Installed modsecurity to Nginx/php-fpm based Nextcloud

Container
Reading Time: 2 minutes



In the past I introduced mod-security to apache based Nextcloud.



Now my Nextcloud is running on Nginx/php-fpm environment and to add modsecurity on this.



You can refer docker-compose.yml and other files on my github.

GitHub - kurofuku/nextcloud-container-fpm
Contribute to kurofuku/nextcloud-container-fpm development by creating an account on GitHub.

What is done

Switching to owasp/modsecurity-crs:nginx

I switched from pure Nginx image to owasp/modsecurity-crs:nginx which includes modsecurity and Common Rule Sets for modsecurity.

This docker image has issue which modsecurity library doesn’t link with libGeoIP.

sudo docker run -it --rm owasp/modsecurity-crs:nginx
2021/11/06 09:15:00 [emerg] 1#1: "modsecurity_rules_file" directive Rules error. File: /etc/modsecurity.d/owasp-crs/rules/REQUEST-910-IP-REPUTATION.conf. Line: 76. Column: 22. This version of ModSecurity was not compiled with GeoIP or MaxMind support.  in /etc/nginx/conf.d/modsecurity.conf:2
nginx: [emerg] "modsecurity_rules_file" directive Rules error. File: /etc/modsecurity.d/owasp-crs/rules/REQUEST-910-IP-REPUTATION.conf. Line: 76. Column: 22. This version of ModSecurity was not compiled with GeoIP or MaxMind support.  in /etc/nginx/conf.d/modsecurity.conf:2



I decided to install from source code.
I referred this Dockerfile which is managed by Japanese geek!

Here you can see how to build/install.
– v3.0.5 is the latest tag at this moment.
It took about 30 mins by Raspberry Pi 4.

apt install -y apt-utils autoconf automake build-essential git libcurl4-openssl-dev libgeoip-dev liblmdb-dev libpcre++-dev libtool libxml2-dev libyajl-dev pkgconf wget zlib1g-dev
git clone --depth 1 -b v3.0.5 https://github.com/SpiderLabs/ModSecurity
cd ModSecurity
git submodule init && git submodule update
./build.sh
./configure
make
make install



You can refer my commits.

Switched to use owasp/modsecurity-crs:nginx for nginx. · kurofuku/nextcloud-container-fpm@e7cf318
Contribute to kurofuku/nextcloud-container-fpm development by creating an account on GitHub.
Added missing file. · kurofuku/nextcloud-container-fpm@20a140a
Contribute to kurofuku/nextcloud-container-fpm development by creating an account on GitHub.



Added excluding rules for stability of Nextcloud

I investigated which rules should be excluded for stable Nextcloud by testing with these use cases.

- logging in
- viewing dashboard
- viewing folder
- viewing images
- viewing videos
- uploading files
 - small size
 - large size
- deleting files
- chatting in talk
- video conference in talk
- using Joplin



There are rules I excluded.

echo 'SecRuleRemoveById 911100' >  /etc/modsecurity.d/owasp-crs/rules/zz-nextcloud.conf &&
echo 'SecRuleRemoveById 920420' >> /etc/modsecurity.d/owasp-crs/rules/zz-nextcloud.conf &&
echo 'SecRuleRemoveById 921110' >> /etc/modsecurity.d/owasp-crs/rules/zz-nextcloud.conf &&
echo 'SecRuleRemoveById 949110' >> /etc/modsecurity.d/owasp-crs/rules/zz-nextcloud.conf &&



Yes, my Nextcloud works fine for now.

I didn’t experienced any performance down, so it’s good!

Conclusion

How was it?

This doesn’t take much time, so you should do it!

Comments

タイトルとURLをコピーしました