nginx Plus ModSecurity on Anubiz Offshore VPS
ModSecurity is the open-source web application firewall that runs as an nginx module. Pair it with the OWASP Core Rule Set (CRS) and you block the noisy 90% of web attacks before they reach your application. On an Anubiz VPS this is a one-time setup that runs for years with quarterly tuning. This guide installs ModSecurity for nginx, deploys CRS in detection mode, then turns on enforcement once a baseline has been established.
Step 1: Install nginx with ModSecurity
Ubuntu 24.04 ships nginx without ModSecurity. Build the dynamic module, or use the nginx-extras package, which includes some WAF modules. For full ModSecurity, compile from source following the official guide.
Step 2: Load CRS
Clone OWASP CRS and copy it to /etc/nginx/modsec/coreruleset. Include it in main.conf. Start with SecRuleEngine DetectionOnly for the baseline period.
Step 3: Header Hardening
Set these HTTP response headers: HSTS, X-Frame-Options DENY, X-Content-Type-Options nosniff, Referrer-Policy strict-origin-when-cross-origin, and a Permissions-Policy with restricted features.
Step 4: Tune
Run real traffic for 1-2 weeks in detection mode and watch the audit log with tail -f /var/log/nginx/modsec_audit.log. False positives go into before-crs.conf as SecRuleRemoveById exclusions, scoped per location.
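An added example for the tuning step (not part of the original guide): a small Python tally of audit-log hits per path and rule ID, showing which rules fire repeatedly on which endpoints before any exclusion is written. It assumes log lines carry [id "..."] and [uri "..."] tags as libmodsecurity v3 writes them; the sample lines and helper names are constructed for illustration.

```python
import re
import sys
from collections import Counter

# CRS rules that only report the accumulated anomaly score. They fire on top
# of the rule that actually matched, so they are left out of the tally.
SCORE_RULES = {"949110", "959100", "980130"}

TAG = {name: re.compile(r'\[%s "([^"]*)"\]' % name) for name in ("id", "uri", "msg")}


def tally(lines):
    """Count hits per (path, rule id); remember one message per rule id."""
    hits, messages = Counter(), {}
    for line in lines:
        rule, uri, msg = (TAG[n].search(line) for n in ("id", "uri", "msg"))
        if not rule or not uri or rule.group(1) in SCORE_RULES:
            continue
        path = uri.group(1).split("?", 1)[0]  # group by path, ignore any query
        hits[(path, rule.group(1))] += 1
        messages.setdefault(rule.group(1), msg.group(1) if msg else "")
    return hits, messages


def report(lines, min_hits=2):
    """Rows of (hits, path, rule id, message), most frequent first."""
    hits, messages = tally(lines)
    rows = [(n, p, r, messages[r]) for (p, r), n in hits.items() if n >= min_hits]
    return sorted(rows, key=lambda row: (-row[0], row[1], row[2]))


def _line(rule_id, msg, uri):
    # Constructed, shortened log line; real entries carry more tags.
    return 'ModSecurity: Warning. [id "%s"] [msg "%s"] [uri "%s"]' % (rule_id, msg, uri)


SAMPLE = (  # constructed sample, not real traffic
    [_line("942100", "SQL Injection Attack Detected via libinjection", "/api/search")] * 3
    + [_line("949110", "Inbound Anomaly Score Exceeded", "/api/search")] * 3
    + [_line("920350", "Host header is a numeric IP address", "/healthz?probe=1")] * 2
    + [_line("941100", "XSS Attack Detected via libinjection", "/contact")]
)

if __name__ == "__main__":
    source = open(sys.argv[1], errors="replace") if len(sys.argv) > 1 else SAMPLE
    for n, path, rule_id, msg in report(source):
        print("%5d  %-20s %s  %s" % (n, path, rule_id, msg))
```

A high count on one path marks a candidate for review, not a confirmed false positive; check that the requests behind it are legitimate before excluding the rule.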
Step 5: Enforce
Flip to SecRuleEngine On. Monitor 4xx rates on legitimate endpoints. Be ready to roll back to detection mode.