
Nginx + ModSecurity Custom RPM Builder

This project builds custom RPM packages for libmodsecurity (v3) and the Nginx connector module, specifically for AlmaLinux 8 and Nginx 1.26.1 from the official nginx.org repository.

The build process is fully containerized using Docker, ensuring a clean, reproducible build environment.

Prerequisites

A Linux host machine (e.g., Alma, Fedora, Ubuntu)

Docker installed and running.

Files in this Project

build.sh: The main orchestration script. This is the only file you need to run.

Dockerfile.libmodsecurity: A multi-stage Dockerfile that builds libmodsecurity from source and packages it as two RPMs (libmodsecurity-cipherseed and libmodsecurity-cipherseed-devel).

Dockerfile.modsecurity-connector: A multi-stage Dockerfile that downloads the Nginx source, compiles the ModSecurity connector module against it, and packages it as an RPM.

How to Build the RPMs

Ensure all three files (build.sh, Dockerfile.libmodsecurity, Dockerfile.modsecurity-connector) are in the same directory.

Make the build script executable:

chmod +x build.sh

Run the build script:

./build.sh

The first build will be slow as it downloads base images, dependencies, and compiles the code. Subsequent builds will be very fast due to Docker's caching.

To force a full rebuild, ignoring the cache:

./build.sh --no-cache

Build Artifacts

When the build is complete, you will find all artifacts in the build/ directory, organized by the Nginx version:

build/1.26.1/rpm/: Contains all final .rpm packages.

libmodsecurity-cipherseed-3.0.14-1.el8.x86_64.rpm

libmodsecurity-cipherseed-devel-3.0.14-1.el8.x86_64.rpm

nginx-modsecurity-connector.rpm

build/1.26.1/srpm/: Contains the Source RPM for libmodsecurity.

build/1.26.1/logs/: Contains detailed build logs from each Docker stage.

How to Install the RPMs on AlmaLinux 8

Follow these steps on your target AlmaLinux 8 server to install and use the custom-built modules.

Step 1: Install Required Repositories

Our RPMs have dependencies that live in epel-release and the official nginx.org repository.

Install EPEL: This provides GeoIP and ssdeep-libs.

dnf install epel-release

Install Nginx.org Repository: Our module is built for Nginx 1.26.1 from this specific repository.

Create the repo file:

cat <<EOF > /etc/yum.repos.d/nginx.repo
[nginx-stable]
name=nginx stable repo
baseurl=http://nginx.org/packages/centos/8/x86_64/
gpgcheck=1
enabled=1
gpgkey=https://nginx.org/keys/nginx_signing.key
module_hotfixes=true

[nginx-mainline]
name=nginx mainline repo
baseurl=http://nginx.org/packages/mainline/centos/8/x86_64/
gpgcheck=1
enabled=0
gpgkey=https://nginx.org/keys/nginx_signing.key
module_hotfixes=true
EOF

Step 2: Install Nginx and Custom Modules

Copy all the RPMs from your build/1.26.1/rpm/ directory to your target server (e.g., using scp).

Install the correct Nginx version and your custom libmodsecurity package.

This command installs nginx 1.26.1 and your libmodsecurity.

dnf will automatically pull in GeoIP and ssdeep-libs from EPEL.

dnf install nginx-1.26.1 ./libmodsecurity-cipherseed-3.0.14-1.el8.x86_64.rpm

With Nginx installed, you can now install the connector module.

This will succeed because its dependencies (nginx and libmodsecurity-cipherseed) are now met.

dnf install ./nginx-modsecurity-connector.rpm

Step 3: Configure Nginx to Load the Module

Edit your main Nginx config file (/etc/nginx/nginx.conf).

At the very top, before the http block, add the following line:

# Load the new module
load_module /usr/share/nginx/modules/ngx_http_modsecurity_module.so;

http {
    # ... your config ...
}

Enable and configure ModSecurity in your http or server block as needed:

http {
    # ...
    modsecurity on;
    modsecurity_rules_file /etc/nginx/modsec/main.conf;
    # ...
}

Test your configuration and restart Nginx:

nginx -t
systemctl restart nginx
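
The script below is an added example, not part of this project: it statically checks a config file for the three directives from Step 3, because nginx -t still passes when "modsecurity on;" is missing and no requests are being inspected. The function name check_modsec_conf and the sample config are constructed for illustration; include files are not followed.

```shell
#!/bin/sh
# Added example (not from this repository): presence/order check for Step 3.
# Returns 0 when every check passes, 1 otherwise. Does not follow "include".
check_modsec_conf() {
    awk '
        { sub(/#.*/, "") }    # strip comments (naive: ignores quoting)
        /^[ \t]*load_module[ \t].*ngx_http_modsecurity_module\.so[ \t]*;/ {
            if (!load) load = NR
        }
        /^[ \t]*http[ \t]*[{]/ { if (!http) http = NR }
        /(^|[ \t;{])modsecurity[ \t]+on[ \t]*;/ { on = 1 }
        /(^|[ \t;{])modsecurity_rules_file[ \t]+[^ \t;]+[ \t]*;/ { rules = 1 }
        END {
            bad = 0
            if (!load) {
                print "FAIL: load_module for ngx_http_modsecurity_module.so not found"; bad = 1
            } else if (http && load > http) {
                print "FAIL: load_module appears after the http block opens"; bad = 1
            }
            if (!on)    { print "FAIL: no \"modsecurity on;\" directive, requests are not inspected"; bad = 1 }
            if (!rules) { print "FAIL: no modsecurity_rules_file directive"; bad = 1 }
            if (!bad) print "OK: module loaded before http, ModSecurity enabled with a rules file"
            exit bad
        }
    ' "$1"
}

# Constructed sample: the module is loaded, but "modsecurity on;" is commented out.
sample=$(mktemp)
cat > "$sample" <<'EOF'
load_module /usr/share/nginx/modules/ngx_http_modsecurity_module.so;
events {}
http {
    # modsecurity on;
    modsecurity_rules_file /etc/nginx/modsec/main.conf;
}
EOF
check_modsec_conf "$sample" || echo "Fix the config before restarting nginx."
rm -f "$sample"
```

On a real server, call check_modsec_conf /etc/nginx/nginx.conf before the restart; a pass only shows the directives are present, not that every server block enables ModSecurity.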