openwaf实战

# 安装所需依赖
yum install gcc gcc-c++ wget GeoIP-devel git swig make perl perl-ExtUtils-Embed readline-devel zlib-devel -y

# 安装openwaf

cd /opt
git clone https://github.com/titansec/OpenWAF.git
mv /opt/OpenWAF/lib/openresty/ngx_openwaf.conf /etc
mv /opt/OpenWAF/lib/openresty/configure /usr/local/src/openresty-1.13.6.2/ # 这个configure文件要使用openwaf维护者的文件
cp -RP /opt/OpenWAF/lib/openresty/* /usr/local/src/openresty-1.13.6.2/bundle/
cd /opt/OpenWAF
make install

# 编译openresty
cd /usr/local/src/openresty-1.13.6.2
./configure
--prefix=/data/server/openresty-1.13
--with-pcre-jit --with-ipv6
--with-http_v2_module
--with-stream
--with-http_gunzip_module
--with-http_ssl_module
--with-threads --with-file-aio
--with-http_stub_status_module
--with-http_ssl_module
--with-http_realip_module
--with-http_sub_module
--with-http_geoip_module
--with-openssl=/usr/local/src/openssl-1.1.0g
--with-pcre=/usr/local/src/pcre-8.42
--with-zlib=/usr/local/src/zlib-1.2.11
--with-http_gzip_static_module
--with-http_stub_status_module
--with-http_image_filter_module
--with-http_auth_request_module
--with-http_random_index_module
gmake && gmake install

# 接入Openwaf
拥有自己的nginx配置，仅需以下两步即可体验OpenWAF防护

nginx配置修改
在 nginx 的 http 级别添加如下两行：
include /opt/OpenWAF/conf/twaf_main.conf;
include /opt/OpenWAF/conf/twaf_api.conf;
要防护的 server 或 location 级别添加如下一行：
include /opt/OpenWAF/conf/twaf_server.conf;
OpenWAF接入规则修改
修改/opt/OpenWAF/conf/twaf_access_rule.json文件
将"state"值设为false即可

说明：
twaf_default_conf.json # 默认策略，不建议修改
twaf_policy_conf.json # 用户可以自定义的策略文件，该文件里面的策略会合并到 twaf_default_conf.json中(前提是启用接入规则文件：twaf_access_rule.json)
如果启用了接入规则文件：twaf_access_rule.json，twaf_policy_conf.json规则会合并到twaf_default_conf.json中，反之只有twaf_default_conf.json策略文件生效

贴出本文测试的配置文件：

# cat /etc/ngx_openwaf.conf
ngx_openwaf.conf ngx_openwaf.conf.bak ngx_openwaf.conf.ori
[root@nginx32-249 conf]# cat /etc/ngx_openwaf.conf
worker_processes 4;
error_log /data/logs/nginx/error.log;
pid /data/logs/nginx/run/nginx.pid;
# pcre_jit on;

events {
worker_connections 4096;
use epoll;
}

http {
include /opt/OpenWAF/conf/twaf_main.conf;
include /opt/OpenWAF/conf/twaf_api.conf;
port_in_redirect off;

include /data/server/openresty-1.13/nginx/conf/mime.types;
default_type application/octet-stream;
ssi on;
ssi_silent_errors on;

log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';

log_format new_main 'yjall-test-------$server_addr####$remote_addr####$remote_user####[$time_local]####$request_time####$status####$bytes_sent####'
'$request_method####$Scheme://$Host$request_uri####$http_cdn_src_ip####'
'$upstream_http_content_type####$http_referer####"$http_user_agent"####"$http_cookie"####"$request_body"';

access_log /data/logs/nginx/access.log new_main;

gzip on;
gzip_min_length 1k;
gzip_buffers 4 64k;
gzip_http_version 1.1;
gzip_comp_level 2;
gzip_types text/plain application/x-javascript text/css application/xml text/javascript;
gzip_vary on;
fastcgi_intercept_errors on;
proxy_intercept_errors on;

sendfile on;
#tcp_nopush on;

keepalive_timeout 600;
send_timeout 600;

fastcgi_connect_timeout 600;
fastcgi_send_timeout 600;
fastcgi_read_timeout 600;
fastcgi_buffer_size 256k;
fastcgi_buffers 8 256k;
fastcgi_busy_buffers_size 256k;
fastcgi_temp_file_write_size 256k;
client_header_timeout 600; #调大点
client_body_timeout 600; #调大点
client_max_body_size 500m; #主要是这个参数，限制了上传文件大大小
client_body_buffer_size 256k;

proxy_connect_timeout 600;
proxy_send_timeout 600;
proxy_read_timeout 600;

upstream site {
server 10.10.35.190:8080;
}

server {
listen 80;
server_name test.com;

location ~* ^/(.*)$ {
rewrite ^/(.*)$ http://www.test.com/$1 permanent;
}
}

server {
listen 80;
server_name www.test.com;
include /opt/OpenWAF/conf/twaf_server.conf;

location / {
index index.jsp index.html;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header REMOTE-HOST $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
add_header From www.test.com;
proxy_cookie_path /yjall/ /;
proxy_set_header Cookie $http_cookie;
proxy_pass http://site;
}

location ~ /upload/ {
root /data/yjwstatic/JYSWY_UPLOAD;
}
}

server {
listen 443 ssl;
server_name www.test.com;
include /opt/OpenWAF/conf/twaf_server.conf;

ssl_certificate /opt/OpenWAF/conf/ssl/nginx.crt;
ssl_certificate_key /opt/OpenWAF/conf/ssl/nginx.key;
ssl_protocols SSLv2 SSLv3 TLSv1;
# ssl_protocols TLSv1.1 TLSv1.2 TLSv2.0;

location / {
index index.jsp index.html;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header REMOTE-HOST $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
add_header From www.test.com;
proxy_cookie_path /yjall/ /;
proxy_set_header Cookie $http_cookie;
proxy_pass http://site;
}

location ~ /upload/ {
root /data/yjwstatic/JYSWY_UPLOAD;
}

}
}

测试（一个注入攻击）：

http://www.test.com/?name=test AND 1=1

 返回结果：

非法的访问

您的访问已被识别为攻击并记录. 
如有任何意见或建议，请及时与管理员联系 

客户端地址: 192.168.51.242 
访问的URL: http://www.test.com/ 
触发的事件类型: attack.injection.sql.libinjection 
UNIQUE_ID: gcNONWK6a1dkUYPzKAGLZTyPNexcGETXKn 

规则文件目录：

# ll /opt/OpenWAF/lib/twaf/inc/knowledge_db/twrules/
total 36
-rw-r--r-- 1 root root 15884 6月 6 16:24 rules.json
-rw-r--r-- 1 root root 18758 6月 6 16:24 rules.lua

这两个文件有openwaf的所有规则