install

#!/usr/bin/env bash

# https://www.linuxbabe.com/security/modsecurity-nginx-debian-ubuntu
# https://github.com/openresty/headers-more-nginx-module#installation

nginx_version="nginx-$(sudo apt-cache policy nginx | sed -nr 's/^.*Candidate: (.*)-.*$/\1/p')"
os_id=$(sudo awk -F= '/^ID=/{print $2}' /etc/os-release)
cpu_count=$(printf '%.*f\n' 0 "$((($(sudo grep -c ^processor /proc/cpuinfo)) / 2))")
echo "Nginx:      " $nginx_version
echo "OS:         " $os_id
echo "Cores Used: " $cpu_count


if [ "$os_id" = "ubuntu" ]; then
  echo "If you use Ubuntu 16.04, 18.04, 20.04, or 20.10, run the following commands to install the latest version of Nginx."
  echo ""
  echo "  sudo add-apt-repository ppa:ondrej/nginx-mainline -y && sudo apt update"
  echo ""
  echo "By default, only the binary repository is enabled. We also need to enable the source code repository in order to download Nginx source code. Edit the Nginx mainline repository file."
  echo "  sudo nano /etc/apt/sources.list.d/ondrej-ubuntu-nginx-mainline-*.list"
  echo "Find the line that begins with # deb-src and uncomment it and the run"
  echo ""
  echo "  sudo apt update"
  echo ""
  echo "would you like to continue?"
  read -n1
else
  echo "Start?"
  read -n1
fi

echo ""
echo "************************************************************"
echo "uninstalling current nginx version"
echo "************************************************************"
echo ""
sudo systemctl stop nginx
sudo apt --purge remove -y nginx* --allow-change-held-packages
sudo rm -rf /etc/nginx
sudo rm -rf /usr/share/nginx
sudo rm -rf /var/log/nginx

sudo mkdir -p /etc/nginx/src
sudo mkdir -p /etc/nginx/modsec
sudo mkdir -p /etc/nginx/modsec-crs

echo ""
echo "************************************************************"
echo "installing nginx"
echo "************************************************************"
echo ""
sudo apt install -y nginx nginx-core nginx-common nginx-full dpkg-dev gcc make build-essential autoconf automake libtool libcurl4-openssl-dev liblua5.3-dev libfuzzy-dev ssdeep gettext pkg-config libpcre3 libpcre3-dev libxml2 libxml2-dev libcurl4 libgeoip-dev libyajl-dev doxygen uuid-dev

# region Nginx source
sudo mkdir -p /etc/nginx/src/nginx
cd /etc/nginx/src/nginx/ || exit
sudo apt source nginx
cd $nginx_version || exit # just to check
# endregion

# region ModSecurity
echo ""
echo "************************************************************"
echo "cloning modsecurity"
echo "************************************************************"
echo ""
sudo git clone --depth 1 -b v3/master --single-branch https://github.com/SpiderLabs/ModSecurity /etc/nginx/src/ModSecurity/
cd /etc/nginx/src/ModSecurity/ || exit

sudo git submodule init
sudo git submodule update

echo ""
echo "************************************************************"
echo "bulding modsecurity"
echo "************************************************************"
echo ""
sudo ./build.sh
sudo ./configure
sudo make -j"$cpu_count"
sudo make install

sudo cp /etc/nginx/src/ModSecurity/modsecurity.conf-recommended /etc/nginx/modsec/modsecurity.conf
sudo echo 'Include /etc/nginx/modsec/modsecurity.conf' >/etc/nginx/modsec/main.conf
sudo cp /etc/nginx/src/ModSecurity/unicode.mapping /etc/nginx/modsec/
# endregion

# region ModSecurity-Nginx
echo ""
echo "************************************************************"
echo "cloning Modsecurity-Nginx"
echo "************************************************************"
echo ""
sudo git clone --depth 1 https://github.com/SpiderLabs/ModSecurity-nginx.git /etc/nginx/src/ModSecurity-nginx/
cd /etc/nginx/src/nginx/$nginx_version || exit
sudo apt build-dep nginx -y
# endregion

# region Header-More source
echo ""
echo "************************************************************"
echo "cloning Header-More"
echo "************************************************************"
echo ""
sudo wget https://github.com/openresty/headers-more-nginx-module/archive/refs/tags/v0.34.tar.gz -P /etc/nginx/src/
sudo tar xf /etc/nginx/src/v0.34.tar.gz -C /etc/nginx/src/
sudo mv /etc/nginx/src/headers-more-nginx-module-0.34 /etc/nginx/src/header-more
sudo rm /etc/nginx/src/v0.34.tar.gz
# endregion

# region make nginx
echo ""
echo "************************************************************"
echo "building nginx"
echo "************************************************************"
echo ""
cd /etc/nginx/src/nginx/$nginx_version || exit
sudo ./configure --with-compat --add-dynamic-module=/etc/nginx/src/ModSecurity-nginx --add-dynamic-module=/etc/nginx/src/header-more --without-pcre2
sudo make modules
#endregion

# region copy module files to main installation address
sudo cp objs/ngx_http_modsecurity_module.so /usr/share/nginx/modules/
sudo cp objs/ngx_http_headers_more_filter_module.so /usr/share/nginx/modules/
# endregion

# region Modsecurity-OWASP-CRS
echo ""
echo "************************************************************"
echo "cloning ModSecurity core-rule-set"
echo "************************************************************"
echo ""
cd /etc/nginx/modsec-crs || exit
sudo git clone https://github.com/coreruleset/coreruleset /etc/nginx/modsec-crs
sudo mv crs-setup.conf.example crs-setup.conf
sudo mv rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf
sudo mv rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.example rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf
sudo echo "$(cat /etc/nginx/modsec/main.conf)
Include /etc/nginx/modsec-crs/crs-setup.conf
#Include /etc/nginx/modsec-crs/plugins/*-config.conf
#Include /etc/nginx/modsec-crs/plugins/*-before.conf
Include /etc/nginx/modsec-crs/rules/*.conf
#Include /etc/nginx/modsec-crs/plugins/*-after.conf" >/etc/nginx/modsec/main.conf

# endregion

# region modify nginx.conf
sudo echo "load_module modules/ngx_http_modsecurity_module.so;
load_module modules/ngx_http_headers_more_filter_module.so;
$(cat /etc/nginx/nginx.conf)" >/etc/nginx/nginx.conf

# endregion
echo ""
echo "************************************************************"
echo "cloning ModSecurity core-rule-set"
echo "************************************************************"
echo ""
echo "add these lines to http section"
echo "  modsecurity on;"
echo "  modsecurity_rules_file /etc/nginx/modsec/main.conf;"


sudo nginx -t
sudo apt-mark hold nginx
sudo systemctl stop nginx
#sudo systemctl start nginx

echo ""
echo "************************************************************"
echo "Nginx+ModSecurity+CRS+HeaderMore Installed"
echo "************************************************************"