LinuxQuestions.org
Old 07-31-2020, 12:22 PM   #1
newbie14
Member
 
Registered: Sep 2011
Posts: 631

Rep: Reputation: Disabled
Nginx installation package vs manual source build with mod_security


Hi All,
I have done some googling, for example here:

https://docs.nginx.com/nginx/admin-g...ource/#sources. This site talks about both how to install via a package manager and how to build it manually from source. I know that building from source is tedious and difficult to keep up with and manage, and also to upgrade. Secondly, via a manual build we can control which modules to build or remove. Thirdly, further improving security also only works via a manual build. So, looking at all the Google links: to install nginx, is it best to do a manual source build, or should I remain with the package manager?
 
Old 07-31-2020, 01:17 PM   #2
berndbausch
LQ Guru
 
Registered: Nov 2013
Location: Tokyo
Distribution: A few
Posts: 5,020

Rep: Reputation: 1504
I can't look at all the google links, because I don't know them. The link you mention doesn't talk about the advantages of building from source, only about the method. I don't think I fully understand your third point.

"best" is relative to your goals. For me it's best to install it with a package manager, since the hassle far outweighs the benefits of building from source.

I don't know why you limit this discussion to nginx, by the way. Why not install everything from source?

Last edited by berndbausch; 07-31-2020 at 01:20 PM.
 
Old 07-31-2020, 01:25 PM   #3
newbie14
Member
 
Registered: Sep 2011
Posts: 631

Original Poster
Rep: Reputation: Disabled
Hi Berndbausch,
Sorry, my third point is about mod_security settings; for example, it is explained here: https://medium.com/building-goalwise...inx-15fdd42fa3. In this link, you somehow have to build mod_security manually and then link it with nginx? So, based on your suggestion, it is best to go with the package manager, right? Why I limit this to just nginx is because it shows that modules can only be turned off by installing from source?
 
Old 07-31-2020, 01:37 PM   #4
michaelk
Moderator
 
Registered: Aug 2002
Posts: 20,246

Rep: Reputation: 3464
From their website there is no prebuilt modsecurity module for NGINX Open Source. As suggested from their website, download and install the mainline version from their repository for your distribution and compile modsecurity per their instructions. If your distribution is not supported then you will need to install nginx from source.

https://www.nginx.com/blog/compiling...ginx/#mainline
 
1 members found this post helpful.
Old 07-31-2020, 01:55 PM   #5
berndbausch
LQ Guru
 
Registered: Nov 2013
Location: Tokyo
Distribution: A few
Posts: 5,020

Rep: Reputation: 1504
Quote:
Originally Posted by newbie14
So, based on your suggestion, it is best to go with the package manager, right?
No. I don't suggest anything. I just point out that the word "best" has different meanings for different people.

As michaelk points out, you don't have to build nginx to use modsecurity. You only need to build modsecurity.

EDIT: The Medium article also says "you don’t need to compile NGINX again with this module but just the module can be compiled and plugged into the web server".

Last edited by berndbausch; 07-31-2020 at 01:58 PM.
 
Old 08-01-2020, 12:13 AM   #6
newbie14
Member
 
Registered: Sep 2011
Posts: 631

Original Poster
Rep: Reputation: Disabled
Hi Michaelk,
I am on CentOS 7, actually. What I am worried about with compiling from source is the issue of updates, as pointed out by Bernd. But from my googling, it looks like mod_security for sure has to be compiled and linked separately for nginx.
 
Old 08-01-2020, 12:18 AM   #7
newbie14
Member
 
Registered: Sep 2011
Posts: 631

Original Poster
Rep: Reputation: Disabled
Hi Bernd,
Yes, I agree, the link just asks to build mod_security separately and link it to nginx. I have also done some googling on how to harden nginx, for example here: https://www.acunetix.com/blog/web-se...rdening-nginx/. This link suggests the following. So it looks like for this I must compile it manually; I don't see any other option?

Quote:
Step 1. Disable Any Unwanted nginx Modules

When you install nginx, it automatically includes many modules. Currently, you cannot choose modules at runtime. To disable certain modules, you need to recompile nginx. We recommend that you disable any modules that are not required as this will minimize the risk of potential attacks by limiting allowed operations.
 
Old 08-01-2020, 01:21 AM   #8
berndbausch
LQ Guru
 
Registered: Nov 2013
Location: Tokyo
Distribution: A few
Posts: 5,020

Rep: Reputation: 1504
Quote:
Originally Posted by newbie14
Hi Bernd,
Yes, I agree, the link just asks to build mod_security separately and link it to nginx. I have also done some googling on how to harden nginx, for example here: https://www.acunetix.com/blog/web-se...rdening-nginx/. This link suggests the following. So it looks like for this I must compile it manually; I don't see any other option?
Yes, if you want to reduce the number of modules and therefore the attack surface, it seems that you have no other choice than building NGINX from source.

However, you can list build parameters and modules by running nginx -v. If you are happy with the result, why build it?
 
Old 08-01-2020, 04:53 AM   #9
ondoho
LQ Addict
 
Registered: Dec 2013
Posts: 14,976
Blog Entries: 9

Rep: Reputation: 4240
newbie14, you have the option to completely recompile nginx to include mod_security, or to use the dynamic module mod_security for nginx.
It appears that most distros do NOT have that in their repositories. Compiling it yourself is the most prudent choice in that case.
FWIW, ArchLinux has it in their repos. But I wouldn't recommend ArchLinux as a server distro, esp. not for a newbie.

Why is mod_security so important to you? Do you think nginx without mod_security is insecure?
 
Old 08-01-2020, 12:26 PM   #10
newbie14
Member
 
Registered: Sep 2011
Posts: 631

Original Poster
Rep: Reputation: Disabled
Hi Bernd,
I agree with you; that's why I want to avoid building it from source, because it causes more problems in terms of updates. I don't get you on this:
Quote:
However, you can list build parameters and modules by running nginx -v. If you are happy with the result, why build it?
How does this command help, because that -V just gives the current nginx version?
 
Old 08-01-2020, 12:29 PM   #11
newbie14
Member
 
Registered: Sep 2011
Posts: 631

Original Poster
Rep: Reputation: Disabled
Hi Ondoho,
Yes, I can build both nginx and mod_security completely from source. Why it is important to me is to act as a firewall? Do you have any better solution to further harden the nginx web server? I am just trying to harden my server.
 
Old 08-01-2020, 01:52 PM   #12
ondoho
LQ Addict
 
Registered: Dec 2013
Posts: 14,976
Blog Entries: 9

Rep: Reputation: 4240
Quote:
Originally Posted by newbie14
Hi Ondoho,
Yes, I can build both nginx and mod_security completely from source.
You did not understand my last post? You don't have to build nginx from source if you don't want to.

Quote:
Originally Posted by newbie14
Why it is important to me is to act as a firewall? Do you have any better solution to further harden the nginx web server? I am just trying to harden my server.
You can have a firewall independent of nginx.
Your server is the complete OS nginx is running on, not just nginx itself.
 
Old 08-01-2020, 02:24 PM   #13
newbie14
Member
 
Registered: Sep 2011
Posts: 631

Original Poster
Rep: Reputation: Disabled
Hi Ondoho,
Sorry for my misunderstanding. Yes, I saw the post which says I can build it independently and then link it to my nginx too. When you say an independent firewall, do you mean a physical firewall or the built-in firewalld in CentOS? Yes, I agree the server is the complete OS that is running, but I am now focusing on how to further harden nginx and also the CentOS OS itself too.
 
Old 08-01-2020, 02:52 PM   #14
ondoho
LQ Addict
 
Registered: Dec 2013
Posts: 14,976
Blog Entries: 9

Rep: Reputation: 4240
I mean a software firewall.
Can be builtin (I guess you mean iptables), can be fancier.
 
Old 08-01-2020, 07:46 PM   #15
berndbausch
LQ Guru
 
Registered: Nov 2013
Location: Tokyo
Distribution: A few
Posts: 5,020

Rep: Reputation: 1504
Quote:
Originally Posted by newbie14
How does this command help, because that -V just gives the current nginx version?
Sorry, my mistake. It needs to be an upper-case V:
Code:
# nginx -V
nginx version: nginx/1.19.1
built by gcc 8.3.0 (Debian 8.3.0-6)
built with OpenSSL 1.1.1d  10 Sep 2019
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-compat --with-file-aio --with-threads --with-http_addition_module --with-http_auth_request_module --with-http_dav_module --with-http_flv_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_mp4_module --with-http_random_index_module --with-http_realip_module --with-http_secure_link_module --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --with-http_v2_module --with-mail --with-mail_ssl_module --with-stream --with-stream_realip_module --with-stream_ssl_module --with-stream_ssl_preread_module --with-cc-opt='-g -O2 -fdebug-prefix-map=/data/builder/debuild/nginx-1.19.1/debian/debuild-base/nginx-1.19.1=. -fstack-protector-strong -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fPIC' --with-ld-opt='-Wl,-z,relro -Wl,-z,now -Wl,--as-needed -pie'
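
The check discussed in this thread, written out as an added example (not code from any poster or from the nginx project): it parses `nginx -V` output, lists the optional modules compiled into a packaged binary, compares them with the modules a site needs, and reports whether `--with-compat` is present so that a separately built dynamic module such as the ModSecurity connector can be loaded without rebuilding nginx. The sample output is constructed and abbreviated from the format shown above; `audit_build`, the `needed` set and the report keys are hypothetical names.

```python
import shlex

# Constructed sample: abbreviated `nginx -V` output in the same format as the post above.
SAMPLE = (
    "nginx version: nginx/1.19.1\n"
    "built with OpenSSL 1.1.1d  10 Sep 2019\n"
    "configure arguments: --prefix=/etc/nginx --modules-path=/usr/lib/nginx/modules "
    "--with-compat --with-threads --with-http_dav_module --with-http_ssl_module "
    "--with-http_v2_module --with-mail --with-mail_ssl_module --with-stream "
    "--without-http_autoindex_module "
    "--with-cc-opt='-g -O2 -fstack-protector-strong -Wp,-D_FORTIFY_SOURCE=2 -fPIC' "
    "--with-ld-opt='-Wl,-z,relro -Wl,-z,now -pie'\n"
)

# Compiler/linker hardening flags to look for (all appear in the output quoted above).
HARDENING = ("-fstack-protector-strong", "_FORTIFY_SOURCE=2", "-z,relro", "-z,now", "-pie")


def audit_build(nginx_v_output, needed):
    """Summarise a `nginx -V` configure line against the modules a site needs."""
    line = next((l for l in nginx_v_output.splitlines()
                 if l.startswith("configure arguments:")), None)
    if line is None:
        raise ValueError("no 'configure arguments:' line found in the input")
    # shlex keeps quoted values such as --with-cc-opt='-g -O2 ...' as one token
    opts = dict(a.partition("=")[::2] for a in shlex.split(line.split(":", 1)[1]))
    added = {k[7:] for k in opts if k.startswith("--with-")
             and (k.endswith("_module") or k in ("--with-mail", "--with-stream"))}
    removed = {k[10:] for k in opts if k.startswith("--without-")}
    flags = opts.get("--with-cc-opt", "") + " " + opts.get("--with-ld-opt", "")
    return {
        "optional_modules": sorted(added),
        "not_needed": sorted(added - set(needed)),
        "defaults_removed": sorted(removed),
        # --with-compat lets separately built dynamic modules load into this binary
        "dynamic_modules_ok": "--with-compat" in opts,
        "missing_hardening": [f for f in HARDENING if f not in flags],
    }


if __name__ == "__main__":
    report = audit_build(SAMPLE, needed={"http_ssl_module", "http_v2_module"})
    for key, value in report.items():
        print(f"{key}: {value}")
```

`nginx -V` writes to stderr, so capture it with `nginx -V 2>&1` before passing it to the function. Modules that nginx builds by default do not appear in the configure line unless they were removed with a `--without-...` option.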
 
  

