使用Nginx+Lua实现自定义WAF

 

功能列表：

支持IP白名单和黑名单功能，直接将黑名单的IP访问拒绝。
支持URL白名单，将不需要过滤的URL进行定义。
支持User-Agent的过滤，匹配自定义规则中的条目，然后进行处理（返回403）。
支持CC攻击防护，单个URL指定时间的访问次数，超过设定值，直接返回403。
支持Cookie过滤，匹配自定义规则中的条目，然后进行处理（返回403）。
支持URL过滤，匹配自定义规则中的条目，如果用户请求的URL包含这些，返回403。
支持URL参数过滤，原理同上。
支持日志记录，将所有拒绝的操作，记录到日志中去。
日志记录为JSON格式，便于日志分析，例如使用ELKStack进行攻击日志收集、存储、搜索和展示。

Nginx + Lua部署

# yum install -y readline-devel pcre-devel openssl-devel
# cd /usr/local/src
下载并编译安装openresty
# wget https://openresty.org/download/ngx_openresty-1.9.3.2.tar.gz
# tar zxf ngx_openresty-1.9.3.2.tar.gz
# cd ngx_openresty-1.9.3.2
# ./configure --prefix=/usr/local/openresty-1.9.3.2 \
--with-luajit --with-http_stub_status_module \
--with-pcre --with-pcre-jit
# gmake && gmake install
# ln -s /usr/local/openresty-1.9.3.2/ /usr/local/openresty

 

openresty安装

 vim /usr/local/openresty/nginx/conf/nginx.conf
server {
    location /hello {
            default_type text/html;
            content_by_lua_block {
                ngx.say("HelloWorld")
            }
        }
}
# /usr/local/openresty/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/openresty-1.9.3.2/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/openresty-1.9.3.2/nginx/conf/nginx.conf test is successful
# /usr/local/openresty/nginx/sbin/nginx

 

测试:

 

WAF部署：

git clone https://github.com/unixhot/waf.git
cp -a ./waf/waf /usr/local/openresty/nginx/conf/修改Nginx的配置文件，加入以下配置（http中加入）。注意路径，同时WAF日志默认存放在/tmp/日期_waf.logvim nginx.conf

…

#keepalive_timeout  0;
keepalive_timeout  65; 

lua_shared_dict limit 50m;
lua_package_path "/usr/local/openresty/nginx/conf/waf/?.lua";
init_by_lua_file "/usr/local/openresty/nginx/conf/waf/init.lua";
access_by_lua_file "/usr/local/openresty/nginx/conf/waf/access.lua";

…

 

 

也可以直接跳转到某个页面：

修改conf.lua

cd /usr/local/openresty/nginx/conf/waf/

vim config.lua

config_waf_output = "redirect"    #默认是html
config_waf_redirect_url = "http://www.cnblogs.com/panwenbin-logs/"   #自定义url

修改conf.lua

cd /usr/local/openresty/nginx/conf/waf/

vim config.lua

测试语法，重新载入nginx

防CC攻击:

以ab命令为例：

[root@node2 server]#  ab -c 10 -n 100 http://123.206.45.112/indexBenchmarking 123.206.45.112 (be patient).....done 

Server Software:        openresty/1.9.3.2
Server Hostname:        123.206.45.112
Server Port:            80 

Document Path:          /index.html
Document Length:        612 bytes 

Concurrency Level:      10
Time taken for tests:   0.031 seconds
Complete requests:      100
Failed requests:        89
   (Connect: 0, Receive: 0, Length: 89, Exceptions: 0)
Write errors:           0
Non-2xx responses:      89

Total transferred:      38631 bytes
HTML transferred:       22218 bytes
Requests per second:    3233.21 [#/sec] (mean)
Time per request:       3.093 [ms] (mean)
Time per request:       0.309 [ms] (mean, across all concurrent requests)
Transfer rate:          1219.75 [Kbytes/sec] received 

Connection Times (ms)
              min  mean[+/-sd] median   max
Connect:        0    1   0.4      1       2
Processing:     1    2   0.5      2       3
Waiting:        1    2   0.5      2       3
Total:          1    3   0.5      3       4

 

加入黑名单之后：

[root@node2 ~]# vim  /usr/local/openresty/nginx/conf/waf/rule-config/blackip.rule 

123.206.45.112
[root@node2 ~]# ab -c 10 -n 100 http://123.206.45.112/index.html…
Benchmarking 123.206.45.112 (be patient).....done 

Server Software:        openresty/1.9.3.2
Server Hostname:        123.206.45.112
Server Port:            80 

Document Path:          /index.html
Document Length:        174 bytes 

Concurrency Level:      10
Time taken for tests:   0.033 seconds
Complete requests:      100
Failed requests:        0
Write errors:           0
Non-2xx responses:      100

Total transferred:      32900 bytes
HTML transferred:       17400 bytes
…

 

发现第一次非2xx请求为89(成功11个)

第二次非2xx请求为100(成功0个)

whiteip.rule  IP白名单(直接写入IP保存，无需重启)

blackip.rule  IP黑名单(直接写入IP保存，无需重启)

转载于:https://www.cnblogs.com/brucetang/p/10443891.html