Install script for ModSecurity with Nginx
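#!/bin/sh
# Build libmodsecurity (v3), the ModSecurity-nginx connector and the OWASP Core
# Rule Set on a Debian/Ubuntu host that already has the distribution nginx
# package installed, then wire the module into /etc/nginx/nginx.conf.
#
# Assumptions:
#   - runs as root (apt, make install, edits under /etc/nginx)
#   - nginx is already installed; the connector is a dynamic module that only
#     loads into the exact nginx version it was built against, with the same
#     ./configure arguments, so NGINX_VERSION and the ./configure line below
#     must be kept in step with what `nginx -V` reports on this host
#   - the nginx release signing key is in root's gpg keyring (the keys are
#     listed at https://nginx.org/en/pgp_keys.html); the source tarball's
#     detached signature is verified before anything is built from it
#
# Environment overrides:
#   NGINX_VERSION     nginx release to fetch sources for      (default 1.14.0)
#   MODSEC_REF        git ref of ModSecurity to build         (default v3/master)
#   MODSEC_NGINX_REF  git ref of ModSecurity-nginx to build   (default: clone's default branch)
#   CRS_VERSION       OWASP CRS release                       (default 3.3.2)
#   SEC_RULE_ENGINE   value for SecRuleEngine: On|Off|DetectionOnly (default On)
#   DOWNLOAD_DIR      scratch directory for sources           (default /downloads)
#
# When the script finishes the module is loaded but NOT applied to any virtual
# host: add `modsecurity on;` and
# `modsecurity_rules_file /etc/nginx/modsec/main.conf;` to the http/server/
# location blocks you want protected, then reload nginx.

# Abort on the first failed step instead of silently building on top of a
# broken libmodsecurity / module, and on any unset variable.
set -eu

NGINX_VERSION="${NGINX_VERSION:-1.14.0}"
MODSEC_REF="${MODSEC_REF:-v3/master}"
MODSEC_NGINX_REF="${MODSEC_NGINX_REF:-}"
CRS_VERSION="${CRS_VERSION:-3.3.2}"
SEC_RULE_ENGINE="${SEC_RULE_ENGINE:-On}"
DOWNLOAD_DIR="${DOWNLOAD_DIR:-/downloads}"

# Print a message to stderr and exit non-zero.
die() {
  printf 'error: %s\n' "$*" >&2
  exit 1
}

[ "$(id -u)" -eq 0 ] || die "this script must run as root"
command -v nginx >/dev/null 2>&1 || die "nginx is not installed; install the distribution package first"

# SEC_RULE_ENGINE is spliced into a sed replacement below; only accept the
# directive's documented values so nothing else can be injected into the config.
case "$SEC_RULE_ENGINE" in
  On|Off|DetectionOnly) ;;
  *) die "SEC_RULE_ENGINE must be On, Off or DetectionOnly (got '${SEC_RULE_ENGINE}')" ;;
esac

# The module is ABI-bound to the nginx binary: refuse to build from a source
# tarball whose version differs from the installed one. `nginx -v` prints
# e.g. "nginx version: nginx/1.14.0 (Ubuntu)" on stderr.
installed_nginx="$(nginx -v 2>&1 | sed -e 's#^nginx version: nginx/##' -e 's# .*$##')"
[ "$installed_nginx" = "$NGINX_VERSION" ] \
  || die "installed nginx is ${installed_nginx} but NGINX_VERSION is ${NGINX_VERSION}; set NGINX_VERSION and align the ./configure line with 'nginx -V'"

apt update -y
# Build dependencies. Package names differ between releases; if apt fails here,
# fix the list rather than ignoring the error — a missing -dev package resurfaces
# later as an obscure configure/make failure. gnupg is needed for the
# signature check on the nginx tarball.
apt install -y bison build-essential ca-certificates curl dh-autoreconf doxygen flex gawk git gnupg \
  iputils-ping libcurl4-gnutls-dev libexpat1-dev libgeoip-dev liblmdb-dev libpcre3-dev libpcre++-dev \
  libssl-dev libtool libxml2 libxml2-dev libyajl-dev locales lua5.3-dev pkg-config wget zlib1g-dev zlibc \
  libgd-dev libxslt1-dev

mkdir -p "$DOWNLOAD_DIR"
cd "$DOWNLOAD_DIR"

# --- ssdeep (libfuzzy) -------------------------------------------------------
# Fuzzy-hash library used by libmodsecurity. Built from the upstream branch
# head; pin a tag if you need a reproducible build.
git clone https://github.com/ssdeep-project/ssdeep
cd ssdeep
./bootstrap
./configure
make
make install
# libfuzzy installs under /usr/local/lib; make sure the dynamic loader sees it.
printf '/usr/local/lib\n' > /etc/ld.so.conf.d/libfuzzy.conf
ldconfig

# --- libmodsecurity ----------------------------------------------------------
cd "$DOWNLOAD_DIR"
# NOTE: the project has since moved to the owasp-modsecurity GitHub org; the
# SpiderLabs URL currently redirects there.
git clone https://github.com/SpiderLabs/ModSecurity
cd ModSecurity
# MODSEC_REF defaults to the v3/master branch head, which is a moving target for
# a security component; pin a release tag for a reviewable, reproducible build.
# (`git checkout <ref>` works whether or not the clone already sits on it,
# unlike `checkout -b`, which fails when the branch exists.)
git checkout "$MODSEC_REF"
git submodule update --init
sh build.sh
./configure
make
make install

# --- ModSecurity-nginx connector -------------------------------------------
cd "$DOWNLOAD_DIR"
git clone https://github.com/SpiderLabs/ModSecurity-nginx
if [ -n "$MODSEC_NGINX_REF" ]; then
  git -C ModSecurity-nginx checkout "$MODSEC_NGINX_REF"
fi

# Fetch the nginx sources over TLS and verify the detached release signature
# before building against them. This fails if the nginx release signing key
# has not been imported (see https://nginx.org/en/pgp_keys.html).
nginx_tarball="nginx-${NGINX_VERSION}.tar.gz"
wget "https://nginx.org/download/${nginx_tarball}"
wget "https://nginx.org/download/${nginx_tarball}.asc"
gpg --verify "${nginx_tarball}.asc" "$nginx_tarball" \
  || die "signature verification failed for ${nginx_tarball} (is the nginx signing key imported?)"
tar -zxf "$nginx_tarball"
cd "nginx-${NGINX_VERSION}"

################################################################################
# !! Important !!
# The ./configure arguments below must mirror the "configure arguments:" line
# of `nginx -V` on this host (everything from --with-cc-opt= onwards). A
# mismatch typically shows up as nginx refusing the module as not binary
# compatible at load time. The list below is the stock Ubuntu 1.14.0 build.
################################################################################
nginx -V
./configure --add-dynamic-module=../ModSecurity-nginx --with-cc-opt='-g -O2 -fdebug-prefix-map=/build/nginx-H4cN7P/nginx-1.14.0=. -fstack-protector-strong -Wformat -Werror=format-security -fPIC -Wdate-time -D_FORTIFY_SOURCE=2' --with-ld-opt='-Wl,-Bsymbolic-functions -Wl,-z,relro -Wl,-z,now -fPIC' --prefix=/usr/share/nginx --conf-path=/etc/nginx/nginx.conf --http-log-path=/var/log/nginx/access.log --error-log-path=/var/log/nginx/error.log --lock-path=/var/lock/nginx.lock --pid-path=/run/nginx.pid --modules-path=/usr/lib/nginx/modules --http-client-body-temp-path=/var/lib/nginx/body --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-proxy-temp-path=/var/lib/nginx/proxy --http-scgi-temp-path=/var/lib/nginx/scgi --http-uwsgi-temp-path=/var/lib/nginx/uwsgi --with-debug --with-pcre-jit --with-http_ssl_module --with-http_stub_status_module --with-http_realip_module --with-http_auth_request_module --with-http_v2_module --with-http_dav_module --with-http_slice_module --with-threads --with-http_addition_module --with-http_geoip_module=dynamic --with-http_gunzip_module --with-http_gzip_static_module --with-http_image_filter_module=dynamic --with-http_sub_module --with-http_xslt_module=dynamic --with-stream=dynamic --with-stream_ssl_module --with-mail=dynamic --with-mail_ssl_module
# Build only the module, not a second nginx binary.
make modules
# `load_module modules/...` in nginx.conf resolves relative to the --prefix
# (/usr/share/nginx), which on the distro package points at the modules dir.
mkdir -p /usr/share/nginx/modules
install -m 0644 objs/ngx_http_modsecurity_module.so /usr/share/nginx/modules/

# --- OWASP Core Rule Set -----------------------------------------------------
cd "$DOWNLOAD_DIR"
# The GitHub auto-generated archive is not a signed artifact; if rule-set
# integrity matters, fetch the signed release assets from the CRS release page
# and verify them instead of (or in addition to) this download.
wget "https://github.com/coreruleset/coreruleset/archive/v${CRS_VERSION}.tar.gz"
tar -zxf "v${CRS_VERSION}.tar.gz"
crs_dir="coreruleset-${CRS_VERSION}"
# Activate the setup file and both exclusion-rule files (only *.conf is
# included by main.conf, so the .example copies are inert until renamed).
for conf in crs-setup.conf \
            rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf \
            rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf; do
  if [ -f "${crs_dir}/${conf}.example" ]; then
    mv "${crs_dir}/${conf}.example" "${crs_dir}/${conf}"
  fi
done
# mv into an existing directory would nest the tree one level deeper and the
# Includes below would silently match nothing; refuse instead.
[ ! -e /usr/local/owasp-modsecurity-crs ] \
  || die "/usr/local/owasp-modsecurity-crs already exists; remove or rename it first"
mv "$crs_dir" /usr/local/owasp-modsecurity-crs

# --- nginx configuration -----------------------------------------------------
# Keep a copy of the config before editing it in place.
[ -e /etc/nginx/nginx.conf.pre-modsecurity ] \
  || cp -p /etc/nginx/nginx.conf /etc/nginx/nginx.conf.pre-modsecurity
# load_module belongs in the main context; anchoring it on the pid directive
# keeps it there on the stock Debian/Ubuntu nginx.conf. Skip if already present
# so re-running the script does not load the module twice.
if ! grep -q 'ngx_http_modsecurity_module.so' /etc/nginx/nginx.conf; then
  sed -i 's#pid /run/nginx.pid;#pid /run/nginx.pid; load_module modules/ngx_http_modsecurity_module.so;#g' /etc/nginx/nginx.conf
fi
# sed exits 0 even when nothing matched — verify the directive really landed.
grep -q 'load_module modules/ngx_http_modsecurity_module.so' /etc/nginx/nginx.conf \
  || die "could not insert load_module into /etc/nginx/nginx.conf (no 'pid /run/nginx.pid;' line?); add it to the main context by hand"

mkdir -p /etc/nginx/modsec
cp "${DOWNLOAD_DIR}/ModSecurity/unicode.mapping" /etc/nginx/modsec/
cp "${DOWNLOAD_DIR}/ModSecurity/modsecurity.conf-recommended" /etc/nginx/modsec/modsecurity.conf
# Engine mode. The default here ('On') blocks immediately; CRS can produce false
# positives on real applications, so consider SEC_RULE_ENGINE=DetectionOnly,
# review /var/log/nginx/modsec_audit.log, add exclusions, and only then block.
sed -i "s/SecRuleEngine DetectionOnly/SecRuleEngine ${SEC_RULE_ENGINE}/g" /etc/nginx/modsec/modsecurity.conf
sed -i 's#SecAuditLog /var/log/modsec_audit.log#SecAuditLog /var/log/nginx/modsec_audit.log#g' /etc/nginx/modsec/modsecurity.conf

# Quoted delimiter: the Include paths are written literally.
cat <<'EOF' > /etc/nginx/modsec/main.conf
Include "/etc/nginx/modsec/modsecurity.conf"
Include "/usr/local/owasp-modsecurity-crs/crs-setup.conf"
Include "/usr/local/owasp-modsecurity-crs/rules/*.conf"
EOF

# Fail here rather than at the next reload if the module does not load into
# this nginx. (The rule files are only parsed once a server block references
# main.conf via modsecurity_rules_file.)
nginx -t

printf '\nModSecurity module installed and loaded, but not yet enforced on any vhost.\n'
printf 'Add to the http/server/location blocks you want protected, then reload nginx:\n'
printf '    modsecurity on;\n'
printf '    modsecurity_rules_file /etc/nginx/modsec/main.conf;\n'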