nginx+ngx_lua支持WAF防護功能
安裝nginx+ngx_lua支持WAF防護功能
nginx lua模塊淘寶開發的nginx第三方模塊,它能將lua語言嵌入到nginx配置中,從而使用lua就極大增強了nginx的能力.nginx以高並發而知名,lua腳本輕便,兩者的搭配堪稱完美.
用途:防止sql註入,本地包含,部分溢出,fuzzing測試,xss,SSRF等web攻擊
防止svn/備份之類文件泄漏
防止ApacheBench之類壓力測試工具的攻擊
屏蔽常見的掃描黑客工具,掃描器
屏蔽異常的網絡請求
屏蔽圖片附件類目錄php執行權限
防止webshell上傳
系統:centos 6.4_x64
需要的軟件:LuaJIT-2.0.3.tar.gz
tengine-2.1.0.tar.gz (nginx)
ngx_devel_kit-master.zip (ngx_devel_kit)
lua-nginx-module-master.zip (nginx_lua模塊)
ngx_lua_waf-master.zip (waf策略 web應用防火墻)
yum -y install gcc gcc-c++ ncurses-devel libxml2-devel openssl-devel curl-devel libjpeg-devel libpng-devel autoconf pcre-devel libtool-libs freetype-devel gd zlib-devel zip unzip wget crontabs iptables file bison cmake patch mlocate flex diffutils automake make readline-devel glibc-devel glibc-static glib2-devel bzip2-devel gettext-devel libcap-devel logrotate ntp libmcrypt-devel GeoIP*
安裝LuaJIT 2.0
tar zxf LuaJIT-2.0.0.tar.gz
cd LuaJIT-2.0.0
make && make install
註:lib和include是直接放在/usr/local/lib和usr/local/include
再來設置環境變量(這是給後面nginx編譯的時候使用的):
vi /etc/profile
export LUAJIT_LIB=/usr/local/lib
export LUAJIT_INC=/usr/local/include/luajit-2.0
export LD_LIBRARY_PATH=/usr/local/lib/:$LD_LIBRARY_PATH
source /etc/profile
安裝nginx
tar zxvf tengine-2.1.0.tar.gz
cd tengine-2.1.0
./configure --user=www --group=www --prefix=/usr/local/webserver/nginx --with-http_stub_status_module --with-pcre=/root/lnmp/pcre-8.20 --with-google_perftools_module --with-http_realip_module --with-poll_module --with-select_module --with-http_realip_module --with-http_addition_module --with-http_xslt_module --with-http_image_filter_module --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_slice_module --with-http_mp4_module --with-http_gzip_static_module --with-http_concat_module --with-http_random_index_module --with-http_secure_link_module --with-http_degradation_module --with-http_sysguard_module --with-http_browser_module=shared --with-http_user_agent_module=shared --with-http_upstream_ip_hash_module=shared --with-http_upstream_least_conn_module=shared --with-http_upstream_session_sticky_module=shared --with-http_addition_module=shared --with-http_xslt_module=shared --with-http_image_filter_module=shared --with-http_sub_module=shared --with-http_flv_module=shared --with-http_slice_module=shared --with-http_mp4_module=shared --with-http_concat_module=shared --with-http_random_index_module=shared --with-http_secure_link_module=shared --with-http_sysguard_module=shared --with-http_charset_filter_module=shared --with-http_userid_filter_module=shared --with-http_footer_filter_module=shared --with-http_trim_filter_module=shared --with-http_access_module=shared --with-http_autoindex_module=shared --with-http_map_module=shared --with-http_split_clients_module=shared --with-http_referer_module=shared --with-http_uwsgi_module=shared --with-http_scgi_module=shared --with-http_memcached_module=shared --with-http_limit_conn_module=shared --with-http_limit_req_module=shared --with-http_empty_gif_module=shared
make && make install
報錯誤請執行error while loading shared libraries: libluajit-5.1.so.2: cannot open shared object file: No such file or directory
ln -s /usr/local/lib/libluajit-5.1.so.2 /lib64/libluajit-5.1.so.2
然後創建下面文件夾
mkdir -p /data/logs/{client_body,hack}
chown -R www:www /data
chmod -R 755 /data
解壓ngxluawaf-master.zip
unzip ngx_lua_waf-master.zip
mv ngx_lua_waf-master/* /usr/local/webserver/nginx/conf/
vi /usr/local/webserver/nginx/conf/config.lua
RulePath = waf的路徑--規則存放目錄
logdir = 日誌記錄地址--log存儲目錄,該目錄需要用戶自己新建,切需要nginx用戶的可寫權限
attacklog = "off" --是否開啟攻擊信息記錄,需要配置logdir
UrlDeny="on" --是否攔截url訪問
Redirect="on" --是否攔截後重定向
CookieMatch = "on" --是否攔截cookie攻擊
postMatch = "on" --是否攔截post攻擊
whiteModule = "on" --是否開啟URL白名單
ipWhitelist={"127.0.0.1"} --ip白名單,多個ip用逗號分隔
ipBlocklist={"1.0.0.1"} --ip黑名單,多個ip用逗號分隔
CCDeny="on" --是否開啟攔截cc攻擊(需要nginx.conf的http段增加luashareddict limit 10m;)
CCrate = "100/60" --設置cc攻擊頻率,單位為秒. --默認1分鐘同一個IP只能請求同一個地址100次
html=[[Please go away~~]] --警告內容,可在中括號內自定義
備註:不要亂動雙引號,區分大小寫
修改nginx配置,在HTTP裏面加入 記得改自己的路徑
lua_need_request_body on;
lua_package_path "/usr/local/webserver/nginx/conf /?.lua";
lua_shared_dict limit 10m;
init_by_lua_file /usr/local/webserver/nginx/conf/init.lua;
access_by_lua_file /usr/local/webserver/nginx/conf/waf.lua;
limit_req_zone $binary_remote_addr $uri zone=two:3m rate=1r/s;
limit_req_zone $binary_remote_addr $request_uri zone=thre:3m rate=1r/s;
然後啟動nginx.
測試創建個test.php文件,內容為test,使用curl來訪問,當然前提是nginx做好了虛擬主機,這裏就不介紹怎麽做虛擬主機了.
curl http://localhost/test.php?id=../etc/passwd
返回的內容:test
因為127.0.0.1允許的所以能看見頁面的內容,因為域名地址是不允許的所以能看不見頁面的內容,說明生效了
curl http://blog.slogra.com/test.php?id=../etc/passwd
返回的內容:
nginx+ngx_lua支持WAF防護功能