rpm版nginx安装ngx_lua_waf扩展

ngx_lua_waf是一个基于lua-nginx-module(openresty)的web应用防火墙

lua-nginx-module 项目地址

  • 下载资源
    1.下载 luajit
    2.下载 ngx_devel_kit
    3.下载 ngx_lua
    4.下载 nginx
    5.下载 ngx_lua_waf

  • 编译安装 luajit 官网地址

    make PREFIX=/usr/local/luajit
    make install PREFIX=/usr/local/luajit
    
  • 编译不安装nginx

    wget 'http://nginx.org/download/nginx-1.13.6.tar.gz'
    tar -xzvf nginx-1.13.6.tar.gz
    cd nginx-1.13.6/
    
    # tell nginx's build system where to find LuaJIT 2.0:
     export LUAJIT_LIB=/path/to/luajit/lib
     export LUAJIT_INC=/path/to/luajit/include/luajit-2.0
    
    # tell nginx's build system where to find LuaJIT 2.1:
     export LUAJIT_LIB=/path/to/luajit/lib
     export LUAJIT_INC=/path/to/luajit/include/luajit-2.1
    # or tell where to find Lua if using Lua instead:
    #export LUA_LIB=/path/to/lua/lib
    #export LUA_INC=/path/to/lua/include
    
    # Here we assume Nginx is to be installed under /opt/nginx/.
     ./configure --prefix=/opt/nginx \
             --with-ld-opt="-Wl,-rpath,/path/to/luajit-or-lua/lib" \
             --add-module=/path/to/ngx_devel_kit \
             --add-module=/path/to/lua-nginx-module
    # Note that you may also want to add `./configure` options which are used in your
    # current nginx build.
    # You can get usually those options using command nginx -V
    # you can change the parallism number 2 below to fit the number of spare CPU 
    cores in your
    # machine.
    make -j2
    copy objs/nginx /usr/sbin/nginx
    
  • 使用ngx_lua_waf

    1. 把ngx_lua_waf下载到nginx/conf目录下,解压命名为waf
    2. 在nginx.conf的http段添加
    lua_package_path "/etc/nginx/conf/waf/?.lua";
    lua_shared_dict limit 10m;
    init_by_lua_file  /etc/nginx/conf/waf/init.lua; 
    access_by_lua_file /etc/nginx/conf/waf/waf.lua;
    
    1. 配置config.lua里的waf规则目录(一般在waf/conf/目录下)
    RulePath = "/etc/nginx/conf/waf/wafconf/"
    
  • 配置文件说明:

      RulePath = "/usr/local/nginx/conf/waf/wafconf/"
      --规则存放目录
      attacklog = "off"
      --是否开启攻击信息记录,需要配置logdir
      logdir = "/usr/local/nginx/logs/hack/"
      --log存储目录,该目录需要用户自己新建,切需要nginx用户的可写权限
      UrlDeny="on"
      --是否拦截url访问
      Redirect="on"
      --是否拦截后重定向
      CookieMatch = "on"
      --是否拦截cookie攻击
      postMatch = "on" 
      --是否拦截post攻击
      whiteModule = "on" 
      --是否开启URL白名单
      black_fileExt={"php","jsp"}
      --填写不允许上传文件后缀类型
      ipWhitelist={"127.0.0.1"}
      --ip白名单,多个ip用逗号分隔
      ipBlocklist={"1.0.0.1"}
      --ip黑名单,多个ip用逗号分隔
      CCDeny="on"
      --是否开启拦截cc攻击(需要nginx.conf的http段增加lua_shared_dict limit 10m;)
      CCrate = "100/60"
      --设置cc攻击频率,单位为秒.
      --默认1分钟同一个IP只能请求同一个地址100次
      html=[[Please go away~~]]
      --警告内容,可在中括号内自定义
      备注:不要乱动双引号,区分大小写
    
  • 重启nginx之后,可以尝试如下命令:

    curl http://xxxx/test.php?id=../etc/passwd
    

返回"Please go away~~"字样,说明规则生效。

你可能感兴趣的:(rpm版nginx安装ngx_lua_waf扩展)