1 lua 安装
wget http://www.lua.org/ftp/lua-5.1.5.tar.gz
tar -xf lua-5.1.5.tar.gz

cd lua-5.1.5
make generic

make install

2 LuaJTT 2.0 安装
wget http://luajit.org/download/LuaJIT-2.0.4.tar.gz
tar -xf LuaJIT-2.0.4.tar.gz
cd LuaJIT-2.0.4
make && make install

3 nginx 安装
 wget 'http://nginx.org/download/nginx-1.11.2.tar.gz'
 tar -xzvf nginx-1.11.2.tar.gz
 cd nginx-1.11.2/

 # tell nginx's build system where to find LuaJIT 2.0:
 export LUAJIT_LIB=/usr/local/lib
 export LUAJIT_INC=/usr/local/include/luajit-2.0

 ./configure --prefix=/usr/local/nginx \
          --user=www --group=www \
         --with-ld-opt="-Wl,-rpath,/usr/local/lib" \
         --add-module=../ngx_devel_kit-master \
         --add-module=../lua-nginx-module-master

 make -j2
 make install

4  准备nginx的攻击日志目录
mkdir -p /home/wwwlogs/
chown www.www /home/wwwlogs/
chmod -R 755 /home/wwwlogs/

5 安装nginx的Lua_waf模块

官方地址：https://github.com/loveshell/ngx_lua_waf
wget https://codeload.github.com/loveshell/ngx_lua_waf/zip/master

unzip ngx_lua_waf-master.zip

cd ngx_lua_waf-master
mkdir /usr/local/nginx/conf/waf
cp -a ./ /usr/local/nginx/conf/waf

6 修改nginx的配置文件，在http段加入如下内容：

lua_package_path"/usr/local/nginx/conf/waf/?.lua";
lua_shared_dict limit 10m;  开启拦截cc攻击必须加这条规则
init_by_lua_file /usr/local/nginx/conf/waf/init.lua;
access_by_lua_file /usr/local/nginx/conf/waf/waf.lua;

6.1 修改/usr/local/nginx/conf/waf/config.lua中如下2部分内容即可：


RulePath ="/usr/local/nginx/conf/waf/wafconf/"

attacklog = "on"

logdir ="/home/wwwlogs/"

UrlDeny="on"

Redirect="on"

CookieMatch="on"

postMatch="on"

whiteModule="on"

black_fileExt={"php","jsp"}

ipWhitelist={"127.0.0.1"}

ipBlocklist={"1.0.0.1"}

CCDeny="on"

CCrate="100/60"

nginx检查语法和重启

/usr/local/nginx/sbin/nginx -t

/usr/local/nginx/sbin/nginx -s reload

6.2  waf 配置说明

[root@zyb waf]# pwd

/usr/local/nginx/conf/waf

[root@zyb waf]# cat config.lua

--WAF config file,enable = "on",disable = "off"

--waf status

config_waf_enable = "on" #是否开启配置

--log dir

config_log_dir = "/tmp/waf_logs" #日志记录地址

--rule setting

config_rule_dir = "/usr/local/nginx/conf/waf/rule-config"

#匹配规则缩放地址

--enable/disable white url

config_white_url_check = "on" #是否开启url检测

--enable/disable white ip

config_white_ip_check = "on" #是否开启IP白名单检测

--enable/disable block ip

config_black_ip_check = "on" #是否开启ip黑名单检测

--enable/disable url filtering

config_url_check = "on" #是否开启url过滤

--enalbe/disable url args filtering

config_url_args_check = "on" #是否开启参数检测

--enable/disable user agent filtering

config_user_agent_check = "on" #是否开启ua检测

--enable/disable cookie deny filtering

config_cookie_check = "on" #是否开启cookie检测

--enable/disable cc filtering

config_cc_check = "on" #是否开启防cc攻击

--cc rate the xxx of xxx seconds

config_cc_rate = "10/60" #允许一个ip60秒内只能访问10此

--enable/disable post filtering

config_post_check = "on" #是否开启post检测

--config waf output redirect/html

config_waf_output = "html" #action一个html页面，也可以选择跳转

--if config_waf_output ,setting url

config_waf_redirect_url = "http://www.baidu.com"

6.3 学习access.lua的配置

 
 

[root@iZ28t900vpcZ waf]# pwd
  
  
/usr/local/openresty/nginx/conf/waf
  
  
[root@iZ28t900vpcZ waf]# cat access.lua 
  
  
require 'init'
  
  
function waf_main()
  
  
 if white_ip_check() then
  
  
 elseif black_ip_check() then
  
  
 elseif user_agent_attack_check() then
  
  
 elseif cc_attack_check() then
  
  
 elseif cookie_attack_check() then
  
  
 elseif white_url_check() then
  
  
 elseif url_attack_check() then
  
  
 elseif url_args_attack_check() then
  
  
 --elseif post_attack_check() then
  
  
 else
  
  
 return 
  
  
 end
  
  
end
  
  
waf_main()
 
 

[root@zyb ]# echo “1.12.52.98” >>/usr/local/openresty/nginx/conf/waf/rule-config/whiteip.rule

 
 

显示结果如下
  
  
![](ca1fa711-48e6-4041-a367-b15db7bf2d2f_128_files/3ded0e02-480f-48f4-8aab-41aff0fc5538.png)
  
  
###3.5.5 模拟URL参数检测
  
  
浏览器输入www.chuck-blog.com/?a=select * from table
  
  
显示结果如下
  
  
![](ca1fa711-48e6-4041-a367-b15db7bf2d2f_128_files/744e4a20-5558-43fc-9f50-1546cbc765a3.png)
  
  
详细规定在arg.rule中有规定,对请求进行了规范
  
  
```bash
  
  
[root@iZ28t900vpcZ rule-config]# /usr/local/openresty/nginx/conf/waf/rule-config/cat args.rule 
  
  
\.\./
  
  
\:\$
  
  
\$\{
  
  
select.+(from|limit)
  
  
(?:(union(.*?)select))
  
  
having|rongjitest
  
  
sleep\((\s*)(\d*)(\s*)\)
  
  
benchmark\((.*)\,(.*)\)
  
  
base64_decode\(
  
  
(?:from\W+information_schema\W)
  
  
(?:(?:current_)user|database|schema|connection_id)\s*\(
  
  
(?:etc\/\W*passwd)
  
  
into(\s+)+(?:dump|out)file\s*
  
  
group\s+by.+\(
  
  
xwork.MethodAccessor
  
  
(?:define|eval|file_get_contents|include|require|require_once|shell_exec|phpinfo|system|passthru|preg_\w+|execute|echo|print|print_r|var_dump|(fp)open|alert|showmodaldialog)\(
  
  
xwork\.MethodAccessor
  
  
(gopher|doc|php|glob|file|phar|zlib|ftp|ldap|dict|ogg|data)\:\/
  
  
java\.lang
  
  
\$_(GET|post|cookie|files|session|env|phplib|GLOBALS|SERVER)\[
  
  
\<(iframe|script|body|img|layer|div|meta|style|base|object|input)
  
  
(onmouseover|onerror|onload)\=
  
  
[root@iZ28t900vpcZ rule-config]# pwd
  
  
/usr/local/openresty/nginx/conf/waf/rule-config
 
 

配置信息参考：http://blog.oldboyedu.com/nginx-waf/