Nginx security basics (nginx + waf + lua)

: This article mainly introduces the security basics of nginx (nginx + waf + lua). For more information about PHP tutorials, see. Thanks to the documents provided by the online experts.

Nginx waf + lua security module, web application firewall on nginx

Required software:

1. LuaJIT download site: http://luajit.org (Current stable version: 2.0.4)
2、ngx_devel_kit-0.2.19.tar
3、lua-nginx-module-0.9.5rc2.tar
4、master.zip
5. nginx
Optimizing nginx packages
1. libunwind
2. gperftools

1. install LuaJIT

Tar-zxvf LuaJIT.tar.gz

Make

Make install

After installation,IncludeDirectly put in/usr/local/lib and/usr/local/IncludeMedium

2. decompress ngx_devel_kit and lua-nginx-module

3. set environment variables

Export LUAJIT_LIB =/usr/local/lib
Export LUAJIT_INC =/usr/local/IncludeLuajit-2.0
Export LD_LIBRARY_PATH =/usr/local/lib/: $ LD_LIBRARY_PATH

4. install nginx (version 1.6.1, failed in 1.9.4)

4.1 nginx optimization

Vim/usr/local/src/nginx-1.6.1/auto/cc/gcc

Note: # debug
# CFLAGS = "$ CFLAGS-g"

Explanation: disable the nginx debug module to reduce the size of the nginx installation package.

4.2 nginx optimization

Explanation: to optimize nginx performanceMemory allocationThe efficiency and speed are greatly improved to reduce the load. Install libunwind and gperftools

4.2.1 install libunwind

Tar-xf/usr/local/src/libunwind.tar.gz

Cd/usr/local/src/libunwind
CFLAGS =-fPIC./configure
Make CFLAGS =-fPIC
Make CFLAGS =-fPIC install

4.2.2 install gperftools

Tar-xf/usr/local/src/gperftools.tar.gz
Cd/usr/local/src/gperftools
Make & make install

Mkdir/tmp/tcmalloc // Create a tcmalloc thread to write files
Chmod777/tmp/tcmalloc

Echo "/usr/local/lib">/etc/ld. so. conf. d/usr_local_lib.conf # enable the configuration of google_perftools_profiles in nginx. conf to take effect.

4.2.3 install nginx

Cd/usr/local/src/nginx-1.6.1/

For example: production environment: pay attention to ngx_devel_kit-0.2.19, lua-nginx-module-0.9.5rc2 path must be correct
-- Prefix =/usr/local/nginx -- user = nginx -- group = nginx -- with-http_stub_status_module -- with-http_ssl_module -- with-file-aio -- with-http_realip_module -- add-module =/usr/local/nginx_upstream_check_module-master -- with-http_stub_status_module -- add-module =/usr/local/src/ngx_devel_kit-0.2.19 -- add-module =/usr/local/src/lua-nginx-module-0.9.5rc2 -- with-google_perftools_module
Make & make install

4.2.4 add ngx_lua_waf_master

Unzip-o/usr/local/src/ngx_lua_waf_master.zip
Mv/usr/local/src/ngx_lua_waf_master/usr/local/nginx/conf/waf

# Creating a folder to store waf logs requires the write permission
Mkidr/home/nignx_waf_log/
Chmod777/home/nginx_waf_log/

Vim/usr/local/src/nginx/conf/waf/conf. lua
RulePath = "/usr/local/nginx-help/conf/waf/wafconf/" # specify the folder where waf rules are stored
Logdir = "/home/nginx_waf_log" # specify the location where waf logs are stored

Vim/usr/local/nginx/conf/nginx. conf
# Add a pid to support the gperftools Library
Google_perftools_profiles/tmp/tcmalloc .;
# Add in http
Lua_package_path "/usr/local/nginx/conf/waf /?. Lua ";
Lua_shared_dict limit 10 m;
Init_by_lua_file/usr/local/nginx/conf/waf/init. lua;
Access_by_lua_file/usr/local/nginx/conf/waf. lua;

Then start nginx
What is added after the url of the website sub-connection? Id = ../etc/passwd; check whether the firewall blocking page appears
Lsof-n | greo tcmalloc

During official use, use the waf module provided on www.wooyun.org and modify the rules according to your needs.

The above describes the security basics of nginx (nginx + waf + lua), including some content, and hope to help those who are interested in PHP tutorials.