ModSecurity

Installation

ModSecurity installation requirements:

  1. ModSecurity 2.x works only with Apache 2.0.x or higher. Version 2.2.x is highly recommended.

  2. Make sure you have mod_unique_id installed.

    mod_unique_id is packaged with Apache httpd.

  3. libapr and libapr-util

    http://apr.apache.org/

  4. libpcre

    http://www.pcre.org/

  5. libxml2

    http://xmlsoft.org/downloads.html

  6. liblua v5.1.x

    This library is optional and only needed if you will be using the new Lua engine.

    http://www.lua.org/download.html

    Note that ModSecurity requires the dynamic libraries. These are not built by default in the source distribution, so the binary distribution is recommended.

  7. libcurl v7.15.1 or higher

    If you will be using the ModSecurity Log Collector (mlogc) to send audit logs to a central repository, then you will also need the curl library.

    http://curl.haxx.se/libcurl/

    Note

    Many have had issues with libcurl linked with the GnuTLS library for SSL/TLS support. It is recommended that the openssl library be used for SSL/TLS support in libcurl.

ModSecurity installation consists of the following steps:

  1. Stop Apache httpd

  2. Unpack the ModSecurity archive

  3. Building differs for UNIX (or UNIX-like) operating systems and Windows.

    • UNIX

      1. Run the configure script to generate a Makefile. Typically no options are needed.

        ./configure

        Options are available for more customization (use ./configure --help for a full list), but typically you will only need to specify the location of the apxs command installed by Apache httpd with the --with-apxs option.

        ./configure --with-apxs=/path/to/httpd-2.x.y/bin/apxs

        Note

        There are certain configure options that are meant for debugging an other development use. If enabled, these options can substantially impact performance. These options include all --debug-* options as well as the --enable-performance-measurements options.

      2. Compile with: make

      3. Optionally test with: make test

        Note

        This is step is still a bit experimental. If you have problems, please send the full output and error from the build to the support list. Most common issues are related to not finding the required headers and/or libraries.

      4. Optionally build the ModSecurity Log Collector with: make mlogc

      5. Optionally install mlogc: Review the INSTALL file included in the apache2/mlogc-src directory in the distribution.

      6. Install the ModSecurity module with: make install

    • Windows (MS VC++ 8)

      1. Edit Makefile.win to configure the Apache base and library paths.

      2. Compile with: nmake -f Makefile.win

      3. Install the ModSecurity module with: nmake -f Makefile.win install

      4. Copy the libxml2.dll and lua5.1.dll to the Apache bin directory. Alternatively you can follow the step below for using LoadFile to load these libraries.

  4. Edit the main Apache httpd config file (usually httpd.conf)

    On UNIX (and Windows if you did not copy the DLLs as stated above) you must load libxml2 and lua5.1 before ModSecurity with something like this:

    LoadFile /usr/lib/libxml2.so
LoadFile /usr/lib/liblua5.1.so

    Load the ModSecurity module with:

    LoadModule security2_module modules/mod_security2.so

  5. Configure ModSecurity

  6. Start Apache httpd

  7. You should now have ModSecurity 2.x up and running.

Note

If you have compiled Apache yourself you might experience problems compiling ModSecurity against PCRE. This is because Apache bundles PCRE but this library is also typically provided by the operating system. I would expect most (all) vendor-packaged Apache distributions to be configured to use an external PCRE library (so this should not be a problem).

You want to avoid Apache using the bundled PCRE library and ModSecurity linking against the one provided by the operating system. The easiest way to do this is to compile Apache against the PCRE library provided by the operating system (or you can compile it against the latest PCRE version you downloaded from the main PCRE distribution site). You can do this at configure time using the --with-pcre switch. If you are not in a position to recompile Apache, then, to compile ModSecurity successfully, you'd still need to have access to the bundled PCRE headers (they are available only in the Apache source code) and change the include path for ModSecurity (as you did in step 7 above) to point to them (via the --with-pcre ModSecurity configure option).

Do note that if your Apache is using an external PCRE library you can compile ModSecurity with WITH_PCRE_STUDY defined,which would possibly give you a slight performance edge in regular expression processing.

Non-gcc compilers may have problems running out-of-the-box as the current build system was designed around the gcc compiler and some compiler/linker flags may differ. To use a non-gcc compiler you may need some manual Makefile tweaks if issues cannot be solved by exporting custom CFLAGS and CPPFLAGS environment variables.

If you are upgrading from ModSecurity 1.x, please refer to the migration matrix at http://www.modsecurity.org/documentation/ModSecurity-Migration-Matrix.pdf

Copyright (C) 2004-2009 Breach Security