CentOS7下Nginx使用ModSecurity進行WAF防禦

CentOS7下Nginx使用ModSecurity進行WAF防禦

環境：CentOS7，當前yum源中Nginx最新版本1.12.2。ModSecurity爲v3.本文適用於nginx反代Tomcat，或者nginx和php的環境，一切nginx能夠反向代理的環境理論上都適合。

1 安裝nginx

yum install nginx -y
yum update nginx
yum info nginx

2 安裝編譯依賴環境

yum install autoconf automake bzip2 flex gcc git httpd-devel libaio-devel libass-devel libjpeg-turbo-devel libpng12-devel libtheora-devel libtool libva-devel libvdpau-devel libvorbis-devel libxml2-devel libxslt-devel perl texi2html unzip zip openssl openssl-devel geoip geoip-devel

yum install -y gcc make automake autoconf libtool
yum install -y pcre pcre-devel libxml2 libxml2-devel curl curl-devel httpd-devel

4 編譯ModSecurity lib

git clone https://github.com/SpiderLabs/ModSecurity
cd ModSecurity
git checkout -b v3/master origin/v3/master
sh build.sh
git submodule init
git submodule update
./configure
make && make install

輸入路徑爲：/usr/local/modsecurity/lib

5 編譯ModSecurity-Nginx[須要nginx源碼]

git clone https://github.com/SpiderLabs/ModSecurity-nginx.git
wget http://nginx.org/download/nginx-1.12.2.tar.gz

解壓nginx: tar zxvf nginx-1.12.2.tar.gz
查看nginx參數： nginx -V CentOS7源中nginx的輸出爲，複製configure arguments後面的參數備用

cd nginx-1.12.2 開始編譯，注意add-dynamic-module前面是兩個橫線

./configure –prefix=/usr/share/nginx –sbin-path=/usr/sbin/nginx –modules-path=/usr/lib64/nginx/modules –conf-path=/etc/nginx/nginx.conf –error-log-path=/var/log/nginx/error.log –http-log-path=/var/log/nginx/access.log –http-client-body-temp-path=/var/lib/nginx/tmp/client_body –http-proxy-temp-path=/var/lib/nginx/tmp/proxy –http-fastcgi-temp-path=/var/lib/nginx/tmp/fastcgi –http-uwsgi-temp-path=/var/lib/nginx/tmp/uwsgi –http-scgi-temp-path=/var/lib/nginx/tmp/scgi –pid-path=/run/nginx.pid –lock-path=/run/lock/subsys/nginx –user=nginx –group=nginx –with-file-aio –with-ipv6 –with-http_auth_request_module –with-http_ssl_module –with-http_v2_module –with-http_realip_module –with-http_addition_module –with-http_xslt_module=dynamic –with-http_image_filter_module=dynamic –with-http_geoip_module=dynamic –with-http_sub_module –with-http_dav_module –with-http_flv_module –with-http_mp4_module –with-http_gunzip_module –with-http_gzip_static_module –with-http_random_index_module –with-http_secure_link_module –with-http_degradation_module –with-http_slice_module –with-http_stub_status_module –with-http_perl_module=dynamic –with-mail=dynamic –with-mail_ssl_module –with-pcre –with-pcre-jit –with-stream=dynamic –with-stream_ssl_module –with-google_perftools_module –with-debug –with-cc-opt='-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong –param=ssp-buffer-size=4 -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -m64 -mtune=generic' –with-ld-opt='-Wl,-z,relro -specs=/usr/lib/rpm/redhat/redhat-hardened-ld -Wl,-E' --add-dynamic-module=../ModSecurity-nginx

make modules
編譯完成的so文件在: ./objs/ngx_http_modsecurity_module.so

6 下載默認的配置文件

• 下載ModSecurity配置文件:

mkdir modsec
cd modsec
wget https://raw.githubusercontent.com/SpiderLabs/ModSecurity/v3/master/modsecurity.conf-recommended
mv modsecurity.conf-recommended /etc/nginx/modsecurity.conf

打開此文件，設置啓用waf設置，修改
SecRuleEngine DetectionOnly 爲 SecRuleEngine On

• 配置WAF核心規則:

git clone https://github.com/SpiderLabs/owasp-modsecurity-crs.git
cd owasp-modsecurity-crs/
cp -R rules/ /etc/nginx/conf/
cp crs-setup.conf.example /etc/nginx/crs-setup.conf

設置啓用這些規則:
vim /etc/nginx/modsecurity.conf

增長如下幾行:
#加載規則配置文件
Include crs-setup.conf
#加載全部規則
Include rules/*.conf
#禁用某個規則方法
#SecRuleRemoveById 911250

• 配置nginx啓用so連接庫

複製連接庫
cp ./nginx-1.12.2/objs/ngx_http_modsecurity_module.so /usr/share/nginx/modules/
修改配置文件
vim /etc/nginx/nginx.conf
增長下面一行
load_module /usr/share/nginx/modules/ngx_http_modsecurity_module.so
修改主機定義，或者虛擬主機定義文件
load_module /usr/share/nginx/modules/ngx_http_modsecurity_module.so;
http {
    server {
        #針對全局啓用
         modsecurity on;
        modsecurity_rules_file /etc/nginx/modsecurity.conf;
        location / {
            #若是須要針對單個應用啓用，編輯這裏
        }
    }
}

7 重啓nginx

service nginx restart

tailf /var/log/modsec_audit.log