Prerequisites: (all archives are placed in /root/ by default, and every installation step below is run from there!)
Test environment
OS: redhat7.x
nginx: nginx-1.14.0.tar.gz
modsecurity: modsecurity-v3.0.0.tar.gz
nginx-modsecurity: ModSecurity-nginx-master.zip
Download locations:
nginx official download page (all releases): http://nginx.org/en/download.html
ModSecurity official download: https://github.com/SpiderLabs/ModSecurity/releases/tag/v3.0.0
Download for the package that connects ModSecurity and nginx: https://github.com/SpiderLabs/owasp-modsecurity-crs/archive/v3.2/dev.zip
Official documentation for nginx with ModSecurity 3.x:
https://www.nginx.com/blog/compiling-and-installing-modsecurity-for-open-source-nginx/
1. Prepare the system dependencies
[root@localhost ~]# yum install -y pcre pcre-devel openssl openssl-devel libtool libtool-ltdl-devel gcc gcc-c++ gcc-g77 autoconf automake geoip geoip-devel libcurl libcurl-devel yajl yajl-devel lmdb-devel ssdeep-devel lua-devel unzip
Note: packages that cannot be found do not affect the basic installation; if you want to install all of them, look in the CentOS repositories, since the Red Hat repositories may not carry every one of them.
2. Install ModSecurity
[root@localhost ~]# tar xf modsecurity-v3.0.0.tar.gz
[root@localhost ~]# cd modsecurity-v3.0.0
[root@localhost modsecurity-v3.0.0]# ./configure && make && make install
3. Install nginx
[root@localhost modsecurity-v3.0.0]# cd ~
[root@localhost ~]# tar xf nginx-1.14.0.tar.gz
[root@localhost ~]# cd nginx-1.14.0
[root@localhost nginx-1.14.0]# ./configure --with-http_ssl_module && make && make install
4. Build the dynamic module that connects nginx and ModSecurity
[root@localhost nginx-1.14.0]# cd ~
[root@localhost ~]# unzip ModSecurity-nginx-master.zip > /dev/null
[root@localhost ~]# ls ModSecurity-nginx-master
AUTHORS CHANGES config LICENSE ngx-modsec.stp README.md release.sh src tests
[root@localhost ~]# cd nginx-1.14.0
[root@localhost nginx-1.14.0]# /usr/local/nginx/sbin/nginx -V
nginx version: nginx/1.14.0
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-4) (GCC)
built with OpenSSL 1.0.1e-fips 11 Feb 2013
TLS SNI support enabled
configure arguments: --with-http_ssl_module
[root@localhost nginx-1.14.0]# ./configure --with-http_ssl_module --add-dynamic-module=../ModSecurity-nginx-master/ && make
[root@localhost nginx-1.14.0]# mkdir /usr/local/nginx/modules
[root@localhost nginx-1.14.0]# cp objs/ngx_http_modsecurity_module.so /usr/local/nginx/modules/
Note: I ran /usr/local/nginx/sbin/nginx -V above to see which modules the installed nginx was built with. When building the dynamic module you need to know which modules the installed nginx already carries and pass the same options to the configure command that builds the dynamic module; only then will nginx recognize the module!
5. Copy the ModSecurity rule configuration file and modify the nginx main configuration file
Because the ModSecurity rule configuration file already contains something like a basic set of rules, it can be used as the base rule set for now;
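The note above is the part that goes wrong most often: a connector module built with different configure options than the installed binary is refused at load time. The script below is an added example, not code from the post or from the ModSecurity project; it reads the configure arguments straight from `nginx -V`, refuses to build when a hand-written option set (passed as CONFIGURE_ARGS, the way the post types the options manually) is missing options of the installed binary, and uses nginx's `make modules` target so only the .so is rebuilt. The paths in the variables are assumptions taken from the post's layout and can be overridden through the environment.

```shell
#!/bin/sh
# Added example (not from the original post): rebuild the ModSecurity-nginx
# connector as a dynamic module with exactly the configure arguments that the
# installed nginx binary reports, so nginx accepts the module as compatible.
# Assumed paths follow the post: /usr/local/nginx, ~/nginx-1.14.0,
# ~/ModSecurity-nginx-master. Override them through the environment.
set -eu

NGINX_BIN="${NGINX_BIN:-/usr/local/nginx/sbin/nginx}"
NGINX_SRC="${NGINX_SRC:-${HOME:-/root}/nginx-1.14.0}"
CONNECTOR_SRC="${CONNECTOR_SRC:-${HOME:-/root}/ModSecurity-nginx-master}"
MODULE_DIR="${MODULE_DIR:-/usr/local/nginx/modules}"

# Read `nginx -V` output on stdin (nginx writes it to stderr) and print only the
# value of the "configure arguments:" line. Prints nothing if the line is absent.
extract_configure_args() {
    sed -n 's/^configure arguments: *//p'
}

# Return 0 when every option in $1 (the installed binary's options) also
# appears in $2 (the options about to be used for the module build), else 1.
# This is the check that catches a "not binary compatible" module before
# nginx does.
args_subset() {
    for opt in $1; do
        case " $2 " in
            *" $opt "*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

build_module() {
    installed_args=$("$NGINX_BIN" -V 2>&1 | extract_configure_args)
    # CONFIGURE_ARGS may be typed by hand, as in the post; default to the
    # options the installed binary was built with.
    chosen_args="${CONFIGURE_ARGS:-$installed_args}"
    if ! args_subset "$installed_args" "$chosen_args"; then
        echo "refusing to build: CONFIGURE_ARGS lacks options of the installed nginx: $installed_args" >&2
        return 1
    fi
    cd "$NGINX_SRC"
    # Word splitting of $chosen_args is intended. Options carrying quoted
    # values, such as --with-cc-opt='-O2 -g', must be passed by hand.
    ./configure $chosen_args --add-dynamic-module="$CONNECTOR_SRC"
    make modules        # builds only objs/*.so; nginx itself is not rebuilt
    mkdir -p "$MODULE_DIR"
    cp objs/ngx_http_modsecurity_module.so "$MODULE_DIR/"
    # Once nginx.conf carries the load_module line (step 5), -t fails here
    # if the module and the binary were built with different options.
    "$NGINX_BIN" -t
}

# Usage: sh build_modsec_module.sh build   (sourcing the file only defines the functions)
if [ "${1:-}" = "build" ]; then
    build_module
fi
```

Keep CONFIGURE_ARGS unset unless you need extra modules in the module build; the default already reproduces the installed binary's options, which is exactly what the post's step 4 does by hand with `--with-http_ssl_module`.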
[root@localhost nginx-1.14.0]# cd ~
[root@localhost ~]# mkdir /usr/local/nginx/modsec
[root@localhost ~]# cp modsecurity-v3.0.0/modsecurity.conf-recommended /usr/local/nginx/modsec/modsecurity.conf
[root@localhost ~]# sed -i 's/SecRuleEngine DetectionOnly/SecRuleEngine On/' /usr/local/nginx/modsec/modsecurity.conf
Create and write the main.conf file:
[root@localhost ~]# cat /usr/local/nginx/modsec/main.conf
# From https://github.com/SpiderLabs/ModSecurity/blob/master/\
# modsecurity.conf-recommended
#
# Edit to set SecRuleEngine On
Include "/usr/local/nginx/modsec/modsecurity.conf"
# Basic test rule
SecRule ARGS:testparam "@contains test" "id:1234,deny,status:403"
Add a new line at the top of nginx.conf that loads the module:
[root@localhost ~]# cat /usr/local/nginx/conf/nginx.conf
load_module modules/ngx_http_modsecurity_module.so;
#user nobody;
worker_processes 1;
#error_log logs/error.log;
#error_log logs/error.log notice;
#error_log logs/error.log info;
#pid logs/nginx.pid;
... ...
Explanation: it is this first line => "load_module modules/ngx_http_modsecurity_module.so;"
In the appropriate place, add the statements that enable ModSecurity and include the rules, as follows:
[root@localhost ~]# cat /usr/local/nginx/conf/nginx.conf
... ...
server {
modsecurity on;
modsecurity_rules_file /usr/local/nginx/modsec/main.conf;
... ...
}
... ...
The ellipses stand for the content already present; the two lines can be placed as the first two lines inside the server block;
6. Test and start nginx
[root@localhost ~]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@localhost ~]# /usr/local/nginx/sbin/nginx
7. Test that the request is blocked
[root@localhost ~]# curl localhost?testparam=test
<html>
<head><title>403 Forbidden</title></head>
<body bgcolor="white">
<center><h1>403 Forbidden</h1></center>
<hr><center>nginx/1.14.0</center>
</body>
</html>
[root@localhost ~]# cat /var/log/modsec_audit.log
---uCIdEUWW---A--
[15/Aug/2018:22:32:36 -0400] 153438675644.502478 10.82.1.124 5219 10.82.1.124 80
---uCIdEUWW---B--
GET /?testparam=test HTTP/1.1
Host: 10.82.23.56
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: keep-alive
Upgrade-Insecure-Requests: 1
You can also run tail -f /var/log/modsec_audit.log -n 1 to follow blocked requests in real time!
This shows it worked. The request is blocked because we wrote the following rule in main.conf:
SecRule ARGS:testparam "@contains test" "id:1234,deny,status:403"
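The audit log excerpt above is the native serial format: each transaction is a series of parts delimited by lines of the form `---<id>---<part>--`, with part A carrying the timestamp, the unique id and the client and server addresses, part B the request line and headers, and part H (not shown in the excerpt) the rule messages. Tailing the raw file is hard to read once traffic picks up, so the following added example (not code from the post or from ModSecurity) summarizes the log into one line per transaction for triage: id, timestamp, client, request line, Host header and the ids of the rules that fired. The part H line in the constructed sample is an assumption about the v3 message format and is only used to pull out `[id "..."]`; the rest of the sample mirrors the excerpt from the post.

```shell
#!/bin/sh
# Added example (not from the original post): summarize ModSecurity's native
# serial audit log, one line per transaction:
#   <id> <timestamp> <client ip:port> <request line> <host> <rule ids or ->
# Part headers look like "---uCIdEUWW---A--": the token between the dashes is
# the transaction id, the letter is the part (A = summary, B = request
# headers, H = audit trailer with rule messages, Z = end of transaction).

summarize_audit_log() {
    awk '
    function flush() {
        if (id != "") print id, ts, client, req, host, (rules == "" ? "-" : rules)
        id = ""
    }
    { sub(/\r$/, "") }                         # tolerate CRLF line endings
    /^---[A-Za-z0-9]+---[A-Z]--$/ {            # part header
        split($0, f, "---"); part = substr(f[3], 1, 1)
        if (part == "A") { flush(); id = f[2]; ts = client = req = host = rules = "" }
        else if (part == "Z") flush()          # a truncated log is flushed at END
        next
    }
    # A: [15/Aug/2018:22:32:36 -0400] <unique id> <client ip> <port> <server ip> <port>
    part == "A" && NF >= 7 { ts = $1 " " $2; client = $4 ":" $5; next }
    # B: first line is the request line, followed by the request headers
    part == "B" && req == "" && $3 ~ /^HTTP\// { req = $1 " " $2; next }
    part == "B" && tolower($1) == "host:"      { host = $2; next }
    # H: assumed v3 message format, only the [id "..."] tag is extracted
    part == "H" && match($0, /\[id "[0-9]+"\]/) {
        rules = rules (rules == "" ? "" : ",") substr($0, RSTART + 5, RLENGTH - 7)
    }
    END { flush() }
    '
}

# Constructed sample: the blocked request from the post plus one benign request.
sample_audit_log() {
    cat <<'EOF'
---uCIdEUWW---A--
[15/Aug/2018:22:32:36 -0400] 153438675644.502478 10.82.1.124 5219 10.82.1.124 80
---uCIdEUWW---B--
GET /?testparam=test HTTP/1.1
Host: 10.82.23.56
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Connection: keep-alive
---uCIdEUWW---H--
ModSecurity: Access denied with code 403 (phase 2). [file "/usr/local/nginx/modsec/main.conf"] [line "7"] [id "1234"] [msg ""] [unique_id "153438675644.502478"]
---uCIdEUWW---Z--

---bRfT2Qkd---A--
[15/Aug/2018:22:40:01 -0400] 153438720143.118204 10.82.1.130 41822 10.82.1.124 80
---bRfT2Qkd---B--
GET /index.html HTTP/1.1
Host: 10.82.23.56
User-Agent: curl/7.29.0
---bRfT2Qkd---Z--

EOF
}

# Usage: sh modsec_audit_summary.sh /var/log/modsec_audit.log
# Without an argument the constructed sample is summarized instead.
if [ -n "${1:-}" ]; then
    summarize_audit_log < "$1"
else
    sample_audit_log | summarize_audit_log
fi
```

Pipe the live file through it (`tail -f /var/log/modsec_audit.log | summarize_audit_log` prints each transaction as soon as its Z part arrives) and the rule id column tells you at a glance whether a block came from the test rule 1234 or from something else.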
8. Summary
Overall, the only difficulty is that when building the dynamic module, the options of the existing nginx build have to be compiled into the dynamic module as well; if you simply compile the ModSecurity dynamic module on its own, nginx will not recognize it when it is loaded!
From downloading the resources ---> installing ModSecurity --> installing nginx --> building the ModSecurity dynamic module --> loading the ModSecurity dynamic module --> verifying the effect, the installation and configuration experiment is complete!! Loading the core rule set (CRS) is actually quite simple; I will write up the concrete steps in the next update of this article. Done.