ngx_lua_waf是一个基于lua-nginx-module(openresty)的web应用防火墙,对于中小企业或不愿购置硬件防火墙的企业的首选,能有效保证网站的安全性。
0x1 安装部署
系统版本:Centos7 x86_64
安装依赖包
yum install -y readline-devel pcre-devel openssl-devel
1、openresty的安装配置
cd /usr/local/src
wget https://openresty.org/download/openresty-1.9.15.1.tar.gz
tar -zxvf openresty-1.9.15.1.tar.gz
cd openresty-1.9.15.1
./configure --prefix=/usr/local/openresty-1.9.15.1 --with-luajit --with-http_stub_status_module --with-pcre --with-pcre-jit
gmake && gmake install
ln -s /usr/local/openresty-1.9.15.1/ /usr/local/openresty
测试启动nginx
/usr/local/openresty/nginx/sbin/nginx -t
成功启动nginx显示如下
nginx: the configuration file /usr/local/openresty-1.9.15.1/nginx/conf/nginx.conf syntax is ok nginx: configuration file /usr/local/openresty-1.9.15.1/nginx/conf/nginx.conf test is successful
启动nginx
/usr/local/openresty/nginx/sbin/nginx
2、配置nginx_lua_waf
将git获取的文件放到nginx的conf目录下
<a href="https://github.com/loveshell/ngx_lua_waf.git" target="_blank">在nginx.conf的http段添加</a>
<a href="https://github.com/loveshell/ngx_lua_waf.git" target="_blank">lua_package_path "/usr/local/openresty/nginx/conf/ngx_lua_waf/?.lua";</a>
<a href="https://github.com/loveshell/ngx_lua_waf.git" target="_blank">lua_shared_dict limit 10m;</a>
<a href="https://github.com/loveshell/ngx_lua_waf.git" target="_blank">init_by_lua_file /usr/local/openresty/nginx/conf/ngx_lua_waf/init.lua;</a>
<a href="https://github.com/loveshell/ngx_lua_waf.git" target="_blank">access_by_lua_file /usr/local/openresty/nginx/conf/ngx_lua_waf/waf.lua;</a>
<a href="https://github.com/loveshell/ngx_lua_waf.git" target="_blank">配置config.lua里的waf规则目录(一般在ngx_lua_waf/wafconf/目录下)</a>
<a href="https://github.com/loveshell/ngx_lua_waf.git" target="_blank">RulePath = "/usr/local/openresty/nginx/conf/ngx_lua_waf/wafconf"</a>
<a href="https://github.com/loveshell/ngx_lua_waf.git" target="_blank">attacklog = "on"</a>
<a href="https://github.com/loveshell/ngx_lua_waf.git" target="_blank">logdir = "/usr/local/nginx/logs/waf"</a>
3、waf日志配置
#将nginx.conf首行的”# user nobody;”的”#”注释去掉,重新启动nginx服务 user nobody #将防护日志目录所属user和group修改为nobody,目录权限可设为700也可以写入,当然也可以默认
cd /usr/local/nginx/conf
//chown -R nobay.nobady waf
//chmod 700 waf
因为nginx、php模块等是单独安装的,所以每次重启服务器都需要重启相应的服务
cd /usr/local/openresty/nginx/sbin
./nginx (不关闭nginx而重新加载配置文件 ./nginx -t)
0x2 nginx_lua_waf测试
启动php
直接执行/usr/sbin/php-fpm
测试SQL注入漏洞
<a href="https://s5.51cto.com/oss/201711/09/f090a0947a33c0f226e924b861a481f9.png-wh_500x0-wm_3-wmp_4-s_393516169.png" target="_blank"></a>
测试结果
<a href="https://s4.51cto.com/oss/201711/09/6abdacb3269720682b3e47d77a6398db.png-wh_500x0-wm_3-wmp_4-s_3813107689.png" target="_blank"></a>
测试任意文件读取
<a href="https://s5.51cto.com/oss/201711/09/4fa86ef73f1a6993a4045bdabf39aea1.png-wh_500x0-wm_3-wmp_4-s_1812848887.png" target="_blank"></a>
进行CC攻击测试
<a href="https://s2.51cto.com/oss/201711/09/41cdfdb1dbcf7eedda1f53a595589ee8.png-wh_500x0-wm_3-wmp_4-s_130261396.png" target="_blank"></a>
通过查看waf_logs可以看到waf拦截的所有的攻击操作
<a href="https://s3.51cto.com/oss/201711/09/909f018bed3c69a02e515cd117ae2aa0.jpg-wh_500x0-wm_3-wmp_4-s_3835973093.jpg" target="_blank"></a>
通过waf_logs可以看到无论是sql注入、任意文件读取还是CC攻击都被成功的拦截,waf的部署是成功可靠的!
本文转自Tar0 51CTO博客,原文链接:http://blog.51cto.com/tar0cissp/1980249,如需转载请自行联系原作者
![修改or隐藏nginx版本号[图]](data:image/gif;base64,R0lGODlhAQABAIAAAP///wAAACwAAAAAAQABAAACAkQBADs=)