Nginx部署配置应用级防火墙WAF

发表评论
6,032

A+

nginx默认可能做一些基础的防御，需要写出很多的localtion，返回403或者404。例如：

        server_name localhost;
        set $block_user_agets 0;
        if ($http_user_agent ~ "Wget|ApacheBench|WebBench") {
            set $block_user_agents 1;
        }
        if ($block_user_agents = 1) {
            return 403;
        }
        location ~* "\.(sql|bak|old|zip|tar)$"  {
            return 404;
        }

server_name localhost;

set $block_user_agets 0;

if ($http_user_agent ~ "Wget|ApacheBench|WebBench") {

set $block_user_agents 1;

}

if ($block_user_agents = 1) {

return 403;

}

location ~* "\.(sql|bak|old|zip|tar)$" {

return 404;

}

还可以使用已经配置好的WAF（请根据具体情况，具体调整），今天推荐一款给大家。

1：此方法适用于未开始安装nginx；

参考文档：https://github.com/loveshell/ngx_lua_waf

具体配置方法如下：

[root@hz tools]# wget ftp://ftp.csx.cam.ac.uk/pub/software/programming/pcre/pcre-8.37.tar.gz
[root@hz tools]# wget http://luajit.org/download/LuaJIT-2.0.4.tar.gz
[root@hz tools]# wget https://github.com/simpl/ngx_devel_kit/archive/v0.2.19.tar.gz
[root@hz tools]# wget https://github.com/openresty/lua-nginx-module/archive/v0.9.16.tar.gz
[root@hz tools]# tar -zxf v0.2.19.tar.gz    #解压NDK
[root@hz tools]# ll ngx_devel_kit-0.2.19/
total 84
drwxrwxr-x. 6 root root  4096 Sep 26  2013 auto
-rw-rw-r--. 1 root root  1428 Sep 26  2013 config
drwxrwxr-x. 6 root root  4096 Sep 26  2013 docs
drwxrwxr-x. 3 root root  4096 Sep 26  2013 examples
-rw-rw-r--. 1 root root 19299 Sep 26  2013 ngx_auto_lib_core
drwxrwxr-x. 2 root root  4096 Sep 26  2013 notes
drwxrwxr-x. 2 root root  4096 Sep 26  2013 objs
drwxrwxr-x. 2 root root  4096 Sep 26  2013 patches
-rw-rw-r--. 1 root root  4339 Sep 26  2013 README
-rw-rw-r--. 1 root root 17470 Sep 26  2013 README_AUTO_LIB
drwxrwxr-x. 3 root root  4096 Sep 26  2013 src
-rw-rw-r--. 1 root root    50 Sep 26  2013 TODO
[root@hz tools]# tar -zxf v0.9.16.tar.gz    #lua-nginx-module
[root@hz tools]# ll lua-nginx-module-0.9.16/
total 332
-rw-rw-r--. 1 root root   4167 Jun 23  2015 Changes
-rw-rw-r--. 1 root root  15192 Jun 23  2015 config
drwxrwxr-x. 2 root root   4096 Jun 23  2015 doc
drwxrwxr-x. 2 root root   4096 Jun 23  2015 dtrace
drwxrwxr-x. 3 root root   4096 Jun 23  2015 misc
-rw-rw-r--. 1 root root 280375 Jun 23  2015 README.markdown
drwxrwxr-x. 3 root root   4096 Jun 23  2015 src
drwxrwxr-x. 6 root root   4096 Jun 23  2015 t
drwxrwxr-x. 2 root root   4096 Jun 23  2015 tapset
drwxrwxr-x. 2 root root   4096 Jun 23  2015 util
-rw-rw-r--. 1 root root   2724 Jun 23  2015 valgrind.suppress
[root@hz tools]# tar -zxf LuaJIT-2.0.4.tar.gz    #安装LuaJIT Luajit是Lua即时编译器
[root@hz tools]# cd LuaJIT-2.0.4      
[root@hz LuaJIT-2.0.4]# make && make install
[root@hz tools]# useradd -s /sbin/nologin -M www
[root@hz tools]# wget http://nginx.org/download/nginx-1.6.3.tar.gz
[root@hz tools]# tar -zxf nginx-1.6.3.tar.gz 
[root@hz tools]# cd nginx-1.6.3/
[root@hz nginx-1.6.3]# export LUAJIT_LIB=/usr/local/lib
[root@hz nginx-1.6.3]# export LUAJIT_INC=/usr/local/include/luajit-2.0
[root@hz nginx-1.6.3]# ./configure --user=www --group=www --prefix=/byrd/service/nginx-1.6.3 --with-openssl=/byrd/service/openssl-1.0.2d --with-pcre --with-http_ssl_module --with-http_v2_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_stub_status_module --with-ipv6 --with-http_sub_module --add-module=../ngx_devel_kit-0.2.19/ --add-module=../lua-nginx-module-0.9.16/
[root@hz nginx-1.6.3]# make && make install
[root@hz nginx-1.6.3]# ln -s /usr/local/lib/libluajit-5.1.so.2 /lib64/libluajit-5.1.so.2

[root@hz tools]# wget ftp://ftp.csx.cam.ac.uk/pub/software/programming/pcre/pcre-8.37.tar.gz

[root@hz tools]# wget http://luajit.org/download/LuaJIT-2.0.4.tar.gz

[root@hz tools]# wget https://github.com/simpl/ngx_devel_kit/archive/v0.2.19.tar.gz

[root@hz tools]# wget https://github.com/openresty/lua-nginx-module/archive/v0.9.16.tar.gz

[root@hz tools]# tar -zxf v0.2.19.tar.gz #解压NDK

[root@hz tools]# ll ngx_devel_kit-0.2.19/

total 84

drwxrwxr-x. 6 root root 4096 Sep 26 2013 auto

-rw-rw-r--. 1 root root 1428 Sep 26 2013 config

drwxrwxr-x. 6 root root 4096 Sep 26 2013 docs

drwxrwxr-x. 3 root root 4096 Sep 26 2013 examples

-rw-rw-r--. 1 root root 19299 Sep 26 2013 ngx_auto_lib_core

drwxrwxr-x. 2 root root 4096 Sep 26 2013 notes

drwxrwxr-x. 2 root root 4096 Sep 26 2013 objs

drwxrwxr-x. 2 root root 4096 Sep 26 2013 patches

-rw-rw-r--. 1 root root 4339 Sep 26 2013 README

-rw-rw-r--. 1 root root 17470 Sep 26 2013 README_AUTO_LIB

drwxrwxr-x. 3 root root 4096 Sep 26 2013 src

-rw-rw-r--. 1 root root 50 Sep 26 2013 TODO

[root@hz tools]# tar -zxf v0.9.16.tar.gz #lua-nginx-module

[root@hz tools]# ll lua-nginx-module-0.9.16/

total 332

-rw-rw-r--. 1 root root 4167 Jun 23 2015 Changes

-rw-rw-r--. 1 root root 15192 Jun 23 2015 config

drwxrwxr-x. 2 root root 4096 Jun 23 2015 doc

drwxrwxr-x. 2 root root 4096 Jun 23 2015 dtrace

drwxrwxr-x. 3 root root 4096 Jun 23 2015 misc

-rw-rw-r--. 1 root root 280375 Jun 23 2015 README.markdown

drwxrwxr-x. 3 root root 4096 Jun 23 2015 src

drwxrwxr-x. 6 root root 4096 Jun 23 2015 t

drwxrwxr-x. 2 root root 4096 Jun 23 2015 tapset

drwxrwxr-x. 2 root root 4096 Jun 23 2015 util

-rw-rw-r--. 1 root root 2724 Jun 23 2015 valgrind.suppress

[root@hz tools]# tar -zxf LuaJIT-2.0.4.tar.gz #安装LuaJIT Luajit是Lua即时编译器

[root@hz tools]# cd LuaJIT-2.0.4

[root@hz LuaJIT-2.0.4]# make && make install

[root@hz tools]# useradd -s /sbin/nologin -M www

[root@hz tools]# wget http://nginx.org/download/nginx-1.6.3.tar.gz

[root@hz tools]# tar -zxf nginx-1.6.3.tar.gz

[root@hz tools]# cd nginx-1.6.3/

[root@hz nginx-1.6.3]# export LUAJIT_LIB=/usr/local/lib

[root@hz nginx-1.6.3]# export LUAJIT_INC=/usr/local/include/luajit-2.0

[root@hz nginx-1.6.3]# ./configure --user=www --group=www --prefix=/byrd/service/nginx-1.6.3 --with-openssl=/byrd/service/openssl-1.0.2d --with-pcre --with-http_ssl_module --with-http_v2_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_stub_status_module --with-ipv6 --with-http_sub_module --add-module=../ngx_devel_kit-0.2.19/ --add-module=../lua-nginx-module-0.9.16/

[root@hz nginx-1.6.3]# make && make install

[root@hz nginx-1.6.3]# ln -s /usr/local/lib/libluajit-5.1.so.2 /lib64/libluajit-5.1.so.2

测试安装：修改nginx.conf 增加第一个配置

        location /hello {
                default_type 'text/plain';
                content_by_lua 'ngx.say("hello,lua")';
        }
[root@hz nginx-1.6.3]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /byrd/service/nginx-1.6.3/conf/nginx.conf syntax is ok
nginx: configuration file /byrd/service/nginx-1.6.3/conf/nginx.conf test is successful
[root@hz nginx-1.6.3]# /usr/local/nginx/sbin/nginx -s reload

location /hello {

default_type 'text/plain';

content_by_lua 'ngx.say("hello,lua")';

}

[root@hz nginx-1.6.3]# /usr/local/nginx/sbin/nginx -t

nginx: the configuration file /byrd/service/nginx-1.6.3/conf/nginx.conf syntax is ok

nginx: configuration file /byrd/service/nginx-1.6.3/conf/nginx.conf test is successful

[root@hz nginx-1.6.3]# /usr/local/nginx/sbin/nginx -s reload

访问http://www.t4x.org/hello 如果出现hello,lua即表示lua安装成功。

部署WAF：

[root@hz tools]# git clone https://github.com/loveshell/ngx_lua_waf.git    #下载ngx_lua_waf
[root@hz tools]# mv ngx_lua_waf/ /usr/local/nginx/conf/waf    
[root@hz tools]# ll /usr/local/nginx/conf/waf/
total 32
-rw-r--r--. 1 root root 2377 Jan 27 22:11 config.lua
-rw-r--r--. 1 root root 6249 Jan 27 22:11 init.lua
-rw-r--r--. 1 root root 1587 Jan 27 22:11 install.sh
-rw-r--r--. 1 root root 4612 Jan 27 22:11 README.md
drwxr-xr-x. 2 root root 4096 Jan 27 22:11 wafconf
-rw-r--r--. 1 root root 2297 Jan 27 22:11 waf.lua
[root@Lnmp tools]# egrep -v "#" /usr/local/nginx/conf/nginx.conf
################部分省略################
events {
    worker_connections  1024;
}
http {
    include       mime.types;
    default_type  application/octet-stream;
    sendfile        on;
    keepalive_timeout  65;
#WAF
    lua_package_path "/usr/local/nginx/conf/waf/?.lua";
    lua_shared_dict limit 10m;
    init_by_lua_file  /usr/local/nginx/conf/waf/init.lua; 
    access_by_lua_file /usr/local/nginx/conf/waf/waf.lua;
    server {
        listen       80;
        server_name  localhost;
################部分省略################
[root@Lnmp waf]# ll /usr/local/nginx/conf/waf/config.lua    #配置文件

[root@hz tools]# git clone https://github.com/loveshell/ngx_lua_waf.git #下载ngx_lua_waf

[root@hz tools]# mv ngx_lua_waf/ /usr/local/nginx/conf/waf

[root@hz tools]# ll /usr/local/nginx/conf/waf/

total 32

-rw-r--r--. 1 root root 2377 Jan 27 22:11 config.lua

-rw-r--r--. 1 root root 6249 Jan 27 22:11 init.lua

-rw-r--r--. 1 root root 1587 Jan 27 22:11 install.sh

-rw-r--r--. 1 root root 4612 Jan 27 22:11 README.md

drwxr-xr-x. 2 root root 4096 Jan 27 22:11 wafconf

-rw-r--r--. 1 root root 2297 Jan 27 22:11 waf.lua

[root@Lnmp tools]# egrep -v "#" /usr/local/nginx/conf/nginx.conf

################部分省略################

events {

worker_connections 1024;

}

http {

include mime.types;

default_type application/octet-stream;

sendfile on;

keepalive_timeout 65;

#WAF

lua_package_path "/usr/local/nginx/conf/waf/?.lua";

lua_shared_dict limit 10m;

init_by_lua_file /usr/local/nginx/conf/waf/init.lua;

access_by_lua_file /usr/local/nginx/conf/waf/waf.lua;

server {

listen 80;

server_name localhost;

################部分省略################

[root@Lnmp waf]# ll /usr/local/nginx/conf/waf/config.lua #配置文件

2：此方法适用于已安装nginx；

参考文档：https://github.com/openresty

参考文档：https://github.com/unixhot/waf

安装依赖包
# yum install -y readline-devel pcre-devel openssl-devel
# cd /usr/local/src
下载并编译安装openresty
# wget https://openresty.org/download/ngx_openresty-1.9.3.2.tar.gz
# tar zxf ngx_openresty-1.9.3.2.tar.gz
# cd ngx_openresty-1.9.3.2
# ./configure --prefix=/usr/local/openresty-1.9.3.2 \
--with-luajit --with-http_stub_status_module \
--with-pcre --with-pcre-jit
# gmake && gmake install
# ln -s /usr/local/openresty-1.9.3.2/ /usr/local/openresty

测试openresty安装
# vim /usr/local/openresty/nginx/conf/nginx.conf
server {
    location /hello {
            default_type text/html;
            content_by_lua_block {
                ngx.say("HelloWorld")
            }
        }
}
# /usr/local/openresty/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/openresty-1.9.3.2/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/openresty-1.9.3.2/nginx/conf/nginx.conf test is successful
# /usr/local/openresty/nginx/sbin/nginx
Hello World
# curl http://192.168.199.33/hello
HelloWorld

安装依赖包

# yum install -y readline-devel pcre-devel openssl-devel

# cd /usr/local/src

下载并编译安装openresty

# wget https://openresty.org/download/ngx_openresty-1.9.3.2.tar.gz

# tar zxf ngx_openresty-1.9.3.2.tar.gz

# cd ngx_openresty-1.9.3.2

# ./configure --prefix=/usr/local/openresty-1.9.3.2 \

--with-luajit --with-http_stub_status_module \

--with-pcre --with-pcre-jit

# gmake && gmake install

# ln -s /usr/local/openresty-1.9.3.2/ /usr/local/openresty

测试openresty安装

# vim /usr/local/openresty/nginx/conf/nginx.conf

server {

location /hello {

default_type text/html;

content_by_lua_block {

ngx.say("HelloWorld")

}

# /usr/local/openresty/nginx/sbin/nginx -t

nginx: the configuration file /usr/local/openresty-1.9.3.2/nginx/conf/nginx.conf syntax is ok

nginx: configuration file /usr/local/openresty-1.9.3.2/nginx/conf/nginx.conf test is successful

# /usr/local/openresty/nginx/sbin/nginx

Hello World

# curl http://192.168.199.33/hello

HelloWorld

WAF部署：

#git clone https://github.com/unixhot/waf.git
#cp -a ./waf/waf /usr/local/openresty/nginx/conf/

修改Nginx的配置文件，加入以下配置。注意路径，同时WAF日志默认存放在/tmp/日期_waf.log
#WAF
    lua_shared_dict limit 50m;
    lua_package_path "/usr/local/openresty/nginx/conf/waf/?.lua";
    init_by_lua_file "/usr/local/openresty/nginx/conf/waf/init.lua";
    access_by_lua_file "/usr/local/openresty/nginx/conf/waf/access.lua";

[root@openstack-compute-node5 ~]# /usr/local/openresty/nginx/sbin/nginx –t
[root@openstack-compute-node5 ~]# /usr/local/openresty/nginx/sbin/nginx