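# Builds an OpenResty 1.11.2.5 image with the ngx_cache_purge module compiled in
# and the ngx_lua_waf Lua rule set installed under nginx/conf/waf/.
#
# NOTE(review): the base image is pulled from a private registry by tag only.
# Pinning it by digest would keep a re-tagged image from silently changing the
# build. The tag suggests CentOS 7.4; confirm the base still receives updates.
FROM 192.168.1.67/library/centos7.4:v1

# MAINTAINER is deprecated; the same information is carried as a label.
LABEL maintainer="xiayun <xiay@baomihua.com>"

# Toolchain and headers needed to compile OpenResty from source.
# `yum clean all` runs in the same layer so the package cache is not shipped.
# NOTE(review): the compiler and -devel packages stay in the final image; a
# multi-stage build that copies only /usr/local/openresty would shrink the
# runtime attack surface.
RUN yum install -y \
        gcc \
        make \
        net-tools \
        openssl-devel \
        pcre-devel \
        python-devel \
        unzip \
        wget \
        zlib \
        zlib-devel \
    && yum clean all

# The steps below use absolute paths such as /ngx_lua_waf-master and
# /ngx_cache_purge-2.3, so the archives must land in the filesystem root.
WORKDIR /

# Source archives fetched at build time.
# NOTE(review): none of these downloads is integrity-checked, the second one is
# fetched over plain HTTP, and the third tracks a moving `master` branch, so the
# code compiled into (and loaded by) nginx can change between builds without
# notice. Record the expected digests and enforce them, for example with
#   ADD --checksum=sha256:<EXPECTED_SHA256_PLACEHOLDER> <url> .
# (BuildKit), and replace master.zip with an archive of a reviewed commit.
ADD https://openresty.org/download/openresty-1.11.2.5.tar.gz .
ADD http://labs.frickle.com/files/ngx_cache_purge-2.3.tar.gz .
ADD https://github.com/loveshell/ngx_lua_waf/archive/master.zip .

# Unpack all three archives in one layer.
RUN tar -zxf ngx_cache_purge-2.3.tar.gz \
    && tar -zxf openresty-1.11.2.5.tar.gz \
    && unzip -q master.zip

# Configure, compile and install OpenResty with the cache-purge module.
WORKDIR /openresty-1.11.2.5
RUN ./configure \
        --prefix=/usr/local/openresty \
        --with-luajit \
        --with-http_stub_status_module \
        --with-pcre \
        --with-pcre-jit \
        --add-module=../ngx_cache_purge-2.3/ \
    && gmake \
    && gmake install
WORKDIR /

# Install the WAF scripts and keep the shipped defaults as .bak files before
# the site-specific nginx.conf and config.lua are copied in.
RUN mkdir /usr/local/openresty/nginx/conf/waf/ \
          /usr/local/openresty/nginx/logs/hack/ \
    && cp -r /ngx_lua_waf-master/* /usr/local/openresty/nginx/conf/waf/ \
    && mv /usr/local/openresty/nginx/conf/nginx.conf \
          /usr/local/openresty/nginx/conf/nginx.conf.bak \
    && mv /usr/local/openresty/nginx/conf/waf/config.lua \
          /usr/local/openresty/nginx/conf/waf/config.bak
COPY .nginx_conf /usr/local/openresty/nginx/conf/nginx.conf
COPY config.lua /usr/local/openresty/nginx/conf/waf/config.lua

# Unprivileged account for the nginx workers (no login shell). Ownership is
# changed after the COPY steps so the copied files are covered as well.
RUN useradd -s /sbin/nologin nginx \
    && chown -R nginx:nginx /usr/local/openresty/ /ngx_cache_purge-2.3

# No USER instruction: the nginx master process starts as root so it can bind
# port 80, and the workers switch to the nginx account through the `user`
# directive in nginx.conf.
EXPOSE 80

# Exec form makes nginx PID 1, so it receives the stop signal from the runtime
# directly instead of through an intermediate /bin/sh.
CMD ["/usr/local/openresty/nginx/sbin/nginx", "-g", "daemon off;"]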
附1:.nginx_conf 与Dockerfile在同一路径
# nginx.conf for the OpenResty image: a single port-80 server with the
# ngx_lua_waf scripts hooked into every request.

# Worker processes run as the unprivileged nginx user and group.
user nginx nginx;
worker_processes 2;
error_log /usr/local/openresty/nginx/logs/nginx_error.log error;
pid /usr/local/openresty/nginx/nginx.pid;
worker_rlimit_nofile 65535;

events {
    use epoll;
    worker_connections 65535;
}

http {
    # WAF wiring: Lua modules are resolved from conf/waf/, init.lua is loaded
    # once at startup and waf.lua runs in the access phase. Being declared at
    # http level, the hook applies to every server and location below.
    lua_package_path "/usr/local/openresty/nginx/conf/waf/?.lua";
    # Shared-memory zone named "limit" (10 MB).
    # NOTE(review): presumably the WAF's request-rate counters; confirm in waf.lua.
    lua_shared_dict limit 10m;
    init_by_lua_file /usr/local/openresty/nginx/conf/waf/init.lua;
    access_by_lua_file /usr/local/openresty/nginx/conf/waf/waf.lua;

    include mime.types;
    default_type application/octet-stream;
    charset utf-8;
    # Do not advertise the nginx version in error pages or the Server header.
    server_tokens off;

    # NOTE(review): both log formats are defined, but no access_log directive in
    # this file refers to them, so access logging falls back to nginx defaults.
    log_format main '$host $status [$time_local] $upstream_addr $remote_addr - $remote_user [$time_local] $request_uri ' '"$http_referer" "$http_user_agent" "$http_x_forwarded_for" ' '$bytes_sent $request_time $sent_http_x_cache_hit "$upstream_cache_status"';
    log_format log404 '$status [$time_local] $remote_addr $host$request_uri $sent_http_location';

    server_names_hash_bucket_size 128;
    client_header_buffer_size 32k;
    large_client_header_buffers 4 32k;
    # Request bodies of up to 300 MB are accepted.
    client_max_body_size 300m;
    sendfile on;
    fastcgi_intercept_errors on;
    tcp_nopush on;
    keepalive_timeout 20;
    tcp_nodelay on;
    client_body_timeout 10;
    client_body_buffer_size 512k;

    gzip on;
    gzip_min_length 1k;
    gzip_buffers 4 16k;
    gzip_http_version 1.1;
    gzip_comp_level 2;
    gzip_types text/plain application/x-javascript text/css application/xml;
    gzip_vary on;

    send_timeout 60;
    open_file_cache max=200000 inactive=20s;
    open_file_cache_valid 30s;
    open_file_cache_min_uses 2;
    open_file_cache_errors on;

    # Server-side includes are processed for text/shtml responses.
    ssi on;
    ssi_silent_errors on;
    ssi_types text/shtml;

    server {
        listen 80;
        server_name localhost;
        index index.html index.htm index.shtml index.php;
        root /usr/local/openresty/nginx/html;

        # Answer 403 when the User-Agent matches one of the listed crawler names
        # (case-insensitive). The header is supplied by the client, so this only
        # filters crawlers that identify themselves.
        if ($http_user_agent ~* "Baiduspider-render|qihoobot|Baiduspider|Googlebot|Googlebot-Mobile|Googlebot-Image|Mediapartners-Google|Adsbot-Google|Feedfetcher-Google|Yahoo! Slurp|Yahoo! Slurp China|YoudaoBot|Sosospider|Sogou spider|Sogou web spider|MSNBot|ia_archiver|Tomato Bot") {
            return 403;
        }

        # Requests whose URI ends in .php are passed to a FastCGI backend over a
        # unix socket. The accompanying Dockerfile installs no PHP runtime, so
        # the socket has to be provided from outside the image.
        location ~ \.php$ {
            include fastcgi_params;
            fastcgi_pass unix:/tmp/php-fcgi.sock;
            fastcgi_index index.php;
            # NOTE(review): SCRIPT_FILENAME points at /usr/local/nginx/html while
            # root above is /usr/local/openresty/nginx/html. Confirm which path
            # the backend really serves, or derive it from $document_root.
            fastcgi_param SCRIPT_FILENAME /usr/local/nginx/html$fastcgi_script_name;
        }
    }
}
附2:config.lua与Dockerfile同一路径
-- Site configuration for ngx_lua_waf. Every value is a plain Lua global; nothing
-- in this file reads them. NOTE(review): they are presumably consumed by the
-- init.lua / waf.lua scripts that nginx.conf loads, so the per-option meanings
-- below should be confirmed against those scripts.

-- Directory holding the rule files.
RulePath = "/usr/local/openresty/nginx/conf/waf/wafconf/"
-- Attack logging is switched on and written under logdir. The Dockerfile
-- creates that directory and hands it to the nginx user.
attacklog = "on"
logdir = "/usr/local/openresty/nginx/logs/hack/"
-- NOTE(review): the URL, cookie and POST-body switches are all "off", as are the
-- redirect-on-block and URL-whitelist switches. With this file as written, those
-- inspections look disabled; confirm that this is intended before relying on the
-- WAF for request filtering.
UrlDeny="off"
Redirect="off"
CookieMatch="off"
postMatch="off"
whiteModule="off"
-- File extensions listed for rejection.
-- NOTE(review): presumably applied to uploads during POST inspection, which is
-- off above. Verify whether this list has any effect in this configuration.
black_fileExt={"php","jsp"}
-- Addresses on the allow list; the block list is empty.
-- NOTE(review): presumably allow-listed clients skip all checks, so keep this
-- list minimal and confirm how the client address is determined when a proxy
-- sits in front of nginx.
ipWhitelist={"127.0.0.1","192.168.20.25"}
ipBlocklist={}
-- Request-rate limiting is off; CCrate has the form "count/seconds".
CCDeny="off"
CCrate="100/60"
-- HTML body stored in `html`. NOTE(review): presumably returned to the client
-- when a request is blocked. The "***" in the message looks like a word masked
-- by the hosting blog; compare with the upstream config.lua before use.
html=[[ <html xmlns="http://www.w3.org/1999/xhtml"><head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8"> <title>网站防火墙</title> <style> p { line-height:20px; } ul{ list-style-type:none;} li{ list-style-type:none;} </style> </head> <body style=" padding:0; margin:0; font:14px/1.5 Microsoft Yahei, 宋体,sans-serif; color:#555;"> <div style="margin: 0 auto; width:1000px; padding-top:70px; overflow:hidden;"> <div style="width:600px; float:left;"> <div style=" height:40px; line-height:40px; color:#fff; font-size:16px; overflow:hidden; background:#6bb3f6; padding-left:20px;">网站防火墙 </div> <div style="border:1px dashed #cdcece; border-top:none; font-size:14px; background:#fff; color:#555; line-height:24px; height:220px; padding:20px 20px 0 20px; overflow-y:auto;background:#f3f7f9;"> <p style=" margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px;"><span style=" font-weight:600; color:#fc4f03;">您的请求带有不合法参数,已被网站管理员设置拦截!</span></p> <p style=" margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px;">可能原因:您提交的内容包含危险的***请求</p> <p style=" margin-top:12px; margin-bottom:12px; margin-left:0px; margin-right:0px; -qt-block-indent:1; text-indent:0px;">如何解决:</p> <ul style="margin-top: 0px; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; -qt-list-indent: 1;"><li style=" margin-top:12px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px;">1)检查提交内容;</li> <li style=" margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px;">2)如网站托管,请联系空间提供商;</li> <li style=" 
margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px;">3)普通网站访客,请联系网站管理员;</li></ul> </div> </div> </div> </body></html> ]]
转载于:https://blog.51cto.com/linuxerxy/2047812