nginx增加modsecurity模块
modsecurity原本是Apache上的一款开源waf,可以有效的增强web安全性,目前已经支持nginx和IIS,配合nginx的灵活和高效,可以打造成生产级的WAF,是保护和审核web安全的利器。
1
2
3
4
5
6
7
8
9
10
11
|
git clone https:
//github
.com
/SpiderLabs/ModSecurity
.git
cd
ModSecurity/
.
/autogen
.sh
.
/configure--enable-standalone-module
--disable-mlogc
make
cd
tengine/
.
/configure--prefix
=
/usr/local/nginx
--conf-path=
/etc/nginx/nginx
.conf--pid-path=
/var/run/nginx/nginx
.pid
--error-log-path=
/var/log/nginx/nginx
.log--http-log-path=
/var/log/nginx/nginx-http
.log--add-module=
/root/ngx_devel_kit-0
.2.19
/--add-module
=
/root/lua-nginx-module-0
.9.13
/--add-module
=
/root/ModSecurity/nginx/modsecurity/
--with-ld-opt=
"-Wl,-rpath,$LUAJIT_LIB"
make
|
modsecurity倾向于过滤和阻止web危险,之所以强大就在于规则,OWASP提供的规则是于社区志愿者维护的,被称为核心规则CRS(corerules),规则可靠强大,当然也可以自定义规则来满足各种需求。
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
|
git clone https:
//github
.com
/SpiderLabs/owasp-modsecurity-crs
cp
-R owasp-modsecurity-crs
/etc/nginx/
cp
/etc/nginx/owasp-modsecurity-crs/modsecurity_crs_10_setup
.conf.example
/etc/nginx/owasp-modsecurity-crs/modsecurity_crs_10_setup
.conf
cd
ModSecurity/
cp
modsecurity.conf-recommended
/etc/nginx/modsecurity
.conf
cp
unicode.mapping
/etc/nginx
vim modsecurity.conf
SecRuleEngine on
nclude owasp-modsecurity-crs
/modsecurity_crs_10_setup
.conf
Includeowasp-modsecurity-crs
/base_rules/modsecurity_crs_41_sql_injection_attacks
.conf
Include owasp-modsecurity-crs
/base_rules/modsecurity_crs_41_xss_attacks
.conf
Includeowasp-modsecurity-crs
/base_rules/modsecurity_crs_40_generic_attacks
.conf
Includeowasp-modsecurity-crs
/experimental_rules/modsecurity_crs_11_dos_protection
.conf
Include owasp-modsecurity-crs
/experimental_rules/modsecurity_crs_11_brute_force
.conf
Includeowasp-modsecurity-crs
/optional_rules/modsecurity_crs_16_session_hijacking
.conf
|
在需要启用modsecurity的主机的location下面加入下面两行即可:
1
2
|
ModSecurityEnabled on;
ModSecurityConfig modsecurity.conf;
|
参考文章
http://www.52os.net/articles/nginx-use-modsecurity-module-as-waf.html
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
http://drops.wooyun.org/tips/2614
http://drops.wooyun.org/tips/3804
http://drops.wooyun.org/tips/734
http://www.freebuf.com/articles/web/18084.html
http://www.freebuf.com/articles/web/16806.html
#使用有两个WEB安全服务器
modSecurity和Naxsi哪个更适合Nginx搭建WAF