功能列表:
支持IP白名单和黑名单功能,直接将黑名单的IP访问拒绝。 支持URL白名单,将不需要过滤的URL进行定义。 支持User-Agent的过滤,匹配自定义规则中的条目,然后进行处理(返回403)。 支持CC攻击防护,单个URL指定时间的访问次数,超过设定值,直接返回403。 支持Cookie过滤,匹配自定义规则中的条目,然后进行处理(返回403)。 支持URL过滤,匹配自定义规则中的条目,如果用户请求的URL包含这些,返回403。 支持URL参数过滤,原理同上。 支持日志记录,将所有拒绝的操作,记录到日志中去。 日志记录为JSON格式,便于日志分析,例如使用ELKStack进行攻击日志收集、存储、搜索和展示。
Nginx + Lua部署
# yum install -y readline-devel pcre-devel openssl-devel
# cd /usr/local/src
下载并编译安装openresty
# wget https://openresty.org/download/ngx_openresty-1.9.3.2.tar.gz
# tar zxf ngx_openresty-1.9.3.2.tar.gz
# cd ngx_openresty-1.9.3.2
# ./configure --prefix=/usr/local/openresty-1.9.3.2 \
--with-luajit --with-http_stub_status_module \
--with-pcre --with-pcre-jit
# gmake && gmake install
# ln -s /usr/local/openresty-1.9.3.2/ /usr/local/openresty
openresty安装
vim /usr/local/openresty/nginx/conf/nginx.conf
server {
location /hello {
default_type text/html;
content_by_lua_block {
ngx.say("HelloWorld")
}
}
}
# /usr/local/openresty/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/openresty-1.9.3.2/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/openresty-1.9.3.2/nginx/conf/nginx.conf test is successful
# /usr/local/openresty/nginx/sbin/nginx
测试:
WAF部署:
git clone https://github.com/unixhot/waf.git
cp -a ./waf/waf /usr/local/openresty/nginx/conf/修改Nginx的配置文件,加入以下配置(http中加入)。注意路径,同时WAF日志默认存放在/tmp/日期_waf.logvim nginx.conf
…
#keepalive_timeout 0;
keepalive_timeout 65;
lua_shared_dict limit 50m;
lua_package_path "/usr/local/openresty/nginx/conf/waf/?.lua";
init_by_lua_file "/usr/local/openresty/nginx/conf/waf/init.lua";
access_by_lua_file "/usr/local/openresty/nginx/conf/waf/access.lua";
…
也可以直接跳转到某个页面:
修改conf.lua
cd /usr/local/openresty/nginx/conf/waf/
vim config.lua
config_waf_output = "redirect" #默认是html
config_waf_redirect_url = "http://www.cnblogs.com/panwenbin-logs/" #自定义url
修改conf.lua
cd /usr/local/openresty/nginx/conf/waf/
vim config.lua
测试语法,重新载入nginx
防CC攻击:
以ab命令为例:
[root@node2 server]# ab -c 10 -n 100 http://123.206.45.112/indexBenchmarking 123.206.45.112 (be patient).....done
Server Software: openresty/1.9.3.2
Server Hostname: 123.206.45.112
Server Port: 80
Document Path: /index.html
Document Length: 612 bytes
Concurrency Level: 10
Time taken for tests: 0.031 seconds
Complete requests: 100
Failed requests: 89
(Connect: 0, Receive: 0, Length: 89, Exceptions: 0)
Write errors: 0
Non-2xx responses: 89
Total transferred: 38631 bytes
HTML transferred: 22218 bytes
Requests per second: 3233.21 [#/sec] (mean)
Time per request: 3.093 [ms] (mean)
Time per request: 0.309 [ms] (mean, across all concurrent requests)
Transfer rate: 1219.75 [Kbytes/sec] received
Connection Times (ms)
min mean[+/-sd] median max
Connect: 0 1 0.4 1 2
Processing: 1 2 0.5 2 3
Waiting: 1 2 0.5 2 3
Total: 1 3 0.5 3 4
加入黑名单之后:
[root@node2 ~]# vim /usr/local/openresty/nginx/conf/waf/rule-config/blackip.rule
123.206.45.112
[root@node2 ~]# ab -c 10 -n 100 http://123.206.45.112/index.html…
Benchmarking 123.206.45.112 (be patient).....done
Server Software: openresty/1.9.3.2
Server Hostname: 123.206.45.112
Server Port: 80
Document Path: /index.html
Document Length: 174 bytes
Concurrency Level: 10
Time taken for tests: 0.033 seconds
Complete requests: 100
Failed requests: 0
Write errors: 0
Non-2xx responses: 100
Total transferred: 32900 bytes
HTML transferred: 17400 bytes
…
发现第一次非2xx请求为89(成功11个)
第二次非2xx请求为100(成功0个)
whiteip.rule IP白名单(直接写入IP保存,无需重启)
blackip.rule IP黑名单(直接写入IP保存,无需重启)