Red Hat SummitChapter 2. Configuring ModSecurity on RHEL
When you install Red Hat JBoss Core Services on Red Hat Enterprise Linux (RHEL), you can configure the ModSecurity module to function as a web application firewall (WAF) for the Apache HTTP Server.
JBCS 2.4.57 does not currently provide an archive file distribution of the Apache HTTP Server for RHEL 9.
2.1. ModSecurity dependencies on RHEL
ModSecurity has several dependencies to function successfully. Some of these dependencies are already included as a part of Red Hat JBoss Core Services.
The following table provides a list of ModSecurity dependencies:
| Dependency | Part of JBCS on RHEL? |
|---|---|
| Apache Portable Runtimes (APR) | Yes |
|
| Yes |
|
| Yes |
|
| Yes |
| Perl-Compatible Regular Expressions (PCRE) | Yes |
|
| No |
On RHEL, Red Hat JBoss Core Services includes all of these dependencies except the libxml2 library.
2.2. ModSecurity installation on RHEL
The ModSecurity module is included as part of a Red Hat JBoss Core Services installation.
You can follow the procedures in the Red Hat JBoss Core Services Apache HTTP Server Installation Guide to download and install the Apache HTTP Server for your operating system.
2.3. Loading ModSecurity
You can load the ModSecurity module by using the LoadModule command.
Procedure
To load the ModSecurity module, enter the following command:
LoadModule security2_module modules/mod_security2.so
2.4. Configuring the rules directory on RHEL
ModSecurity functionality requires that you create rules that the system uses. Apache HTTP Server provides a preconfigured mod_security.conf.sample file in the HTTPD_HOME/modsecurity.d directory. To use ModSecurity rules, you must modify the mod_security.conf.sample file with settings that are appropriate for your environment. You can store the ModSecurity rules in the modsecurity.d directory or the modsecurity.d/activated_rules subdirectory.
Procedure
-
Go to the
HTTPD_HOME/modsecurity.ddirectory. Rename the
mod_security.conf.samplefile tomod_security.conf:mv mod_security.conf.sample ./mod_security.conf-
Open the
mod_security.conffile and specify parameters for all the configuration directives that you want to use with the ModSecurity rules.
2.5. Key ModSecurity configuration options
You can use key ModSecurity configuration options to improve the performance of regular expressions, investigate ModSecurity 2.6 phase one moving to phase two hook, and allow use of certain directives in .htaccess files.
- enable-pcre-jit
- Enables Just-In-Time (JIT) compiler support in the Perl-Compatible Regular Expressions (PCRE) library 8.20 or later to improve the performance of regular expressions.
- enable-request-early
- Enables testing of the ModSecurity 2.6 move from phase one to phase two hook
- enable-htaccess-config
-
Enables use of directives in
.htaccessfiles whenAllowOverride Optionsis set
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}