Implementing WAF protection with nginx + nginx_lua
阿新 • Published: 2020-11-04
1. Download the required packages
wget http://luajit.org/download/LuaJIT-2.0.5.tar.gz
git clone https://github.com/simpl/ngx_devel_kit
git clone -b v0.10.14 https://github.com/openresty/lua-nginx-module (download this specific version; otherwise nginx reports an error and fails to start)
wget http://nginx.org/download/nginx-1.12.1.tar.gz
wget -c https://github.com/loveshell/ngx_lua_waf/archive/master.zip
2. Install and configure
LuaJIT:
# tar xf LuaJIT-2.0.5.tar.gz
# cd LuaJIT-2.0.5
# make -j 2 && make install
Set the environment variables:
# vim /etc/profile.d/LuaJIT.conf
export LUAJIT_LIB=/usr/local/lib
export LUAJIT_INC=/usr/local/include/luajit-2.0
export LD_LIBRARY_PATH=/usr/local/lib/:$LD_LIBRARY_PATH
# . /etc/profile.d/LuaJIT.conf
Nginx:
# tar xf nginx-1.12.1.tar.gz
# cd nginx-1.12.1
# yum install -y openssl-devel pcre-devel
# ./configure --prefix=/usr/local/nginx --with-http_stub_status_module --with-http_ssl_module --add-module=../ngx_devel_kit --add-module=../lua-nginx-module --user=nginx --group=nginx
# make && make install
Nginx_lua_waf:
# mkdir -p /usr/local/nginx/conf/waf
# unzip master.zip
# cd ngx_lua_waf-master
# cp -rf * /usr/local/nginx/conf/waf/
# mkdir -p /usr/local/nginx/logs/hack
# chown -R nginx /usr/local/nginx/logs/hack
3. Modify the configuration
# vim /usr/local/nginx/conf/nginx.conf
Add the following to the http block:
lua_need_request_body on;
lua_package_path "/usr/local/nginx/conf/waf/?.lua";
lua_shared_dict limit 10m;
init_by_lua_file /usr/local/nginx/conf/waf/init.lua;
access_by_lua_file /usr/local/nginx/conf/waf/waf.lua;
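4. Start nginx and verify
Start: /usr/local/nginx/sbin/nginx
Access check: 192.168.1.1:8080/?id=select * from mysql; if the page below appears, the WAF is in effect.
Problems encountered:
The error shown in the image above is mainly caused by using the wrong version of the lua-nginx-module package; version 0.10.14 is required.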
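
A post-install check for sections 3 and 4, as an added example that is not part of the original post: check_waf_conf counts the section-3 directives that are missing or commented out (without access_by_lua_file nginx still starts but filters nothing), and verify_waf replays the page's test query. The function names are hypothetical, and the expectation that a blocked request returns HTTP 403 is an assumption about ngx_lua_waf's default block page.

```shell
#!/bin/sh
# Added example (not from the original post). Paths default to this page's.

# Return how many of the section-3 directives are missing from an nginx.conf.
check_waf_conf() {
    conf=$1
    waf_dir=${2:-/usr/local/nginx/conf/waf}
    missing=0
    # Drop comments and squeeze blanks so commented-out or re-indented
    # directives are judged correctly.
    active=$(sed 's/#.*//' "$conf" | tr -s '[:blank:]' ' ')
    for want in \
        "lua_need_request_body on;" \
        "lua_package_path \"$waf_dir/?.lua\";" \
        "lua_shared_dict limit 10m;" \
        "init_by_lua_file $waf_dir/init.lua;" \
        "access_by_lua_file $waf_dir/waf.lua;"
    do
        if ! printf '%s\n' "$active" | grep -qF -- "$want"; then
            echo "missing: $want" >&2
            missing=$((missing + 1))
        fi
    done
    return "$missing"
}

# Print the HTTP status returned for the page's test query.
waf_status() {
    curl -s -o /dev/null -w '%{http_code}' --get \
        --data-urlencode 'id=select * from mysql' "$1/"
}

# Smoke test: a plain request must pass and the test query must be blocked.
# Assumption: the block page is served with HTTP 403.
verify_waf() {
    base=$1
    plain=$(curl -s -o /dev/null -w '%{http_code}' "$base/")
    probe=$(waf_status "$base")
    [ "$plain" != 403 ] && [ "$probe" = 403 ]
}
```

Run check_waf_conf /usr/local/nginx/conf/nginx.conf before starting nginx, then verify_waf http://192.168.1.1:8080 once it is up.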