ngx_lua_waf的安装

资源准备

git clone https://github.com/simpl/ngx_devel_it.git
git clone https://github.com/openresty/lua-nginx-module.git
wget -c http://luajit.org/download/LuaJIT-2.0.5.tar.gz

所需文件地址

1. 安装Luajit

1.1 安装

tar -xzf LuaJIT-2.0.5.tar.gz
cd LuaJIT-2.0.5
make && make install

1.2 验证是否安装成功

luajit -v

1.3 导入环境变量

vim /etc/profile

# 如果按照上访步骤执行则不需要变更路径
export LUAJIT_LIB=/usr/local/lib  
export LUAJIT_INC=/usr/local/include/luajit-2.0

source /etc/profile

"/usr/local/lib" >> /etc/ld.so.conf

ldconfig

2. 安装 & 编译 nginx

2.1 安装nginx (如果已经安装则跳过)

curl -o nginx.tar.gz http://nginx.org/download/nginx-1.16.0.tar.gz

2.2 编译nginx参数

cd nginx-1.16.0

./configure --add-module=../ngx_devel_kit-0.3.1 --add-module=../lua-nginx-module-0.10.15 --prefix=/usr/local/nginx

这一步可能会报很多错

1. ./configure: error: the HTTP gzip module requires the zlib library.

2. yum -y install pcre-devel yum -y

3. install openssl openssl-devel

4. ./configure: error: the HTTP rewrite module requires the PCRE library.

5. yum -y install pcre-devel

6. ./configure: error: no ~/ng/ngx_devel_kit-0.3.1/config was found

7. 修改绝对路径为相对路径即可

注意，生产环境做任何操作都应备份为先，因此重新编译nginx时应先对旧的nginx可执行文件进行备份，以便于如果出问题后进行回滚操作，基于这个理由，增加模块的时候不要直接使用make install，而是手动cp过去

 make
mv /usr/local/nginx/sbin/nginx /usr/local/nginx/sbin/nginx.bak  
cp objs/nginx /usr/local/nginx/sbin/  
nginx -s reload  

make && make install 
cd /usr/local/nginx/sbin
nginx -s reload 

2. 安装并配置ngx_lua_waf

2.1 安装ngx_lua_waf

cd /usr/local/nginx/conf/
git clone https://github.com/loveshell/ngx_lua_waf.git
mv ngx_lua_waf/ waf
mkdir ../logs/hack
chmod -R 755 ../logs/hack/

修改config.lua的文件路径

vim waf/config.lua 

#config.lua在/usr/local/nginx/conf/waf内
#RulePath是存放规则文件的路径
RulePath = "/usr/local/nginx/conf/waf/wafconf/"
attacklog = "on"
#日志存放路径
logdir = "/usr/local/nginx/logs/hack/"
UrlDeny="on"
Redirect="on"
CookieMatch="on"
postMatch="on"
whiteModule="on"
black_fileExt={"php","jsp"}
ipWhitelist={"127.0.0.1"}
ipBlocklist={"1.0.0.1"}
CCDeny="off"
CCrate="100/60"
html=[[
<html xmlns="http://www.w3.org/1999/xhtml"><head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<title>网站防火墙</title>
<style>
p {
        line-height:20px;
}
ul{ list-style-type:none;}
li{ list-style-type:none;}
</style>

2.2 在nginx.conf的http段中添加配置

vim nginx.conf

lua_need_request_body on;
lua_package_path "/usr/local/nginx/conf/waf/?.lua";
lua_shared_dict limit 10m;
init_by_lua_file  /usr/local/nginx/conf/waf/init.lua; 
access_by_lua_file /usr/local/nginx/conf/waf/waf.lua;

重新加载nginx

 nginx -t
 nginx -s reload

3. 关于config.lua的配置说明

#规则存放目录
RulePath = "/usr/local/nginx/conf/waf/wafconf/"
#是否开启攻击信息记录，需要配置logdir
attacklog = "off"
#log存储目录，该目录需要用户自己新建，切需要nginx用户的可写权限
logdir = "/usr/local/nginx/logs/hack/"
#是否拦截url访问
UrlDeny="on"
#是否拦截后重定向 
Redirect="on"
#是否拦截cookie攻击
CookieMatch = "on"
#是否拦截post攻击
postMatch = "on" 
#是否开启URL白名单
whiteModule = "on" 
#填写不允许上传文件后缀类型
black_fileExt={"php","jsp"}
#ip白名单，多个ip用逗号分隔
ipWhitelist={"127.0.0.1"}
#ip黑名单，多个ip用逗号分隔
ipBlocklist={"1.0.0.1"}
#是否开启拦截cc攻击(需要nginx.conf的http段增加lua_shared_dict limit 10m;)
CCDeny="on"
#设置cc攻击频率，单位为秒.
#默认1分钟(60秒)同一个IP只能请求同一个地址100次
CCrate = "100/60"
#警告内容,可在中括号内自定义
html=[[Please go away~~]]
 
# 备注:不要乱动双引号，区分大小写