使用Nginx+Lua实现的WAF,nginxlua实现waf
使用Nginx+Lua实现的WAF,nginxlua实现waf
一.OpenResty安装和测试
官方网站:https://openresty.org/cn/
LUA学习:http://blog.jobbole.com/70480/
1.安装OpenResty:
# yum install -y readline-devel pcre-devel openssl-devel
# cd /usr/local/src
下载并编译安装openresty
# wget https://openresty.org/download/ngx_openresty-1.9.3.2.tar.gz
# tar zxf ngx_openresty-1.9.3.2.tar.gz
# cd ngx_openresty-1.9.3.2
# ./configure --prefix=/usr/local/openresty-1.9.3.2 \
--with-luajit --with-http_stub_status_module \
--with-pcre --with-pcre-jit
# gmake && gmake install
# ln -s /usr/local/openresty-1.9.3.2/ /usr/local/openresty
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
2.测试openresty安装:
vim /usr/local/openresty/nginx/conf/nginx.conf
server {
location /hello {
default_type text/html;
content_by_lua_block {
ngx.say("HelloWorld")
}
}
}
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
3.启动openresty并测试:
/usr/local/openresty/nginx/sbin/nginx -t
/usr/local/openresty/nginx/sbin/nginx
http://172.16.1.211/hello #访问后出现“HelloWorld”
二.WAF安装和测试
参考资料: https://github.com/unixhot/waf
PS: 这个是赵班长写的WAF安全检测模块,过滤了一些常见的入侵方式,性能也非常不错。
1.安装并配置WAF:
#git clone https://github.com/unixhot/waf.git
#cp -a ./waf/waf /usr/local/openresty/nginx/conf/
修改Nginx的配置文件,在HTTP字段加入以下配置。注意路径,同时WAF日志默认存放在/tmp/日期_waf.log
vim /usr/local/openresty/nginx/conf/nginx.conf
#WAF
lua_shared_dict limit 50m;
lua_package_path "/usr/local/openresty/nginx/conf/waf/?.lua";
init_by_lua_file "/usr/local/openresty/nginx/conf/waf/init.lua";
access_by_lua_file "/usr/local/openresty/nginx/conf/waf/access.lua";
[root@openstack-compute-node5 ~]# /usr/local/openresty/nginx/sbin/nginx –t
[root@openstack-compute-node5 ~]# /usr/local/openresty/nginx/sbin/nginx
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
2.WAF配置文件:
vim /usr/local/openresty/nginx/conf/waf/config.lua
--waf 是否开启
config_waf_enable = "on"
--日杂文件目录
config_log_dir = "/tmp"
--配置文件目录
config_rule_dir = "/usr/local/openresty/nginx/conf/waf/rule-config"
--是否开启 白名单链接
config_white_url_check = "on"
--enable/disable 白名单IP
config_white_ip_check = "on"
--enable/disable 黑名单IP
config_black_ip_check = "on"
--enable/disable URL检测
config_url_check = "on"
--enalbe/disable url 参数检查
config_url_args_check = "on"
--enable/disable user agent filtering
config_user_agent_check = "on"
--enable/disable cookie deny filtering
config_cookie_check = "on"
--enable/disable cc 检测
config_cc_check = "on"
--CC检测限制60秒内同一URL只能访问10次
config_cc_rate = "10/60"
--enable/disable post 检测(这个功能作者没完成)
config_post_check = "on"
--config waf output redirect/html
config_waf_output = "html"
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
- 18
- 19
- 20
- 21
- 22
- 23
- 24
- 25
- 26
- 27
- 28
- 29
3.验证:
http://172.16.1.211/a.sql #访问会出现安全检测页面
ab -n100 -c1 http://172.16.1.211/ #模仿CC攻击
- 1
- 2
- 3
<link rel="stylesheet" href="https://csdnimg.cn/release/phoenix/template/css/markdown_views-ea0013b516.css">
</div>
评论暂时关闭