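Installing the ngx_lua_waf extension on an RPM-packaged nginx

ngx_lua_waf is a web application firewall based on lua-nginx-module (OpenResty).

lua-nginx-module project page

  • Download the resources
    1. Download luajit
    2. Download ngx_devel_kit
    3. Download ngx_lua
    4. Download nginx
    5. Download ngx_lua_waf

  • Compile and install LuaJIT (official site)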

    make PREFIX=/usr/local/luajit
    make install PREFIX=/usr/local/luajit
    
  • Compile nginx without installing it

    wget 'http://nginx.org/download/nginx-1.13.6.tar.gz'
    tar -xzvf nginx-1.13.6.tar.gz
    cd nginx-1.13.6/
    
    # tell nginx's build system where to find LuaJIT 2.0:
    export LUAJIT_LIB=/path/to/luajit/lib
    export LUAJIT_INC=/path/to/luajit/include/luajit-2.0
    
    # or, if you built LuaJIT 2.1, tell it where to find that instead:
    export LUAJIT_LIB=/path/to/luajit/lib
    export LUAJIT_INC=/path/to/luajit/include/luajit-2.1
    # or tell where to find Lua if using Lua instead:
    #export LUA_LIB=/path/to/lua/lib
    #export LUA_INC=/path/to/lua/include
    
    # Here we assume Nginx is to be installed under /opt/nginx/.
     ./configure --prefix=/opt/nginx \
             --with-ld-opt="-Wl,-rpath,/path/to/luajit-or-lua/lib" \
             --add-module=/path/to/ngx_devel_kit \
             --add-module=/path/to/lua-nginx-module
    # Note that you may also want to add `./configure` options which are used in your
    # current nginx build.
    # You can usually get those options with the command nginx -V.
    # You can change the parallelism number 2 below to fit the number of spare CPU
    # cores in your machine.
    make -j2
    cp objs/nginx /usr/sbin/nginx
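
Because the binary built above replaces the RPM's /usr/sbin/nginx, its configure options should match the packaged build. The script below is an added example, not part of the original post or of nginx: it turns `nginx -V` output into a ./configure line that keeps the packaged options, merges the LuaJIT rpath into any existing --with-ld-opt, and appends the two modules. The sample -V text and the module paths are constructed placeholders.

```shell
#!/bin/sh
# Added example: derive a ./configure line for the rebuilt binary from the
# packaged nginx's own `nginx -V` output.

# Print the text after "configure arguments:" from `nginx -V` output on stdin.
configure_args() {
    sed -n 's/^configure arguments: *//p'
}

# $1 = `nginx -V 2>&1` text      $2 = LuaJIT lib directory
# $3 = ngx_devel_kit source dir  $4 = lua-nginx-module source dir
build_configure_cmd() {
    args=$(printf '%s\n' "$1" | configure_args)
    [ -n "$args" ] || { echo "no configure arguments found" >&2; return 1; }
    rpath="-Wl,-rpath,$2"
    # nginx's configure keeps only the last --with-ld-opt it is given, so the
    # rpath is merged into the packaged value rather than passed a second time.
    case $args in
        *"--with-ld-opt='"*)   # quoted value, e.g. several linker flags
            args=$(printf '%s\n' "$args" |
                sed "s|--with-ld-opt='\([^']*\)'|--with-ld-opt='\1 $rpath'|") ;;
        *--with-ld-opt=*)      # unquoted single-word value
            args=$(printf '%s\n' "$args" |
                sed "s|--with-ld-opt=\([^ ]*\)|--with-ld-opt='\1 $rpath'|") ;;
        *)                     # packaged build set no linker options
            args="$args --with-ld-opt='$rpath'" ;;
    esac
    printf '%s\n' "./configure $args --add-module=$3 --add-module=$4"
}

# Constructed sample of `nginx -V 2>&1` output (not captured from a real host).
SAMPLE_V="nginx version: nginx/1.13.6
configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --with-http_ssl_module --with-ld-opt='-Wl,-z,relro -pie'"

# Real use: build_configure_cmd "$(nginx -V 2>&1)" /usr/local/luajit/lib ...
build_configure_cmd "$SAMPLE_V" /usr/local/luajit/lib \
    /path/to/ngx_devel_kit /path/to/lua-nginx-module
```

Review the printed line before running it in the nginx source directory, and keep a copy of the original /usr/sbin/nginx so the packaged binary can be restored.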
    
  • Using ngx_lua_waf

    1. Download ngx_lua_waf into the nginx/conf directory, unpack it and name the directory waf
    2. Add the following to the http block of nginx.conf
    lua_package_path "/etc/nginx/conf/waf/?.lua";
    lua_shared_dict limit 10m;
    init_by_lua_file  /etc/nginx/conf/waf/init.lua;
    access_by_lua_file /etc/nginx/conf/waf/waf.lua;
    
    3. Set the WAF rule directory in config.lua (usually under the waf/conf/ directory)
    RulePath = "/etc/nginx/conf/waf/wafconf/"
    
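  • Configuration file reference:

      RulePath = "/usr/local/nginx/conf/waf/wafconf/"
      -- directory where the rules are stored
      attacklog = "off"
      -- whether to log attack information; requires logdir to be set
      logdir = "/usr/local/nginx/logs/hack/"
      -- log directory; you must create it yourself, and it must be writable by the nginx user
      UrlDeny="on"
      -- whether to block URL access
      Redirect="on"
      -- whether to redirect after blocking
      CookieMatch = "on"
      -- whether to block cookie attacks
      postMatch = "on"
      -- whether to block POST attacks
      whiteModule = "on"
      -- whether to enable the URL whitelist
      black_fileExt={"php","jsp"}
      -- file extensions that may not be uploaded
      ipWhitelist={"127.0.0.1"}
      -- IP whitelist; separate multiple IPs with commas
      ipBlocklist={"1.0.0.1"}
      -- IP blacklist; separate multiple IPs with commas
      CCDeny="on"
      -- whether to block CC attacks (requires adding lua_shared_dict limit 10m; to the http block of nginx.conf)
      CCrate = "100/60"
      -- CC attack rate limit, in seconds.
      -- By default the same IP may request the same address only 100 times per minute
      html=[[Please go away~~]]
      -- warning content; can be customized inside the square brackets
      -- Note: do not tamper with the double quotes; names are case-sensitive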
    
  • After restarting nginx, you can try the following command:

    curl 'http://xxxx/test.php?id=../etc/passwd'
    

If the response contains "Please go away~~", the rules are in effect.
