Nginx+Naxsi部署专业级web应用防火墙
Naxsi简介:
Naxsi是一个开放源代码、高效、低维护规则的Nginx web应用防火墙模块。Naxsi的主要目标是帮助人们加固他们的web应用程序,以抵御SQL注入、跨站脚本、跨域伪造请求、本地和远程文件包含漏洞。
安装配置naxsi模块步骤如下:
一.首先要搭建lnmp环境并添加lua模块:
添加lua模块步骤如下:
1.下载并安装lua模块:
wget http://luajit.org/download/LuaJIT-2.0.1.tar.gz tar zxvfLuaJIT-2.0.1.tar.gz cd LuaJIT-2.0.1 make && make install
2.下载ngx_devel_kit 和nginx_lua_module并解压
tar zxvfngx_devel_kit-0.2.19.tar.gz tar zxvflua-nginx-module-0.9.2.tar.gz
3.进入nginx源码文件夹,编译安装nginx
a.导入环境变量
export LUAJIT_LIB=/usr/local/lib export LUAJIT_INC=/usr/local/include/luajit-2.0
b.查看nginx的先前的configure配置
/usr/local/webserver/nginx/sbin/nginx -V
nginxversion: nginx/1.2.9
configurearguments: --user=www --group=www --prefix=/usr/local/webserver/nginx --with- http_stub_status_module --with-http_ssl_module
c.重新编译安装nginx:
cd /tools/nginx-1.2.9 ./configure --user=www --group=www --prefix=/usr/local/webserver/nginx --with-http_stub_status_module --with-http_ssl_module --add-module=/tools/ngx_devel_kit-0.2.19 --add-module=/tools/lua-nginx-module-0.9.2
make -j2 make install
此时检查nginx配置文件语法会出现错误:
/usr/local/webserver/nginx/sbin/nginx -t
/usr/local/webserver/nginx/sbin/nginx:error while loading shared libraries:
libluajit-5.1.so.2: cannot open sharedobject file: No such file or directory
原因是找不到libluajit-5.1.so.2
解决方法:
find / -name "libluajit-5.1.so.2"
/usr/local/lib/libluajit-5.1.so.2
echo "/usr/local/lib" >>/etc/ld.so.conf ldconfig /usr/local/webserver/nginx/sbin/nginx -t
nginx:the configuration file /usr/local/webserver/nginx/conf/nginx.conf syntax is ok
nginx:configuration file /usr/local/webserver/nginx/conf/nginx.conf test issuccessful
配置OK。
二.下载naxsi模块:
wget http://naxsi.googlecode.com/files/naxsi-core-0.50.tgz tar zxvf naxsi-core-0.50.tgz
三.关联naxsi模块:
先查看nginx的原有./configure配置,然后复制后并添加naxsi模块的路径:
cd /tools/nginx-1.2.9 ./configure --user=www --group=www --prefix=/usr/local/webserver/nginx --with-http_stub_status_module --with-http_ssl_module --add-module=/tools/ngx_devel_kit-0.2.19 --add-module=/tools/lua-nginx-module-0.9.2 --add-module=/tools/naxsi-core-0.50/naxsi_src/
make && make install
4.配置naxsi模块:
官网说明见:
http://code.google.com/p/naxsi/wiki/Howto#Installing_nginx_+_naxsi
1.将naxsi_config目录下核心配置naxsi_core.rules拷贝到nginx/conf/目录下:
cp /tools/naxsi-core-0.50/naxsi_config/naxsi_core.rules /usr/local/webserver/nginx/conf/
2.在nginx/conf/目录下新建naxsi_nbs.rules文件,用以配置使用;
touch naxsi_nbs.rules
3.配置nginx.conf文件:
user www;
worker_processes 1;
events {
worker_connections 1024;
}
http {
include mime.types;
include/usr/local/webserver/nginx/conf/naxsi_core.rules;
default_type application/octet-stream;
sendfile on;
keepalive_timeout 65;
server {
listen 80;
server_name localhost;
location / {
root html;
index index.html index.htm;
}
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root html;
}
location /xss {
include naxsi_nbs.rules;
include naxsi_BasicRule.conf;
default_type 'test/plain';
content_by_lua '
ngx.say("({\'Test xss ,come inplease!!!\'})");
';
root html;
}
location /RequestDenied {
return 403;
}
error_page 403 /403.html;
}
}
4.配置规则文件naxsi_nbs.rules
#LearningMode; #Enables learningmode SecRulesEnabled; #SecRulesDisabled; DeniedUrl "/RequestDenied"; ## check rules CheckRule "$SQL >= 8"BLOCK; CheckRule "$RFI >= 8"BLOCK; CheckRule "$TRAVERSAL >=4" BLOCK; CheckRule "$EVADE >=4" BLOCK; CheckRule "$XSS >= 8"BLOCK;
5.配置白名单文件naxsi_BasicRule.conf
BasicRule wl:0"mz:$ARGS_VAR:script"; BasicRule wl:0"mz:$ARGS_VAR:id";
这表示xss攻击正常是被拦截的,若被添加白名单,则不被拦截:此处是Get 参数名若为id 或者script,则不被拦截;
BasicRule的规则说明,具体参见:http://code.google.com/p/naxsi/wiki/BasicRule
五.测试naxsi模块
1.检查语法并重启nginx服务:
/usr/local/webserver/nginx/sbin/nginx -t /usr/local/webserver/nginx/sbin/nginx -s reload
2.测试连接:
http://192.168.1.11/xss/
http://192.168.1.11/xss/?id=40/**/and/**/1=1
http://192.168.1.11/xss/?name=40/**/and/**/1=1
http://192.168.1.11/xss/?name=%28%29
http://192.168.1.11/xss/?term=%3Cscript%3Ewindow.open%28%22
http://192.168.1.11/xss/?title=meta%20http-equiv=%22refresh%22%20content=%220;%22
测试结果:
1通过
2通过,因为配置到白名单
3不通过,含有条件注入
4不通过,特殊字符
5不通过,参数内容含脚本注入
6不通过