Hands-on: nginx + WAF (web application firewall)


Background

  To harden the web server, reduce the load on it and put one more layer of protection in front of it, so that fewer "unnecessary" attacks reach the server.

Requirements

  The existing servers already use nginx as the web server (why nginx, and what its advantages are, I will not belabor here; anyone interested can read up on it), so to put a protective layer in front of them the plan is to use nginx's module extensibility and build that wall in Lua. OpenResty is, after all, essentially the Lua edition of nginx! Compared with the alternatives it is quicker to implement and performs better, and above all there is OpenResty to use as a reference (what others can build, I can build too. Hmph...).

Technical implementation

  • Software dependencies for the environment
  1. luajit2-2.1-20201027.tar.gz
  2. lua-nginx-module-0.10.19.tar.gz
  3. lua-resty-core-0.1.21.tar.gz
  4. lua-resty-lrucache-0.10.tar.gz
  5. nginx-1.16.1.tar.gz
  6. ngx_lua_waf-0.7.2.tar.gz
  7. ngx_devel_kit-0.3.1.tar.gz
  • Procedure

   First extract all the archives: tar -zxvf filename.tar.gz

   Installing LuaJIT

[root@cluste-black-node1 opt]# cd luajit2-2.1-20201027/
[root@cluste-black-node1 luajit2-2.1-20201027]# ls
COPYRIGHT  doc  dynasm  etc  Makefile  README  README.md  src  t
[root@cluste-black-node1 luajit2-2.1-20201027]# make install PREFIX=/usr/local/LuaJIT

    Output like the following indicates success:

==== Installing LuaJIT 2.1.0-beta3 to /usr/local/LuaJIT ====
mkdir -p /usr/local/LuaJIT/bin /usr/local/LuaJIT/lib /usr/local/LuaJIT/include/luajit-2.1 /usr/local/LuaJIT/share/man/man1 /usr/local/LuaJIT/lib/pkgconfig /usr/local/LuaJIT/share/luajit-2.1.0-beta3/jit /usr/local/LuaJIT/share/lua/5.1 /usr/local/LuaJIT/lib/lua/5.1
cd src && install -m 0755 luajit /usr/local/LuaJIT/bin/luajit-2.1.0-beta3
cd src && test -f libluajit.a && install -m 0644 libluajit.a /usr/local/LuaJIT/lib/libluajit-5.1.a || :
rm -f /usr/local/LuaJIT/lib/libluajit-5.1.so.2.1.0 /usr/local/LuaJIT/lib/libluajit-5.1.so /usr/local/LuaJIT/lib/libluajit-5.1.so.2
cd src && test -f libluajit.so && \
  install -m 0755 libluajit.so /usr/local/LuaJIT/lib/libluajit-5.1.so.2.1.0 && \
  ( ldconfig -n 2>/dev/null /usr/local/LuaJIT/lib || : ) && \
  ln -sf libluajit-5.1.so.2.1.0 /usr/local/LuaJIT/lib/libluajit-5.1.so && \
  ln -sf libluajit-5.1.so.2.1.0 /usr/local/LuaJIT/lib/libluajit-5.1.so.2 || :
cd etc && install -m 0644 luajit.1 /usr/local/LuaJIT/share/man/man1
cd etc && sed -e "s|^prefix=.*|prefix=/usr/local/LuaJIT|" -e "s|^multilib=.*|multilib=lib|" luajit.pc > luajit.pc.tmp && \
  install -m 0644 luajit.pc.tmp /usr/local/LuaJIT/lib/pkgconfig/luajit.pc && \
  rm -f luajit.pc.tmp
cd src && install -m 0644 lua.h lualib.h lauxlib.h luaconf.h lua.hpp luajit.h /usr/local/LuaJIT/include/luajit-2.1
cd src/jit && install -m 0644 bc.lua bcsave.lua dump.lua p.lua v.lua zone.lua dis_x86.lua dis_x64.lua dis_arm.lua dis_arm64.lua dis_arm64be.lua dis_ppc.lua dis_mips.lua dis_mipsel.lua dis_mips64.lua dis_mips64el.lua vmdef.lua /usr/local/LuaJIT/share/luajit-2.1.0-beta3/jit
ln -sf luajit-2.1.0-beta3 /usr/local/LuaJIT/bin/luajit
==== Successfully installed LuaJIT 2.1.0-beta3 to /usr/local/LuaJIT ====

    Installing lua-resty-core

[root@cluste-black-node1 opt]# cd lua-resty-core-0.1.21/
[root@cluste-black-node1 lua-resty-core-0.1.21]# ls
dist.ini  lib  Makefile  README.markdown  t  valgrind.suppress
[root@cluste-black-node1 lua-resty-core-0.1.21]# make install PREFIX=/usr/local/LuaLIB
install -d /usr/local/LuaLIB/lib/lua//resty/core/
install -d /usr/local/LuaLIB/lib/lua//ngx/
install -d /usr/local/LuaLIB/lib/lua//ngx/ssl
install lib/resty/*.lua /usr/local/LuaLIB/lib/lua//resty/
install lib/resty/core/*.lua /usr/local/LuaLIB/lib/lua//resty/core/
install lib/ngx/*.lua /usr/local/LuaLIB/lib/lua//ngx/
install lib/ngx/ssl/*.lua /usr/local/LuaLIB/lib/lua//ngx/ssl/

    Installing lua-resty-lrucache

[root@cluste-black-node1 opt]# cd lua-resty-lrucache-0.10/
[root@cluste-black-node1 lua-resty-lrucache-0.10]# ls
dist.ini  lib  Makefile  README.markdown  t  valgrind.suppress
[root@cluste-black-node1 lua-resty-lrucache-0.10]# make install PREFIX=/usr/local/LuaLIB
install -d //usr/local/LuaLIB/lib/lua//resty/lrucache
install lib/resty/*.lua //usr/local/LuaLIB/lib/lua//resty/
install lib/resty/lrucache/*.lua //usr/local/LuaLIB/lib/lua//resty/lrucache/

    Note: building lua-nginx-module requires editing one of its files.

[root@cluste-black-node1 opt]# cd lua-nginx-module-0.10.19/
[root@cluste-black-node1 lua-nginx-module-0.10.19]# ls
config  doc  dtrace  misc  README.markdown  src  t  tapset  util  valgrind.suppress

    Add the environment variables to it as follows:

[root@cluste-black-node1 lua-nginx-module-0.10.19]# vim config 

LUAJIT_INC=/usr/local/LuaJIT/include/luajit-2.1
LUAJIT_LIB=/usr/local/LuaJIT/lib

ngx_lua_opt_I=
ngx_lua_opt_L=
luajit_ld_opt=

ngx_feature_name=
ngx_feature_run=no
ngx_feature_incs=
ngx_feature_test=

if [ -n "$LUAJIT_INC" -o -n "$LUAJIT_LIB" ]; then
    # explicitly set LuaJIT paths

    Build nginx. To include the modules, the configure arguments are as follows:

./configure --with-debug --with-http_realip_module --with-stream_realip_module --prefix=/usr/local/nginx --with-ld-opt="-Wl,-rpath,/usr/local/LuaJIT/lib" --add-module=/opt/ngx_devel_kit-0.3.1 --add-module=/opt/lua-nginx-module-0.10.19

    Once configure succeeds and generates the Makefile, run make && make install.

    Then place the extracted WAF module under the conf directory of the nginx installation path.

    Edit the RulePath and logdir paths in config.lua inside the waf folder, then save and exit.

[root@cluste-black-node1 conf]# vim waf/config.lua 

RulePath = "/usr/local/nginx/conf/waf/wafconf/"
attacklog = "on"
logdir = "/usr/local/nginx/logs/hack/"

    Edit the nginx configuration file and add the Lua path settings to the http block:

lua_package_path "/usr/local/nginx/conf/waf/?.lua;/usr/local/LuaLIB/lib/lua/?.lua;;";
lua_shared_dict limit 10m;
init_by_lua_file /usr/local/nginx/conf/waf/init.lua;
access_by_lua_file /usr/local/nginx/conf/waf/waf.lua;

    In the server block of the nginx configuration, add a /lua location to serve the test resource:

location /lua {
            default_type 'text/html';
            content_by_lua 'ngx.say("Hi Lua")';
}

    Requesting it with curl returns the string Hi Lua.

curl http://<ip>:<port>/lua

    Requesting an illegal resource with curl outputs the string configured in the WAF, which shows that the application firewall is in effect.

curl "http://<ip>:<port>/lua?id=/etc/passwd"
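Before reloading nginx it is worth validating the paths from waf/config.lua, because ngx_lua_waf does not create logdir itself: when the directory is missing or not writable by the worker user, the attack-log file cannot be opened and nothing is written, so the WAF blocks requests but leaves no record. The following is an added example, not code from the post or from ngx_lua_waf; it assumes the three keys shown above and its function names (waf_config_value, waf_config_check) are its own.

```shell
# Added example, not code from the post or from ngx_lua_waf: validate the paths
# set in waf/config.lua before reloading nginx. ngx_lua_waf does not create
# logdir; when it is missing or not writable by the worker user the attack log
# open fails and nothing is written, so the WAF looks active but logs nothing.
# Assumes the three keys shown above; both function names are this example's own.

# waf_config_value FILE KEY -> prints the double-quoted value of KEY in FILE
waf_config_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$1" | head -n 1
}

# waf_config_check FILE -> 0 when RulePath holds rule files and, if attacklog
# is on, logdir exists and is writable by the user running this check.
# Run it as the nginx worker user (e.g. via su -s /bin/sh <user>) so the
# writability test reflects what the workers will see.
waf_config_check() {
    cfg="$1"
    rulepath=$(waf_config_value "$cfg" RulePath)
    logdir=$(waf_config_value "$cfg" logdir)
    attacklog=$(waf_config_value "$cfg" attacklog)
    rc=0

    if [ -z "$rulepath" ] || [ ! -d "$rulepath" ]; then
        echo "RulePath '$rulepath' is not a directory" >&2; rc=1
    elif [ -z "$(ls -A "$rulepath")" ]; then
        echo "RulePath '$rulepath' contains no rule files" >&2; rc=1
    fi

    if [ "$attacklog" = "on" ]; then
        if [ -z "$logdir" ] || [ ! -d "$logdir" ]; then
            echo "logdir '$logdir' does not exist; attack logs will not be written" >&2; rc=1
        elif [ ! -w "$logdir" ]; then
            echo "logdir '$logdir' is not writable by $(id -un)" >&2; rc=1
        fi
    fi
    return $rc
}
```

Calling waf_config_check /usr/local/nginx/conf/waf/config.lua as the worker user before nginx -s reload catches the silent-log case that a successful config test does not.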
  • Troubleshooting

     When downloading LuaJIT I initially downloaded a very old version, which made the environment setup fail. Remember that the LuaJIT to download is the one from the OpenResty open-source code.

    Setting the two environment variables for lua-nginx-module with export did not seem to take effect, which led to the following:

checking for LuaJIT 2.x ... not found
    ./configure: error: unsupported LuaJIT version; ngx_http_lua_module requires LuaJIT 2.x.
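The LuaJIT check that configure performs can be run up front, so a wrong or too-old LuaJIT tree fails with an explicit reason instead of the generic "not found" above. This is an added example, not part of the original post; it assumes the /usr/local/LuaJIT prefix used in the install above and reads LUAJIT_VERSION_NUM from luajit.h to enforce the same 2.x requirement the error message names. The function names (luajit_preflight, luajit_env) are this example's own.

```shell
# Added example, not from the original post: a preflight check for the LuaJIT
# paths that lua-nginx-module's config script reads via LUAJIT_INC/LUAJIT_LIB.
# Assumes the /usr/local/LuaJIT prefix used in the install above; both
# function names (luajit_preflight, luajit_env) are this example's own.

# luajit_preflight [INC_DIR] [LIB_DIR]
# Returns 0 when a LuaJIT 2.x header and library are present, 1 otherwise,
# naming the missing piece instead of the generic "not found" from configure.
luajit_preflight() {
    inc="${1:-/usr/local/LuaJIT/include/luajit-2.1}"
    lib="${2:-/usr/local/LuaJIT/lib}"

    if [ ! -f "$inc/luajit.h" ]; then
        echo "missing $inc/luajit.h (wrong LUAJIT_INC, or LuaJIT not installed)" >&2
        return 1
    fi
    # 'make install' above produced libluajit-5.1.so (and .a for a static build).
    if [ ! -f "$lib/libluajit-5.1.so" ] && [ ! -f "$lib/libluajit-5.1.a" ]; then
        echo "missing libluajit-5.1.so/.a in $lib (wrong LUAJIT_LIB)" >&2
        return 1
    fi
    # luajit.h defines LUAJIT_VERSION_NUM (20100 for 2.1); the module needs 2.x,
    # i.e. at least 20000. An old LuaJIT 1.x tree fails here, not in configure.
    ver=$(sed -n 's/^#define LUAJIT_VERSION_NUM[[:space:]]*\([0-9]*\).*/\1/p' "$inc/luajit.h")
    if [ -z "$ver" ] || [ "$ver" -lt 20000 ]; then
        echo "LuaJIT at $inc is not 2.x (LUAJIT_VERSION_NUM=${ver:-unknown})" >&2
        return 1
    fi
    return 0
}

# luajit_env [INC_DIR] [LIB_DIR]
# Exports the two variables the config script tests ([ -n "$LUAJIT_INC" ... ]).
# They must be exported in the same shell that then runs ./configure; the post
# sidestepped this by writing the paths into the config file directly.
luajit_env() {
    LUAJIT_INC="${1:-/usr/local/LuaJIT/include/luajit-2.1}"
    LUAJIT_LIB="${2:-/usr/local/LuaJIT/lib}"
    export LUAJIT_INC LUAJIT_LIB
}

# Usage from the shell that will run ./configure:
#   . ./luajit_preflight.sh && luajit_env && luajit_preflight && ./configure ...
```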

 

The same build also goes through on the f-stack platform, and the WAF takes effect there; the only difference is that when building nginx you have to edit the Makefile generated under the objs directory and remove Werror from it.

 f-stack reports the following error:

/opt/lua-nginx-module-0.10.19/src/ngx_http_lua_socket_udp.c: In function ‘ngx_http_lua_udp_connect’:
/opt/lua-nginx-module-0.10.19/src/ngx_http_lua_socket_udp.c:1435:9: error: the address of ‘ngx_add_event’ will always evaluate as ‘true’ [-Werror=address]
     if (ngx_add_event) {
         ^
cc1: all warnings being treated as errors
make[1]: *** [objs/addon/src/ngx_http_lua_socket_udp.o] Error 1
make[1]: Leaving directory `/opt/f-stack/app/nginx-1.16.1'
make: *** [build] Error 2

  Running DPDK inside a virtual machine may run into problems, such as the NIC not being supported.

