Compiling for NGINX without Apache #686

Closed
infinitnet opened this issue Mar 31, 2014 · 24 comments

@infinitnet

Even though I use --disable-apache2-module to compile the standalone module, configure fails with "configure: error: couldn't find APXS". Now to install APXS I have to install the Apache development packages. The problem is that with Debian-based systems, even if you use something like --no-install-recommends with apt, it forces you to install Apache and not only the development libraries. Is there any way around this? I have NGINX running and don't want to bloat my system with Apache. It would cause other issues too, because I'd always have to keep an eye on Apache after OS updates, so it doesn't start automatically and interfere with NGINX.

@leejsinclair

I've been working through this for a couple of hours now. I still have not got all the missing libraries, but this is where I'm up to (Ubuntu 13 server):

wget https://github.com/SpiderLabs/ModSecurity/archive/master.zip
wget http://nginx.org/download/nginx-1.5.12.tar.gz
wget http://zlib.net/zlib-1.2.8.tar.gz

tar zxvf nginx-1.5.12.tar.gz
unzip master.zip
tar zxvf zlib-1.2.8.tar.gz

sudo apt-get update

# Get missing libraries for mod_security
sudo apt-get install libpcre3 libpcre3-dev lighttpd-dev apache2-prefork-dev
sudo apt-get install apache2-prefork-dev apache2-threaded-dev libxml2-dev libtool autoconf
sudo apt-get install libcurl4-openssl-dev libcurl4-nss-dev libcurl4-gnutls-dev

# install zlib, another missing library
cd zlib-1.2.8
./configure
make && sudo make install

cd ../ModSecurity-master
./autogen.sh
./configure --enable-standalone-module
make

This is where I'm up to, it continues to complain about some curl library. It is a worry that so many libraries need to be installed.

Has anyone got past this point?

@wellumies

This is how I did it in Debian Wheezy

cd /opt
wget https://www.modsecurity.org/tarball/2.7.7/modsecurity-apache_2.7.7.tar.gz

tar -xvf modsecurity-apache_2.7.7.tar.gz

ln -s modsecurity-apache_2.7.7/ mod_security
# the symlink was created in /opt, so enter it relative to the current directory
cd mod_security

apt-get install build-essential libxml2 libxml2-dev libxml2-utils apache2-threaded-dev libcurl3-dev

./configure --enable-standalone-module
make
make install  # it will generate the NGINX config file

cd ..

wget http://nginx.org/download/nginx-1.4.1.tar.gz
tar -xvf nginx-1.4.1.tar.gz
cd nginx-1.4.1/

./configure --add-module=../mod_security/nginx/modsecurity
make
make install

root@debian:/opt/nginx# uname -a
Linux debian 3.2.0-4-amd64 #1 SMP Debian 3.2.54-2 x86_64 GNU/Linux
root@debian:/opt/nginx# lsb_release
No LSB modules are available.
root@debian:/opt/nginx# lsb_release -a
No LSB modules are available.
Distributor ID: Debian
Description: Debian GNU/Linux 7.4 (wheezy)
Release: 7.4
Codename: wheezy
root@debian:/opt/nginx#

@infinitnet
Author

Well, my problem/concern is that if I install 'apache2-threaded-dev' or 'apache2-prefork-dev' via apt, it forces me to also install the Apache binaries with it, even when using '--no-install-recommends'. We already use NGINX as a web server, so it's rather bad if we're forced to install Apache too in order to compile mod_sec. Furthermore, if we configure mod_sec with '--disable-apache2-module', shouldn't it actually stop insisting on APXS, or is that also a requirement to compile the NGINX module?

@infinitnet
Author

Anyone?

@zimmerle
Contributor

zimmerle commented Apr 2, 2014

@infinitnet more information on the dependencies is available here: #661.

@infinitnet
Author

@zimmerle Thanks for pointing that out - sorry I missed that existing report. So is anyone working on this already and if so, is there an ETA? It's great that mod_sec for NGINX is finally out of its alpha/beta phase, but its dependency on Apache is really annoying with NGINX-only systems.

@rcbarnett-zz
Contributor

You have a valid point, however you need to understand how we were able to port ModSecurity to other platforms. ModSecurity relies heavily on Apache Runtime (APR). It would take a massive recoding to remove those dependencies from the code. What we opted to do was to create a light-weight APR wrapper around ModSecurity to "trick" it into thinking it is always running inside Apache even when it is inside IIS, Nginx, Java, etc... We understand that the dependencies to initially compile it are cumbersome but it is necessary for it to work.

We will still investigate ways to make this easier. Hope you understand.

@infinitnet
Author

Wouldn't it be possible to simply include all Apache libs/files needed into the ModSecurity bundle and pull everything that's required for compilation from there instead of from the system environment?

@infinitnet
Author

To come back to this again - for example ngx_pagespeed bundles the APR libraries with PSOL, so it's not required to install the system packages, even though it also relies on APR and this solution works nicely. It would be nice if ModSecurity for NGINX could offer a similar solution.

@infinitnet
Author

It works fine now with a pull from the latest nginx_refactoring branch, but only if you compile ngx_pagespeed before ModSec.

@msva

msva commented Aug 23, 2014

@infinitnet can you paste an example of how you are compiling it with pagespeed? ;)

@infinitnet
Author

@msva Do you mean the configure options or the whole process or anything else specific?

@msva

msva commented Aug 23, 2014

It would be nice to look at the whole build.log, since I'm unable to build modsecurity without apache installed even from the nginx_refactoring branch :(

make CFLAGS="-I/usr/include/apr-1 -I../psol/include/third_party/httpd24/src/include -I../psol/include/third_party/httpd24/src/os/unix -I../psol/include/third_party/httpd24/gen/arch/linux/x64/include -I/usr/include/libxml2"
make -f objs/Makefile
make[1]: Entering directory `/var/tmp/portage/www-servers/nginx-1.7.4/work/nginx-1.7.4'
x86_64-pc-linux-gnu-gcc -c -I/usr/include/apr-1 -I../psol/include/third_party/httpd24/src/include -I../psol/include/third_party/httpd24/src/os/unix -I../psol/include/third_party/httpd24/gen/arch/linux/x64/include -I/usr/include/libxml2  -I src/core -I src/event -I src/event/modules -I src/os/unix -I ../ngx_pagespeed-1.8.31.4-beta/psol/include -I ../ngx_pagespeed-1.8.31.4-beta/psol/include/third_party/chromium/src -I ../ngx_pagespeed-1.8.31.4-beta/psol/include/third_party/google-sparsehash/src -I ../ngx_pagespeed-1.8.31.4-beta/psol/include/third_party/google-sparsehash/gen/arch/linux/x64/include -I ../ngx_pagespeed-1.8.31.4-beta/psol/include/third_party/protobuf/src -I ../ngx_pagespeed-1.8.31.4-beta/psol/include/third_party/re2/src -I ../ngx_pagespeed-1.8.31.4-beta/psol/include/out/Release/obj/gen -I ../ngx_pagespeed-1.8.31.4-beta/psol/include/out/Release/obj/gen/protoc_out/instaweb -I ../ngx_pagespeed-1.8.31.4-beta/psol/include/third_party/apr/src/include -I ../ngx_pagespeed-1.8.31.4-beta/psol/include/third_party/aprutil/src/include -I ../ngx_pagespeed-1.8.31.4-beta/psol/include/third_party/apr/gen/arch/linux/x64/include -I ../ngx_pagespeed-1.8.31.4-beta/psol/include/third_party/aprutil/gen/arch/linux/x64/include -I ../ModSecurity-33b8760e87b7441142a431175d5b459245551314/nginx/modsecurity -I ../ModSecurity-33b8760e87b7441142a431175d5b459245551314/nginx/modsecurity/../../standalone -I ../ModSecurity-33b8760e87b7441142a431175d5b459245551314/nginx/modsecurity/../../apache2 -I objs -I src/http -I src/http/modules -I src/mail \
        -o objs/addon/modsecurity/ngx_http_modsecurity.o \
        ../ModSecurity-33b8760e87b7441142a431175d5b459245551314/nginx/modsecurity/ngx_http_modsecurity.c
In file included from ../ModSecurity-33b8760e87b7441142a431175d5b459245551314/nginx/modsecurity/ngx_http_modsecurity.c:28:0:
../ModSecurity-33b8760e87b7441142a431175d5b459245551314/nginx/modsecurity/../../standalone/api.h:29:28: fatal error: mod_log_config.h: No such file or directory
compilation terminated.
make[1]: *** [objs/addon/modsecurity/ngx_http_modsecurity.o] Error 1
make[1]: Leaving directory `/var/tmp/portage/www-servers/nginx-1.7.4/work/nginx-1.7.4'
make: *** [build] Error 2

@msva

msva commented Jun 18, 2015

@infinitnet can you reopen the issue, since it is still impossible to build ModSecurity without apache headers and, probably, apxs too?

infinitnet reopened this Jun 18, 2015

@msva

msva commented Jun 18, 2015

thanks ;)

@zimmerle
Contributor

Already reported on #603. Tracking the progress on: #661.

@msva @infinitnet: Can we close this?

@msva

msva commented Jun 18, 2015

Uhm... As you wish, of course, but it seems, there is no activity in the mentioned issues for a year and two years respectively ;)

// and then I don't get the purpose of nginx-refactoring branch. Isn't it for exactly that issue?

// Anyway, if you're sure it is enough to have the mentioned issues to keep in mind the possibility of an Apache-less install, you can freely close this issue ;)

@zimmerle
Contributor

By having #661 closed we will be able to have an nginx version free of Apache. Among other things, the nginx_refactoring is indeed built with that in mind. Although, it is not ready yet, as you may have noticed. Hope to have good news on that front soon.

I will leave this open. It is now marked as depending on #661.

@infinitnet
Author

@msva I re-opened the issue for you. Are you still unable to compile it without NGINX? Since I know how frustrating it can be, here's a script for you that I just wrote (it's similar to what I use currently) and that should work on Wheezy and Jessie (on Jessie only if you adjust the init file and update-rc.d commands, as that's now systemctl, but I guess that's not the important part about this anyway):

#!/bin/bash

nginx_dl=https://github.com/nginx/nginx/archive/master.zip
nginx_dir=nginx-master
ps_dl=https://github.com/pagespeed/ngx_pagespeed/archive/release-1.9.32.4-beta.zip
psol_dl=https://dl.google.com/dl/page-speed/psol/1.9.32.4.tar.gz
modsec_dl=https://github.com/SpiderLabs/ModSecurity/archive/nginx_refactoring.zip

apt-get -y --force-yes update
apt-get -y --force-yes install make automake patch gcc geoip-database openssl libssl-dev libpcre3 libpcre3-dev perl-modules libghc-zlib-dev libtool gettext wget curl build-essential zlib1g-dev libperl-dev libjemalloc-dev python-geoip libxml2 libxml2-dev libxml2-utils apache2-threaded-dev libcurl3-dev

/etc/init.d/apache2 stop
update-rc.d -f apache2 remove
mv /etc/init.d/apache2 /etc/init.d/apache2-off
rm -f /usr/sbin/apache2

mkdir -p /tmp/sources
wget -O /tmp/sources/$nginx_dir.zip $nginx_dl
wget -O /tmp/sources/pagespeed.zip $ps_dl
wget -O /tmp/sources/modsec.zip $modsec_dl
cd /tmp/sources/
unzip $nginx_dir.zip
unzip modsec.zip
unzip pagespeed.zip
rm -f $nginx_dir.zip
rm -f modsec.zip
rm -f pagespeed.zip
cd ngx_pagespeed*
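wget $psol_dl
# ps_ver was never defined; take the archive name from the PSOL download URL instead
psol_archive=$(basename "$psol_dl")
tar xfz "$psol_archive"
rm -f "$psol_archive"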

useradd -M -d /var/www -s /sbin/nologin nginx
mkdir -p /etc/nginx/conf.d
mkdir -p /usr/share/nginx
mkdir -p /var/log/nginx
mkdir -p /var/lib/nginx/tmp/client_body
mkdir -p /var/lib/nginx/tmp/proxy
mkdir -p /var/www
mkdir -p /var/cache/pagespeed
chown -R nginx:nginx /var/lib/nginx
chown -R nginx:nginx /var/log/nginx
chown -R nginx:nginx /var/cache/pagespeed

cd /tmp/sources/ModSecurity-nginx_refactoring
./autogen.sh
./configure --enable-standalone-module
make
make install
cp unicode.mapping /etc/nginx/conf.d/

cd /tmp/sources/$nginx_dir
./configure --user=nginx --group=nginx --prefix=/usr/share/nginx --sbin-path=/usr/sbin/nginx --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --http-client-body-temp-path=/var/lib/nginx/tmp/client_body --http-proxy-temp-path=/var/lib/nginx/tmp/proxy --http-fastcgi-temp-path=/var/lib/nginx/tmp/fastcgi --http-uwsgi-temp-path=/var/lib/nginx/tmp/uwsgi --http-scgi-temp-path=/var/lib/nginx/tmp/scgi --pid-path=/run/nginx.pid --lock-path=/var/lock/subsys/nginx --with-http_ssl_module --with-http_realip_module --with-http_sub_module --with-http_gzip_static_module --with-http_stub_status_module --with-http_perl_module --with-http_geoip_module --with-cc-opt='-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -march=native -mtune=native' --add-module=/tmp/sources/ngx_pagespeed-release-1.9.32.4-beta --add-module=/tmp/sources/ModSecurity-nginx_refactoring/nginx/modsecurity
make
make install
/bin/cp -f /usr/share/GeoIP/GeoIP.dat /etc/nginx/
/bin/cp /tmp/sources/$nginx_dir/conf/* /etc/nginx/

# write the init script (the heredoc needs a redirect to create the file)
cat > /etc/init.d/nginx << 'EOF'
#!/bin/sh
### BEGIN INIT INFO
# Provides:          nginx
# Required-Start:    $network $local_fs 
# Required-Stop:     $network $local_fs
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: Stop/start nginx
### END INIT INFO

# Author: Sergey Budnevitch <[email protected]>

PATH=/sbin:/usr/sbin:/bin:/usr/bin
DESC=nginx
NAME=nginx
CONFFILE=/etc/nginx/nginx.conf
DAEMON=/usr/sbin/nginx
PIDFILE=/var/run/$NAME.pid
SCRIPTNAME=/etc/init.d/$NAME

[ -x $DAEMON ] || exit 0

[ -r /etc/default/$NAME ] && . /etc/default/$NAME

DAEMON_ARGS="-c $CONFFILE $DAEMON_ARGS"

. /lib/init/vars.sh

. /lib/lsb/init-functions

do_start()
{
    start-stop-daemon --start --quiet --pidfile $PIDFILE --exec $DAEMON -- \
        $DAEMON_ARGS
    RETVAL="$?"
    return "$RETVAL"
}

do_stop()
{
    # Return
    #   0 if daemon has been stopped
    #   1 if daemon was already stopped
    #   2 if daemon could not be stopped
    #   other if a failure occurred
    start-stop-daemon --stop --quiet --retry=TERM/30/KILL/5 --pidfile $PIDFILE --name $NAME
    RETVAL="$?"
    rm -f $PIDFILE
    return "$RETVAL"
}

do_reload() {
    #
    start-stop-daemon --stop --signal HUP --quiet --pidfile $PIDFILE --name $NAME
    RETVAL="$?"
    return "$RETVAL"
}

do_configtest() {
    if [ "$#" -ne 0 ]; then
        case "$1" in
            -q)
                FLAG=$1
                ;;
            *)
                ;;
        esac
        shift
    fi
    $DAEMON -t $FLAG -c $CONFFILE
    RETVAL="$?"
    return $RETVAL
}

do_upgrade() {
    OLDBINPIDFILE=$PIDFILE.oldbin

    do_configtest -q || return 6
    start-stop-daemon --stop --signal USR2 --quiet --pidfile $PIDFILE --name $NAME
    RETVAL="$?"
    sleep 1
    if [ -f $OLDBINPIDFILE -a -f $PIDFILE ]; then
        start-stop-daemon --stop --signal QUIT --quiet --pidfile $OLDBINPIDFILE --name $NAME
        RETVAL="$?"
    else
        echo "Upgrade failed!"
        RETVAL=1
        return $RETVAL
    fi
}

case "$1" in
    start)
        [ "$VERBOSE" != no ] && log_daemon_msg "Starting $DESC " "$NAME"
        do_start
        case "$?" in
            0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;;
            2) [ "$VERBOSE" != no ] && log_end_msg 1 ;;
        esac
        ;;
    stop)
        [ "$VERBOSE" != no ] && log_daemon_msg "Stopping $DESC" "$NAME"
        do_stop
        case "$?" in
            0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;;
            2) [ "$VERBOSE" != no ] && log_end_msg 1 ;;
        esac
        ;;
  status)
        status_of_proc "$DAEMON" "$NAME" && exit 0 || exit $?
        ;;
  configtest)
        do_configtest
        ;;
  upgrade)
        do_upgrade
        ;;
  reload|force-reload)
        log_daemon_msg "Reloading $DESC" "$NAME"
        do_reload
        log_end_msg $?
        ;;
  restart|force-reload)
        log_daemon_msg "Restarting $DESC" "$NAME"
        do_configtest -q || exit $RETVAL
        do_stop
        case "$?" in
            0|1)
                do_start
                case "$?" in
                    0) log_end_msg 0 ;;
                    1) log_end_msg 1 ;; # Old process is still running
                    *) log_end_msg 1 ;; # Failed to start
                esac
                ;;
            *)
                # Failed to stop
                log_end_msg 1
                ;;
        esac
        ;;
    *)
        echo "Usage: $SCRIPTNAME {start|stop|status|restart|reload|force-reload|upgrade|configtest}" >&2
        exit 3
        ;;
esac

exit $RETVAL
EOF
chmod +x /etc/init.d/nginx
update-rc.d -f nginx defaults
/etc/init.d/nginx restart
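
An added example, not part of the original comment or of the ModSecurity project: the thread's concern is Apache being started by package operations once `apache2-threaded-dev` has pulled it in, and on Debian a `policy-rc.d` helper can refuse that start without deleting packaged files. The function names and the temp-directory dry run are assumptions made for this example; on a real host the generated file goes to `/usr/sbin/policy-rc.d`.

```shell
#!/bin/sh
# Added example (not from the thread): stop dpkg maintainer scripts from starting
# the apache2 daemon that apache2-threaded-dev pulls in as a build dependency.
# invoke-rc.d consults /usr/sbin/policy-rc.d before acting on a service;
# exit status 101 means "action forbidden by policy", 0 means "allowed".

# write_policy DEST SERVICE...  - DEST is /usr/sbin/policy-rc.d on a real host;
# it is a parameter here so the policy can be generated and tried in a temp dir.
write_policy() {
    dest=$1; shift
    cat > "$dest" <<EOF
#!/bin/sh
# policy-rc.d: forbid starting these services from package scripts: $*
while [ "\${1#--}" != "\$1" ]; do shift; done   # skip --quiet / --list options
id=\$1 action=\$2
for svc in $*; do
    [ "\$id" = "\$svc" ] || continue
    case "\$action" in
        start|restart|try-restart|force-reload) exit 101 ;;
    esac
done
exit 0   # stop, and every other service, stay allowed
EOF
    chmod 755 "$dest"
}

# policy_verdict POLICY ARGS...  - print the exit status the policy returns.
# The policy is run through sh so the dry run also works on a noexec temp dir.
policy_verdict() {
    policy=$1; shift
    rc=0
    sh "$policy" "$@" || rc=$?
    echo "$rc"
}

# Dry run against a constructed temp path; nothing under /usr/sbin is touched.
demo_dir=$(mktemp -d)
write_policy "$demo_dir/policy-rc.d" apache2
for args in "apache2 start" "--quiet apache2 restart" "apache2 stop" "nginx start"; do
    # $args is split on purpose: each word is one policy-rc.d argument
    echo "policy-rc.d $args -> $(policy_verdict "$demo_dir/policy-rc.d" $args)"
done
rm -rf "$demo_dir"
```

`policy-rc.d` only governs `invoke-rc.d` calls made during package installs and upgrades; start at boot is controlled separately by the rc links (`update-rc.d apache2 disable`).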

@zimmerle
Contributor

@infinitnet yeah I know :( hopefully we can reduce the amount of all unnecessary dependencies soon.

Btw, that script seems great. I think it will be very valuable for the community in general. Want to start a wiki page for nginx? Maybe place it on Gist? To avoid polluting this issue, let's talk about it via email.

@msva

msva commented Jun 18, 2015

@infinitnet
Main issue: I'm using neither Ubuntu nor Debian (which leads to the second part of the second issue) 😉
Second issue: you're still installing a part of apache2 (apache2-threaded-dev), and I'm talking about an entirely Apache-less installation 😉

@zimmerle the script is very Ubuntu-centric (and doesn't take care of systemd users, btw, at a time when Ubuntu is moving to systemd), but it would probably be nice to have it somewhere just as a cheat sheet for somebody ;)

@infinitnet
Author

@msva it's a quick and dirty workaround to at least not have the full Apache packages installed, it is obvious that completely Apache-less isn't possible yet. If that's not good enough for you, I guess you'll have to be patient.

@zimmerle the script is quite dirty and rather an example, but sure, if you think it would help people, I can start a wiki page on how to compile ModSecurity with NGINX when I have the time.

PS: I see there is a page containing those details already (https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Manually_Installing_ModSecurity_Module_on_NGINX), I'll probably just edit that to include Debian systems and see if there is a better way for RHEL that requires less "garbage".

@wellumies

I think it is pointless. If you are able to compile modsec with nginx, you still have to turn off request processing to let it actually pass anything to the backend servers (read: anything over 8k).

It is like using antivirus that does not detect any viruses, but uses 25% of your CPU


@victorhora
Contributor

Won't fix in 2.x. libModSecurity no longer depends on Apache or APR.

Further information available here - https://github.com/SpiderLabs/ModSecurity-nginx
