Nginx installation package vs manual source build with mod_security

Hi All,
I have done some googles here example

https://docs.nginx.com/nginx/admin-g...ource/#sources. This site talks on both how to install via package manager or manually build it from source. I know from source its tedious and difficult to keep up and manage and also to the upgrade. Secondly on via manual build we can control which module to build or remove. Thirdly also to further improve security only it works via manual build too. So looking at all the google link looks like to install nginx is it best to do via manual source build or should I remain via package manager?

I can't look at all the google links, because I don't know them. The link you mention doesn't talk about the advantages of building from source, only about the method. I don't think I fully understand your third point.

"best" is relative to your goals. For me it's best to install it with a package manager, since the hassle far outweighs the benefits of building from source.

I don't know why you limit this discussion to nginx, by the way. Why not install everything from source?

Hi Berfbausch,
Sorry my third point is about mod_security settings example it explains here https://medium.com/building-goalwise...inx-15fdd42fa3. In this link it some how have to build the mod_security manually then link it with nginx ? So based your suggest best to go with package manger right ? Why I limit just for nginx is cause its show module can only be off via installing from source?

From their website there is no prebuilt modsecurity module for NGINX Open Source. As suggested from their website, download and install the mainline version from their repository for your distribution and compile modsecurity per their instructions. If your distribution is not supported then you will need to install nginx from source.

https://www.nginx.com/blog/compiling...ginx/#mainline

Quote:

Originally Posted by newbie14 So based your suggest best to go with package manger right ?

No. I don't suggest anything. I just point out that the word "best" has different meanings for different people.

As michaelk points out, you don't have to build nginx to use modsecurity. You only need to build modsecurity.

EDIT: The Medium article also says "you don’t need to compile NGINX again with this module but just the module can be compiled and plugged into the web server".

Hi Michaelk,
I am on centos 7 actually. What I am worried about compiling from source is the issue of updates as pointed out by bernd. But from my googling looks like mod_security is for sure to be compile and link separately for nginx.

Hi Bernd,
Yes I agree the link just ask to built mod_security separately and link it to nginx. I have also done googling for example on how to harden nginx for example here https://www.acunetix.com/blog/web-se...rdening-nginx/. Based on this link it suggest this. So looks like for this I must compile it manually I dont see any other option?

Quote:

Step 1. Disable Any Unwanted nginx Modules When you install nginx, it automatically includes many modules. Currently, you cannot choose modules at runtime. To disable certain modules, you need to recompile nginx. We recommend that you disable any modules that are not required as this will minimize the risk of potential attacks by limiting allowed operations.

Quote:

Originally Posted by newbie14 Hi Bernd, Yes I agree the link just ask to built mod_security separately and link it to nginx. I have also done googling for example on how to harden nginx for example here https://www.acunetix.com/blog/web-se...rdening-nginx/. Based on this link it suggest this. So looks like for this I must compile it manually I dont see any other option?

Yes, if you want to reduce the number of modules and therefore the attack surface, it seems that you have no other choice than building NGINX from source.

However, you can list build parameters and modules by running nginx -v. If you are happy with the result, why build it?

newbie14, you have the option to completely recompile nginx to include mod_security, or to use the dynamic module mod_security for nginx.
It appears that most distros do NOT have that in their repositories. Compiling it yourself is the most prudent choice in that case.
FWIW, ArchLinux has it in their repos. But I wouldn't recommend ArchLinux as a server distro, esp. not for a newbie.

Why is mod_security so important to you? Do you think nginx without mod_security is insecure?

Hi Bernd,
I agree with you thats why I want to avoid building it from source cause its cause more problem in terms of updates. I dont get you on this

Quote:

However, you can list build parameters and modules by running nginx -v. If you are happy with the result, why build it?

. How does this command helps cause that -V just gives the current nginx version ?

Hi Ondoho,
Yes I can build completely from source both nginx and mod_security. Why it important to me is to react as firewall? Do you have any better solution to further harden nginx web server ? I am just trying to harden my server.

Quote:

Originally Posted by newbie14 Hi Ondoho, Yes I can build completely from source both nginx and mod_security.

You did not understand my last post? You don't have to build nginx from source if you don't want to.

Quote:

Originally Posted by newbie14 Why it important to me is to react as firewall? Do you have any better solution to further harden nginx web server ? I am just trying to harden my server.

You can have a firewall indpendent of nginx.
Your server is the complete OS nginx is running on, not just nginx itself.

Hi Ondoho,
Sorry for my misunderstanding. Yes I saw the post which says I can independently built it then link to my nginx too. When you say firewall independent meaning a physical firewall or the built in firewalld in the centos ? Yes I agree the server is the complete os running but I am now focusing on how to further harden nginx and also the centos os by itself too.

I mean a software firewall.
Can be builtin (I guess you mean iptables), can be fancier.

Quote:

Originally Posted by newbie14 How does this command helps cause that -V just gives the current nginx version ?

Sorry, my mistake. It needs to be an upper-case V:

Code:

# nginx -V
nginx version: nginx/1.19.1
built by gcc 8.3.0 (Debian 8.3.0-6)
built with OpenSSL 1.1.1d  10 Sep 2019
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-compat --with-file-aio --with-threads --with-http_addition_module --with-http_auth_request_module --with-http_dav_module --with-http_flv_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_mp4_module --with-http_random_index_module --with-http_realip_module --with-http_secure_link_module --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --with-http_v2_module --with-mail --with-mail_ssl_module --with-stream --with-stream_realip_module --with-stream_ssl_module --with-stream_ssl_preread_module --with-cc-opt='-g -O2 -fdebug-prefix-map=/data/builder/debuild/nginx-1.19.1/debian/debuild-base/nginx-1.19.1=. -fstack-protector-strong -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fPIC' --with-ld-opt='-Wl,-z,relro -Wl,-z,now -Wl,--as-needed -pie'