Implementing a WAF with Nginx + Lua
阿新 • Published: 2018-11-29
Technical content from: https://github.com/loveshell/ngx_lua_waf
Package requirements:
1. Nginx compatibility [last tested with 1.13.6]
[[email protected] src]# wget http://nginx.org/download/nginx-1.13.6.tar.gz
2. PCRE, a build-time dependency of Nginx
[[email protected] src]# wget https://jaist.dl.sourceforge.net/project/pcre/pcre/8.42/pcre-8.42.tar.gz
3. Download the LuaJIT interpreter, ngx_devel_kit and the lua-nginx-module module
[[email protected] src]# wget http://luajit.org/download/LuaJIT-2.0.5.tar.gz
[[email protected] src]# wget https://github.com/simplresty/ngx_devel_kit/archive/v0.3.0.tar.gz
[[email protected] src]# wget https://github.com/openresty/lua-nginx-module/archive/v0.10.13.tar.gz
4. Extract the files (tar takes one archive per invocation; extra arguments would be treated as member names to extract, so loop over them):
[[email protected] src]# for f in nginx-1.13.6.tar.gz pcre-8.42.tar.gz LuaJIT-2.0.5.tar.gz v0.3.0.tar.gz v0.10.13.tar.gz; do tar xf "$f"; done
5. Install LuaJIT (LuaJIT is a just-in-time compiler for Lua)
[[email protected] src]# cd LuaJIT-2.0.5/
[[email protected] LuaJIT-2.0.5]# make && make install
6. Set the environment variables
[[email protected] src]# export LUAJIT_LIB=/usr/local/lib
[[email protected] src]# export LUAJIT_INC=/usr/local/include/luajit-2.0
7. Install Nginx and load the modules [mind the directory locations and versions]
- --prefix=/usr/local/nginx-1.13.6 # nginx install directory
- --with-pcre=/usr/local/src/pcre-8.42 # directory containing the PCRE source
- --add-module=../ngx_devel_kit-0.3.0/ # directory containing ngx_devel_kit
- --add-module=../lua-nginx-module-0.10.13/ # directory containing lua-nginx-module
- -j2 # number of CPU cores to use for compilation
[[email protected] src]# cd nginx-1.13.6/
[[email protected] nginx-1.13.6]# ./configure --user=www --group=www --prefix=/usr/local/nginx-1.13.6 --with-pcre=/usr/local/src/pcre-8.42 --with-http_stub_status_module --with-http_sub_module --with-http_gzip_static_module --without-mail_pop3_module --without-mail_imap_module --without-mail_smtp_module --add-module=../ngx_devel_kit-0.3.0/ --add-module=../lua-nginx-module-0.10.13/
[[email protected] nginx-1.13.6]# make -j2 && make install
8. Create the symbolic links
[[email protected] src]# ln -s /usr/local/nginx-1.13.6 /usr/local/nginx
[[email protected] src]# ln -s /usr/local/lib/libluajit-5.1.so.2 /lib64/libluajit-5.1.so.2
Application configuration
1. Test calling Lua: edit nginx.conf and add a /hello location
[[email protected] conf]# vim /usr/local/nginx/conf/nginx.conf
worker_processes auto;
events {
    worker_connections 1024;
}
http {
    include mime.types;
    default_type application/octet-stream;
    sendfile on;
    keepalive_timeout 65;
    server {
        listen 80;
        server_name localhost;
        location / {
            root html;
            index index.html index.htm;
        }
        location /hello {
            default_type 'text/plain';
            content_by_lua 'ngx.say("hello,lua")';
        }
        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
            root html;
        }
    }
}
2. Check the syntax and start
[[email protected] conf]# /usr/local/nginx/sbin/nginx -t
[[email protected] conf]# /usr/local/nginx/sbin/nginx
[[email protected] conf]# curl 192.168.55.110/hello
hello,lua
WAF deployment
1. Download the WAF source:
[[email protected] conf]# cd /usr/local/nginx/conf/
[[email protected] conf]# git clone https://github.com/loveshell/ngx_lua_waf.git
[[email protected] conf]# mv ngx_lua_waf/ waf
2. File descriptions
config.lua # configuration file
init.lua # rule functions
waf.lua # request-handling logic
wafconf/ # directory of regex rule files
wafconf/args # rules that filter GET parameters
wafconf/url # rules applied only to the URL of GET requests
wafconf/post # rules applied only to POST requests
wafconf/whitelist # whitelist; URLs matching these rules are not filtered
wafconf/user-agent # filtering rules for the User-Agent header
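As an added illustration (not ngx_lua_waf's own code), the following Lua sketches how rule files laid out like these drive matching in the access phase: each file is read as one PCRE pattern per line, the whitelist is consulted first, and then the URL, query arguments, User-Agent and POST body are checked in that order. RulePath and the file names come from config.lua; the function names and the plain 403 response are assumptions made for the example.

```lua
-- Added illustrative example, not ngx_lua_waf's own code. Assumes RulePath and the
-- wafconf/ file names from config.lua; function names are hypothetical.
local RulePath = "/usr/local/nginx/conf/waf/wafconf/"

-- Read one rule file: every non-empty line is a PCRE pattern.
local function read_rules(name)
    local rules = {}
    local f = io.open(RulePath .. name, "r")
    if not f then
        return rules            -- a missing file means "no rules", not an error
    end
    for line in f:lines() do
        if line ~= "" then
            rules[#rules + 1] = line
        end
    end
    f:close()
    return rules
end

-- Loaded once at init time (init_by_lua_file), not on every request.
local rules = {
    url       = read_rules("url"),
    args      = read_rules("args"),
    post      = read_rules("post"),
    ua        = read_rules("user-agent"),
    whitelist = read_rules("whitelist"),
}

-- Return the first rule that matches the subject, or nil.
-- "isjo": case-insensitive, dot matches newline, PCRE JIT, regex compile cache.
local function first_match(subject, ruleset)
    for _, rule in ipairs(ruleset) do
        if ngx.re.find(subject, rule, "isjo") then
            return rule
        end
    end
    return nil
end

-- Deny with 403 and log which rule fired; the real module returns the html
-- text from config.lua instead.
local function deny(rule, what)
    ngx.log(ngx.WARN, "waf hit (", what, "): ", rule)
    ngx.exit(ngx.HTTP_FORBIDDEN)
end

-- Access-phase check (access_by_lua_file). The whitelist wins over everything.
local function check_request()
    local uri = ngx.unescape_uri(ngx.var.request_uri or "")
    if first_match(uri, rules.whitelist) then
        return                  -- whitelisted URL: no filtering at all
    end

    local hit = first_match(uri, rules.url)
    if hit then return deny(hit, "url") end

    -- Query arguments: a value is a string, a table (repeated key) or true (no value).
    for _, val in pairs(ngx.req.get_uri_args()) do
        if type(val) == "table" then
            val = table.concat(val, " ")
        end
        if type(val) == "string" then
            hit = first_match(ngx.unescape_uri(val), rules.args)
            if hit then return deny(hit, "args") end
        end
    end

    hit = first_match(ngx.var.http_user_agent or "", rules.ua)
    if hit then return deny(hit, "user-agent") end

    if ngx.req.get_method() == "POST" then
        ngx.req.read_body()     -- the body is not read by default in the access phase
        local body = ngx.req.get_body_data()
        if body then            -- nil when the body was buffered to a temp file
            hit = first_match(ngx.unescape_uri(body), rules.post)
            if hit then return deny(hit, "post") end
        end
    end
end

check_request()
```

Two points worth checking in any deployment of this pattern: the whitelist short-circuits every other check, so a loose whitelist pattern silently disables the WAF for matching URLs, and `ngx.req.get_body_data()` returns nil for bodies that exceed `client_body_buffer_size`, so large POST bodies are not inspected unless the temp file is read as well.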
3. config.lua annotated:
RulePath = "/usr/local/nginx/conf/waf/wafconf/"
--directory holding the rule files
attacklog = "off"
--whether to log attack details; requires logdir to be configured
logdir = "/usr/local/nginx/logs/hack/"
--log directory; must be created by the user and must be writable by the nginx user
UrlDeny="on"
--whether to block URL-based attacks
Redirect="on"
--whether to redirect after blocking
CookieMatch = "on"
--whether to block cookie-based attacks
postMatch = "on"
--whether to block POST-based attacks
whiteModule = "on"
--whether to enable the URL whitelist
black_fileExt={"php","jsp"}
--file extensions that may not be uploaded
ipWhitelist={"127.0.0.1"}
--IP whitelist; separate multiple IPs with commas
ipBlocklist={"1.0.0.1"}
--IP blacklist; separate multiple IPs with commas
CCDeny="on"
--whether to block CC attacks (requires lua_shared_dict limit 10m; in the http block of nginx.conf)
CCrate = "100/60"
--CC attack rate limit, in requests per seconds.
--Default: the same IP may request the same address at most 100 times per minute
html=[[Please go away~~]]
--warning text; customise it inside the double square brackets
Note: do not alter the double quotes; values are case-sensitive
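As an added example (not ngx_lua_waf's own code), this Lua shows what the CCDeny/CCrate settings above amount to when implemented on the lua_shared_dict named "limit" that the comment requires: a per-(client IP, URI) counter that expires after the window length, so "100/60" means at most 100 requests to one address from one IP per 60-second window. The parsing of CCrate and the function names are assumptions made for the example.

```lua
-- Added illustrative example, not ngx_lua_waf's own code: a CC limiter driven by
-- CCrate = "100/60" and the shared dict declared with "lua_shared_dict limit 10m;".
-- Function names are hypothetical.
local CCrate = "100/60"            -- from config.lua: 100 requests per 60 seconds
local limit  = ngx.shared.limit    -- the dict named in the CCDeny comment

-- Parse "count/seconds" once at load time rather than on every request.
local function parse_ccrate(rate)
    local count, seconds = rate:match("^(%d+)/(%d+)$")
    assert(count and seconds, "CCrate must look like 'count/seconds'")
    return tonumber(count), tonumber(seconds)
end
local cc_count, cc_seconds = parse_ccrate(CCrate)

-- The counter key is client IP .. URI, so the limit is "same IP, same address".
-- Returns true once the client has exceeded the configured rate.
local function cc_exceeded(client_ip, uri)
    local key = client_ip .. uri
    local current = limit:get(key)
    if current == nil then
        -- first request in a window: start a counter that expires after cc_seconds
        limit:set(key, 1, cc_seconds)
        return false
    end
    if current >= cc_count then
        return true
    end
    limit:incr(key, 1)             -- keeps the original expiry of the key
    return false
end

-- Access phase: answer 503 when the rate is exceeded, otherwise let the request through.
if cc_exceeded(ngx.var.remote_addr, ngx.var.uri) then
    ngx.exit(ngx.HTTP_SERVICE_UNAVAILABLE)
end
```

Two properties of this scheme matter operationally: the window is fixed rather than sliding, so a client can send up to twice the limit across a window boundary, and `ngx.var.remote_addr` is the direct peer, so behind a load balancer every client shares the balancer's address and one noisy client can get the whole site rate-limited unless the real client IP is taken from a trusted forwarded header.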
4. Modify the Nginx configuration to reference the WAF [add these lines to the http block]
lua_shared_dict limit 50m;
lua_package_path "/usr/local/nginx/conf/waf/?.lua";
init_by_lua_file "/usr/local/nginx/conf/waf/init.lua";
access_by_lua_file "/usr/local/nginx/conf/waf/waf.lua";
5. Full configuration:
[[email protected] conf]# cat nginx.conf
worker_processes auto;
events {
    worker_connections 1024;
}
http {
    include mime.types;
    default_type application/octet-stream;
    sendfile on;
    keepalive_timeout 65;
    lua_shared_dict limit 50m;
    lua_package_path "/usr/local/nginx/conf/waf/?.lua";
    init_by_lua_file "/usr/local/nginx/conf/waf/init.lua";
    access_by_lua_file "/usr/local/nginx/conf/waf/waf.lua";
    server {
        listen 80;
        server_name localhost;
        location / {
            root html;
            index index.html index.htm;
        }
        location /hello {
            default_type 'text/plain';
            content_by_lua 'ngx.say("hello,lua")';
        }
        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
            root html;
        }
    }
}
6. Create the log directory and give the www user ownership of it:
[[email protected] conf]# mkdir /usr/local/nginx/logs/hack/
[[email protected] conf]# chown www.www /usr/local/nginx/logs/hack/
7. Check the configuration, reload Nginx and test:
[[email protected] conf]# /usr/local/nginx/sbin/nginx -t
[[email protected] conf]# /usr/local/nginx/sbin/nginx -s reload
8. Test whether the request is blocked:
http://192.168.55.110/hello?id=../etc/passwd
9. Simulate a CC attack with ab:
[[email protected] waf]# ab -c 100 -n 1200 http://192.168.55.110/hello
A WAF with a web UI, VeryNginx: https://github.com/alexazhou/VeryNginx