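# Lua 5.1.5 from source.
# Fetch over TLS (the original used plain http://, so an on-path party could
# have substituted the archive) and stop at the first failing step, so that a
# failed download or extraction never runs `make install` from the wrong
# directory. Compare the archive with the checksum published on lua.org
# before building; the value is deliberately not reproduced here.
wget https://www.lua.org/ftp/lua-5.1.5.tar.gz || exit 1
tar -xf lua-5.1.5.tar.gz || exit 1
cd lua-5.1.5 || exit 1
make generic || exit 1
make install   # installs under /usr/local (needs write access there)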
2 LuaJIT 2.0 安装
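# LuaJIT 2.0.4 from source.
# Fetch over TLS and chain the steps so that a failure aborts early instead of
# continuing with a missing or half-extracted tree. LuaJIT's default prefix is
# /usr/local, which is where the nginx build below looks for it
# (LUAJIT_LIB / LUAJIT_INC).
wget https://luajit.org/download/LuaJIT-2.0.4.tar.gz || exit 1
tar -xf LuaJIT-2.0.4.tar.gz || exit 1
cd LuaJIT-2.0.4 || exit 1
make && make install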
3 nginx 安装
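# nginx 1.11.2 with ngx_devel_kit and lua-nginx-module compiled in.
# 1.11.2 is the version this guide was written against (a 2016 mainline
# release); re-evaluate the pin before using this on a production host.
# Fetch over TLS and verify against the signature/checksum nginx.org publishes.
wget 'https://nginx.org/download/nginx-1.11.2.tar.gz' || exit 1
tar -xzvf nginx-1.11.2.tar.gz || exit 1
cd nginx-1.11.2/ || exit 1

# The two --add-module source trees are never fetched in this guide; fail
# early with a clear message if they are not sitting next to the nginx tree.
for mod in ../ngx_devel_kit-master ../lua-nginx-module-master; do
  [ -d "$mod" ] || { printf 'missing module source: %s\n' "$mod" >&2; exit 1; }
done

# tell nginx's build system where to find LuaJIT 2.0:
export LUAJIT_LIB=/usr/local/lib
export LUAJIT_INC=/usr/local/include/luajit-2.0
# -rpath lets the nginx binary locate libluajit at run time without touching
# the system ld.so configuration.
./configure --prefix=/usr/local/nginx \
  --user=www --group=www \
  --with-ld-opt="-Wl,-rpath,/usr/local/lib" \
  --add-module=../ngx_devel_kit-master \
  --add-module=../lua-nginx-module-master || exit 1
make -j2 || exit 1
make install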
4 准备nginx的攻击日志目录
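# Attack-log directory for the WAF (this is `logdir` in config.lua).
# The www user must already exist: it is the nginx worker user given to
# ./configure (--user=www) and the owner of the log files.
# Mode 750 instead of 755: the logs contain raw request data, so keep them
# readable by the www user/group only. `www:www` is the portable owner:group
# form (the `www.www` spelling is a GNU-only legacy syntax).
id -u www >/dev/null 2>&1 || { printf 'user www does not exist\n' >&2; exit 1; }
mkdir -p /home/wwwlogs/ || exit 1
chown www:www /home/wwwlogs/
chmod -R 750 /home/wwwlogs/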
5 安装nginx的Lua_waf模块
官方地址:https://github.com/loveshell/ngx_lua_waf
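# Install the ngx_lua_waf Lua code and rule files under the nginx conf dir.
# wget saves this codeload URL as a file literally named "master", so the
# archive has to be named explicitly or the unzip step below fails.
# "master" is a moving target: for a reproducible deployment pin a tag or a
# commit (.../zip/<COMMIT_HASH>) and record which revision was deployed.
wget -O ngx_lua_waf-master.zip https://codeload.github.com/loveshell/ngx_lua_waf/zip/master || exit 1
unzip ngx_lua_waf-master.zip || exit 1
cd ngx_lua_waf-master || exit 1
mkdir -p /usr/local/nginx/conf/waf || exit 1
cp -a ./ /usr/local/nginx/conf/waf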
6 修改nginx的配置文件,在http段加入如下内容:
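# Add to the http { } block. The paths match where the WAF files were copied.
# Note: lua_package_path replaces the default search path; append ";;" if
# other Lua modules need to stay resolvable.
lua_package_path "/usr/local/nginx/conf/waf/?.lua";
lua_shared_dict limit 10m;   # required when CC-attack blocking (CCDeny = "on") is enabled
init_by_lua_file /usr/local/nginx/conf/waf/init.lua;
access_by_lua_file /usr/local/nginx/conf/waf/waf.lua;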
6.1 修改/usr/local/nginx/conf/waf/config.lua中如下2部分内容即可:
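-- config.lua (ngx_lua_waf): the values this guide changes. Paths must match
-- where the WAF files were copied and the log directory created earlier.
RulePath = "/usr/local/nginx/conf/waf/wafconf/"   -- directory holding the rule files
attacklog = "on"                                   -- record matched requests
logdir = "/home/wwwlogs/"                          -- must be writable by the nginx worker user
UrlDeny = "on"
Redirect = "on"
CookieMatch = "on"
postMatch = "on"
whiteModule = "on"
black_fileExt = {"php", "jsp"}                     -- presumably file extensions to refuse; verify in waf.lua
ipWhitelist = {"127.0.0.1"}                        -- example: loopback only
ipBlocklist = {"1.0.0.1"}                          -- example address; replace with the real blocklist
CCDeny = "on"                                      -- needs `lua_shared_dict limit` in nginx.conf
CCrate = "100/60"                                  -- requests/seconds allowed per client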
nginx 检查语法并重新加载配置
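# Reload only if the syntax check passes. Run as two separate commands the
# reload would be attempted even after a failed test, and the error would be
# visible only in nginx's error log rather than in this shell.
/usr/local/nginx/sbin/nginx -t && /usr/local/nginx/sbin/nginx -s reload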
6.2 waf 配置说明
[root@zyb waf]# pwd
/usr/local/nginx/conf/waf
[root@zyb waf]# cat config.lua
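--WAF config file,enable = "on",disable = "off"
-- The trailing annotations were written with '#', which is not a comment
-- marker in Lua and would make this file fail to load; they are Lua comments here.
--waf status
config_waf_enable = "on"        -- master switch for the WAF
--log dir
config_log_dir = "/tmp/waf_logs"   -- where attack logs are written; /tmp is world-writable, a dedicated directory is preferable
--rule setting
config_rule_dir = "/usr/local/nginx/conf/waf/rule-config"   -- directory holding the rule files
--enable/disable white url
config_white_url_check = "on"   -- URL whitelist check
--enable/disable white ip
config_white_ip_check = "on"    -- IP whitelist check
--enable/disable block ip
config_black_ip_check = "on"    -- IP blocklist check
--enable/disable url filtering
config_url_check = "on"         -- URL filtering
--enable/disable url args filtering
config_url_args_check = "on"    -- request-argument filtering
--enable/disable user agent filtering
config_user_agent_check = "on"  -- User-Agent filtering
--enable/disable cookie deny filtering
config_cookie_check = "on"      -- cookie filtering
--enable/disable cc filtering
config_cc_check = "on"          -- CC (request-flood) protection
--cc rate the xxx of xxx seconds
config_cc_rate = "10/60"        -- each IP may make at most 10 requests per 60 seconds
--enable/disable post filtering
config_post_check = "on"        -- POST body filtering
--config waf output redirect/html
config_waf_output = "html"      -- respond with an HTML block page; "redirect" sends the client elsewhere
--if config_waf_output ,setting url
config_waf_redirect_url = "http://www.baidu.com"   -- target used when config_waf_output is "redirect"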
6.3 学习access.lua的配置
[root@iZ28t900vpcZ waf]# pwd
/usr/local/openresty/nginx/conf/waf
[root@iZ28t900vpcZ waf]# cat access.lua
require 'init'

-- Run the WAF checks in a fixed order; the first one that returns true ends
-- the evaluation (each check presumably acts on the request itself — verify
-- in init.lua). The order is significant: the IP whitelist/blocklist are
-- consulted first and the URL whitelist before the URL and argument filters.
-- POST body inspection is left disabled, as in the original.
function waf_main()
    local _ = white_ip_check()
        or black_ip_check()
        or user_agent_attack_check()
        or cc_attack_check()
        or cookie_attack_check()
        or white_url_check()
        or url_attack_check()
        or url_args_attack_check()
        -- or post_attack_check()
end

waf_main()
[root@zyb ]# echo "1.12.52.98" >>/usr/local/openresty/nginx/conf/waf/rule-config/whiteip.rule
配置信息参考:http://blog.oldboyedu.com/nginx-waf/
显示结果如下
![](ca1fa711-48e6-4041-a367-b15db7bf2d2f_128_files/3ded0e02-480f-48f4-8aab-41aff0fc5538.png)
### 3.5.5 模拟URL参数检测
浏览器输入www.chuck-blog.com/?a=select * from table
显示结果如下
![](ca1fa711-48e6-4041-a367-b15db7bf2d2f_128_files/744e4a20-5558-43fc-9f50-1546cbc765a3.png)
详细规则定义在 args.rule 中，对请求参数进行了限制
```bash
[root@iZ28t900vpcZ rule-config]# cat /usr/local/openresty/nginx/conf/waf/rule-config/args.rule
\.\./
\:\$
\$\{
select.+(from|limit)
(?:(union(.*?)select))
having|rongjitest
sleep\((\s*)(\d*)(\s*)\)
benchmark\((.*)\,(.*)\)
base64_decode\(
(?:from\W+information_schema\W)
(?:(?:current_)user|database|schema|connection_id)\s*\(
(?:etc\/\W*passwd)
into(\s+)+(?:dump|out)file\s*
group\s+by.+\(
xwork.MethodAccessor
(?:define|eval|file_get_contents|include|require|require_once|shell_exec|phpinfo|system|passthru|preg_\w+|execute|echo|print|print_r|var_dump|(fp)open|alert|showmodaldialog)\(
xwork\.MethodAccessor
(gopher|doc|php|glob|file|phar|zlib|ftp|ldap|dict|ogg|data)\:\/
java\.lang
\$_(GET|post|cookie|files|session|env|phplib|GLOBALS|SERVER)\[
\<(iframe|script|body|img|layer|div|meta|style|base|object|input)
(onmouseover|onerror|onload)\=
[root@iZ28t900vpcZ rule-config]# pwd
/usr/local/openresty/nginx/conf/waf/rule-config