Original: http://www.2cto.com/net/201608/534272.html
Installing LuaJIT
# wget http://luajit.org/download/LuaJIT-2.0.4.tar.gz
# tar xf LuaJIT-2.0.4.tar.gz
# cd LuaJIT-2.0.4
# make && make install
Download ngx_devel_kit
# wget -O ngx_devel_kit-master.zip https://codeload.github.com/simpl/ngx_devel_kit/zip/master
# unzip ngx_devel_kit-master.zip
The path after decompression is /root/ngx_devel_kit-master
Download and unzip lua-nginx-module
Project page: https://github.com/openresty/lua-nginx-module#readme
# unzip lua-nginx-module-master.zip
# cd lua-nginx-module-master
Install Nginx, or patch an existing Nginx
nginx -v shows the Nginx version number:
# nginx -v
nginx version: nginx/1.8.0
nginx -V shows the parameters the existing binary was compiled with:
# nginx -V
nginx version: nginx/1.8.0
built by gcc 4.4.7 20120313 (Red Hat 4.4.7-16) (GCC)
built with OpenSSL 1.0.1e-fips 2013
TLS SNI support enabled
configure arguments: --user=www --group=www --prefix=/usr/local/nginx --with-http_stub_status_module --with-http_ssl_module --with-http_spdy_module --with-http_gzip_static_module --with-ipv6 --with-http_sub_module --with-google_perftools_module
I already have nginx 1.8 installed here, so what follows patches the existing Nginx.
Enter the source directory of nginx 1.8 and run the following sequence of commands:
# import the environment variables, then compile
# export LUAJIT_LIB=/usr/local/lib                 # this path may well differ on your system
# export LUAJIT_INC=/usr/local/include/luajit-2.0  # this path may well differ on your system
# cd /home/tools/lnmp1.2-full/src/nginx-1.8.0
# ./configure \
--user=www --group=www \
--prefix=/usr/local/nginx \
--with-http_stub_status_module \
--with-http_ssl_module \
--with-http_spdy_module \
--with-http_gzip_static_module \
--with-ipv6 \
--with-http_sub_module \
--with-google_perftools_module \
--add-module=/root/ngx_devel_kit-master \
--add-module=/root/lua-nginx-module-master \
--with-ld-opt="-Wl,-rpath,$LUAJIT_LIB"
# make -j4 && make install
Prepare the Nginx attack log directory
# mkdir -p /home/wwwlogs/attack
# chown www.www /home/wwwlogs/attack
# chmod -R 755 /home/wwwlogs/attack
Installing the ngx_lua_waf module
Official address: https://github.com/loveshell/ngx_lua_waf
# wget -O ngx_lua_waf-master.zip https://codeload.github.com/loveshell/ngx_lua_waf/zip/master
# unzip ngx_lua_waf-master.zip
# cd ngx_lua_waf-master
# mkdir /usr/local/nginx/conf/waf
# cp -a ./* /usr/local/nginx/conf/waf
Modify the Nginx configuration file, adding the following to the http block:
lua_package_path "/usr/local/nginx/conf/waf/?.lua";
lua_shared_dict limit 10m;   # this directive must be present for CC-attack interception to work
init_by_lua_file /usr/local/nginx/conf/waf/init.lua;
access_by_lua_file /usr/local/nginx/conf/waf/waf.lua;
You can adjust the following settings in /usr/local/nginx/conf/waf/config.lua:
RulePath = "/usr/local/nginx/conf/waf/wafconf/"
attacklog = "on"
logdir = "/home/wwwlogs/attack"
UrlDeny="on"
Redirect="on"
CookieMatch="on"
postMatch="on"
whiteModule="on"
black_fileExt={"php","jsp"}
ipWhitelist={"127.0.0.1"}
ipBlocklist={"1.0.0.1"}
CCDeny="on"
CCrate="100/60"
Configuration file description:
RulePath = "/usr/local/nginx/conf/waf/wafconf/" -- directory that holds the rule files
attacklog = "off" -- whether to record attack information; requires logdir to be set
logdir = "/usr/local/nginx/logs/hack/" -- log directory; you must create it yourself, and it must be writable by the Nginx user
UrlDeny="on" -- whether to block requests whose URL matches the rules
Redirect="on" -- whether to redirect the client after intercepting a request
CookieMatch="on" -- whether to block cookie attacks
postMatch="on" -- whether to intercept POST attacks
whiteModule="on" -- whether to enable the URL whitelist
black_fileExt={"php","jsp"} -- file extensions that may not be uploaded
ipWhitelist={"127.0.0.1"} -- IP whitelist; separate multiple IPs with commas
ipBlocklist={"1.0.0.1"} -- IP blacklist; separate multiple IPs with commas
CCDeny="on" -- whether to intercept CC attacks (requires lua_shared_dict limit 10m; in the http block of nginx.conf)
CCrate="100/60" -- CC attack threshold as requests/seconds; by default the same IP may request the same address at most 100 times per minute
html=[[Please go away~~]] -- warning page shown to blocked clients; the text inside the brackets can be customized
Note: do not remove the double quotes; option names are case-sensitive.
Restart Nginx
# nginx -t
# /etc/init.d/nginx restart
Testing with malicious requests
# curl 'http://xxxx/test.php?id=../etc/passwd'
# curl 'http://192.168.2.12/index.php?cmd=phpinfo();'
or request the URLs directly in a browser.
As the screenshot shows, the requests are intercepted.
In addition, log files recording the full attack details now appear under /home/wwwlogs/attack.
Some notes:
The filter rules live under wafconf and can be adjusted as needed; each rule goes on its own line, or rules are separated with |
args holds the rules applied to GET parameters
url holds the rules applied only to the URL of GET requests
post holds the rules applied only to POST requests
whitelist is the URL whitelist; URLs that match it are not filtered
user-agent holds the filter rules for the User-Agent header
GET and POST filtering are on by default; to turn on cookie filtering, edit waf.lua and remove the -- comment markers from the relevant section.
Intercepted illegal requests are logged to files named <virtual hostname>_sec.log
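To make the interaction of the config.lua settings and the wafconf rule files concrete, here is an added Python model of the decision flow; it is not code from ngx_lua_waf. The rule set, the config values and the order of the checks are this example's own assumptions.

```python
import re
from urllib.parse import unquote

# Constructed settings, using the config.lua option names from this page
CONFIG = {"UrlDeny": "on", "whiteModule": "on", "CCDeny": "on", "CCrate": "100/60",
          "ipWhitelist": ["127.0.0.1"], "ipBlocklist": ["1.0.0.1"]}
# Constructed rule files in wafconf style: one regex per line, '|' also separates alternatives
RULE_FILES = {
    "args": "\\.\\./\netc/\\W*passwd|etc/\\W*shadow\n(?:phpinfo|system|shell_exec|eval)\\s*\\(",
    "url": r"\.\./",
    "user-agent": r"sqlmap|nikto|acunetix",
    "whitelist": r"^/health$",
}

def compile_rules(text):
    """Join a rule file's non-empty lines into one case-insensitive alternation."""
    return re.compile("|".join(l.strip() for l in text.splitlines() if l.strip()), re.IGNORECASE)

class CCLimiter:
    """Fixed-window counter per (client IP, URL); stands in for the lua_shared_dict 'limit' zone."""
    def __init__(self, ccrate):
        self.limit, self.window, self.counters = (*map(int, ccrate.split("/")), {})  # "100/60": 100 req / 60 s
    def over_limit(self, ip, uri, now):
        count, expires = self.counters.get((ip, uri), (0, now + self.window))
        if now >= expires:  # window elapsed: start a fresh one
            count, expires = 0, now + self.window
        self.counters[(ip, uri)] = (count + 1, expires)
        return count + 1 > self.limit

class Waf:
    def __init__(self, config, rule_files):
        self.cfg, self.limiter = config, CCLimiter(config["CCrate"])
        self.rules = {name: compile_rules(text) for name, text in rule_files.items()}
    def check(self, ip, uri, args="", ua="", now=0.0):
        """Return None if the request passes, else the name of the blocking check (order assumed here)."""
        if ip in self.cfg["ipWhitelist"]:
            return None
        if ip in self.cfg["ipBlocklist"]:
            return "ipBlocklist"
        if self.cfg["CCDeny"] == "on" and self.limiter.over_limit(ip, uri, now):
            return "CCDeny"
        if self.cfg["whiteModule"] == "on" and self.rules["whitelist"].search(uri):
            return None  # whitelisted URLs skip the content rules entirely
        if self.rules["user-agent"].search(ua):
            return "user-agent"
        if self.cfg["UrlDeny"] == "on" and self.rules["url"].search(uri):
            return "url"
        if self.rules["args"].search(unquote(args)):  # decoded first, so %2e%2e/ is still caught
            return "args"
        return None
```

Note that a URL on the whitelist bypasses the content rules but not the IP blocklist or the CC counter, and that the CC counter is keyed by IP and URL together, which is why the same client can still request other addresses after hitting the limit.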
Remarks
This module appears to stop only simple SQL-injection statements; carefully constructed malicious statements are not intercepted.
Also, after I installed it on the company's server, customer service reported that images could no longer be uploaded through forms.
Nginx+Lua implements a simple WAF web application firewall