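#!/usr/bin/env bash
# Build OpenResty 1.13.6.2 with the OpenWAF bundle and install OpenWAF.
#
# Assumes a yum-based host (run as root) with the OpenResty, OpenSSL, PCRE
# and zlib source trees already unpacked under /usr/local/src at the paths
# below. Optional env: OPENWAF_REF — a tag or commit to check out after the
# clone, so the WAF code that goes into the build is pinned and reviewable
# rather than whatever the default branch holds at install time.
set -euo pipefail

readonly OPENWAF_REPO=https://github.com/titansec/OpenWAF.git
readonly OPENWAF_DIR=/opt/OpenWAF
readonly OPENRESTY_SRC=/usr/local/src/openresty-1.13.6.2
readonly OPENSSL_SRC=/usr/local/src/openssl-1.1.0g
readonly PCRE_SRC=/usr/local/src/pcre-8.42
readonly ZLIB_SRC=/usr/local/src/zlib-1.2.11
readonly PREFIX=/data/server/openresty-1.13
OPENWAF_REF=${OPENWAF_REF:-}

die() { printf '%s\n' "$*" >&2; exit 1; }

# Install build dependencies
yum install -y gcc gcc-c++ wget GeoIP-devel git swig make perl \
  perl-ExtUtils-Embed readline-devel zlib-devel

# Fail early instead of scattering files into source trees that do not exist.
for src in "$OPENRESTY_SRC" "$OPENSSL_SRC" "$PCRE_SRC" "$ZLIB_SRC"; do
  [[ -d "$src" ]] || die "missing source tree: $src"
done

# Install OpenWAF
git clone "$OPENWAF_REPO" "$OPENWAF_DIR"
if [[ -n "$OPENWAF_REF" ]]; then
  git -C "$OPENWAF_DIR" checkout "$OPENWAF_REF"
fi
mv -- "$OPENWAF_DIR/lib/openresty/ngx_openwaf.conf" /etc/
# OpenResty's own configure script is replaced by the one the OpenWAF
# maintainers ship; the remaining bundle files are copied alongside it.
mv -- "$OPENWAF_DIR/lib/openresty/configure" "$OPENRESTY_SRC/"
cp -RP -- "$OPENWAF_DIR"/lib/openresty/* "$OPENRESTY_SRC/bundle/"
cd "$OPENWAF_DIR"
make install

# Build OpenResty with the replaced configure script.
# --with-ipv6 is kept from the original invocation; nginx >= 1.11.5 ignores
# it with a deprecation warning because IPv6 is always enabled.
cd "$OPENRESTY_SRC"
./configure \
  --prefix="$PREFIX" \
  --with-pcre-jit \
  --with-ipv6 \
  --with-http_v2_module \
  --with-stream \
  --with-http_gunzip_module \
  --with-http_ssl_module \
  --with-threads --with-file-aio \
  --with-http_stub_status_module \
  --with-http_realip_module \
  --with-http_sub_module \
  --with-http_geoip_module \
  --with-openssl="$OPENSSL_SRC" \
  --with-pcre="$PCRE_SRC" \
  --with-zlib="$ZLIB_SRC" \
  --with-http_gzip_static_module \
  --with-http_image_filter_module \
  --with-http_auth_request_module \
  --with-http_random_index_module
gmake
gmake install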
# 接入Openwaf
擁有自己的nginx配置,僅需以下兩步即可體驗OpenWAF防護
nginx配置修改
在 nginx 的 http 級別添加如下兩行:
include /opt/OpenWAF/conf/twaf_main.conf;
include /opt/OpenWAF/conf/twaf_api.conf;
要防護的 server 或 location 級別添加如下一行:
include /opt/OpenWAF/conf/twaf_server.conf;
OpenWAF接入規則修改
修改/opt/OpenWAF/conf/twaf_access_rule.json文件
將"state"值設為false即可
說明:
twaf_default_conf.json # 默認策略,不建議修改
twaf_policy_conf.json # 用戶可以自定義的策略文件,該文件里面的策略會合並到 twaf_default_conf.json中(前提是啟用接入規則文件:twaf_access_rule.json)
如果啟用了接入規則文件:twaf_access_rule.json,twaf_policy_conf.json規則會合並到twaf_default_conf.json中,反之只有twaf_default_conf.json策略文件生效
貼出本文測試的配置文件:
# cat /etc/ngx_openwaf.conf
ngx_openwaf.conf ngx_openwaf.conf.bak ngx_openwaf.conf.ori
[root@nginx32-249 conf]# cat /etc/ngx_openwaf.conf
# Main context: 4 worker processes, error log and pid file under /data/logs/nginx.
worker_processes 4;
error_log /data/logs/nginx/error.log;
pid /data/logs/nginx/run/nginx.pid;
# PCRE JIT is compiled in (--with-pcre-jit) but not switched on here; uncomment to enable.
# pcre_jit on;
# Event loop settings: per-worker connection cap, epoll on Linux.
events {
worker_connections 4096;
use epoll;
}
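http {
  # OpenWAF: engine and management API, loaded once at http level.
  include /opt/OpenWAF/conf/twaf_main.conf;
  include /opt/OpenWAF/conf/twaf_api.conf;
  port_in_redirect off;
  include /data/server/openresty-1.13/nginx/conf/mime.types;
  default_type application/octet-stream;
  ssi on;
  ssi_silent_errors on;
  log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                  '$status $body_bytes_sent "$http_referer" '
                  '"$http_user_agent" "$http_x_forwarded_for"';
  # NOTE(review): new_main writes the full Cookie header and the request body
  # to the access log, so session tokens and submitted credentials end up in
  # plaintext in /data/logs/nginx/access.log. Restrict and rotate that file
  # tightly, and drop $http_cookie / $request_body once testing is over.
  log_format new_main 'yjall-test-------$server_addr####$remote_addr####$remote_user####[$time_local]####$request_time####$status####$bytes_sent####'
                      '$request_method####$Scheme://$Host$request_uri####$http_cdn_src_ip####'
                      '$upstream_http_content_type####$http_referer####"$http_user_agent"####"$http_cookie"####"$request_body"';
  access_log /data/logs/nginx/access.log new_main;
  gzip on;
  gzip_min_length 1k;
  gzip_buffers 4 64k;
  gzip_http_version 1.1;
  gzip_comp_level 2;
  gzip_types text/plain application/x-javascript text/css application/xml text/javascript;
  gzip_vary on;
  fastcgi_intercept_errors on;
  proxy_intercept_errors on;
  sendfile on;
  #tcp_nopush on;
  keepalive_timeout 600;
  send_timeout 600;
  fastcgi_connect_timeout 600;
  fastcgi_send_timeout 600;
  fastcgi_read_timeout 600;
  fastcgi_buffer_size 256k;
  fastcgi_buffers 8 256k;
  fastcgi_busy_buffers_size 256k;
  fastcgi_temp_file_write_size 256k;
  client_header_timeout 600; # raised
  client_body_timeout 600; # raised
  client_max_body_size 500m; # the key limit: caps the size of uploaded files
  client_body_buffer_size 256k;
  proxy_connect_timeout 600;
  proxy_send_timeout 600;
  proxy_read_timeout 600;

  upstream site {
    server 10.10.35.190:8080;
  }

  # Bare domain: permanent redirect to www.
  server {
    listen 80;
    server_name test.com;
    location ~* ^/(.*)$ {
      rewrite ^/(.*)$ http://www.test.com/$1 permanent;
    }
  }

  # Plain-HTTP site, protected by OpenWAF at server level.
  server {
    listen 80;
    server_name www.test.com;
    include /opt/OpenWAF/conf/twaf_server.conf;
    location / {
      index index.jsp index.html;
      proxy_set_header Host $host;
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header REMOTE-HOST $remote_addr;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      add_header From www.test.com;
      proxy_cookie_path /yjall/ /;
      proxy_set_header Cookie $http_cookie;
      proxy_pass http://site;
    }
    location ~ /upload/ {
      root /data/yjwstatic/JYSWY_UPLOAD;
    }
  }

  # HTTPS site, same backend and WAF include.
  server {
    listen 443 ssl;
    server_name www.test.com;
    include /opt/OpenWAF/conf/twaf_server.conf;
    # NOTE(review): confirm these are the site's own certificate and key and
    # not a sample pair shipped in the OpenWAF repository.
    ssl_certificate /opt/OpenWAF/conf/ssl/nginx.crt;
    ssl_certificate_key /opt/OpenWAF/conf/ssl/nginx.key;
    # SSLv2, SSLv3 and TLSv1 are broken (DROWN, POODLE, BEAST) and fail current
    # compliance baselines. The OpenSSL 1.1.0g this build links has no TLSv1.3,
    # so TLSv1.2 is the only protocol worth offering; add TLSv1.1 here only if
    # a specific legacy client is known to require it.
    ssl_protocols TLSv1.2;
    location / {
      index index.jsp index.html;
      proxy_set_header Host $host;
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header REMOTE-HOST $remote_addr;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      add_header From www.test.com;
      proxy_cookie_path /yjall/ /;
      proxy_set_header Cookie $http_cookie;
      proxy_pass http://site;
    }
    location ~ /upload/ {
      root /data/yjwstatic/JYSWY_UPLOAD;
    }
  }
}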
測試(一個注入攻擊):
http://www.test.com/?name=test AND 1=1
返回結果:
非法的訪問
您的訪問已被識別為攻擊並記錄.
如有任何意見或建議,請及時與管理員聯系
客戶端地址: 192.168.51.242
訪問的URL: http://www.test.com/
觸發的事件類型: attack.injection.sql.libinjection
UNIQUE_ID: gcNONWK6a1dkUYPzKAGLZTyPNexcGETXKn
規則文件目錄:
# ll /opt/OpenWAF/lib/twaf/inc/knowledge_db/twrules/
total 36
-rw-r--r-- 1 root root 15884 6月 6 16:24 rules.json
-rw-r--r-- 1 root root 18758 6月 6 16:24 rules.lua
這兩個文件有openwaf的所有規則