Nginx+lua implements a simple WAF Web Firewall feature

Source: Internet
Author: User
Tags lua simple sql injection

Original: http://www.2cto.com/net/201608/534272.html

Installing Luajit

Http://luajit.org/download/LuaJIT-2.0.4.tar.gz

Tar XF luajit-2.0.4.tar.gz

CD LuaJIT-2.0.4

Make && make install

Download Ngx_devel_kit

Https://codeload.github.com/simpl/ngx_devel_kit/zip/master

Unzip Ngx_devel_kit-master.zip

The path after decompression is: Root/ngx_devel_kit-master

Download Nginx_lua_module Unzip

Https://github.com/openresty/lua-nginx-module#readme

Unzip Lua-nginx-module-master.zip

CD Lua-nginx-module-master

Install Nginx or patch the Nginx

Nginx-v to view Nginx version number

# nginx-v

Nginx version:nginx/1.8.0

Nginx-v to view previous compilation parameters

# nginx-v

Nginx version:nginx/1.8.0

Built by GCC 4.4.7 20120313 (Red Hat 4.4.7-16) (GCC)

Built with OpenSSL 1.0.1e-fips 2013

TLS SNI Support Enabled

Configure arguments:--user=www--group=www--prefix=/usr/local/nginx--with-http_stub_status_module--with-http_ssl _module--with-http_spdy_module--with-http_gzip_static_module--with-ipv6--with-http_sub_module--with-google_ Perftools_module

I've already installed nginx1.8 here.

Then the following is a patch to the nginx thing. As follows:

Enter the source code directory of the nginx1.8. Execute the following series of commands:

# import environment variables, compile

# Exportluajit_lib=/usr/local/lib #这个很有可能不一样

# exportluajit_inc=/usr/local/include/luajit-2.0# This is probably not the same

# cd/home/tools/lnmp1.2-full/src/nginx-1.8.0

#./configure \

--user=www--group=www \

--prefix=/usr/local/nginx \

--with-http_stub_status_module \

--with-http_ssl_module \

--with-http_spdy_module \

--with-http_gzip_static_module \

--with-ipv6 \

--with-http_sub_module \

--with-google_perftools_module \

--add-module=/root/ngx_devel_kit-master\

--add-module=/root/lua-nginx-module-master\

--with-ld-opt= "-wl,-rpath, $LUAJIT _lib"

# Make-j4 && make install

Prepare the Nginx attack log directory

# mkdir-p/home/wwwlogs/attack

# chown Www.www/home/wwwlogs/attack

# Chmod-r 755/home/wwwlogs/attack

Installation of Nginx LUA_WAF module

Official address: Https://github.com/loveshell/ngx_lua_waf

# wget Https://codeload.github.com/loveshell/ngx_lua_waf/zip/master

# Unzip Ngx_lua_waf-master.zip

# CD Ngx_lua_waf-master

# MKDIR/USR/LOCAL/NGINX/CONF/WAF

# cp-a.//USR/LOCAL/NGINX/CONF/WAF

Modify the Nginx configuration file and add the following to the HTTP segment:

Lua_package_path "/usr/local/nginx/conf/waf/?" Lua ";

Lua_shared_dict limit 10m; This rule must be added to activate the Intercept cc attack.

Init_by_lua_file/usr/local/nginx/conf/waf/init.lua;

Access_by_lua_file/usr/local/nginx/conf/waf/waf.lua;

You can modify the following 2 parts of the/usr/local/nginx/conf/waf/config.lua:

Rulepath = "/usr/local/nginx/conf/waf/wafconf/"

Attacklog = "On"

LogDir = "/home/wwwlogs/attack"

Urldeny= "On"

Redirect= "On"

Cookiematch= "On"

Postmatch= "On"

Whitemodule= "On"

black_fileext={"PHP", "JSP"}

ipwhitelist={"127.0.0.1"}

ipblocklist={"1.0.0.1"}

Ccdeny= "On"

Ccrate= "100/60"

Configuration file Description:

Rulepath = "/usr/local/nginx/conf/waf/wafconf/"--rule storage Directory

Attacklog = "Off"--whether to open the attack information record, need to configure LogDir

LogDir = "/usr/local/nginx/logs/hack/"--log storage directory, the directory requires users to create their own new, require Nginx user's writable permission

Urldeny= "On"--whether to block URL access

Redirect= "On"--whether to intercept after redirection

Cookiematch = "On"-whether to block cookie attacks

Postmatch = "On"--whether to intercept post attacks

Whitemodule = "On"--whether to open the URL whitelist

black_fileext={"PHP", "JSP"}--fill in the file suffix type not allowed to upload

ipwhitelist={"127.0.0.1"}--ip Whitelist, multiple IPs separated by commas

ipblocklist={"1.0.0.1"}--ip blacklist, multiple IPs separated by commas

Ccdeny= "on"-whether to turn on intercept cc attack (requires nginx.conf HTTP segment increase lua_shared_dict limit 10m;)

Ccrate = "100/60"--sets the frequency of the CC attack, in seconds. Default 1 minutes The same IP can only request the same address 100 times

Html=[[please go away~~]]--warning content can be customized within brackets

Note: Do not tamper with double quotes, case-sensitive

Re-start Nginx

# nginx-t

#/etc/init.d/nginx Restart Restart Nginx

Rogue Access Testing

# Curl HTTP://XXXX/TEST.PHP?ID=../ETC/PASSWD

# curl Http://192.168.2.12/index.php?cmd=phpinfo ();

or request it directly on the Web page

The results are as shown and are intercepted.


In addition, there are already log files under the/home/wwwlogs/attack directory that record the entire attack log.

Some notes:

Filter rules under WAFCONF, can be adjusted according to demand, each rule needs to be wrapped, or split with |

The rule get parameter inside args is filtered

URLs are rules that are filtered only at GET request URLs

Post is a rule that filters only on post requests

Whitelist is a whitelist, inside the URL matches to do not filter

User-agent is the filter rule for user-agent.

The Get and post filters are turned on by default, and you need to turn on cookie filtering to edit the Waf.lua cancellation section--Comments.

The illegal request to intercept is logged in the log file name format as follows: virtual hostname _sec.log

Description

This thing seems to only prevent some simple SQL injection class statements, for some well-constructed malicious statements can not be intercepted.

In addition, I installed it in the company's server, the background customer service response will appear in the form form the picture can not upload the situation.

Nginx+lua implements a simple WAF Web Firewall feature

Related Article

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.