modsecurity#12592
| # Install nginx and the NJS module | ||
| apt-get install -y --no-install-recommends nginx nginx-module-njs letsencrypt | ||
| # Install modsecurity | ||
| apt-get install -y libmodsecurity3 libmodsecurity-dev |
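Review bot: Nothing in this hunk installs or builds the nginx connector that provides `ngx_http_modsecurity_module.so`; the new `apt-get install -y libmodsecurity3 libmodsecurity-dev` line only pulls in the ModSecurity library and its development headers, so confirm where the module itself comes from. The line also drops the `--no-install-recommends` flag used by the install command just above it; add the flag for consistency, and leave out `libmodsecurity-dev` unless something in this image is compiled against it.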
This may not be the complete list
Do we need modsecurity-crs?
Pull request overview
This PR aims to add ModSecurity (WAF) support to the nginx setup used by Open Library’s dockerized deployment by installing ModSecurity dependencies, loading the ModSecurity nginx module, and enabling ModSecurity for the main openlibrary.org server block.
Changes:
- Installs ModSecurity library packages in `scripts/install_nginx.sh`.
- Loads `ngx_http_modsecurity_module.so` in `docker/nginx.conf`.
- Enables ModSecurity and points nginx at a rules file in `docker/web_nginx.conf`.
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 4 comments.
| File | Description |
|---|---|
| scripts/install_nginx.sh | Adds ModSecurity library package installs during nginx setup. |
| docker/nginx.conf | Attempts to load the ModSecurity nginx dynamic module at nginx startup. |
| docker/web_nginx.conf | Enables ModSecurity for openlibrary.org and references an external rules file path. |
| # Install nginx and the NJS module | ||
| apt-get install -y --no-install-recommends nginx nginx-module-njs letsencrypt | ||
| # Install modsecurity | ||
| apt-get install -y libmodsecurity3 libmodsecurity-dev | ||
|
|
| @@ -1,5 +1,6 @@ | |||
| # Needed for IP anonymization | |||
| load_module modules/ngx_http_js_module.so; | |||
| load_module modules/ngx_http_modsecurity_module.so; | |||
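Review bot: The added `load_module modules/ngx_http_modsecurity_module.so;` line sits under the existing `# Needed for IP anonymization` comment, which describes only the njs module; give the ModSecurity line its own comment. Because nginx refuses to start when a `load_module` target is missing, run `nginx -t` during the image build so that a missing connector fails the build rather than the deploy.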
cdrini left a comment
A few comments; otherwise lgtm
| @@ -1,5 +1,6 @@ | |||
| # Needed for IP anonymization | |||
| load_module modules/ngx_http_js_module.so; | |||
| load_module modules/ngx_http_modsecurity_module.so; | |||
Note this will also apply to covers; so we might have some trouble on covers if importing this causes issues.
| # Install nginx and the NJS module | ||
| apt-get install -y --no-install-recommends nginx nginx-module-njs letsencrypt | ||
| # Install modsecurity | ||
| apt-get install -y libmodsecurity3 libmodsecurity-dev |
Do we need modsecurity-crs?
Updated modsecurity module path and adjusted worker processes.
Replaced installation of libmodsecurity-dev with modsecurity-crs.
Updated install script to ensure modsecurity is installed correctly.
@cdrini and I reviewed together during 1:1
Half of #12591
This pull request introduces ModSecurity support to our Nginx configuration, enhancing the web server's security by enabling a web application firewall. The main changes involve installing the ModSecurity library, loading its module in Nginx, and configuring it to use a custom ruleset.
Security Enhancements:
- `libmodsecurity3` and `libmodsecurity-dev` packages in the `install_nginx.sh` script to provide ModSecurity support for Nginx.
- `ngx_http_modsecurity_module.so` module in `nginx.conf` to enable ModSecurity functionality.
Nginx Configuration Updates:
- `web_nginx.conf` server block and specified the rules file at `/olsystem/etc/nginx/modsecurity_openlibrary.conf`.
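A pre-deploy check for the module-loading step described above, as an added example that is not part of this PR or the Open Library code base: it lists every `load_module` path in an nginx config that does not exist on disk. The function names, the prefix argument and the sample files are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not project code): find load_module targets that do not exist.

# missing_modules CONF PREFIX
# Prints every load_module path in CONF that is not a file on disk and returns 1
# if any is missing. Relative paths are resolved against PREFIX, the way nginx
# resolves them against its prefix directory. Quoted paths are not handled.
missing_modules() {
    conf=$1 prefix=$2 missing=0
    # Drop comments, then capture the argument of each load_module directive.
    paths=$(sed -e 's/#.*//' "$conf" |
        sed -n -e 's/^[[:space:]]*load_module[[:space:]][[:space:]]*\([^;[:space:]]*\)[[:space:]]*;.*/\1/p')
    for p in $paths; do
        case $p in
            /*) full=$p ;;
            *)  full=$prefix/$p ;;
        esac
        if [ ! -f "$full" ]; then
            echo "$p"
            missing=1
        fi
    done
    return $missing
}

# demo_check runs the check on a constructed prefix: the njs module file is
# present, the ModSecurity connector is absent (hypothetical sample layout).
demo_check() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/modules"
    : > "$tmp/modules/ngx_http_js_module.so"
    cat > "$tmp/nginx.conf" <<'EOF'
# Needed for IP anonymization
load_module modules/ngx_http_js_module.so;
load_module modules/ngx_http_modsecurity_module.so;
EOF
    missing_modules "$tmp/nginx.conf" "$tmp" && rc=0 || rc=$?
    rm -rf "$tmp"
    return $rc
}

demo_check || echo "nginx would fail to start: module(s) listed above are missing" >&2
```

In an image build, call `missing_modules` with the real config path and the nginx prefix directory, then follow it with `nginx -t` to validate the rest of the configuration.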