安装依赖包
安装依赖
# Build prerequisites for compiling ModSecurity from source: the C++ compiler,
# the parser generators (flex/bison), libtool, and the development headers
# the build links against.
yum install -y \
  gcc-c++ flex bison libtool doxygen \
  yajl yajl-devel \
  curl curl-devel \
  GeoIP-devel zlib-devel \
  libxml2-devel libxslt-devel
安装依赖包
ftp://ftp.icm.edu.pl/vol/rzm7/linux-centos-vault/7.8.2003/sclo/x86_64/rh/Packages/d/devtoolset-9-libstdc++-devel-9.3.1-2.el7.x86_64.rpm
ftp://ftp.icm.edu.pl/vol/rzm7/linux-centos-vault/7.8.2003/sclo/x86_64/rh/Packages/d/devtoolset-9-gcc-c++-9.3.1-2.el7.x86_64.rpm
ftp://ftp.icm.edu.pl/vol/rzm7/linux-centos-vault/7.8.2003/sclo/x86_64/rh/Packages/d/devtoolset-9-gcc-9.3.1-2.el7.x86_64.rpm
ftp://ftp.icm.edu.pl/vol/rzm7/linux-centos-vault/7.8.2003/sclo/x86_64/rh/Packages/d/devtoolset-9-libquadmath-devel-9.3.1-2.el7.x86_64.rpm
ftp://ftp.icm.edu.pl/vol/rzm7/linux-centos-vault/7.8.2003/sclo/x86_64/rh/Packages/d/devtoolset-9-gcc-gfortran-9.3.1-2.el7.x86_64.rpm
ftp://ftp.icm.edu.pl/vol/rzm7/linux-centos-vault/7.9.2009/sclo/x86_64/rh/Packages/d/devtoolset-9-binutils-2.32-16.el7.x86_64.rpm
ftp://ftp.icm.edu.pl/vol/rzm7/linux-centos-vault/7.8.2003/sclo/x86_64/rh/Packages/d/devtoolset-9-runtime-9.1-0.el7.x86_64.rpm
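# Install the downloaded devtoolset-9 RPMs. They can be installed one by one;
# the glob below is an example that installs them together.
#
# The RPMs listed above are fetched from a third-party mirror over plain FTP,
# which gives no integrity or authenticity guarantee in transit, and yum does
# not GPG-check local package files unless localpkg_gpgcheck=1 is set in
# yum.conf. Verify the package signatures first and install only if every file
# passes. The check needs the signing key of the CentOS SCLo repository to be
# imported beforehand, from a source you trust.
rpm --checksig devtoolset-9-*.rpm &&
  yum localinstall -y devtoolset-9-*.rpm
# "scl enable ... bash" starts a NEW shell with devtoolset-9 on PATH. Run the
# remaining build steps inside that shell; in a non-interactive script the
# lines after this one would not run in the enabled environment.
scl enable devtoolset-9 bash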
下载modsecurity源码
# Fetch the ModSecurity v3 (libmodsecurity) sources and build them.
#
# NOTE(review): v3/master is a moving branch, so two runs of this recipe can
# build different code. For a reproducible, auditable build, check out a
# release tag instead (git checkout <release-tag>) and record the commit id
# that was built.
# NOTE(review): the project has since moved to the owasp-modsecurity GitHub
# organisation; confirm the clone URL against the project's current home
# before building a security component from it.
git clone https://github.com/SpiderLabs/ModSecurity
cd ModSecurity
git checkout v3/master
# Register and fetch the bundled submodules in a single step.
git submodule update --init
./build.sh
./configure
make
# Installs into the default prefix; this is the only step that typically
# needs elevated privileges.
make install
安装ModSecurity-nginx Connector
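# Build the ModSecurity-nginx connector as a dynamic module of OpenResty.
#
# The clone lands in ./ModSecurity-nginx relative to the current directory.
# --add-dynamic-module below must point at that checkout; the path shown is
# the author's own workspace (an unpacked "-master" archive) and has to be
# adjusted to wherever the connector sources actually are.
git clone https://github.com/SpiderLabs/ModSecurity-nginx
cd /app/openresty/
# Either build the module together with OpenResty (as here), or build it
# against nginx sources and copy the resulting .so in. In the second case the
# .so only loads into a binary of the same nginx version that was configured
# with compatible options (--with-compat on both sides).
# The duplicated --with-http_ssl_module flag from the original command line
# has been dropped; the flag is still passed once.
./configure --prefix=/app/openresty \
  --with-http_ssl_module \
  --with-http_v2_module \
  --with-http_gzip_static_module \
  --with-http_sub_module \
  --with-http_realip_module \
  --with-http_stub_status_module \
  --with-http_auth_request_module \
  --with-luajit \
  --with-compat \
  --add-dynamic-module=/usr/MyWorkSpace/ModSecurity-nginx-master
gmake && gmake install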
拷贝配置文件到nginx
配置文件在ModSecurity的源码目录中
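# Run from the ModSecurity source directory. The destination is the path that
# the nginx configuration on this page passes to modsecurity_rules_file, and
# unicode.mapping goes into the same directory because modsecurity.conf refers
# to it by relative path.
#
# NOTE: modsecurity.conf-recommended ships with "SecRuleEngine DetectionOnly":
# matching requests are logged but never blocked. Switch it to
# "SecRuleEngine On" once the rules have been tuned against real traffic.
# The file holds engine settings and a few request-body sanity rules only;
# attack detection needs a rule set (for example the OWASP Core Rule Set)
# included in addition.
cp modsecurity.conf-recommended /app/openresty/nginx/conf/modsecurity.conf
cp unicode.mapping /app/openresty/nginx/conf/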
参数配置
编辑 Nginx 配置文件(如 nginx.conf),加载并启用 ModSecurity 模块:
# Load the ModSecurity connector built as a dynamic module. load_module is
# only valid in the main context, so it stays at the top of the file.
load_module modules/ngx_http_modsecurity_module.so;
#user nobody;
worker_processes 4;
#error_log logs/error.log;
#error_log logs/error.log notice;
#error_log logs/error.log info;
#pid logs/nginx.pid;
events {
    worker_connections 1024;
}
http {
    include mime.types;
    default_type application/octet-stream;
    #log_format main '$remote_addr - $remote_user [$time_local] "$request" '
    # '$status $body_bytes_sent "$http_referer" '
    # '"$http_user_agent" "$http_x_forwarded_for"';
    #access_log logs/access.log main;
    sendfile on;
    #tcp_nopush on;
    #keepalive_timeout 0;
    keepalive_timeout 65;
    gzip on; # enable gzip compression
    gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
    gzip_vary on; # add `Vary: Accept-Encoding` to responses so proxy caches stay correct
    gzip_min_length 1024; # minimum response size to compress; smaller responses are left uncompressed
    gzip_proxied any; # also compress responses to requests that arrived through a proxy
    gzip_comp_level 5; # compression level, 1-9: higher gives a better ratio at more CPU cost
    server {
        # Listens on port 8080 on all addresses (no address is given).
        listen 8080;
        # NOTE(review): server_name is matched against the request's Host
        # header; it does not select a bind address - "listen" does that.
        server_name 0.0.0.0;
        charset utf-8;
        #access_log logs/host.access.log main;
        location / {
            # Backend application. Make sure it is reachable on loopback only,
            # otherwise clients can connect to port 9080 directly and bypass
            # the ModSecurity inspection configured below.
            proxy_pass http://127.0.0.1:9080;
            proxy_set_header Host $host:$server_port;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-Host $host;
            proxy_set_header X-Forwarded-Port $server_port;
            # $proxy_add_x_forwarded_for appends $remote_addr to whatever
            # X-Forwarded-For value the client sent, so earlier entries in the
            # list are client-controlled; the backend should rely on X-Real-IP
            # or on the last entry only.
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            # Key part: rewrite redirect URLs issued by the backend so that
            # they point at this proxy instead of the internal address.
            proxy_redirect http://127.0.0.1:9080/ http://$host:8080/;
            # Enable ModSecurity for this location and load its rules.
            # With modsecurity.conf-recommended copied unchanged, the engine
            # runs in DetectionOnly mode (log, do not block) until
            # SecRuleEngine is set to On in the rules file.
            modsecurity on;
            modsecurity_rules_file /app/openresty/nginx/conf/modsecurity.conf;
        }
    }
}
启动openresty
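# Validate the configuration before starting; start only if the test passes.
# The test should also surface a module that fails to load or a rules file
# that is missing or does not parse.
/app/openresty/nginx/sbin/nginx -t -c /app/openresty/nginx/conf/nginx.conf &&
  /app/openresty/nginx/sbin/nginx -c /app/openresty/nginx/conf/nginx.conf
# After later changes to nginx.conf or to the ModSecurity rules, reload the
# running instance so the workers pick them up.
/app/openresty/nginx/sbin/nginx -s reload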