
    使用Nginx+Lua实现waf

    技术内容来自:https://github.com/loveshell/ngx_lua_waf

    软件包需求:
    1 .Nginx兼容性【最后测试到1.13.6】

    # Nginx source tarball (1.13.6 is the last version this article tested).
    # It is fetched over plain HTTP here, so compare the download with the
    # signature/checksum nginx.org publishes before building from it.
    [root@baolin src]# wget http://nginx.org/download/nginx-1.13.6.tar.gz
    

    2 .PCRE 是编译安装 Nginx 所需的依赖

    # PCRE source; it is not installed, only handed to Nginx's ./configure via
    # --with-pcre in step 7, so the directory it is unpacked into (presumably
    # /usr/local/src/pcre-8.42 here) has to match that option.
    [root@baolin src]# wget https://jaist.dl.sourceforge.net/project/pcre/pcre/8.42/pcre-8.42.tar.gz
    

    3 .下载luajit解释器和ngx_devel_kit以及lua-nginx-module模块

    # LuaJIT (the Lua runtime), ngx_devel_kit and lua-nginx-module. The two
    # GitHub tarballs are named only by tag (v0.3.0, v0.10.13) but unpack to
    # ngx_devel_kit-0.3.0/ and lua-nginx-module-0.10.13/, which are the
    # --add-module paths used in step 7. Verify these downloads as well.
    [root@baolin src]# wget http://luajit.org/download/LuaJIT-2.0.5.tar.gz
    [root@baolin src]# wget https://github.com/simplresty/ngx_devel_kit/archive/v0.3.0.tar.gz
    [root@baolin src]# wget https://github.com/openresty/lua-nginx-module/archive/v0.10.13.tar.gz
    

    4 .文件解压:

    # NOTE(review): "tar xf" takes a single archive; the remaining file names are
    # interpreted as members to extract *from* nginx-1.13.6.tar.gz and fail with
    # "Not found in archive". Run one tar xf per tarball (e.g. a loop over
    # *.tar.gz) so that all five trees exist before steps 5 and 7.
    [root@baolin src]# tar xf nginx-1.13.6.tar.gz pcre-8.42.tar.gz LuaJIT-2.0.5.tar.gz v0.3.0.tar.gz v0.10.13.tar.gz
    

    5 .安装 LuaJIT（LuaJIT 是 Lua 的即时编译器）

    # LuaJIT's default prefix is /usr/local: the shared library lands in
    # /usr/local/lib and the headers in /usr/local/include/luajit-2.0, which are
    # exactly the two paths exported in step 6.
    [root@baolin src]# cd LuaJIT-2.0.5/
    [root@baolin LuaJIT-2.0.5]# make && make install 
    

    6 .添加环境变量

    # lua-nginx-module's build reads these two variables to find LuaJIT. They
    # must be set in the same shell session that later runs ./configure in
    # step 7; an export made in another terminal is not seen.
    [root@baolin src]# export LUAJIT_LIB=/usr/local/lib
    [root@baolin src]# export LUAJIT_INC=/usr/local/include/luajit-2.0
    

    7 .安装Nginx并加载模块【注意目录位置以及版本】

    • --prefix=/usr/local/nginx-1.13.6 # nginx 安装目录
    • --with-pcre=/usr/local/src/pcre-8.42 # pcre 所在目录
    • --add-module=../ngx_devel_kit-0.3.0/ # ngx_devel_kit 所在目录
    • --add-module=../lua-nginx-module-0.10.13/ # lua-nginx-module 所在目录
    • -j2 # 编译时并行使用的 CPU 核数
    # --user/--group set the default unprivileged identity for the worker
    # processes; the www account must exist on the host (the WAF section later
    # chowns the attack-log directory to it). The --add-module paths are
    # relative to this nginx-1.13.6/ directory, so the layout from step 4 is
    # assumed. --with-http_stub_status_module only compiles the module in; no
    # location in this article's nginx.conf exposes stub_status.
    [root@baolin src]# cd nginx-1.13.6/
    [root@baolin nginx-1.13.6]# ./configure --user=www --group=www --prefix=/usr/local/nginx-1.13.6 --with-pcre=/usr/local/src/pcre-8.42 --with-http_stub_status_module --with-http_sub_module --with-http_gzip_static_module --without-mail_pop3_module --without-mail_imap_module --without-mail_smtp_module  --add-module=../ngx_devel_kit-0.3.0/ --add-module=../lua-nginx-module-0.10.13/
    [root@baolin nginx-1.13.6]# make -j2 && make install
    

    8 .添加链接文件

    # /usr/local/nginx -> versioned install dir, so every later path in this
    # article (conf/, sbin/, logs/) stays stable across upgrades.
    # The second link makes libluajit-5.1.so.2 visible to the dynamic loader;
    # adding /usr/local/lib to the loader search path and running ldconfig is
    # the alternative to symlinking into /lib64.
    [root@baolin src]# ln -s /usr/local/nginx-1.13.6 /usr/local/nginx
    [root@baolin src]# ln -s /usr/local/lib/libluajit-5.1.so.2 /lib64/libluajit-5.1.so.2
    

    应用配置

    1 .测试 Lua 调用：编辑 nginx.conf，添加 /hello 路径

    [root@baolin conf]# vim /usr/local/nginx/conf/nginx.conf
    # Minimal test config: apart from the /hello location this is the stock file.
    # There is no "user" directive; the worker identity comes from the
    # --user=www --group=www given to ./configure in step 7.
    worker_processes  auto;
    events {
        worker_connections  1024;
    }
    http {
        include       mime.types;
        default_type  application/octet-stream;
        sendfile        on;
        keepalive_timeout  65;
        server {
            listen       80;
            server_name  localhost;
            location / {
                root   html;
                index  index.html index.htm;
            }
            # Smoke test for the Lua module: inline Lua writes a plain-text body.
            location /hello {
                    default_type 'text/plain';
                    content_by_lua 'ngx.say("hello,lua")';
            }
            error_page   500 502 503 504  /50x.html;
            location = /50x.html {
                root   html;
            }
        }
    }
    

    2 .语法检查并启动

    # -t only parses the config and exits; the second command starts the daemon.
    [root@baolin conf]# /usr/local/nginx/sbin/nginx -t
    [root@baolin conf]# /usr/local/nginx/sbin/nginx
    
    # 192.168.55.110 is the test host used throughout this article; the body
    # is the string written by the /hello location.
    [root@baolin conf]# curl 192.168.55.110/hello
    hello,lua
    

    WAF部署

    1 .下载waf源码:

    # The rule set is cloned at whatever the repository's HEAD is at the time,
    # with no pinned commit; pin a reviewed revision (or vendor the tree) so the
    # rules that end up in production are known. The checkout is renamed to
    # waf/ to match the /usr/local/nginx/conf/waf/ paths used in config.lua and
    # nginx.conf below.
    [root@baolin conf]# cd /usr/local/nginx/conf/
    [root@baolin conf]# git clone https://github.com/loveshell/ngx_lua_waf.git
    [root@baolin conf]# mv ngx_lua_waf/ waf 
    

    2 .文件说明

    config.lua     # 配置文件
    init.lua       # 规则函数
    waf.lua        # 逻辑关系
    wafconf/               # 正则匹配规则所在目录
    wafconf/args           # 对 GET 参数进行过滤的规则
    wafconf/url            # 只对 GET 请求的 URL 进行过滤的规则
    wafconf/post           # 只对 POST 请求进行过滤的规则
    wafconf/whitelist      # 白名单,匹配到其中 url 的请求不做过滤
    wafconf/user-agent     # 是对user-agent的过滤规则
    

    3 .config.lua 注释:

    -- ngx_lua_waf config.lua as used in this article. Switches are the strings
    -- "on"/"off", lists are Lua tables; option names are case-sensitive.
    RulePath = "/usr/local/nginx/conf/waf/wafconf/"
    -- Directory holding the rule files (args, url, post, whitelist, user-agent).
    attacklog = "off"
    -- Whether blocked requests are logged to logdir. It is left "off" here, so
    -- the hack/ directory created in step 6 receives nothing until this is "on".
    logdir = "/usr/local/nginx/logs/hack/"
    -- Log directory; it is not created automatically and must be writable by
    -- the nginx worker user (www in this article, see step 6).
    UrlDeny="on"
    -- Whether URL access is checked and blocked.
    Redirect="on"
    -- Whether to redirect after a request is blocked.
    CookieMatch = "on"
    -- Whether cookie attacks are blocked.
    postMatch = "on" 
    -- Whether POST attacks are blocked.
    whiteModule = "on" 
    -- Whether the URL whitelist is enabled.
    black_fileExt={"php","jsp"}
    -- Upload file extensions that are not allowed.
    ipWhitelist={"127.0.0.1"}
    -- IP whitelist, comma-separated; listed addresses are presumably exempt
    -- from the checks, so keep it to hosts you control.
    ipBlocklist={"1.0.0.1"}
    -- IP blacklist, comma-separated; 1.0.0.1 is only the sample value.
    CCDeny="on"
    -- Whether CC (request-flood) blocking is on. Requires a
    -- "lua_shared_dict limit 10m;" in the http{} section of nginx.conf; the
    -- nginx.conf in step 4 declares it as 50m. The name "limit" is presumably
    -- what the WAF looks up; the size only sets the dict's capacity.
    CCrate = "100/60"
    -- CC threshold as "requests/seconds".
    -- Default: one IP may request the same address 100 times per minute.
    html=[[Please go away~~]]
    -- Warning text returned to blocked requests; edit inside the brackets.
    备注：不要随意改动双引号，配置项名称区分大小写
    

    4 .修改Nginx配置文件引用WAF功能【http段加入】

        # Placed in http{}, so every server and location inherits the WAF.
        # Note that lua_package_path replaces the default search path instead
        # of extending it; append ";;" if other Lua modules must stay findable.
        lua_shared_dict limit 50m;
        lua_package_path "/usr/local/nginx/conf/waf/?.lua";
        init_by_lua_file "/usr/local/nginx/conf/waf/init.lua";
        access_by_lua_file "/usr/local/nginx/conf/waf/waf.lua";
    

    5 .详情:

    [root@baolin conf]# cat nginx.conf
    # Same file as in the earlier test step, plus the four WAF lines in http{}.
    worker_processes  auto;
    events {
        worker_connections  1024;
    }
    http {
        include       mime.types;
        default_type  application/octet-stream;
        sendfile        on;
        keepalive_timeout  65;
        # WAF hooks (step 4). The shared dict "limit" backs the CC rate limit
        # (CCDeny/CCrate in config.lua); init.lua is loaded once at startup and
        # waf.lua runs in the access phase. Both directives sit at http level,
        # so the checks also apply to the /hello location below.
        lua_shared_dict limit 50m;
        lua_package_path "/usr/local/nginx/conf/waf/?.lua";
        init_by_lua_file "/usr/local/nginx/conf/waf/init.lua";
        access_by_lua_file "/usr/local/nginx/conf/waf/waf.lua";
        server {
            listen       80;
            server_name  localhost;
            location / {
                root   html;
                index  index.html index.htm;
            }
            # Test endpoint used by steps 8 and 9.
            location /hello {
                    default_type 'text/plain';
                    content_by_lua 'ngx.say("hello,lua")';
            }
            error_page   500 502 503 504  /50x.html;
            location = /50x.html {
                root   html;
            }
        }
    }
    

    6 .创建日志目录并授予 www 用户写权限:

    # This is config.lua's logdir; the worker (www) writes here only once
    # attacklog is switched to "on", which the config above does not do yet.
    # "www.www" is the old user.group spelling; "www:www" is the portable form.
    [root@baolin conf]# mkdir /usr/local/nginx/logs/hack/
    [root@baolin conf]# chown www.www /usr/local/nginx/logs/hack/
    

    7 .启动Nginx 并测试:

    # Re-check the config, then reload so the running instance picks up the WAF
    # hooks without dropping connections.
    [root@baolin conf]# /usr/local/nginx/sbin/nginx -t
    [root@baolin conf]# /usr/local/nginx/sbin/nginx -s reload 
    

    8 .测试是否阻止请求:

    http://192.168.55.110/hello?id=../etc/passwd
    

    9 .通过ab模仿cc攻击:

    # 1200 requests from a single client to one URL exceed CCrate ("100/60" in
    # config.lua), so with CCDeny "on" the later requests are expected to be
    # rejected; compare ab's failed/non-2xx counts against a run with CCDeny off.
    [root@nq waf]# ab -c 100 -n 1200 http://192.168.55.110/hello
    

    其他

    一个页面版WAF--VeryNginx: https://github.com/alexazhou/VeryNginx

    知识点:

    # Start the service
    /opt/verynginx/openresty/nginx/sbin/nginx
    
    # Stop the service
    /opt/verynginx/openresty/nginx/sbin/nginx -s stop
    
    # Reload the configuration (the article calls this a restart)
    /opt/verynginx/openresty/nginx/sbin/nginx -s reload
    
    Web 管理界面的登录密码配置:
    /opt/verynginx/verynginx/lua_script/VeryNginxConfig.lua
    
    Nginx 配置文件nginx.conf
    /opt/verynginx/openresty/nginx/conf/nginx.conf
    
    规则配置:
    /opt/verynginx/verynginx/configs/config.json
    
  • 原文地址:https://www.cnblogs.com/baolin2200/p/10033173.html