Implementing a WAF with nginx + Lua
Lua in brief:
Lua is a small, lightweight, extensible scripting language; it is easy to embed in C/C++ programs, and Lua code can call C/C++ functions in turn.
Installing Lua:
[[email protected] ~]# yum -y install lua
Using Lua:
[[email protected] ~]# lua
Lua 5.1.4  Copyright (C) 1994-2008 Lua.org, PUC-Rio
> print "hello world"
hello world
Typing at the prompt is inconvenient, so put the code in a file and run that instead:
[[email protected] ~]# which lua
/usr/bin/lua
[[email protected] ~]# vim test.lua
Add:
#!/usr/bin/lua
print("hello world")
[[email protected] ~]# lua test.lua
hello world
Lua comment syntax:
Single-line comment:
--comment text
Block comment:
--[[
comment text
--]]
Example:
#!/usr/bin/lua
--hello
--[[
test
--]]
print("hello world")
Running it with lua test.lua prints:
hello world
Defining and using Lua variables:
#!/usr/bin/lua
--hello
--[[
test
--]]
a = 123
print(a)
print("test:", a)
[[email protected] ~]# lua test.lua
123
test: 123
# In Lua only nil and false are falsy; every other value is truthy, including the number 0 and the empty string (unlike C or PHP, where 0 and "" are false).
# Variables are global by default; declare them with local to limit their scope. This matters in nginx Lua code, where globals are shared by every request handled by a worker.
Further Lua (while loops, if statements and so on) is not covered here.
Loading the Lua environment into nginx:
By default nginx has no Lua support: you need the LuaJIT interpreter and an nginx rebuilt with the Lua module. Alternatively use OpenResty (by agentzh), which bundles all of this and is very easy to set up.
First, load Lua. nginx is already installed here, so it is enough to recompile it with the extra modules.
Download LuaJIT, ngx_devel_kit and lua-nginx-module:
[[email protected] ~]# wget http://luajit.org/download/LuaJIT-2.0.4.tar.gz
[[email protected] ~]# wget https://github.com/simpl/ngx_devel_kit/archive/v0.2.19.tar.gz
[[email protected] ~]# wget https://github.com/openresty/lua-nginx-module/archive/v0.10.13.tar.gz
Unpack ngx_devel_kit and lua-nginx-module:
[[email protected] ~]# tar -zxvf v0.2.19.tar.gz -C /usr/src/
[[email protected] ~]# tar -zxvf v0.10.13.tar.gz -C /usr/src/
Install LuaJIT:
[[email protected] ~]# cd /usr/src/LuaJIT-2.0.4/
[[email protected] LuaJIT-2.0.4]# make && make install
...............
==== Successfully installed LuaJIT 2.0.4 to /usr/local ==== # a successful build ends with this "Successfully installed" line
[[email protected] ~]# echo "/usr/local/lib" >> /etc/ld.so.conf
[[email protected] ~]# ldconfig
nginx is already installed here, so only the two modules need to be added and nothing has to be reinstalled (if nginx is not installed yet, compile and install it directly with the same configure arguments as below). Before running configure, export LUAJIT_LIB (/usr/local/lib here) and LUAJIT_INC (/usr/local/include/luajit-2.0 here) so that the lua-nginx-module build links against the LuaJIT just installed rather than a system Lua:
[[email protected] ~]# nginx -V
nginx version: nginx/1.10.3
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-39) (GCC)
built with OpenSSL 1.0.2k-fips 26 Jan 2017
TLS SNI support enabled
configure arguments: --prefix=/usr/local/nginx --with-http_dav_module --with-http_stub_status_module --with-http_addition_module --with-http_sub_module --with-http_flv_module --with-http_mp4_module --with-pcre --with-http_ssl_module --with-http_gzip_static_module
# copy the configure arguments shown above and append the two --add-module flags:
[[email protected] ~]# cd /usr/src/nginx-1.10.3/
[[email protected] nginx-1.10.3]# ./configure --prefix=/usr/local/nginx --with-http_dav_module --with-http_stub_status_module --with-http_addition_module --with-http_sub_module --with-http_flv_module --with-http_mp4_module --with-pcre --with-http_ssl_module --with-http_gzip_static_module --add-module=../ngx_devel_kit-0.2.19 --add-module=../lua-nginx-module-0.10.13 # the two --add-module flags are new: they add ngx_devel_kit and lua-nginx-module
[[email protected] nginx-1.10.3]# make
[[email protected] nginx-1.10.3]# cp objs/nginx /usr/local/nginx/sbin/nginx # overwrite the old binary; stop nginx first (or back the binary up and use make upgrade), because a running binary cannot be overwritten ("Text file busy")
[[email protected] nginx-1.10.3]# rm -rf /usr/bin/nginx # remove the old symlink
[[email protected] nginx-1.10.3]# ln -s /usr/local/nginx/sbin/* /usr/bin/ # create the new symlink
Verify that the Lua module is loaded:
[[email protected] ~]# vim /usr/local/nginx/conf/nginx.conf
location /test {
default_type text/html;
content_by_lua_block {
ngx.say("hello world")
}
}
Check the configuration with nginx -t, restart nginx, and request /test: the response body should be "hello world".
# success
# Alternatively deploy OpenResty, which is simpler; choose either the manual nginx + Lua build or OpenResty, not both. OpenResty deployment is not covered here.
Implementing the WAF with nginx + Lua:
As networks have grown, security has become a major concern. There are many attack techniques, for example crawlers and SQL injection.
Build a LNMP stack to simulate SQL injection. nginx + Lua is already in place, so only MySQL and PHP are needed; they are installed with yum here (a network repository is required).
[[email protected] ~]# yum -y install mariadb mariadb-server php php-fpm php-mysql
Add to the server block of nginx.conf:
location / {
root html;
index index.html index.php;
}
location ~ \.php$ {
root html;
fastcgi_pass 127.0.0.1:9000;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME /usr/local/nginx/html/$fastcgi_script_name;
include fastcgi_params;
}
[[email protected] ~]# systemctl start php-fpm
[[email protected] ~]# systemctl start mariadb
[[email protected] ~]# nginx -s reload
[[email protected] ~]# vim /usr/local/nginx/html/index.php
Add:
<?php
phpinfo();
?>
Open it in a browser to verify that PHP is served.
Configure MySQL:
mysqladmin -uroot password 123.com
Log in to the database and run:
MariaDB [(none)]> create database info;
MariaDB [(none)]> use info;
MariaDB [info]> create table user(id int,username varchar(64),password varchar(64),email varchar(64));
MariaDB [info]> insert into user values(1,'zs',('123'),'[email protected]');
Query OK, 1 row affected (0.00 sec)
MariaDB [info]> insert into user values(2,'ww',('456'),'[email protected]');
Query OK, 1 row affected (0.00 sec)
Write the files used for the SQL injection test:
[[email protected] ~]# vi /usr/local/nginx/html/login.html
Add:
<html>
<head>
<title> SQL injection test </title>
<meta http-equiv="content-type" content="text/html;charset=utf-8">
</head>
<body>
<form action="sql.php" method="post">
<table>
<tr>
<td> User: </td>
<td><input type="text" name="username"></td>
</tr>
<tr>
<td> Password: </td>
<td><input type="text" name="password"></td>
</tr>
<tr>
<td><input type="submit" value="Submit"></td>
<td><input type="reset" value="Reset"></td>
</tr>
</table>
</form>
</body>
</html>
[[email protected] ~]# vi /usr/local/nginx/html/sql.php
Add:
<?php
// Deliberately vulnerable test script: the form values are pasted straight into the SQL string.
// (The mysql_* functions were removed in PHP 7; this runs on the PHP 5.x from the CentOS 7 base repository.)
$conn = mysql_connect("localhost", 'root', '123.com') or die("Database connection failed!");
mysql_select_db("info", $conn) or die("The selected database does not exist");
$name = $_POST['username'];
$pwd  = $_POST['password'];
// Injection point: no escaping and no parameter binding
$sql = "select * from user where username='$name' and password='$pwd'";
echo $sql . "<br />";            // echo the query so the effect of the injection is visible
$query = mysql_query($sql);
$arr = mysql_fetch_array($query);
if ($arr) {
    echo "login success!<br />";
    echo $arr[1];                 // username
    echo $arr[3] . "<br /><br />"; // email
} else {
    echo "login failed!";
}
?>
Open login.html in a browser to verify:
Enter ' or 1=1# in the user field and submit. The echoed query becomes select * from user where username='' or 1=1#' and password='' : 1=1 is always true and # comments out the password check, so the first row (zs) is returned and the login succeeds without a password.
To stop this SQL injection we deploy a WAF with nginx + Lua. The proper fix is a parameterized query in sql.php; the WAF is an extra layer in front of the application that also protects other sites behind the same nginx:
[[email protected] ~]# yum -y install git
[[email protected] ~]# git clone https://github.com/Loveshell/ngx_lua_waf.git
[[email protected] ~]# cp -r ngx_lua_waf/ /usr/local/nginx/conf/waf
[[email protected] ~]# vim /usr/local/nginx/conf/nginx.conf
Add inside the http block: # the paths must match the waf directory created above
lua_package_path "/usr/local/nginx/conf/waf/?.lua;;"; # the trailing ;; keeps Lua's default search paths
lua_shared_dict limit 10m; # shared memory zone used by the CC counter; the name must stay "limit"
init_by_lua_file /usr/local/nginx/conf/waf/init.lua; # runs once at startup and loads the rule files
access_by_lua_file /usr/local/nginx/conf/waf/waf.lua; # runs in the access phase of every request
[[email protected] ~]# nginx -s reload
[[email protected] ~]# vim /usr/local/nginx/conf/waf/config.lua
RulePath = "/usr/local/nginx/conf/waf/wafconf/" # must point at the wafconf directory of the clone
[[email protected] ~]# vim /usr/local/nginx/conf/waf/wafconf/post
Add on the first line:
\sor\s+
Each line of a rule file is a PCRE regex applied, case-insensitively, to every POST field. Note that \sor\s+ matches any whitespace-delimited "or", so a legitimate field containing "tea or coffee" is blocked as well; a tighter pattern that also requires a quote before the keyword and a comparison after it (for example ['"]\s*or\s+[\w'"]+\s*=\s*[\w'"]+) has far fewer false positives. Rules are loaded by init.lua at startup, so reload nginx (nginx -s reload) after editing them.
Run the SQL injection test again: the request is now blocked before it reaches sql.php.
The default policy that ships with the cloned WAF is largely sufficient.
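The rule matching described above, as an added example in Lua that is my own code and not ngx_lua_waf's: a minimal access-phase filter that applies one-regex-per-line rule lists to the query string and the POST body. It assumes the rules are embedded instead of read from RulePath, that nginx.conf wires the file in with access_by_lua_file /usr/local/nginx/conf/waf/mini_waf.lua (a hypothetical file name), and it must run inside nginx because it uses the ngx API.

```lua
-- Added example (my own code, not ngx_lua_waf's). Assumed nginx.conf wiring, inside http {}:
--   access_by_lua_file /usr/local/nginx/conf/waf/mini_waf.lua;   (hypothetical file name)

-- Rules are PCRE patterns, one per line in the real rule files; embedded here.
-- The first POST rule is the page's "\sor\s+". The second is a tighter
-- alternative: it wants a quote before OR/AND and a comparison after it, so
-- "tea or coffee" in a comment field passes while "' or 1=1" and
-- "\" OR 'a'='a'" are caught (it will not catch "' or 1 like 1", a trade-off).
local args_rules = {
    [=[union.*?select]=],
    [=[\.\./]=],
}
local post_rules = {
    [=[\sor\s+]=],
    [=[['"]\s*(?:or|and)\s+[\w'"]+\s*=\s*[\w'"]+]=],
}

-- Return the first rule that matches `value`, or nil.
local function first_match(value, rules)
    for _, rule in ipairs(rules) do
        -- "isjo": case-insensitive, dot matches newline, PCRE JIT, compile-once cache
        local from, _, err = ngx.re.find(value, rule, "isjo")
        if err then
            ngx.log(ngx.ERR, "bad rule ", rule, ": ", err)
        elseif from then
            return rule
        end
    end
    return nil
end

-- Walk a GET/POST args table. Values are strings, tables (repeated keys) or
-- `true` (a bare key with no "="); only strings are matched. Key and value are
-- both checked, and the value is percent-decoded once more so a double-encoded
-- payload (%2527 -> %27 -> ') is not missed.
local function scan_args(args, rules)
    for name, val in pairs(args) do
        local rule = first_match(name, rules)
        if rule then return name, rule end
        local values = type(val) == "table" and val or { val }
        for _, v in ipairs(values) do
            if type(v) == "string" then
                rule = first_match(ngx.unescape_uri(v), rules)
                if rule then return name, rule end
            end
        end
    end
    return nil
end

local function deny(where, name, rule)
    ngx.log(ngx.WARN, "waf deny ", ngx.var.remote_addr, " ", ngx.var.request_method,
            " ", ngx.var.uri, " ", where, "=", name, " rule=", rule)
    return ngx.exit(ngx.HTTP_FORBIDDEN)
end

-- Query string, for every method; cap at 100 keys to bound CPU per request.
local name, rule = scan_args(ngx.req.get_uri_args(100), args_rules)
if name then return deny("arg", name, rule) end

-- Form body: only for POST and only for application/x-www-form-urlencoded,
-- which is what get_post_args() can parse.
if ngx.req.get_method() == "POST" then
    local ctype = ngx.var.content_type or ""
    if ctype:find("application/x-www-form-urlencoded", 1, true) then
        ngx.req.read_body()
        local post, err = ngx.req.get_post_args(100)
        if not post then
            ngx.log(ngx.ERR, "cannot read post args: ", err)  -- e.g. body spooled to a temp file
        else
            name, rule = scan_args(post, post_rules)
            if name then return deny("post", name, rule) end
        end
    end
end
```

Submitting the login form with ' or 1=1# in the user field is rejected with 403 by either POST rule and logged at WARN level with the client address, the field name and the rule that fired; a field containing "tea or coffee" is rejected only by the page's broad rule. Multipart or JSON bodies are not inspected by this snippet, which is the same blind spot as a form-args-only rule file.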
Configuring the WAF against CC (HTTP flood) attacks:
[[email protected] ~]# vim /usr/local/nginx/conf/waf/config.lua
CCDeny="on" # enable the CC limit
CCrate="600/60" # at most 600 requests per 60 seconds from one IP; beyond that the IP gets 503 for the rest of the window while other IPs are unaffected. The counter is kept per IP + URI in the shared dict and expires 60 seconds after the first request of the window, so the block ends then, not 60 seconds after it started.
[[email protected] ~]# nginx -s reload
From another machine, load-test with ab (in the httpd-tools package on CentOS):
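The CC counter configured above, as an added example in Lua that is my own code and not ngx_lua_waf's denycc(): a fixed-window request counter in a lua_shared_dict, so the behaviour of CCrate="600/60" can be read off directly. It assumes lua_shared_dict limit 10m; is in the http block, that the file is wired in with access_by_lua_file /usr/local/nginx/conf/waf/cc_limit.lua (a hypothetical file name), and lua-nginx-module 0.10.12 or later for the init_ttl argument of incr() and the ttl() method.

```lua
-- Added example (my own code, not ngx_lua_waf's). Assumed nginx.conf wiring, inside http {}:
--   lua_shared_dict limit 10m;
--   access_by_lua_file /usr/local/nginx/conf/waf/cc_limit.lua;   (hypothetical file name)

local CCrate = "600/60"          -- requests / seconds, same format as config.lua
local max_hits = tonumber(CCrate:match("^(%d+)/"))
local window   = tonumber(CCrate:match("/(%d+)$"))

local limit = ngx.shared.limit   -- name must match the lua_shared_dict directive

-- One counter per client IP and URI, like ngx_lua_waf. Behind a proxy or CDN
-- ngx.var.remote_addr is the proxy's address and every client would share one
-- counter; use the realip module there so remote_addr is the real client.
local key = ngx.var.remote_addr .. ngx.var.uri

-- Atomic create-or-increment: on the first hit the key is created as 0 + 1
-- with a TTL of `window` seconds; later hits just add 1. The TTL is NOT
-- refreshed, so the window is fixed: it ends `window` seconds after the FIRST
-- request, not `window` seconds after the block began. A client that bursts
-- 2000 requests gets 503 from request 601 until that moment, then a fresh
-- window starts.
local hits, err = limit:incr(key, 1, 0, window)
if not hits then
    -- "no memory" and similar: log and fail open rather than take the site down
    ngx.log(ngx.ERR, "cc counter error for ", ngx.var.uri, ": ", err)
    return
end

if hits > max_hits then
    local remaining = limit:ttl(key) or window   -- seconds left in this window
    ngx.header["Retry-After"] = tostring(math.ceil(remaining))
    ngx.log(ngx.WARN, "cc deny ", ngx.var.remote_addr, " ", ngx.var.uri,
            " hits=", hits, " window=", window)
    return ngx.exit(ngx.HTTP_SERVICE_UNAVAILABLE)   -- 503, matching the curl output below
end
```

With ab -n 2000 -c 200 against one URL from one address, the first 600 requests succeed and the rest return 503 with a Retry-After header; the same address can still fetch other URIs because the key includes the URI. Status 503 is what ngx_lua_waf sends and what the page shows; 429 Too Many Requests is the more specific code if you control the clients. A fixed window lets a client send up to 2 × 600 requests across a window boundary in a few seconds; the leaky-bucket limiter in OpenResty's lua-resty-limit-traffic (resty.limit.req) smooths that out if it matters.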
[[email protected] ~]# ab -n 2000 -c 200 http://192.168.10.3/login.html
After the command finishes, request the page again:
[[email protected] ~]# curl http://192.168.10.3/login.html
<html>
<head><title>503 Service Temporarily Unavailable</title></head>
<body bgcolor="white">
<center><h1>503 Service Temporarily Unavailable</h1></center>
<hr><center>nginx/1.10.3</center>
</body>
</html>
After 60 seconds it is reachable again:
[[email protected] ~]# curl http://192.168.10.3/login.html
<html>
<head>
<title> SQL injection test </title>
<meta http-equiv="content-type" content="text/html;charset=utf-8">
</head>
<body>
<form action="sql.php" method="post">
<table>
…
Done.