# Working directory: every source archive below is downloaded and unpacked here
cd /usr/local/src/
# Install the build dependencies: wget, the compilers, and the PCRE, OpenSSL
# and zlib packages with their development headers
yum install \
  wget gcc gcc-c++ \
  pcre pcre-devel \
  openssl openssl-devel \
  zlib zlib-devel
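# Fetch lua-nginx-module (openresty/lua-nginx-module, release 0.10.20)
# This source is compiled into the nginx binary, so compare the archive with a
# checksum obtained from a source you trust (sha256sum v0.10.20.tar.gz) before
# building it.
wget https://github.com/openresty/lua-nginx-module/archive/v0.10.20.tar.gz
tar xf v0.10.20.tar.gz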
# Fetch ngx_devel_kit; it is handed to nginx's configure as an extra module
# together with lua-nginx-module
cd /usr/local/src
ndk_tag=v0.3.1rc1
wget "https://github.com/simplresty/ngx_devel_kit/archive/${ndk_tag}.tar.gz"
tar xf "${ndk_tag}.tar.gz"
# Build and install LuaJIT (openresty/luajit2, tag v2.1-20210510)
luajit_tag=v2.1-20210510
wget "https://codeload.github.com/openresty/luajit2/tar.gz/refs/tags/${luajit_tag}"
# The download is saved under the bare tag name; give it a .tar.gz name
mv "${luajit_tag}" "${luajit_tag}.tar.gz"
tar -zxvf "${luajit_tag}.tar.gz"
cd "luajit2-${luajit_tag#v}/"
make
make install
# Export the LuaJIT library and header locations; LUAJIT_LIB is also used as
# the rpath when nginx is configured later
export LUAJIT_LIB=/usr/local/lib
export LUAJIT_INC=/usr/local/include/luajit-2.1
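# Install lua-resty-core into /usr/local/lua_core
# Return to the source directory first: the LuaJIT build leaves the shell
# inside its own tree, so the archive would otherwise be unpacked there.
cd /usr/local/src
# TLS certificate verification is left on. With --no-check-certificate anyone
# on the network path could substitute the code that gets installed below.
# If verification fails, update the system CA bundle (ca-certificates package)
# instead of disabling the check.
wget https://github.com/openresty/lua-resty-core/archive/refs/tags/v0.1.22.tar.gz
tar -zxvf v0.1.22.tar.gz
cd lua-resty-core-0.1.22
make install PREFIX=/usr/local/lua_core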
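# Install lua-resty-lrucache into the same prefix as lua-resty-core
# Download and unpack in /usr/local/src so that the cd below finds the
# extracted directory regardless of where the previous step left the shell.
cd /usr/local/src
# TLS certificate verification is left on (no --no-check-certificate): the
# downloaded code is installed system-wide by the make step below.
wget https://github.com/openresty/lua-resty-lrucache/archive/refs/tags/v0.11.tar.gz
tar -zxvf v0.11.tar.gz
cd lua-resty-lrucache-0.11
make install PREFIX=/usr/local/lua_core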
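# Build and install nginx with the Lua modules
# The nginx-1.12.2 tarball is not downloaded by any earlier step; it is
# expected to be present in /usr/local/src already.
# NOTE(review): 1.12.2 is an old release; for an internet-facing host prefer a
# currently supported nginx version (confirm module compatibility first).
cd /usr/local/src
tar xf nginx-1.12.2.tar.gz
cd nginx-1.12.2
# Unprivileged account for nginx: no login shell (-s /bin/false), no home
# directory (-M)
useradd -s /bin/false -M www
# The LuaJIT paths exported earlier must still be set in this shell; without
# LUAJIT_LIB the rpath option below would be empty.
: "${LUAJIT_LIB:?export LUAJIT_LIB before configuring nginx}"
: "${LUAJIT_INC:?export LUAJIT_INC before configuring nginx}"
# Compile in the extra modules (ngx_devel_kit and lua-nginx-module)
./configure \
  --user=www \
  --group=www \
  --prefix=/usr/local/nginx \
  --with-http_stub_status_module \
  --with-http_ssl_module \
  --with-http_v2_module \
  --with-http_gzip_static_module \
  --with-http_sub_module \
  --add-module=/usr/local/src/ngx_devel_kit-0.3.1rc1 \
  --add-module=/usr/local/src/lua-nginx-module-0.10.20 \
  --with-ld-opt="-Wl,-rpath,$LUAJIT_LIB"
make && make install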
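# Start nginx
ln -sv /usr/local/nginx/sbin/nginx /usr/local/sbin/
# NOTE(review): the init script is fetched over plain HTTP from a third-party
# host and will be run by init on every boot. Nothing authenticates its
# content in transit, so download it to a scratch file and read it before it
# is installed into /etc/init.d.
init_tmp=$(mktemp)
wget -O "$init_tmp" http://down.whsir.com/downloads/nginx
less "$init_tmp"
install -o root -g root -m 0755 "$init_tmp" /etc/init.d/nginx
rm -f -- "$init_tmp"
# Register the service and enable it at boot
chkconfig --add nginx
chkconfig nginx on
/etc/init.d/nginx start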
在 nginx.conf 的 http 段中加入以下配置:
# Lua module search path: the WAF scripts under conf/waf and the lua-resty
# libraries installed under /usr/local/lua_core
lua_package_path "/usr/local/nginx/conf/waf/?.lua;/usr/local/lua_core/lib/lua/?.lua";
# Shared-memory dictionary named "limit" (10m); the WAF's CCDeny setting
# requires it
lua_shared_dict limit 10m;
# WAF initialisation script
init_by_lua_file /usr/local/nginx/conf/waf/init.lua;
# WAF script run in the access phase of request handling
access_by_lua_file /usr/local/nginx/conf/waf/waf.lua;
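# Create the attack-log directory
# The path has to match logdir in the WAF configuration
# ("/usr/local/nginx/logs/hack/"), hence "logs" rather than "log"; -p also
# creates the parent directory when it does not exist yet.
mkdir -p /usr/local/nginx/logs/hack
# The nginx user (www) needs write access to this directory
chown -R www /usr/local/nginx/logs/hack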
# Install ngx_lua_waf (tag v0.7.2) under the nginx conf directory as "waf"
cd /usr/local/nginx/conf
waf_tag=v0.7.2
wget "https://codeload.github.com/loveshell/ngx_lua_waf/tar.gz/refs/tags/${waf_tag}"
# The download is saved under the bare tag name; give it a .tar.gz name
mv "${waf_tag}" "${waf_tag}.tar.gz"
tar xf "${waf_tag}.tar.gz"
# The nginx directives point at conf/waf, so rename the unpacked directory
mv "ngx_lua_waf-${waf_tag#v}/" waf
# Restart nginx
/etc/init.d/nginx restart
# 验证:访问下面的地址,返回 503 即表示 WAF 已生效
http://192.168.139.129/?id=../../etc/passwds
#配置样例
RulePath = "/usr/local/nginx/conf/waf/wafconf/"
-- Directory that holds the rule files
attacklog = "off"
-- Whether to record attack information; requires logdir to be configured
-- NOTE(review): with "off" nothing is written to logdir; set this to "on" if
-- blocked requests should be recorded for later review.
logdir = "/usr/local/nginx/logs/hack/"
-- Log directory; it must be created by the operator and be writable by the
-- nginx user
UrlDeny="on"
-- Whether to block URL access
Redirect="on"
-- Whether to redirect after blocking
CookieMatch = "on"
-- Whether to block cookie attacks
postMatch = "on"
-- Whether to block POST attacks
whiteModule = "on"
-- Whether to enable the URL whitelist
black_fileExt={"php","jsp"}
-- File extensions that are not allowed to be uploaded
ipWhitelist={"127.0.0.1"}
-- IP whitelist; separate multiple IPs with commas
ipBlocklist={"1.0.0.1"}
-- IP blocklist; separate multiple IPs with commas
CCDeny="on"
-- Whether to block CC attacks (requires "lua_shared_dict limit 10m;" in the
-- http section of nginx.conf)
CCrate = "100/60"
-- CC attack rate threshold; the time unit is seconds.
-- Default: within 1 minute one IP may request the same address 100 times
html=[[Please go away~~]]
-- Warning content; it can be customised inside the brackets
备注:修改配置时不要改动双引号;配置内容区分大小写。