# Dockerfile to build openresety Installed Containers
FROM 192.168.1.67/library/centos7.4:v1
MAINTAINER xiayun 

#Install necessary tools 
RUN yum install -y pcre-devel wget net-tools gcc zlib zlib-devel make openssl-devel unzip python-devel
#download tar.gz
ADD https://openresty.org/download/openresty-1.11.2.5.tar.gz .
ADD http://labs.frickle.com/files/ngx_cache_purge-2.3.tar.gz .
ADD https://github.com/loveshell/ngx_lua_waf/archive/master.zip .
#unzip 
RUN tar zxvf ngx_cache_purge-2.3.tar.gz 
RUN tar -zxvf openresty-1.11.2.5.tar.gz 
RUN unzip master.zip
#install openresety
RUN cd openresty-1.11.2.5 && ./configure --prefix=/usr/local/openresty --with-luajit --with-http_stub_status_module --with-pcre --with-pcre-jit --add-module=../ngx_cache_purge-2.3/ && gmake && gmake install
RUN mkdir /usr/local/openresty/nginx/conf/waf/
RUN mkdir /usr/local/openresty/nginx/logs/hack/
RUN cp -r /ngx_lua_waf-master/* /usr/local/openresty/nginx/conf/waf/
RUN mv /usr/local/openresty/nginx/conf/nginx.conf /usr/local/openresty/nginx/conf/nginx.conf.bak
RUN mv /usr/local/openresty/nginx/conf/waf/config.lua /usr/local/openresty/nginx/conf/waf/config.bak
COPY .nginx_conf /usr/local/openresty/nginx/conf/nginx.conf
COPY config.lua /usr/local/openresty/nginx/conf/waf/config.lua
#add user nginx 
RUN useradd -s /sbin/nologin nginx
#chown nginx
RUN chown  -R nginx.nginx /usr/local/openresty/
RUN chown  -R nginx.nginx /ngx_cache_purge-2.3
#Expose ports for 80
EXPOSE 80
#start openresty
CMD /usr/local/openresty/nginx/sbin/nginx -g "daemon off;"

附1:.nginx_conf 与Dockerfile在同一路径

user  nginx nginx;
worker_processes 2;
error_log  /usr/local/openresty/nginx/logs/nginx_error.log  error;
pid        /usr/local/openresty/nginx/nginx.pid;
worker_rlimit_nofile 65535;
events
{
use epoll;
worker_connections 65535;
}
http
{
lua_package_path "/usr/local/openresty/nginx/conf/waf/?.lua";
lua_shared_dict limit 10m;
init_by_lua_file  /usr/local/openresty/nginx/conf/waf/init.lua;
access_by_lua_file /usr/local/openresty/nginx/conf/waf/waf.lua;
include       mime.types;
default_type  application/octet-stream;
charset   utf-8;
server_tokens off;
log_format main '$host $status [$time_local] $upstream_addr $remote_addr - $remote_user [$time_local] $request_uri '
'"$http_referer" "$http_user_agent" "$http_x_forwarded_for" '
'$bytes_sent $request_time $sent_http_x_cache_hit "$upstream_cache_status"';
log_format log404 '$status [$time_local] $remote_addr $host$request_uri $sent_http_location';
server_names_hash_bucket_size 128;
client_header_buffer_size 32k;
large_client_header_buffers 4 32k;
client_max_body_size 300m;
sendfile on;
fastcgi_intercept_errors on;
tcp_nopush     on;
keepalive_timeout 20;
tcp_nodelay on;
client_body_timeout 10;
client_body_buffer_size  512k;
gzip on;
gzip_min_length  1k;
gzip_buffers     4 16k;
gzip_http_version 1.1;
gzip_comp_level 2;
gzip_types       text/plain application/x-javascript text/css application/xml;
gzip_vary on;
send_timeout 60;
open_file_cache max=200000 inactive=20s;
open_file_cache_valid 30s;
open_file_cache_min_uses 2;
open_file_cache_errors on;
ssi on;
ssi_silent_errors on;
ssi_types text/shtml;
server
{
listen       80;
server_name  localhost;
index index.html index.htm index.shtml index.php;
	root /usr/local/openresty/nginx/html;
	
if ($http_user_agent ~* "Baiduspider-render|qihoobot|Baiduspider|Googlebot|Googlebot-Mobile|Googlebot-Image|Mediapartners-Google|Adsbot-Google|Feedfetcher-Google|Yahoo! Slurp|Yahoo! Slurp China|YoudaoBot|Sosospider|Sogou spider|Sogou web spider|MSNBot|ia_archiver|Tomato Bot")
{
return 403;
}
location ~ \.php$ {
include fastcgi_params;
fastcgi_pass unix:/tmp/php-fcgi.sock;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME /usr/local/nginx/html$fastcgi_script_name;
}
}
}

附2:config.lua与Dockerfile同一路径

RulePath = "/usr/local/openresty/nginx/conf/waf/wafconf/"
attacklog = "on"
logdir = "/usr/local/openresty/nginx/logs/hack/"
UrlDeny="off"
Redirect="off"
CookieMatch="off"
postMatch="off" 
whiteModule="off" 
black_fileExt={"php","jsp"}
ipWhitelist={"127.0.0.1","192.168.20.25"}
ipBlocklist={}
CCDeny="off"
CCrate="100/60"
html=[[


网站防火墙





 
  
  
  
    网站防火墙 
           您的请求带有不合法参数,已被网站管理员设置拦截!

可能原因:您提交的内容包含危险的***请求

如何解决:

1)检查提交内容; 2)如网站托管,请联系空间提供商; 3)普通网站访客,请联系网站管理员;