  • Installing nginx + ngx_lua for WAF protection

    The nginx Lua module is a third-party nginx module developed at Taobao. It embeds the Lua language into the nginx configuration, and driving nginx from Lua greatly extends what nginx can do. nginx is known for high concurrency and Lua scripts are lightweight, so the two make an excellent combination.

    Uses: blocking SQL injection, local file inclusion, some overflows, fuzzing, XSS, SSRF and other web attacks

    Preventing leakage of svn/backup-type files

    Blocking load-testing tools such as ApacheBench

    Blocking common scanners and hacking tools

    Blocking abnormal network requests

    Blocking PHP execution in image/attachment directories

    Preventing webshell uploads

    System: CentOS 6.4_x64

    Required software: LuaJIT-2.0.3.tar.gz

    tengine-2.1.0.tar.gz (nginx)

    ngx_devel_kit-master.zip (ngx_devel_kit)

    lua-nginx-module-master.zip (nginx_lua module)

    ngx_lua_waf-master.zip (WAF rules, web application firewall)

    yum -y install gcc gcc-c++ ncurses-devel libxml2-devel openssl-devel curl-devel libjpeg-devel libpng-devel autoconf pcre-devel libtool-libs freetype-devel gd zlib-devel zip unzip wget crontabs iptables file bison cmake patch mlocate flex diffutils automake make readline-devel glibc-devel glibc-static glib2-devel bzip2-devel gettext-devel libcap-devel logrotate ntp libmcrypt-devel GeoIP*

    Install LuaJIT 2.0

    tar zxf LuaJIT-2.0.0.tar.gz

    cd LuaJIT-2.0.0

    make && make install

    Note: the lib and include files are installed directly into /usr/local/lib and /usr/local/include

    Now set the environment variables (these are used later when compiling nginx):

    vi /etc/profile

    export LUAJIT_LIB=/usr/local/lib

    export LUAJIT_INC=/usr/local/include/luajit-2.0

    export LD_LIBRARY_PATH=/usr/local/lib/:$LD_LIBRARY_PATH

    source /etc/profile

    Install nginx

    tar zxvf tengine-2.1.0.tar.gz

    cd tengine-2.1.0

    ./configure --user=www --group=www --prefix=/usr/local/webserver/nginx --with-http_stub_status_module --with-pcre=/root/lnmp/pcre-8.20 --with-google_perftools_module --with-http_realip_module --with-poll_module --with-select_module --with-http_realip_module --with-http_addition_module --with-http_xslt_module --with-http_image_filter_module --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_slice_module --with-http_mp4_module --with-http_gzip_static_module --with-http_concat_module --with-http_random_index_module --with-http_secure_link_module --with-http_degradation_module --with-http_sysguard_module --with-http_browser_module=shared --with-http_user_agent_module=shared --with-http_upstream_ip_hash_module=shared --with-http_upstream_least_conn_module=shared --with-http_upstream_session_sticky_module=shared --with-http_addition_module=shared --with-http_xslt_module=shared --with-http_image_filter_module=shared --with-http_sub_module=shared --with-http_flv_module=shared --with-http_slice_module=shared --with-http_mp4_module=shared --with-http_concat_module=shared --with-http_random_index_module=shared --with-http_secure_link_module=shared --with-http_sysguard_module=shared --with-http_charset_filter_module=shared --with-http_userid_filter_module=shared --with-http_footer_filter_module=shared --with-http_trim_filter_module=shared --with-http_access_module=shared --with-http_autoindex_module=shared --with-http_map_module=shared --with-http_split_clients_module=shared --with-http_referer_module=shared --with-http_uwsgi_module=shared --with-http_scgi_module=shared --with-http_memcached_module=shared --with-http_limit_conn_module=shared --with-http_limit_req_module=shared --with-http_empty_gif_module=shared

    make && make install

    If the error "error while loading shared libraries: libluajit-5.1.so.2: cannot open shared object file: No such file or directory" appears, run:

    ln -s /usr/local/lib/libluajit-5.1.so.2 /lib64/libluajit-5.1.so.2

    Then create the following directories

    mkdir -p /data/logs/{client_body,hack}

    chown -R www:www /data

    chmod -R 755 /data

    Unzip ngx_lua_waf-master.zip

    unzip ngx_lua_waf-master.zip

    mv ngx_lua_waf-master/* /usr/local/webserver/nginx/conf/

    vi /usr/local/webserver/nginx/conf/config.lua

    RulePath = <path to the waf rules> --directory where the rules are stored

    logdir = <log directory> --directory for log storage; the user must create it themselves and it must be writable by the nginx user

    attacklog = "off" --whether to log attack details; requires logdir to be configured

    UrlDeny="on" --whether to block URL attacks

    Redirect="on" --whether to redirect after blocking

    CookieMatch = "on" --whether to block cookie attacks

    postMatch = "on" --whether to block POST attacks

    whiteModule = "on" --whether to enable the URL whitelist

    ipWhitelist={"127.0.0.1"} --IP whitelist; separate multiple IPs with commas

    ipBlocklist={"1.0.0.1"} --IP blacklist; separate multiple IPs with commas

    CCDeny="on" --whether to block CC (HTTP flood) attacks (requires adding lua_shared_dict limit 10m; to the http block of nginx.conf)

    CCrate = "100/60" --CC attack rate limit; the unit is seconds. --by default the same IP may request the same URL only 100 times per minute

    html=[[Please go away~~]] --warning content; customise it inside the square brackets

    Note: do not tamper with the double quotes; names and values are case-sensitive
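    As an added example (not code from the original post or from ngx_lua_waf itself), the standalone Lua sketch below shows how a CCrate of "100/60" can be enforced per client IP and URI with the get/set/incr operations of the shared dict that `lua_shared_dict limit 10m;` declares; the in-memory dict and the fake clock are assumptions so it runs under plain luajit outside nginx. With these settings the first 100 requests in a window pass, the 101st onward is denied, and the counter restarts once the 60-second window has lapsed.

```lua
-- Added example, not ngx_lua_waf's own code: enforcing a CCrate such as "100/60"
-- (N requests per M seconds per client IP + URI) with the get/set/incr API of the
-- shared dict declared by `lua_shared_dict limit 10m;` (stand-ins below, for luajit).
local CCrate = "100/60"   -- same form as in config.lua

local function parse_ccrate(rate)
  local count, seconds = rate:match("^(%d+)/(%d+)$")   -- "count/seconds"
  assert(count and seconds, "CCrate must look like '100/60'")
  return tonumber(count), tonumber(seconds)
end

-- Minimal stand-in for ngx.shared.limit: get, set with TTL, incr.
local function new_dict(clock)
  local store = {}
  local d = {}
  function d:get(k)
    local e = store[k]
    if e and clock() < e.expires then return e.value end
    store[k] = nil   -- expired (or absent): behave like a miss
  end
  function d:set(k, v, ttl) store[k] = { value = v, expires = clock() + ttl } end
  function d:incr(k, n) store[k].value = store[k].value + n; return store[k].value end
  return d
end

-- True when this client+URI pair has used up CCrate inside the current window.
local function cc_exceeded(dict, client_ip, uri, rate)
  local count, seconds = parse_ccrate(rate)
  local token = client_ip .. uri          -- one counter per IP + URI
  local req = dict:get(token)
  if req == nil then
    dict:set(token, 1, seconds)           -- first hit opens a fresh window
    return false
  end
  if req >= count then return true end   -- quota exhausted: deny
  dict:incr(token, 1)
  return false
end

-- Demo with a fake clock; 203.0.113.7 is a constructed documentation address.
local now = 0
local limit = new_dict(function() return now end)
local blocked = 0
for _ = 1, 105 do
  if cc_exceeded(limit, "203.0.113.7", "/test.php", CCrate) then blocked = blocked + 1 end
end
print("denied inside the window:", blocked)
now = 61   -- the 60-second window has lapsed, so the counter restarts
print("denied after the window:", cc_exceeded(limit, "203.0.113.7", "/test.php", CCrate))
```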


    Edit the nginx configuration and add the following inside the http block (remember to use your own paths):

    lua_need_request_body on;

    lua_package_path "/usr/local/webserver/nginx/conf/?.lua";

    lua_shared_dict limit 10m;

    init_by_lua_file /usr/local/webserver/nginx/conf/init.lua;

    access_by_lua_file /usr/local/webserver/nginx/conf/waf.lua;

    limit_req_zone $binary_remote_addr $uri zone=two:3m rate=1r/s;

    limit_req_zone $binary_remote_addr $request_uri zone=thre:3m rate=1r/s;

    Then start nginx.

    To test, create a test.php file containing the text "test" and request it with curl. This assumes nginx already has a virtual host configured; setting up the virtual host is not covered here.


    curl http://localhost/test.php?id=../etc/passwd


    Returned content: test
    Because 127.0.0.1 is in the IP whitelist, the page content is visible.


    curl http://blog.slogra.com/test.php?id=../etc/passwd


    Returned content:
    Because the domain address is not whitelisted, the page content is not shown, which confirms the WAF is in effect.


  • Original article: https://www.cnblogs.com/xull0651/p/7473060.html