How to patch and/or upgrade Nginx from source in production environment?
PGNet Dev
pgnet.dev at gmail.com
Thu Oct 13 17:54:30 UTC 2022
> My primary driving reason for considering the deployment of Nginx from source is to use ModSecurity WAF with Nginx. I'm under the impression that it's much easier to use ModSecurity with Nginx when compiled from source.
If ModSecurity is the issue ...
There are old instructions easily found ON the nginx.com site,
https://www.nginx.com/blog/compiling-and-installing-modsecurity-for-open-source-nginx/
for building it as a dynamic module, which can be separately built and added to a packaged nginx build. not required to rebuild/repackage/reinstall nginx itself. of course, you need to match source version to your pkg'd version.
but note, NGINX is dumping ... er ... Transitioning to End-of-Life ... ModSecurity support,
F5 NGINX ModSecurity WAF Is Transitioning to End-of-Life
https://www.nginx.com/blog/f5-nginx-modsecurity-waf-transitioning-to-eol/
and that ModSecurity itself is on its way out,
Talking about ModSecurity and the new Coraza WAF
https://coreruleset.org/20211222/talking-about-modsecurity-and-the-new-coraza-waf/
but not quite dead yet. in the interim, there's ModSecurity v3/master
https://github.com/SpiderLabs/ModSecurity
, with a new architecture, and a specific Nginx connector
https://github.com/SpiderLabs/ModSecurity-nginx
which can, similarly to the above, be built/added as a dynamic module, and still works well enough.
and here's a useful tutorial for setting up Nginx + LibModsecurity
Configure LibModsecurity with Nginx on CentOS 8
https://kifarunix.com/configure-libmodsecurity-with-nginx-on-centos-8/
More information about the nginx
mailing list