Update install nginx script.

2022-08-20 17:04:57 +08:00 · 2022-08-20 17:04:57 +08:00 · 2dc3a15bb6
parent afc5c02215
commit 2dc3a15bb6
2 changed files with 27 additions and 1 deletions
--- a/install_nginx.sh
+++ b/install_nginx.sh
@ -104,8 +104,16 @@ if [[ "$nginx_ver" < $nginx_target_ver ]] || [[ "$1" == '--force' ]] || [[ "$ins
        sudo bash -l -c "
            cd /root/nginx-$nginx_target_ver &&
            make modules &&
+            mkdir -p /etc/nginx/modules &&
            cp -f objs/ngx_http_modsecurity_module.so /etc/nginx/modules/. &&
-            cd ..
+            echo 'load_module modules/ngx_http_modsecurity_module.so;' > /etc/nginx/modules-enabled/50-mod-modsecurity.conf &&
+            mkdir -p /etc/nginx/modsec &&
+            wget -P /etc/nginx/modsec/ https://raw.githubusercontent.com/SpiderLabs/ModSecurity/v3/master/modsecurity.conf-recommended &&
+            mv /etc/nginx/modsec/modsecurity.conf-recommended /etc/nginx/modsec/modsecurity.conf &&
+            cd .. &&
+            cp -f ModSecurity/unicode.mapping /etc/nginx/modsec &&
+            sed -i 's/SecRuleEngine DetectionOnly/SecRuleEngine On/' /etc/nginx/modsec/modsecurity.conf &&
+            wget http://gitlab.tp.rulingcom.com/erictyl/install_r45_on_ubuntu_1804lts_doc/-/raw/master/modsecurity_main.conf -O /etc/nginx/modsec/main.conf
        "
    fi
    if [[ $nginx_conf_exist == "0" ]]; then
@ -143,6 +151,16 @@ if [[ "$nginx_ver" < $nginx_target_ver ]] || [[ "$1" == '--force' ]] || [[ "$ins
                http_block_end=$((http_block_end + 1))
            fi
        done
+        if [[ "$install_modsecurity" == "1" ]]; then
+            echo "Please modify your nginx conf file by yourself!"
+            echo "
+            server {
+                # ...
+                modsecurity on;
+                modsecurity_rules_file /etc/nginx/modsec/main.conf;
+            }
+            "
+        fi
    fi
    cd "$org_pwd"
 fi
--- a/modsecurity_main.conf
+++ b/modsecurity_main.conf
@ -0,0 +1,8 @@
+# From https://github.com/SpiderLabs/ModSecurity/blob/master/
+# modsecurity.conf-recommended
+#
+# Edit to set SecRuleEngine On
+Include "/etc/nginx/modsec/modsecurity.conf"
+
+# Basic test rule
+SecRule ARGS:testparam "@contains test" "id:1234,deny,status:403"