Implementing a WAF with Nginx + Lua

Technical content from: https://github.com/loveshell/ngx_lua_waf

Package requirements:
1. Nginx compatibility [last tested with 1.13.6]

[root@baolin src]# wget http://nginx.org/download/nginx-1.13.6.tar.gz

2. PCRE is a dependency for compiling and installing Nginx

[root@baolin src]# wget https://jaist.dl.sourceforge.net/project/pcre/pcre/8.42/pcre-8.42.tar.gz

3. Download the LuaJIT interpreter, ngx_devel_kit and the lua-nginx-module module

[root@baolin src]# wget http://luajit.org/download/LuaJIT-2.0.5.tar.gz
[root@baolin src]# wget https://github.com/simplresty/ngx_devel_kit/archive/v0.3.0.tar.gz
[root@baolin src]# wget https://github.com/openresty/lua-nginx-module/archive/v0.10.13.tar.gz

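4. Extract the archives (tar accepts one archive per invocation, so loop over them):

[root@baolin src]# for f in nginx-1.13.6.tar.gz pcre-8.42.tar.gz LuaJIT-2.0.5.tar.gz v0.3.0.tar.gz v0.10.13.tar.gz; do tar xf "$f"; done

5. Install LuaJIT (LuaJIT is the just-in-time compiler for Lua)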

[root@baolin src]# cd LuaJIT-2.0.5/
[root@baolin LuaJIT-2.0.5]# make && make install

6. Add the environment variables

[root@baolin src]# export LUAJIT_LIB=/usr/local/lib
[root@baolin src]# export LUAJIT_INC=/usr/local/include/luajit-2.0

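7. Install Nginx and load the modules [mind the directory locations and versions]

  • --prefix=/usr/local/nginx-1.13.6 # Nginx installation directory
  • --with-pcre=/usr/local/src/pcre-8.42 # directory containing the PCRE source
  • --add-module=../ngx_devel_kit-0.3.0/ # directory containing ngx_devel_kit
  • --add-module=../lua-nginx-module-0.10.13/ # directory containing lua-nginx-module
  • -j2 # number of CPU cores used for compiling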
[root@baolin src]# cd nginx-1.13.6/
[root@baolin nginx-1.13.6]# ./configure --user=www --group=www --prefix=/usr/local/nginx-1.13.6 --with-pcre=/usr/local/src/pcre-8.42 --with-http_stub_status_module --with-http_sub_module --with-http_gzip_static_module --without-mail_pop3_module --without-mail_imap_module --without-mail_smtp_module  --add-module=../ngx_devel_kit-0.3.0/ --add-module=../lua-nginx-module-0.10.13/
[root@baolin nginx-1.13.6]# make -j2 && make install

8. Add the symbolic links

[root@baolin src]# ln -s /usr/local/nginx-1.13.6 /usr/local/nginx
[root@baolin src]# ln -s /usr/local/lib/libluajit-5.1.so.2 /lib64/libluajit-5.1.so.2

Application configuration

1. Test calling Lua: edit nginx.conf and add a /hello location

[root@baolin conf]# vim /usr/local/nginx/conf/nginx.conf
worker_processes  auto;
events {
    worker_connections  1024;
}
http {
    include       mime.types;
    default_type  application/octet-stream;
    sendfile        on;
    keepalive_timeout  65;
    server {
        listen       80;
        server_name  localhost;
        location / {
            root   html;
            index  index.html index.htm;
        }
        location /hello {
                default_type 'text/plain';
                content_by_lua 'ngx.say("hello,lua")';
        }
        error_page   500 502 503 504  /50x.html;
        location = /50x.html {
            root   html;
        }
    }
}

2. Check the syntax and start Nginx

[root@baolin conf]# /usr/local/nginx/sbin/nginx -t
[root@baolin conf]# /usr/local/nginx/sbin/nginx

[root@baolin conf]# curl 192.168.55.110/hello
hello,lua

WAF deployment

1. Download the WAF source code:

[root@baolin conf]# cd /usr/local/nginx/conf/
[root@baolin conf]# git clone https://github.com/loveshell/ngx_lua_waf.git
[root@baolin conf]# mv ngx_lua_waf/ waf

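2. File notes

config.lua     # configuration file
init.lua       # rule functions
waf.lua        # matching logic
# wafconf      # directory of regular-expression match rules
wafconf/args           # rules that filter GET parameters
wafconf/url            # rules applied only to the URL of GET requests
wafconf/post           # rules applied only to POST requests
wafconf/whitelist      # whitelist; URLs matching it are not filtered
wafconf/user-agent     # rules that filter the User-Agent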

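3. config.lua notes:

RulePath = "/usr/local/nginx/conf/waf/wafconf/"
-- directory where the rules are stored
attacklog = "off"
-- whether to record attack information; requires logdir to be configured
logdir = "/usr/local/nginx/logs/hack/"
-- log storage directory; you must create it yourself and it must be writable by the nginx user
UrlDeny="on"
-- whether to block URL access
Redirect="on"
-- whether to redirect after blocking
CookieMatch = "on"
-- whether to block cookie attacks
postMatch = "on"
-- whether to block POST attacks
whiteModule = "on"
-- whether to enable the URL whitelist
black_fileExt={"php","jsp"}
-- file extensions that are not allowed to be uploaded
ipWhitelist={"127.0.0.1"}
-- IP whitelist; separate multiple IPs with commas
ipBlocklist={"1.0.0.1"}
-- IP blacklist; separate multiple IPs with commas
CCDeny="on"
-- whether to block CC attacks (requires adding lua_shared_dict limit 10m; to the http block of nginx.conf)
CCrate = "100/60"
-- CC attack rate; the unit is seconds.
-- By default the same IP may request the same address only 100 times in 1 minute
html=[[Please go away~~]]
-- warning content; customise it inside the brackets
Note: do not disturb the double quotes; the settings are case-sensitive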

4. Modify the Nginx configuration file to reference the WAF [add to the http block]

    lua_shared_dict limit 50m;
    lua_package_path "/usr/local/nginx/conf/waf/?.lua";
    init_by_lua_file "/usr/local/nginx/conf/waf/init.lua";
    access_by_lua_file "/usr/local/nginx/conf/waf/waf.lua";

5. The full file:

[root@baolin conf]# cat nginx.conf
worker_processes  auto;
events {
    worker_connections  1024;
}
http {
    include       mime.types;
    default_type  application/octet-stream;
    sendfile        on;
    keepalive_timeout  65;
    lua_shared_dict limit 50m;
    lua_package_path "/usr/local/nginx/conf/waf/?.lua";
    init_by_lua_file "/usr/local/nginx/conf/waf/init.lua";
    access_by_lua_file "/usr/local/nginx/conf/waf/waf.lua";
    server {
        listen       80;
        server_name  localhost;
        location / {
            root   html;
            index  index.html index.htm;
        }
        location /hello {
                default_type 'text/plain';
                content_by_lua 'ngx.say("hello,lua")';
        }
        error_page   500 502 503 504  /50x.html;
        location = /50x.html {
            root   html;
        }
    }
}

6. Create the log directory and give the www user ownership:

[root@baolin conf]# mkdir /usr/local/nginx/logs/hack/
[root@baolin conf]# chown www:www /usr/local/nginx/logs/hack/

7. Start Nginx and test:

[root@baolin conf]# /usr/local/nginx/sbin/nginx -t
[root@baolin conf]# /usr/local/nginx/sbin/nginx -s reload

8. Test whether the request is blocked:

http://192.168.55.110/hello?id=../etc/passwd

9. Simulate a CC attack with ab:

[root@nq waf]# ab -c 100 -n 1200 http://192.168.55.110/hello
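
What the CCrate = "100/60" setting means for the ab run above, shown as an added example that is not code from ngx_lua_waf or from the original post: a fixed-window counter keyed on client IP plus URI. FakeDict is a hypothetical stand-in for the ngx.shared.limit dictionary so the script runs under plain lua or luajit; the IP address and the function names are constructed.

```lua
-- Added illustration (not ngx_lua_waf's own code): fixed-window limit per IP+URI.
-- FakeDict is a hypothetical stand-in for ngx.shared.limit with a manual clock.
local FakeDict = {}
FakeDict.__index = FakeDict

function FakeDict.new() return setmetatable({ data = {}, now = 0 }, FakeDict) end

function FakeDict:get(key)
    local e = self.data[key]
    if e and e.expires > self.now then return e.value end
    self.data[key] = nil            -- expired or absent
    return nil
end

function FakeDict:set(key, value, ttl)
    self.data[key] = { value = value, expires = self.now + ttl }
end

function FakeDict:incr(key, n)
    local e = self.data[key]
    e.value = e.value + n           -- expiry is left unchanged by an increment
    return e.value
end

-- Parse "100/60" into count=100, seconds=60.
local function parse_rate(rate)
    local count, seconds = rate:match("^(%d+)/(%d+)$")
    assert(count, "CCrate must look like '100/60'")
    return tonumber(count), tonumber(seconds)
end

-- Returns true when the request should be rejected.
local function cc_denied(dict, rate, ip, uri)
    local max, window = parse_rate(rate)
    local key = ip .. uri
    local seen = dict:get(key)
    if not seen then
        dict:set(key, 1, window)    -- first hit opens the window
        return false
    end
    if seen >= max then return true end
    dict:incr(key, 1)
    return false
end

-- Constructed run: 1200 requests from one IP to /hello, as in the ab test.
local dict, blocked = FakeDict.new(), 0
for _ = 1, 1200 do
    if cc_denied(dict, "100/60", "192.0.2.10", "/hello") then blocked = blocked + 1 end
end
print(("allowed=%d blocked=%d"):format(1200 - blocked, blocked))
dict.now = 61                       -- move the clock past the 60-second window
print("denied after window expiry:", cc_denied(dict, "100/60", "192.0.2.10", "/hello"))
```

Because the key includes the URI, the limit applies per address rather than per client overall, which matches the "same IP, same address" wording in the config.lua notes.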

Other

A WAF with a web interface, VeryNginx: https://github.com/alexazhou/VeryNginx

Key points:

# Start the service
/opt/verynginx/openresty/nginx/sbin/nginx

# Stop the service
/opt/verynginx/openresty/nginx/sbin/nginx -s stop

# Restart the service
/opt/verynginx/openresty/nginx/sbin/nginx -s reload

Web password configuration:
/opt/verynginx/verynginx/lua_script/VeryNginxConfig.lua

Nginx configuration file nginx.conf:
/opt/verynginx/openresty/nginx/conf/nginx.conf

Rule configuration:
/opt/verynginx/verynginx/configs/config.json