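OpenResty + nginx image server configuration: adding the http_image_filter_module module

Background

For a plain NGINX image server configuration, see: Nginx image and video server configuration (Yin Changqing's blog, CSDN)

OpenResty does not bundle the image module by default; it has to be added by compiling OpenResty from source.

OpenResty download: if OpenResty is already installed on the machine, it is best to download the matching OpenResty source from the official site.

Deployment

Download

Official site: OpenResty - Download

Compile OpenResty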

tar -zxvf openresty-1.19.9.1.tar.gz

cd openresty-1.19.9.1

Install the tools needed for the build

yum -y install gcc pcre-devel make zlib-devel openssl-devel libxml2-devel libxslt-devel gd-devel GeoIP-devel libatomic_ops-devel luajit luajit-devel perl-devel perl-ExtUtils-Embed

Compile the source

First check what the existing OpenResty was built with

/usr/local/openresty/nginx/sbin/nginx -V

This prints

configure arguments: --prefix=/usr/local/openresty/nginx --with-cc-opt=-O2 --add-module=../ngx_devel_kit-0.3.1 --add-module=../echo-nginx-module-0.62 --add-module=../xss-nginx-module-0.06 --add-module=../ngx_coolkit-0.2 --add-module=../set-misc-nginx-module-0.32 --add-module=../form-input-nginx-module-0.12 --add-module=../encrypted-session-nginx-module-0.08 --add-module=../srcache-nginx-module-0.32 --add-module=../ngx_lua-0.10.20 --add-module=../ngx_lua_upstream-0.07 --add-module=../headers-more-nginx-module-0.33 --add-module=../array-var-nginx-module-0.05 --add-module=../memc-nginx-module-0.19 --add-module=../redis2-nginx-module-0.15 --add-module=../redis-nginx-module-0.3.7 --add-module=../rds-json-nginx-module-0.15 --add-module=../rds-csv-nginx-module-0.09 --add-module=../ngx_stream_lua-0.0.10 --with-ld-opt=-Wl,-rpath,/usr/local/openresty/luajit/lib --with-stream --with-stream_ssl_module --with-stream_ssl_preread_module --with-http_ssl_module

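When compiling, we only need to carry over the --with-xxxxx options and then add the http_image_filter_module module (the --add-module entries are OpenResty's bundled modules, which its own configure script adds).

For example: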

./configure --with-stream --with-stream_ssl_module --with-stream_ssl_preread_module --with-http_ssl_module --with-http_image_filter_module

When configure finishes it prints

Type the following commands to build and install:
    gmake
    gmake install


Then run

gmake && gmake install

When it finishes it prints

gmake[2]: 离开目录“/home/openresty-1.19.9.1/build/nginx-1.19.9”
gmake[1]: 离开目录“/home/openresty-1.19.9.1/build/nginx-1.19.9”
mkdir -p /usr/local/openresty/site/lualib /usr/local/openresty/site/pod /usr/local/openresty/site/manifest
ln -sf /usr/local/openresty/nginx/sbin/nginx /usr/local/openresty/bin/openresty

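Running nginx -V again now shows that the image module has been added. If errors occur along the way, a build tool is probably missing; installing the missing tool with yum usually fixes it.

Next, configure nginx.conf and restart OpenResty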

        location ~ /img/(.*)_(\d+)x(\d+)(.*)$ {
            root /;
            rewrite ^/img/(\S)(\S)(.*)_(\d+)x(\d+)(.*)$ /home/imgs/$1$2/$3$6 break;
            image_filter resize $4 $5;
            image_filter_buffer 50M;
            image_filter_jpeg_quality 75;
        }
        # Regex handling: the link /img/F166666666_240.jpg maps to the local file /home/imgs/F1/66666666.jpg
        # The image is scaled proportionally to width 240, with JPEG quality 75
        location ~ /img/(.*)_(\d+)(\.(.*))$ {
            root /;
            rewrite ^/img/(\S)(\S)(.*)_(\d+)(\.(.*))$ /home/imgs/$1$2/$3$5 break;
            image_filter resize $4 -;
            image_filter_buffer 50M;
            image_filter_jpeg_quality 75;
        }
        # Regex handling: the link /img/F166666666.jpg maps to the local file /home/imgs/F1/66666666.jpg
        location ~ /img/(.*)$ {
            root /;
            rewrite ^/img/(\S)(\S)(.*)$ /home/imgs/$1$2/$3 break;
        }

Save and restart.
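The three location blocks above can be checked offline before a restart. The following is an added example, not part of the original post: it models how a request URI is resolved to a file, assuming nginx tries the regex locations in the order written, treats `location ~` as an unanchored search, and leaves the URI unchanged when the `^/img/` rewrite does not match. The sample URIs are constructed.

```python
import posixpath
import re

# (location regex, rewrite regex, rewrite target, image_filter resize args),
# copied from the three location blocks above in the order nginx tries them.
RULES = [
    (r"/img/(.*)_(\d+)x(\d+)(.*)$",
     r"^/img/(\S)(\S)(.*)_(\d+)x(\d+)(.*)$", r"/home/imgs/\1\2/\3\6", r"\4 \5"),
    (r"/img/(.*)_(\d+)(\.(.*))$",
     r"^/img/(\S)(\S)(.*)_(\d+)(\.(.*))$", r"/home/imgs/\1\2/\3\5", r"\4 -"),
    (r"/img/(.*)$",
     r"^/img/(\S)(\S)(.*)$", r"/home/imgs/\1\2/\3", None),
]
IMAGE_ROOT = "/home/imgs/"


def resolve(uri):
    """Map a normalized request URI to (file path under `root /`, resize args)."""
    for location, rewrite, target, resize in RULES:
        if not re.search(location, uri):   # `location ~` is an unanchored search
            continue
        m = re.match(rewrite, uri)         # the rewrite regex is anchored with ^
        if m is None:
            # Rewrite did not apply: the URI is unchanged and is resolved
            # against `root /`. Resize arguments are not modelled for this case.
            return uri, None
        return m.expand(target), (m.expand(resize) if resize else None)
    return None, None                      # no /img/ location handles this URI


def stays_in_image_root(uri):
    """True when the resolved file lies under the intended image directory."""
    path, _ = resolve(uri)
    # Normalise first so dot segments cannot satisfy the prefix check.
    return path is not None and (posixpath.normpath(path) + "/").startswith(IMAGE_ROOT)


if __name__ == "__main__":
    # Constructed sample URIs, not taken from a real access log.
    for uri in ("/img/F166666666_240x120.jpg", "/img/F166666666_240.jpg",
                "/img/F166666666.jpg", "/static/img/logo.png"):
        print(uri, "->", resolve(uri), stays_in_image_root(uri))
```

A URI for which `stays_in_image_root` is false is one the config serves from outside /home/imgs; anchoring the location regexes with `^` closes the case shown in the last sample.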

Using naxsi with nginx to prevent SQL injection and XSS

Download the latest naxsi package

Releases · nbs-system/naxsi · GitHub

cd /home

mkdir xss

cd xss

wget https://github.com/nbs-system/naxsi/archive/refs/tags/1.3.tar.gz

tar zvxf 1.3.tar.gz

mv naxsi-1.3 naxsi

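Then recompile OpenResty. The rebuild replaces the installed binary, so pass every --with option you still need from the earlier build (for example --with-http_image_filter_module) on the configure line as well.

cd /home/openresty-1.19.9.1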

./configure --prefix=/usr/local/openresty --with-http_stub_status_module --with-http_gzip_static_module --with-luajit --add-module=/home/xss/naxsi/naxsi_src

gmake && gmake install


cp /home/xss/naxsi/naxsi_config/naxsi_core.rules /usr/local/openresty/nginx/conf/

cd /usr/local/openresty/nginx/conf/

touch website.rules

vim website.rules

Put the following content in it

# surrounding context omitted
# Enable the Naxsi module
SecRulesEnabled;
# Enable learning mode: requests that trigger rules are logged but not denied
#LearningMode; #enable learning mode
LibInjectionSql; #enable libinjection support for SQLI
LibInjectionXss; #enable libinjection support for XSS
# Page shown when a request is denied
DeniedUrl "/RequestDenied";
# Check rules
CheckRule "$SQL >= 8" BLOCK;
CheckRule "$RFI >= 8" BLOCK;
CheckRule "$TRAVERSAL >= 4" BLOCK;
CheckRule "$EVADE >= 4" BLOCK;
CheckRule "$XSS >= 8" BLOCK;
BasicRule wl:1315 "mz:$HEADERS_VAR:Cookie"; # Disable rule #1315 in Cookie
error_log  logs/naxsi.log;

Edit nginx.conf

http {
    ...
    include naxsi_core.rules; # load naxsi core rules
    ...
}
server {
...

    location / { # naxsi is enabled with website.rules (learning mode only if LearningMode is uncommented there)

        include website.rules;

        proxy_pass http://127.0.0.1;
        ....
    }

    location /admin { # naxsi is disabled 

        SecRulesDisabled; #optional, naxsi is disabled by default
        
        allow 1.2.3.4;
        deny all;
        proxy_pass http://127.0.0.1;
        ....
    }

    location /vuln_page.php { # naxsi is enabled, and is *not* in learning mode

        SecRulesEnabled;
        proxy_pass http://127.0.0.1;
    }
    
    location /RequestDenied {
        internal;
        return 403;
    }
...

}

Whitelist and blacklist reference documentation

Home · nbs-system/naxsi Wiki · GitHub

When done, restart nginx
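Once naxsi is logging to logs/naxsi.log, the hits it records are the raw material for whitelists like the `BasicRule wl:1315` line in website.rules. The following is an added example, not part of the original post or of naxsi: it groups rule hits from NAXSI_FMT log lines and prints candidate whitelist lines for review. The field layout is assumed to follow the NAXSI_FMT example in the naxsi wiki, and the sample lines are constructed.

```python
import re
from collections import Counter
from urllib.parse import parse_qs

# Constructed sample lines in the assumed NAXSI_FMT layout (not from a real log).
SAMPLE_LOG = """\
2024/01/01 10:00:00 [error] 100#0: *1 NAXSI_FMT: ip=192.0.2.10&server=example.test&uri=/search&vers=1.3&total_processed=10&total_blocked=1&cscore0=$SQL&score0=8&zone0=ARGS&id0=1000&var_name0=q, client: 192.0.2.10, server: example.test
2024/01/01 10:00:01 [error] 100#0: *2 NAXSI_FMT: ip=192.0.2.11&server=example.test&uri=/search&vers=1.3&total_processed=11&total_blocked=2&cscore0=$SQL&score0=8&zone0=ARGS&id0=1000&var_name0=q, client: 192.0.2.11, server: example.test
2024/01/01 10:00:02 [error] 100#0: *3 NAXSI_FMT: ip=192.0.2.12&server=example.test&uri=/login&vers=1.3&total_processed=12&total_blocked=3&cscore0=$SQL&score0=8&zone0=BODY&id0=1001&var_name0=user, client: 192.0.2.12, server: example.test
2024/01/01 10:00:03 [notice] 100#0: signal process started
"""

FMT = re.compile(r"NAXSI_FMT: (.*?)(?:, client: |$)")
VAR_ZONES = {"ARGS", "BODY", "HEADERS"}   # zones whitelisted by variable name


def matches(line):
    """Yield (uri, zone, rule_id, var_name) for every rule hit in one log line."""
    m = FMT.search(line)
    if not m:
        return
    f = {k: v[0] for k, v in parse_qs(m.group(1), keep_blank_values=True).items()}
    i = 0
    while f"id{i}" in f:                   # hits are numbered id0, id1, ...
        yield (f.get("uri", ""), f.get(f"zone{i}", ""),
               f[f"id{i}"], f.get(f"var_name{i}", ""))
        i += 1


def suggest_whitelist(log_text, min_hits=2):
    """Return candidate BasicRule lines for hits seen at least min_hits times."""
    counts = Counter(h for line in log_text.splitlines() for h in matches(line))
    rules = []
    for (uri, zone, rule_id, var), n in sorted(counts.items()):
        if n < min_hits or zone not in VAR_ZONES or not var:
            continue                       # rare hits and other zones: manual review
        rules.append(f'BasicRule wl:{rule_id} "mz:$URL:{uri}|${zone}_VAR:{var}"; # {n} hits')
    return rules


if __name__ == "__main__":
    print("\n".join(suggest_whitelist(SAMPLE_LOG)))
```

Each printed line is a candidate only; confirm that the traffic behind it is legitimate before adding it to website.rules.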
