NGINX Dynamic Module Support

[signus]

With the release of NGINX 1.9.11, dynamic modules are now supported. Is this a planned improvement for ModSecurity in the near future?

For example:

load_module modules/modsecurity_module_x.so

I suggest this a merely an improvement request, as this would enable myself and others to maintain a singular build of NGINX for all systems, and only load ModSecurity on the NGINX systems that we desire them to be loaded on.

[csanders-git]

It looks like someone has already submitted a pull for modsecurity v3 :)
owasp-modsecurity/ModSecurity-nginx#5

[signus]

Gotcha, searched on the wrong repo! Thanks!

Closing.

[csanders-git]

we welcome a patch for the 2.x branch

[mark-schaal]

Is there any backward compatibility planned for the 2.x branch as mentioned by @csanders-git ?

Hi,

If anyone is looking for a v2 config file to have dynamic module, I succeeded and it's working fine on my Debian 8 system... ! :)

first compile mod_security lib itself:

git clone -b master https://github.com/SpiderLabs/ModSecurity.git
cd ModSecurity
./autogen.sh
./configure CFLAGS="-fPIC" --enable-standalone-module --disable-apache2-module
make

Note: CFLAGS="-fPIC" is the important part that changed

then modify config file under nginx/modsecurity:

#!/bin/sh

CFLAGS="$CFLAGS \
     -I/usr/include/apr-1.0  \
     -I/usr/include/apr-1.0 -I/usr/include \
    -I/usr/include/apache2 \
    -I/usr/include/libxml2 \
     \
    -DWITH_PCRE_STUDY -DMODSEC_PCRE_MATCH_LIMIT=1500 -DMODSEC_PCRE_MATCH_LIMIT_RECURSION=1500  -DREQUEST_EARLY                 -DWITH_APU_CRYPTO -DWITH_REMOTE_RULES \
     \
    -DWITH_YAJL -I/usr/include/yajl   \
    "


CORE_LIBS="$CORE_LIBS \
     -L/usr/lib/x86_64-linux-gnu -lapr-1 \
     -L/usr/lib/x86_64-linux-gnu -laprutil-1 \
    -I/usr/include/apache2 \
    -L/usr/lib/x86_64-linux-gnu -lcurl \
    -lxml2 \
     \
    -lpcre \
    -L/usr/lib   \
    -lyajl   \
    "


NGX_ADDON_DEPS="$NGX_ADDON_DEPS \
                $ngx_addon_dir/apr_bucket_nginx.h \
                $ngx_addon_dir/ngx_pool_context.h"

CORE_LIBS="$ngx_addon_dir/../../standalone/.libs/standalone.a $CORE_LIBS"

CORE_INCS="$CORE_INCS \
        $ngx_addon_dir \
        $ngx_addon_dir/../../standalone \
        $ngx_addon_dir/../../apache2"

NGX_ADDON_SRCS="$NGX_ADDON_SRCS \
                $ngx_addon_dir/ngx_http_modsecurity.c \
                $ngx_addon_dir/apr_bucket_nginx.c \
                $ngx_addon_dir/ngx_pool_context.c"

ngx_addon_name=ngx_http_modsecurity

if test -n "$ngx_module_link"; then
    ngx_module_type=HTTP_AUX_FILTER
    ngx_module_name="ngx_http_modsecurity ngx_pool_context_module"
    ngx_module_deps=$NGX_ADDON_DEPS
    ngx_module_incs="$ngx_addon_dir $CORE_INCS"
    ngx_module_srcs="$NGX_ADDON_SRCS"
    ngx_module_libs="$CORE_LIBS"

    . auto/module
else

CORE_MODULES="$CORE_MODULES ngx_pool_context_module"
HTTP_AUX_FILTER_MODULES="ngx_http_modsecurity $HTTP_AUX_FILTER_MODULES"

fi

Then compile nginx as normal, it will create a dynamic ngx_http_modsecurity.so!!

PS: There was a small mistake, just corrected it. ModSec is really running fine with comodo ruleset now :)

[Blason]

I just tried following up the same thing with nginx-plus package and everything gone perfectly however after enabling in server.conf file worker process is getting crashed consistently.

2017/08/10 22:52:40 [notice] 1980#1980: start worker process 2023
2017/08/10 22:52:40 [notice] 1980#1980: signal 29 (SIGIO) received
2017/08/10 22:52:40 [notice] 1980#1980: signal 17 (SIGCHLD) received
2017/08/10 22:52:40 [alert] 1980#1980: worker process 2012 exited on signal 11
2017/08/10 22:52:40 [notice] 1980#1980: start worker process 2024
2017/08/10 22:52:40 [notice] 1980#1980: signal 29 (SIGIO) received
2017/08/10 22:52:40 [notice] 1980#1980: signal 17 (SIGCHLD) received
2017/08/10 22:52:40 [alert] 1980#1980: worker process 2023 exited on signal 11
2017/08/10 22:52:40 [notice] 1980#1980: start worker process 2025
2017/08/10 22:52:40 [notice] 1980#1980: signal 29 (SIGIO) received