ModSecurity for Kong


We have kong version 0.14.1 based on the below images:

I’m wondering how can I implement Modsecurity WAF on top of Kong’s OpenResty for Nginx .

I have installed ModSecurity, and complied the same OpenResty version that exist on the kong image, and then I configured Nginx associated with Openresty for ModSecurity. But I’m missing the part of configuring Kong’s Nginx so that all the API requests go through it.

For example, I have a rule to prevent the word " testwaf " when running a curl command as below:

curl localhost?testparam=testwaf --> 403 forbidden

How can I do the sam for the API requests:

curl localhost:8001?testparam=testwaf
curl localhost:8000?testparam=testwaf

The Nginx file I configured is:

while the file Nginx files under Kong directory are:

I used: export KONG_NGINX_HTTP_INCLUDE="/usr/local/openresty/nginx/conf/nginx-modsec.conf" to include it to kong, but didn’t work for api links.