How to patch and/or upgrade Nginx from source in production environment?

PGNet Dev pgnet.dev at gmail.com
Thu Oct 13 17:54:30 UTC 2022


> My primary driving reason for considering the deployment of Nginx from source is to use ModSecurity WAF with Nginx. I'm under the impression that it's much easier to use ModSecurity with Nginx when compiled from source.

If ModSecurity is the issue ...

There are old instructions easily found ON the nginx.com site,

	https://www.nginx.com/blog/compiling-and-installing-modsecurity-for-open-source-nginx/

for building it as a dynamic module, which can be separately built and added to a packaged nginx build.  not required to rebuild/repackage/reinstall nginx itself.  of course, you need to match source version to your pkg'd version.

but note, NGINX is dumping ... er ... Transitioning to End-of-Life ... ModSecurity support,

	F5 NGINX ModSecurity WAF Is Transitioning to End-of-Life
	 https://www.nginx.com/blog/f5-nginx-modsecurity-waf-transitioning-to-eol/

and that ModSecurity itself is on its way out,

	Talking about ModSecurity and the new Coraza WAF
	 https://coreruleset.org/20211222/talking-about-modsecurity-and-the-new-coraza-waf/

but not quite dead yet.  in the interim, there's ModSecurity v3/master

	https://github.com/SpiderLabs/ModSecurity

, with a new architecture, and a specific Nginx connector

	https://github.com/SpiderLabs/ModSecurity-nginx

which can, similarly to the above, be built/added as a dynamic module, and still works well enough.

and here's a useful tutorial for setting up Nginx + LibModsecurity

	Configure LibModsecurity with Nginx on CentOS 8
	 https://kifarunix.com/configure-libmodsecurity-with-nginx-on-centos-8/




More information about the nginx mailing list