In the past I introduced mod-security to apache based Nextcloud.
Now my Nextcloud is running on Nginx/php-fpm environment and to add modsecurity on this.
You can refer docker-compose.yml and other files on my github.
What is done
Switching to owasp/modsecurity-crs:nginx
I switched from pure Nginx image to owasp/modsecurity-crs:nginx which includes modsecurity and Common Rule Sets for modsecurity.
Below error was resolved so we can use owasp/modsecurity-crs:nginx without any modification!
If you are interested in how to use please refer these commits of my repository.
is docker image has issue which modsecurity library doesn’t link with libGeoIP.
sudo docker run -it --rm owasp/modsecurity-crs:nginx 2021/11/06 09:15:00 [emerg] 1#1: "modsecurity_rules_file" directive Rules error. File: /etc/modsecurity.d/owasp-crs/rules/REQUEST-910-IP-REPUTATION.conf. Line: 76. Column: 22. This version of ModSecurity was not compiled with GeoIP or MaxMind support. in /etc/nginx/conf.d/modsecurity.conf:2 nginx: [emerg] "modsecurity_rules_file" directive Rules error. File: /etc/modsecurity.d/owasp-crs/rules/REQUEST-910-IP-REPUTATION.conf. Line: 76. Column: 22. This version of ModSecurity was not compiled with GeoIP or MaxMind support. in /etc/nginx/conf.d/modsecurity.conf:2 I decided to install from source code.
I referred this Dockerfile which is managed by Japanese geek!
ere you can see how to build/install.
– v3.0.5 is the latest tag at this moment.
It took about 30 mins by Raspberry Pi 4.
apt install -y apt-utils autoconf automake build-essential git libcurl4-openssl-dev libgeoip-dev liblmdb-dev libpcre++-dev libtool libxml2-dev libyajl-dev pkgconf wget zlib1g-dev git clone --depth 1 -b v3.0.5 https://github.com/SpiderLabs/ModSecurity cd ModSecurity git submodule init && git submodule update ./build.sh ./configure make make install
ou can refer my commits.
Added excluding rules for stability of Nextcloud
I investigated which rules should be excluded for stable Nextcloud by testing with these use cases.
- logging in - viewing dashboard - viewing folder - viewing images - viewing videos - uploading files - small size - large size - deleting files - chatting in talk - video conference in talk - using Joplin
There are rules I excluded.
echo 'SecRuleRemoveById 911100' > /etc/modsecurity.d/owasp-crs/rules/zz-nextcloud.conf && echo 'SecRuleRemoveById 920420' >> /etc/modsecurity.d/owasp-crs/rules/zz-nextcloud.conf && echo 'SecRuleRemoveById 921110' >> /etc/modsecurity.d/owasp-crs/rules/zz-nextcloud.conf && echo 'SecRuleRemoveById 949110' >> /etc/modsecurity.d/owasp-crs/rules/zz-nextcloud.conf &&
Yes, my Nextcloud works fine for now.
I didn’t experienced any performance down, so it’s good!
How was it?
This doesn’t take much time, so you should do it!
Hello, have you tried to get ModSecurity working with a Nextcloud running behind SWAG nginx instead please? Thanks
Unfortunately I haven’t used SWAG.
I use “https-portal” docker image as reverse proxy and https support.