下载naxsi
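# Work in /usr/local: the later configure and cp steps expect the sources at /usr/local/naxsi.
cd /usr/local

# Fetch the naxsi source archive. This URL is an "untagged" snapshot, not a numbered release,
# so there is no published release checksum to rely on by default.
wget https://github.com/nbs-system/naxsi/archive/untagged-afabfc163946baa8036f.tar.gz

# Print the archive hash and compare it with a value obtained from a source you trust
# (<EXPECTED_SHA256> is a placeholder) before compiling it into the web server.
sha256sum untagged-afabfc163946baa8036f.tar.gz

# Unpack and rename the directory to the short path used by the following steps.
tar zxvf untagged-afabfc163946baa8036f.tar.gz
mv naxsi-untagged-afabfc163946baa8036f/ naxsi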
编译openresty加上--add-module
# Configure the OpenResty build with naxsi compiled in as a static module.
# naxsi's documentation asks for it to be the first --add-module on the configure line
# (it is the only one here); keep it first if other modules are added later.
# NOTE(review): only the configure step is shown; the usual make / make install
# presumably follows - confirm against your build procedure.
./configure --prefix=/usr/local/openresty --with-http_stub_status_module --with-http_gzip_static_module --with-luajit --add-module=/usr/local/naxsi/naxsi_src
将核心规则复制到openresty的conf中
cp /usr/local/naxsi/naxsi_config/naxsi_core.rules /usr/local/openresty/nginx/conf/
自定义一个规则文件
vi /usr/local/openresty/nginx/conf/mySite.rules
内容为
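# Per-location naxsi settings; pulled in with "include mySite.rules;" inside a location block.
# Each directive must sit on its own line: text after a '#' is a comment up to the end of the
# line, so a single-line paste of this file would leave every directive disabled.

# Enable naxsi for the location that includes this file.
SecRulesEnabled;

# Optional: uncomment while tuning whitelists. In learning mode naxsi records matches
# but does not block, which avoids rejecting legitimate traffic on first deployment.
# LearningMode;

# Location that a blocked request is redirected to.
DeniedUrl "/RequestDenied";

# CheckRules decide when naxsi acts: a request is blocked once its accumulated
# score for a category reaches the threshold given here.
CheckRule "$SQL >= 8" BLOCK;
CheckRule "$RFI >= 8" BLOCK;
CheckRule "$TRAVERSAL >= 4" BLOCK;
CheckRule "$EVADE >= 4" BLOCK;
CheckRule "$XSS >= 8" BLOCK;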
编辑openresty的主配置文件
vi /usr/local/openresty/nginx/conf/nginx.conf
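# http block of nginx.conf with naxsi wired in.
# Directives are laid out one per line: on a single line, everything after the first '#'
# (here "#charset koi8-r;") would be treated as a comment and the server block would be lost.
http {
    include mime.types;
    # Core naxsi detection rules; these are loaded once at http level.
    include naxsi_core.rules;
    default_type text/html;
    sendfile on;
    keepalive_timeout 65;

    server {
        listen 80;
        server_name localhost;
        #charset koi8-r;
        #access_log logs/host.access.log main;

        # naxsi is switched on per location by including mySite.rules.
        # A location added later without this include is not inspected.
        location / {
            include mySite.rules;
            root html;
            index index.html index.htm;
        }

        location /test {
            include mySite.rules;
            content_by_lua_file /usr/local/lua/test.lua;
        }

        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
            root html;
        }

        # Target of the DeniedUrl directive set in mySite.rules:
        # the status code returned for requests that naxsi blocks.
        location /RequestDenied {
            return 403;
        }

        error_page 403 /403.html;
        location = /403.html {
            root html;
        }
    }
}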