How to set up the ModSecurity module
After the ModSecurity package is installed, additional setup is required.
-
Enable the installed module in your configuration with the load_module directive:
load_module modules/ngx_http_modsecurity_module.so;
-
Use the modsecurity and modsecurity_rules_file directives in an appropriate context, such as server:
server {
    modsecurity on;
    modsecurity_rules_file /etc/angie/modsecurity/rules.conf;
    # ...
}
-
Copy the OWASP ModSecurity Core Rule Set (CRS) to /var/lib/angie/modsecurity/:
$ cd /var/lib/angie/modsecurity/
$ sudo git clone -b v4.1.0 https://github.com/coreruleset/coreruleset
Tip
Find the latest release number here: coreruleset/coreruleset
-
In the core rule set directory, copy the minimal necessary ModSecurity configuration examples:
$ sudo cp coreruleset/crs-setup.conf.example coreruleset/crs-setup.conf
$ sudo cp coreruleset/rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example \
    coreruleset/rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf
$ sudo cp coreruleset/rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.example \
    coreruleset/rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf
-
Uncomment the following Include directives in /etc/angie/modsecurity/rules.conf:
Include /var/lib/angie/modsecurity/coreruleset/crs-setup.conf
Include /var/lib/angie/modsecurity/coreruleset/rules/*.conf
-
Reload the Angie configuration to apply the changes:
$ sudo angie -t && sudo service angie reload
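
A check that can be run before the reload, added here as an example and not taken from the Angie documentation: it reads a ModSecurity rules file and confirms that no Include directive is still commented out and that every active Include path or glob matches at least one readable file (CRS cloned, .example files copied). The function name check_includes and its output labels are hypothetical; it assumes absolute paths without whitespace, as used in the steps above.

```shell
#!/bin/sh
# Added example (not from the Angie documentation).
# check_includes FILE: report each Include directive in a ModSecurity rules
# file. Returns 0 only if no Include is left commented out and every active
# Include path or glob matches at least one readable file.
# Assumes absolute, whitespace-free paths, as in the steps above.
check_includes() {
    conf=$1
    rc=0
    [ -r "$conf" ] || { echo "UNREADABLE $conf"; return 2; }

    # Count Include directives that are still commented out.
    commented=$(grep -cE '^[[:space:]]*#[[:space:]]*Include[[:space:]]+"?/' "$conf" || true)
    if [ "$commented" -gt 0 ]; then
        echo "COMMENTED $commented Include line(s) in $conf"
        rc=1
    fi

    # Active directives, with optional double quotes around the path removed.
    active=$(sed -n -E 's/^[[:space:]]*Include[[:space:]]+"?([^"[:space:]]+)"?.*$/\1/p' "$conf")
    if [ -z "$active" ]; then
        echo "NONE no active Include in $conf"
        return 1
    fi

    set -f                          # keep globs literal while splitting lines
    for pattern in $active; do
        set +f
        count=0
        for f in $pattern; do       # expands e.g. .../rules/*.conf
            if [ -f "$f" ] && [ -r "$f" ]; then count=$((count + 1)); fi
        done
        set -f
        if [ "$count" -gt 0 ]; then
            echo "OK $pattern ($count file(s))"
        else
            echo "EMPTY $pattern"   # CRS not cloned, or .example not copied
            rc=1
        fi
    done
    set +f
    return "$rc"
}

# Usage: check_includes /etc/angie/modsecurity/rules.conf && sudo angie -t
```

An EMPTY result for crs-setup.conf usually means the .example copy step was skipped; an EMPTY result for the rules glob means the CRS clone is missing from the expected directory.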