests that need them than to drop 949110.
cat > /etc/modsecurity.d/owasp-crs/rules/zz-nextcloud.conf <<'EOF'
# 911100: Method is not allowed by policy (Nextcloud's WebDAV clients use PROPFIND etc.)
SecRuleRemoveById 911100
# 920420: Request content type is not allowed by policy
SecRuleRemoveById 920420
# 921110: HTTP Request Smuggling Attack
SecRuleRemoveById 921110
# 949110: Inbound Anomaly Score Exceeded (the rule that actually blocks)
SecRuleRemoveById 949110
EOF
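To see which rules actually fire while running through the test cases above, the place to look is the Nginx error log, where the ModSecurity connector writes one line per rule hit. The Python script below is an added example (it is not code from this post, from CRS or from Nextcloud): it parses such lines, reports the contributing rule IDs per URI, counts denied requests, and lints an exclusion file so that 949110 is never removed globally. The log lines are constructed to follow the libmodsecurity Nginx connector's format; the client IPs, hostnames, URIs, file line numbers and unique_ids in them are made up. The scoped-exclusion alternative assumes Nextcloud's WebDAV endpoint path /remote.php/dav/ and a local rule id 10001.

```python
"""Triage OWASP CRS hits from Nginx error-log lines and lint a CRS exclusion file.

Added example (not code from the original post). The log lines below are
constructed to follow the libmodsecurity Nginx connector's line format; the
client IPs, hostnames, URIs, line numbers and unique_ids are made up.
"""
import re
from collections import Counter, defaultdict

# Constructed sample: two PROPFIND requests and one chunk upload, each denied,
# plus one ordinary nginx line that must be ignored.
SAMPLE_LOG = """\
2022/01/29 10:00:01 [error] 7#7: *3 [client 172.18.0.1] ModSecurity: Warning. Matched "Operator `Within' with parameter `GET HEAD POST OPTIONS' against variable `REQUEST_METHOD' (Value: `PROPFIND' ) [file "/etc/modsecurity.d/owasp-crs/rules/REQUEST-911-METHOD-ENFORCEMENT.conf"] [line "52"] [id "911100"] [msg "Method is not allowed by policy"] [severity "2"] [hostname "172.18.0.2"] [uri "/remote.php/dav/files/alice/"] [unique_id "164347680101.000001"], client: 172.18.0.1, server: _, request: "PROPFIND /remote.php/dav/files/alice/ HTTP/1.1", host: "cloud.example"
2022/01/29 10:00:01 [error] 7#7: *3 [client 172.18.0.1] ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Ge' with parameter `5' against variable `TX:ANOMALY_SCORE' (Value: `5' ) [file "/etc/modsecurity.d/owasp-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "80"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "2"] [hostname "172.18.0.2"] [uri "/remote.php/dav/files/alice/"] [unique_id "164347680101.000001"], client: 172.18.0.1, server: _, request: "PROPFIND /remote.php/dav/files/alice/ HTTP/1.1", host: "cloud.example"
2022/01/29 10:00:04 [notice] 1#1: signal 1 (SIGHUP) received from 42, reconfiguring
2022/01/29 10:00:09 [error] 7#7: *5 [client 172.18.0.1] ModSecurity: Warning. Matched "Operator `Within' with parameter `GET HEAD POST OPTIONS' against variable `REQUEST_METHOD' (Value: `PROPFIND' ) [file "/etc/modsecurity.d/owasp-crs/rules/REQUEST-911-METHOD-ENFORCEMENT.conf"] [line "52"] [id "911100"] [msg "Method is not allowed by policy"] [severity "2"] [hostname "172.18.0.2"] [uri "/remote.php/dav/files/alice/"] [unique_id "164347680901.000002"], client: 172.18.0.1, server: _, request: "PROPFIND /remote.php/dav/files/alice/ HTTP/1.1", host: "cloud.example"
2022/01/29 10:00:09 [error] 7#7: *5 [client 172.18.0.1] ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Ge' with parameter `5' against variable `TX:ANOMALY_SCORE' (Value: `5' ) [file "/etc/modsecurity.d/owasp-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "80"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "2"] [hostname "172.18.0.2"] [uri "/remote.php/dav/files/alice/"] [unique_id "164347680901.000002"], client: 172.18.0.1, server: _, request: "PROPFIND /remote.php/dav/files/alice/ HTTP/1.1", host: "cloud.example"
2022/01/29 10:00:15 [error] 7#7: *8 [client 172.18.0.1] ModSecurity: Warning. Matched "Operator `Within' with parameter `|application/x-www-form-urlencoded| |multipart/form-data| |text/xml| |application/xml| |application/json|' against variable `TX:0' (Value: `application/octet-stream' ) [file "/etc/modsecurity.d/owasp-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "958"] [id "920420"] [msg "Request content type is not allowed by policy"] [severity "2"] [hostname "172.18.0.2"] [uri "/remote.php/dav/uploads/alice/web-file-upload-7/000001"] [unique_id "164347681501.000003"], client: 172.18.0.1, server: _, request: "PUT /remote.php/dav/uploads/alice/web-file-upload-7/000001 HTTP/1.1", host: "cloud.example"
2022/01/29 10:00:15 [error] 7#7: *8 [client 172.18.0.1] ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Ge' with parameter `5' against variable `TX:ANOMALY_SCORE' (Value: `5' ) [file "/etc/modsecurity.d/owasp-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "80"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "2"] [hostname "172.18.0.2"] [uri "/remote.php/dav/uploads/alice/web-file-upload-7/000001"] [unique_id "164347681501.000003"], client: 172.18.0.1, server: _, request: "PUT /remote.php/dav/uploads/alice/web-file-upload-7/000001 HTTP/1.1", host: "cloud.example"
"""

ID_RE = re.compile(r'\[id "(\d+)"\]')
MSG_RE = re.compile(r'\[msg "([^"]*)"\]')
URI_RE = re.compile(r'\[uri "([^"]*)"\]')
UID_RE = re.compile(r'\[unique_id "([^"]*)"\]')
# CRS blocking-evaluation rules (inbound/outbound): they enforce the anomaly
# threshold, they do not detect anything themselves.
BLOCKING_EVAL_IDS = {"949110", "959100"}


def parse_modsec_log(text):
    """Return one dict per ModSecurity event found in Nginx error-log text."""
    events = []
    for line in text.splitlines():
        if "ModSecurity:" not in line:
            continue  # ordinary nginx log line
        rid, uri, uid = ID_RE.search(line), URI_RE.search(line), UID_RE.search(line)
        if not (rid and uri and uid):
            continue
        msg = MSG_RE.search(line)
        events.append({
            "id": rid.group(1),
            "msg": msg.group(1) if msg else "",
            "uri": uri.group(1),
            "unique_id": uid.group(1),          # one per request; ties its hits together
            "denied": "Access denied" in line,  # False when SecRuleEngine is DetectionOnly
        })
    return events


def triage(events):
    """Group contributing rule hits per URI and count denied requests.

    949110 only reports that the score crossed the threshold; the rules that
    produced the score are the exclusion candidates, so 949110 is counted
    separately instead of being listed as something to remove.
    """
    candidates, messages, denied = defaultdict(Counter), {}, set()
    for ev in events:
        if ev["id"] in BLOCKING_EVAL_IDS:
            if ev["denied"]:
                denied.add(ev["unique_id"])
            continue
        candidates[ev["uri"]][ev["id"]] += 1
        messages[ev["id"]] = ev["msg"]
    return {"candidates": {u: dict(c) for u, c in candidates.items()},
            "messages": messages, "denied_requests": len(denied)}


REMOVE_RE = re.compile(r"^\s*SecRuleRemoveById\s+(.+?)\s*$", re.MULTILINE)


def lint_exclusions(conf_text):
    """Return (removed_tokens, problems) for a CRS exclusion file.

    Flags a global removal of 949110: without it, anomaly-scoring mode degrades
    to detect-only (every rule still logs, but no request is ever denied).
    """
    removed, problems = [], []
    for m in REMOVE_RE.finditer(conf_text):
        for token in m.group(1).split():  # single ids, or ranges like 920000-920999
            lo, _, hi = token.partition("-")
            lo, hi = int(lo), int(hi or lo)
            removed.append(token)
            if lo <= 949110 <= hi:
                problems.append("949110 removed globally: CRS will no longer block anything")
    return removed, problems


# The post's exclusion file, reproduced as a string for the lint.
POST_EXCLUSIONS = "SecRuleRemoveById 911100\nSecRuleRemoveById 920420\nSecRuleRemoveById 921110\nSecRuleRemoveById 949110\n"

# Narrower alternative: drop the two rules only for requests to the WebDAV
# endpoint (the path and the local rule id 10001 are assumptions) and keep 949110.
SCOPED_EXCLUSIONS = """\
SecRule REQUEST_URI "@beginsWith /remote.php/dav/" \\
    "id:10001,phase:1,pass,nolog,ctl:ruleRemoveById=911100,ctl:ruleRemoveById=920420"
"""

if __name__ == "__main__":
    report = triage(parse_modsec_log(SAMPLE_LOG))
    for uri, hits in report["candidates"].items():
        for rule_id, n in hits.items():
            print(f"{uri}: {rule_id} ({report['messages'][rule_id]}) x{n}")
    print("denied requests:", report["denied_requests"])
    for name, conf in (("post", POST_EXCLUSIONS), ("scoped", SCOPED_EXCLUSIONS)):
        print(name, lint_exclusions(conf))
```

Run against a real log (docker logs of the nginx container, or the file SecAuditLog points at if audit logging is enabled) the same way: 911100 and 920420 show up under the DAV paths, 949110 appears only in the denied-request count. For those two rules in particular, CRS also provides a non-exclusion fix in crs-setup.conf: extend tx.allowed_methods (rule 900200) with the WebDAV methods and tx.allowed_request_content_type (rule 900220) with the upload content type, which keeps both rules active for everything else.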
Yes, my Nextcloud works fine for now.
I didn’t experience any performance degradation, so it’s good!
Conclusion
How was it?
This doesn’t take much time, so you should do it!
Comments
Hello, have you tried to get ModSecurity working with Nextcloud running behind SWAG’s nginx instead, please? Thanks
Hi!
Unfortunately I haven’t used SWAG.
I use the “https-portal” Docker image as a reverse proxy and for HTTPS support.
Thanks.