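Operations Security: Security Defense with OpenResty

OpenResty® is a high-performance web platform based on Nginx and Lua. It bundles a large number of well-crafted Lua libraries, third-party modules, and most of their dependencies, and makes it convenient to build dynamic web applications, web services, and dynamic gateways that handle very high concurrency and scale extremely well.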

Installation

Installing OpenResty

  • Install the dependency packages

    $ yum install -y readline-devel pcre-devel openssl-devel gcc
  • Download the latest OpenResty source package

    $ cd /usr/local/src/
    $ wget https://openresty.org/download/openresty-1.15.8.2.tar.gz
  • Compile and install:

    $ tar zxvf openresty-1.15.8.2.tar.gz
    $ cd openresty-1.15.8.2/
    $ ./configure --prefix=/usr/local/openresty --with-luajit --with-http_stub_status_module --with-pcre --with-pcre-jit
    $ gmake && gmake install

    Supplementary note: on the difference between gmake and make

Configuring the WAF rules

  • Download the Lua files containing the WAF rules:

    $ cd /usr/local/src
    $ git clone https://github.com/unixhot/waf.git
    $ cp -a /usr/local/src/waf/waf  /usr/local/openresty/nginx/conf
  • Configure OpenResty: vim /usr/local/openresty/nginx/conf/nginx.conf

    http {
        include       mime.types;
        default_type  application/octet-stream;
        lua_shared_dict limit 50m;
        lua_package_path "/usr/local/openresty/nginx/conf/waf/?.lua";
        init_by_lua_file "/usr/local/openresty/nginx/conf/waf/init.lua";
        access_by_lua_file "/usr/local/openresty/nginx/conf/waf/access.lua";
        # ... rest of the http block (server blocks etc.) unchanged ...
    }
  • Configure the response returned after a request is blocked: vim /usr/local/openresty/nginx/conf/waf/config.lua

    --if config_waf_output ,setting url
    config_waf_redirect_url = "https://www.baidu.com" -- URL returned as the redirect target
    config_output_html=[[
    ...
    ]]
  • Start OpenResty:

    $ /usr/local/openresty/nginx/sbin/nginx -t
    $ /usr/local/openresty/nginx/sbin/nginx
  • Error at startup:

    nginx: [error] lua_load_resty_core failed to load the resty.core module from https://github.com/openresty/lua-resty-core; ensure you are using an OpenResty release from https://openresty.org/en/download.html (rc: 2, reason: module 'resty.core' not found:
    	no field package.preload['resty.core']
    	no file '/usr/local/openresty/nginx/conf/waf/resty/core.lua'
    	no file '/usr/local/openresty/site/lualib/resty/core.so'
    	no file '/usr/local/openresty/lualib/resty/core.so'
    	no file './resty/core.so'
    	no file '/usr/local/lib/lua/5.1/resty/core.so'
    	no file '/usr/local/openresty/luajit/lib/lua/5.1/resty/core.so'
    	no file '/usr/local/lib/lua/5.1/loadall.so'
    	no file '/usr/local/openresty/site/lualib/resty.so'
    	no file '/usr/local/openresty/lualib/resty.so'
    	no file './resty.so'
    	no file '/usr/local/lib/lua/5.1/resty.so'
    	no file '/usr/local/openresty/luajit/lib/lua/5.1/resty.so'
    	no file '/usr/local/lib/lua/5.1/loadall.so')
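  • Fixing the error above: the cause is that the lualib library and the resty module cannot be found. By default lualib is looked up under /usr/local/lib/, but when OpenResty is compiled and installed, the lualib library is placed in /usr/local/openresty/lualib by default.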

    $ ln -s /usr/local/openresty/lualib /usr/local/lib/lua
    $ ln -s /usr/local/openresty/lualib/resty /usr/local/openresty/nginx/conf/waf/resty
  • Startup succeeds:

    $ /usr/local/openresty/nginx/sbin/nginx
    $ netstat -lntp
    Active Internet connections (only servers)
    Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name     
    tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      20273/nginx: master
  • Access the server in a browser. Example: [screenshot]
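
An alternative to the two symlinks in the fix above, shown as an added example that is not from the original post or the waf project. The error listing searches only the WAF directory for `.lua` files, because the `lua_package_path` value set earlier replaces the default search path. lua-nginx-module treats `;;` in that directive as "the original search paths", so appending it keeps OpenResty's own lualib visible.

```nginx
http {
    include       mime.types;
    default_type  application/octet-stream;

    # Shared dictionary declared for the WAF, unchanged from the post.
    lua_shared_dict limit 50m;

    # As in the post: only the WAF directory is searched for .lua files,
    # so resty.core under /usr/local/openresty/lualib is not found.
    # lua_package_path "/usr/local/openresty/nginx/conf/waf/?.lua";

    # Adjusted: the trailing ";;" stands for the default search path, so the
    # WAF modules and OpenResty's bundled libraries are both resolvable.
    lua_package_path "/usr/local/openresty/nginx/conf/waf/?.lua;;";

    init_by_lua_file   "/usr/local/openresty/nginx/conf/waf/init.lua";
    access_by_lua_file "/usr/local/openresty/nginx/conf/waf/access.lua";

    # ... server blocks unchanged ...
}
```

Re-run `/usr/local/openresty/nginx/sbin/nginx -t` after the change. With this setting the WAF configuration directory does not need a `resty` symlink pointing into the OpenResty library tree.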

For details on using the WAF, see the README.
