docker.recipes

NGINX + ModSecurity WAF

advanced

NGINX with ModSecurity Web Application Firewall for security.

Overview

NGINX is a high-performance HTTP server and reverse proxy that has been a backbone of modern web infrastructure since its creation in 2004. Originally developed to solve the C10K problem of handling 10,000 concurrent connections, NGINX uses an event-driven, asynchronous architecture that outperforms traditional process-based web servers under high load. Its small footprint and performance make it well suited to serving static content, load balancing, and proxying requests to backend applications.

This configuration combines NGINX with ModSecurity, the best-known open-source Web Application Firewall (WAF), which inspects HTTP traffic in real time to detect and block malicious requests. ModSecurity runs the OWASP Core Rule Set (CRS), a collection of rules designed to protect against common web vulnerabilities including SQL injection, cross-site scripting (XSS), remote file inclusion, and other OWASP Top 10 threats. The result is a filtering layer that stops malicious traffic before it reaches your application servers.

This stack suits organizations running public-facing web applications that need strong protection without the cost of commercial WAF products. Security-conscious developers, system administrators protecting legacy applications, and compliance teams meeting regulatory requirements get robust protection with granular control over security policies. The OWASP CRS ships with battle-tested rules while allowing extensive customization for specific application needs.

Key Features

  • OWASP Core Rule Set (CRS) protection against SQL injection, XSS, and remote file inclusion attacks
  • Configurable paranoia levels from 1-4 to balance security strictness with false positive rates
  • Real-time HTTP traffic inspection with anomaly scoring to detect complex attack patterns
  • Comprehensive request and response body analysis including file upload scanning
  • IP reputation blocking and rate limiting to prevent brute force and DDoS attacks
  • Detailed security logging with structured JSON output for SIEM integration
  • Rule customization support through SecRule directives and whitelist exceptions
  • Event-driven NGINX architecture handling thousands of concurrent connections efficiently

Common Use Cases

  • Protecting e-commerce platforms from payment card data theft and fraud attempts
  • Securing WordPress and CMS installations against automated vulnerability scanners
  • Compliance requirements for PCI DSS, HIPAA, or SOX mandating WAF deployment
  • Legacy application security hardening without modifying source code
  • API endpoint protection against injection attacks and malformed requests
  • Multi-tenant SaaS platforms requiring tenant-specific security policies
  • Educational institutions protecting student information systems from attacks

Prerequisites

  • Minimum 512MB RAM recommended for ModSecurity rule processing and logging
  • Available ports 80 and 443 for HTTP/HTTPS traffic handling
  • Understanding of HTTP request/response flow and common web vulnerabilities
  • Familiarity with NGINX configuration syntax and ModSecurity rule format
  • Log monitoring strategy for analyzing blocked requests and tuning rules
  • SSL/TLS certificates if enabling HTTPS protection

For development & testing. Review security settings, change default credentials, and test thoroughly before production use.

docker-compose.yml

services:
  nginx-waf:
    image: owasp/modsecurity-crs:nginx
    container_name: nginx-waf
    restart: unless-stopped
    environment:
      # Read from .env so the template below actually takes effect; the value
      # after :- is the fallback used when the variable is unset.
      PARANOIA: ${PARANOIA:-1}
      ANOMALY_INBOUND: ${ANOMALY_INBOUND:-5}
      ANOMALY_OUTBOUND: ${ANOMALY_OUTBOUND:-4}
    volumes:
      # Custom NGINX server blocks; create ./nginx/conf.d on the host first,
      # otherwise Docker mounts an empty directory over the image's defaults.
      - ./nginx/conf.d:/etc/nginx/conf.d:ro
    ports:
      # Current owasp/modsecurity-crs images listen on 8080/8443 (set by the
      # PORT and SSL_PORT variables); older tags listened on 80/443, so match
      # the container side to the image you pull.
      - "80:8080"
      - "443:8443"
    networks:
      - waf-network

networks:
  waf-network:
    driver: bridge

.env Template

.env

# ModSecurity paranoia level (1-4)
PARANOIA=1
# Anomaly thresholds (inbound = request, outbound = response)
ANOMALY_INBOUND=5
ANOMALY_OUTBOUND=4

Usage Notes

  1. Docs: https://coreruleset.org/docs/ and https://modsecurity.org/
  2. OWASP Core Rule Set (CRS) pre-configured for common attacks
  3. PARANOIA=1 (low) to 4 (high) - higher = more strict, more false positives
  4. View blocked requests: docker logs nginx-waf | grep 'ModSecurity'
  5. Whitelist false positives with SecRuleRemoveById in custom rules
  6. Test rules before production: set SecRuleEngine DetectionOnly
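The notes above say to grep the container log and then whitelist false positives; the step in between is finding out which rule fired where. The following is an added example (not code from this recipe or from the owasp/modsecurity-crs image) that parses ModSecurity lines from `docker logs nginx-waf` into per-rule, per-path counts and formats a path-scoped exclusion, which is narrower than a global SecRuleRemoveById. The log lines are constructed samples in the nginx-connector error-log format; the CRS rule ids 942100, 920350 and 949110 are real CRS ids used only as illustration.

```python
"""Summarise ModSecurity lines from `docker logs nginx-waf` for CRS tuning.

Added example for this recipe, not code from the owasp/modsecurity-crs image.
SAMPLE_LOG holds constructed lines in the nginx-connector error-log format.
"""
import re
from collections import Counter

# Every ModSecurity message carries bracketed pairs such as [id "942100"] [uri "/search"].
FIELD_RE = re.compile(r'\[(id|msg|severity|uri) "([^"]*)"\]')
# CRS rule 949110 enforces the inbound anomaly threshold; it only reports the block,
# so the rules that matched before it are the ones worth tuning.
BLOCKING_EVAL_RULE = "949110"


def parse_modsec_line(line):
    """Return id/msg/severity/uri plus a 'blocked' flag, or None for non-ModSecurity lines."""
    if "ModSecurity:" not in line:
        return None
    fields = dict(FIELD_RE.findall(line))
    if "id" not in fields:
        return None
    fields["blocked"] = "Access denied" in line
    return fields


def summarize(lines):
    """Count (rule id, uri) pairs for the rules that actually matched."""
    counts = Counter()
    for line in lines:
        event = parse_modsec_line(line)
        if event and event["id"] != BLOCKING_EVAL_RULE:
            counts[(event["id"], event["uri"])] += 1
    return counts


def scoped_exclusion(local_id, uri_prefix, rule_id):
    """Format an exclusion that disables one CRS rule only under one path prefix."""
    return (f'SecRule REQUEST_URI "@beginsWith {uri_prefix}" '
            f'"id:{local_id},phase:1,pass,nolog,ctl:ruleRemoveById={rule_id}"')


SAMPLE_LOG = [  # constructed; real lines also carry [file ...], [tag ...] and [unique_id ...]
    '2024/05/01 12:00:01 [error] 7#7: *1 [client 172.18.0.1] ModSecurity: Warning. detected SQLi using libinjection. [id "942100"] [msg "SQL Injection Attack Detected via libinjection"] [severity "2"] [uri "/search"]',
    '2024/05/01 12:00:01 [error] 7#7: *1 [client 172.18.0.1] ModSecurity: Access denied with code 403 (phase 2). [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "2"] [uri "/search"]',
    '2024/05/01 12:00:02 [error] 7#7: *2 [client 172.18.0.5] ModSecurity: Warning. detected SQLi using libinjection. [id "942100"] [msg "SQL Injection Attack Detected via libinjection"] [severity "2"] [uri "/search"]',
    '2024/05/01 12:00:03 [error] 7#7: *3 [client 172.18.0.9] ModSecurity: Warning. Matched. [id "920350"] [msg "Host header is a numeric IP address"] [severity "4"] [uri "/"]',
    '2024/05/01 12:00:04 [notice] 7#7: signal process started',
]

if __name__ == "__main__":
    for (rule_id, uri), n in summarize(SAMPLE_LOG).most_common():
        print(f"{n:4d}  rule {rule_id}  {uri}")
```

Feed it real output with `docker logs nginx-waf 2>&1 | python3 tune.py` style piping once you replace SAMPLE_LOG with `sys.stdin`; a rule that fires repeatedly on one legitimate path is a candidate for a scoped exclusion, a rule firing across many paths usually is not.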

Quick Start

terminal

# 1. Create the compose file (quoted EOF keeps ${VAR:-default} for compose to expand)
cat > docker-compose.yml << 'EOF'
services:
  nginx-waf:
    image: owasp/modsecurity-crs:nginx
    container_name: nginx-waf
    restart: unless-stopped
    environment:
      PARANOIA: ${PARANOIA:-1}
      ANOMALY_INBOUND: ${ANOMALY_INBOUND:-5}
      ANOMALY_OUTBOUND: ${ANOMALY_OUTBOUND:-4}
    volumes:
      - ./nginx/conf.d:/etc/nginx/conf.d:ro
    ports:
      # current images listen on 8080/8443 (PORT / SSL_PORT); older tags used 80/443
      - "80:8080"
      - "443:8443"
    networks:
      - waf-network

networks:
  waf-network:
    driver: bridge
EOF

# 2. Create the .env file
cat > .env << 'EOF'
# ModSecurity paranoia level (1-4)
PARANOIA=1
# Anomaly thresholds
ANOMALY_INBOUND=5
ANOMALY_OUTBOUND=4
EOF

# 3. Create the mounted config directory so the volume is not an empty override
mkdir -p nginx/conf.d

# 4. Start the services
docker compose up -d

# 5. View logs
docker compose logs -f

One-Liner

Run this command to download and set up the recipe in one step (fetch the script and read it first if you prefer not to pipe unreviewed content into a shell):

terminal

curl -fsSL https://docker.recipes/api/recipes/nginx-modsecurity/run | bash

Troubleshooting

  • High false positive rates blocking legitimate traffic: Lower PARANOIA level from 2 to 1 or add SecRuleRemoveById exceptions for specific rules
  • ModSecurity blocking file uploads or form submissions: Increase SecRequestBodyLimit and SecRequestBodyNoFilesLimit in configuration
  • Performance degradation with ModSecurity enabled: Disable response body inspection with SecResponseBodyAccess Off and tune paranoia level
  • Rules not loading or CRS errors in logs: Verify OWASP_CRS environment variables match available rule sets in the container image
  • Cannot access blocked request details: Enable audit logging with SecAuditEngine On and check /var/log/modsec_audit.log
  • NGINX failing to start with ModSecurity module: Ensure modsecurity.conf includes proper SecRuleEngine directive and valid CRS path
