Introduction
ModSecurity is a web application firewall that blocks SQL injection, XSS, and other exploits. This guide covers installation on Nginx and Apache.
1. Install ModSecurity (Nginx)
Compile Nginx with ModSecurity or use a pre-built module. Many repositories offer libnginx-mod-security.
2. Install ModSecurity (Apache)
Run sudo apt install libapache2-mod-security2, then enable the module and reload Apache.
3. Enable OWASP Core Rule Set (CRS)
Download CRS from GitHub and place in /etc/modsecurity/crs/.
4. Basic Configuration
Edit /etc/modsecurity/modsecurity.conf: set SecRuleEngine On.
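Steps 1 to 4 as one runnable procedure for the Apache case, written as an added example (not the guide's own script). It assumes a Debian/Ubuntu host where the packaged security2 module loads every /etc/modsecurity/*.conf, that the script runs as root, and that CRS_VERSION is replaced with a real release tag; the helper functions only touch the files they are given, so the install itself runs only when the script is invoked with the argument install.

```shell
#!/bin/sh
# Added example: install ModSecurity 2 for Apache, switch the engine on and
# wire in OWASP CRS. Paths follow the Debian package layout (assumption).
set -eu

MODSEC_DIR=/etc/modsecurity
CRS_DIR=$MODSEC_DIR/crs
CRS_VERSION=${CRS_VERSION:-vX.Y.Z}   # placeholder: use a real CRS release tag

# Set SecRuleEngine in a modsecurity.conf-style file to On or DetectionOnly
# (idempotent: rewrites an existing directive, appends one if missing).
set_rule_engine() {
    conf=$1; mode=${2:-On}
    if grep -q '^SecRuleEngine' "$conf"; then
        sed "s/^SecRuleEngine .*/SecRuleEngine $mode/" "$conf" > "$conf.tmp" \
            && mv "$conf.tmp" "$conf"
    else
        printf 'SecRuleEngine %s\n' "$mode" >> "$conf"
    fi
    grep '^SecRuleEngine' "$conf"
}

# Write the include file that loads crs-setup.conf and the rule files.
# Named zz-crs.conf so the *.conf glob loads it after modsecurity.conf.
write_crs_include() {
    out=$1; crs=$2
    cat > "$out" <<EOF
# Load OWASP CRS (generated by install script)
IncludeOptional $crs/crs-setup.conf
IncludeOptional $crs/rules/*.conf
EOF
}

install_all() {
    apt-get install -y libapache2-mod-security2 git
    a2enmod security2
    [ -f "$MODSEC_DIR/modsecurity.conf" ] || \
        cp "$MODSEC_DIR/modsecurity.conf-recommended" "$MODSEC_DIR/modsecurity.conf"
    set_rule_engine "$MODSEC_DIR/modsecurity.conf" On
    [ -d "$CRS_DIR" ] || git clone --depth 1 --branch "$CRS_VERSION" \
        https://github.com/coreruleset/coreruleset "$CRS_DIR"
    [ -f "$CRS_DIR/crs-setup.conf" ] || \
        cp "$CRS_DIR/crs-setup.conf.example" "$CRS_DIR/crs-setup.conf"
    write_crs_include "$MODSEC_DIR/zz-crs.conf" "$CRS_DIR"
    apachectl configtest && systemctl reload apache2
}

# Only run the installation when explicitly asked: sh install.sh install
if [ "${1:-}" = "install" ]; then
    install_all
fi
```

Start with set_rule_engine ... DetectionOnly on a production host and switch to On once the audit log shows no false positives.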
5. Test with a Known Attack
Try curl 'http://example.com/?id=1%20OR%201=1' against your own server (the spaces must be percent-encoded, or the server rejects the malformed request line with a 400 before the WAF sees it). The request should be blocked with a 403.
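A small self-test script for this step, added here as an example (not part of the guide): it percent-encodes each probe, sends it to a base URL you supply, and reports whether the WAF answered 403. The probe list and the verdict names are constructed for illustration; run it only against servers you operate.

```shell
#!/bin/sh
# Added example: send the guide's probe to your own WAF and classify the result.
set -eu

# Percent-encode one query value so curl sends a well-formed request line.
# Unreserved characters (A-Z a-z 0-9 - . _ ~) are passed through.
urlencode() {
    printf '%s' "$1" | od -An -tx1 -v | tr ' ' '\n' | grep -v '^$' |
    while read -r hex; do
        case "$hex" in
            3[0-9]|4[1-9a-f]|5[0-9a]|6[1-9a-f]|7[0-9a]|2d|2e|5f|7e)
                printf "\\$(printf '%03o' "0x$hex")" ;;
            *)  printf '%%%s' "$(printf '%s' "$hex" | tr 'a-f' 'A-F')" ;;
        esac
    done
}

# Map the HTTP status returned for a probe to a verdict.
classify() {
    case "$1" in
        403) echo blocked ;;       # WAF denied the request
        200) echo passed ;;        # reached the app (rule off, or DetectionOnly)
        000) echo unreachable ;;   # curl could not connect
        *)   echo "other($1)" ;;
    esac
}

# Send one probe as the id= query parameter and print "<verdict><TAB><payload>".
probe() {
    base=$1; payload=$2
    status=$(curl -s -o /dev/null -w '%{http_code}' \
        "$base/?id=$(urlencode "$payload")")
    printf '%s\t%s\n' "$(classify "$status")" "$payload"
}

# Usage: sh waf-probe.sh https://example.com
if [ $# -ge 1 ]; then
    probe "$1" "1 OR 1=1"                        # the guide's SQL injection probe
    probe "$1" "<script>alert(1)</script>"       # constructed XSS probe
fi
```

Anything reported as passed while SecRuleEngine is On is worth a look in the audit log: either the rule set is not loaded for that location or the request never reached ModSecurity.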
6. CRS Paranoia Level
Start with paranoia level 1 (low) and increase after testing.
7. Whitelisting False Positives
Use SecRuleRemoveById in a location block to disable specific rules.
8. Audit Logging
Set SecAuditLog /var/log/modsec_audit.log and review regularly.
9. Performance Tuning
Disable rules that are not relevant (e.g., WordPress-specific rules if not needed).
10. Rule Exclusion for Plugins
Create exclusions for known false positives (e.g., from popular CMS plugins).
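Steps 7 and 10 together, as an added example rather than the guide's own configuration: a generator for CRS exclusion files. SecRuleRemoveById disables a rule everywhere, so the first helper emits the scoped form instead, a ctl:ruleRemoveById action that fires only for one URL prefix (for instance a CMS admin area). The second helper emits the global form from step 7 for cases where that really is wanted. The rule IDs, the /wp-admin/ prefix and the local rule id 1000 are placeholders; take real IDs from your audit log. The output file names follow the CRS convention (assumption: exclusions that run before CRS go in REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf, SecRuleRemoveById lines in RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf, both copied from their .example files).

```shell
#!/bin/sh
# Added example: generate CRS rule exclusions, scoped to a URL prefix where possible.
set -eu

# Scoped exclusion: the listed CRS rule IDs are removed only for requests whose
# URI starts with <url-prefix>; every other path keeps full protection.
# Usage: write_scoped_exclusion <out-file> <local-rule-id> <url-prefix> <crs-id>...
write_scoped_exclusion() {
    out=$1; local_id=$2; prefix=$3; shift 3
    ctls=""
    for id in "$@"; do
        ctls="$ctls,ctl:ruleRemoveById=$id"   # one ctl action per rule id
    done
    {
        printf '# Scoped exclusion for %s (generated; local ids 1-99999 are reserved for you)\n' "$prefix"
        printf 'SecRule REQUEST_URI "@beginsWith %s" \\\n' "$prefix"
        printf '    "id:%s,phase:1,pass,nolog%s"\n' "$local_id" "$ctls"
    } > "$out"
}

# Global exclusion (the guide's step 7 form): the rule is gone for every request.
# Usage: write_global_exclusion <out-file> <crs-id>...
write_global_exclusion() {
    out=$1; shift
    {
        printf '# Global exclusions (generated): these rules are disabled for ALL requests\n'
        for id in "$@"; do
            printf 'SecRuleRemoveById %s\n' "$id"
        done
    } > "$out"
}

# Usage: sh gen-exclusions.sh /etc/modsecurity/crs
if [ $# -ge 1 ]; then
    crs=$1
    write_scoped_exclusion "$crs/rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf" \
        1000 /wp-admin/ 942100 941100       # placeholder ids and prefix
    write_global_exclusion "$crs/rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf" \
        942100                              # placeholder id
fi
```

Prefer the scoped form whenever the false positive is tied to one application path; a global SecRuleRemoveById silently removes that detection from every endpoint, including the ones the rule was written for.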
11. ModSecurity on Nginx as Reverse Proxy
ModSecurity runs as an independent proxy or inside Nginx (libmodsecurity3).
12. Coraza as Alternative
Coraza is a modern, Go-based WAF compatible with CRS.
13. Blocking Behaviour
Choose between denying the request (403) and redirecting it.
14. Inbound vs Outbound Rules
Default rules inspect requests. You can also inspect responses to prevent data leaks.
15. Updating CRS Regularly
Subscribe to CRS updates to receive new attack signatures.
16. ModSecurity Dashboard
Use a log analyser like OSSEC or a custom script to visualise blocked attacks.
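For steps 8 and 16, an added example of the "custom script" route, not code from the guide: it summarises a serial-format audit log (the default SecAuditLogType) by rule ID and by client address, which is usually enough to spot the noisiest rule or source before building a dashboard. The embedded log is constructed for illustration; the rule IDs in it are illustrative CRS IDs and the addresses are documentation ranges.

```shell
#!/bin/sh
# Added example: summarise a ModSecurity serial audit log from the shell.
set -eu

# Constructed sample of the serial audit format: section A carries the
# client address as the 4th field, section H carries one "Message:" per
# matched rule with the rule id in [id "..."].
sample_log() {
    cat <<'EOF'
--1a2b3c4d-A--
[01/Jan/2024:10:00:00 +0000] Xa1 203.0.113.5 51234 10.0.0.2 443
--1a2b3c4d-B--
GET /?id=1%20OR%201=1 HTTP/1.1
Host: example.com
--1a2b3c4d-H--
Message: Warning. detected SQLi using libinjection. [id "942100"] [msg "SQL Injection Attack Detected via libinjection"] [severity "CRITICAL"]
Message: Access denied with code 403 (phase 2). [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"]
--1a2b3c4d-Z--
--5e6f7a8b-A--
[01/Jan/2024:10:00:05 +0000] Xa2 203.0.113.5 51240 10.0.0.2 443
--5e6f7a8b-B--
GET /?q=%3Cscript%3E HTTP/1.1
Host: example.com
--5e6f7a8b-H--
Message: Warning. detected XSS using libinjection. [id "941100"] [msg "XSS Attack Detected via libinjection"] [severity "CRITICAL"]
Message: Access denied with code 403 (phase 2). [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"]
--5e6f7a8b-Z--
--9c0d1e2f-A--
[01/Jan/2024:10:01:00 +0000] Xa3 198.51.100.7 40001 10.0.0.2 443
--9c0d1e2f-B--
GET /?id=1%20OR%201=1 HTTP/1.1
Host: example.com
--9c0d1e2f-H--
Message: Warning. detected SQLi using libinjection. [id "942100"] [msg "SQL Injection Attack Detected via libinjection"] [severity "CRITICAL"]
Message: Access denied with code 403 (phase 2). [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"]
--9c0d1e2f-Z--
EOF
}

# Print "<rule-id> <count>" lines, most frequent first.
top_rule_ids() {
    grep -o '\[id "[0-9]*"\]' "$1" | tr -d '[]"' | awk '{ print $2 }' \
        | sort | uniq -c | sort -rn | awk '{ print $2, $1 }'
}

# Print "<client-ip> <count>" lines, most frequent first (from section A).
top_sources() {
    awk '/-A--$/ { getline; print $4 }' "$1" \
        | sort | uniq -c | sort -rn | awk '{ print $2, $1 }'
}

# Usage: sh audit-summary.sh /var/log/modsec_audit.log   (no arg: built-in sample)
if [ $# -ge 1 ]; then
    log=$1
else
    log=$(mktemp); sample_log > "$log"
fi
echo "== rule ids =="; top_rule_ids "$log"
echo "== sources =="; top_sources "$log"
```

A rule that tops the list with many distinct sources is a candidate for a scoped exclusion; a source that tops the list across many rules is a candidate for rate limiting or a block at the edge.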
17. Combining with Rate Limiting
Use Nginx’s limit_req together with ModSecurity for DDoS mitigation.
18. Testing with GoTestWAF
Run automated tests to ensure your WAF blocks known payloads.
19. Debugging Mode
Set SecRuleEngine DetectionOnly to log without blocking, then tune.
20. Hostxpeed Recommendations
ModSecurity adds CPU overhead. Use it only on high-risk endpoints (e.g., login, checkout).
Conclusion
ModSecurity + OWASP CRS provides excellent protection against web attacks. Start in detection mode, then enable blocking.