Using nginx with ModSecurity to build a WAF
1. Preparation
System: CentOS 6.5 64-bit, ngx_openresty-1.7.10.1, ModSecurity 2.9.0
OpenResty: http://openresty.org/download/ngx_openresty-1.7.10.1.tar.gz
ModSecurity for Nginx: https://www.modsecurity.org/tarball/2.9.0/modsecurity-2.9.0.tar.gz
OWASP rule set: https://github.com/SpiderLabs/owasp-modsecurity-crs
Dependencies:
Packages ModSecurity depends on: pcre, httpd-devel, libxml2, apr
    yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
Packages OpenResty depends on: pcre, zlib, openssl
    yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel
2. Enable the standalone module and compile
Download ModSecurity for nginx, extract it, and run the following in the extracted directory:
    ./autogen.sh
    ./configure --enable-standalone-module --disable-mlogc
    make
3. Add the ModSecurity module to OpenResty
Once the standalone module has been built, the ModSecurity module can be added when compiling OpenResty via "--add-module":
    ./configure --prefix=/opt/openresty --with-pcre-jit --with-ipv6 --without-http_redis2_module --with-http_iconv_module -j2 --add-module=../modsecurity-2.9.0/nginx/modsecurity/
    make && make install
4. Add rules
ModSecurity is geared toward filtering and blocking web threats, and its strength lies in its rules. The rules provided by OWASP are maintained by community volunteers and are known as the Core Rule Set (CRS); they are reliable and effective, and of course custom rules can also be written to meet specific needs.
1. Download the OWASP rules:
    git clone https://github.com/SpiderLabs/owasp-modsecurity-crs
    mv owasp-modsecurity-crs /opt/openresty/nginx/conf/
    cd /opt/openresty/nginx/conf/owasp-modsecurity-crs/ && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf
2. Enable the OWASP rules:
Copy modsecurity.conf-recommended and unicode.mapping from the ModSecurity source directory into nginx's conf directory, renaming modsecurity.conf-recommended to modsecurity.conf.
    mv modsecurity.conf-recommended /opt/openresty/nginx/conf/modsecurity.conf
    cp unicode.mapping /opt/openresty/nginx/conf/
Edit modsecurity.conf and set SecRuleEngine to On:
    sed -i 's/^SecRuleEngine.*/SecRuleEngine On/' /opt/openresty/nginx/conf/modsecurity.conf
owasp-modsecurity-crs contains several folders of rules, for example base_rules, experimental_rules, optional_rules and slr_rules; enable the rules in them as needed.
A rule file is enabled by adding an Include for it to modsecurity.conf:
    Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
    Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
    Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
    Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
    Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
    Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
    Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
5. Configure nginx
On any host where ModSecurity should be enabled, add the following two lines inside the location block:
    ModSecurityEnabled on;
    ModSecurityConfig modsecurity.conf;
Below are a few example configurations. A PHP virtual host:
    server {
        listen       80;
        server_name  test.net www.test.net;
        location ~ \.php$ {
            ModSecurityEnabled on;
            ModSecurityConfig modsecurity.conf;
            root  /web/wordpress;
            index index.php index.html index.htm;
            fastcgi_pass   127.0.0.1:9000;
            fastcgi_index  index.php;
            fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;
            include        fastcgi_params;
        }
    }
Load balancing with an upstream:
    upstream online {
        server 192.168.1.100:8080;
        server 192.168.1.101:8080 backup;
    }
    server {
        listen 80;
        server_name test.net www.test.net;
        location / {
            ModSecurityEnabled on;
            ModSecurityConfig modsecurity.conf;
            proxy_pass http://online;
            proxy_redirect         off;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header  X-Forwarded-For $proxy_add_x_forwarded_for;
        }
    }
Wildcard server name, reverse-proxy style:
    upstream real_webserver {
        server 192.168.0.12;
        server 192.168.0.13;
    }
    server {
        listen       80;
        server_name  _;
        location / {
            ModSecurityEnabled on;
            ModSecurityConfig modsecurity.conf;
            proxy_set_header   Host    $host;
            proxy_set_header   X-Real-IP   $remote_addr;
            proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_pass http://real_webserver;
        }
    }
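Before testing, it is worth confirming that the build and rule steps above actually took effect. The script below is an added post-install check written for this page; it is not part of the original post, of ModSecurity or of OpenResty. It verifies that the nginx binary was compiled with the ModSecurity module (section 3), that SecRuleEngine in modsecurity.conf is On rather than the DetectionOnly value that modsecurity.conf-recommended ships with (section 4), and that every Include in modsecurity.conf resolves to a rule file that exists, since a mistyped Include path means the rule silently never loads. Paths assume the /opt/openresty layout used in the post and can be overridden through NGINX_BIN and CONF_DIR; the fixture directory the script builds for itself is constructed purely so the checks can be exercised without a real install.

```shell
#!/bin/sh
# Added post-install check for the nginx + ModSecurity setup described above
# (example code, not from the original post). Assumed layout, as in the post:
# OpenResty under /opt/openresty with modsecurity.conf in its conf/ directory
# and Include paths in that file relative to the conf/ directory.
NGINX_BIN=${NGINX_BIN:-/opt/openresty/nginx/sbin/nginx}
CONF_DIR=${CONF_DIR:-/opt/openresty/nginx/conf}

# Returns 0 if the `nginx -V` output passed in $1 shows that the ModSecurity
# module was added at build time (section 3), 1 otherwise.
nginx_has_modsecurity() {
    printf '%s\n' "$1" | grep -q -- '--add-module=[^ ]*modsecurity'
}

# Returns 0 if the modsecurity.conf given in $1 has "SecRuleEngine On".
# DetectionOnly (the shipped default) and Off only log; neither blocks.
rule_engine_is_on() {
    grep -Eq '^[[:space:]]*SecRuleEngine[[:space:]]+On[[:space:]]*$' "$1"
}

# Prints every Include target in $1 that does not exist on disk (resolved
# relative to $2 unless absolute); returns 1 if any is missing, 0 otherwise.
check_includes() {
    conf=$1 base=$2 rc=0
    for inc in $(sed -n 's/^[[:space:]]*Include[[:space:]][[:space:]]*\([^[:space:]]*\).*/\1/p' "$conf"); do
        case $inc in
            /*) path=$inc ;;
            *)  path=$base/$inc ;;
        esac
        if [ ! -f "$path" ]; then
            echo "missing rule file: $path"
            rc=1
        fi
    done
    return $rc
}

# Constructed fixture: a throwaway conf dir with SecRuleEngine On, one rule
# file that exists and one Include whose target is missing. Prints the dir.
make_fixture() {
    d=$(mktemp -d)
    mkdir -p "$d/owasp-modsecurity-crs/base_rules"
    : > "$d/owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf"
    cat > "$d/modsecurity.conf" <<EOF
SecRuleEngine On
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
EOF
    echo "$d"
}

# Run the checks against the real install when one is present.
if [ -x "$NGINX_BIN" ]; then
    if nginx_has_modsecurity "$("$NGINX_BIN" -V 2>&1)"; then
        echo "module: ModSecurity compiled in"
    else
        echo "module: ModSecurity NOT found in nginx -V output"
    fi
    if rule_engine_is_on "$CONF_DIR/modsecurity.conf"; then
        echo "engine: On (blocking)"
    else
        echo "engine: not On (requests are only logged, not blocked)"
    fi
    check_includes "$CONF_DIR/modsecurity.conf" "$CONF_DIR" && echo "includes: all rule files present"
    "$NGINX_BIN" -t && echo "nginx config: syntax ok"
fi
```

Run it on the server after `make install` and the rule setup; each line reports one of the three conditions, and any "missing rule file" line names the Include that needs fixing before nginx is reloaded.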
6. Testing
XSS and SQL injection filtering is now enabled, so abnormal requests are answered with a 403 directly. Taking a PHP environment as an example, create a phpinfo.php containing:
    <?php phpinfo(); ?>
Open it in a browser:
This shows that SQL injection and XSS are being filtered.
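Once blocking is on, the practical question is what was blocked and by which rule, since a 403 on its own does not say which CRS rule fired or how often. The script below is an added example written for this page, not part of the original post or of ModSecurity; it summarises ModSecurity 2.x denials recorded in the nginx error log. It assumes the message format ModSecurity writes there ("ModSecurity: Access denied with code 403 ... [id "N"] ... [msg "..."]"); the log lines, client addresses and rule hits in SAMPLE_LOG are constructed for illustration and are not from a real server.

```shell
#!/bin/sh
# Added example (not from the original post): summarise ModSecurity denials
# from nginx error-log lines so blocked requests can be reviewed per rule.
# Assumed line format (ModSecurity 2.x via the nginx connector):
#   ... ModSecurity: Access denied with code 403 (phase 2). ... [id "N"] ... [msg "..."] ...
ERROR_LOG=${ERROR_LOG:-/opt/openresty/nginx/logs/error.log}

# Constructed sample log: three denials (two hits on one SQLi rule, one on an
# XSS rule) plus an unrelated error line that must be ignored.
SAMPLE_LOG='2019/05/01 10:00:01 [error] 1234#0: *7 [client 192.0.2.10] ModSecurity: Access denied with code 403 (phase 2). Pattern match "..." at ARGS:q. [file "/opt/openresty/nginx/conf/owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "77"] [id "981231"] [rev "2"] [msg "SQL Comment Sequence Detected."] [severity "CRITICAL"] [hostname "test.net"] [uri "/phpinfo.php"]
2019/05/01 10:00:02 [error] 1234#0: *8 [client 192.0.2.10] ModSecurity: Access denied with code 403 (phase 2). Pattern match "..." at ARGS:q. [file "/opt/openresty/nginx/conf/owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf"] [line "23"] [id "973300"] [rev "2"] [msg "Possible XSS Attack Detected - HTML Tag Handler"] [severity "CRITICAL"] [hostname "test.net"] [uri "/phpinfo.php"]
2019/05/01 10:00:03 [error] 1234#0: *9 [client 192.0.2.11] ModSecurity: Access denied with code 403 (phase 2). Pattern match "..." at ARGS:q. [file "/opt/openresty/nginx/conf/owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "77"] [id "981231"] [rev "2"] [msg "SQL Comment Sequence Detected."] [severity "CRITICAL"] [hostname "test.net"] [uri "/index.php"]
2019/05/01 10:00:04 [error] 1234#0: *10 open() "/web/wordpress/favicon.ico" failed (2: No such file or directory), client: 192.0.2.12'

# Reads error-log lines on stdin and prints "<count> <rule id> <msg>" per
# rule, most frequent first. Lines that are not ModSecurity denials are skipped.
denials_by_rule() {
    grep 'ModSecurity: Access denied' |
    sed -n 's/.*\[id "\([0-9]*\)"\].*\[msg "\([^"]*\)"\].*/\1 \2/p' |
    sort | uniq -c | sort -rn
}

# Reads error-log lines on stdin and prints each distinct denied client
# address once, sorted. Useful for spotting one source tripping many rules.
denied_clients() {
    grep 'ModSecurity: Access denied' |
    sed -n 's/.*\[client \([0-9.]*\)\].*/\1/p' |
    sort -u
}

echo "Denials by rule (constructed sample):"
printf '%s\n' "$SAMPLE_LOG" | denials_by_rule
echo "Denied clients (constructed sample):"
printf '%s\n' "$SAMPLE_LOG" | denied_clients

# Same summary over the real error log when it is readable.
if [ -r "$ERROR_LOG" ]; then
    echo "Denials by rule ($ERROR_LOG):"
    denials_by_rule < "$ERROR_LOG"
fi
```

On the sample, the SQLi rule 981231 is reported with a count of 2 ahead of the XSS rule 973300 with 1, and two client addresses appear; a rule that shows up with a large count against ordinary traffic is the usual sign of a false positive that needs a targeted exception rather than disabling the whole rule file.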
Reposted from: https://my.oschina.net/monkeyzhu/blog/393505