Nginx installation package vs manual source build with mod_security
Hi All,
I have done some googling, for example
https://docs.nginx.com/nginx/admin-g...ource/#sources. This site talks about both how to install via the package manager and how to build manually from source. I know that building from source is tedious and difficult to keep up, manage and upgrade. Secondly, with a manual build we can control which modules to build or remove. Thirdly, also to further improve security, it only works via a manual build too. So, looking at all the Google links, is it best to install nginx via a manual source build, or should I remain with the package manager?
I can't look at all the google links, because I don't know them. The link you mention doesn't talk about the advantages of building from source, only about the method. I don't think I fully understand your third point.
"best" is relative to your goals. For me it's best to install it with a package manager, since the hassle far outweighs the benefits of building from source.
I don't know why you limit this discussion to nginx, by the way. Why not install everything from source?
Last edited by berndbausch; 07-31-2020 at 01:20 PM.
Hi Berndbausch,
Sorry, my third point is about mod_security settings, for example as explained here https://medium.com/building-goalwise...inx-15fdd42fa3. In this link, it somehow has to build mod_security manually and then link it with nginx? So based on your suggestion, it is best to go with the package manager, right? Why I limit this to just nginx is because it shows modules can only be turned off by installing from source?
From their website there is no prebuilt modsecurity module for NGINX Open Source. As suggested from their website, download and install the mainline version from their repository for your distribution and compile modsecurity per their instructions. If your distribution is not supported then you will need to install nginx from source.
Quote:
So based on your suggestion, it is best to go with the package manager, right?
No. I don't suggest anything. I just point out that the word "best" has different meanings for different people.
As michaelk points out, you don't have to build nginx to use modsecurity. You only need to build modsecurity.
EDIT: The Medium article also says "you don’t need to compile NGINX again with this module but just the module can be compiled and plugged into the web server".
Last edited by berndbausch; 07-31-2020 at 01:58 PM.
Hi Michaelk,
I am on CentOS 7 actually. What I am worried about with compiling from source is the issue of updates, as pointed out by bernd. But from my googling, it looks like mod_security for sure has to be compiled and linked separately for nginx.
Hi Bernd,
Yes, I agree the link just asks to build mod_security separately and link it to nginx. I have also done some googling on how to harden nginx, for example here https://www.acunetix.com/blog/web-se...rdening-nginx/. This link suggests the following. So it looks like for this I must compile it manually; I don't see any other option?
Quote:
Step 1. Disable Any Unwanted nginx Modules
When you install nginx, it automatically includes many modules. Currently, you cannot choose modules at runtime. To disable certain modules, you need to recompile nginx. We recommend that you disable any modules that are not required as this will minimize the risk of potential attacks by limiting allowed operations.
Quote:
Hi Bernd,
Yes, I agree the link just asks to build mod_security separately and link it to nginx. I have also done some googling on how to harden nginx, for example here https://www.acunetix.com/blog/web-se...rdening-nginx/. This link suggests the following. So it looks like for this I must compile it manually; I don't see any other option?
Yes, if you want to reduce the number of modules and therefore the attack surface, it seems that you have no other choice than building NGINX from source.
However, you can list build parameters and modules by running nginx -v. If you are happy with the result, why build it?
newbie14, you have the option to completely recompile nginx to include mod_security, or to use the dynamic module mod_security for nginx.
It appears that most distros do NOT have that in their repositories. Compiling it yourself is the most prudent choice in that case.
FWIW, ArchLinux has it in their repos. But I wouldn't recommend ArchLinux as a server distro, esp. not for a newbie.
Why is mod_security so important to you? Do you think nginx without mod_security is insecure?
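The two questions raised in the replies above (what the packaged build already contains, and whether a separately compiled mod_security module can be loaded into it) can both be answered from the configure arguments that `nginx -V` (capital V) prints to stderr. This is an added example, not code from any poster in the thread; the sample output is constructed and the function names are hypothetical.

```shell
#!/bin/sh
# Constructed sample of `nginx -V` output; not taken from a real host.
SAMPLE_NGINX_V="nginx version: nginx/1.x.y
configure arguments: --prefix=/etc/nginx --with-compat --with-http_ssl_module --with-http_v2_module --with-mail=dynamic --with-stream --without-http_autoindex_module --with-cc-opt='-O2 -g -pipe'"

# Read `nginx -V` text on stdin, print one configure token per line.
# Quoted values such as --with-cc-opt='...' get split on spaces, which is
# harmless here because module flags never contain spaces.
configure_args() {
  sed -n 's/^configure arguments: //p' | tr ' ' '\n' | sed '/^$/d'
}

# Optional modules that the build switched on (static or =dynamic).
optional_modules() {
  configure_args | grep -E '^--with-([a-z0-9_]+_module|stream|mail)(=dynamic)?$'
}

# Default modules that the build switched off.
disabled_modules() {
  configure_args | grep -E '^--without-[a-z0-9_]+_module$'
}

# --with-compat: the binary accepts dynamic modules compiled separately
# against the same nginx version, so nginx itself need not be rebuilt.
has_compat() {
  configure_args | grep -qx -- '--with-compat'
}

report() {
  input=$(cat)
  echo "Optional modules enabled:"
  printf '%s\n' "$input" | optional_modules | sed 's/^/  /'
  echo "Default modules disabled:"
  printf '%s\n' "$input" | disabled_modules | sed 's/^/  /'
  if printf '%s\n' "$input" | has_compat; then
    echo "Built with --with-compat: separately built dynamic modules can load."
  else
    echo "No --with-compat: a module must be built with identical configure arguments."
  fi
}

printf '%s\n' "$SAMPLE_NGINX_V" | report
# On a real host: nginx -V 2>&1 | report
```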
Hi Ondoho,
Yes, I can build both nginx and mod_security completely from source. Why it is important to me is for it to act as a firewall? Do you have any better solution to further harden the nginx web server? I am just trying to harden my server.
Quote:
Hi Ondoho,
Yes, I can build both nginx and mod_security completely from source.
You did not understand my last post? You don't have to build nginx from source if you don't want to.
Quote:
Originally Posted by newbie14
Why it is important to me is for it to act as a firewall? Do you have any better solution to further harden the nginx web server? I am just trying to harden my server.
You can have a firewall independent of nginx.
Your server is the complete OS nginx is running on, not just nginx itself.
Hi Ondoho,
Sorry for my misunderstanding. Yes, I saw the post which says I can build it independently and then link it to my nginx too. When you say an independent firewall, do you mean a physical firewall or the built-in firewalld in CentOS? Yes, I agree the server is the complete OS it is running on, but I am now focusing on how to further harden nginx and also the CentOS OS itself too.