Nginx security basics (nginx + waf + lua)

Source: Internet
Author: User
Summary: This article introduces the security basics of nginx (nginx + waf + lua). Thanks to the documents provided by the online experts.

Nginx waf + lua security module, web application firewall on nginx

Required software:

1. LuaJIT, download site: http://luajit.org (current stable version: 2.0.4)
2. ngx_devel_kit-0.2.19.tar
3. lua-nginx-module-0.9.5rc2.tar
4. master.zip
5. nginx

Packages for optimizing nginx:

1. libunwind
2. gperftools

1. install LuaJIT

tar -zxvf LuaJIT.tar.gz

make

make install

After installation, the lib and include files are placed directly in /usr/local/lib and /usr/local/include.

2. decompress ngx_devel_kit and lua-nginx-module

3. set environment variables

export LUAJIT_LIB=/usr/local/lib
export LUAJIT_INC=/usr/local/include/luajit-2.0
export LD_LIBRARY_PATH=/usr/local/lib/:$LD_LIBRARY_PATH

4. install nginx (version 1.6.1, failed in 1.9.4)

4.1 nginx optimization

vim /usr/local/src/nginx-1.6.1/auto/cc/gcc

Comment out the following lines:
# debug
# CFLAGS="$CFLAGS -g"

Explanation: this turns off nginx debug mode, which reduces the size of the nginx installation package.

4.2 nginx optimization

Explanation: to optimize nginx performance, install libunwind and gperftools. They greatly improve the efficiency and speed of memory allocation, which reduces the load.

4.2.1 install libunwind

tar -xf /usr/local/src/libunwind.tar.gz

cd /usr/local/src/libunwind
CFLAGS=-fPIC ./configure
make CFLAGS=-fPIC
make CFLAGS=-fPIC install

4.2.2 install gperftools

tar -xf /usr/local/src/gperftools.tar.gz
cd /usr/local/src/gperftools
./configure
make && make install

mkdir /tmp/tcmalloc    # directory where the tcmalloc threads write their files
chmod 777 /tmp/tcmalloc

echo "/usr/local/lib" > /etc/ld.so.conf.d/usr_local_lib.conf    # needed for the google_perftools_profiles setting in nginx.conf to take effect

4.2.3 install nginx

cd /usr/local/src/nginx-1.6.1/

Example for a production environment. Make sure the paths to ngx_devel_kit-0.2.19 and lua-nginx-module-0.9.5rc2 are correct:
./configure --prefix=/usr/local/nginx --user=nginx --group=nginx --with-http_stub_status_module --with-http_ssl_module --with-file-aio --with-http_realip_module --add-module=/usr/local/nginx_upstream_check_module-master --add-module=/usr/local/src/ngx_devel_kit-0.2.19 --add-module=/usr/local/src/lua-nginx-module-0.9.5rc2 --with-google_perftools_module
make && make install

4.2.4 add ngx_lua_waf_master

unzip -o /usr/local/src/ngx_lua_waf_master.zip -d /usr/local/src
mv /usr/local/src/ngx_lua_waf_master /usr/local/nginx/conf/waf

# Create a folder to store the waf logs; it needs write permission
mkdir /home/nginx_waf_log/
chmod 777 /home/nginx_waf_log/

vim /usr/local/nginx/conf/waf/config.lua
RulePath = "/usr/local/nginx/conf/waf/wafconf/"  -- folder where the waf rules are stored
logdir = "/home/nginx_waf_log"  -- location where the waf logs are stored

vim /usr/local/nginx/conf/nginx.conf
# Add below the pid directive to support the gperftools library
google_perftools_profiles /tmp/tcmalloc;
# Add inside the http block
lua_package_path "/usr/local/nginx/conf/waf/?.lua";
lua_shared_dict limit 10m;
init_by_lua_file /usr/local/nginx/conf/waf/init.lua;
access_by_lua_file /usr/local/nginx/conf/waf/waf.lua;

Then start nginx.
Append ?id=../etc/passwd to the URL of a page on the website and check whether the firewall blocking page appears.
To confirm that tcmalloc is loaded:
lsof -n | grep tcmalloc
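
The nginx.conf wiring described above can be checked before nginx is started. The following is an added example, not part of the original article or of ngx_lua_waf: it confirms that the four Lua directives are present and that the files they reference exist, which catches a mistyped script path. The helper names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: verify that nginx.conf wires in the Lua WAF as described above.
# directive_arg, check_waf_wiring and make_sample are hypothetical helper names.

# Print the first argument of directive $2 in file $1 (quote and ';' stripped).
directive_arg() {
    sed -n "s/^[[:space:]]*$2[[:space:]][[:space:]]*\"\{0,1\}\([^\";[:space:]]*\).*/\1/p" "$1" | head -n 1
}

# Return 0 when every WAF directive is present and its files exist, else 1.
check_waf_wiring() {
    conf=$1; rc=0
    for d in lua_package_path lua_shared_dict init_by_lua_file access_by_lua_file; do
        arg=$(directive_arg "$conf" "$d")
        if [ -z "$arg" ]; then echo "MISSING  $d"; rc=1; continue; fi
        case $d in
            *_by_lua_file)
                # The referenced Lua script must exist and be readable.
                [ -r "$arg" ] || { echo "NOFILE   $d -> $arg"; rc=1; } ;;
            lua_package_path)
                # The search pattern must be <existing directory>/?.lua
                dir=${arg%/\?.lua}
                { [ "$dir" != "$arg" ] && [ -d "$dir" ]; } || { echo "BADPATH  $d -> $arg"; rc=1; } ;;
        esac
    done
    return $rc
}

# Constructed sample: a waf directory, one correct nginx.conf and one mistyped copy.
make_sample() {
    root=$(mktemp -d)
    mkdir -p "$root/waf"
    : > "$root/waf/init.lua"; : > "$root/waf/waf.lua"
    printf '%s\n' "http {" \
        "    lua_package_path \"$root/waf/?.lua\";" \
        "    lua_shared_dict limit 10m;" \
        "    init_by_lua_file $root/waf/init.lua;" \
        "    access_by_lua_file $root/waf/waf.lua;" "}" > "$root/good.conf"
    # Same file with the access script path one directory level too high.
    sed "s#waf/waf.lua#waf.lua#" "$root/good.conf" > "$root/bad.conf"
    echo "$root"
}

root=$(make_sample)
check_waf_wiring "$root/good.conf" && echo "good.conf: wiring OK"
check_waf_wiring "$root/bad.conf" || echo "bad.conf: rejected"
rm -rf "$root"
```

On a real installation, call check_waf_wiring /usr/local/nginx/conf/nginx.conf after editing the file.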

For production use, use the waf module provided on www.wooyun.org and modify the rules according to your needs.
