0x01 前言
最近利用awvs以及Wpscan对网站进行了漏洞扫描,扫出来一堆漏洞,然后就对服务器进行了一次大升级,才有了这篇文章
0x02 准备
因为我应用环境的需要,所以我需要下载以下源码:
- lua-nginx-module:用于支持lua模块
- nginx-ct:启用证书透明度
- ModSecurity:用于编译ModSecurity
- ModSecurity-nginx:用于连接ModSecurity与nginx
首先建立临时文件夹并下载相关文件(注意:下面的 git clone 都跟随分支的最新提交,wget 下载的压缩包也没有做校验;建议固定到具体的 tag/commit,并核对官方发布的校验和或签名之后再编译):
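# Install the build toolchain and the libraries the modules below need.
# Each package is listed exactly once (the original command repeated about
# thirty of them, which yum tolerates but which hides what is really required).
# Wildcard names are single-quoted so that yum, not the shell, expands them:
# an unquoted libxslt* would be globbed against files in the current
# directory before yum ever saw it.
# NOTE(review): several entries (redis, vim, htop, iftop, screen, subversion,
# mlocate, ...) are not needed to compile nginx; trimming them keeps the
# host's installed footprint smaller — confirm against your own needs.
yum install -y \
  libxml2 libxslt-devel gperftools pcre-devel libuuid-devel 'libxslt*' \
  libblkid-devel libudev-devel fuse-devel libedit-devel perl-ExtUtils-Embed \
  at gcc-c++ python subversion gperf make rpm-build git curl bzip2-devel \
  libcurl-devel gd gd-devel t1lib t1lib-devel libmcrypt libmcrypt-devel \
  libtidy libtidy-devel GeoIP-devel libatomic_ops-devel zlib-devel unzip \
  'libstdc++*' net-snmp 'net-snmp*' gmp gmp-devel openldap openldap-devel \
  libpcap-devel glib2-devel libxml2-devel redis vim wget htop iftop libtool \
  automake mlocate pam-devel gcc screen iptables-services 'bash-completion*' \
  net-tools luajit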
#新建文件夹
[root@web-dev ~]# mkdir /opt/nginx
#进入文件夹
[root@web-dev ~]# cd /opt/nginx/
#下载headers-more-nginx-module
[root@web-dev nginx]# git clone https://github.com/openresty/headers-more-nginx-module.git
#下载lua-nginx-module
[root@web-dev nginx]# git clone https://github.com/openresty/lua-nginx-module.git
#下载nginx-ct
[root@web-dev nginx]# git clone https://github.com/grahamedgecombe/nginx-ct.git
#下载openssl
[root@web-dev nginx]# wget https://github.com/openssl/openssl/archive/OpenSSL_1_1_1c.tar.gz
#下载ModSecurity
[root@web-dev nginx]# git clone --depth 1 -b v3/master --single-branch https://github.com/SpiderLabs/ModSecurity
#下载ModSecurity-nginx
[root@web-dev nginx]# git clone --depth 1 https://github.com/SpiderLabs/ModSecurity-nginx.git
#下载nginx
[root@web-dev nginx]# wget https://nginx.org/download/nginx-1.18.0.tar.gz
#下载OWASP ModSecurity CRS
[root@web-dev nginx]# git clone https://github.com/SpiderLabs/owasp-modsecurity-crs.git
最后解压被压缩的软件:
#解压并删除nginx压缩包
[root@web-dev nginx]# tar zxvf nginx-1.18.0.tar.gz && rm -f nginx-1.18.0.tar.gz
#解压openssl压缩包
[root@web-dev nginx]# tar -xzf OpenSSL_1_1_1c.tar.gz && rm -f OpenSSL_1_1_1c.tar.gz
最终,该目录下会有这些文件夹(注意 nginx-1.18.0 目录的属主显示为 wordpress,这是以 root 执行 tar 时保留了归档内 uid/gid 的结果;以 root 编译前建议先 chown -R root:root 该目录,避免一个 Web 应用账户可写的源码树被 root 编译并安装):
[root@iztsvh228msdkjz nginx]# ll
total 32
drwxr-xr-x 6 root root 4096 Sep 26 14:09 headers-more-nginx-module
drwxr-xr-x 11 root root 4096 Sep 26 14:20 lua-nginx-module
drwxr-xr-x 13 root root 4096 Sep 26 14:45 ModSecurity
drwxr-xr-x 6 root root 4096 Sep 26 14:45 ModSecurity-nginx
drwxr-xr-x 8 wordpress wordpress 4096 Apr 21 22:09 nginx-1.18.0
drwxr-xr-x 3 root root 4096 Sep 26 14:22 nginx-ct
drwxrwxr-x 18 root root 4096 May 28 2019 openssl-OpenSSL_1_1_1c
drwxr-xr-x 8 root root 4096 Sep 26 14:53 owasp-modsecurity-crs
0x03 编译安装
0x03.1 配置安装openssl
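# Configure OpenSSL. The cd is chained with && so that ./config is not run
# in whatever directory we happened to be in if the source tree is missing.
# NOTE(review): --prefix=/usr installs into the same tree as the
# distribution's own OpenSSL, outside the package manager's control: the
# distro's openssl binary can be shadowed or overwritten and yum updates no
# longer patch this copy. A private prefix, or pointing nginx's
# --with-openssl= at this source directory, leaves the system copy intact.
# NOTE(review): 1.1.1c is an early release of the 1.1.1 series; later
# letter releases carry security fixes and the series itself is no longer
# supported upstream — pick the newest supported release and verify the
# download's signature before building.
cd openssl-OpenSSL_1_1_1c && ./config --prefix=/usr
# Build and install, then refresh the dynamic linker cache so the freshly
# installed libraries are found. Chained so a failed build never installs.
make && make install && ldconfig
# Report the version of whichever openssl binary is now first on PATH.
openssl version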
0x03.2 Modsecurity Lib
先编译Modsecurity Lib,进入ModSecurity源码文件夹并运行以下命令:
#进入文件夹
[root@modsecurity openssl-OpenSSL_1_1_1c]# cd /opt/nginx/ModSecurity
#初始化submodule
[root@modsecurity ModSecurity]# git submodule init
Submodule 'bindings/python' (https://github.com/SpiderLabs/ModSecurity-Python-bindings.git) registered for path 'bindings/python'
Submo