一.OpenResty安装和测试
官方网站:https://openresty.org/cn/
LUA学习:http://blog.jobbole.com/70480/
1.安装OpenResty:
# yum install -y readline-devel pcre-devel openssl-devel
# cd /usr/local/src
下载并编译安装openresty
# wget https://openresty.org/download/ngx_openresty-1.9.3.2.tar.gz
# tar zxf ngx_openresty-1.9.3.2.tar.gz
# cd ngx_openresty-1.9.3.2
# ./configure --prefix=/usr/local/openresty-1.9.3.2 \
--with-luajit --with-http_stub_status_module \
--with-pcre --with-pcre-jit
# gmake && gmake install
# ln -s /usr/local/openresty-1.9.3.2/ /usr/local/openresty
2.测试openresty安装:
vim /usr/local/openresty/nginx/conf/nginx.conf
server {
location /hello {
default_type text/html;
content_by_lua_block {
ngx.say("HelloWorld")
}
}
}
3.启动openresty并测试:
/usr/local/openresty/nginx/sbin/nginx -t
/usr/local/openresty/nginx/sbin/nginx
http://172.16.1.211/hello #访问后出现“HelloWorld”
二.WAF安装和测试
参考资料: https://github.com/unixhot/waf
PS: 这个是赵班长写的WAF安全检测模块,过滤了一些常见的入侵方式,性能也非常不错。
1.安装并配置WAF:
#git clone https://github.com/unixhot/waf.git
#cp -a ./waf/waf /usr/local/openresty/nginx/conf/
修改Nginx的配置文件,在HTTP字段加入以下配置。注意路径,同时WAF日志默认存放在/tmp/日期_waf.log
vim /usr/local/openresty/nginx/conf/nginx.conf
#WAF
lua_shared_dict limit 50m;
lua_package_path "/usr/local/openresty/nginx/conf/waf/?.lua";
init_by_lua_file "/usr/local/openresty/nginx/conf/waf/init.lua";
access_by_lua_file "/usr/local/openresty/nginx/conf/waf/access.lua";
[root@openstack-compute-node5 ~]# /usr/local/openresty/nginx/sbin/nginx –t
[root@openstack-compute-node5 ~]# /usr/local/openresty/nginx/sbin/nginx
2.WAF配置文件:
vim /usr/local/openresty/nginx/conf/waf/config.lua
--waf 是否开启
config_waf_enable = "on"
--日杂文件目录
config_log_dir = "/tmp"
--配置文件目录
config_rule_dir = "/usr/local/openresty/nginx/conf/waf/rule-config"
--是否开启 白名单链接
config_white_url_check = "on"
--enable/disable 白名单IP
config_white_ip_check = "on"
--enable/disable 黑名单IP
config_black_ip_check = "on"
--enable/disable URL检测
config_url_check = "on"
--enalbe/disable url 参数检查
config_url_args_check = "on"
--enable/disable user agent filtering
config_user_agent_check = "on"
--enable/disable cookie deny filtering
config_cookie_check = "on"
--enable/disable cc 检测
config_cc_check = "on"
--CC检测限制60秒内同一URL只能访问10次
config_cc_rate = "10/60"
--enable/disable post 检测(这个功能作者没完成)
config_post_check = "on"
--config waf output redirect/html
config_waf_output = "html"
3.验证:
http://172.16.1.211/a.sql #访问会出现安全检测页面
ab -n100 -c1 http://172.16.1.211/ #模仿CC攻击