Objective
ngx_lua_waf is a web application firewall based on lua-nginx-module (OpenResty).
GitHub address: https://github.com/loveshell/ngx_lua_waf
1. Uses:
Prevent SQL injection, local file inclusion, some overflows, fuzzing, XSS, SSRF and other web attacks
Prevent leaks of files such as svn metadata and backups
Prevent attacks from stress-testing tools such as ApacheBench
Block common hacking and scanning tools
Block abnormal network requests
Deny PHP execution permission in image and attachment directories
Prevent webshell uploads
2. Installation and configuration
2.1 Download and install LuaJIT
LuaJIT is a Lua interpreter written in C.
# git clone http://luajit.org/git/luajit-2.0.git
# make install PREFIX=/usr/local/luajit
Set the environment variables:
# export LUAJIT_LIB=/usr/local/luajit/lib
# export LUAJIT_INC=/usr/local/luajit/include/luajit-2.0
Add the global environment variable:
# vim /etc/profile.d/luajit
export PATH=/usr/local/luajit/bin:$PATH
2.2 Download and install ngx_devel_kit
ngx_devel_kit is an Nginx module that extends the core functionality of the Nginx server; other modules can be developed more easily on top of this framework.
Download it; there is no need to compile it:
# git clone https://github.com/simpl/ngx_devel_kit.git
Put it in a location of your choice, here /usr/local/soft/ngx_devel_kit.
2.3 Download lua-nginx-module
# wget https://github.com/openresty/lua-nginx-module/archive/v0.9.15.tar.gz
# tar -zxvf v0.9.15.tar.gz
After unpacking, put it in a location of your choice, here /usr/local/soft/lua-nginx-module-0.9.15.
2.4 Recompile Nginx, paying attention to the compilation order
--with-ld-opt="-Wl,-rpath,/usr/local/luajit/lib" --add-module=/usr/local/soft/ngx_devel_kit --add-module=/usr/local/soft/lua-nginx-module-0.9.15
The LuaJIT lib, ngx_devel_kit and lua-nginx-module options above are only the main additions. The complete configuration follows.
# wget http://nginx.org/download/nginx-1.7.10.tar.gz
Nginx 1.7 is recommended; when I used 1.9 before, I kept getting errors.
# ./configure --prefix=/usr/local/nginx --user=nginx --group=nginx --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx/nginx.pid --lock-path=/var/lock/nginx.lock --with-http_ssl_module --with-http_stub_status_module --with-http_gzip_static_module --with-http_flv_module --with-http_mp4_module --http-client-body-temp-path=/var/tmp/nginx/client --http-proxy-temp-path=/var/tmp/nginx/proxy --http-fastcgi-temp-path=/var/tmp/nginx/fastcgi --http-uwsgi-temp-path=/var/tmp/nginx/uwsgi --with-ld-opt="-Wl,-rpath,/usr/local/luajit/lib" --add-module=/usr/local/soft/ngx_devel_kit --add-module=/usr/local/soft/lua-nginx-module-0.9.15 && make && make install
To view the version and build options after the installation is complete:
# /usr/local/nginx/sbin/nginx -V
nginx version: nginx/1.7.10
built by gcc 4.4.7 20120313 (Red Hat 4.4.7-16) (GCC)
TLS SNI support enabled
configure arguments: --prefix=/usr/local/nginx --user=nginx --group=nginx --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx/nginx.pid --lock-path=/var/lock/nginx.lock --with-http_ssl_module --with-http_stub_status_module --with-http_gzip_static_module --with-http_flv_module --with-http_mp4_module --http-client-body-temp-path=/var/tmp/nginx/client --http-proxy-temp-path=/var/tmp/nginx/proxy --http-fastcgi-temp-path=/var/tmp/nginx/fastcgi --http-uwsgi-temp-path=/var/tmp/nginx/uwsgi --with-ld-opt=-Wl,-rpath,/usr/local/luajit/lib --add-module=/usr/local/soft/ngx_devel_kit --add-module=/usr/local/soft/lua-nginx-module-0.9.15
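The build can be checked mechanically instead of by eye. The following is an added example, not part of the original article or of ngx_lua_waf: the function name check_build and the shortened sample output are constructed here, and it assumes the module order the article describes (ngx_devel_kit before lua-nginx-module).

```shell
#!/usr/bin/env bash
# Added example: confirm an nginx build contains what ngx_lua_waf needs.
# check_build reads `nginx -V` text on stdin, prints one line per problem,
# and returns 0 only when nothing is missing (2 if the input is not -V output).
check_build() {
    local args words ndk lua rc=0
    args=$(sed -n 's/^configure arguments: *//p')
    [ -n "$args" ] || { echo "no configure arguments line; run nginx -V (capital V)"; return 2; }
    # One configure argument per line, so grep -n gives each argument's position.
    words=$(printf '%s\n' "$args" | tr -s ' ' '\n')
    ndk=$(printf '%s\n' "$words" | grep -n -- '^--add-module=.*ngx_devel_kit' | head -n 1 | cut -d: -f1)
    lua=$(printf '%s\n' "$words" | grep -n -- '^--add-module=.*lua-nginx-module' | head -n 1 | cut -d: -f1)
    [ -n "$ndk" ] || { echo "missing: ngx_devel_kit"; rc=1; }
    [ -n "$lua" ] || { echo "missing: lua-nginx-module"; rc=1; }
    if [ -n "$ndk" ] && [ -n "$lua" ] && [ "$ndk" -gt "$lua" ]; then
        echo "order: ngx_devel_kit must come before lua-nginx-module"; rc=1
    fi
    # Without the rpath the binary may fail to find libluajit at start-up.
    printf '%s\n' "$words" | grep -q -- '-Wl,-rpath,' ||
        { echo "missing: LuaJIT rpath in --with-ld-opt"; rc=1; }
    return $rc
}

# Constructed sample: a shortened copy of the nginx -V output shown above.
sample_v='nginx version: nginx/1.7.10
configure arguments: --prefix=/usr/local/nginx --with-http_ssl_module --with-ld-opt=-Wl,-rpath,/usr/local/luajit/lib --add-module=/usr/local/soft/ngx_devel_kit --add-module=/usr/local/soft/lua-nginx-module-0.9.15'

printf '%s\n' "$sample_v" | check_build && echo "build has everything ngx_lua_waf needs"
```

On a real host, nginx writes this output to stderr, so pipe it with `/usr/local/nginx/sbin/nginx -V 2>&1 | check_build`.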
2.3 Gracefully restart Nginx
# kill -HUP `cat /var/run/nginx/nginx.pid`
# /usr/local/nginx/sbin/nginx -s reload
2.4 After downloading, unzip ngx_lua_waf, move it into the conf directory of the Nginx installation directory and rename it to waf
# wget https://github.com/loveshell/ngx_lua_waf/archive/master.zip
# unzip master.zip
# mv ngx_lua_waf-master /usr/local/nginx/conf/waf
Add the following to the http section of nginx.conf:
lua_package_path "/usr/local/nginx/conf/waf/?.lua";
lua_shared_dict limit 10m;
init_by_lua_file /usr/local/nginx/conf/waf/init.lua;
access_by_lua_file /usr/local/nginx/conf/waf/waf.lua;
2.5 Set the WAF rule directory in config.lua (in /usr/local/nginx/conf/waf)
RulePath = "/usr/local/nginx/conf/waf/wafconf/"
Pay attention to this path; it is where the rule configuration files are read from.
Restart Nginx.
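A wrong path in any of these settings leaves Nginx running without the rules loaded, so it is worth checking the wiring before relying on the WAF. The following is an added example, not part of the original article or of ngx_lua_waf: the function names check_waf_conf and make_sample are hypothetical, and the sample tree is constructed in a temporary directory to stand in for /usr/local/nginx/conf.

```shell
#!/usr/bin/env bash
# Added example: confirm the nginx.conf directives and RulePath point at real files.
# check_waf_conf NGINX_CONF CONFIG_LUA prints one line per problem; returns 0 if none.
check_waf_conf() {
    local conf=$1 cfg=$2 rc=0 d f rules
    for d in init_by_lua_file access_by_lua_file; do
        f=$(sed -n "s/^[[:space:]]*$d[[:space:]]\{1,\}\([^;]*\);.*/\1/p" "$conf" | head -n 1)
        if [ -z "$f" ]; then echo "missing directive: $d"; rc=1
        elif [ ! -r "$f" ]; then echo "$d: cannot read $f"; rc=1
        fi
    done
    grep -Eq '^[[:space:]]*lua_package_path[[:space:]]+"[^"]*\?\.lua' "$conf" ||
        { echo "lua_package_path: no ?.lua pattern"; rc=1; }
    grep -Eq '^[[:space:]]*lua_shared_dict[[:space:]]+limit[[:space:]]' "$conf" ||
        { echo "missing directive: lua_shared_dict limit"; rc=1; }
    rules=$(sed -n 's/^[[:space:]]*RulePath[[:space:]]*=[[:space:]]*"\([^"]*\)".*/\1/p' "$cfg" | head -n 1)
    if [ -z "$rules" ]; then echo "RulePath not set in $cfg"; rc=1
    elif [ ! -d "$rules" ]; then echo "RulePath is not a directory: $rules"; rc=1
    fi
    return $rc
}

# Constructed sample tree so the check runs offline; prints the tree's root.
make_sample() {
    local root
    root=$(mktemp -d) || return 1
    mkdir -p "$root/waf/wafconf"
    : > "$root/waf/init.lua"; : > "$root/waf/waf.lua"
    printf 'RulePath = "%s/waf/wafconf/"\n' "$root" > "$root/waf/config.lua"
    cat > "$root/nginx.conf" <<EOF
http {
    lua_package_path "$root/waf/?.lua";
    lua_shared_dict limit 10m;
    init_by_lua_file $root/waf/init.lua;
    access_by_lua_file $root/waf/waf.lua;
}
EOF
    echo "$root"
}

root=$(make_sample)
check_waf_conf "$root/nginx.conf" "$root/waf/config.lua" && echo "WAF wiring OK"
```

On the host from this article the call would be `check_waf_conf /usr/local/nginx/conf/nginx.conf /usr/local/nginx/conf/waf/config.lua`.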
3. Testing
Test the WAF configuration by requesting /?a=union select; the request is intercepted, which shows the WAF is working.
[The steps above are also available as a one-click installation script, wafinstall.sh; run # bash wafinstall.sh to install.]
4. Summary
The ngx_lua_waf installation goes smoothly. The important point is the order: LuaJIT (interpreter) -> ngx_devel_kit (development kit module) -> lua-nginx-module (module). LuaJIT has to be compiled and installed into a specified directory, because that path is needed later when the Nginx modules are compiled. ngx_devel_kit and lua-nginx-module only need to be downloaded, not compiled on their own: note their paths, and they are built when Nginx itself is compiled. Nginx 1.7 is also recommended.
This article comes from the Penguin-controlled ' Blog, permanent link: https://www.mrliangqi.com/1074.html
This article is from the "Internet&linux" blog; make sure to keep this source: http://10250211.blog.51cto.com/10240211/1771402
Configuring a web application firewall based on the ngx_lua_waf module