security,nginx

Compiling nginx from source and protecting a website with ngx_lua_waf


The following description is copied from the ngx_lua_waf Git repository.

ngx_lua_waf is a web application firewall built on ngx_lua; it is simple to use, high-performance and lightweight.

  • Blocks SQL injection, local file inclusion, some overflows, fuzzing, XSS, SSRF and other web attacks
  • Prevents leakage of svn/backup and similar files
  • Blocks attacks from stress-testing tools such as ApacheBench
  • Blocks common hacking tools and scanners
  • Blocks abnormal network requests
  • Denies PHP execution in image/attachment directories
  • Prevents webshell uploads

nginx's limit_req module can only take a single variable, whereas Tengine supports several, so Tengine is recommended.

-

Preparing the build environment

  • Test environment: CentOS 7.3 on a Tencent Cloud VPS
  • Install gcc, git and the other build tools. Installing them one by one is tedious, so the whole "Development Tools" package group is installed here; do not do this on production machines (a full compiler toolchain on a web server is attack surface you do not need).
# yum groupinstall -y "Development Tools"

Downloading the required packages

ngx_lua_waf recommends LuaJIT as the Lua runtime. lua-nginx-module (ngx_lua) is what embeds it into nginx, and it in turn needs the ngx_devel_kit module. Change to /usr/local/src and prepare these three there.

  • Download and install the Lua runtime (OpenResty's LuaJIT fork). The git@github.com: form only works with an SSH key registered at GitHub; the https URLs clone anonymously.
# cd /usr/local/src
# git clone https://github.com/openresty/luajit2.git
# cd luajit2
# make && make install
  • Verify that LuaJIT was installed
# luajit -v

If the LuaJIT version and copyright line is printed, the installation succeeded.

  • Export the environment variables that the lua-nginx-module build reads
# vim /etc/profile.d/luajit.sh
    Insert the following two lines. luajit2 is LuaJIT 2.1, so its headers are installed under luajit-2.1; only a stock LuaJIT 2.0 build would use luajit-2.0, and a wrong LUAJIT_INC makes the nginx configure step fail to find lua.h.
export LUAJIT_LIB=/usr/local/lib
export LUAJIT_INC=/usr/local/include/luajit-2.1
# source /etc/profile.d/luajit.sh
# echo "/usr/local/lib" >> /etc/ld.so.conf
# ldconfig
  • Download ngx_devel_kit and lua-nginx-module
# git clone https://github.com/openresty/lua-nginx-module.git
# git clone https://github.com/simplresty/ngx_devel_kit.git
  • Download nginx, then compile and install it

The nginx downloaded here is the Mainline version; for production the Stable version is recommended. The download is over plain http; nginx.org also publishes a .asc PGP signature next to each tarball, and checking it before building is cheap.

# wget http://nginx.org/download/nginx-1.15.8.tar.gz
# tar xf nginx-1.15.8.tar.gz
# cd nginx-1.15.8

-

Before compiling, a few places in the nginx source were changed to hide or alter the product name and version string. Everyone knows why; it is not done for fun. Roughly three places were changed, and 0.0.1 and hahaha can be replaced with whatever you prefer. Keep in mind what this buys: server_tokens off alone would already hide the version but still say "nginx", and patching the strings removes that too, but behaviour-based fingerprinting still identifies nginx. Treat it as a nuisance for scanners, not as a security control.

1. src/core/nginx.h
    #define NGINX_VERSION      "0.0.1"
    #define NGINX_VER          "hahaha/" NGINX_VERSION

2. src/http/ngx_http_header_filter_module.c
    static u_char ngx_http_server_string[] = "Server: hahaha" CRLF;

3. src/http/ngx_http_special_response.c
    static u_char ngx_http_error_tail[] =
    "<hr><center>hahaha</center>" CRLF


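Editing the three files by hand has to be redone for every new nginx release. The script below is an added example (not from the original post) that applies the same three edits with sed and then checks that none of the files still carries the stock strings. It assumes an unpacked nginx source tree such as /usr/local/src/nginx-1.15.8 and a NAME made of letters and digits only (no sed-special characters such as / | & or a double quote).

```shell
#!/bin/sh
# Added example: apply the three banner edits from the post with sed and verify them.
# Assumes: unpacked nginx source tree in $1, NAME without sed-special characters.
set -e

# patch_nginx_banner SRC_DIR NAME VERSION
patch_nginx_banner() {
    src="$1"; name="$2"; ver="$3"

    # 1. src/core/nginx.h: version number and the "name/version" string.
    #    NGINX_VER_BUILD on the following line is derived from NGINX_VER and is left alone.
    sed -i \
        -e "s|^#define NGINX_VERSION[[:space:]].*|#define NGINX_VERSION      \"$ver\"|" \
        -e "s|^#define NGINX_VER[[:space:]].*|#define NGINX_VER          \"$name/\" NGINX_VERSION|" \
        "$src/src/core/nginx.h"

    # 2. src/http/ngx_http_header_filter_module.c: the Server header used when
    #    server_tokens is off (the full and build variants are built from NGINX_VER).
    sed -i \
        -e "s|^static u_char ngx_http_server_string\[] = .*|static u_char ngx_http_server_string[] = \"Server: $name\" CRLF;|" \
        "$src/src/http/ngx_http_header_filter_module.c"

    # 3. src/http/ngx_http_special_response.c: footer of the built-in error pages.
    sed -i \
        -e "s|\"<hr><center>nginx</center>\" CRLF|\"<hr><center>$name</center>\" CRLF|" \
        "$src/src/http/ngx_http_special_response.c"
}

# verify_nginx_banner SRC_DIR NAME
# Returns 0 when all three files carry NAME and none of them still says nginx.
verify_nginx_banner() {
    src="$1"; name="$2"
    grep -q "^#define NGINX_VER[[:space:]]*\"$name/\" NGINX_VERSION" "$src/src/core/nginx.h" &&
    grep -q "\"Server: $name\" CRLF" "$src/src/http/ngx_http_header_filter_module.c" &&
    grep -q "<center>$name</center>" "$src/src/http/ngx_http_special_response.c" &&
    ! grep -q '"nginx/"' "$src/src/core/nginx.h" &&
    ! grep -q '"Server: nginx"' "$src/src/http/ngx_http_header_filter_module.c" &&
    ! grep -q '<center>nginx<' "$src/src/http/ngx_http_special_response.c"
}

# Usage: sh patch_banner.sh /usr/local/src/nginx-1.15.8 [NAME] [VERSION]
if [ -n "$1" ]; then
    patch_nginx_banner "$1" "${2:-hahaha}" "${3:-0.0.1}"
    verify_nginx_banner "$1" "${2:-hahaha}" && echo "banner patched: ${2:-hahaha}/${3:-0.0.1}"
fi
```

Run it against the source tree before ./configure. After the build is installed and running, `curl -sI http://127.0.0.1/ | grep -i '^Server:'` should show the new name, and a request for a missing page should show it in the error footer.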
-

  • Compile nginx

Add the lua-nginx-module and ngx_devel_kit modules with --add-module.

Enable only the modules you actually need; every module left out is code that cannot have a bug in your build. The configure line below also carries compiler hardening flags (-D_FORTIFY_SOURCE=2, -fstack-protector-strong); adding -Wl,-z,relro -Wl,-z,now to --with-ld-opt would complete the usual set. --with-http_ssl_module, --with-pcre and gzip need the matching -devel headers, which the Development Tools group does not include, so install them first.

# yum install -y pcre-devel zlib-devel openssl-devel
# groupadd -r nginx
# useradd -s /sbin/nologin -g nginx -r nginx
# ./configure --prefix=/usr/local/nginx --user=nginx --group=nginx --with-pcre \
    --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib64/nginx/modules \
    --conf-path=/etc/nginx/nginx.conf \
    --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log \
    --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock \
    --http-client-body-temp-path=/var/cache/nginx/client --http-proxy-temp-path=/var/cache/nginx/proxy \
    --http-fastcgi-temp-path=/var/tmp/nginx/fastcgi --http-uwsgi-temp-path=/var/tmp/nginx/uwsgi \
    --with-threads --with-http_ssl_module --with-http_stub_status_module --with-http_gzip_static_module \
    --with-http_addition_module --with-http_auth_request_module --with-http_dav_module \
    --with-http_flv_module --with-http_gunzip_module --with-http_random_index_module \
    --with-http_realip_module --with-http_secure_link_module --with-http_slice_module \
    --with-stream --with-stream_realip_module --with-stream_ssl_module --with-stream_ssl_preread_module \
    --with-cc-opt='-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic -fPIC' \
    --with-ld-opt='-Wl,-rpath,/usr/local/lib' \
    --add-module=/usr/local/src/ngx_devel_kit --add-module=/usr/local/src/lua-nginx-module
# make -j 8
# make install

After make install, `nginx -V` should list both --add-module paths, and `ldd /usr/sbin/nginx` should resolve libluajit-5.1.so from /usr/local/lib; that is what the -rpath in --with-ld-opt is for.

Downloading ngx_lua_waf

  • Clone ngx_lua_waf into the directory that holds the nginx configuration, /etc/nginx
  • and rename ngx_lua_waf to waf
# cd /etc/nginx
# git clone https://github.com/loveshell/ngx_lua_waf.git
# mv ngx_lua_waf waf

Configuring nginx

The nginx configuration here follows the classic approach of using the nginx configuration itself (limit_req zones) to absorb attacks, in particular CC / HTTP-flood attacks.

The full configuration:

# cat /etc/nginx/nginx.conf
user  nginx;
worker_processes  1;

events {
    worker_connections  1024;
}

http {
    include       mime.types;
    default_type  application/octet-stream;

    # ngx_lua_waf: scripts and rules live in /etc/nginx/waf (cloned above)
    lua_package_path "/etc/nginx/waf/?.lua";
    lua_shared_dict limit 10m;
    init_by_lua_file  /etc/nginx/waf/init.lua;
    access_by_lua_file /etc/nginx/waf/waf.lua;

    # The two lines below are a syntax error (limit_req_zone takes a single key argument);
    # a multi-variable key is written as one string, e.g. $binary_remote_addr$uri (nginx >= 1.7.6).
    #limit_req_zone $binary_remote_addr $uri zone=auth_limit:3m rate=1r/m;
    #limit_req_zone $binary_remote_addr $uri zone=reqzone:20m rate=15r/m;
    limit_req_zone $binary_remote_addr zone=auth_limit:3m rate=1r/m;
    limit_req_zone $binary_remote_addr zone=one:10m rate=1r/s;
    limit_req_zone $server_name zone=perserver:10m rate=10r/s;
    limit_req_zone $binary_remote_addr zone=perip:10m rate=1r/s;
    # requests without a "token" cookie have an empty key and are not counted in this zone
    limit_req_zone $cookie_token zone=session_limit:3m rate=1r/s;

    add_header X-Frame-Options SAMEORIGIN;

    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    rewrite_log on;
    #access_log  logs/access.log  main;

    sendfile        on;
    #tcp_nopush     on;
    keepalive_timeout  65;
    gzip  on;

    index index.php index.html index.htm;

    server {
        listen 80;
        server_name www.s4lm0x.com;
        # plain HTTP only redirects to HTTPS (return is the idiomatic form of rewrite ... permanent)
        return 301 https://$server_name$request_uri;
    }

    server {
        listen 443 ssl default_server;
        server_name www.s4lm0x.com;
        # refuse requests that address the host by bare IP address
        if ($host ~ "\d+\.\d+\.\d+\.\d") {
            return 403;
        }

        # "ssl on;" is deprecated since 1.15.0; the ssl flag on listen replaces it
        ssl_certificate /etc/nginx/ssl/server.crt;
        ssl_certificate_key /etc/nginx/ssl/server.key;
        ssl_prefer_server_ciphers on;
        # ECDH:AES:HIGH still admits non-forward-secret RSA key exchange; tighten if PFS is required
        ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
        # TLS 1.0 and 1.1 dropped; TLSv1.3 only takes effect when built against OpenSSL 1.1.1 or newer
        ssl_protocols TLSv1.2 TLSv1.3;

        ssl_session_cache shared:SSL:1m;
        ssl_session_timeout 5m;

        add_header X-Frame-Options SAMEORIGIN;

        # one document root for the whole vhost (/usr/local/nginx is the --prefix), so
        # try_files and the PHP location resolve against the same tree
        root /usr/local/nginx/html;

        location ~ \.php$ {
            # hand PHP-FPM only scripts that exist on disk; this defeats the
            # /uploads/x.jpg/foo.php path-info trick when PHP has cgi.fix_pathinfo=1
            try_files $uri =404;
            include        fastcgi_params;
            fastcgi_pass   127.0.0.1:9000;
            fastcgi_index  index.php;
            fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;

            limit_req zone=one burst=5;
            limit_req zone=perip burst=5 nodelay;
            limit_req zone=perserver burst=10;
            # autoindex and a second index directive were dropped here: directory
            # listings inside a PHP location only leak file names
        }

        location / {
            try_files $uri $uri/ /index.php$is_args$args;

            limit_req zone=session_limit burst=5;
        }
    }
}

Configuring ngx_lua_waf
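This section is empty in the original post, but two settings in the WAF's config.lua have to change once it lives in /etc/nginx/waf instead of upstream's /usr/local/nginx/conf/waf: RulePath, which init.lua reads at startup (with a wrong path the rules are not loaded, so the WAF either errors at startup or silently matches nothing), and logdir, which must exist and be writable by the nginx worker user. The script below is an added example, not code from the ngx_lua_waf project. It assumes config.lua still carries upstream's default `RulePath = "/usr/local/nginx/conf/waf/wafconf/"` and `logdir = "/usr/local/nginx/logs/hack/"` lines (quoted from memory of the upstream file), and the log directory /var/log/nginx/hack is my choice; the other knobs upstream documents (UrlDeny, CookieMatch, postMatch, whiteModule, black_fileExt, ipWhitelist, CCDeny/CCrate) are left at their defaults.

```shell
#!/bin/sh
# Added example: point ngx_lua_waf at its new directory and prepare its log directory.
# Assumes upstream's default RulePath/logdir lines are present in config.lua and
# that nginx workers run as the "nginx" user created during the build.
set -e

# configure_waf WAF_DIR LOG_DIR [NGINX_USER]
configure_waf() {
    waf_dir="$1"; log_dir="$2"; nginx_user="${3:-nginx}"
    conf="$waf_dir/config.lua"

    # Rules are loaded from RulePath by init.lua when nginx starts; # is the sed
    # delimiter because both values contain slashes.
    sed -i \
        -e "s#^RulePath *=.*#RulePath = \"$waf_dir/wafconf/\"#" \
        -e "s#^logdir *=.*#logdir = \"$log_dir/\"#" \
        "$conf"

    # Attack logs are written per vhost per day into logdir; the WAF does not
    # create the directory itself and the worker user must be able to write it.
    mkdir -p "$log_dir"
    chown "$nginx_user" "$log_dir" 2>/dev/null || true   # needs root and an existing user
    chmod 750 "$log_dir"
}

# waf_setting CONFIG_LUA KEY -> prints the double-quoted value assigned to KEY
waf_setting() {
    sed -n "s/^$2 *= *\"\([^\"]*\)\".*/\1/p" "$1"
}

# Usage: sh configure_waf.sh /etc/nginx/waf /var/log/nginx/hack
if [ -n "$1" ]; then
    configure_waf "$1" "${2:-/var/log/nginx/hack}"
    echo "RulePath: $(waf_setting "$1/config.lua" RulePath)"
    echo "logdir:   $(waf_setting "$1/config.lua" logdir)"
fi
```

After running it, `nginx -t` must pass (an init_by_lua error here almost always means RulePath is wrong), then reload nginx and use the traversal request from the access test below to confirm the rules are active.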

Creating the nginx unit file

Starting nginx through this unit file may fail; adjust the parameters to your setup.

# vim /usr/lib/systemd/system/nginx.service
# cat /usr/lib/systemd/system/nginx.service

# Stop dance for nginx
# =======================
#
# ExecStop sends SIGQUIT (graceful stop) to the nginx master process.
# If after 5s (TimeoutStopSec=5) nginx is still running, systemd sends
# SIGTERM (fast shutdown) to the main process and then SIGKILL to all
# remaining processes in the control group (KillMode=mixed).
#
# nginx signals reference doc:
# http://nginx.org/en/docs/control.html
[Unit]
Description=A high performance web server and a reverse proxy server
Documentation=http://nginx.org/en/docs/
After=network.target remote-fs.target nss-lookup.target

[Service]
Type=forking
PIDFile=/var/run/nginx.pid
ExecStartPre=/usr/sbin/nginx -t -q -g 'daemon on; master_process on;'
ExecStart=/usr/sbin/nginx -g 'daemon on; master_process on;'
ExecReload=/usr/sbin/nginx -g 'daemon on; master_process on;' -s reload
# The Debian unit this was copied from used /sbin/start-stop-daemon here, which CentOS
# does not ship; send QUIT to the master process directly instead.
ExecStop=/bin/kill -s QUIT $MAINPID
TimeoutStopSec=5
KillMode=mixed

[Install]
WantedBy=multi-user.target

The unit file was copied from another VM and lightly edited.

Starting nginx

# systemctl daemon-reload
# systemctl enable nginx
# systemctl start nginx

Access test

At this point a request like the following curl command should simply be redirected:

# curl https://www.s4lm0x.com

Result:

(screenshot: cur 302)

To test the WAF, open https://www.s4lm0x.com/index.php?id=../etc/passwd in a browser. The page shown below comes back, which means the WAF is working: the ../ traversal pattern in the query string is in the WAF's default rules.

(screenshot: waf deny)
