I'm trying to set up a reverse proxy using NGINX on CentOS7 and ModSecurity for use in between an Exchange server and the internet. I'll be honest and say I'm not all that great with Linux, but I've learned how to do some things fairly well, and with a good 'how-to', I can get things working. Done plenty of that. That being said, I've got an NGINX Reverse Proxy set up, streaming the SSL traffic straight to the Exchange server, and that's working great, although it's rather useless in that configuration.

My first thought/goal is to get ModSecurity installed on it and use GeoIP filtering to block all IPs outside of the country. I know, people will say that doesn't work, and I can't entirely disagree - if you're trying to Geo filter to a smaller level than country, well, usually, IPs are registered to the ISP's HQ, not the subscriber's area, so trying to filter down to your local area more than likely won't work. Then there are VPNs attackers could use to appear to be coming from the same country - and you would be correct. But it would still limit the attack surface.

After thinking about it some more, I wouldn't really be opposed to the SSL terminating on the proxy and unencrypted HTTP traffic going to the Exchange server as that would be inside the private network, behind the firewall, allowing for more potential security scanning on the inbound traffic, but that's another topic.

I've tried to get ModSecurity working by going through several different 'how-to's', but so far, I've had no luck in getting it working. The one that I seemed to have the most luck with was the one on NGINX's blog. I had to work through a few dependencies being missing that caused either the make or configure to fail (possibly due to version differences), but it seemed to compile and install in the end after I managed to work through the missing bits. But when I put in their test config and tried to test it... nope.

Does anyone have any suggestions or know of any good recent 'How-To's' that apply to the current releases of NGINX and ModSecurity that I could try? Or any other suggestions?

SubnetMask