NGINX(Tengine) 安装部署

一、下载编译环境包

# Build toolchain plus the -devel headers the optional tengine modules below
# link against (gd-devel for image_filter, GeoIP-devel for geoip, ...).
# NOTE(review): the GeoIP packages are the legacy database format; confirm its
# data source is still maintained before relying on the geoip module.
pkgs=(
  gcc gcc-c++ bzip2 perl
  curl curl-devel expat-devel gettext-devel openssl-devel
  libxml2 libxml2-devel libjpeg-devel libpng-devel freetype-devel
  libmcrypt-devel autoconf gd-devel
  GeoIP GeoIP-devel GeoIP-data
)
yum -y install "${pkgs[@]}"

 

二、下载安装需要的组件

Openssl:

OpenSSL 是一个强大的安全套接字层密码库,囊括主要的密码算法、常用的密钥和证书封装管理功能及SSL协议,并提供丰富的应用程序供测试或其它目的使用。安装OpenSSL(http://www.openssl.org/source/)主要是为了让Tengine支持HTTPS访问请求

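cd /usr/local/src
# NOTE(review): 1.1.1 with no letter suffix is the first release of a series
# that later received many security fixes and is no longer supported upstream;
# pick a currently supported release before a production build.
wget https://www.openssl.org/source/openssl-1.1.1.tar.gz
# Check the tarball against the digest/signature published on the project's
# release page before unpacking it; a download alone proves nothing about origin.
expected_sha256='<sha256 published for openssl-1.1.1.tar.gz>'   # placeholder
printf '%s  openssl-1.1.1.tar.gz\n' "$expected_sha256" | sha256sum -c -
tar zxvf openssl-1.1.1.tar.gz
cd openssl-1.1.1
./config --prefix=/usr/local/openssl
make
# Installs to /usr/local/openssl for other consumers. The tengine configure
# later is given --with-openssl=/usr/local/src/openssl-1.1.1 (the source tree),
# which nginx-style builds compile themselves — presumably this prefix install
# is not what tengine links; confirm against tengine's auto/lib/openssl.
make install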

zlib:

Zlib是提供资料压缩之用的函式库,当Tengine想启用GZIP压缩的时候就需要使用到Zlib

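cd /usr/local/src
# Fetch over TLS (the original used plain http, which allows the tarball to be
# swapped in transit). NOTE(review): 1.2.11 is an old release; check for a newer one.
wget https://zlib.net/zlib-1.2.11.tar.gz
# Verify the digest recorded from the project's release page before unpacking.
expected_sha256='<sha256 published for zlib-1.2.11.tar.gz>'   # placeholder
printf '%s  zlib-1.2.11.tar.gz\n' "$expected_sha256" | sha256sum -c -
tar zxvf zlib-1.2.11.tar.gz
cd zlib-1.2.11
./configure --prefix=/usr/local/zlib
make
# tengine is later pointed at the source tree via --with-zlib=, so this
# prefix install is for other consumers (presumably; confirm).
make install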

pcre:

PCRE(Perl Compatible Regular Expressions)是一个Perl库,包括 perl 兼容的正则表达式库。nginx rewrite依赖于PCRE库,所以在安装Tengine前一定要先安装PCRE

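cd /usr/local/src
# NOTE(review): 8.30 is a very old PCRE release with later security fixes in
# the 8.x line, and ftp.pcre.org may no longer serve downloads — use the
# project's current distribution site and a recent 8.x tarball.
wget https://ftp.pcre.org/pub/pcre/pcre-8.30.tar.gz
# Verify the digest recorded from the project's release page before unpacking.
expected_sha256='<sha256 published for pcre-8.30.tar.gz>'   # placeholder
printf '%s  pcre-8.30.tar.gz\n' "$expected_sha256" | sha256sum -c -
tar -xvf pcre-8.30.tar.gz
cd pcre-8.30
./configure --prefix=/usr/local/pcre
make
# tengine is later pointed at the source tree via --with-pcre=, so this
# prefix install is for other consumers (presumably; confirm).
make install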

jemalloc:

jemalloc(https://github.com/jemalloc/jemalloc/releases/)是一个更好的内存管理工具,使用jemalloc可以更好的优化Tengine的内存管理。

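cd /usr/local/src
wget https://github.com/jemalloc/jemalloc/releases/download/5.1.0/jemalloc-5.1.0.tar.bz2
# Verify the digest recorded from the release page before unpacking.
expected_sha256='<sha256 published for jemalloc-5.1.0.tar.bz2>'   # placeholder
printf '%s  jemalloc-5.1.0.tar.bz2\n' "$expected_sha256" | sha256sum -c -
tar xvf jemalloc-5.1.0.tar.bz2
cd jemalloc-5.1.0
./configure --prefix=/usr/local/jemalloc
make
# tengine is later pointed at the source tree via --with-jemalloc=, so this
# prefix install is for other consumers (presumably; confirm).
make install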

luajit2.1:

推荐使用LuaJIT 2.0以上版本做Lua支持
ngx_lua如果是0.9.2以上版本,建议正则过滤函数改为ngx.re.find,匹配效率会提高三倍左右。

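cd /usr/local/src
git clone https://github.com/LuaJIT/LuaJIT.git
cd LuaJIT/
# Build from a reviewed tag or commit rather than whatever HEAD is today:
#   git checkout <pinned tag or commit>
make install PREFIX=/usr/local/luajit
# Register the shared library with the dynamic linker.
echo "/usr/local/luajit/lib" > /etc/ld.so.conf.d/usr_local_luajit_lib.conf
ldconfig
# The header directory must match the one given to tengine's configure
# (--with-luajit-inc=.../include/luajit-2.1); the original wrote luajit-2.0
# here. The LuaJIT repository's HEAD is the 2.1 line — verify with
# `ls /usr/local/luajit/include` after the install above.
# The grep guards keep a re-run of this guide from appending duplicate lines.
grep -q '^export LUAJIT_LIB=' /etc/profile || echo "export LUAJIT_LIB=/usr/local/luajit/lib" >> /etc/profile
grep -q '^export LUAJIT_INC=' /etc/profile || echo "export LUAJIT_INC=/usr/local/luajit/include/luajit-2.1" >> /etc/profile
source /etc/profile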

 

三、下载lua库

# Lua support modules and the WAF. Each clone lands on the repository's default
# branch; pin each one to a reviewed tag or commit before building, e.g.
#   git -C <dir> checkout <pinned tag or commit>
# NOTE(review): check the maintenance status of ngx_lua_waf before relying on it.
cd /usr/local/src
for repo in \
  https://github.com/simplresty/ngx_devel_kit.git \
  https://github.com/openresty/lua-nginx-module.git \
  https://github.com/openresty/echo-nginx-module.git \
  https://github.com/loveshell/ngx_lua_waf.git \
  https://github.com/openresty/lua-resty-core.git \
  https://github.com/openresty/lua-resty-lrucache.git
do
  git clone "$repo"
done

 

四、下载tengine并安装配置

下载tengine:

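cd /usr/local/src
wget https://tengine.taobao.org/download/tengine-2.3.2.tar.gz
# Pin the exact tarball you reviewed: compare against a digest published by
# the project if available, otherwise against the digest recorded when the
# tarball was first inspected, so later rebuilds use byte-identical sources.
expected_sha256='<sha256 recorded for tengine-2.3.2.tar.gz>'   # placeholder
printf '%s  tengine-2.3.2.tar.gz\n' "$expected_sha256" | sha256sum -c -
tar -xf tengine-2.3.2.tar.gz
cd tengine-2.3.2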

编译安装:

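# --user/--group only set defaults; the account itself is not created by
# `make install`, yet nginx.conf's `user nginx nginx;` needs it at startup.
# System account, no home, no login shell: workers drop to an identity that
# cannot be used interactively.
id nginx >/dev/null 2>&1 || useradd -r -M -s /sbin/nologin nginx
# Relative paths: ../<module> are siblings of this source tree under
# /usr/local/src, ./modules/... ship inside tengine. --with-pcre/--with-openssl/
# --with-zlib/--with-jemalloc take source trees, which the build compiles itself.
./configure \
  --prefix=/usr/local/nginx \
  --user=nginx \
  --group=nginx \
  --with-pcre=/usr/local/src/pcre-8.30 \
  --with-openssl=/usr/local/src/openssl-1.1.1 \
  --with-jemalloc=/usr/local/src/jemalloc-5.1.0 \
  --with-openssl-opt=-fPIC \
  --with-zlib=/usr/local/src/zlib-1.2.11 \
  --with-luajit-inc=/usr/local/luajit/include/luajit-2.1 \
  --with-luajit-lib=/usr/local/luajit/lib \
  --with-lua-inc=/usr/local/luajit/include/luajit-2.1 \
  --with-lua-lib=/usr/local/luajit/lib \
  --with-http_stub_status_module \
  --with-http_realip_module \
  --with-http_gzip_static_module \
  --with-http_addition_module \
  --with-http_image_filter_module \
  --with-http_sub_module \
  --with-http_geoip_module \
  --with-http_random_index_module \
  --with-http_v2_module \
  --with-file-aio \
  --with-cc-opt='-O2' \
  --without-select_module \
  --without-poll_module \
  --add-module=../ngx_devel_kit \
  --add-module=../lua-nginx-module \
  --add-module=../echo-nginx-module \
  --add-module=./modules/ngx_http_concat_module \
  --add-module=./modules/ngx_http_upstream_check_module \
  --add-module=./modules/ngx_http_upstream_dynamic_module \
  --add-module=./modules/ngx_http_upstream_dyups_module \
  --add-module=./modules/ngx_http_upstream_session_sticky_module \
  --http-client-body-temp-path=/usr/local/nginx/nginx_tmp/client_body \
  --http-proxy-temp-path=/usr/local/nginx/nginx_tmp/proxy \
  --http-fastcgi-temp-path=/usr/local/nginx/nginx_tmp/fastcgi \
  --http-uwsgi-temp-path=/usr/local/nginx/nginx_tmp/uwsgi \
  --http-scgi-temp-path=/usr/local/nginx/nginx_tmp/scgi
make
make install
# Parent of the five temp paths above; must exist before the first start
# (-p makes this step safe to repeat). In my experience nginx creates the
# per-purpose subdirectories itself at startup — confirm on first run.
mkdir -p /usr/local/nginx/nginx_tmp/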

 

编写systemctl控制脚本:

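vim /usr/lib/systemd/system/nginx.service
[Unit]
Description=Tengine Server
After=network.target remote-fs.target nss-lookup.target

[Service]
Environment="CONFFILE=/usr/local/nginx/conf/nginx.conf"
Type=forking
# Same path as the `pid` directive in nginx.conf, so systemd tracks the
# master process directly instead of guessing after the parent exits.
PIDFile=/var/run/nginx.pid
# Refuse to start on a configuration that does not parse.
ExecStartPre=/usr/local/nginx/sbin/nginx -t -c $CONFFILE
ExecStart=/usr/local/nginx/sbin/nginx -c $CONFFILE
ExecReload=/usr/local/nginx/sbin/nginx -s reload
ExecStop=/usr/local/nginx/sbin/nginx -s stop
# Private /tmp: the service's temporary files are not visible to, or
# replaceable by, other processes on the host.
PrivateTmp=true

[Install]
WantedBy=multi-user.target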

 

把nginx命令放入环境变量:

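# Single quotes: write the literal text `$PATH` so it is expanded at each
# login. The original's double quotes baked this shell's current PATH into
# /etc/profile, freezing it for every user. The grep guard keeps a re-run
# from appending duplicates.
grep -q '^export PATH=/usr/local/nginx/sbin:' /etc/profile || \
  echo 'export PATH=/usr/local/nginx/sbin:$PATH' >>/etc/profile
source /etc/profile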

 

配置lua脚本:

# Deploy the WAF and the two pure-Lua libraries it needs under conf/waf:
#   conf/waf/           <- ngx_lua_waf checkout (config.lua, waf.lua, wafconf/)
#   conf/waf/resty/     <- lua-resty-core's lib/resty, then lrucache merged in
# These are unversioned copies: note the commit of each source checkout so the
# deployed Lua can be traced back to what was reviewed.
waf_dir=/usr/local/nginx/conf/waf
cp -r /usr/local/src/ngx_lua_waf "$waf_dir"
cp -r /usr/local/src/lua-resty-core/lib/resty "$waf_dir"/
cp -r /usr/local/src/lua-resty-lrucache/lib/resty/* "$waf_dir"/resty/

 

编写nginx配置文件:

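vim  /usr/local/nginx/conf/nginx.conf

# Workers run as the unprivileged nginx account; the master stays root only
# to bind port 80 and open the logs.
user nginx nginx;
worker_processes auto;
# "pipe:rollback ..." is Tengine's built-in rotation syntax (daily, keep 7,
# split at 2G — confirm the exact semantics against the Tengine docs).
error_log "pipe:rollback logs/error.log interval=1d baknum=7 maxsize=2G" error;
# Keep in sync with PIDFile= if the systemd unit sets one.
pid /var/run/nginx.pid;
worker_rlimit_nofile 51200;

events {
  use epoll;
  worker_connections 51200;
  multi_accept on;
}

http {
  include mime.types;
  default_type application/octet-stream;
  # $http_x_forwarded_for is a client-supplied header: only trust it for
  # addresses set by a proxy you control.
  log_format main '$remote_addr - $host [$time_local] "$request" '
                  '$status $body_bytes_sent "$http_referer" '
                  '"$http_user_agent" "$http_x_forwarded_for"';
  server_names_hash_bucket_size 128;
  client_header_buffer_size 32k;
  large_client_header_buffers 4 32k;
  client_max_body_size 50m;
  sendfile on;
  tcp_nopush on;
  keepalive_timeout 60;
  tcp_nodelay on;

  # WAF hooks. Declared at http level, so every server block inherits the
  # access-phase check. The trailing ";;" appends Lua's default search path
  # instead of replacing it with the WAF directory alone (the original
  # omitted it).
  lua_package_path "/usr/local/nginx/conf/waf/?.lua;;";
  # Shared zone the WAF's CC rate limiter (CCDeny in config.lua) relies on.
  lua_shared_dict limit 10m;
  init_by_lua_file /usr/local/nginx/conf/waf/init.lua;
  access_by_lua_file /usr/local/nginx/conf/waf/waf.lua;

  fastcgi_connect_timeout 300;
  fastcgi_send_timeout 300;
  fastcgi_read_timeout 300;
  fastcgi_buffer_size 64k;
  fastcgi_buffers 4 64k;
  fastcgi_busy_buffers_size 128k;
  fastcgi_temp_file_write_size 256k;

  gzip on;
  gzip_min_length 1k;
  gzip_buffers 4 16k;
  gzip_http_version 1.1;
  gzip_comp_level 2;
  gzip_types text/plain application/javascript application/x-javascript text/javascript text/css application/xml application/xml+rss;
  gzip_vary on;
  gzip_proxied expired no-cache no-store private auth;
  gzip_disable "MSIE [1-6]\.";

  # Do not advertise the server version in headers and error pages.
  server_tokens off;
  access_log "pipe:rollback logs/access.log interval=1d baknum=7 maxsize=2G" main;

  include vhost/*.conf;
}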
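# Directory matched by `include vhost/*.conf;` in nginx.conf (-p: safe to repeat).
mkdir -p /usr/local/nginx/conf/vhost
# The original line read `vim mkdir <path>`, a stray word that would have
# opened a file named "mkdir" as well.
vim /usr/local/nginx/conf/vhost/lua-test.conf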
server {
  listen 80;
  server_name localhost;

  location / {
    root html;
    index index.html index.htm;
  }

  # Smoke-test endpoints proving the echo and lua modules were compiled in;
  # they have no place in a production vhost.
  location /echo {
    default_type 'text/plain';
    echo 'hello echo';
  }

  location /lua {
    default_type 'text/plain';
    content_by_lua 'ngx.say("hello, lua")';
  }
}

 

五、ngx_lua_waf模块

用途:


防止sql注入,本地包含,部分溢出,fuzzing测试,xss,SSRF等web攻击
防止svn/备份之类文件泄漏
防止ApacheBench之类压力测试工具的攻击
屏蔽常见的扫描黑客工具,扫描器
屏蔽异常的网络请求
屏蔽图片附件类目录php执行权限
防止webshell上传

推荐安装:

推荐使用LuaJIT 2.1做Lua支持

ngx_lua如果是0.9.2以上版本,建议正则过滤函数改为ngx.re.find,匹配效率会提高三倍左右。


使用说明:

nginx安装路径假设为:/usr/local/nginx/conf/

把ngx_lua_waf下载到conf目录下,解压命名为waf

在nginx.conf的http段添加

lua_package_path "/usr/local/nginx/conf/waf/?.lua";
lua_shared_dict limit 10m;
init_by_lua_file /usr/local/nginx/conf/waf/init.lua; 
access_by_lua_file /usr/local/nginx/conf/waf/waf.lua;

配置config.lua里的waf规则目录(一般在waf/conf/目录下)

RulePath = "/usr/local/nginx/conf/waf/wafconf/"

绝对路径如有变动,需对应修改

然后重启nginx即可


配置文件详细说明:

RulePath = "/usr/local/nginx/conf/waf/wafconf/"
--规则存放目录
attacklog = "off"
--是否开启攻击信息记录,需要配置logdir
logdir = "/usr/local/nginx/logs/hack/"
--log存储目录,该目录需要用户自己新建,且需要nginx用户的可写权限
UrlDeny="on"
--是否拦截url访问
Redirect="on"
--是否拦截后重定向
CookieMatch = "on"
--是否拦截cookie攻击
postMatch = "on" 
--是否拦截post攻击
whiteModule = "on" 
--是否开启URL白名单
black_fileExt={"php","jsp"}
--填写不允许上传文件后缀类型
ipWhitelist={"127.0.0.1"}
--ip白名单,多个ip用逗号分隔
ipBlocklist={"1.0.0.1"}
--ip黑名单,多个ip用逗号分隔
CCDeny="on"
--是否开启拦截cc攻击(需要nginx.conf的http段增加lua_shared_dict limit 10m;)
CCrate = "100/60"
--设置cc攻击频率,单位为秒.
--默认1分钟同一个IP只能请求同一个地址100次
html=[[Please go away~~]]
--警告内容,可在中括号内自定义
备注:不要乱动双引号,区分大小写


检查规则是否生效:

部署完毕可以尝试如下命令: 

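# Quote the URL: unquoted, `?` is a shell glob character and the query string
# may be mangled before curl sees it. Replace xxxx with the host under test.
curl 'http://xxxx/test.php?id=../etc/passwd'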
返回"Please go away~~"字样,说明规则生效。

注意:默认,本机在白名单不过滤,可自行调整config.lua配置


效果图如下:

![sec](http://i.imgur.com/wTgOcm2.png)

![sec](http://i.imgur.com/DqU30au.png)

规则更新:

考虑到正则的缓存问题,动态规则会影响性能,所以暂没用共享内存字典和redis之类东西做动态管理。

规则更新可以把规则文件放置到其他服务器,通过crontab任务定时下载来更新规则,nginx reload即可生效。以保障ngx lua waf的高性能。

如果只想记录过滤日志而不实际拦截,在代码里的check调用前面加上--注释即可;需要拦截时则去掉该注释

一些说明:

过滤规则在wafconf下,可根据需求自行调整,每条规则需换行,或者用|分割

args里面的规则是对get参数进行过滤的
url是只在get请求url过滤的规则 
post是只在post请求过滤的规则 
whitelist是白名单,里面的url匹配到不做过滤 
user-agent是对user-agent的过滤规则

默认开启了get和post过滤,需要开启cookie过滤的,编辑waf.lua取消部分--注释即可

日志文件名称格式如下:虚拟主机名_sec.log


## Copyright

<table>
<tr>
<td>Weibo</td><td>神奇的魔法师</td>
</tr>
<tr>
<td>Forum</td><td>http://bbs.linuxtone.org/</td>
</tr>
<tr>
<td>Copyright</td><td>Copyright (c) 2013- loveshell</td>
</tr>
<tr>
<td>License</td><td>MIT License</td>
</tr>
</table>

 

六、其他依赖库

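# Optional extras. The *-nginx-module / ngx_* repositories are compiled into
# tengine via --add-module below; the lua-resty-* repositories are pure Lua
# libraries deployed next to the WAF files (as done for lua-resty-core above),
# not passed to configure. Every clone lands on the default branch: pin each
# to a reviewed tag or commit before building so the artefact is reproducible.
# The original had no `cd` here; the sibling layout below assumes the clones
# live in /usr/local/src next to the tengine tree.
cd /usr/local/src
for repo in \
  https://github.com/openresty/array-var-nginx-module.git \
  https://github.com/calio/form-input-nginx-module.git \
  https://github.com/openresty/encrypted-session-nginx-module.git \
  https://github.com/calio/iconv-nginx-module.git \
  https://github.com/openresty/set-misc-nginx-module.git \
  https://github.com/openresty/headers-more-nginx-module.git \
  https://github.com/openresty/memc-nginx-module.git \
  https://github.com/weibocom/nginx-upsync-module.git \
  https://github.com/openresty/srcache-nginx-module.git \
  https://github.com/openresty/redis2-nginx-module.git \
  https://github.com/vozlt/nginx-module-vts.git \
  https://github.com/FRiCKLE/ngx_coolkit.git \
  https://github.com/openresty/rds-csv-nginx-module.git \
  https://github.com/openresty/rds-json-nginx-module.git \
  https://github.com/hamishforbes/lua-resty-consul.git \
  https://github.com/cloudflare/lua-resty-cookie.git \
  https://github.com/openresty/lua-resty-dns.git \
  https://github.com/ledgetech/lua-resty-http.git \
  https://github.com/hamishforbes/lua-resty-iputils.git \
  https://github.com/doujiang24/lua-resty-kafka.git \
  https://github.com/upyun/lua-resty-limit-rate.git \
  https://github.com/openresty/lua-resty-limit-traffic.git \
  https://github.com/openresty/lua-resty-lock.git \
  https://github.com/cloudflare/lua-resty-logger-socket.git \
  https://github.com/openresty/lua-resty-memcached.git \
  https://github.com/openresty/lua-resty-mysql.git \
  https://github.com/openresty/lua-resty-redis.git \
  https://github.com/bungle/lua-resty-session.git \
  https://github.com/openresty/lua-resty-string.git \
  https://github.com/openresty/lua-resty-upload.git \
  https://github.com/hamishforbes/lua-resty-upstream.git \
  https://github.com/openresty/lua-resty-upstream-healthcheck.git \
  https://github.com/openresty/lua-resty-websocket.git
do
  git clone "$repo"
done
# configure resolves ../<module> as siblings of the tengine tree and
# ./modules/... inside it, so it must run from the tengine source directory
# (the original ran it with no `cd`). set-misc-nginx-module is cloned above
# but not added below; add `--add-module=../set-misc-nginx-module` if its
# directives are needed. LuaJIT header paths use luajit-2.1 to match the
# earlier configure (the original mixed luajit-2.0 and luajit-2.1).
cd /usr/local/src/tengine-2.3.2
./configure \
  --prefix=/usr/local/nginx \
  --user=nginx \
  --group=nginx \
  --with-pcre=/usr/local/src/pcre-8.30 \
  --with-openssl=/usr/local/src/openssl-1.1.1 \
  --with-jemalloc=/usr/local/src/jemalloc-5.1.0 \
  --with-openssl-opt=-fPIC \
  --with-zlib=/usr/local/src/zlib-1.2.11 \
  --with-luajit-inc=/usr/local/luajit/include/luajit-2.1 \
  --with-luajit-lib=/usr/local/luajit/lib \
  --with-lua-inc=/usr/local/luajit/include/luajit-2.1 \
  --with-lua-lib=/usr/local/luajit/lib \
  --with-http_stub_status_module \
  --with-http_realip_module \
  --with-http_gzip_static_module \
  --with-http_addition_module \
  --with-http_image_filter_module \
  --with-http_sub_module \
  --with-http_geoip_module \
  --with-http_random_index_module \
  --with-http_v2_module \
  --with-file-aio \
  --with-cc-opt='-O2' \
  --without-select_module \
  --without-poll_module \
  --add-module=../ngx_devel_kit \
  --add-module=../array-var-nginx-module \
  --add-module=../form-input-nginx-module \
  --add-module=../encrypted-session-nginx-module \
  --add-module=../iconv-nginx-module \
  --add-module=../lua-nginx-module \
  --add-module=../echo-nginx-module \
  --add-module=../headers-more-nginx-module \
  --add-module=../memc-nginx-module \
  --add-module=../nginx-upsync-module \
  --add-module=../srcache-nginx-module \
  --add-module=../redis2-nginx-module \
  --add-module=../nginx-module-vts \
  --add-module=../ngx_coolkit \
  --add-module=../rds-csv-nginx-module \
  --add-module=../rds-json-nginx-module \
  --add-module=./modules/ngx_http_concat_module \
  --add-module=./modules/ngx_http_upstream_check_module \
  --add-module=./modules/ngx_http_upstream_dynamic_module \
  --add-module=./modules/ngx_http_upstream_dyups_module \
  --add-module=./modules/ngx_http_upstream_session_sticky_module \
  --http-client-body-temp-path=/usr/local/nginx/nginx_tmp/client_body \
  --http-proxy-temp-path=/usr/local/nginx/nginx_tmp/proxy \
  --http-fastcgi-temp-path=/usr/local/nginx/nginx_tmp/fastcgi \
  --http-uwsgi-temp-path=/usr/local/nginx/nginx_tmp/uwsgi \
  --http-scgi-temp-path=/usr/local/nginx/nginx_tmp/scgi
# The original stopped at configure; the build and install steps mirror
# section 四.
make
make install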

 
