1、建立临时工作任务
[root@localhost ~]# cd /root && mkdir temporary && cd temporary/
2、yum安装系统常用软件
[root@localhost temporary]# yum install epel-release
[root@localhost temporary]# yum groupinstall 'Development Tools' -y
3、modsecurity依赖安装
[root@localhost temporary]# yum install gcc-c++ flex bison yajl yajl-devel curl-devel curl GeoIP-devel doxygen zlib-devel
[root@localhost temporary]# yum install lmdb lmdb-devel libxml2 libxml2-devel ssdeep ssdeep-devel lua lua-devel
4、安装modsecurity
[root@localhost temporary]# git clone --depth 1 --single-branch https://github.com/SpiderLabs/ModSecurity
[root@localhost temporary]# cd ModSecurity/
[root@localhost ModSecurity]# git submodule init
[root@localhost ModSecurity]# git submodule update
[root@localhost ModSecurity]# ./build.sh
[root@localhost ModSecurity]# yum install pcre -y
[root@localhost ModSecurity]# yum install pcre-devel -y
[root@localhost ModSecurity]# ./configure
[root@localhost ModSecurity]# make && make install
5、下载nginx安装包
[root@localhost ModSecurity]# cd /usr/local/
[root@localhost local]# wget http://nginx.org/download/nginx-1.16.0.tar.gz
[root@localhost local]# tar zxvf nginx-1.16.0.tar.gz && cd nginx-1.16.0/
6、nginx依赖安装
[root@localhost nginx-1.16.0]# yum install gd-devel pcre pcre-devel zlib zlib-devel openssl openssl-devel
7、下载nginx连接modsecurity的connector备用
[root@localhost nginx-1.16.0]# git clone --depth 1 https://github.com/SpiderLabs/ModSecurity-nginx.git
8、nginx去版本信息和server信息 (按照需求,可不做)
[root@localhost nginx-1.16.0]# vi src/core/nginx.h
#define NGINX_VERSION "7.0"
#define NGINX_VER "IIS/" NGINX_VERSION
9、http头去nginx
[root@localhost nginx-1.16.0]# vi src/http/ngx_http_header_filter_module.c
static u_char ngx_http_server_string[] = "Server: IIS" CRLF;
10、响应页面去nginx
[root@localhost nginx-1.16.0]# vi src/http/ngx_http_special_response.c
static u_char ngx_http_error_tail[] =
"<hr><center>IIS</center>" CRLF
"</body>" CRLF
"</html>" CRLF
;
11、50x页面去nginx
[root@localhost nginx-1.16.0]# vi html/50x.html
<!DOCTYPE html>
<html>
<head>
<title>Error</title>
<style>
body {
width: 35em; margin: 0 auto; font-family: Tahoma, Verdana, Arial, sans-serif;
}
</style>
</head>
<body>
<h1>ERROR</h1>
<p>Please contact administrator</p>
<p><em>www.123.com</em></p>
</body>
</html>
12、删除默认页面
[root@localhost nginx-1.16.0]# rm html/index.html
13、建立nginx运行用户
[root@localhost nginx-1.16.0]# groupadd nginx && useradd -g nginx -s /sbin/nologin -M nginx
14、确定nginx编译参数
[root@localhost nginx-1.16.0]# ./configure --prefix=/usr/local/nginx --sbin-path=/usr/local/nginx/sbin/nginx --conf-path=/usr/local/nginx/conf/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --user=nginx --group=nginx --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --with-http_ssl_module --with-http_realip_module --with-http_addition_module --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_random_index_module --with-http_secure_link_module --with-http_stub_status_module --with-http_auth_request_module --with-http_image_filter_module --with-http_geoip_module --with-http_slice_module --with-http_v2_module --with-threads --with-stream --with-stream_ssl_module --with-mail --with-mail_ssl_module --with-file-aio --with-compat --add-dynamic-module=/opt/ModSecurity-nginx
注:先将 ModSecurity-nginx 拷贝到 /opt 目录下;--add-dynamic-module 指定的路径必须与 ModSecurity-nginx 实际所在目录一致
15、编译modsecurity动态模块
[root@localhost nginx-1.16.0]# make modules
16、停止正在运行的nginx服务并备份原有的tengine(新环境可以忽略)
/usr/local/nginx/sbin/nginx -s quit
tar zcvf /root/tengine_old.tar.gz /usr/local/nginx
17、编译安装新的nginx后检查是否正确安装
[root@localhost nginx-1.16.0]# make
[root@localhost nginx-1.16.0]# make install
[root@localhost nginx-1.16.0]# /usr/local/nginx/sbin/nginx -V
18、将modsecurity模块拷贝到nginx模块目录中
[root@localhost nginx-1.16.0]# cp objs/ngx_http_modsecurity_module.so /usr/local/nginx/module
19、将nginx设置为开机自启
[root@localhost nginx-1.16.0]# chmod +x /etc/rc.local
[root@localhost nginx-1.16.0]# rm -f /var/run/nginx.pid && /usr/local/nginx/sbin/nginx >/dev/null 2>&1 (此行加入 /etc/rc.local 以实现开机启动)
20、下载modsecurity配置文件
[root@localhost nginx-1.16.0]# mkdir /usr/local/nginx/modsec
[root@localhost nginx-1.16.0]# cd /usr/local/nginx/modsec
[root@localhost modsec]# wget https://raw.githubusercontent.com/SpiderLabs/ModSecurity/v3/master/modsecurity.conf-recommended
[root@localhost modsec]# mv modsecurity.conf-recommended modsecurity.conf
21、开启规则引擎(将 SecRuleEngine 由 DetectionOnly 改为 On,进入拦截模式)
[root@localhost modsec]# vi /usr/local/nginx/modsec/modsecurity.conf
#SecRuleEngine DetectionOnly
SecRuleEngine On
22、下载OWASP CRS
[root@localhost modsec]# wget https://github.com/SpiderLabs/owasp-modsecurity-crs/archive/v3.0.0.tar.gz
[root@localhost modsec]# tar -xzvf v3.0.0.tar.gz
[root@localhost modsec]# mv owasp-modsecurity-crs-3.0.0 /usr/local
23、创建一个crs配置文件,用于创建核心规则集
[root@localhost modsec]# cd /usr/local/owasp-modsecurity-crs-3.0.0
[root@localhost owasp-modsecurity-crs-3.0.0]# cp crs-setup.conf.example crs-setup.conf
24、配置主配置文件,包含规则集
[root@localhost owasp-modsecurity-crs-3.0.0]# vi /usr/local/nginx/modsec/main.conf
#Include the recommended configuration
Include /usr/local/nginx/modsec/modsecurity.conf
# OWASP CRS v3 rules
Include /usr/local/owasp-modsecurity-crs-3.0.0/crs-setup.conf
Include /usr/local/owasp-modsecurity-crs-3.0.0/rules/*.conf
25、拷贝mappin文件
[root@localhost owasp-modsecurity-crs-3.0.0]# cp /root/temporary/ModSecurity/unicode.mapping /usr/local/nginx/modsec/
26、配置主机nginx.conf配置文件
[root@localhost owasp-modsecurity-crs-3.0.0]# cd /usr/local/nginx/conf/
[root@localhost conf]# vi nginx.conf
user nginx;
worker_processes auto;
pid /var/run/nginx.pid;
#与 ulimit -n 一致,加大到 65535
worker_rlimit_nofile 65535;
error_log /var/log/nginx/error.log warn;
events {
use epoll; #连接数加大
worker_connections 65535;
}
#加载 modsecurity 的 connector 模块
load_module modules/ngx_http_modsecurity_module.so;
http {
include mime.types;
default_type application/octet-stream;
#启用 GeoIP 数据库
geoip_country /usr/share/GeoIP/GeoIP.dat;
geoip_proxy 192.168.180.0/24;
geoip_proxy_recursive on;
geo $geoip_country_code_self {
192.168.180.0/24 CN;
}
#去掉 HTTP Server 请求头的版本号
server_tokens off;
#https session 缓存,提升 https 性能,减少来回握手次数
ssl_session_cache shared:SSL:10m;
#limit 限制请求速率
limit_req_zone $binary_remote_addr zone=mylimit:10m rate=20r/s;
limit_conn_zone $binary_remote_addr zone=addr:10m;
#buffer 缓冲大小配置
proxy_buffer_size 512k;
proxy_buffers 240 512k;
proxy_busy_buffers_size 512k;
proxy_temp_file_write_size 512k;
#代理超时配置
proxy_connect_timeout 300s;
proxy_send_timeout 600s;
proxy_read_timeout 600s;
send_timeout 600s;
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
#默认访问日志位置
access_log /var/log/nginx/access.log main;
sendfile on;
keepalive_timeout 65;
#客户端上传数据大小限制
client_max_body_size 2048m;
client_body_buffer_size 500m;
client_header_buffer_size 2048k;
large_client_header_buffers 4 64k;
include /usr/local/nginx/conf/conf.d/*.conf;
}
27、检查nginx是否有语法错误,启动
[root@localhost conf]# /usr/local/nginx/sbin/nginx -t
[root@localhost conf]# /usr/local/nginx/sbin/nginx
28、创建配置文件目录部署网站
[root@localhost conf]# mkdir conf.d
[root@localhost conf.d]# rz -E (导入配置文件)
29、导入网站
[root@localhost share]# cd /usr/local/nginx/html/
[root@localhost html]# rz -E (导入网站)
[root@localhost html]# tar xzvf maintenance.tgz
[root@localhost conf.d]# mkdir -p /var/cache/nginx/client_temp
[root@localhost conf.d]# /usr/local/nginx/sbin/nginx (开启服务)
[root@localhost html]# ss -natupl | grep nginx (查看端口开启状态)
30、修改host文件(c:/Windows/System32/drivers/etc/hosts) 192.168.1.12 www.test.com
31、访问网站 http://192.168.1.12/maintenance/sccin/index.html