This article introduces the security basics of nginx (nginx + waf + lua). Thanks to the documents provided by the online experts.
Nginx waf + lua security module, web application firewall on nginx
Required software:
1. LuaJIT download site: http://luajit.org (Current stable version: 2.0.4)
2. ngx_devel_kit-0.2.19.tar
3. lua-nginx-module-0.9.5rc2.tar
4. master.zip
5. nginx
Packages for optimizing nginx:
1. libunwind
2. gperftools
1. Install LuaJIT
tar -zxvf LuaJIT.tar.gz
cd LuaJIT-2.0.4    # directory the 2.0.4 release tarball extracts to
make
make install
After installation, lib and include are placed directly in /usr/local/lib and /usr/local/include.
2. Decompress ngx_devel_kit and lua-nginx-module
3. Set environment variables
export LUAJIT_LIB=/usr/local/lib
export LUAJIT_INC=/usr/local/include/luajit-2.0
export LD_LIBRARY_PATH=/usr/local/lib/:$LD_LIBRARY_PATH
4. Install nginx (version 1.6.1; the build failed with 1.9.4)
4.1 nginx optimization
vim /usr/local/src/nginx-1.6.1/auto/cc/gcc
Comment out the CFLAGS line under "# debug":
# debug
# CFLAGS="$CFLAGS -g"
Explanation: this builds nginx without debug information (-g), which reduces the size of the installed nginx binary.
4.2 nginx optimization
Explanation: to optimize nginx performance, install libunwind and gperftools. The efficiency and speed of memory allocation are greatly improved, which reduces the load.
4.2.1 Install libunwind
tar -xf /usr/local/src/libunwind.tar.gz
cd /usr/local/src/libunwind
CFLAGS=-fPIC ./configure
make CFLAGS=-fPIC
make CFLAGS=-fPIC install
4.2.2 Install gperftools
tar -xf /usr/local/src/gperftools.tar.gz
cd /usr/local/src/gperftools
./configure
make && make install
mkdir /tmp/tcmalloc    # location where tcmalloc writes its files
chmod 777 /tmp/tcmalloc
echo "/usr/local/lib" > /etc/ld.so.conf.d/usr_local_lib.conf    # lets the google_perftools_profiles setting in nginx.conf take effect
ldconfig    # rebuild the linker cache so the new library path is picked up
4.2.3 Install nginx
cd /usr/local/src/nginx-1.6.1/
Example for a production environment (the paths to ngx_devel_kit-0.2.19 and lua-nginx-module-0.9.5rc2 must be correct):
./configure --prefix=/usr/local/nginx --user=nginx --group=nginx \
  --with-http_stub_status_module --with-http_ssl_module --with-file-aio \
  --with-http_realip_module \
  --add-module=/usr/local/nginx_upstream_check_module-master \
  --add-module=/usr/local/src/ngx_devel_kit-0.2.19 \
  --add-module=/usr/local/src/lua-nginx-module-0.9.5rc2 \
  --with-google_perftools_module
make && make install
4.2.4 Add ngx_lua_waf_master
unzip -o /usr/local/src/ngx_lua_waf_master.zip
mv /usr/local/src/ngx_lua_waf_master /usr/local/nginx/conf/waf
# Create a folder to store the waf logs; it needs write permission
mkdir /home/nginx_waf_log/
chmod 777 /home/nginx_waf_log/
vim /usr/local/nginx/conf/waf/conf.lua
RulePath = "/usr/local/nginx/conf/waf/wafconf/"    -- folder where the waf rules are stored
logdir = "/home/nginx_waf_log"    -- location where the waf logs are stored
vim /usr/local/nginx/conf/nginx.conf
# Add in the main context (next to the pid directive) to support the gperftools library
google_perftools_profiles /tmp/tcmalloc;
# Add in the http block
lua_package_path "/usr/local/nginx/conf/waf/?.lua";
lua_shared_dict limit 10m;
init_by_lua_file /usr/local/nginx/conf/waf/init.lua;
access_by_lua_file /usr/local/nginx/conf/waf/waf.lua;
Then start nginx.
Append ?id=../etc/passwd to the URL of a page on the site and check whether the firewall's block page appears.
lsof -n | grep tcmalloc    # check that nginx has tcmalloc loaded
For production use, take the waf module provided on www.wooyun.org and modify the rules according to your needs.
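The checks from the last steps can be collected into one post-install script. This is an added example, not part of the original article or of ngx_lua_waf; the function names and the script name check_waf.sh are hypothetical, the nginx path follows the --prefix used above, and it assumes the block page is served with HTTP status 403.

```sh
#!/bin/sh
# Added example: post-install checks for the nginx + ngx_lua_waf build above.

# Succeeds only if the `nginx -V` text on stdin names every module this
# setup compiles in; prints the first one that is missing.
has_waf_modules() {
    build=$(cat)
    for m in ngx_devel_kit lua-nginx-module with-google_perftools_module; do
        case $build in
            *"$m"*) ;;
            *) echo "not compiled in: $m"; return 1 ;;
        esac
    done
}

# Succeeds if directory $1 is writable by every local user (o+w set).
# Returns 2 if the directory does not exist.
world_writable() {
    [ -d "$1" ] || return 2
    case $(ls -ld "$1") in
        ????????w*) return 0 ;;   # 9th character of the mode string is other-write
        *) return 1 ;;
    esac
}

# Sends the article's test request to site $1 and succeeds if the answer is
# 403 (assumed status of the WAF block page).
waf_blocks() {
    code=$(curl -s -o /dev/null -w '%{http_code}' "$1/?id=../etc/passwd")
    [ "$code" = 403 ]
}

# Live checks run only when a site URL is given: sh check_waf.sh http://127.0.0.1
if [ -n "${1:-}" ]; then
    /usr/local/nginx/sbin/nginx -V 2>&1 | has_waf_modules || exit 1
    for d in /tmp/tcmalloc /home/nginx_waf_log; do
        if world_writable "$d"; then echo "world-writable: $d"; fi
    done
    if waf_blocks "$1"; then
        echo "WAF blocked the test request"
    else
        echo "test request was NOT blocked"; exit 1
    fi
fi
```

With the chmod 777 steps above, both directories are reported as world-writable; the report is informational and does not fail the run.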