一、软件模块依赖性:
[root@localhost] # yum -y install gcc+ gcc-c++ gcc* make* libpcre.so* openssl* pcre* zlib* libtool* libxml2* libxslt* gd* lua*
二、安装GeoIP
安装 MaxMind 的 GeoIP 库
MaxMind 提供了免费的 IP 地域数据库(GeoIP.dat),不过这个数据库文件是二进制的,需要用 GeoIP 库来读取,所以除了要下载 GeoIP.dat 文件外(见下一步),还需要安装能读取这个文件的库。
下载地址:http://dev.maxmind.com/geoip/legacy/geolite/
(1)编译安装GeoIP
[root@localhost] # wget http://geolite.maxmind.com/download/geoip/api/c/GeoIP.tar.gz
[root@localhost] # tar -zxvf GeoIP.tar.gz
[root@localhost] # cd GeoIP-1.4.8/
[root@localhost] # ./configure
[root@localhost] # make
[root@localhost] # make install
刚才安装的库会自动安装到 /usr/local/lib 下,所以需要把这个目录加到动态链接配置里,以便运行相关程序时能自动绑定到这个 GeoIP 库:
[root@localhost] # echo '/usr/local/lib' >> /etc/ld.so.conf
[root@localhost] # ldconfig
(2)下载安装GeoIP.dat(GeoIP国家数据库)
MaxMind 提供了免费的 IP 地域数据库,这个数据库是二进制的,不能用文本编辑器打开,需要用上面安装的 GeoIP 库来读取:
[root@localhost] # wget http://geolite.maxmind.com/download/geoip/database/GeoLiteCountry/GeoIP.dat.gz
[root@localhost] # gzip -d GeoIP.dat.gz
(3)下载安装GeoLiteCity.dat(GeoIP城市地区数据库)
[root@localhost] # wget http://geolite.maxmind.com/download/geoip/database/GeoLiteCity.dat.gz
[root@localhost] # gzip -d GeoLiteCity.dat.gz
三、编译安装SeNginx
(1)下载Nginx版本:
[root@tgjtest02 ~]# wget http://senginx.org/download/senginx-1.6.0.tar.gz
(2)编译安装SeNginx:
因为要用到 http_geoip_module 模块,而系统自带的 nginx 一般不带这个模块,所以要下载 nginx 源代码后自行编译(源码包是通过明文 HTTP 从第三方站点下载的,编译前应先核对发布方提供的校验和或签名):
[root@localhost] # tar zxvf senginx-1.6.0.tar.gz
[root@localhost] # cd senginx-1.6.0
[root@localhost] # vim se-configure.sh
--with-http_realip_module \
--with-http_addition_module \
--with-http_sub_module \
--with-http_dav_module \
--with-http_flv_module \
--with-http_geoip_module \
--with-mail \
--with-mail_ssl_module \
--with-ipv6 \
--with-http_ssl_module \
--with-debug \
[root@localhost] # ./se-configure.sh --prefix=/usr/local/nginx
[root@localhost] # make
[root@localhost] # make install
[root@localhost] # cd /usr/local/
[root@localhost] # nginx/sbin/nginx -V
(3)配置 Nginx
配置 nginx,在 nginx.conf 的 http 上下文中加上如下配置即可(后面的虚拟主机配置会通过 ip_var_name=ip_wl、ua_var_name=ua_wl 引用这里定义的 $ip_wl 和 $ua_wl 变量):
[root@localhost] # vim /usr/local/nginx/conf/nginx.conf
# NOTE(review): presumably caps the shared session store used by the SeNginx
# modules configured in the vhost below -- confirm the unit in the SeNginx docs.
session_max_size 10240;
# $ip_wl is 1 for client addresses inside the listed ranges, 0 otherwise.
# The vhost config references it (ip_var_name=ip_wl ip_var_value=1) so that
# these clients skip robot mitigation, cookie-poisoning and naxsi checks;
# keep the list to hosts that are genuinely trusted.
geo $ip_wl {
ranges;
default 0;
127.0.0.1-127.0.0.1 1;
10.0.101.1-10.0.101.254 1;
}
# $ua_wl: named User-Agent patterns ("name" "regex") that the same whitelist
# directives accept via ua_var_name=ua_wl. The User-Agent header is chosen by
# the client, so this bypass is a convenience for known test tools, not a
# trust boundary.
whitelist_ua $ua_wl {
"autotest" ".*\.test\.com";
}
(4)修改虚拟主机配置文件
[root@localhost] # vim /usr/local/nginx/conf/vhosts/server.conf
########## Robot Mitigation ##########
# Challenge-based bot filtering. NOTE(review): "js" mode presumably answers
# the first request with a JavaScript challenge and records the result in the
# named cookie -- confirm against the SeNginx docs.
robot_mitigation on;
robot_mitigation_cookie_name enorth_cookie;
robot_mitigation_mode js;
# NOTE(review): presumably "blacklist after 3 failed challenges" and a 60 s
# challenge window -- confirm the units.
robot_mitigation_blacklist 3;
robot_mitigation_timeout 60;
# Presumably challenges XHR requests as well, so AJAX calls cannot sidestep
# the check.
robot_mitigation_challenge_ajax on;
# Clients matching $ua_wl, or whose $ip_wl is 1, skip the challenge entirely.
robot_mitigation_global_whitelist ua_var_name=ua_wl ip_var_name=ip_wl ip_var_value=1;
########## cookie ##########
#cookie_poisoning_action block/pass/remove/blacklist,num;
# Detect tampering with server-issued cookies. "blacklist,5" presumably
# blacklists the client after 5 tampered cookies (confirm); every hit is logged.
cookie_poisoning on;
cookie_poisoning_action blacklist,5;
cookie_poisoning_log on;
cookie_poisoning_whitelist ua_var_name=ua_wl ip_var_name=ip_wl ip_var_value=1;
######### naxsi_whitelist ##########
# Same IP/UA whitelist applied to the naxsi WAF rules below.
naxsi_whitelist ua_var_name=ua_wl ip_var_name=ip_wl ip_var_value=1;
# LearningMode makes naxsi log rule matches without enforcing them: while this
# line is present the BLOCK actions below do not block anything. Remove it once
# wl.conf has been tuned, otherwise the WAF stays audit-only in production.
LearningMode;
SecRulesEnabled;
#SecRulesDisabled;
# Requests that trip a CheckRule are internally redirected to this URI; the
# /RequestDenied location below answers 403.
DeniedUrl "/RequestDenied";
# Site-specific naxsi whitelist rules (path relative to nginx's conf prefix).
include wl.conf;
## check rules
# Per-request scores accumulated by the core rules; block once a category's
# score reaches its threshold.
CheckRule "$XSS >= 4" BLOCK;
CheckRule "$TRAVERSAL >= 4" BLOCK;
CheckRule "$EVADE >= 8" BLOCK;
CheckRule "$UPLOAD >= 8" BLOCK;
CheckRule "$RFI >= 8" BLOCK;
CheckRule "$SQL >= 8" BLOCK;
}
# Target of DeniedUrl: naxsi-blocked requests land here and receive a bare 403.
location /RequestDenied {
return 403;
}
# Commented-out example of per-country routing with the geoip module compiled
# in above. $geoip_country_code is only populated once the http context points
# the module at the country database (e.g. geoip_country /path/to/GeoIP.dat;
# -- placeholder path), which this guide never shows; without it the variable
# is empty and every visitor takes the "!= CN" branch.
# location / {
# if ($geoip_country_code = CN) {
# rewrite ^/$ /cn redirect;
# }
#
# if ($geoip_country_code != CN) {
# rewrite ^/$ /en redirect;
# }
# }