ModSecurity installation requirements:
ModSecurity 2.x works only with Apache 2.0.x or higher. Version 2.2.x is highly recommended.
Make sure you have mod_unique_id installed.
mod_unique_id is packaged with Apache httpd.
libapr and libapr-util
libpcre
libxml2
liblua v5.1.x
This library is optional and only needed if you will be using the new Lua engine.
http://www.lua.org/download.html
Note that ModSecurity requires the dynamic libraries. These are not built by default in the source distribution, so the binary distribution is recommended.
libcurl v7.15.1 or higher
If you will be using the ModSecurity Log Collector (mlogc) to send audit logs to a central repository, then you will also need the curl library.
Many have had issues with libcurl linked with the GnuTLS library for SSL/TLS support. It is recommended that the openssl library be used for SSL/TLS support in libcurl.
ModSecurity installation consists of the following steps:
Stop Apache httpd
Unpack the ModSecurity archive
Building differs for UNIX (or UNIX-like) operating systems and Windows.
UNIX
Run the configure script to generate a Makefile. Typically no options are needed.
./configure
Options are available for more customization (use ./configure --help for a full list), but typically you will only need to specify the location of the apxs command installed by Apache httpd with the --with-apxs option.
./configure --with-apxs=/path/to/httpd-2.x.y/bin/apxs
There are certain configure options that are meant for debugging and other development use. If enabled, these options can substantially impact performance. These options include all --debug-* options as well as the --enable-performance-measurements option.
Compile with: make
Optionally test with: make test
This step is still a bit experimental. If you have problems, please send the full output and error from the build to the support list. Most common issues are related to not finding the required headers and/or libraries.
Optionally build the ModSecurity Log Collector with:
make mlogc
Optionally install mlogc: Review the INSTALL file included in the apache2/mlogc-src directory in the distribution.
Install the ModSecurity module with: make install
Windows (MS VC++ 8)
Edit Makefile.win to configure the Apache base and library paths.
Compile with: nmake -f Makefile.win
Install the ModSecurity module with: nmake -f Makefile.win install
Copy the libxml2.dll and lua5.1.dll to the Apache bin directory. Alternatively you can follow the step below for using LoadFile to load these libraries.
Edit the main Apache httpd config file (usually httpd.conf)
On UNIX (and Windows if you did not copy the DLLs as stated above) you must load libxml2 and lua5.1 before ModSecurity with something like this:
LoadFile /usr/lib/libxml2.so
LoadFile /usr/lib/liblua5.1.so
Load the ModSecurity module with:
LoadModule security2_module modules/mod_security2.so
Configure ModSecurity
Start Apache httpd
You should now have ModSecurity 2.x up and running.
If you have compiled Apache yourself you might experience problems compiling ModSecurity against PCRE. This is because Apache bundles PCRE but this library is also typically provided by the operating system. I would expect most (all) vendor-packaged Apache distributions to be configured to use an external PCRE library (so this should not be a problem).
You want to avoid Apache using the bundled PCRE library and ModSecurity linking against the one provided by the operating system. The easiest way to do this is to compile Apache against the PCRE library provided by the operating system (or you can compile it against the latest PCRE version you downloaded from the main PCRE distribution site). You can do this at configure time using the --with-pcre switch. If you are not in a position to recompile Apache, then, to compile ModSecurity successfully, you'd still need to have access to the bundled PCRE headers (they are available only in the Apache source code) and change the include path for ModSecurity (as you did in step 7 above) to point to them (via the --with-pcre ModSecurity configure option).
Do note that if your Apache is using an external PCRE library you can compile ModSecurity with WITH_PCRE_STUDY defined, which would possibly give you a slight performance edge in regular expression processing.
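A quick way to check for the PCRE mismatch described above, as an added example (not part of the ModSecurity distribution): the script compares the libpcre path that ldd reports for httpd and for mod_security2.so. It assumes a bundled PCRE is linked statically into httpd and therefore does not appear in its ldd output; the function names and the sample ldd output are constructed for illustration.

```shell
#!/bin/sh
# Added example: compare the PCRE library used by httpd and by mod_security2.so.
# Input is the text that `ldd` prints; the samples further down are constructed.

# Print the resolved path of libpcre from ldd output, or nothing if absent.
pcre_path() {
    printf '%s\n' "$1" | awk '$1 ~ /^libpcre\.so/ && $2 == "=>" { print $3; exit }'
}

# Classify the pair of ldd outputs (httpd first, module second).
# Assumption: httpd built with the bundled PCRE shows no dynamic libpcre.
check_pcre() {
    httpd_pcre=$(pcre_path "$1")
    mod_pcre=$(pcre_path "$2")
    if [ -z "$httpd_pcre" ] && [ -z "$mod_pcre" ]; then
        echo "none"                               # neither links libpcre dynamically
    elif [ -z "$httpd_pcre" ]; then
        echo "bundled-vs-system:$mod_pcre"        # the case the text warns about
    elif [ "$httpd_pcre" = "$mod_pcre" ]; then
        echo "match:$httpd_pcre"                  # both use the same external PCRE
    else
        echo "mismatch:$httpd_pcre:$mod_pcre"     # two different external copies
    fi
}

# Constructed ldd output (not taken from a real system).
SAMPLE_HTTPD_EXTERNAL='  libpcre.so.0 => /usr/lib/libpcre.so.0 (0x00007f1a2c000000)
  libapr-1.so.0 => /usr/lib/libapr-1.so.0 (0x00007f1a2bc00000)'
SAMPLE_HTTPD_BUNDLED='  libapr-1.so.0 => /usr/lib/libapr-1.so.0 (0x00007f1a2bc00000)
  libc.so.6 => /lib/libc.so.6 (0x00007f1a2b800000)'
SAMPLE_MODULE='  libxml2.so.2 => /usr/lib/libxml2.so.2 (0x00007f1a2a000000)
  libpcre.so.0 => /usr/lib/libpcre.so.0 (0x00007f1a29c00000)'
SAMPLE_MODULE_LOCAL='  libpcre.so.0 => /usr/local/lib/libpcre.so.0 (0x00007f1a29c00000)'

check_pcre "$SAMPLE_HTTPD_EXTERNAL" "$SAMPLE_MODULE"
check_pcre "$SAMPLE_HTTPD_BUNDLED" "$SAMPLE_MODULE"
check_pcre "$SAMPLE_HTTPD_EXTERNAL" "$SAMPLE_MODULE_LOCAL"

# Real use (placeholder paths):
# check_pcre "$(ldd /path/to/httpd-2.x.y/bin/httpd)" \
#            "$(ldd /path/to/httpd-2.x.y/modules/mod_security2.so)"
```

Any result other than match means Apache and ModSecurity are not sharing one external PCRE library, which is the situation the --with-pcre switch is meant to resolve.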
Non-gcc compilers may have problems running out-of-the-box as the current build system was designed around the gcc compiler and some compiler/linker flags may differ. To use a non-gcc compiler you may need some manual Makefile tweaks if issues cannot be solved by exporting custom CFLAGS and CPPFLAGS environment variables.
If you are upgrading from ModSecurity 1.x, please refer to the migration matrix at http://www.modsecurity.org/documentation/ModSecurity-Migration-Matrix.pdf