Production-grade setup of OpenResty + WAF firewall

1. Download the package repository file

wget https://openresty.org/package/centos/openresty.repo
sudo mv openresty.repo /etc/yum.repos.d/
sudo yum check-update

If a warning appears, run the command it asks for:
yum-config-manager --save --setopt=percona-release-x86_64.skip_if_unavailable=true

2. Download and install OpenResty

sudo yum install -y openresty

3. Install the openresty-resty command-line tool

sudo yum install -y openresty-resty

4. cd to the user's home directory and download the WAF

git clone https://github.com/unixhot/waf.git
cp -a ./waf/waf /usr/local/openresty/nginx/conf/

5. Create the symbolic link [important!!!]

ln -s /usr/local/openresty/lualib/resty/ /usr/local/openresty/nginx/conf/waf/resty

6. Check that the paths in waf/config.lua are correct

7. Copy over the original nginx configuration file and directories (nginx.conf and the per-project domain .conf files)

8. Test whether OpenResty's nginx configuration loads cleanly

openresty -t

nginx: [emerg] module "/usr/lib64/nginx/modules/ngx_http_geoip_module.so" version 1012002 instead of 1021004 in /usr/share/nginx/modules/mod-http-geoip.conf:1
Fix:
Comment out the line that loads this module (as the message says, the system's GeoIP dynamic module was built against a different nginx version). Keep observing for x days; commenting it out had no impact on the existing nginx services.

nginx: [warn] the "ssl" directive is deprecated, use the "listen ... ssl" directive instead in /usr/local/openresty/nginx/conf/sites/xxxx.conf:5
nginx: the configuration file /usr/local/openresty/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/openresty/nginx/conf/nginx.conf test is successful

Fix:
Comment out ssl on; (the warning says to put ssl on the listen directive instead):
#ssl on;

9. Include the WAF code in nginx.conf

http{
    #WAF
    lua_shared_dict limit 50m;
    lua_package_path "/usr/local/openresty/nginx/conf/waf/?.lua";
    init_by_lua_file "/usr/local/openresty/nginx/conf/waf/init.lua";
    access_by_lua_file "/usr/local/openresty/nginx/conf/waf/access.lua";
....

10. Check again: OK

openresty -t
nginx: the configuration file /usr/local/openresty/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/openresty/nginx/conf/nginx.conf test is successful

11. Configure the whitelist

  01. Add the project's business IPs to the whitelist so they are not subject to CC control;
  02. Change the CC protection to 600000/60
  Note: set the CC limit high in the early phase and reduce it gradually later
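As an added illustration that is not part of the original post or the unixhot/waf project, the following access-phase Lua shows how a CC rule written as count/seconds (the 600000/60 above) can be enforced against the lua_shared_dict limit declared in step 9, with the IP whitelist checked first. The config table, its field names and the sample IPs are assumptions.

```lua
-- Added example (not unixhot/waf code): CC rate limiting in the access phase,
-- using the shared dict from step 9 (lua_shared_dict limit 50m;) and the
-- page's rule format "count/seconds". Config table and sample IPs are assumed.
local limit = ngx.shared.limit
local config = {
    cc_check = "on",
    cc_rate = "600000/60",                          -- max requests / window seconds
    ip_white_list = { "10.0.0.5", "192.168.1.20" }, -- constructed sample IPs
}

-- Parse "count/seconds"; a malformed rule is logged, not silently ignored.
local function parse_rate(rate)
    local count, seconds = rate:match("^(%d+)/(%d+)$")
    if not count then
        ngx.log(ngx.ERR, "bad cc_rate: ", rate)
        return nil
    end
    return tonumber(count), tonumber(seconds)
end

local function is_whitelisted(ip)
    for _, v in ipairs(config.ip_white_list) do
        if v == ip then return true end
    end
    return false
end

local function cc_check()
    if config.cc_check ~= "on" then return end
    -- remote_addr is the direct peer; behind another proxy use the forwarded
    -- address only if that proxy is trusted to set it.
    local client_ip = ngx.var.remote_addr
    if is_whitelisted(client_ip) then return end
    local max_count, window = parse_rate(config.cc_rate)
    if not max_count then return end
    -- Count per client IP + URI so one hot endpoint does not exhaust the
    -- client's budget for every other path.
    local key = client_ip .. ngx.var.uri
    -- incr with init/init_ttl is atomic: the counter is created on the first
    -- hit and expires after the window, so there is no get/set race.
    local count, err = limit:incr(key, 1, 0, window)
    if not count then
        ngx.log(ngx.ERR, "limit dict error: ", err)
        return
    end
    if count > max_count then
        ngx.log(ngx.WARN, "CC limit exceeded for ", client_ip, " ", ngx.var.uri)
        return ngx.exit(ngx.HTTP_SERVICE_UNAVAILABLE)
    end
end
cc_check()
```

Because the counter is keyed per client and per URI, a whitelisted business IP is never counted, and a single client exceeding the window budget receives 503 while other clients are unaffected.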

12. Hide the WAF and nginx version numbers:

http{
 #hide the nginx version number
 server_tokens off;
 .....

13. After everything is confirmed correct, shut down the original nginx and switch to OpenResty

14. Kill nginx && start openresty
pkill nginx && openresty

That completes all the steps; hope this helps everyone!!
