Nginx + ModSecurity Custom RPM Builder
This project builds custom RPM packages for libmodsecurity (v3) and the Nginx connector module, specifically for AlmaLinux 8 and Nginx 1.26.1 from the official nginx.org repository.
The build process is fully containerized using Docker, ensuring a clean, reproducible build environment.
Prerequisites
A Linux host machine (e.g., Alma, Fedora, Ubuntu)
Docker installed and running.
Files in this Project
build.sh: The main orchestration script. This is the only file you need to run.
Dockerfile.libmodsecurity: A multi-stage Dockerfile that builds libmodsecurity from source and packages it as two RPMs (libmodsecurity-cipherseed and libmodsecurity-cipherseed-devel).
Dockerfile.modsecurity-connector: A multi-stage Dockerfile that downloads the Nginx source, compiles the ModSecurity connector module against it, and packages it as an RPM.
How to Build the RPMs
Ensure all three files (build.sh, Dockerfile.libmodsecurity, Dockerfile.modsecurity-connector) are in the same directory.
Make the build script executable:
chmod +x build.sh
Run the build script:
./build.sh
The first build will be slow as it downloads base images, dependencies, and compiles the code. Subsequent builds will be very fast due to Docker's caching.
To force a full rebuild, ignoring the cache:
./build.sh --no-cache
Build Artifacts
When the build is complete, you will find all artifacts in the build/ directory, organized by the Nginx version:
build/1.26.1/rpm/: Contains all final .rpm packages.
libmodsecurity-cipherseed-3.0.14-1.el8.x86_64.rpm
libmodsecurity-cipherseed-devel-3.0.14-1.el8.x86_64.rpm
nginx-modsecurity-connector.rpm
build/1.26.1/srpm/: Contains the Source RPM for libmodsecurity.
build/1.26.1/logs/: Contains detailed build logs from each Docker stage.
How to Install the RPMs on AlmaLinux 8
Follow these steps on your target AlmaLinux 8 server to install and use the custom-built modules.
Step 1: Install Required Repositories
Our RPMs have dependencies that live in epel-release and the official nginx.org repository.
Install EPEL: This provides GeoIP and ssdeep-libs.
dnf install epel-release
Install Nginx.org Repository: Our module is built for Nginx 1.26.1 from this specific repository.
# Create the repo file
cat <<EOF > /etc/yum.repos.d/nginx.repo
[nginx-stable]
name=nginx stable repo
baseurl=http://nginx.org/packages/centos/8/x86_64/
gpgcheck=1
enabled=1
gpgkey=https://nginx.org/keys/nginx_signing.key
module_hotfixes=true

[nginx-mainline]
name=nginx mainline repo
baseurl=http://nginx.org/packages/mainline/centos/8/x86_64/
gpgcheck=1
enabled=0
gpgkey=https://nginx.org/keys/nginx_signing.key
module_hotfixes=true
EOF
Step 2: Install Nginx and Custom Modules
Copy all the RPMs from your build/1.26.1/rpm/ directory to your target server (e.g., using scp).
Install the correct Nginx version and your custom libmodsecurity package.
This command installs nginx 1.26.1 and your libmodsecurity.
dnf will automatically pull in GeoIP and ssdeep-libs from EPEL.
dnf install nginx-1.26.1 ./libmodsecurity-cipherseed-3.0.14-1.el8.x86_64.rpm
With Nginx installed, you can now install the connector module.
This will succeed because its dependencies (nginx and libmodsecurity-cipherseed) are now met.
dnf install ./nginx-modsecurity-connector.rpm
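The RPMs are copied from the build host and installed from local files, so a checksum manifest lets the target confirm it received exactly what the build produced. This is an added example, not part of the project's build.sh; the function names and the SHA256SUMS file name are assumptions.

```shell
#!/bin/sh
# Added example (not project code): checksum manifest for the RPM hand-off.
# Function names and the SHA256SUMS file name are assumptions.

# write_manifest DIR: run on the build host.
# Records a SHA-256 for every .rpm in DIR into DIR/SHA256SUMS.
write_manifest() (
    cd "$1" || exit 1
    sha256sum -- *.rpm > SHA256SUMS
)

# verify_manifest DIR: run on the target before any dnf install.
# Fails if the manifest is missing or empty, if any listed RPM is absent
# or altered, or if DIR holds an .rpm that the manifest does not list.
verify_manifest() (
    cd "$1" || exit 1
    [ -s SHA256SUMS ] || { echo "SHA256SUMS missing or empty" >&2; exit 1; }

    # Every listed file must exist and match its recorded hash.
    sha256sum -c SHA256SUMS >&2 || exit 1

    # Every .rpm present must be listed. A manifest line is 64 hex
    # characters plus two separator characters, so names start at column 67.
    for f in *.rpm; do
        [ -e "$f" ] || continue
        cut -c67- SHA256SUMS | grep -qxF -- "$f" \
            || { echo "not in manifest: $f" >&2; exit 1; }
    done
)

# Stand-alone use: ./manifest.sh write DIR   or   ./manifest.sh verify DIR
case "${1:-}" in
    write)  write_manifest "$2" ;;
    verify) verify_manifest "$2" ;;
esac
```

Run write_manifest on build/1.26.1/rpm/ on the build host, copy SHA256SUMS alongside the RPMs, and run verify_manifest on the target before the dnf install commands. A manifest sent over the same channel catches truncated or mixed-up files; compare its hash out of band if the transfer path itself is in question.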
Step 3: Configure Nginx to Load the Module
Edit your main Nginx config file (/etc/nginx/nginx.conf).
At the very top, before the http block, add the following line:
# Load the new module
load_module /usr/share/nginx/modules/ngx_http_modsecurity_module.so;

http {
    # ... your config ...
}
Enable and configure ModSecurity in your http or server block as needed:
http {
    # ...
    modsecurity on;
    modsecurity_rules_file /etc/nginx/modsec/main.conf;
    # ...
}
Test your configuration and restart Nginx:
nginx -t
systemctl restart nginx