1. Check the current OpenResty version
[root@localhost luacache]# /usr/local/openresty/bin/openresty -V
nginx version: openresty/1.15.8.2
built by gcc 8.2.1 20180905 (Red Hat 8.2.1-3) (GCC)
built with OpenSSL 1.1.0k 28 May 2019
TLS SNI support enabled
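Note: 刘宏缔的架构森林 (Liu Hongdi's Architecture Forest) is a blog focused on architecture, at https://www.cnblogs.com/architectforest
The corresponding source code is available at https://github.com/liuhongdi/
Note: author: Liu Hongdi (刘宏缔), email: 371125307@qq.com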
2. Download the WAF
[root@localhost ~]# cd /usr/local/source/
[root@localhost source]# git clone https://github.com/unixhot/waf.git
正克隆到 'waf'...
remote: Enumerating objects: 89, done.
remote: Total 89 (delta 0), reused 0 (delta 0), pack-reused 89
展开对象中: 100% (89/89), 完成.
3. Copy the WAF code into the OpenResty directory
[root@localhost source]# cd waf
[root@localhost waf]# cp -axv waf /usr/local/openresty/nginx/conf/
4. Configure nginx.conf so that the WAF takes effect
Add the following directives to nginx.conf, inside the http block, at the same level as the server blocks:
lua_shared_dict limit 50m;
lua_package_path "/usr/local/openresty/nginx/conf/waf/?.lua;/usr/local/nginx/lua/lua-resty-redis/lib/?.lua;;";
init_by_lua_file "/usr/local/openresty/nginx/conf/waf/init.lua";
access_by_lua_file "/usr/local/openresty/nginx/conf/waf/access.lua";
Note:
If you do not need Redis access, you can remove the trailing entry /usr/local/nginx/lua/lua-resty-redis/lib/?.lua; from the lua_package_path value.
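5. Create the WAF log directory
[root@localhost logs]# mkdir /data/logs
[root@localhost logs]# mkdir /data/logs/waflogs
[root@localhost logs]# chmod 777 /data/logs/waflogs
The WAF writes its log from the nginx worker processes, so the directory has to be writable by the user the workers run as. Mode 777 achieves that; giving that user ownership of the directory is a narrower alternative.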
6. Set the WAF log directory
Edit config.lua and set the log directory:
config_log_dir = "/data/logs/waflogs"
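A preflight check for steps 4 to 6, worth running before the restart in the next step. This is an added example, not code from the original post or from the unixhot/waf project; the function name check_waf_setup is hypothetical, and the nginx.conf path in the usage comment assumes the default OpenResty layout.

```shell
#!/bin/sh
# Added example: verify the WAF wiring from steps 4-6 before restarting.
# Usage: check_waf_setup NGINX_CONF WAF_DIR
# Prints one line per problem; returns 0 when none are found, 1 otherwise.
# e.g. (assumed default conf path):
#   check_waf_setup /usr/local/openresty/nginx/conf/nginx.conf \
#                   /usr/local/openresty/nginx/conf/waf
check_waf_setup() (
    conf=$1; waf_dir=$2; problems=0
    fail() { echo "PROBLEM: $*"; problems=$((problems + 1)); }

    # Step 4: all four directives must be present and not commented out.
    for d in lua_shared_dict lua_package_path init_by_lua_file access_by_lua_file; do
        grep -Eq "^[[:space:]]*$d[[:space:]]" "$conf" || fail "directive missing: $d"
    done

    # lua_package_path must cover the WAF directory, or require() calls fail.
    grep -E '^[[:space:]]*lua_package_path[[:space:]]' "$conf" \
        | grep -Fq "$waf_dir/?.lua" || fail "lua_package_path lacks $waf_dir/?.lua"

    # The init/access scripts named in nginx.conf must exist on disk.
    for f in $(sed -nE 's/^[[:space:]]*(init|access)_by_lua_file[[:space:]]+"?([^";]+)"?;.*/\2/p' "$conf"); do
        [ -f "$f" ] || fail "lua file not found: $f"
    done

    # Steps 5-6: config_log_dir in config.lua must name an existing directory.
    log_dir=$(sed -nE 's/^[[:space:]]*config_log_dir[[:space:]]*=[[:space:]]*"([^"]*)".*/\1/p' \
        "$waf_dir/config.lua" 2>/dev/null) || true
    if [ -z "$log_dir" ]; then
        fail "config_log_dir not set in $waf_dir/config.lua"
    elif [ ! -d "$log_dir" ]; then
        fail "log directory does not exist: $log_dir"
    fi

    [ "$problems" -eq 0 ]
)
```

Once this reports no problems, `/usr/local/openresty/bin/openresty -t` checks the syntax of the configuration itself.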
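7. Restart OpenResty, then test the effect
Note: the rule files under /usr/local/openresty/nginx/conf/waf/rule-config/ contain the regular expressions used for filtering:
To see the protection in action, send requests with security-sensitive parameters: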