nginx+lua+waf · 笔记

参考: https://cloud.tencent.com/developer/article/1943612 https://www.cnblogs.com/cheyunhua/p/13395745.html https://blog.csdn.net/m0_37814112/article/details/119967839 https://github.com/lejianwen/ngx_waf_cc https://github.com/unixhot/waf https://github.com/openresty/lua-nginx-module 官方有安装方法，版本要对应 # 安装ngx_lua_waf 主要处理cc攻击 nginx下常见的开源 waf 有 mod_security、naxsi、ngx_lua_waf 这三个以及openresty waf 配置 ngx_lua_waf 性能高和易用性强，基本上零配置 ModSecurity支持自定义，高级功能等，但是相应的配置也比较复杂 ``` 基础防盗链功能后台密码撞库文件上传漏洞：利用如头像、附近等可以上传的接口将恶意代码植入服务器中再通过url去访问来执行恶意代码 http://www.chinasoft.com/upload/1.jpg/1.php sql注入 cc攻击 cc攻击是指对某个接口进行超载访问从而达到拒绝服务攻击的效果测试 [root@node1 waf]# ab -n 2000 -c 2 http://192.168.3.177/login.html ``` # 一、安装环境和版本记录 ``` nginx1.19.3 ubuntu20.04 #安装包对应下载的网站：https://github.com/openresty 1、luajit： git clone https://github.com/openresty/luajit2 必需 2、lua-nginx-module：wget https://github.com/openresty/lua-nginx-module/archive/v0.10.26.tar.gz 必需 3、lua-resty-core：wget https://github.com/openresty/lua-resty-core/archive/refs/tags/v0.1.28.tar.gz 必需 4、lua-resty-lrucache：wget https://github.com/openresty/lua-resty-lrucache/releases/tag/v0.13 必需 5、ngx_devel_kit：wget https://github.com/vision5/ngx_devel_kit/archive/refs/tags/v0.3.2.tar.gz 必需 6、nginx # lua-nginx-module 依赖LuaJIT 2.x，ngx_devel_kit，所以编译带lua-nignx-module模块的nginx之前必须先编译LuaJIT # waf模块 wget https://github.com/loveshell/ngx_lua_waf/archive/refs/heads/master.zip ``` ``` # 源安装nginx 指定版本1.19.3 lsb_release -c focal #更新apt源文件 $ sudo vim sources.list # 文件末尾添加以下两行并保存 deb http://nginx.org/packages/mainline/ubuntu/ focal nginx deb-src http://nginx.org/packages/mainline/ubuntu/ focal nginx #导入nginx公钥 sudo wget http://nginx.org/keys/nginx_signing.key sudo apt-key add nginx_signing.key #安装 apt-cache madison nginx 选择1.19.3 sudo apt update && sudo apt install nginx=1.19.3-1~focal ``` ## 1、编译安装luajit ``` #1、下载软件包 git clone https://github.com/openresty/luajit2 # 编译安装 make install PREFIX=/usr/local/luajit # 确定编译是否成功 #2、添加环境变量 vim /etc/profile export LUAJIT_LIB=/usr/local/luajit/lib export LUAJIT_INC=/usr/local/luajit/include/luajit-2.1 source /etc/profile #3、加载lua库到ld.so.conf文件 echo "/usr/local/luajit/lib" > /etc/ld.so.conf.d/usr_local_luajit_lib.conf #4、执行ldconfig让动态函式库加载到缓存中 ldconfig ``` ## 2、解压lua-nginx-module ## 3、解压ngx_devel_kit ## 4、编译安装lua-resty-core make install PREFIX=/usr/local/luajit ## 5、编译安装lua-resty-lrucache make install PREFIX=/usr/local/luajit ## 6、编译安装nginx ``` #安装依赖 apt install build-essential libpcre3 libpcre3-dev libssl-dev zlib1g-dev openssl libssl-dev # 下载nginx wget https://nginx.org/download/nginx-1.19.3.tar.gz tar zxf nginx-1.19.3.tar.gz 使用前面源安装的nginx的参数nginx -V 编译安装追加2两条 ./configure --prefix= ...... --add-module=/home/ubuntu/ngx_devel_kit-0.3.2 --add-module=/home/ubuntu/lua-nginx-module-0.10.26 make && make install ``` ## 7、验证lua模块配置nginx后访问http://172.27.0.3/lua ``` # http{} 增加 lua_package_path "/usr/local/luajit/lib/lua/?.lua;;"; # server{} server { listen 80; server_name localhost; #access_log /var/log/nginx/host.access.log main; location / { root /usr/share/nginx/html; index index.html index.htm; } location /lua { default_type 'text/plain'; content_by_lua 'ngx.say("Hi,welcome 222")'; } } ``` # 二、WAF模块安装 https://github.com/loveshell/ngx_lua_waf 完整的waf https://github.com/lejianwen/ngx_waf_cc 只启用防cc攻击waf https://github.com/unixhot/waf 有专门的黑名单，方便放ip，直接生效。白名单没生效，还没研究。下载解压，重命名为waf文件夹，根据前面的编译的lua存放地址，将waf文件夹放到该目录下'/usr/local/luajit/lib/lua/' 修改config.lua确定要开启的功能等。在nginx http{}增加配置 ``` # waf lua_shared_dict limit 10m; lua_package_path "/usr/local/luajit/lib/lua/?.lua;/usr/local/luajit/lib/lua/waf/?.lua;"; init_by_lua_file "/usr/local/luajit/lib/lua/waf/init.lua"; access_by_lua_file "/usr/local/luajit/lib/lua/waf/waf_cc.lua"; ``` config_cc_rate="10/60"--cc攻击的速率/时间，单位为秒；默认示例中为单个IP地址在60秒内访问同一个页面次数超过10次则认为是cc攻击，则自动禁止此IP地址访问此页面60秒， 60秒后解封(封禁过程中此IP地址依然可以访问其它页面，如果同一个页面访问次数超过10次依然会被禁止) 这个60秒就是封禁时间，可以看情况增加