Background
For a plain NGINX image/video server configuration see: Nginx 图片、视频服务器配置_殷长庆的博客-CSDN博客
OpenResty does not ship with the image module compiled in; you have to rebuild OpenResty from source to add it.
OpenResty download: if OpenResty is already installed on the machine, download the source tarball for the same version from the official site, so that the rebuild matches what is already installed.
Deployment
Download
Official site: OpenResty - Download
Build OpenResty
tar -zxvf openresty-1.19.9.1.tar.gz
cd openresty-1.19.9.1
Install the build dependencies (gd-devel is the one http_image_filter_module links against):
yum -y install gcc pcre-devel make zlib-devel openssl-devel libxml2-devel libxslt-devel gd-devel GeoIP-devel libatomic_ops-devel luajit luajit-devel perl-devel perl-ExtUtils-Embed
Compile the source
First check how the existing OpenResty was built:
/usr/local/openresty/nginx/sbin/nginx -V
which prints something like
configure arguments: --prefix=/usr/local/openresty/nginx --with-cc-opt=-O2 --add-module=../ngx_devel_kit-0.3.1 --add-module=../echo-nginx-module-0.62 --add-module=../xss-nginx-module-0.06 --add-module=../ngx_coolkit-0.2 --add-module=../set-misc-nginx-module-0.32 --add-module=../form-input-nginx-module-0.12 --add-module=../encrypted-session-nginx-module-0.08 --add-module=../srcache-nginx-module-0.32 --add-module=../ngx_lua-0.10.20 --add-module=../ngx_lua_upstream-0.07 --add-module=../headers-more-nginx-module-0.33 --add-module=../array-var-nginx-module-0.05 --add-module=../memc-nginx-module-0.19 --add-module=../redis2-nginx-module-0.15 --add-module=../redis-nginx-module-0.3.7 --add-module=../rds-json-nginx-module-0.15 --add-module=../rds-csv-nginx-module-0.09 --add-module=../ngx_stream_lua-0.0.10 --with-ld-opt=-Wl,-rpath,/usr/local/openresty/luajit/lib --with-stream --with-stream_ssl_module --with-stream_ssl_preread_module --with-http_ssl_module
When rebuilding, only the --with-xxxxx arguments need to be carried over (the --add-module entries are OpenResty's bundled modules, which its own configure script adds by itself; --prefix defaults to /usr/local/openresty), plus the new --with-http_image_filter_module.
For example:
./configure --with-stream --with-stream_ssl_module --with-stream_ssl_preread_module --with-http_ssl_module --with-http_image_filter_module
When configure finishes it prints
Type the following commands to build and install:
gmake
gmake install
Then run
gmake && gmake install
When it finishes the output ends with
gmake[2]: Leaving directory '/home/openresty-1.19.9.1/build/nginx-1.19.9'
gmake[1]: Leaving directory '/home/openresty-1.19.9.1/build/nginx-1.19.9'
mkdir -p /usr/local/openresty/site/lualib /usr/local/openresty/site/pod /usr/local/openresty/site/manifest
ln -sf /usr/local/openresty/nginx/sbin/nginx /usr/local/openresty/bin/openresty
Running nginx -V now shows --with-http_image_filter_module in the configure arguments. If the build fails, it is usually a missing tool or header; install the missing package with yum and rerun. Note that gmake install overwrites the binary under /usr/local/openresty while the running master process keeps the old executable in memory: nginx -s reload does not pick up the new binary, you need a stop/start (or the USR2 binary-upgrade procedure).
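The flag-carrying step above is easy to get wrong by hand, and a missed flag silently drops a module. The script below is an added example written for this post (it is not part of OpenResty or of the original article); it assumes the install prefix, source directory and build-output path used in this post, and it exposes the pieces as functions: extract_with_flags (keeps only the --with-* arguments of nginx -V), build_configure_args (appends the wanted modules, deduplicated) and has_flag (checks a binary's -V output).

```shell
#!/bin/sh
# Added example, not from the original post: rebuild OpenResty with the
# flags the installed binary already has plus http_image_filter_module,
# then verify the result before it goes live. Paths are assumptions that
# match this post; override them through the environment.
set -eu

NGINX_BIN="${NGINX_BIN:-/usr/local/openresty/nginx/sbin/nginx}"
OPENRESTY_SRC="${OPENRESTY_SRC:-/home/openresty-1.19.9.1}"
# assumed location of the freshly built (not yet installed) binary
BUILT_BIN="${BUILT_BIN:-$OPENRESTY_SRC/build/nginx-1.19.9/objs/nginx}"

# Print the --with-* flags found in `nginx -V` output (read on stdin), one
# per line. --add-module entries are OpenResty's bundled modules and its own
# ./configure re-adds them; --with-cc-opt/--with-ld-opt are OpenResty
# defaults. All three are dropped.
extract_with_flags() {
  tr ' ' '\n' | grep '^--with-' | grep -v -e '^--with-cc-opt' -e '^--with-ld-opt' || true
}

# Build one ./configure argument line: the existing --with-* flags followed
# by the extra flags given as arguments, duplicates removed, order kept.
build_configure_args() {
  { extract_with_flags; for f in "$@"; do printf '%s\n' "$f"; done; } |
    awk '!seen[$0]++' | tr '\n' ' ' | sed 's/ $//'
}

# Exit 0 if the given `nginx -V` text ($1) contains the flag ($2) as a whole word.
has_flag() {
  printf '%s\n' "$1" | tr ' ' '\n' | grep -qx -- "$2"
}

# Full rebuild: any extra arguments (for example --add-module=...) are
# appended to the configure line.
main() {
  current="$("$NGINX_BIN" -V 2>&1)"
  args="$(printf '%s\n' "$current" | build_configure_args --with-http_image_filter_module "$@")"
  echo "configure $args"
  cd "$OPENRESTY_SRC"
  # shellcheck disable=SC2086  # word splitting of $args is intended
  ./configure $args
  gmake
  # Check the freshly built binary, not the installed one, before installing.
  has_flag "$("$BUILT_BIN" -V 2>&1)" --with-http_image_filter_module ||
    { echo "image filter module missing from build" >&2; exit 1; }
  gmake install
  "$NGINX_BIN" -t   # validate nginx.conf against the new binary
  echo "now stop and start OpenResty (nginx -s reload keeps the old executable)"
}

if [ "${1:-}" = "run" ]; then shift; main "$@"; fi
```

Run it as sh rebuild.sh run for the image-filter rebuild, or sh rebuild.sh run --add-module=/home/xss/naxsi/naxsi_src to add a third-party module at the same time; without the run argument it only defines the functions, so it can be sourced and the helpers used on their own.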
Next, configure nginx.conf and restart OpenResty.
# /img/F166666666_240x320.jpg is served from /home/imgs/F1/66666666.jpg (the first two characters of the name become a subdirectory),
# resized to fit inside 240x320 with the aspect ratio kept, JPEG quality 75
location ~ /img/(.*)_(\d+)x(\d+)(.*)$ {
    root /;
    rewrite ^/img/(\S)(\S)(.*)_(\d+)x(\d+)(.*)$ /home/imgs/$1$2/$3$6 break;
    image_filter resize $4 $5;
    image_filter_buffer 50M;
    image_filter_jpeg_quality 75;
}
# /img/F166666666_240.jpg is served from /home/imgs/F1/66666666.jpg, scaled to width 240 with the height computed proportionally, JPEG quality 75
location ~ /img/(.*)_(\d+)(\.(.*))$ {
    root /;
    rewrite ^/img/(\S)(\S)(.*)_(\d+)(\.(.*))$ /home/imgs/$1$2/$3$5 break;
    image_filter resize $4 -;
    image_filter_buffer 50M;
    image_filter_jpeg_quality 75;
}
# /img/F166666666.jpg is served from /home/imgs/F1/66666666.jpg unchanged
location ~ /img/(.*)$ {
    root /;
    rewrite ^/img/(\S)(\S)(.*)$ /home/imgs/$1$2/$3 break;
}
Save and restart. Two things to check before exposing this to the internet: (1) (\d+) puts no bound on the requested size, so any client can ask for 20000x20000 and make a worker spend CPU and memory on every request; bound the captures (for example (\d{1,4})) or accept only a fixed set of sizes, and cache the resized output (proxy_cache in front of this server, or a CDN) so each size is computed once. (2) image_filter_buffer 50M is the maximum source image that is read into memory per request; set it to the largest file you actually store rather than leaving it generous.
Using naxsi with nginx to block SQL injection and XSS
Download the latest naxsi release:
Releases · nbs-system/naxsi · GitHub
cd /home
mkdir xss
cd xss
wget https://github.com/nbs-system/naxsi/archive/refs/tags/1.3.tar.gz
tar zvxf 1.3.tar.gz
mv naxsi-1.3 naxsi
Then rebuild OpenResty. Carry over the flags from the image-filter build above: the configure line must list every module you still want, otherwise this second gmake install replaces the binary with one that has naxsi but no http_image_filter_module and no stream modules.
cd openresty-1.19.9.1
./configure --prefix=/usr/local/openresty --with-stream --with-stream_ssl_module --with-stream_ssl_preread_module --with-http_ssl_module --with-http_image_filter_module --with-http_stub_status_module --with-http_gzip_static_module --with-luajit --add-module=/home/xss/naxsi/naxsi_src
gmake && gmake install
cp /home/xss/naxsi/naxsi_config/naxsi_core.rules /usr/local/openresty/nginx/conf/
cd /usr/local/openresty/nginx/conf/
touch website.rules
vim website.rules
Put the following in it:
# surrounding nginx context omitted
# Turn naxsi on for the location that includes this file
SecRulesEnabled;
# Learning mode: requests that trigger rules are written to the log but not denied. Keep it commented out to actually block; uncomment it while tuning whitelists.
#LearningMode; #enable learning mode
LibInjectionSql; #enable libinjection support for SQLI
LibInjectionXss; #enable libinjection support for XSS
# Internal location that answers a denied request (defined in nginx.conf below)
DeniedUrl "/RequestDenied";
# Score thresholds: a request is blocked once a named score reaches the value
CheckRule "$SQL >= 8" BLOCK;
CheckRule "$RFI >= 8" BLOCK;
CheckRule "$TRAVERSAL >= 4" BLOCK;
CheckRule "$EVADE >= 4" BLOCK;
CheckRule "$XSS >= 8" BLOCK;
# The two libinjection directives only raise their own scores; without these CheckRules they never block anything
CheckRule "$LIBINJECTION_SQL >= 8" BLOCK;
CheckRule "$LIBINJECTION_XSS >= 8" BLOCK;
BasicRule wl:1315 "mz:$HEADERS_VAR:Cookie"; # Disable rule #1315 in Cookie
error_log logs/naxsi.log;
Edit nginx.conf:
http {
    ...
    include naxsi_core.rules; # load naxsi core rules (http context, once)
    ...
}
server {
    ...
    location / { # naxsi is enabled here; it is in learning mode only if LearningMode is uncommented in website.rules
        include website.rules;
        proxy_pass http://127.0.0.1; # placeholder: point this at the real backend, not at this server itself
        ....
    }
    location /admin { # naxsi is disabled here and access is restricted by IP instead
        SecRulesDisabled; #optional, naxsi is disabled by default
        allow 1.2.3.4;
        deny all;
        proxy_pass http://127.0.0.1;
        ....
    }
    location /vuln_page.php { # naxsi is enabled for this page too; SecRulesEnabled alone carries no CheckRule or DeniedUrl, so the rules file has to be included or nothing is blocked
        include website.rules;
        proxy_pass http://127.0.0.1;
    }
    location /RequestDenied { # reachable only through DeniedUrl, never exposed directly
        internal;
        return 403;
    }
    ...
}
Reference documentation for whitelists and blacklists:
Home · nbs-system/naxsi Wiki · GitHub
Finally, validate the configuration with /usr/local/openresty/nginx/sbin/nginx -t and restart nginx (a full stop/start, since the binary changed).
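Learning mode only pays off if the entries it writes to naxsi.log are turned into whitelists, and a fresh deployment should be probed once after the restart. The script below is an added example written for this post (it is neither from the original article nor naxsi's own nx_util tool). It assumes naxsi.log lives under the OpenResty logs directory, that the log lines carry the NAXSI_FMT fields naxsi writes (zoneN, idN, var_nameN), and that whitelists use naxsi's BasicRule wl:<id> "mz:$ARGS_VAR:<name>" form; the site URL and the probe query strings in the smoke test are placeholders.

```shell
#!/bin/sh
# Added example, not part of the original post or of naxsi: turn the
# NAXSI_FMT lines that learning mode writes to naxsi.log into BasicRule
# whitelists, and probe a running deployment with curl.
# Assumptions: naxsi.log path below, NAXSI_FMT field names as written by
# naxsi 1.x, placeholder site URL.
set -eu

NAXSI_LOG="${NAXSI_LOG:-/usr/local/openresty/nginx/logs/naxsi.log}"
SITE="${SITE:-http://127.0.0.1}"

# Read naxsi error-log lines on stdin and print one BasicRule whitelist per
# (rule id, zone, variable) seen, sorted and deduplicated. Review each line
# before pasting it into website.rules: a whitelist silences that rule for
# that variable for every client.
naxsi_whitelists() {
  grep -o 'NAXSI_FMT: [^,]*' | sed 's/^NAXSI_FMT: //' | awk -F'&' '
  {
    split("", zone); split("", id); split("", name)
    for (i = 1; i <= NF; i++) {
      eq = index($i, "="); k = substr($i, 1, eq - 1); v = substr($i, eq + 1)
      if (k ~ /^zone[0-9]+$/)          zone[substr(k, 5)] = v
      else if (k ~ /^id[0-9]+$/)       id[substr(k, 3)] = v
      else if (k ~ /^var_name[0-9]+$/) name[substr(k, 9)] = v
    }
    for (n in id) {
      z = zone[n]; suffix = ""
      if (sub(/\|NAME$/, "", z)) suffix = "|NAME"   # match was in the variable name
      if (z == "ARGS" || z == "BODY" || z == "HEADERS")
        mz = "$" z "_VAR:" name[n] suffix
      else
        mz = z suffix                                 # URL, FILE_EXT: no variable part
      print "BasicRule wl:" id[n] " \"mz:" mz "\";"
    }
  }' | sort -u
}

# Send a benign request, a SQL-injection probe and an XSS probe to a running
# server and print the status codes. With blocking active the two probes
# should come back as 403 (the DeniedUrl location); in learning mode they
# return whatever the backend returns and only naxsi.log changes.
smoke_test() {
  for q in 'q=hello' "q=1'%20OR%201%3D1--" 'q=%3Cscript%3Ealert(1)%3C/script%3E'; do
    code="$(curl -s -o /dev/null -w '%{http_code}' "$SITE/?$q")"
    printf '%-40s -> %s\n' "$q" "$code"
  done
}

case "${1:-}" in
  whitelists) naxsi_whitelists < "$NAXSI_LOG" ;;
  smoke)      smoke_test ;;
esac
```

sh naxsi-tools.sh whitelists prints candidate BasicRule lines from the current log; sh naxsi-tools.sh smoke probes the server. Generate whitelists only from traffic you trust (learning mode on a site that is already being attacked will happily suggest whitelisting the attacks), and prefer the narrow $ARGS_VAR:name form the script emits over zone-wide mz:ARGS.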