By default nginx can only provide some basic defence on its own, and doing so means writing a lot of `location` blocks that return 403 or 404. For example:
```nginx
server {
    server_name localhost;

    # Block common download / load-testing tools by User-Agent
    set $block_user_agents 0;
    if ($http_user_agent ~ "Wget|ApacheBench|WebBench") {
        set $block_user_agents 1;
    }
    if ($block_user_agents = 1) {
        return 403;
    }

    # Never serve backup, dump or archive files
    location ~* "\.(sql|bak|old|zip|tar)$" {
        return 404;
    }
}
```
You can also use a ready-made WAF (adjust it to your own situation); today I recommend one to you.
Source: Byrd's Weblog - https://note.t4x.org/environment/nginx-web-application-firewall/
Method 1: for hosts where nginx has not been installed yet
Reference: https://github.com/loveshell/ngx_lua_waf
The configuration steps are as follows:
```shell
[root@hz tools]# wget ftp://ftp.csx.cam.ac.uk/pub/software/programming/pcre/pcre-8.37.tar.gz
[root@hz tools]# wget http://luajit.org/download/LuaJIT-2.0.4.tar.gz
[root@hz tools]# wget https://github.com/simpl/ngx_devel_kit/archive/v0.2.19.tar.gz
[root@hz tools]# wget https://github.com/openresty/lua-nginx-module/archive/v0.9.16.tar.gz
[root@hz tools]# tar -zxf v0.2.19.tar.gz    # extract NDK
[root@hz tools]# ll ngx_devel_kit-0.2.19/
total 84
drwxrwxr-x. 6 root root  4096 Sep 26  2013 auto
-rw-rw-r--. 1 root root  1428 Sep 26  2013 config
drwxrwxr-x. 6 root root  4096 Sep 26  2013 docs
drwxrwxr-x. 3 root root  4096 Sep 26  2013 examples
-rw-rw-r--. 1 root root 19299 Sep 26  2013 ngx_auto_lib_core
drwxrwxr-x. 2 root root  4096 Sep 26  2013 notes
drwxrwxr-x. 2 root root  4096 Sep 26  2013 objs
drwxrwxr-x. 2 root root  4096 Sep 26  2013 patches
-rw-rw-r--. 1 root root  4339 Sep 26  2013 README
-rw-rw-r--. 1 root root 17470 Sep 26  2013 README_AUTO_LIB
drwxrwxr-x. 3 root root  4096 Sep 26  2013 src
-rw-rw-r--. 1 root root    50 Sep 26  2013 TODO
[root@hz tools]# tar -zxf v0.9.16.tar.gz    # lua-nginx-module
[root@hz tools]# ll lua-nginx-module-0.9.16/
total 332
-rw-rw-r--. 1 root root   4167 Jun 23  2015 Changes
-rw-rw-r--. 1 root root  15192 Jun 23  2015 config
drwxrwxr-x. 2 root root   4096 Jun 23  2015 doc
drwxrwxr-x. 2 root root   4096 Jun 23  2015 dtrace
drwxrwxr-x. 3 root root   4096 Jun 23  2015 misc
-rw-rw-r--. 1 root root 280375 Jun 23  2015 README.markdown
drwxrwxr-x. 3 root root   4096 Jun 23  2015 src
drwxrwxr-x. 6 root root   4096 Jun 23  2015 t
drwxrwxr-x. 2 root root   4096 Jun 23  2015 tapset
drwxrwxr-x. 2 root root   4096 Jun 23  2015 util
-rw-rw-r--. 1 root root   2724 Jun 23  2015 valgrind.suppress
[root@hz tools]# tar -zxf LuaJIT-2.0.4.tar.gz    # install LuaJIT, the Lua just-in-time compiler
[root@hz tools]# cd LuaJIT-2.0.4
[root@hz LuaJIT-2.0.4]# make && make install
[root@hz tools]# useradd -s /sbin/nologin -M www
[root@hz tools]# wget http://nginx.org/download/nginx-1.6.3.tar.gz
[root@hz tools]# tar -zxf nginx-1.6.3.tar.gz
[root@hz tools]# cd nginx-1.6.3/
[root@hz nginx-1.6.3]# export LUAJIT_LIB=/usr/local/lib
[root@hz nginx-1.6.3]# export LUAJIT_INC=/usr/local/include/luajit-2.0
[root@hz nginx-1.6.3]# ./configure --user=www --group=www \
    --prefix=/byrd/service/nginx-1.6.3 \
    --with-openssl=/byrd/service/openssl-1.0.2d \
    --with-pcre \
    --with-http_ssl_module \
    --with-http_v2_module \
    --with-http_gunzip_module \
    --with-http_gzip_static_module \
    --with-http_stub_status_module \
    --with-ipv6 \
    --with-http_sub_module \
    --add-module=../ngx_devel_kit-0.2.19/ \
    --add-module=../lua-nginx-module-0.9.16/
[root@hz nginx-1.6.3]# make && make install
[root@hz nginx-1.6.3]# ln -s /usr/local/lib/libluajit-5.1.so.2 /lib64/libluajit-5.1.so.2
```
Test the installation: edit nginx.conf and add a first test location:
```nginx
location /hello {
    default_type 'text/plain';
    content_by_lua 'ngx.say("hello,lua")';
}
```

```shell
[root@hz nginx-1.6.3]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /byrd/service/nginx-1.6.3/conf/nginx.conf syntax is ok
nginx: configuration file /byrd/service/nginx-1.6.3/conf/nginx.conf test is successful
[root@hz nginx-1.6.3]# /usr/local/nginx/sbin/nginx -s reload
```
Visit http://note.t4x.org/hello; if the response is `hello,lua`, the Lua module is installed and working.
Deploying the WAF:
```shell
[root@hz tools]# git clone https://github.com/loveshell/ngx_lua_waf.git    # fetch ngx_lua_waf
[root@hz tools]# mv ngx_lua_waf/ /usr/local/nginx/conf/waf
[root@hz tools]# ll /usr/local/nginx/conf/waf/
total 32
-rw-r--r--. 1 root root 2377 Jan 27 22:11 config.lua
-rw-r--r--. 1 root root 6249 Jan 27 22:11 init.lua
-rw-r--r--. 1 root root 1587 Jan 27 22:11 install.sh
-rw-r--r--. 1 root root 4612 Jan 27 22:11 README.md
drwxr-xr-x. 2 root root 4096 Jan 27 22:11 wafconf
-rw-r--r--. 1 root root 2297 Jan 27 22:11 waf.lua
[root@Lnmp tools]# egrep -v "#" /usr/local/nginx/conf/nginx.conf
################ portions omitted ################
events {
    worker_connections 1024;
}
http {
    include       mime.types;
    default_type  application/octet-stream;
    sendfile      on;
    keepalive_timeout 65;

    #WAF
    lua_package_path "/usr/local/nginx/conf/waf/?.lua";
    lua_shared_dict limit 10m;
    init_by_lua_file /usr/local/nginx/conf/waf/init.lua;
    access_by_lua_file /usr/local/nginx/conf/waf/waf.lua;

    server {
        listen 80;
        server_name localhost;
################ portions omitted ################
[root@Lnmp waf]# ll /usr/local/nginx/conf/waf/config.lua    # the WAF configuration file
```
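As an added example (not code from the original post or from ngx_lua_waf), the following access-phase script shows what an `access_by_lua_file` hook like the one above does, using the two hand-written rules from the start of this post: it matches the User-Agent and the URI against rule lists, writes one log line per blocked request, and returns 403 or 404. The file name `access_demo.lua`, the log path `/tmp/waf_demo.log` and the rule lists are assumptions; it would be wired in with `access_by_lua_file /usr/local/nginx/conf/waf/access_demo.lua;` in the `http` block.

```lua
-- Added example, not part of the original post or of ngx_lua_waf.
local ua_rules  = { "Wget", "ApacheBench", "WebBench" }   -- PCRE, case-insensitive
local uri_rules = { [[\.(sql|bak|old|zip|tar)$]] }        -- paths never served
local log_path  = "/tmp/waf_demo.log"                     -- assumed log location

-- Append one line per blocked request so blocks can be reviewed afterwards.
-- The write is synchronous; acceptable for a demo, not for a busy site.
local function log_block(kind, rule, subject)
    local f = io.open(log_path, "a")
    if not f then
        ngx.log(ngx.ERR, "cannot open ", log_path)
        return
    end
    f:write(string.format("%s %s %s rule=%s:%s matched=%q\n", ngx.localtime(),
        ngx.var.remote_addr, ngx.var.request_uri, kind, rule, subject))
    f:close()
end

-- Return the first rule in `rules` that matches `subject`, or nil.
-- "ijo": case-insensitive, PCRE JIT, compile each regex once per worker.
local function first_match(rules, subject)
    for _, rule in ipairs(rules) do
        local from, _, err = ngx.re.find(subject, rule, "ijo")
        if err then
            ngx.log(ngx.ERR, "bad rule ", rule, ": ", err)
        elseif from then
            return rule
        end
    end
    return nil
end

-- 1. Download / load-testing tools identified by User-Agent get 403,
--    like the nginx `if ($http_user_agent ~ ...)` rule.
local ua  = ngx.var.http_user_agent or ""
local hit = first_match(ua_rules, ua)
if hit then
    log_block("ua", hit, ua)
    return ngx.exit(ngx.HTTP_FORBIDDEN)
end

-- 2. Backup, dump and archive file names get 404,
--    like the nginx `location ~* "\.(sql|bak|old|zip|tar)$"` rule.
hit = first_match(uri_rules, ngx.var.uri)
if hit then
    log_block("uri", hit, ngx.var.uri)
    return ngx.exit(ngx.HTTP_NOT_FOUND)
end
```

Requests that match no rule fall through to the normal content phase; the real ngx_lua_waf loads its patterns from the `wafconf/` directory instead of hard-coding them as done here.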
Method 2: for hosts where nginx is already installed
Reference: https://github.com/openresty
Reference: https://github.com/unixhot/waf
Install the dependencies:

```shell
# yum install -y readline-devel pcre-devel openssl-devel
# cd /usr/local/src
```

Download, build and install OpenResty:

```shell
# wget https://openresty.org/download/ngx_openresty-1.9.3.2.tar.gz
# tar zxf ngx_openresty-1.9.3.2.tar.gz
# cd ngx_openresty-1.9.3.2
# ./configure --prefix=/usr/local/openresty-1.9.3.2 \
    --with-luajit --with-http_stub_status_module \
    --with-pcre --with-pcre-jit
# gmake && gmake install
# ln -s /usr/local/openresty-1.9.3.2/ /usr/local/openresty
```

Test the OpenResty installation:

```shell
# vim /usr/local/openresty/nginx/conf/nginx.conf
```

```nginx
server {
    location /hello {
        default_type text/html;
        content_by_lua_block {
            ngx.say("HelloWorld")
        }
    }
}
```

```shell
# /usr/local/openresty/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/openresty-1.9.3.2/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/openresty-1.9.3.2/nginx/conf/nginx.conf test is successful
# /usr/local/openresty/nginx/sbin/nginx
```

Hello World test:

```shell
# curl http://192.168.199.33/hello
HelloWorld
```
WAF deployment:
```shell
# git clone https://github.com/unixhot/waf.git
# cp -a ./waf/waf /usr/local/openresty/nginx/conf/
```

Edit the Nginx configuration file and add the following. Mind the paths; by default the WAF writes its log to /tmp/<date>_waf.log.

```nginx
#WAF
lua_shared_dict limit 50m;
lua_package_path "/usr/local/openresty/nginx/conf/waf/?.lua";
init_by_lua_file "/usr/local/openresty/nginx/conf/waf/init.lua";
access_by_lua_file "/usr/local/openresty/nginx/conf/waf/access.lua";
```

```shell
[root@openstack-compute-node5 ~]# /usr/local/openresty/nginx/sbin/nginx -t
[root@openstack-compute-node5 ~]# /usr/local/openresty/nginx/sbin/nginx
```
Reference: https://github.com/unixhot/waf
Reference: https://github.com/loveshell/ngx_lua_waf
Reference: https://github.com/openresty
Reference: http://drops.wooyun.org/tips/734