OpenResty and WAF Stack

The package combines OpenResty, ModSecurity v3, OWASP Core Rule Set, and several edge-focused nginx modules into one Debian package.

OpenResty build options

The build uses /usr/local/openresty as the install prefix and /etc/nginx/nginx.conf as the main configuration path. Runtime temp paths are under /var/lib/nginx, logs under /var/log/nginx, and the PID file is /run/openresty.pid.

Important compiled capabilities include:

  • HTTP SSL, HTTP/2, and HTTP/3.
  • Real IP, auth request, DAV, slice, gzip static, secure link, sub, and stub status.
  • Stream SSL, stream preread, and stream real IP.
  • Dynamic GeoIP, image filter, XSLT, mail, AJP, and stream GeoIP modules.
  • ModSecurity-nginx, GeoIP2, and Brotli modules.

ModSecurity and CRS

ModSecurity is built from the OWASP-maintained fork and installed as a library dependency of OpenResty. CRS is copied into /etc/modsecurity/crs, with crs-setup.conf created from the example if needed.

The runtime include chain is intentionally explicit:

nginx vhost
-> includes/waf.conf
-> /etc/modsecurity/main.conf
-> modsecurity.conf
-> crs/crs-setup.conf
-> crs/rules/*.conf
-> local-rules.conf

local-rules.conf is loaded last so operators can disable noisy CRS rules or add local protections without editing upstream CRS files.
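
A deployment check for this ordering, as an added example rather than code shipped in the package: it reads the Include lines of main.conf and reports any deviation from the documented chain. The absolute paths in the sample files and the helper names (include_order, stage_of, check_chain) are assumptions made for the illustration.

```python
import re

# Constructed sample of /etc/modsecurity/main.conf (absolute paths are assumed).
SAMPLE_MAIN_CONF = """\
# ModSecurity entry point (constructed example)
Include /etc/modsecurity/modsecurity.conf
Include /etc/modsecurity/crs/crs-setup.conf
Include /etc/modsecurity/crs/rules/*.conf
Include /etc/modsecurity/local-rules.conf
"""

# Constructed misconfiguration: local overrides load before CRS.
SAMPLE_BAD_ORDER = """\
Include /etc/modsecurity/modsecurity.conf
Include /etc/modsecurity/local-rules.conf
Include /etc/modsecurity/crs/crs-setup.conf
Include /etc/modsecurity/crs/rules/*.conf
"""

# Stages in the order the include chain documents them.
STAGES = ["/modsecurity.conf", "/crs/crs-setup.conf", "/crs/rules/", "/local-rules.conf"]
INCLUDE_RE = re.compile(r'^[ \t]*Include[ \t]+"?([^"\s]+)"?', re.MULTILINE)

def include_order(conf_text):
    """Return Include targets in load order; comment lines never match."""
    return INCLUDE_RE.findall(conf_text)

def stage_of(path):
    """Map an Include target to its stage index, or None for an unknown file."""
    return next((i for i, m in enumerate(STAGES) if m in path), None)

def check_chain(conf_text):
    """Return a list of problems; an empty list means the chain is as documented."""
    order = include_order(conf_text)
    stages = [stage_of(p) for p in order]
    problems = [f"missing include for {m}" for i, m in enumerate(STAGES) if i not in stages]
    known = [s for s in stages if s is not None]
    if known != sorted(known):
        # SecRuleRemoveById only removes rules that were loaded before it.
        problems.append("includes are out of order")
    if not order or stage_of(order[-1]) != len(STAGES) - 1:
        problems.append("local-rules.conf is not the last include")
    return problems

if __name__ == "__main__":
    for name, text in [("good", SAMPLE_MAIN_CONF), ("bad", SAMPLE_BAD_ORDER)]:
        print(name, check_chain(text) or "OK")
```

To use it on a host, pass the text of the real main.conf to check_chain in place of the constructed samples.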

Brotli

Brotli is compiled and enabled in nginx.conf with moderate compression settings and support for static Brotli assets. This complements gzip rather than replacing it.

GeoIP and GeoIP2

The build includes legacy GeoIP module support and the GeoIP2 module. The package does not download MaxMind databases because GeoLite2 distribution requires a license key. Operators should install and maintain those databases separately, then wire the relevant geoip2 directives into site configuration.

AJP

nginx_ajp_module is fetched from the upstream default branch because the upstream project does not publish releases. The effective branch/ref is recorded in build/sources.manifest with the other build inputs.