Building a WAF with nginx + Lua

Date: 2022-01-05 19:43:19
1 Installing Lua
wget http://www.lua.org/ftp/lua-5.1.5.tar.gz
tar -xf lua-5.1.5.tar.gz
cd lua-5.1.5
make generic
make install


2 Installing LuaJIT 2.0
wget http://luajit.org/download/LuaJIT-2.0.4.tar.gz
tar -xf LuaJIT-2.0.4.tar.gz
cd LuaJIT-2.0.4
make && make install



3 Installing nginx

The two modules passed to --add-module below (ngx_devel_kit and lua-nginx-module) must already be unpacked in the parent directory as ngx_devel_kit-master and lua-nginx-module-master, otherwise ./configure fails.

wget 'http://nginx.org/download/nginx-1.11.2.tar.gz'
tar -xzvf nginx-1.11.2.tar.gz
cd nginx-1.11.2/

# tell nginx's build system where to find LuaJIT 2.0:
export LUAJIT_LIB=/usr/local/lib
export LUAJIT_INC=/usr/local/include/luajit-2.0

./configure --prefix=/usr/local/nginx \
            --user=www --group=www \
            --with-ld-opt="-Wl,-rpath,/usr/local/lib" \
            --add-module=../ngx_devel_kit-master \
            --add-module=../lua-nginx-module-master

make -j2
make install


4 Preparing the nginx attack-log directory
mkdir -p /home/wwwlogs/
chown www:www /home/wwwlogs/
chmod -R 755 /home/wwwlogs/


5 Installing the ngx_lua_waf module for nginx

Official repository: https://github.com/loveshell/ngx_lua_waf
wget -O ngx_lua_waf-master.zip https://codeload.github.com/loveshell/ngx_lua_waf/zip/master   # without -O the download is saved as a file named "master"
unzip ngx_lua_waf-master.zip
cd ngx_lua_waf-master
mkdir /usr/local/nginx/conf/waf
cp -a ./ /usr/local/nginx/conf/waf


6 Edit the nginx configuration file and add the following inside the http block:

lua_package_path "/usr/local/nginx/conf/waf/?.lua";
lua_shared_dict limit 10m;   # required when CC-attack blocking (CCDeny) is enabled
init_by_lua_file /usr/local/nginx/conf/waf/init.lua;
access_by_lua_file /usr/local/nginx/conf/waf/waf.lua;


6.1 Edit the following two parts of /usr/local/nginx/conf/waf/config.lua:

RulePath = "/usr/local/nginx/conf/waf/wafconf/"   -- directory holding the rule files
attacklog = "on"                                  -- log intercepted requests
logdir = "/home/wwwlogs/"                         -- attack-log directory (created in step 4)
UrlDeny = "on"                                    -- block URLs that match the url rules
Redirect = "on"                                   -- return the block page after an intercept
CookieMatch = "on"                                -- inspect cookies
postMatch = "on"                                  -- inspect POST bodies
whiteModule = "on"                                -- honour the URL whitelist
black_fileExt = {"php", "jsp"}                    -- upload file extensions to reject
ipWhitelist = {"127.0.0.1"}                       -- client IPs that are never checked
ipBlocklist = {"1.0.0.1"}                         -- client IPs that are always refused
CCDeny = "on"                                     -- enable CC (request-flood) protection
CCrate = "100/60"                                 -- at most 100 requests per 60 seconds from one IP to one URI


Check the nginx configuration and reload

/usr/local/nginx/sbin/nginx -t

/usr/local/nginx/sbin/nginx -s reload
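The CC protection configured above (lua_shared_dict limit in the http block, CCDeny and CCrate = "100/60" in config.lua) counts requests per client IP and URI in a shared dictionary whose entry expires at the end of the window. The Python model below is an added example, not code from ngx_lua_waf: SharedDict stands in for lua_shared_dict with a caller-supplied clock, and the IP 203.0.113.5 and the 5/60 rate in the demo are constructed values.

```python
import re

CCrate = "100/60"  # config.lua value: 100 requests per 60 seconds per client IP and URI

def parse_ccrate(rate):
    """Split a CCrate string "count/seconds" into two integers."""
    m = re.fullmatch(r"\s*(\d+)\s*/\s*(\d+)\s*", rate)
    if not m:
        raise ValueError(f"bad CCrate {rate!r}, expected 'count/seconds'")
    return int(m.group(1)), int(m.group(2))

class SharedDict:
    """Stand-in for nginx's lua_shared_dict: a key/value store with per-key expiry.
    The clock is passed in by the caller so the window can be simulated offline."""

    def __init__(self):
        self._store = {}  # key -> (value, expires_at)

    def get(self, key, now):
        item = self._store.get(key)
        if item is None or item[1] <= now:  # missing or expired
            self._store.pop(key, None)
            return None
        return item[0]

    def set(self, key, value, ttl, now):
        self._store[key] = (value, now + ttl)

    def incr(self, key, now):
        value, expires_at = self._store[key]
        self._store[key] = (value + 1, expires_at)

def cc_check(limit, client_ip, uri, now, rate=CCrate):
    """Return 503 once client_ip has used up its budget for uri in the current
    window, else 200. The key is ip..uri, so every URI has its own budget per client."""
    count, seconds = parse_ccrate(rate)
    token = client_ip + uri
    req = limit.get(token, now)
    if req is None:
        limit.set(token, 1, seconds, now)  # first hit opens a new window
        return 200
    if req >= count:
        return 503  # budget exhausted until the entry expires
    limit.incr(token, now)
    return 200

if __name__ == "__main__":
    d = SharedDict()  # constructed demo: six hits at t=0 with a 5/60 rate
    print([cc_check(d, "203.0.113.5", "/login", 0.0, "5/60") for _ in range(6)])
```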


6.2 WAF configuration explained

The listing below uses a different key layout (config_* keys and a rule-config directory) from the config.lua edited in 6.1, so it belongs to a different Lua WAF variant; the two formats are not interchangeable.

[root@zyb waf]# pwd
/usr/local/nginx/conf/waf
[root@zyb waf]# cat config.lua
--WAF config file,enable = "on",disable = "off"
--waf status
config_waf_enable = "on"                -- turn the WAF on or off
--log dir
config_log_dir = "/tmp/waf_logs"        -- where attack logs are written
--rule setting
config_rule_dir = "/usr/local/nginx/conf/waf/rule-config"   -- directory holding the matching rules
--enable/disable white url
config_white_url_check = "on"           -- URL whitelist check
--enable/disable white ip
config_white_ip_check = "on"            -- IP whitelist check
--enable/disable block ip
config_black_ip_check = "on"            -- IP blacklist check
--enable/disable url filtering
config_url_check = "on"                 -- URL filtering
--enable/disable url args filtering
config_url_args_check = "on"            -- URL argument filtering
--enable/disable user agent filtering
config_user_agent_check = "on"          -- User-Agent filtering
--enable/disable cookie deny filtering
config_cookie_check = "on"              -- cookie filtering
--enable/disable cc filtering
config_cc_check = "on"                  -- CC (request-flood) protection
--cc rate the xxx of xxx seconds
config_cc_rate = "10/60"                -- one IP may make only 10 requests in 60 seconds
--enable/disable post filtering
config_post_check = "on"                -- POST filtering
--config waf output redirect/html
config_waf_output = "html"              -- return an HTML block page; "redirect" sends the client to a URL instead
--if config_waf_output is redirect, set the target url
config_waf_redirect_url = "http://www.baidu.com"

6.3 Understanding access.lua

The checks run in the order listed and the chain stops at the first one that returns true; the branch bodies are intentionally empty because each check function does its own logging and blocking. A whitelisted IP therefore skips every later check.

[root@iZ28t900vpcZ waf]# pwd
/usr/local/openresty/nginx/conf/waf
[root@iZ28t900vpcZ waf]# cat access.lua
require 'init'
function waf_main()
    if white_ip_check() then
    elseif black_ip_check() then
    elseif user_agent_attack_check() then
    elseif cc_attack_check() then
    elseif cookie_attack_check() then
    elseif white_url_check() then
    elseif url_attack_check() then
    elseif url_args_attack_check() then
    --elseif post_attack_check() then
    else
        return
    end
end
waf_main()
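The chain above stops at the first check that returns true, so a whitelisted IP never reaches the argument rules, while url_args_attack_check matches every URL-decoded argument value against the patterns in args.rule (listed later in this page). The following Python model of those two stages is an added example, not code from either WAF project: the rule subset is taken from args.rule, 127.0.0.1 is the whitelist entry from config.lua, and the IP 203.0.113.7 and the request URIs are constructed.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed subset of the args.rule patterns: one regex per line, applied to every
# URL-decoded argument value, case-insensitively and with "." also matching newlines.
ARGS_RULES_TEXT = r"""
\.\./
select.+(from|limit)
(?:(union(.*?)select))
sleep\((\s*)(\d*)(\s*)\)
(?:etc\/\W*passwd)
\<(iframe|script|body|img|layer|div|meta|style|base|object|input)
(onmouseover|onerror|onload)\=
"""

def load_rules(text):
    """Compile one pattern per non-empty line, the way the rule files are read."""
    return [re.compile(line.strip(), re.IGNORECASE | re.DOTALL)
            for line in text.splitlines() if line.strip()]

ARGS_RULES = load_rules(ARGS_RULES_TEXT)

def url_args_attack_check(request_uri, rules=ARGS_RULES):
    """Return (blocked, matched_pattern) for the query string of request_uri.
    Values are percent-decoded once more after parsing, so a doubly encoded
    payload such as ..%252F is still seen by the rules as ../."""
    query = urlsplit(request_uri).query
    for _key, value in parse_qsl(query, keep_blank_values=True):
        data = unquote(value)
        for rule in rules:
            if rule.search(data):
                return True, rule.pattern
    return False, None

def waf_main(client_ip, request_uri, white_ips=frozenset({"127.0.0.1"})):
    """Two stages of the access.lua chain: a whitelisted IP bypasses every later
    check; otherwise the URL-argument rules decide."""
    if client_ip in white_ips:
        return "pass"
    blocked, pattern = url_args_attack_check(request_uri)
    return f"block:{pattern}" if blocked else "pass"

if __name__ == "__main__":
    print(waf_main("203.0.113.7", "/?a=select * from table"))  # the test request from the page
```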

[root@zyb ]# echo "1.12.52.98" >> /usr/local/openresty/nginx/conf/waf/rule-config/whiteip.rule

     
     
The result is shown below (screenshot).

6.4 Simulating URL parameter detection

In the browser, request www.chuck-blog.com/?a=select * from table

The result is shown below (screenshot).

The detailed rules are defined in args.rule, which constrains the request arguments:
```bash
[root@iZ28t900vpcZ rule-config]# cat /usr/local/openresty/nginx/conf/waf/rule-config/args.rule
\.\./
\:\$
\$\{
select.+(from|limit)
(?:(union(.*?)select))
having|rongjitest
sleep\((\s*)(\d*)(\s*)\)
benchmark\((.*)\,(.*)\)
base64_decode\(
(?:from\W+information_schema\W)
(?:(?:current_)user|database|schema|connection_id)\s*\(
(?:etc\/\W*passwd)
into(\s+)+(?:dump|out)file\s*
group\s+by.+\(
xwork.MethodAccessor
(?:define|eval|file_get_contents|include|require|require_once|shell_exec|phpinfo|system|passthru|preg_\w+|execute|echo|print|print_r|var_dump|(fp)open|alert|showmodaldialog)\(
xwork\.MethodAccessor
(gopher|doc|php|glob|file|phar|zlib|ftp|ldap|dict|ogg|data)\:\/
java\.lang
\$_(GET|post|cookie|files|session|env|phplib|GLOBALS|SERVER)\[
\<(iframe|script|body|img|layer|div|meta|style|base|object|input)
(onmouseover|onerror|onload)\=
[root@iZ28t900vpcZ rule-config]# pwd
/usr/local/openresty/nginx/conf/waf/rule-config
```

Configuration reference: http://blog.oldboyedu.com/nginx-waf/