Guide data

Difficulty: Intermediate
Time: 1-2 hours for a lab deployment
Updated: 2026-05-30
Intent: Users researching ModSecurity NGINX setup, OWASP CRS deployment, and open-source WAF tuning.

Prerequisites

  • NGINX reverse proxy experience.
  • A lab application with representative traffic.
  • A compatible ModSecurity connector or distribution path.
  • Time reserved for CRS tuning.

Deployment workflow

Use a narrow, reversible rollout.

1. Select the connector and rule source

Confirm which ModSecurity connector and CRS version your deployment path supports. Version mismatches are a common source of confusing behavior.

  • Connector is documented for the target NGINX build.
  • CRS version is pinned.
  • Rule files are stored in source control or a repeatable package path.

2. Start in detection-only mode

Detection-only mode lets you collect rule hits without breaking normal workflows. This is the fastest way to learn where tuning is needed.

  • Audit logs are written.
  • False positives are visible.
  • Rule IDs can be traced back to CRS files.

3. Tune exclusions by evidence

Avoid broad rule disables. Prefer narrow exclusions tied to a path, parameter, method, or upstream service where the false positive is repeatable.

  • Each exclusion has a reason.
  • Clean requests stop triggering the rule.
  • Attack-like test traffic still triggers related controls.
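As an added example that is not part of this guide, the following Python script works through steps 2 and 3 together with the validation checklist item on collecting false-positive rule IDs: it reads the hit lines the NGINX ModSecurity connector (libmodsecurity v3) writes to the error log while in detection-only mode, skips the CRS anomaly-scoring rules, and drafts a narrow ctl:ruleRemoveTargetById exclusion only for (rule, URI, variable) combinations that recur. The sample log lines, file paths and the local rule id range starting at 10000 are constructed assumptions; the bracketed-tag layout follows libmodsecurity's error-log format.

```python
import re
from collections import Counter

# Bracketed tags the NGINX connector writes per hit; "against variable"
# names the matched target (e.g. ARGS:comment), which a narrow exclusion needs.
ID_RE = re.compile(r'\[id "(\d+)"\]')
URI_RE = re.compile(r'\[uri "([^"]*)"\]')
FILE_RE = re.compile(r'\[file "([^"]*)"\]')
VAR_RE = re.compile(r"against variable `([^']+)'")
# CRS 3 anomaly-score evaluation/reporting rules: they fire on every scored
# request and are never the right exclusion target.
SCORING_RULES = {"949110", "980130"}

def parse_hits(lines):
    """Yield (rule_id, uri, variable, crs_file) for each ModSecurity hit line."""
    for line in lines:
        rid, uri = ID_RE.search(line), URI_RE.search(line)
        if ("ModSecurity:" not in line or not rid or not uri
                or rid.group(1) in SCORING_RULES):
            continue
        var, src = VAR_RE.search(line), FILE_RE.search(line)
        yield (rid.group(1), uri.group(1), var.group(1) if var else "",
               src.group(1).rsplit("/", 1)[-1] if src else "")

def draft_exclusions(lines, min_hits=2, first_id=10000):
    """One runtime exclusion per (rule, uri, variable) triple seen >= min_hits times."""
    rules = []
    for (rid, uri, var, src), n in sorted(Counter(parse_hits(lines)).items()):
        if n < min_hits or not var:  # not repeatable, or no target to narrow to
            continue
        rules.append(
            f"# {n} hits of {rid} ({src}) on {var} at {uri}\n"
            f'SecRule REQUEST_URI "@streq {uri}" "id:{first_id + len(rules)},'
            f'phase:1,pass,nolog,ctl:ruleRemoveTargetById={rid};{var}"')
    return rules

def _line(rid, uri, var, src, msg):
    # Constructed sample in the connector's error-log shape (tags abbreviated).
    return ("2026/05/30 10:00:00 [error] 12#12: *7 [client 10.0.0.5] ModSecurity: "
            "Warning. Matched \"Operator `Rx' with parameter `x' against variable "
            f"`{var}' (Value: `v' ) [file \"/etc/crs/rules/{src}\"] [line \"1\"] "
            f'[id "{rid}"] [msg "{msg}"] [uri "{uri}"], client: 10.0.0.5')

SAMPLE_LOG = [  # constructed: two repeat hits, one single hit, one scoring rule
    _line("942100", "/api/comment", "ARGS:comment", "REQUEST-942-APPLICATION-ATTACK-SQLI.conf", "SQLi"),
    _line("942100", "/api/comment", "ARGS:comment", "REQUEST-942-APPLICATION-ATTACK-SQLI.conf", "SQLi"),
    _line("941100", "/search", "ARGS:q", "REQUEST-941-APPLICATION-ATTACK-XSS.conf", "XSS"),
    _line("949110", "/api/comment", "TX:anomaly_score", "REQUEST-949-BLOCKING-EVALUATION.conf", "Score"),
]
```

Review each drafted rule against the CRS file it names before loading it; the single /search hit is deliberately left alone because one occurrence is not evidence of a repeatable false positive.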

Validation checklist

  • Replay common clean workflows and collect false-positive rule IDs.
  • Test safe SQLi and XSS payloads in a lab environment.
  • Measure upstream latency before and after enabling inspection.
  • Review audit log size and retention requirements.

Rollback planning

  • Keep a known-good NGINX config snapshot.
  • Be able to switch back to detection-only mode quickly.
  • Use staged config reloads instead of editing production rules manually.

Common mistakes

  • Enabling blocking mode before collecting enough clean traffic.
  • Disabling entire CRS categories because of one false positive.
  • Ignoring audit log volume until disk pressure appears.

FAQ

Is this ModSecurity with NGINX and OWASP CRS Setup Guide official documentation?

No. WAFWiki is independent. Always verify commands, pricing, and support terms with the linked official documentation before production use.

Should I enable blocking immediately?

No. Start with a lab route or observation mode where possible, collect clean traffic, tune false positives, and document rollback first.
