I recently helped a friend maintain a site. It is a PHP site, and the painful part was that it sat behind IIS as a reverse proxy. After countless problems it became unbearable, so I wanted to move it over to Nginx; on top of that, the site was being pre-scanned and hit with CC (HTTP flood) attacks all the time. In the end a WAF-style solution was chosen to mitigate this. Without further words, let's get started.
What the WAF does:
- prevents SQL injection, local file inclusion, partial overflow, fuzzing, XSS, SSRF and other web attacks
- prevents leaks of files such as svn metadata and backups
- defends against stress-test tools such as ApacheBench
- blocks common scanning/hacking tools and scanners
- blocks abnormal network requests
- blocks PHP execution in image and attachment directories, preventing webshell uploads
For Nginx I chose Brother Spring's open source OpenResty, a great project.
OK, step by step:
1. Install LuaJIT:
# wget http://luajit.org/download/LuaJIT-2.1.0-beta1.tar.gz
# tar -xvf LuaJIT-2.1.0-beta1.tar.gz
# cd LuaJIT-2.1.0-beta1
# make
# make install
# ln -sf luajit-2.1.0-beta1 /usr/local/bin/luajit
2. Install OpenResty:
./configure --prefix=/opt/openresty --with-luajit --without-http_redis2_module --with-http_iconv_module
gmake
gmake install
3. Test OpenResty:
[root@www ngx_lua_waf]# cd /opt/openresty/nginx/conf/
[root@www conf]# cat nginx.conf
http {
    server {
        listen 80;
        location / {
            default_type text/html;
            content_by_lua_block {
                ngx.say("Hello World")
            }
        }
    }
}
###
Test that a request returns Hello World (earlier articles in this column cover this part in more detail).
[root@www conf]# curl localhost
Hello World
4. Download the open source project:
[root@www nginx]# cd /opt/openresty/nginx/
[root@www nginx]# git clone https://github.com/loveshell/ngx_lua_waf.git
5. Then modify the Nginx configuration to load the Lua scripts. These lines go in the http block:
lua_package_path "/opt/openresty/nginx/ngx_lua_waf/?.lua";         ### where the project is stored
lua_shared_dict limit 10m;                                          ### size of the limit table
init_by_lua_file /opt/openresty/nginx/ngx_lua_waf/init.lua;         ### corresponding path
access_by_lua_file /opt/openresty/nginx/ngx_lua_waf/waf.lua;        ### corresponding path
6. Modify the ngx_lua_waf configuration:
[root@www ngx_lua_waf]# vim config.lua
RulePath = "/opt/openresty/nginx/ngx_lua_waf/wafconf/"   ### location of the rule files
attacklog = "on"                                        ### enable attack logging
logdir = "/opt/openresty/nginx/logs/hack/"              ### log storage location
UrlDeny = "on"                                          ### enable URL protection
Redirect = "on"                                         ### redirect blocked requests to the warning page
CookieMatch = "on"                                      ### cookie filtering
postMatch = "on"                                        ### POST body filtering
whiteModule = "on"                                      ### URL whitelist module
black_fileExt = {"php", "jsp"}                          ### upload file extensions to block
ipWhitelist = {"127.0.0.1"}                             ### whitelisted IPs
ipBlocklist = {"1.0.0.1"}                               ### blacklisted IPs
CCDeny = "on"                                           ### enable CC (flood) protection
CCrate = "100/60"                                       ### allow the same IP 100 requests within 60 seconds
7. Create the log directory:
[root@www ngx_lua_waf]# mkdir /opt/openresty/nginx/logs/hack/
[root@www ngx_lua_waf]# chown -R nobody:nobody /opt/openresty/nginx/logs/hack/
8. Start Nginx for testing:
[root@www logs]# /opt/openresty/nginx/sbin/nginx
9. Test by accessing the site in a browser:
10. Stress test the CC protection:
Change the rate in config.lua to the following:
CCDeny = "on"
CCrate = "50/60"
Test results:
[root@www ngx_lua_waf]# ab -c 100 -n 100 http://192.168.63.242/index.heml
This is ApacheBench, Version 2.3
Copyright 1996 Adam Twiss, Zeus Technology Ltd, http://www.zeustech.net/
Licensed to The Apache Software Foundation, http://www.apache.org/
Benchmarking 192.168.63.242 (be patient)... done
Server Software:        openresty/1.11.2.2
Server Hostname:        192.168.63.242
Server Port:            80
Document Path:          /index.heml
Document Length:        2078 bytes
Concurrency Level:      100
Time taken for tests:   0.052 seconds
Complete requests:      100
Failed requests:        49      ### because the limit is in place, this many requests fail
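To make the CC limit exercised by that test concrete, here is an added illustration (not ngx_lua_waf's own code): a minimal access-phase Lua handler that enforces the "requests/seconds" CCrate format from config.lua using the lua_shared_dict named limit declared above. It assumes it is loaded with access_by_lua_file on OpenResty 1.11.x, and the CCrate and ipWhitelist values are copied from the configuration for self-containment.

```lua
-- Added example, not code from ngx_lua_waf: enforce a "count/seconds" CC
-- limit in the CCrate format from config.lua with the shared dict "limit".
-- Assumed: loaded via access_by_lua_file on OpenResty 1.11.x.
local CCrate      = "100/60"          -- same format as config.lua
local ipWhitelist = { "127.0.0.1" }   -- addresses that are never limited

-- parse "100/60" into the request count and the window length in seconds
local max_req, window = CCrate:match("^(%d+)/(%d+)$")
max_req, window = tonumber(max_req), tonumber(window)
local limit = ngx.shared.limit        -- from: lua_shared_dict limit 10m;

local function whitelisted(ip)
    for _, w in ipairs(ipWhitelist) do
        if ip == w then return true end
    end
    return false
end

local function deny_cc()
    -- remote_addr is the TCP peer; behind a trusted proxy you would take the
    -- real client address from the header that proxy sets instead
    local ip = ngx.var.remote_addr
    if whitelisted(ip) then return end

    -- one counter per client and path, so the limit applies per page
    local key = ip .. ngx.var.uri
    local req = limit:get(key)
    if not req then
        -- first hit in this window: create the counter, TTL = window length
        -- (get-then-set is not atomic, so a few extra hits can slip through
        -- under heavy concurrency; acceptable for flood mitigation)
        limit:set(key, 1, window)
        return
    end
    if req >= max_req then
        ngx.log(ngx.WARN, "CC limit exceeded: ", ip, " ", ngx.var.uri)
        return ngx.exit(503)          -- ngx_lua_waf also answers with 503
    end
    limit:incr(key, 1)                -- incr keeps the TTL set at creation
end

deny_cc()
```

Lowering CCrate to "50/60" as in the test above makes the handler start answering 503 from the 51st request to the same path within a minute, which is what shows up as failed requests in the ab run.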
With that, a WAF defense is in place. Thanks to loveshell for providing such a great open source WAF project, and to Brother Spring for OpenResty.
Original Address: http://www.roncoo.com/article/detail/126294
Nginx + Lua: Building a Website Protection WAF (1)