OpenResty又被称为ngx_openresty,是基于Nginx的核心Web应用程序服务器。OpenResty是基于Nginx和Lua的高性能Web平台,OpenResty通过汇聚各种设计精良的Nginx模块,从而将Nginx有效地变成一个强大的通用Web应用平台。
OpenResty同样也支持开源的WAF组件:通过Nginx与Lua的结合,可以用简单的配置实现WAF功能并抵御CC攻击。
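#!/usr/bin/env bash
# Build OpenResty from source and install it under "$prefix".
# Must run with rights to `yum install` and to write to "$prefix" and /usr/local/src.
set -euo pipefail

# Version and install prefix are defined once so the download, extract and
# configure steps cannot drift apart.
# NOTE(review): installing under /root means the nginx worker processes, which
# run as an unprivileged user, cannot read the Lua/WAF files below /root (0700);
# a prefix such as /usr/local/openresty avoids the "Permission denied" error
# shown later on this page without loosening /root or running workers as root.
version=1.19.9.1
prefix=/root/openresty/application
tarball="openresty-${version}.tar.gz"

# 1. Build dependencies.
yum -y install gcc make pcre pcre-devel zlib zlib-devel openssl-devel

# 2. Download and extract OpenResty.
cd /usr/local/src
wget "https://openresty.org/download/${tarball}"
# Supply-chain check: never build code pulled over the network unverified.
# OPENRESTY_SHA256 must hold a checksum obtained out of band; if a detached
# signature is available next to the tarball, `gpg --verify` is the stronger check.
: "${OPENRESTY_SHA256:?set to the sha256 of ${tarball}, verified out of band}"
printf '%s  %s\n' "$OPENRESTY_SHA256" "$tarball" | sha256sum -c -
tar zxf "$tarball"

# 3. Configure, build and install.
# The original page ran ./configure from /usr/local/src, where no configure
# script exists; it lives in the extracted directory, so change into it first.
cd "openresty-${version}"
./configure --prefix="$prefix" --with-http_stub_status_module --with-file-aio --with-threads --with-stream
# Use gmake instead of make on systems where GNU make is installed under that name.
make -j "$(nproc)"
make install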
# 4、部署lua程序写的waf
# git clone https://github.com/unixhot/waf.git
# cp -r ./waf/waf /root/openresty/application/nginx/conf/
# vim /root/openresty/application/nginx/conf/nginx.conf
#在http{}中增加,注意路径要与编译时的--prefix一致;WAF日志默认存放在/tmp/日期_waf.log,/tmp对所有用户可写且文件名可预测,生产环境建议修改WAF的日志目录配置(config.lua),改为仅nginx worker用户可写的专用目录
# WAF
# Upstream (unixhot/waf README) snippet, written for the default prefix
# /usr/local/openresty; with --prefix=/root/openresty/application the four
# paths below must be changed to match (see the adapted block under step 5).
lua_shared_dict limit 50m;
# NOTE(review): this lua_package_path replaces OpenResty's default Lua search
# path instead of extending it; appending ";;" (".../waf/?.lua;;") keeps the
# defaults so resty.core is still found without the lualib/resty symlink.
lua_package_path "/usr/local/openresty/nginx/conf/waf/?.lua";
init_by_lua_file "/usr/local/openresty/nginx/conf/waf/init.lua";
access_by_lua_file "/usr/local/openresty/nginx/conf/waf/access.lua";
# ln -s /usr/local/openresty/lualib/resty/ /usr/local/openresty/nginx/conf/waf/resty
# /root/openresty/application/nginx/sbin/nginx -t
# /root/openresty/application/nginx/sbin/nginx -s reload
# 5、修改配置
在nginx.conf文件的http标签中增加配置
# 增加WAF配置(路径需与编译时的--prefix一致)
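# WAF wiring for the unixhot/waf Lua module; every path must match the --prefix used at build time.
# Left commented out: recent OpenResty always loads resty.core, so this directive is not needed here
# (TODO confirm against the ngx_lua version bundled with 1.19.9.1 before re-enabling).
# lua_load_resty_core off;
# 50 MB shared-memory zone named "limit"; presumably used by the WAF's request-rate (CC) limiting — verify in waf/config.lua.
lua_shared_dict limit 50m;
# The trailing ";;" keeps OpenResty's default Lua search paths ($prefix/lualib etc.).
# Without it the WAF directory *replaces* the defaults and resty.core cannot be found
# (the "failed to load the 'resty.core' module" error shown on this page), which the
# lualib/resty symlink workaround only papers over.
lua_package_path "/root/openresty/application/nginx/conf/waf/?.lua;;";
# init.lua runs once when the configuration is loaded; access.lua runs per request in the access phase.
init_by_lua_file "/root/openresty/application/nginx/conf/waf/init.lua";
access_by_lua_file "/root/openresty/application/nginx/conf/waf/access.lua";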
## 启动过程中遇到的问题
[root@linux-node3 core]# nginx
nginx: [alert] failed to load the 'resty.core' module (https://github.com/openresty/lua-resty-core); ensure you are using an OpenResty release from https://openresty.org/en/download.html (reason: module 'resty.core' not found:
no field package.preload['resty.core']
no file '/root/openresty/application/nginx/conf/waf/resty/core.lua'
no file '/root/openresty/application/site/lualib/resty/core.so'
no file '/root/openresty/application/lualib/resty/core.so'
no file '/usr/local/lib/lua/5.1/resty/core.so'
no file '/root/openresty/application/luajit/lib/lua/5.1/resty/core.so'
no file '/usr/local/lib/lua/5.1/loadall.so'
no file '/root/openresty/application/site/lualib/resty.so'
no file '/root/openresty/application/lualib/resty.so'
no file './resty.so'
no file '/usr/local/lib/lua/5.1/resty.so'
no file '/root/openresty/application/luajit/lib/lua/5.1/resty.so'
no file '/usr/local/lib/lua/5.1/loadall.so') in /root/openresty/application/nginx/conf/nginx.conf:134
# 解决办法:创建软链接,让只指向waf目录的lua_package_path仍能找到$prefix/lualib/resty。下面两条按实际--prefix二选一(本文安装在/root/openresty/application,用第二条);更干净的做法是在lua_package_path末尾加上`;;`以保留OpenResty默认搜索路径,这样就不需要软链接。
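# Workaround for "module 'resty.core' not found": expose $prefix/lualib/resty
# inside the WAF directory so a lua_package_path that names only the WAF
# directory can still resolve resty.core. Set prefix to the --prefix used at
# build time (this page installs to /root/openresty/application; the upstream
# default is /usr/local/openresty). Appending ";;" to lua_package_path keeps
# OpenResty's default search path and makes this symlink unnecessary.
prefix=${prefix:-/root/openresty/application}
link="${prefix}/nginx/conf/waf/resty"
# Do not clobber an existing waf/resty entry; only create the link when absent.
[[ -e "$link" ]] || ln -s "${prefix}/lualib/resty/" "$link"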
## 在Nginx文件中增加了lua扩展模块,启动时遇到的问题
2021/09/01 09:06:12 [error] 59260#59260: *3 failed to load external Lua file "/root/openresty/application/nginx/conf/waf/access.lua": cannot open /root/openres
ty/application/nginx/conf/waf/access.lua: Permission denied, client: 192.168.56.1, server: localhost, request: "GET /hello HTTP/1.1", host: "192.168.56.7"
2021/09/01 09:11:20 [error] 61312#61312: *1 lua entry thread aborted: runtime error: /root/openresty/application/nginx/conf/waf/init.lua:152: bad argument #1 t
o 'pairs' (table expected, got nil)
stack traceback:
coroutine 0:
[C]: in function 'pairs'
/root/openresty/application/nginx/conf/waf/init.lua:152: in function 'user_agent_attack_check'
/root/openresty/application/nginx/conf/waf/access.lua:6: in function 'waf_main'
/root/openresty/application/nginx/conf/waf/access.lua:18: in main chunk, client: 192.168.56.1, server: localhost, request: "GET /hello HTTP/1.1", host:
"192.168.56.7"
# 解决办法:第一个错误(Permission denied)通常是因为nginx worker进程以非root用户(默认nobody)运行,无法读取权限为0700的/root目录下的文件;正确做法是把OpenResty安装到worker用户可读的目录(如/usr/local/openresty)或把waf目录移到这样的位置,而不要放宽/root的权限或让worker以root运行。第二个错误(pairs得到nil)是规则目录路径不对,修改/waf/config.lua文件中的规则文件夹参数
-- Rule directory. init.lua presumably reads the rule files from here and
-- iterates over them with pairs(); when the path does not exist on this
-- install, that is the "bad argument #1 to 'pairs' (table expected, got nil)"
-- error shown above. Must match the --prefix used at build time.
config_rule_dir = "/root/openresty/application/nginx/conf/waf/rule-config"
#6、 测试结果
[root@linux-node3 logs]# curl http://192.168.56.7/hello
This is a test html!!!
[root@linux-node3 logs]# curl http://192.168.56.7/hello -A 'sqlmap' # 伪造sqlmap的User-Agent,验证UA黑名单规则生效;上线前还应用带SQL注入/XSS特征的请求参数验证其余规则
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta http-equiv="Content-Language" content="zh-cn" />
<title>OpsAny|Web应用防火墙</title>
</head>
<body>
<h1 align="center"> 欢迎白帽子进行授权安全测试,安全漏洞请联系QQ:57459267
</body>
</html>
鸣谢:https://www.unixhot.com/ 赵班长