Embedding a WAF in an LNMP Cluster Architecture

Preface:

I had planned to post one article a day, but after a few days I noticed how many strong bloggers are already out there and decided not to embarrass myself, so I spent the time studying security protection instead. After all, security awareness decides how well you can defend on the internet: DDoS, XSS and CSRF show up constantly, as do basic attack methods such as SQL injection, web parameter tampering and CC (HTTP flood) attacks. Below is my record of the full process of embedding a WAF into an LNMP architecture, applied to a real cluster, together with the protection module written in Lua.

Hands-on:

The server architecture is shown below:

[Figure 1: server architecture diagram]

I. High availability and load balancing for the web server cluster

1. High availability: nginx + keepalived

master (web1) 192.168.0.230

slave (web2) 192.168.0.211

VIP: 192.168.0.100

2. Install keepalived on both nodes

[root@web1 ~]# yum install -y keepalived

3. Create the nginx health-check script

[root@web1 ~]# mkdir -p /server/work

[root@web1 ~]# cd  /server/work/

[root@web1 work]# vim check_ng.sh

#!/bin/bash
# write by leo
# If no nginx process is running, start nginx and count again.
# If the count is still 0, nginx cannot be started on this node, so stop
# keepalived here and let the VIP fail over to the backup node.

d=$(date --date today +%Y%m%d_%H:%M:%S)
n=$(ps -C nginx --no-heading | wc -l)

if [ "$n" -eq 0 ]; then
        /etc/init.d/nginx start
        n2=$(ps -C nginx --no-heading | wc -l)
        if [ "$n2" -eq 0 ]; then
                echo "$d nginx down, keepalived will stop" >> /server/logs/nginx/check_ng.log
                systemctl stop keepalived
        fi
fi

[root@web1 work]# mkdir -p /server/logs/nginx

[root@web1 work]# chmod +x  check_ng.sh

4. Edit the keepalived configuration on the master

[root@web1 ~]# vim /etc/keepalived/keepalived.conf

! Configuration File for keepalived

global_defs {  

             notification_email {

                            [email protected]  

              }  

              notification_email_from root@web1  

              smtp_server 127.0.0.1

              smtp_connect_timeout 30

              router_id LVS_DEVEL

}  

vrrp_script chk_nginx {    

                script "/server/work/check_ng.sh"

                interval 3

}

vrrp_instance VI_1 {    

                state MASTER    

                interface ens33    

                virtual_router_id 51

                priority 100

                advert_int 1

                authentication {        

                                auth_type PASS        

                                auth_pass 000000

                }    

                virtual_ipaddress {

                                192.168.0.100

                }    

                track_script {        

                                chk_nginx    

                }

}

Two things in this file need tightening before production use. auth_type PASS sends auth_pass in cleartext inside every VRRP advertisement, and 000000 is a trivial value, so any host on the 192.168.0.0/24 segment that can send VRRP (IP protocol 112 to 224.0.0.18) can claim the VIP; keepalived's own documentation marks VRRP authentication as deprecated, so restrict VRRP at the switch or host firewall to the two nodes instead of relying on the password. The track script also runs with root's privileges every 3 seconds, so /server/work/check_ng.sh must stay owned by root and writable by root only.

[root@web1 ~]# systemctl stop nginx

[root@web1 ~]# systemctl status nginx

● nginx.service - LSB: starts the nginx web server
   Loaded: loaded (/etc/rc.d/init.d/nginx; bad; vendor preset: disabled)
   Active: inactive (dead)
     Docs: man:systemd-sysv-generator(8)

[root@web1 ~]# systemctl start keepalived

[root@web1 ~]# systemctl status keepalived

● keepalived.service - LVS and VRRP High Availability Monitor
   Loaded: loaded (/usr/lib/systemd/system/keepalived.service; disabled; vendor preset: disabled)
   Active: active (running) since Fri 2018-07-13 15:06:13 CST; 32s ago
  Process: 14019 ExecStart=/usr/sbin/keepalived $KEEPALIVED_OPTIONS (code=exited, status=0/SUCCESS)
 Main PID: 14020 (keepalived)
   CGroup: /system.slice/keepalived.service
           ├─14020 /usr/sbin/keepalived -D
           ├─14021 /usr/sbin/keepalived -D
           └─14022 /usr/sbin/keepalived -D

Jul 13 15:06:15 web1 Keepalived_vrrp[14022]: Sending gratuitous ARP on...
Jul 13 15:06:15 web1 Keepalived_vrrp[14022]: Sending gratuitous ARP on...
Jul 13 15:06:15 web1 Keepalived_vrrp[14022]: Sending gratuitous ARP on...
Jul 13 15:06:15 web1 Keepalived_vrrp[14022]: Sending gratuitous ARP on...
Jul 13 15:06:20 web1 Keepalived_vrrp[14022]: Sending gratuitous ARP on...
Jul 13 15:06:20 web1 Keepalived_vrrp[14022]: VRRP_Instance(VI_1) Sendi...
Jul 13 15:06:20 web1 Keepalived_vrrp[14022]: Sending gratuitous ARP on...
Jul 13 15:06:20 web1 Keepalived_vrrp[14022]: Sending gratuitous ARP on...
Jul 13 15:06:20 web1 Keepalived_vrrp[14022]: Sending gratuitous ARP on...
Jul 13 15:06:20 web1 Keepalived_vrrp[14022]: Sending gratuitous ARP on...
Hint: Some lines were ellipsized, use -l to show in full.

5. Edit the keepalived configuration on the slave

[root@web2 ~]# vim /etc/keepalived/keepalived.conf

! Configuration File for keepalived

global_defs {  

            notification_email {

                            [email protected]  

            }  

            notification_email_from root@web2  

            smtp_server 127.0.0.1

            smtp_connect_timeout 30

            router_id LVS_DEVEL

}  

vrrp_script chk_nginx {    

            script "/server/work/check_ng.sh"

            interval 3

}

vrrp_instance VI_1 {

            state BACKUP    

            interface ens33    

            virtual_router_id 51

            priority 90

            advert_int 1

            authentication {        

                            auth_type PASS        

                            auth_pass 000000

            }    

            virtual_ipaddress {

                            192.168.0.100

            }    

            track_script {        

                            chk_nginx    

            }

}

[root@web2 ~]# systemctl stop nginx

[root@web2 ~]# systemctl status nginx

● nginx.service - LSB: starts the nginx web server
   Loaded: loaded (/etc/rc.d/init.d/nginx; bad; vendor preset: disabled)
   Active: inactive (dead)
     Docs: man:systemd-sysv-generator(8)

[root@web2 ~]# systemctl start keepalived

[root@web2 ~]# systemctl status keepalived

● keepalived.service - LVS and VRRP High Availability Monitor
   Loaded: loaded (/usr/lib/systemd/system/keepalived.service; disabled; vendor preset: disabled)
   Active: active (running) since Fri 2018-07-13 15:07:20 CST; 43s ago
  Process: 13279 ExecStart=/usr/sbin/keepalived $KEEPALIVED_OPTIONS (code=exited, status=0/SUCCESS)
 Main PID: 13280 (keepalived)
   CGroup: /system.slice/keepalived.service
           ├─13280 /usr/sbin/keepalived -D
           ├─13281 /usr/sbin/keepalived -D
           └─13282 /usr/sbin/keepalived -D

Jul 13 15:07:20 web2 Keepalived_vrrp[13282]: Registering Kernel netlin...
Jul 13 15:07:20 web2 Keepalived_vrrp[13282]: Registering gratuitous AR...
Jul 13 15:07:20 web2 Keepalived_vrrp[13282]: Opening file '/etc/keepal...
Jul 13 15:07:20 web2 Keepalived_vrrp[13282]: WARNING - default user 'k...
Jul 13 15:07:20 web2 Keepalived_vrrp[13282]: SECURITY VIOLATION - scri...
Jul 13 15:07:20 web2 Keepalived_vrrp[13282]: VRRP_Instance(VI_1) remov...
Jul 13 15:07:20 web2 Keepalived_vrrp[13282]: Using LinkWatch kernel ne...
Jul 13 15:07:20 web2 Keepalived_vrrp[13282]: VRRP_Instance(VI_1) Enter...
Jul 13 15:07:20 web2 Keepalived_vrrp[13282]: VRRP sockpool: [ifindex(2...
Jul 13 15:07:20 web2 Keepalived_vrrp[13282]: VRRP_Script(chk_nginx) su...
Hint: Some lines were ellipsized, use -l to show in full.

Two of these log lines matter. "WARNING - default user 'k..." and "SECURITY VIOLATION - scri..." are keepalived complaining that it is executing track scripts without script security enabled: add enable_script_security and script_user root to global_defs, and keep /server/work/check_ng.sh owned by root and not writable by anyone else (with script security on, keepalived refuses to run a script that fails that check). "VRRP_Script(chk_nginx) su..." confirms the check itself ran.

6. Check the IP addresses on the master

[root@web1 ~]# ip a
1: lo: mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: ens33: mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:0c:29:c5:33:97 brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.230/24 brd 192.168.0.255 scope global noprefixroute dynamic ens33
       valid_lft 6103sec preferred_lft 6103sec
    inet 192.168.0.100/32 scope global ens33
       valid_lft forever preferred_lft forever

7. Check the IP addresses on the slave

[root@web2 ~]# ip a

1: lo: mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: ens33: mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:0c:29:d7:df:dc brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.211/24 brd 192.168.0.255 scope global noprefixroute dynamic ens33
       valid_lft 6107sec preferred_lft 6107sec
    inet6 fe80::20c:29ff:fed7:dfdc/64 scope link
       valid_lft forever preferred_lft forever

8. Stop keepalived on the master (simulating a master outage; note that a clean stop exercises failover only, not split-brain, which is the case where both nodes hold the VIP at the same time)

[root@web1 ~]# systemctl stop keepalived

[root@web1 ~]# systemctl status keepalived

● keepalived.service - LVS and VRRP High Availability Monitor
   Loaded: loaded (/usr/lib/systemd/system/keepalived.service; disabled; vendor preset: disabled)
   Active: inactive (dead)

Jul 13 15:06:20 web1 Keepalived_vrrp[14022]: Sending gratuitous ARP on...
Jul 13 15:06:20 web1 Keepalived_vrrp[14022]: Sending gratuitous ARP on...
Jul 13 15:06:20 web1 Keepalived_vrrp[14022]: Sending gratuitous ARP on...
Jul 13 15:11:20 web1 systemd[1]: Stopping LVS and VRRP High Availabil....
Jul 13 15:11:20 web1 Keepalived[14020]: Stopping
Jul 13 15:11:20 web1 Keepalived_vrrp[14022]: VRRP_Instance(VI_1) sent ...
Jul 13 15:11:20 web1 Keepalived_vrrp[14022]: VRRP_Instance(VI_1) remov...
Jul 13 15:11:21 web1 Keepalived_vrrp[14022]: Stopped
Jul 13 15:11:21 web1 Keepalived[14020]: Stopped Keepalived v1.3.5 (03...2
Jul 13 15:11:21 web1 systemd[1]: Stopped LVS and VRRP High Availabili....
Hint: Some lines were ellipsized, use -l to show in full.

9. Check the state on the slave (the VIP has moved to ens33 on web2)

[root@web2 ~]# ip a

1: lo: mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: ens33: mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:0c:29:d7:df:dc brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.211/24 brd 192.168.0.255 scope global noprefixroute dynamic ens33
       valid_lft 5895sec preferred_lft 5895sec
    inet 192.168.0.100/32 scope global ens33
       valid_lft forever preferred_lft forever
    inet6 fe80::20c:29ff:fed7:dfdc/64 scope link
       valid_lft forever preferred_lft forever

[root@web2 ~]# systemctl status  keepalived

● keepalived.service - LVS and VRRP High Availability Monitor
   Loaded: loaded (/usr/lib/systemd/system/keepalived.service; disabled; vendor preset: disabled)
   Active: active (running) since Fri 2018-07-13 15:07:20 CST; 7min ago
  Process: 13279 ExecStart=/usr/sbin/keepalived $KEEPALIVED_OPTIONS (code=exited, status=0/SUCCESS)
 Main PID: 13280 (keepalived)
   CGroup: /system.slice/keepalived.service
           ├─13280 /usr/sbin/keepalived -D
           ├─13281 /usr/sbin/keepalived -D
           └─13282 /usr/sbin/keepalived -D

Jul 13 15:12:22 web2 Keepalived_vrrp[13282]: Sending gratuitous ARP on...
Jul 13 15:12:22 web2 Keepalived_vrrp[13282]: Sending gratuitous ARP on...
Jul 13 15:12:22 web2 Keepalived_vrrp[13282]: Sending gratuitous ARP on...
Jul 13 15:12:22 web2 Keepalived_vrrp[13282]: Sending gratuitous ARP on...
Jul 13 15:12:27 web2 Keepalived_vrrp[13282]: Sending gratuitous ARP on...
Jul 13 15:12:27 web2 Keepalived_vrrp[13282]: VRRP_Instance(VI_1) Sendi...
Jul 13 15:12:27 web2 Keepalived_vrrp[13282]: Sending gratuitous ARP on...
Jul 13 15:12:27 web2 Keepalived_vrrp[13282]: Sending gratuitous ARP on...
Jul 13 15:12:27 web2 Keepalived_vrrp[13282]: Sending gratuitous ARP on...
Jul 13 15:12:27 web2 Keepalived_vrrp[13282]: Sending gratuitous ARP on...
Hint: Some lines were ellipsized, use -l to show in full.

10. Check packet loss

Simulate continuous access from a Windows host by pinging the VIP through the failover and watch how many packets are lost.

[Figure 2: ping output during failover]

II. Set up the shared storage server

1. NFS server on the master

[root@web1 web]# yum install -y rpcbind nfs-utils

2. NFS client on the slave

[root@web2 web]# yum install -y nfs-utils

3. Export the shared directory and start NFS on the master

[root@web1 web]# cat /etc/exports

/server/web 192.168.0.0/24(rw,sync,no_root_squash)

no_root_squash lets root on any host in 192.168.0.0/24 write to /server/web as root on web1, so a compromised web2 (or any other machine that can reach the export) gets root-level write access to the shared web root. Prefer root_squash with the same www uid/gid on both nodes, and remember that because the web root is shared, a file dropped by an upload on one node is served by both immediately.

[root@web1 web]# systemctl start nfs

4. Check and mount the export from the slave

[root@web2 web]# showmount -e 192.168.0.230

Export list for 192.168.0.230:
/server/web 192.168.0.0/24

[root@web2 web]# mount -t nfs 192.168.0.230:/server/web  /server/web    -o proto=tcp -o nolock

[root@web2 web]# ls

[root@web2 web]# df -h

Filesystem                 Size  Used Avail Use% Mounted on
/dev/mapper/centos-root     50G  4.2G   46G   9% /
devtmpfs                   899M     0  899M   0% /dev
tmpfs                      911M     0  911M   0% /dev/shm
tmpfs                      911M  9.6M  902M   2% /run
tmpfs                      911M     0  911M   0% /sys/fs/cgroup
/dev/sda1                 1014M  142M  873M  14% /boot
/dev/mapper/centos-home     47G   74M   47G   1% /home
tmpfs                      183M     0  183M   0% /run/user/0
192.168.0.230:/server/web   50G  4.2G   46G   9% /server/web


5. Edit the nginx vhost configuration (identical on both nodes)

[root@web1 ~]# cd /usr/local/nginx/conf/vhost/

[root@web1 vhost]# vim zt.conf

server {
        listen 80;
        #listen [::]:80 default_server ipv6only=on;
        server_name zt.linuxview.com;
        index index.html index.htm index.php;
        root /server/web/test;

        #error_page 404 /404.html;
        error_page 404 /404.html;

        include enable-php.conf;

        location /nginx_status {
                stub_status on;
                access_log off;
        }

        location ~* ^/data/(attachment|avatar)/.*\.(php|php5)$ {
                deny all;
        }

        location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$ {
                expires 30d;
        }

        location ~ .*\.(js|css)?$ {
                expires 12h;
        }

        location ~ /\. {
                deny all;
        }

        access_log /server/logs/nginx/zuitu/access.log;
        error_log /server/logs/nginx/zuitu/error.log;
}

/nginx_status has no access control here, so the stub_status counters are readable by anyone; add allow/deny directives in that location limiting it to localhost or the monitoring host. The deny on /data/(attachment|avatar)/*.php matters more than usual in this setup, since the upload directory is on the shared NFS export and a script dropped through one node is reachable through both.

6. Visit the page

[Figure 3: zt.linuxview.com served from the shared web root]

7. Configure the reverse proxy on the master

[root@web1 vhost]# vim xs.conf

server {
        listen 80;
        server_name xs.linuxview.com;

        location / {
                proxy_pass http://192.168.0.211:80;
                proxy_set_header Host xs.linuxview.com;
                proxy_redirect off;
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_connect_timeout 60;
                proxy_read_timeout 600;
                proxy_send_timeout 600;
        }

        access_log /server/logs/nginx/zuitu/access.log;
        error_log /server/logs/nginx/zuitu/error.log;
}

X-Real-IP must be $remote_addr, not a fixed address: with a constant such as the backend's own 192.168.0.211 in that header, every visitor is logged and rate-limited on the backend as if it were the backend, which defeats any IP-based rule behind the proxy. X-Forwarded-For built from $proxy_add_x_forwarded_for still contains whatever the client sent before the proxy appended $remote_addr, so the backend must trust only the right-most entry, and only for requests that arrive from 192.168.0.230.

[root@web1 vhost]# /usr/local/nginx/sbin/nginx -s reload

8. Configure the nginx vhost on the slave (the upstream the proxy forwards to)

[root@web2 vhost]# vim xs.conf

server {
        listen 80;
        #listen [::]:80 default_server ipv6only=on;
        server_name xs.linuxview.com;
        index index.html index.htm index.php;
        root /server/web/test3;

        #error_page 404 /404.html;
        error_page 404 /404.html;

        include enable-php.conf;

        location /nginx_status {
                stub_status on;
                access_log off;
        }

        location ~* ^/data/(attachment|avatar)/.*\.(php|php5)$ {
                deny all;
        }

        location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$ {
                expires 30d;
        }

        location ~ .*\.(js|css)?$ {
                expires 12h;
        }

        location ~ /\. {
                deny all;
        }

        access_log /server/logs/nginx/zuitu/access.log;
        error_log /server/logs/nginx/zuitu/error.log;
}

[root@web2 vhost]# /usr/local/nginx/sbin/nginx -s reload

9. Test in the browser

[Figure 4: xs.linuxview.com served through the proxy]

III. Embedding the WAF into the LNMP stack

1. Install the build dependencies

[root@waf ~]# yum install -y readline-devel pcre-devel openssl-devel gcc* git* libxml2*

2. Download LuaJIT 2.0.5 and build it from source

[root@waf ~]# mkdir -p /server/source

[root@waf ~]# cd /server/source/

[root@waf source]# wget http://luajit.org/download/LuaJIT-2.0.5.tar.gz

[root@waf source]# tar -xf LuaJIT-2.0.5.tar.gz

[root@waf source]# cd LuaJIT-2.0.5

[root@waf LuaJIT-2.0.5]# export LUAJIT_LIB=/usr/local/lib

[root@waf LuaJIT-2.0.5]# export LUAJIT_INC=/usr/local/include/luajit-2.0

[root@waf LuaJIT-2.0.5]# make && make install  &&  ln -s /usr/local/lib/libluajit-5.1.so.2 /lib64/libluajit-5.1.so.2

Signs of a successful install:

[Figure 5: LuaJIT make install output]

3. Download and build OpenResty

[root@waf source]# wget https://openresty.org/download/openresty-1.11.2.2.tar.gz

[root@waf source]# tar -xf openresty-1.11.2.2.tar.gz

[root@waf source]# cd openresty-1.11.2.2

[root@waf openresty-1.11.2.2]# ./configure --prefix=/usr/local/openresty  --user=www  --group=www  --with-luajit --with-http_v2_module  --with-http_stub_status_module  --with-http_ssl_module  --with-http_gzip_static_module  --with-ipv6 --with-http_sub_module  --with-pcre  --with-pcre-jit  --with-file-aio --with-http_dav_module

[root@waf openresty-1.11.2.2]# gmake && gmake install

4. Raise the open-file limits

[root@waf openresty-1.11.2.2]# echo 100000 > /proc/sys/fs/file-max

[root@waf openresty-1.11.2.2]# ulimit -n 100000

fs.file-max is the system-wide limit and ulimit -n the per-process one (a procfs value is written with echo or sysctl -w, not edited with vim); both are lost at reboot unless persisted in /etc/sysctl.conf and /etc/security/limits.conf, and nginx's own worker_rlimit_nofile must fit under them.

5. Edit the nginx configuration bundled with OpenResty (--prefix is the install directory, so the config lives there; once the build is done you no longer work in the source tree)

[root@waf openresty]# mkdir /server/conf

[root@waf openresty]# pwd
/usr/local/openresty

[root@waf openresty]# cd /server/conf/

[root@waf conf]# ls

[root@waf conf]# ln -s /usr/local/openresty    /server/conf/openresty

[root@waf conf]# ls
openresty

[root@waf conf]# ln -s  /usr/local/openresty/nginx    /server/conf/nginx

[root@waf conf]# ll

total 0

lrwxrwxrwx 1 root root 26 Jul 10 09:25 nginx -> /usr/local/openresty/nginx
lrwxrwxrwx 1 root root 20 Jul 10 09:23 openresty -> /usr/local/openresty

[root@waf conf]# vim nginx.conf

(set user to www, and add include vhost/*.conf; as the last line inside the http { } block)

[root@waf conf]# useradd www -M -s /sbin/nologin

[root@waf conf]# mkdir vhost

[root@waf conf]# cd vhost/

## Write a test vhost

[root@waf vhost]# vim waf.conf

server {
        listen 80;
        server_name waf.linuxview.com;
        index index.html index.php index.htm;
        root /server/web/waf;
        error_log /server/logs/nginx/waf/error.log;
        access_log /server/logs/nginx/waf/access.log;
}

[root@waf vhost]# mkdir -p /server/web/waf && cd /server/web/waf

## Create a test page

[root@waf waf]# cat index.html

Welcome to Linuxview!!!

## Reload nginx

[root@waf waf]# /usr/local/openresty/nginx/sbin/nginx -s reload

6. Visit the test page

[Figure 6: waf.linuxview.com test page]

7. Install the WAF module

[root@waf waf]# cd /server/source/      

# this directory holds source trees and packages

[root@waf source]# git clone https://github.com/leoheng/lua.git

# these are the protection modules written in Lua; copy them into nginx's conf directory

[root@waf waf]# cp -a ./waf  /server/conf/nginx/conf/

[root@waf waf]# cd /server/conf/nginx/conf/

[root@waf conf]# ls

fastcgi.conf            koi-win             scgi_params           waf
fastcgi.conf.default    mime.types          scgi_params.default   win-utf
fastcgi_params          mime.types.default  uwsgi_params
fastcgi_params.default  nginx.conf          uwsgi_params.default
koi-utf                 nginx.conf.default  vhost

[root@waf conf]# cd waf/

[root@waf waf]# ls

access.lua  config.lua  init.lua  lib.lua  rule-config

[root@waf waf]# cd ..

## Add the Lua directives inside the http block

[root@waf conf]# vim nginx.conf

            lua_shared_dict limit 50m;     ## shared memory zone for the CC counters, 50 MB
            lua_package_path "/server/conf/nginx/conf/waf/?.lua;;";
            init_by_lua_file /server/conf/nginx/conf/waf/init.lua;
            access_by_lua_file /server/conf/nginx/conf/waf/access.lua;

The trailing ;; in lua_package_path keeps the default search path, so require 'init' from the waf directory works without hiding the modules OpenResty ships with.

## Check the configuration and reload

[root@waf conf]# /usr/local/openresty/nginx/sbin/nginx -t

nginx: the configuration file /usr/local/openresty/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/openresty/nginx/conf/nginx.conf test is successful

[root@waf conf]# /usr/local/openresty/nginx/sbin/nginx -s reload

8. Configure the WAF

[root@waf waf]# cat config.lua

--WAF config file, enable = "on", disable = "off"               -- WAF feature switches

--waf status
config_waf_enable = "on"                                        -- turn WAF protection on/off

--log dir
config_log_dir = "/server/logs/waf_logs"                        -- WAF log directory

--rule setting
config_rule_dir = "/usr/local/openresty/nginx/conf/waf/rule-config"   -- directory of rule files

--enable/disable white url
config_white_url_check = "on"                                   -- white-list URL check

--enable/disable white ip
config_white_ip_check = "on"                                    -- white-list IP check

--enable/disable block ip
config_black_ip_check = "on"                                    -- black-list IP check

--enable/disable url filtering
config_url_check = "on"                                         -- URL filtering

--enable/disable url args filtering
config_url_args_check = "on"                                    -- URL argument filtering

--enable/disable user agent filtering
config_user_agent_check = "on"                                  -- User-Agent filtering

--enable/disable cookie deny filtering
config_cookie_check = "on"                                      -- cookie filtering

--enable/disable cc filtering
config_cc_check = "on"                                          -- CC (HTTP flood) filtering

--cc rate: the xxx of xxx seconds
config_cc_rate = "10/60"                                        -- CC threshold: 10 requests per 60 seconds

--enable/disable post filtering
config_post_check = "on"                                        -- POST body filtering

--config waf output redirect/html
config_waf_output = "html"                                      -- on a match: redirect, or return the HTML page below

--if config_waf_output is redirect, setting url
config_waf_redirect_url = "https://www.baidu.com"               -- redirect target (Baidu home page)

--the warning page returned when config_waf_output = "html"
config_output_html = [[
WAF-TEST

WAF-TEST

        // TODO SOMTHING HTML
]]

config_cc_rate = "10/60" is aggressive: a visitor who reloads the same URL eleven times in a minute is blocked. Whatever the module keys its counter on, check what it sees once the WAF sits behind the reverse proxy from section II: if every request arrives from 192.168.0.230, one counter covers the whole site and ten requests a minute trips it for everyone.

9. The access check chain

Order: white-list IP -> black-list IP -> User-Agent attack check -> CC attack check -> cookie check -> white-list URL -> URL attack check -> URL argument check -> POST check

[root@waf waf]# cat access.lua

require 'init'    -- load init.lua first (rules and the check functions), then run the checks

-- order of the checks: each *_check() returns true once it has handled the
-- request, so the first one that fires ends the chain
function waf_main()
        if white_ip_check() then
        elseif black_ip_check() then
        elseif user_agent_attack_check() then
        elseif cc_attack_check() then
        elseif cookie_attack_check() then
        elseif white_url_check() then
        elseif url_attack_check() then
        elseif url_args_attack_check() then
        --elseif post_attack_check() then
        else
                return
        end
end

waf_main()

Two consequences of this chain are worth knowing. A white-listed IP returns before every other check, so entries in that list are fully trusted. And post_attack_check() is commented out, so config_post_check = "on" in config.lua has no effect: request bodies are never inspected, and an injection sent as a POST form field passes untouched while the same payload in a query string is blocked.

[root@waf waf]#
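The check chain in access.lua, the "10/60" window from config.lua and the client-address question raised by the reverse proxy in section II step 7 are easy to get wrong in deployment, so here is a small Python model of them, added as an example; it is not the module's code nor the page author's. It reproduces the elseif short-circuit (a white-listed IP skips everything, a white-listed URL skips only the URL and argument checks), a fixed-window counter standing in for the lua_shared_dict limit zone, and the rule that X-Forwarded-For is honoured only when the TCP peer is the trusted proxy. The rule patterns, the trusted-proxy set and the counter key (client IP plus URI) are assumptions made for this example; the real module reads its rules from rule-config/.

```python
"""Offline model of the waf_main() chain from access.lua (added example, not the module's code)."""
import re
import time
from dataclasses import dataclass

# Constructed stand-ins for the files in rule-config/ (assumption: one regex per entry).
RULES = {
    "whiteip": {"127.0.0.1"},
    "blackip": {"203.0.113.9"},
    "user_agent": [r"(?i)(sqlmap|nikto|nmap)"],
    "cookie": [r"(?i)union\s+select", r"\.\./"],
    "whiteurl": [r"^/nginx_status$"],
    "url": [r"(?i)\.(bak|sql|git)$", r"(?i)/etc/passwd"],
    "args": [r"(?i)union\s+select", r"(?i)sleep\s*\(", r"(?i)<script"],
}
CC_RATE = "10/60"                      # same format as config_cc_rate in config.lua
TRUSTED_PROXIES = {"192.168.0.230"}    # the nginx reverse proxy from section II (assumption)


@dataclass
class Request:
    peer_ip: str          # address of the TCP peer, what $remote_addr holds on the WAF
    uri: str
    args: str = ""
    user_agent: str = ""
    cookie: str = ""
    xff: str = ""         # X-Forwarded-For header exactly as received


def client_ip(req, trusted=TRUSTED_PROXIES):
    """Use X-Forwarded-For only when the peer is one of our proxies.

    $proxy_add_x_forwarded_for appends $remote_addr, so the right-most entry is the
    address that connected to the trusted proxy; anything a client forged earlier in
    the header sits to its left and is ignored. From any other peer the header is junk."""
    if req.peer_ip in trusted and req.xff:
        return req.xff.split(",")[-1].strip()
    return req.peer_ip


class CcLimiter:
    """Fixed window: more than `limit` hits on one key inside `window` seconds trips it."""

    def __init__(self, rate=CC_RATE, clock=time.time):
        count, window = rate.split("/")
        self.limit, self.window, self.clock = int(count), int(window), clock
        self._dict = {}   # key -> (hits, window_expires_at), like ngx.shared.DICT with an exptime

    def hit(self, key):
        now = self.clock()
        hits, expires = self._dict.get(key, (0, 0.0))
        if now >= expires:                      # window expired: start a fresh one
            hits, expires = 0, now + self.window
        hits += 1
        self._dict[key] = (hits, expires)
        return hits > self.limit


def _match(patterns, value):
    return any(re.search(p, value) for p in patterns)


class Waf:
    def __init__(self, rules=RULES, limiter=None):
        self.rules = rules
        self.limiter = limiter or CcLimiter()

    def check(self, req):
        """Return None to let the request through, else the name of the check that fired."""
        r, ip = self.rules, client_ip(req)
        if ip in r["whiteip"]:
            return None                         # white IP: every later check is skipped
        if ip in r["blackip"]:
            return "black_ip"
        if _match(r["user_agent"], req.user_agent):
            return "user_agent"
        if self.limiter.hit(ip + " " + req.uri):
            return "cc"
        if _match(r["cookie"], req.cookie):
            return "cookie"
        if _match(r["whiteurl"], req.uri):
            return None                         # white URL: only the URL and args checks are skipped
        if _match(r["url"], req.uri):
            return "url"
        if _match(r["args"], req.args):
            return "url_args"
        return None


if __name__ == "__main__":
    waf = Waf()
    spoofed = Request("198.51.100.7", "/index.php", args="id=1 union select 1,2", xff="127.0.0.1")
    print(waf.check(spoofed))        # url_args: the forged X-Forwarded-For from an untrusted peer is ignored
    via_proxy = Request("192.168.0.230", "/index.php", xff="203.0.113.9")
    print(waf.check(via_proxy))      # black_ip: the address behind the trusted proxy is what gets checked
```

Running it shows the two failure modes the proxy introduces: a client that sets X-Forwarded-For: 127.0.0.1 itself cannot reach the white list, and a black-listed address is still caught when it arrives through 192.168.0.230. Swap the clock in CcLimiter for a fake one to test the window without waiting 60 seconds.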

10. Rough flow of the protection rules:

[Figure 7: rule flow chart]

11. URL parameter test

[Figure 8: request with a malicious URL parameter blocked]

12. Simulated CC attack test

[root@waf waf]# ab -c 100 -t 100 http://waf.linuxview.com/

[Figure 9: ab output]
[Figure 10: WAF block page during the flood]

13. Log entries: attack type, client address, time of the attack on the server, and so on

[Figure 11: WAF log entries]

14. SQL injection test

[Figure 12: SQL injection attempt blocked]

15. Install HttpGuard for stronger CC protection

Download the archive and copy its Lua files into the waf directory:

[root@waf waf]# cd /server/source/

[root@waf source]# wget --no-check-certificate https://github.com/centos-bz/HttpGuard/archive/master.zip

[root@waf source]# unzip master.zip

[root@waf source]# cd HttpGuard-master/

[root@waf HttpGuard-master]# cp guard.lua /server/conf/nginx/conf/waf/

[root@waf HttpGuard-master]# cp runtime.lua /server/conf/nginx/conf/waf/

Copying these two files does not switch HttpGuard on by itself: it ships its own config and init files and has to be wired into nginx.conf with its own shared dict, init and access directives, alongside or in place of the module above; that step is not shown here. Also, --no-check-certificate turns off TLS verification for code that will run inside every nginx worker; fix the CA bundle on the host and fetch it with verification instead, and compare the archive against the upstream repository before loading it.

IV. MySQL 5.7 cluster (dual-master, multi-slave)

With only two database servers, use dual-master mode (each is the other's slave).

1. Edit the MySQL configuration on the master

[root@web1 ~]# vim /etc/my.cnf

 # add the following under [mysqld]

[mysqld]

log-bin = mysql-bin

server-id = 1

sync_binlog = 1

binlog_checksum = none

binlog_format = mixed

auto-increment-increment = 2

auto-increment-offset = 1

slave-skip-errors = all

auto-increment-increment = 2 with offset 1 here and offset 2 on web2 makes web1 hand out odd ids and web2 even ones, so inserts on both masters never collide. Two of the other settings trade integrity for convenience: slave-skip-errors = all silently skips every replication error, so the two masters can drift apart with nothing in the logs, and binlog_checksum = none removes the per-event CRC32 on the binary log. Neither is needed between two 5.7.18 servers; leave both at their defaults and handle replication errors explicitly.

[root@web1 ~]# systemctl restart mysql

[root@web1 ~]# systemctl status mysql

● mysql.service - LSB: start and stop MySQL
   Loaded: loaded (/etc/rc.d/init.d/mysql; bad; vendor preset: disabled)
   Active: active (exited) since Fri 2018-07-13 17:18:39 CST; 6s ago
     Docs: man:systemd-sysv-generator(8)
  Process: 37255 ExecStart=/etc/rc.d/init.d/mysql start (code=exited, status=0/SUCCESS)

Jul 13 17:18:39 web1 systemd[1]: Starting LSB: start and stop MySQL...
Jul 13 17:18:39 web1 mysql[37255]: Starting MySQL SUCCESS!
Jul 13 17:18:39 web1 systemd[1]: Started LSB: start and stop MySQL.
Jul 13 17:18:40 web1 mysql[37255]: 2018-07-13T09:18:40.050893Z mysqld_safe A mys...ts
Hint: Some lines were ellipsized, use -l to show in full.

2. Log into MySQL and grant the replication user web2 the privileges it needs to connect to this master and replicate from it (passing the password with -p on the command line puts it in the shell history and process list, which is what the warning below is about; prefer an interactive prompt or a login-path file)

[root@web1 ~]# mysql -uroot -p000000

mysql: [Warning] Using a password on the command line interface can be insecure.
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 3
Server version: 5.7.18-log Source distribution

Copyright (c) 2000, 2017, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> grant replication slave,replication client on *.* to web2@'192.168.0.%'identified by"000000";

Query OK,0rows affected,1warning (0.13sec)

mysql> flush privileges;

Query OK,0rows affected (0.03sec)

### note the current binlog file name and position; the other node needs them for CHANGE MASTER TO

mysql> show master status;

+------------------+----------+--------------+------------------+-------------------+
| File             | Position | Binlog_Do_DB | Binlog_Ignore_DB | Executed_Gtid_Set |
+------------------+----------+--------------+------------------+-------------------+
| mysql-bin.000006 |      620 |              |                  |                   |
+------------------+----------+--------------+------------------+-------------------+
1 row in set (0.01 sec)


3. Edit the MySQL configuration on the slave

[root@web2 ~]# vim /etc/my.cnf

[mysqld]

server-id = 2

log-bin = mysql-bin

sync_binlog = 1

binlog_checksum = none

binlog_format = mixed

auto-increment-increment = 2

auto-increment-offset = 2

slave-skip-errors = all

[root@web2 ~]# systemctl restart mysql

[root@web2 ~]# systemctl status mysql

● mysql.service - LSB: start and stop MySQL
   Loaded: loaded (/etc/rc.d/init.d/mysql; bad; vendor preset: disabled)
   Active: active (running) since Fri 2018-07-13 17:29:56 CST; 20s ago
     Docs: man:systemd-sysv-generator(8)
  Process: 31883 ExecStart=/etc/rc.d/init.d/mysql start (code=exited, status=0/SUCCESS)
   CGroup: /system.slice/mysql.service
           ├─31891 /bin/sh /usr/local/mysql/bin/mysqld_safe --datadir=/usr/local/m...
           └─32461 /usr/local/mysql/bin/mysqld --basedir=/usr/local/mysql --datadi...

Jul 13 17:29:38 web2 systemd[1]: Starting LSB: start and stop MySQL...
Jul 13 17:29:56 web2 mysql[31883]: Starting MySQL................. SUCCESS!
Jul 13 17:29:56 web2 systemd[1]: Started LSB: start and stop MySQL.

4. Create the replication user on the slave as well (web1 will replicate from web2 with it)

[root@web2 ~]# mysql -uroot -p000000

mysql: [Warning] Using a password on the command line interface can be insecure.
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 3
Server version: 5.7.18-log Source distribution

Copyright (c) 2000, 2017, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> grant replication slave,replication client on *.* to web2@'192.168.0.%' identiified by "000000";

ERROR 1064 (42000): You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'identiified by "000000"' at line 1

mysql> grant replication slave,replication client on *.* to web2@'192.168.0.%' identified by "000000";

Query OK, 0 rows affected, 1 warning (0.18 sec)

The host part must be exactly '192.168.0.%'. GRANT accepts any string there, so a typo such as a doubled dot ('192.168.0..%') is stored without complaint and simply never matches, and the other node's IO thread then fails to authenticate.

mysql> flush privileges;

Query OK,0rows affected (0.00sec)

mysql> show master status;

+------------------+----------+--------------+------------------+-------------------+
| File             | Position | Binlog_Do_DB | Binlog_Ignore_DB | Executed_Gtid_Set |
+------------------+----------+--------------+------------------+-------------------+
| mysql-bin.000007 |      610 |              |                  |                   |
+------------------+----------+--------------+------------------+-------------------+
1 row in set (0.01 sec)

5. On the master, point replication at the slave's binlog

mysql> stop slave;

Query OK, 0 rows affected, 1 warning (0.02 sec)

mysql> change master to master_host='192.168.0.211', master_user='web2', master_password='000000', master_log_file='mysql-bin.000007', master_log_pos=610;

The file and position here must be the ones web2 reported in its own show master status (mysql-bin.000007, 610), not web1's own coordinates: this statement tells web1 where to start reading web2's binlog.

Query OK, 0 rows affected, 2 warnings (0.03 sec)

mysql> start slave;

Query OK, 0 rows affected (0.00 sec)

mysql> show slave status\G

*************************** 1. row ***************************
               Slave_IO_State: Waiting for master to send event
                  Master_Host: 192.168.0.211
                  Master_User: web2
                  Master_Port: 3306
                Connect_Retry: 60
              Master_Log_File: mysql-bin.000008
          Read_Master_Log_Pos: 1110
               Relay_Log_File: web1-relay-bin.000002
                Relay_Log_Pos: 312
        Relay_Master_Log_File: mysql-bin.000008
             Slave_IO_Running: Yes
            Slave_SQL_Running: Yes
              Replicate_Do_DB:
          Replicate_Ignore_DB:
           Replicate_Do_Table:
       Replicate_Ignore_Table:
      Replicate_Wild_Do_Table:
  Replicate_Wild_Ignore_Table:
                   Last_Errno: 0
                   Last_Error:
                 Skip_Counter: 0
          Exec_Master_Log_Pos: 1110
              Relay_Log_Space: 510
              Until_Condition: None
               Until_Log_File:
                Until_Log_Pos: 0
           Master_SSL_Allowed: No
           Master_SSL_CA_File:
           Master_SSL_CA_Path:
              Master_SSL_Cert:
            Master_SSL_Cipher:
               Master_SSL_Key:
        Seconds_Behind_Master: 0
Master_SSL_Verify_Server_Cert: No
                Last_IO_Errno: 0
                Last_IO_Error:
               Last_SQL_Errno: 0
               Last_SQL_Error:
  Replicate_Ignore_Server_Ids:
             Master_Server_Id: 2
                  Master_UUID: ed87ba4b-8653-11e8-94fe-000c29d7dfdc
             Master_Info_File: /usr/local/mysql/var/master.info
                    SQL_Delay: 0
          SQL_Remaining_Delay: NULL
      Slave_SQL_Running_State: Slave has read all relay log; waiting for more updates
           Master_Retry_Count: 86400
                  Master_Bind:
      Last_IO_Error_Timestamp:
     Last_SQL_Error_Timestamp:
               Master_SSL_Crl:
           Master_SSL_Crlpath:
           Retrieved_Gtid_Set:
            Executed_Gtid_Set:
                Auto_Position: 0
         Replicate_Rewrite_DB:
                 Channel_Name:
           Master_TLS_Version:
1 row in set (0.00 sec)

Slave_IO_Running and Slave_SQL_Running both say Yes, which is what to check. Master_SSL_Allowed: No means the replication credentials and every binlog event cross the LAN in cleartext; on a shared segment, set up server certificates and add MASTER_SSL=1 to CHANGE MASTER TO, and grant the replication user with REQUIRE SSL so the plaintext path is closed.

6. On the slave, point replication at the master's binlog (using the mysql-bin.000006 / 620 coordinates web1 reported above)

mysql> stop slave;

Query OK, 0 rows affected, 1 warning (0.02 sec)

mysql> change master to master_host='192.168.0.230', master_user='web2', master_password='000000', master_log_file='mysql-bin.000006', master_log_pos=620;

Query OK, 0 rows affected, 2 warnings (0.03 sec)

mysql> start slave;

Query OK, 0 rows affected (0.00 sec)

mysql> show slave status\G

*************************** 1. row ***************************
               Slave_IO_State: Connecting to master
                  Master_Host: 192.168.0.230
                  Master_User: web1
                  Master_Port: 3306
                Connect_Retry: 60
              Master_Log_File: mysql-bin.000010
          Read_Master_Log_Pos: 1110
               Relay_Log_File: web2-relay-bin.000001
                Relay_Log_Pos: 4
        Relay_Master_Log_File: mysql-bin.000010
             Slave_IO_Running: Yes
            Slave_SQL_Running: Yes

7. Create a database and a table on the master

mysql> create database leotest;

Query OK, 1 row affected (0.00 sec)

mysql> use leotest;

Database changed

mysql> create table test(id int(4), name varchar(10));

Query OK, 0 rows affected (0.04 sec)

mysql> show tables ;

+-------------------+
| Tables_in_leotest |
+-------------------+
| test              |
+-------------------+
1 row in set (0.00 sec)


8. Check the replicated data on the slave

mysql> show databases;

+--------------------+
| Database           |
+--------------------+
| information_schema |
| leotest            |
| mysql              |
| performance_schema |
| sys                |
+--------------------+
5 rows in set (0.00 sec)


With that, the MySQL cluster is complete, and the WAF is embedded in the LNMP cluster architecture.

(Original article: http://blog.51cto.com/leoheng/2148772)
