Add ModSecurity to existing Nginx #117

Closed
muzzammilhussain opened this issue Jun 27, 2018 · 24 comments
@muzzammilhussain

I have tried my luck but could not find how to add ModSecurity to an existing running nginx.

@victorhora victorhora self-assigned this Jun 27, 2018
@victorhora
Contributor

@muzzammilhussain there are no pre-built modules for ModSecurity-nginx. You could try switching to Nginx Plus (aka Nginx WAF) which provides the pre-built module for you in addition to commercial support: https://docs.nginx.com/nginx-waf/admin-guide/nginx-plus-modsecurity-waf-installation-logging/

Alternatively you may also try downloading the same version of Nginx that you're currently running, compiling libModSecurity as per recommended compilation recipes but using the --add-dynamic-module when compiling Nginx with the ModSecurity-nginx connector.

That should generate an ELF LSB shared object file (ngx_http_modsecurity_module.so). Then add the load_module statement to your nginx.conf.

There's also a tutorial from Nginx here: https://www.nginx.com/blog/compiling-and-installing-modsecurity-for-open-source-nginx/

@muzzammilhussain
Author

Dear @victorhora, the basic issue is this error that I am getting:

nginx: [emerg] module "/usr/share/nginx/modules/ngx_http_modsecurity_module.so" is not binary compatible in /etc/nginx/nginx.conf:4
nginx: configuration file /etc/nginx/nginx.conf test failed

@muzzammilhussain
Author

nginx version: nginx/1.14.0

@ejhayes

ejhayes commented May 23, 2019

FWIW I was able to get this working on nginx-1.15.8 (installed via apt not from source). I imagine this same approach would work for other versions too. Here's what I needed to do to get it working:

  • Remove --with-compat option on ./configure
  • Pass in all compilation options from nginx -V (minus all the --add-module params)

Nginx configuration options from nginx -V:

nginx -V
nginx version: nginx/1.15.8
built with OpenSSL 1.0.2g  1 Mar 2016
TLS SNI support enabled
configure arguments: --with-cc-opt='-g -O2 -fPIE -fstack-protector-strong -Wformat -Werror=format-security -Wdate-time -D_FORTIFY_SOURCE=2' --with-ld-opt='-Wl,-Bsymbolic-functions -fPIE -pie -Wl,-z,relro -Wl,-z,now' --prefix=/usr/share/nginx --conf-path=/etc/nginx/nginx.conf --http-log-path=/var/log/nginx/access.log --error-log-path=/var/log/nginx/error.log --lock-path=/var/lock/nginx.lock --pid-path=/run/nginx.pid --http-client-body-temp-path=/var/lib/nginx/body --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-proxy-temp-path=/var/lib/nginx/proxy --http-scgi-temp-path=/var/lib/nginx/scgi --http-uwsgi-temp-path=/var/lib/nginx/uwsgi --with-debug --with-pcre-jit --with-http_ssl_module --with-http_stub_status_module --with-http_realip_module --with-http_auth_request_module --with-http_v2_module --with-http_dav_module --with-http_slice_module --with-threads --with-http_addition_module --with-http_dav_module --with-http_flv_module --with-http_geoip_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_image_filter_module --with-http_mp4_module --with-http_perl_module --with-http_random_index_module --with-http_secure_link_module --with-http_v2_module --with-http_sub_module --with-http_xslt_module --with-mail --with-mail_ssl_module --with-stream --with-stream_ssl_module --with-threads --add-module=/build/nginx-1.15.8/debian/modules/headers-more-nginx-module --add-module=/build/nginx-1.15.8/debian/modules/nginx-auth-pam --add-module=/build/nginx-1.15.8/debian/modules/nginx-cache-purge --add-module=/build/nginx-1.15.8/debian/modules/nginx-dav-ext-module --add-module=/build/nginx-1.15.8/debian/modules/nginx-development-kit --add-module=/build/nginx-1.15.8/debian/modules/nginx-echo --add-module=/build/nginx-1.15.8/debian/modules/ngx-fancyindex --add-module=/build/nginx-1.15.8/debian/modules/nchan --add-module=/build/nginx-1.15.8/debian/modules/nginx-lua --add-module=/build/nginx-1.15.8/debian/modules/nginx-upload-progress 
--add-module=/build/nginx-1.15.8/debian/modules/nginx-upstream-fair --add-module=/build/nginx-1.15.8/debian/modules/ngx_http_substitutions_filter_module --add-module=/build/nginx-1.15.8/debian/modules/passenger/src/nginx_module

Running configure (grabbed source code from http://nginx.org/download/nginx-1.15.8.tar.gz):

./configure --add-dynamic-module=../ModSecurity-nginx --with-cc-opt='-g -O2 -fPIC -fstack-protector-strong -Wformat -Werror=format-security -Wdate-time -D_FORTIFY_SOURCE=2' --with-ld-opt='-Wl,-Bsymbolic-functions -fPIE -pie -Wl,-z,relro -Wl,-z,now' --prefix=/usr/share/nginx --conf-path=/etc/nginx/nginx.conf --http-log-path=/var/log/nginx/access.log --error-log-path=/var/log/nginx/error.log --lock-path=/var/lock/nginx.lock --pid-path=/run/nginx.pid --http-client-body-temp-path=/var/lib/nginx/body --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-proxy-temp-path=/var/lib/nginx/proxy --http-scgi-temp-path=/var/lib/nginx/scgi --http-uwsgi-temp-path=/var/lib/nginx/uwsgi --with-debug --with-pcre-jit --with-http_ssl_module --with-http_stub_status_module --with-http_realip_module --with-http_auth_request_module --with-http_v2_module --with-http_dav_module --with-http_slice_module --with-threads --with-http_addition_module --with-http_dav_module --with-http_flv_module --with-http_geoip_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_image_filter_module --with-http_mp4_module --with-http_perl_module --with-http_random_index_module --with-http_secure_link_module --with-http_v2_module --with-http_sub_module --with-http_xslt_module --with-mail --with-mail_ssl_module --with-stream --with-stream_ssl_module --with-threads

Then run make modules and copy objs/ngx_http_modsecurity_module.so to /usr/share/nginx/modules/.

Running nginx -t we no longer see the "/usr/share/nginx/modules/ngx_http_modsecurity_module.so" is not binary compatible error:

nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
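
The derivation described in the comment above (reuse the running binary's `nginx -V` arguments, drop the `--add-module` ones, add `--add-dynamic-module`), as an added Python example that is not part of the original post or of the ModSecurity-nginx project. The function names and the shortened sample report are constructed here; the `-fPIE` to `-fPIC` swap in `--with-cc-opt` mirrors the difference visible between the two command lines in the comment.

```python
import re
import shlex

# Constructed sample: a shortened `nginx -V` report in the same format as the
# one in the comment. Capture the real report with `nginx -V 2>&1`, because
# nginx writes it to stderr.
SAMPLE_NGINX_V = (
    "nginx version: nginx/1.15.8\n"
    "built with OpenSSL 1.0.2g  1 Mar 2016\n"
    "TLS SNI support enabled\n"
    "configure arguments: --with-cc-opt='-g -O2 -fPIE -fstack-protector-strong' "
    "--with-ld-opt='-Wl,-Bsymbolic-functions -fPIE -pie -Wl,-z,relro -Wl,-z,now' "
    "--prefix=/usr/share/nginx --with-debug --with-http_ssl_module "
    "--add-module=/build/nginx-1.15.8/debian/modules/nginx-echo "
    "--add-module=/build/nginx-1.15.8/debian/modules/nchan\n"
)

# Arguments that pull in third-party module sources from the packager's build
# tree; those paths do not exist on the machine building the connector.
MODULE_SOURCE_PREFIXES = ("--add-module=", "--add-dynamic-module=")


def parse_nginx_v(report):
    """Return (version, argument list) from the text of `nginx -V`."""
    version = re.search(r"^nginx version: nginx/(\d+\.\d+\.\d+)", report, re.M)
    args = re.search(r"^configure arguments:(.*)$", report, re.M)
    if version is None or args is None:
        raise ValueError("not an `nginx -V` report (was stderr captured?)")
    # shlex keeps quoted values such as --with-cc-opt='...' as one argument.
    return version.group(1), shlex.split(args.group(1))


def module_configure_command(report, connector_dir="../ModSecurity-nginx"):
    """Build the ./configure line for compiling the connector as a dynamic
    module against the same nginx version and options as the running binary."""
    version, args = parse_nginx_v(report)
    kept, dropped = [], []
    for arg in args:
        if arg.startswith(MODULE_SOURCE_PREFIXES):
            dropped.append(arg)
        elif arg.startswith("--with-cc-opt="):
            # Objects that end up in a shared object are compiled with -fPIC.
            name, _, flags = arg.partition("=")
            flags = " ".join("-fPIC" if f == "-fPIE" else f for f in flags.split())
            kept.append(f"{name}={flags}")
        else:
            # Everything else passes through unchanged, so --with-compat
            # appears only if the running binary itself reports it.
            kept.append(arg)
    argv = ["./configure", f"--add-dynamic-module={connector_dir}", *kept]
    return {
        "nginx_version": version,  # version of the source tarball to unpack
        "command": " ".join(shlex.quote(a) for a in argv),
        "dropped": dropped,
    }


if __name__ == "__main__":
    plan = module_configure_command(SAMPLE_NGINX_V)
    print("build against nginx", plan["nginx_version"])
    print(plan["command"])
```
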

@chenyu1990

FWIW I was able to get this working on nginx-1.15.8 (installed via apt not from source). I imagine this same approach would work for other versions too. Here's what I needed to do to get it working:

  • Remove --with-compat option on ./configure
  • Pass in all compilation options from nginx -V (minus all the --add-module params)

Nginx configuration options from nginx -V:

nginx -V
nginx version: nginx/1.15.8
built with OpenSSL 1.0.2g  1 Mar 2016
TLS SNI support enabled
configure arguments: --with-cc-opt='-g -O2 -fPIE -fstack-protector-strong -Wformat -Werror=format-security -Wdate-time -D_FORTIFY_SOURCE=2' --with-ld-opt='-Wl,-Bsymbolic-functions -fPIE -pie -Wl,-z,relro -Wl,-z,now' --prefix=/usr/share/nginx --conf-path=/etc/nginx/nginx.conf --http-log-path=/var/log/nginx/access.log --error-log-path=/var/log/nginx/error.log --lock-path=/var/lock/nginx.lock --pid-path=/run/nginx.pid --http-client-body-temp-path=/var/lib/nginx/body --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-proxy-temp-path=/var/lib/nginx/proxy --http-scgi-temp-path=/var/lib/nginx/scgi --http-uwsgi-temp-path=/var/lib/nginx/uwsgi --with-debug --with-pcre-jit --with-http_ssl_module --with-http_stub_status_module --with-http_realip_module --with-http_auth_request_module --with-http_v2_module --with-http_dav_module --with-http_slice_module --with-threads --with-http_addition_module --with-http_dav_module --with-http_flv_module --with-http_geoip_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_image_filter_module --with-http_mp4_module --with-http_perl_module --with-http_random_index_module --with-http_secure_link_module --with-http_v2_module --with-http_sub_module --with-http_xslt_module --with-mail --with-mail_ssl_module --with-stream --with-stream_ssl_module --with-threads --add-module=/build/nginx-1.15.8/debian/modules/headers-more-nginx-module --add-module=/build/nginx-1.15.8/debian/modules/nginx-auth-pam --add-module=/build/nginx-1.15.8/debian/modules/nginx-cache-purge --add-module=/build/nginx-1.15.8/debian/modules/nginx-dav-ext-module --add-module=/build/nginx-1.15.8/debian/modules/nginx-development-kit --add-module=/build/nginx-1.15.8/debian/modules/nginx-echo --add-module=/build/nginx-1.15.8/debian/modules/ngx-fancyindex --add-module=/build/nginx-1.15.8/debian/modules/nchan --add-module=/build/nginx-1.15.8/debian/modules/nginx-lua --add-module=/build/nginx-1.15.8/debian/modules/nginx-upload-progress 
--add-module=/build/nginx-1.15.8/debian/modules/nginx-upstream-fair --add-module=/build/nginx-1.15.8/debian/modules/ngx_http_substitutions_filter_module --add-module=/build/nginx-1.15.8/debian/modules/passenger/src/nginx_module

Running configure (grabbed source code from http://nginx.org/download/nginx-1.15.8.tar.gz):

./configure --add-dynamic-module=../ModSecurity-nginx --with-cc-opt='-g -O2 -fPIC -fstack-protector-strong -Wformat -Werror=format-security -Wdate-time -D_FORTIFY_SOURCE=2' --with-ld-opt='-Wl,-Bsymbolic-functions -fPIE -pie -Wl,-z,relro -Wl,-z,now' --prefix=/usr/share/nginx --conf-path=/etc/nginx/nginx.conf --http-log-path=/var/log/nginx/access.log --error-log-path=/var/log/nginx/error.log --lock-path=/var/lock/nginx.lock --pid-path=/run/nginx.pid --http-client-body-temp-path=/var/lib/nginx/body --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-proxy-temp-path=/var/lib/nginx/proxy --http-scgi-temp-path=/var/lib/nginx/scgi --http-uwsgi-temp-path=/var/lib/nginx/uwsgi --with-debug --with-pcre-jit --with-http_ssl_module --with-http_stub_status_module --with-http_realip_module --with-http_auth_request_module --with-http_v2_module --with-http_dav_module --with-http_slice_module --with-threads --with-http_addition_module --with-http_dav_module --with-http_flv_module --with-http_geoip_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_image_filter_module --with-http_mp4_module --with-http_perl_module --with-http_random_index_module --with-http_secure_link_module --with-http_v2_module --with-http_sub_module --with-http_xslt_module --with-mail --with-mail_ssl_module --with-stream --with-stream_ssl_module --with-threads

Then run make modules and copy objs/ngx_http_modsecurity_module.so to /usr/share/nginx/modules/.

Running nginx -t we no longer see the "/usr/share/nginx/modules/ngx_http_modsecurity_module.so" is not binary compatible error:

nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

It works.

@japita-se

It does not work here. nginx -V reports the option --with-file-aio, but when I try to configure:

checking for IP_TRANSPARENT ... not found
checking for IP_BINDANY ... not found
checking for IP_BIND_ADDRESS_NO_PORT ... not found
checking for IP_RECVDSTADDR ... not found
checking for IP_SENDSRCADDR ... not found
checking for IP_PKTINFO ... not found
checking for IPV6_RECVPKTINFO ... not found
checking for TCP_DEFER_ACCEPT ... not found
checking for TCP_KEEPIDLE ... not found
checking for TCP_FASTOPEN ... not found
checking for TCP_INFO ... not found
checking for accept4() ... not found
checking for kqueue AIO support ... not found
checking for Linux AIO support ... not found
checking for Linux AIO support (SYS_eventfd) ... not found

./configure: no supported file AIO was found
Currently file AIO is supported on FreeBSD 4.3+ and Linux 2.6.22+ only

@SI-BenHodges

Thank you for the guide @ejhayes

I have one issue which I can't figure out. Although I have now got nginx -t to display the correct message and set everything up according to https://www.nginx.com/blog/compiling-and-installing-modsecurity-for-open-source-nginx/#mainline and your guide above, for some reason when I type nginx -V it doesn't include the modsecurity dynamic module even though I've typed make modules and then copied the so file to /etc/nginx/modules.

This is my output:
nginx -V
nginx version: nginx/1.17.8
built by gcc 7.4.0 (Ubuntu 7.4.0-1ubuntu1~18.04.1)
built with OpenSSL 1.1.1 11 Sep 2018
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-compat --with-file-aio --with-threads --with-http_addition_module --with-http_auth_request_module --with-http_dav_module --with-http_flv_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_mp4_module --with-http_random_index_module --with-http_realip_module --with-http_secure_link_module --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --with-http_v2_module --with-mail --with-mail_ssl_module --with-stream --with-stream_realip_module --with-stream_ssl_module --with-stream_ssl_preread_module --with-cc-opt='-g -O2 -fdebug-prefix-map=/data/builder/debuild/nginx-1.17.8/debian/debuild-base/nginx-1.17.8=. -fstack-protector-strong -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fPIC' --with-ld-opt='-Wl,-Bsymbolic-functions -Wl,-z,relro -Wl,-z,now -Wl,--as-needed -pie'

Help please! :)

Thanks
Ben

@zimmerle
Contributor

zimmerle commented Mar 2, 2020

Hi @SI-BenHodges,

What happens when you try to load the module?

@SI-BenHodges

Hey,

I can load the module just fine and it does appear to work (so far from what I've tested), but every guide/video I've watched runs the nginx -V command and sees the modsecurity module come up, so why does mine not?

Thanks
Ben

@zimmerle
Contributor

zimmerle commented Mar 4, 2020

Hi @SI-BenHodges,

I believe that the ones listed on -V are the ones statically compiled. The dynamic ones are not listed.

@wanitaqing

FWIW I was able to get this working on nginx-1.15.8 (installed via apt not from source). I imagine this same approach would work for other versions too. Here's what I needed to do to get it working:

* Remove `--with-compat` option on `./configure`

* Pass in all compilation options from `nginx -V` (minus all the `--add-module` params)

Nginx configuration options from nginx -V:

nginx -V
nginx version: nginx/1.15.8
built with OpenSSL 1.0.2g  1 Mar 2016
TLS SNI support enabled
configure arguments: --with-cc-opt='-g -O2 -fPIE -fstack-protector-strong -Wformat -Werror=format-security -Wdate-time -D_FORTIFY_SOURCE=2' --with-ld-opt='-Wl,-Bsymbolic-functions -fPIE -pie -Wl,-z,relro -Wl,-z,now' --prefix=/usr/share/nginx --conf-path=/etc/nginx/nginx.conf --http-log-path=/var/log/nginx/access.log --error-log-path=/var/log/nginx/error.log --lock-path=/var/lock/nginx.lock --pid-path=/run/nginx.pid --http-client-body-temp-path=/var/lib/nginx/body --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-proxy-temp-path=/var/lib/nginx/proxy --http-scgi-temp-path=/var/lib/nginx/scgi --http-uwsgi-temp-path=/var/lib/nginx/uwsgi --with-debug --with-pcre-jit --with-http_ssl_module --with-http_stub_status_module --with-http_realip_module --with-http_auth_request_module --with-http_v2_module --with-http_dav_module --with-http_slice_module --with-threads --with-http_addition_module --with-http_dav_module --with-http_flv_module --with-http_geoip_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_image_filter_module --with-http_mp4_module --with-http_perl_module --with-http_random_index_module --with-http_secure_link_module --with-http_v2_module --with-http_sub_module --with-http_xslt_module --with-mail --with-mail_ssl_module --with-stream --with-stream_ssl_module --with-threads --add-module=/build/nginx-1.15.8/debian/modules/headers-more-nginx-module --add-module=/build/nginx-1.15.8/debian/modules/nginx-auth-pam --add-module=/build/nginx-1.15.8/debian/modules/nginx-cache-purge --add-module=/build/nginx-1.15.8/debian/modules/nginx-dav-ext-module --add-module=/build/nginx-1.15.8/debian/modules/nginx-development-kit --add-module=/build/nginx-1.15.8/debian/modules/nginx-echo --add-module=/build/nginx-1.15.8/debian/modules/ngx-fancyindex --add-module=/build/nginx-1.15.8/debian/modules/nchan --add-module=/build/nginx-1.15.8/debian/modules/nginx-lua --add-module=/build/nginx-1.15.8/debian/modules/nginx-upload-progress 
--add-module=/build/nginx-1.15.8/debian/modules/nginx-upstream-fair --add-module=/build/nginx-1.15.8/debian/modules/ngx_http_substitutions_filter_module --add-module=/build/nginx-1.15.8/debian/modules/passenger/src/nginx_module

Running configure (grabbed source code from http://nginx.org/download/nginx-1.15.8.tar.gz):

./configure --add-dynamic-module=../ModSecurity-nginx --with-cc-opt='-g -O2 -fPIC -fstack-protector-strong -Wformat -Werror=format-security -Wdate-time -D_FORTIFY_SOURCE=2' --with-ld-opt='-Wl,-Bsymbolic-functions -fPIE -pie -Wl,-z,relro -Wl,-z,now' --prefix=/usr/share/nginx --conf-path=/etc/nginx/nginx.conf --http-log-path=/var/log/nginx/access.log --error-log-path=/var/log/nginx/error.log --lock-path=/var/lock/nginx.lock --pid-path=/run/nginx.pid --http-client-body-temp-path=/var/lib/nginx/body --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-proxy-temp-path=/var/lib/nginx/proxy --http-scgi-temp-path=/var/lib/nginx/scgi --http-uwsgi-temp-path=/var/lib/nginx/uwsgi --with-debug --with-pcre-jit --with-http_ssl_module --with-http_stub_status_module --with-http_realip_module --with-http_auth_request_module --with-http_v2_module --with-http_dav_module --with-http_slice_module --with-threads --with-http_addition_module --with-http_dav_module --with-http_flv_module --with-http_geoip_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_image_filter_module --with-http_mp4_module --with-http_perl_module --with-http_random_index_module --with-http_secure_link_module --with-http_v2_module --with-http_sub_module --with-http_xslt_module --with-mail --with-mail_ssl_module --with-stream --with-stream_ssl_module --with-threads

Then run make modules and copy objs/ngx_http_modsecurity_module.so to /usr/share/nginx/modules/.

Running nginx -t we no longer see the "/usr/share/nginx/modules/ngx_http_modsecurity_module.so" is not binary compatible error:

nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

Hi, I am also trying to install ModSecurity to my current Nginx. I have tried the quoted example, but I received the following error after entering make modules:

make -f objs/Makefile modules
make[1]: Entering directory '/home/websec/ModSecurity/nginx-1.14.0'
cd /usr/lib/ssl
&& if [ -f Makefile ]; then make clean; fi
&& ./config --prefix=/usr/lib/ssl/.openssl no-shared no-threads
&& make
&& make install_sw LIBDIR=lib
/bin/sh: 3: ./config: not found
objs/Makefile:1915: recipe for target '/usr/lib/ssl/.openssl/include/openssl/ssl.h' failed
make[1]: *** [/usr/lib/ssl/.openssl/include/openssl/ssl.h] Error 127
make[1]: Leaving directory '/home/websec/ModSecurity/nginx-1.14.0'
Makefile:14: recipe for target 'modules' failed
make: *** [modules] Error 2
websec@websec4:~/ModSecurity/nginx-1.14.0$ make modules
make -f objs/Makefile modules
make[1]: Entering directory '/home/websec/ModSecurity/nginx-1.14.0'
cd /usr/lib/ssl
&& if [ -f Makefile ]; then make clean; fi
&& ./config --prefix=/usr/lib/ssl/.openssl no-shared no-threads
&& make
&& make install_sw LIBDIR=lib
/bin/sh: 3: ./config: not found
objs/Makefile:1915: recipe for target '/usr/lib/ssl/.openssl/include/openssl/ssl.h' failed
make[1]: *** [/usr/lib/ssl/.openssl/include/openssl/ssl.h] Error 127
make[1]: Leaving directory '/home/websec/ModSecurity/nginx-1.14.0'
Makefile:14: recipe for target 'modules' failed
make: *** [modules] Error 2

Is anyone able to tell me where I went wrong?

This is the output when I run nginx -V:

nginx version: nginx/1.14.0 (Ubuntu)
built with OpenSSL 1.1.1 11 Sep 2018
TLS SNI support enabled
configure arguments: --with-cc-opt='-g -O2 -fdebug-prefix-map=/build/nginx-GkiujU/nginx-1.14.0=. -fstack-protector-strong -Wformat -Werror=format-security -fPIC -Wdate-time -D_FORTIFY_SOURCE=2' --with-ld-opt='-Wl,-Bsymbolic-functions -Wl,-z,relro -Wl,-z,now -fPIC' --prefix=/usr/share/nginx --conf-path=/etc/nginx/nginx.conf --http-log-path=/var/log/nginx/access.log --error-log-path=/var/log/nginx/error.log --lock-path=/var/lock/nginx.lock --pid-path=/run/nginx.pid --modules-path=/usr/lib/nginx/modules --http-client-body-temp-path=/var/lib/nginx/body --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-proxy-temp-path=/var/lib/nginx/proxy --http-scgi-temp-path=/var/lib/nginx/scgi --http-uwsgi-temp-path=/var/lib/nginx/uwsgi --with-debug --with-pcre-jit --with-http_ssl_module --with-http_stub_status_module --with-http_realip_module --with-http_auth_request_module --with-http_v2_module --with-http_dav_module --with-http_slice_module --with-threads --with-http_addition_module --with-http_geoip_module=dynamic --with-http_gunzip_module --with-http_gzip_static_module --with-http_image_filter_module=dynamic --with-http_sub_module --with-http_xslt_module=dynamic --with-stream=dynamic --with-stream_ssl_module --with-mail=dynamic --with-mail_ssl_module

@trvrcr

trvrcr commented Apr 25, 2020

I'm trying to install ModSecurity on Raspbian.
Nginx version is 1.14.2 (no newer version available on Raspbian yet).
I have followed your instructions for installation.
I had to increase the swapfile on Raspbian to be able to make the code.
But I end up with the following error:

nginx -t

nginx: [emerg] module "/usr/share/nginx/modules/ngx_http_modsecurity_module.so" is not binary compatible in /etc/nginx/nginx.conf:3

I ended up googling it and landing on this page.
I tried the different suggestions, but none worked.
Can anyone help me...

@zimmerle
Contributor

Hi @trvrcr,

This sounds like a question more related to Nginx itself than to ModSecurity. Is there any other error message?

@trvrcr

trvrcr commented Apr 27, 2020

@zimmerle ,

Nginx is working fine when I remove the ModSecurity Module.
It's the only error message with "nginx -t".

@zimmerle
Contributor

Have you tried to build any other module for Nginx? Is it working?

@trvrcr

trvrcr commented Apr 27, 2020

@zimmerle,
No, it's my first module for Nginx.
Edit: Just installed Module Geoip without a problem
no problem with Nginx restarting and no error messages.

@trvrcr

trvrcr commented May 4, 2020

@zimmerle,
Anything else I can do to get it working?

@mprzyc

mprzyc commented May 5, 2020

Hello all,

Same problem here, same architecture as @trvrcr (Raspbian 10); even the nginx version used is the same as his.

I compared the modsecurity connector built by me with other dynamic modules provided out of the box by the nginx deb package and found out that my connector differs somewhat:

library built by raspbian devs:

file ngx_http_auth_pam_module.so
ngx_http_auth_pam_module.so: ELF 32-bit LSB shared object, ARM, EABI5 version 1 (SYSV), dynamically linked, BuildID[sha1]=c1f710900dba8ceb3092c66c31ba97b92e7de5e8, stripped

library built by me

file ngx_http_modsecurity_module.so
ngx_http_modsecurity_module.so: ELF 32-bit LSB shared object, ARM, EABI5 version 1 (SYSV), dynamically linked, BuildID[sha1]=e2d80d9c77e1a3d0670b4fe6c0647f194315c4d6, with debug_info, not stripped

Mine is not stripped and includes debug_info. However, these differences should not cause "...is not binary compatible" errors afaik.

To be sure, I tried the same procedure (compiling the libmodsecurity connector to nginx without the flag "--with-compat" being set) on amd64 architecture using Debian 10 buster. The error message displayed by nginx -t stays the same:
nginx: [emerg] module "/etc/nginx/modules-available/ngx_http_modsecurity_module.so" is not binary compatible

Conclusion:
This bug seems to be architecture-agnostic because 2 builds fail on their dedicated architectures: arm and amd64.

@sah-anshu

sah-anshu commented Jun 27, 2020

Same problem, unable to compile.

make -f objs/Makefile modules
make[1]: Entering directory '/home/admin/nginx-1.14.2'
cc -c -fPIC -pipe -O -W -Wall -Wpointer-arith -Wno-unused-parameter -Werror -g -g -O2 -fPIC -fstack-protector-strong -Wformat -Werror=format-security -Wdate-time -D_FORTIFY_SOURCE=2 -I src/core -I src/event -I src/event/modules -I src/os/unix -I /usr/local/modsecurity/include -I /usr/include/libxml2 -I objs -I src/http -I src/http/modules -I src/http/v2 -I src/http/modules/perl -I src/mail -I src/stream
-o objs/addon/src/ngx_http_modsecurity_module.o
../ModSecurity-nginx/src/ngx_http_modsecurity_module.c
cc -c -fPIC -pipe -O -W -Wall -Wpointer-arith -Wno-unused-parameter -Werror -g -g -O2 -fPIC -fstack-protector-strong -Wformat -Werror=format-security -Wdate-time -D_FORTIFY_SOURCE=2 -I src/core -I src/event -I src/event/modules -I src/os/unix -I /usr/local/modsecurity/include -I /usr/include/libxml2 -I objs -I src/http -I src/http/modules -I src/http/v2 -I src/http/modules/perl -I src/mail -I src/stream
-o objs/addon/src/ngx_http_modsecurity_pre_access.o
../ModSecurity-nginx/src/ngx_http_modsecurity_pre_access.c
cc -c -fPIC -pipe -O -W -Wall -Wpointer-arith -Wno-unused-parameter -Werror -g -g -O2 -fPIC -fstack-protector-strong -Wformat -Werror=format-security -Wdate-time -D_FORTIFY_SOURCE=2 -I src/core -I src/event -I src/event/modules -I src/os/unix -I /usr/local/modsecurity/include -I /usr/include/libxml2 -I objs -I src/http -I src/http/modules -I src/http/v2 -I src/http/modules/perl -I src/mail -I src/stream
-o objs/addon/src/ngx_http_modsecurity_header_filter.o
../ModSecurity-nginx/src/ngx_http_modsecurity_header_filter.c
cc -c -fPIC -pipe -O -W -Wall -Wpointer-arith -Wno-unused-parameter -Werror -g -g -O2 -fPIC -fstack-protector-strong -Wformat -Werror=format-security -Wdate-time -D_FORTIFY_SOURCE=2 -I src/core -I src/event -I src/event/modules -I src/os/unix -I /usr/local/modsecurity/include -I /usr/include/libxml2 -I objs -I src/http -I src/http/modules -I src/http/v2 -I src/http/modules/perl -I src/mail -I src/stream
-o objs/addon/src/ngx_http_modsecurity_body_filter.o
../ModSecurity-nginx/src/ngx_http_modsecurity_body_filter.c
cc -c -fPIC -pipe -O -W -Wall -Wpointer-arith -Wno-unused-parameter -Werror -g -g -O2 -fPIC -fstack-protector-strong -Wformat -Werror=format-security -Wdate-time -D_FORTIFY_SOURCE=2 -I src/core -I src/event -I src/event/modules -I src/os/unix -I /usr/local/modsecurity/include -I /usr/include/libxml2 -I objs -I src/http -I src/http/modules -I src/http/v2 -I src/http/modules/perl -I src/mail -I src/stream
-o objs/addon/src/ngx_http_modsecurity_log.o
../ModSecurity-nginx/src/ngx_http_modsecurity_log.c
cc -c -fPIC -pipe -O -W -Wall -Wpointer-arith -Wno-unused-parameter -Werror -g -g -O2 -fPIC -fstack-protector-strong -Wformat -Werror=format-security -Wdate-time -D_FORTIFY_SOURCE=2 -I src/core -I src/event -I src/event/modules -I src/os/unix -I /usr/local/modsecurity/include -I /usr/include/libxml2 -I objs -I src/http -I src/http/modules -I src/http/v2 -I src/http/modules/perl -I src/mail -I src/stream
-o objs/addon/src/ngx_http_modsecurity_rewrite.o
../ModSecurity-nginx/src/ngx_http_modsecurity_rewrite.c
cc -c -fPIC -pipe -O -W -Wall -Wpointer-arith -Wno-unused-parameter -Werror -g -g -O2 -fPIC -fstack-protector-strong -Wformat -Werror=format-security -Wdate-time -D_FORTIFY_SOURCE=2 -I src/core -I src/event -I src/event/modules -I src/os/unix -I /usr/local/modsecurity/include -I /usr/include/libxml2 -I objs -I src/http -I src/http/modules -I src/http/v2 -I src/http/modules/perl -I src/mail -I src/stream
-o objs/ngx_http_modsecurity_module_modules.o
objs/ngx_http_modsecurity_module_modules.c
cc -o objs/ngx_http_modsecurity_module.so
objs/addon/src/ngx_http_modsecurity_module.o
objs/addon/src/ngx_http_modsecurity_pre_access.o
objs/addon/src/ngx_http_modsecurity_header_filter.o
objs/addon/src/ngx_http_modsecurity_body_filter.o
objs/addon/src/ngx_http_modsecurity_log.o
objs/addon/src/ngx_http_modsecurity_rewrite.o
objs/ngx_http_modsecurity_module_modules.o
-Wl,-Bsymbolic-functions -fPIE -pie -Wl,-z,relro -Wl,-z,now -Wl,-rpath,/usr/local/modsecurity/lib -L/usr/local/modsecurity/lib -lmodsecurity
-Wl,-E -fstack-protector-strong -L/usr/local/lib -L/usr/lib/x86_64-linux-gnu/perl/5.28/CORE -lperl -ldl -lm -lpthread -lc -lcrypt
-shared
/usr/bin/ld: cannot find -lperl
collect2: error: ld returned 1 exit status
make[1]: *** [objs/Makefile:1817: objs/ngx_http_modsecurity_module.so] Error 1
make[1]: Leaving directory '/home/admin/nginx-1.14.2'

@jsxii

jsxii commented Aug 5, 2020

/usr/bin/ld: cannot find -lperl

sudo apt-get install libperl-dev

@ldvjjv

ldvjjv commented Nov 19, 2021

Hi everyone, I have this problem.

nginx -t
nginx: [emerg] module "/usr/share/nginx/modules/ngx_http_modsecurity_module.so" version 1018000 instead of 1021004 in /etc/nginx/nginx.conf:5
nginx: configuration file /etc/nginx/nginx.conf test failed

My configuration /etc/nginx/nginx.conf is:

cat /etc/nginx/nginx.conf
user www-data;
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;
load_module modules/ngx_http_modsecurity_module.so;
events {
	worker_connections 768;
	# multi_accept on;
}

http {

	##
	# Basic Settings
	##
	modsecurity on;
	modsecurity_rules_file /etc/nginx/modsec/modsec-config.conf;
	sendfile on;
	tcp_nopush on;
	types_hash_max_size 2048;
	# server_tokens off;

	# server_names_hash_bucket_size 64;
	# server_name_in_redirect off;

	include /etc/nginx/mime.types;
	default_type application/octet-stream;

	##
	# SSL Settings
	##

	ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE
	ssl_prefer_server_ciphers on;

	##
	# Logging Settings
	##

	access_log /var/log/nginx/access.log;
	error_log /var/log/nginx/error.log;

	##
	# Gzip Settings
	##

	gzip on;

	# gzip_vary on;
	# gzip_proxied any;
	# gzip_comp_level 6;
	# gzip_buffers 16 8k;
	# gzip_http_version 1.1;
	# gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;

	##
	# Virtual Host Configs
	##

	include /etc/nginx/conf.d/*.conf;
	include /etc/nginx/sites-enabled/*;
}


#mail {
#	# See sample authentication script at:
#	# http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
#
#	# auth_http localhost/auth.php;
#	# pop3_capabilities "TOP" "USER";
#	# imap_capabilities "IMAP4rev1" "UIDPLUS";
#
#	server {
#		listen     localhost:110;
#		protocol   pop3;
#		proxy      on;
#	}
#
#	server {
#		listen     localhost:143;
#		protocol   imap;
#		proxy      on;
#	}
#}

My nginx version is:

nginx -v

nginx version: nginx/1.21.4

@olegsidokhmetov

olegsidokhmetov commented Jan 28, 2022

The same issue
nginx -t
nginx: [emerg] dlopen() "/usr/share/nginx/modules/ngx_http_modsecurity_module.so" failed (libfuzzy.so.2: cannot open shared object file: No such file or directory) in /etc/nginx/nginx.conf:1

nginx -v
nginx version: nginx/1.18.0 (Ubuntu)

Has anyone solved this problem?

@martinhsv
Contributor

Hello @olegsidokhmetov ,

What you are reporting appears to be only superficially similar to the rest of this closed issue's content.

libfuzzy is used by a specific, small (and I suspect little-used) portion of ModSecurity's functionality.

You haven't provided much information about your environment or your build/installation process, but based on what you have posted, I'll note a few things for you to consider.

Based on when and where you are seeing an error, the output from './configure' probably includes:

   + SSDEEP                                        ....found 
      -lfuzzy -L/usr/lib/x86_64-linux-gnu/, -DWITH_SSDEEP -I/usr/include

So:

  1. If you did not build ModSecurity yourself (and hence do not know the output of './configure'), then you may simply need to install ssdeep and libfuzzy-dev on your machine.
  2. If you did build ModSecurity yourself, and if libfuzzy.so.2 exists on your machine, then it is possible that you just need to copy the file to a location where nginx will find it.
  3. If you did build ModSecurity yourself, and if you don't need that functionality at all (e.g. if you have no rules that use the fuzzyHash operator), you could consider uninstalling both ssdeep and libfuzzy-dev. In this case, nothing should even attempt to open that file. (You would have to do the ModSecurity './configure', make, and 'make install' steps again, of course.)
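
The three `nginx -t` load failures reported in this thread have different causes. The following added Python example (not written by any participant or by the project) tells them apart and decodes the numeric version pair; the function names are constructed here, and the sample lines are the ones quoted in the thread.

```python
import re

# Sample input: the three `nginx -t` failures quoted in this thread.
SAMPLE_LINES = [
    'nginx: [emerg] module "/usr/share/nginx/modules/ngx_http_modsecurity_module.so" '
    'is not binary compatible in /etc/nginx/nginx.conf:4',
    'nginx: [emerg] module "/usr/share/nginx/modules/ngx_http_modsecurity_module.so" '
    'version 1018000 instead of 1021004 in /etc/nginx/nginx.conf:5',
    'nginx: [emerg] dlopen() "/usr/share/nginx/modules/ngx_http_modsecurity_module.so" '
    'failed (libfuzzy.so.2: cannot open shared object file: No such file or directory) '
    'in /etc/nginx/nginx.conf:1',
]


def decode_nginx_version(number):
    """nginx stores its version as major*1000000 + minor*1000 + patch."""
    number = int(number)
    return f"{number // 1_000_000}.{number // 1000 % 1000}.{number % 1000}"


# Ordered from most to least specific; the first matching rule wins.
_RULES = [
    ("version_mismatch", re.compile(
        r'module "(?P<module>[^"]+)" version (?P<built>\d+) instead of (?P<running>\d+)')),
    ("signature_mismatch", re.compile(
        r'module "(?P<module>[^"]+)" is not binary compatible')),
    ("missing_library", re.compile(
        r'dlopen\(\) "(?P<module>[^"]+)" failed '
        r'\((?P<library>[^:()]+): cannot open shared object file')),
    ("dlopen_failed", re.compile(
        r'dlopen\(\) "(?P<module>[^"]+)" failed \((?P<reason>.*)\)')),
]


def diagnose(line):
    """Classify one nginx [emerg] module-load line; None if it is not one."""
    for kind, pattern in _RULES:
        match = pattern.search(line)
        if match is None:
            continue
        result = {"kind": kind, "module": match.group("module")}
        where = re.search(r" in (\S+):(\d+)\s*$", line)
        if where:  # the load_module directive that triggered the failure
            result["config"] = where.group(1)
            result["config_line"] = int(where.group(2))
        if kind == "version_mismatch":
            # First number: the headers the module was compiled against.
            # Second number: the nginx binary that is trying to load it.
            result["built_for"] = decode_nginx_version(match.group("built"))
            result["running"] = decode_nginx_version(match.group("running"))
            result["hint"] = "rebuild the module against the running version's source"
        elif kind == "signature_mismatch":
            result["hint"] = "rebuild with the configure arguments from nginx -V"
        elif kind == "missing_library":
            result["library"] = match.group("library")
            result["hint"] = "install the library or make it visible to the loader"
        else:
            result["reason"] = match.group("reason")
        return result
    return None


if __name__ == "__main__":
    for sample in SAMPLE_LINES:
        print(diagnose(sample))
```
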
