-
Notifications
You must be signed in to change notification settings - Fork 0
/
install
executable file
·172 lines (148 loc) · 6.45 KB
/
install
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
#!/usr/bin/env bash
# https://www.linuxbabe.com/security/modsecurity-nginx-debian-ubuntu
# https://github.com/openresty/headers-more-nginx-module#installation
nginx_version="nginx-$(sudo apt-cache policy nginx | sed -nr 's/^.*Candidate: (.*)-.*$/\1/p')"
os_id=$(sudo awk -F= '/^ID=/{print $2}' /etc/os-release)
cpu_count=$(printf '%.*f\n' 0 "$((($(sudo grep -c ^processor /proc/cpuinfo)) / 2))")
echo "Nginx: " $nginx_version
echo "OS: " $os_id
echo "Cores Used: " $cpu_count
if [ "$os_id" = "ubuntu" ]; then
echo "If you use Ubuntu 16.04, 18.04, 20.04, or 20.10, run the following commands to install the latest version of Nginx."
echo ""
echo " sudo add-apt-repository ppa:ondrej/nginx-mainline -y && sudo apt update"
echo ""
echo "By default, only the binary repository is enabled. We also need to enable the source code repository in order to download Nginx source code. Edit the Nginx mainline repository file."
echo " sudo nano /etc/apt/sources.list.d/ondrej-ubuntu-nginx-mainline-*.list"
echo "Find the line that begins with # deb-src and uncomment it and the run"
echo ""
echo " sudo apt update"
echo ""
echo "would you like to continue?"
read -n1
else
echo "Start?"
read -n1
fi
echo ""
echo "************************************************************"
echo "uninstalling current nginx version"
echo "************************************************************"
echo ""
sudo systemctl stop nginx
sudo apt --purge remove -y nginx* --allow-change-held-packages
sudo rm -rf /etc/nginx
sudo rm -rf /usr/share/nginx
sudo rm -rf /var/log/nginx
sudo mkdir -p /etc/nginx/src
sudo mkdir -p /etc/nginx/modsec
sudo mkdir -p /etc/nginx/modsec-crs
echo ""
echo "************************************************************"
echo "installing nginx"
echo "************************************************************"
echo ""
sudo apt install -y nginx nginx-core nginx-common nginx-full dpkg-dev gcc make build-essential autoconf automake libtool libcurl4-openssl-dev liblua5.3-dev libfuzzy-dev ssdeep gettext pkg-config libpcre3 libpcre3-dev libxml2 libxml2-dev libcurl4 libgeoip-dev libyajl-dev doxygen uuid-dev
# region Nginx source
sudo mkdir -p /etc/nginx/src/nginx
cd /etc/nginx/src/nginx/ || exit
sudo apt source nginx
cd $nginx_version || exit # just to check
# endregion
# region ModSecurity
echo ""
echo "************************************************************"
echo "cloning modsecurity"
echo "************************************************************"
echo ""
sudo git clone --depth 1 -b v3/master --single-branch https://github.com/SpiderLabs/ModSecurity /etc/nginx/src/ModSecurity/
cd /etc/nginx/src/ModSecurity/ || exit
sudo git submodule init
sudo git submodule update
echo ""
echo "************************************************************"
echo "bulding modsecurity"
echo "************************************************************"
echo ""
sudo ./build.sh
sudo ./configure
sudo make -j"$cpu_count"
sudo make install
sudo cp /etc/nginx/src/ModSecurity/modsecurity.conf-recommended /etc/nginx/modsec/modsecurity.conf
sudo echo 'Include /etc/nginx/modsec/modsecurity.conf' >/etc/nginx/modsec/main.conf
sudo cp /etc/nginx/src/ModSecurity/unicode.mapping /etc/nginx/modsec/
# endregion
# region ModSecurity-Nginx
echo ""
echo "************************************************************"
echo "cloning Modsecurity-Nginx"
echo "************************************************************"
echo ""
sudo git clone --depth 1 https://github.com/SpiderLabs/ModSecurity-nginx.git /etc/nginx/src/ModSecurity-nginx/
cd /etc/nginx/src/nginx/$nginx_version || exit
sudo apt build-dep nginx -y
# endregion
# region Header-More source
echo ""
echo "************************************************************"
echo "cloning Header-More"
echo "************************************************************"
echo ""
sudo wget https://github.com/openresty/headers-more-nginx-module/archive/refs/tags/v0.34.tar.gz -P /etc/nginx/src/
sudo tar xf /etc/nginx/src/v0.34.tar.gz -C /etc/nginx/src/
sudo mv /etc/nginx/src/headers-more-nginx-module-0.34 /etc/nginx/src/header-more
sudo rm /etc/nginx/src/v0.34.tar.gz
# endregion
# region make nginx
echo ""
echo "************************************************************"
echo "building nginx"
echo "************************************************************"
echo ""
cd /etc/nginx/src/nginx/$nginx_version || exit
sudo ./configure --with-compat --add-dynamic-module=/etc/nginx/src/ModSecurity-nginx --add-dynamic-module=/etc/nginx/src/header-more --without-pcre2
sudo make modules
#endregion
# region copy module files to main installation address
sudo cp objs/ngx_http_modsecurity_module.so /usr/share/nginx/modules/
sudo cp objs/ngx_http_headers_more_filter_module.so /usr/share/nginx/modules/
# endregion
# region Modsecurity-OWASP-CRS
echo ""
echo "************************************************************"
echo "cloning ModSecurity core-rule-set"
echo "************************************************************"
echo ""
cd /etc/nginx/modsec-crs || exit
sudo git clone https://github.com/coreruleset/coreruleset /etc/nginx/modsec-crs
sudo mv crs-setup.conf.example crs-setup.conf
sudo mv rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf
sudo mv rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.example rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf
sudo echo "$(cat /etc/nginx/modsec/main.conf)
Include /etc/nginx/modsec-crs/crs-setup.conf
#Include /etc/nginx/modsec-crs/plugins/*-config.conf
#Include /etc/nginx/modsec-crs/plugins/*-before.conf
Include /etc/nginx/modsec-crs/rules/*.conf
#Include /etc/nginx/modsec-crs/plugins/*-after.conf" >/etc/nginx/modsec/main.conf
# endregion
# region modify nginx.conf
sudo echo "load_module modules/ngx_http_modsecurity_module.so;
load_module modules/ngx_http_headers_more_filter_module.so;
$(cat /etc/nginx/nginx.conf)" >/etc/nginx/nginx.conf
# endregion
echo ""
echo "************************************************************"
echo "cloning ModSecurity core-rule-set"
echo "************************************************************"
echo ""
echo "add these lines to http section"
echo " modsecurity on;"
echo " modsecurity_rules_file /etc/nginx/modsec/main.conf;"
sudo nginx -t
sudo apt-mark hold nginx
sudo systemctl stop nginx
#sudo systemctl start nginx
echo ""
echo "************************************************************"
echo "Nginx+ModSecurity+CRS+HeaderMore Installed"
echo "************************************************************"