Hardening Nginx: Raweb Nginx and ModSecurity WAF Integration
Step-by-step guide to installing and configuring ModSecurity WAF rules on a customized Raweb Nginx build for enterprise-level web protection.
In today's threat landscape, web security is no longer optional. Securing your web applications against SQL injection, cross-site scripting (XSS), malicious bots, and automated vulnerability scanners requires a robust defense-in-depth strategy. While a standard Nginx installation is excellent for serving content and proxying requests, it lacks built-in protective features like a Web Application Firewall (WAF).
That is where Raweb Nginx comes in: a performance-tuned, pre-configured Nginx build that bundles ModSecurity, the OWASP Core Rule Set (CRS) and OpenResty's Lua modules (lua-resty-core). This guide walks you through securing a website with Raweb Nginx, from installation to production hardening.
Why Choose Raweb Nginx?
Raweb Nginx is a hardened web server compilation designed for modern, secure, and fast websites. By combining the speed of Nginx with the defense capabilities of ModSecurity and the extensibility of Lua scripting, it offers:
- Turnkey WAF Protection: ModSecurity with the OWASP CRS blocks the request-level attack classes from the OWASP Top 10 (injection, XSS, path traversal, scanner traffic) out of the box. It does not fix logic or access-control flaws in the application itself, so treat it as one layer, not the whole defense.
- HTTP/3 and QUIC Support: Enhanced speed and connection reliability using modern network protocols.
- Dynamic Scripting: Support for OpenResty Lua modules to inspect, block, or rewrite requests before they reach your backend application.
- Aesthetic Error Handling: Clean, custom error pages that don't leak server details.
Installation & Setup
Installing Raweb Nginx is simple. For complete, step-by-step installation instructions, follow the guide on: How to protect your website with Nginx and ModSecurity.
Quick Start: APT Installation
If you are on Debian 13 (Trixie) or Ubuntu 26.04 LTS (Raccoon), you can install Raweb Nginx with the commands below. The repository line is the Debian 13 (trixie) one; on Ubuntu, use the suite name given in the full installation guide.
# Trust the repository GPG key
sudo install -d /etc/apt/keyrings
sudo curl -fsSL https://apt.julio.al/repository/public/keys/raweb.asc -o /etc/apt/keyrings/raweb.asc
# Add the repository
echo "deb [signed-by=/etc/apt/keyrings/raweb.asc] https://apt.julio.al/repository/raweb-trixie trixie main" | sudo tee /etc/apt/sources.list.d/raweb.list
# Update repository lists and install
sudo apt update && sudo apt install <raweb-package>
The package name is the one given in the installation guide linked above. Before trusting the key, compare its fingerprint with the one the guide publishes: a package repository you trust sits above every other control on this page.
Hardening Your Nginx Configuration
Once installed, the configuration lives under /nginx/. The WAF does nothing until ModSecurity is enabled in your server blocks, so that is the first step.
Step 1: Enable ModSecurity Globally or Per Vhost
Add the following directives inside a server block (for example in the virtual host files under /nginx/live/), or once at the http level to cover every vhost:
server {
listen 443 ssl;
server_name yourdomain.com;
# Enable ModSecurity
modsecurity on;
modsecurity_rules_file /nginx/modsec/main.conf;
# ... rest of your server configuration ...
}
The SecRuleEngine setting inside the rules file decides whether ModSecurity blocks or only logs: DetectionOnly is the right mode for a first rollout, and you switch it to On once the audit log shows no false positives on real traffic. A single location can opt out with modsecurity off (a health-check endpoint, say), which is the fix for one noisy path rather than switching the engine off globally. Run nginx -t and reload after every change.
Step 2: Strict SSL/TLS Settings
Offer only modern protocols. TLSv1.0 and TLSv1.1 are deprecated (RFC 8996) and carry known weaknesses in their handshakes and cipher suites; removing them also leaves no weaker version for a downgrade to land on:
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384';
ssl_ciphers and ssl_prefer_server_ciphers govern TLS 1.2 only; the TLS 1.3 suites are fixed by the TLS library and are all AEAD, so they need no tuning here. The list above is forward-secret and AEAD-only. After the reload, confirm from the outside (openssl s_client or a public TLS scanner) that handshakes really land on TLS 1.2 or 1.3 instead of trusting the config file.
Step 3: Set Security Headers
Inject HTTP headers that switch on browser-side protections (clickjacking protection, MIME-type sniffing prevention and a referrer policy). Two caveats: nginx does not merge add_header across levels, so a location block that sets any add_header of its own loses every header declared at server level and must repeat them; and the always flag is needed for the headers to be sent on error responses too.
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Content-Type-Options "nosniff" always;
# Current browsers removed the XSS auditor; in old ones the filter itself leaked information, so disable it explicitly
add_header X-XSS-Protection "0" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Content-Security-Policy "upgrade-insecure-requests" always;
The CSP above only rewrites http:// subresource requests to https://; it does not restrict where scripts may load from. Treat it as a starting point and tighten it once you know which origins the site uses, trying each change under Content-Security-Policy-Report-Only first.
Monitoring Security Events
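Steps 1 to 3 fail quietly in ways nginx -t never reports: a stray TLSv1.1 in ssl_protocols, a location block whose own add_header wipes the server-level headers, or a vhost that never turns the engine on. The script below is an added example, not code from Raweb Nginx, that parses a vhost and checks it against the three steps. It assumes the config already passes nginx -t (the parser handles directives, quoted arguments and nested blocks, nothing more); the two sample vhosts are constructed, one weak and one corrected.

```python
"""Static checks on an nginx vhost against the three hardening steps above.

Added example; not code from Raweb Nginx. Assumes a syntactically valid
config (nginx -t passes). Comments are stripped per line before parsing.
"""
import re

# Protocol names that must never appear in ssl_protocols.
OBSOLETE_TLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}


def _tokens(conf):
    body = "\n".join(line.split("#", 1)[0] for line in conf.splitlines())
    # quoted strings, the three structural characters, or bare words
    return re.findall(r'"[^"]*"|\'[^\']*\'|[{};]|[^\s{};]+', body)


def parse(conf):
    """Parse into a list of (directive, args, children); children is None for
    simple directives and a nested list for {...} block directives."""
    toks = _tokens(conf)
    pos = 0

    def block():
        nonlocal pos
        stmts = []
        while pos < len(toks) and toks[pos] != "}":
            words = []
            while toks[pos] not in ("{", ";"):
                words.append(toks[pos].strip("\"'"))
                pos += 1
            terminator = toks[pos]
            pos += 1
            if terminator == "{":
                stmts.append((words[0], words[1:], block()))
                pos += 1  # step over the matching '}'
            else:
                stmts.append((words[0], words[1:], None))
        return stmts

    return block()


def audit(conf):
    """Return a list of findings (strings); an empty list means every check passed."""
    findings = []

    def walk(stmts, kind, inherited, waf_on):
        local = [args for d, args, _ in stmts if d == "add_header" and args]
        names = {args[0] for args in local}
        # nginx does not merge add_header across levels: any add_header here
        # replaces the whole inherited set for this block and its children.
        if names and inherited - names:
            findings.append(f"{kind}: add_header drops inherited {sorted(inherited - names)}")
        for args in local:
            if args[0].lower() == "x-xss-protection" and args[1:2] != ["0"]:
                findings.append(f"{kind}: X-XSS-Protection should be 0 (or removed)")
            if "always" not in args:
                findings.append(f"{kind}: add_header {args[0]} lacks 'always' (absent on 4xx/5xx)")
        waf_on = waf_on or any(d == "modsecurity" and args == ["on"] for d, args, _ in stmts)
        if kind == "server" and not waf_on:
            findings.append("server: ModSecurity is never enabled (modsecurity on)")
        for d, args, children in stmts:
            if d == "ssl_protocols" and OBSOLETE_TLS & set(args):
                findings.append(f"{kind}: ssl_protocols enables {sorted(OBSOLETE_TLS & set(args))}")
            if children is not None:
                walk(children, " ".join([d] + args), names or inherited, waf_on)

    walk(parse(conf), "main", set(), False)
    return findings


# Constructed sample vhosts: the weak one reproduces the three mistakes above.
WEAK = """
server {
    listen 443 ssl;
    server_name example.com;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    add_header X-Frame-Options "SAMEORIGIN";
    add_header X-XSS-Protection "1; mode=block" always;
    location /api/ {
        add_header Cache-Control "no-store" always;   # silently drops the two above
        proxy_pass http://127.0.0.1:8080;
    }
}
"""

HARDENED = """
server {
    listen 443 ssl;
    server_name example.com;
    modsecurity on;
    modsecurity_rules_file /nginx/modsec/main.conf;
    ssl_protocols TLSv1.2 TLSv1.3;
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Content-Type-Options "nosniff" always;
    location /api/ {
        add_header X-Frame-Options "SAMEORIGIN" always;       # re-declared on purpose
        add_header X-Content-Type-Options "nosniff" always;
        add_header Cache-Control "no-store" always;
        proxy_pass http://127.0.0.1:8080;
    }
}
"""

if __name__ == "__main__":
    for label, conf in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit(conf) or "OK")
```

Feed it the rendered vhost (the output of nginx -T works) and the five findings for the weak sample tell you exactly where the three steps went wrong; the hardened sample comes back empty.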
Securing your site is not a set-and-forget task. Regular log review is how you detect intrusion attempts and catch the false positives that a freshly deployed rule set always produces.
- Nginx Access Logs: per-site access logs are written to /srv/<domain>/logs/access.log.
- WAF Audit Logs: matched and blocked requests go to the ModSecurity audit log (path and format are set by SecAuditLog and SecAuditLogFormat in the rules file), which records the whole transaction so you can see exactly which rule and which part of the payload triggered the block. The ModSecurity nginx connector also writes a one-line summary per match, with the rule id, msg and uri, into the nginx error log, which is the quickest place to grep.
Regular review of these logs shows you botnet activity, brute-force campaigns and active SQLi scans, and it tells you which rules need tuning: a rule that fires for many different clients on one ordinary URL is usually a false positive to handle with a targeted rule exclusion for that path, not by disabling the rule everywhere.
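The triage described above is mechanical enough to script. The following is an added example, not code from Raweb Nginx or ModSecurity, that parses the one-line ModSecurity entries from the nginx error log and separates scanner-like clients (one address tripping many different rules) from false-positive candidates (many addresses tripping the same rule on the same URI). It relies only on the bracketed [key "value"] fields the connector writes; the rule IDs are real CRS IDs, while the addresses, file paths and timestamps in the sample lines are constructed.

```python
"""Triage ModSecurity events from the nginx error log.

Added example; not code from Raweb Nginx or ModSecurity. The connector
writes one "ModSecurity: Warning." line per matched rule and one
"ModSecurity: Access denied ..." line per blocked request, each carrying
bracketed fields such as [id "942100"] [msg "..."] [uri "/..."].
"""
import re
from collections import defaultdict

FIELD_RE = re.compile(r'\[(\w+) "([^"]*)"\]')   # [key "value"] pairs
CLIENT_RE = re.compile(r'\[client ([^\]]+)\]')  # the unquoted [client a.b.c.d]
# CRS evaluation rules that fire on every blocked request; they report the
# anomaly score and carry no signature of their own (assumes CRS 3/4 IDs).
CRS_SUMMARY_RULES = {"949110", "980130"}


def parse_event(line):
    """Return a dict for a ModSecurity log line, or None for any other line."""
    if "ModSecurity:" not in line:
        return None
    fields = dict(FIELD_RE.findall(line))
    client = CLIENT_RE.search(line)
    return {
        "client": client.group(1) if client else "?",
        "id": fields.get("id", ""),
        "msg": fields.get("msg", ""),
        "uri": fields.get("uri", ""),
        "blocked": "Access denied" in line,
    }


def triage(lines, scanner_min_rules=3, fp_min_clients=3):
    """Split events into scanner-like clients and false-positive candidates."""
    events = [e for e in map(parse_event, lines) if e]
    rules_per_client = defaultdict(set)
    clients_per_rule_uri = defaultdict(set)
    blocked = 0
    for e in events:
        blocked += e["blocked"]
        if not e["id"] or e["id"] in CRS_SUMMARY_RULES:
            continue
        rules_per_client[e["client"]].add(e["id"])
        clients_per_rule_uri[(e["id"], e["uri"])].add(e["client"])
    # One client tripping many different rules is a scanner or fuzzer.
    scanners = sorted(c for c, r in rules_per_client.items() if len(r) >= scanner_min_rules)
    # Many clients tripping the same rule on the same URI is more often a
    # legitimate form the rule misreads than a coordinated attack.
    suspects = sorted((rid, uri, len(c)) for (rid, uri), c in clients_per_rule_uri.items()
                      if len(c) >= fp_min_clients)
    return {"events": len(events), "blocked": blocked,
            "scanners": scanners, "possible_false_positives": suspects}


def _entry(client, rule_id, msg, uri, blocked=False):
    """Constructed nginx error-log line in the connector's format (sample data)."""
    verdict = "Access denied with code 403 (phase 2)." if blocked else "Warning."
    return (f'2024/05/14 10:22:31 [error] 1234#1234: *57 [client {client}] '
            f'ModSecurity: {verdict} Matched "Operator Rx" '
            f'[file "/nginx/modsec/coreruleset/rules/REQUEST-{rule_id[:3]}-SAMPLE.conf"] '
            f'[line "1"] [id "{rule_id}"] [rev ""] [msg "{msg}"] [severity "2"] '
            f'[uri "{uri}"] [unique_id "1"], client: {client}, server: example.com')


# Constructed sample: one scanner, three ordinary visitors hitting the same
# XSS rule on a contact form, and an unrelated upstream error to be ignored.
SAMPLE_LOG = [
    _entry("198.51.100.7", "942100", "SQL Injection Attack Detected via libinjection", "/index.php"),
    _entry("198.51.100.7", "949110", "Inbound Anomaly Score Exceeded (Total Score: 5)", "/index.php", blocked=True),
    _entry("198.51.100.7", "930120", "OS File Access Attempt", "/download"),
    _entry("198.51.100.7", "941100", "XSS Attack Detected via libinjection", "/search"),
    _entry("203.0.113.5", "941100", "XSS Attack Detected via libinjection", "/contact"),
    _entry("203.0.113.6", "941100", "XSS Attack Detected via libinjection", "/contact"),
    _entry("203.0.113.7", "941100", "XSS Attack Detected via libinjection", "/contact"),
    "2024/05/14 10:24:00 [error] 1234#1234: *60 connect() failed (111: Connection refused) "
    "while connecting to upstream, client: 203.0.113.9, server: example.com",
]

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

On a real box, replace SAMPLE_LOG with the lines of the nginx error log (or the output of grep ModSecurity on it). Lower scanner_min_rules on a quiet site, and treat each false-positive candidate as a prompt to write a path-scoped rule exclusion, checking the full transaction in the audit log before you do.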