
Ubuntu: install nginx with Lua and configure a WAF

 5 years ago
source link: https://www.linuxprobe.com/nginx-lua-waf.html
Download ngx_devel_kit
## Fetch ngx_devel_kit into /opt. In this transcript a leading "# " is the root shell prompt; lines starting with "##" are annotations.
## NOTE(review): this takes whatever master points to at clone time. For a repeatable build, check out a tag or commit you have reviewed.
# cd /opt
# git clone https://github.com/simplresty/ngx_devel_kit.git && cd ngx_devel_kit && git checkout master
Download lua-nginx-module
## Fetch lua-nginx-module into /opt; it is compiled into nginx later via --add-module.
## NOTE(review): master is unpinned here as well. This code ends up inside the nginx binary, so build from a reviewed tag or commit.
# cd /opt
# git clone https://github.com/openresty/lua-nginx-module.git && cd lua-nginx-module && git checkout master
Download and install the Lua environment (LuaJIT)
## Fetch LuaJIT 2.0, then build and install it. The exports in the next step expect it under /usr/local.
## NOTE(review): the clone uses plain http://, so the source that is compiled and installed here as root is not
## authenticated in transit. Prefer an https:// remote and check the commit you build before running make install.
## The "git pull" right after a fresh clone fetches nothing new.
# cd /opt
# git clone http://luajit.org/git/luajit-2.0.git && cd luajit-2.0 && git pull
# make && make install
Set the Lua environment variables
## Export the LuaJIT library and header locations for the build.
## LUAJIT_LIB is also expanded in the --with-ld-opt argument of the configure command that follows.
## Presumably lua-nginx-module's configure step reads both variables; confirm against the module's documentation.
## The exports only last for this shell session, so run ./configure from the same shell.
# cd /opt/nginx-1.12.2
# export LUAJIT_LIB=/usr/local/lib
# export LUAJIT_INC=/usr/local/include/luajit-2.0
Compile nginx (see my earlier write-up of the nginx build-and-install process)
## Configure and build nginx with ngx_devel_kit and lua-nginx-module added, then swap the binary in place.
## NOTE(review): points to check before using this build outside a lab:
##   - nginx-1.12.2, pcre-8.38 and openssl-1.0.2n are old releases, and the OpenSSL 1.0.2 branch no longer receives
##     public security fixes. Build against currently supported versions.
##   - --with-debug compiles in debug logging, and many optional modules are enabled (dav, mail, stream, image_filter,
##     xslt, ...). Each one adds code that parses untrusted input, so enable only what the site actually uses.
##   - $LUAJIT_LIB is expanded unquoted into the rpath. If the variable is unset in this shell the rpath is empty,
##     so confirm the export from the previous step is still in effect.
# cd /opt/nginx-1.12.2/
# ./configure  --prefix=/usr/share/nginx --conf-path=/etc/nginx/nginx.conf --http-log-path=/var/log/nginx/access.log --error-log-path=/var/log/nginx/error.log --lock-path=/var/lock/nginx.lock --pid-path=/run/nginx.pid --http-client-body-temp-path=/var/lib/nginx/body --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-proxy-temp-path=/var/lib/nginx/proxy --http-scgi-temp-path=/var/lib/nginx/scgi --http-uwsgi-temp-path=/var/lib/nginx/uwsgi --with-debug --with-pcre-jit --with-http_ssl_module --with-http_stub_status_module --with-http_realip_module --with-http_auth_request_module --with-http_addition_module --with-http_dav_module --with-http_geoip_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_image_filter_module --with-http_v2_module --with-http_sub_module --with-http_xslt_module --with-stream --with-stream_ssl_module --with-mail --with-mail_ssl_module --with-threads --with-pcre=/opt/pcre-8.38 --with-zlib=/opt/zlib-1.2.11 --with-openssl=/opt/openssl-1.0.2n --add-module=/opt/ngx_devel_kit --add-module=/opt/lua-nginx-module --with-ld-opt=-Wl,-rpath,$LUAJIT_LIB
# make
## Keep the previous binary as nginx.old so the change can be rolled back, then install the new one.
# mv /usr/sbin/nginx /usr/sbin/nginx.old
# cp objs/nginx /usr/sbin/nginx
# vim Makefile
    ## /usr/share/nginx/sbin/nginx -t
    ## Comment out or change the line above so that it uses the correct binary path
    /usr/sbin/nginx -t
## The Makefile line edited above is the configuration test (nginx -t); it has to point at the binary just installed.
# make upgrade
Download and configure ngx_lua_waf (it runs on the LuaJIT installed above)
## Fetch the ngx_lua_waf scripts and rules into /etc/nginx/ngx_lua_waf.
## NOTE(review): nginx loads this Lua code through init_by_lua_file/access_by_lua_file, so it runs in the request path.
## Pin the checkout to a reviewed commit instead of master, and keep the directory owned by root and not writable
## by the nginx user, so the server cannot modify the code it executes.
# cd /etc/nginx/
# git clone https://github.com/loveshell/ngx_lua_waf.git && cd ngx_lua_waf && git checkout master
# vim /etc/nginx/nginx.conf
http {
        ...
        ## Add the following inside the http block of nginx.conf
        ## lua_package_path: where Lua looks for modules (the ngx_lua_waf checkout)
        ## lua_shared_dict limit 10m: shared memory zone named "limit"; config.lua's CCDeny comment says it is required
        ## init_by_lua_file / access_by_lua_file: load init.lua and waf.lua from the checkout; set at http level they
        ## are inherited by the server and location blocks below unless overridden
        ## NOTE(review): run "nginx -t" after editing. A missing or unreadable Lua file here affects every virtual host.
        lua_package_path "/etc/nginx/ngx_lua_waf/?.lua";
        lua_shared_dict limit 10m;
        init_by_lua_file /etc/nginx/ngx_lua_waf/init.lua;
        access_by_lua_file /etc/nginx/ngx_lua_waf/waf.lua;
        ##
        ...
}
# vim /etc/nginx/ngx_lua_waf/config.lua
    RulePath = "/etc/nginx/ngx_lua_waf/wafconf/"
     ##--Directory where the rule files are stored
    attacklog = "on"
     ##--Whether to record attack information; requires logdir to be configured
    logdir = "/home/wwwlogs/"
     ##--Log directory; the nginx user needs write permission on it.
     ##--Log file names have the form: <virtual host name>_sec.log
     ##--NOTE(review): the log presumably contains data from blocked requests; keep this directory outside any served document root and readable only by administrators.
    UrlDeny="on"
     ##--Whether to block URL access
    Redirect="on"
     ##--Whether to redirect after blocking
    CookieMatch = "on"
     ##--Whether to block cookie attacks
    postMatch = "on"
     ##--Whether to block POST attacks
    whiteModule = "on"
     ##--Whether to enable the URL whitelist
    black_fileExt={"php","jsp"}
     ##--File extensions that are not allowed to be uploaded
     ##--NOTE(review): this is a denylist of two extensions; it does not replace allow-list validation of uploads in the application itself.
    ipWhitelist={"127.0.0.1"}
     ##--IP whitelist; separate multiple IPs with commas
     ##--NOTE(review): if nginx receives its traffic through a proxy on the same host, confirm which address the WAF treats as the client; otherwise every request may match this entry and skip the checks.
    ipBlocklist={"1.0.0.1"}
     ##--IP blacklist; separate multiple IPs with commas
    CCDeny="on"
     ##--Whether to block CC (request-flood) attacks (requires "lua_shared_dict limit 10m;" in the http block of nginx.conf)
    CCrate = "100/60"
     ##--CC attack rate threshold; the unit is seconds.
     ##--Default: within 1 minute, one IP may request the same address at most 100 times
    html=[[Please go away~~]]
     ##--Warning content shown to blocked clients; customize it inside the brackets
     ##Note: do not disturb the double quotes; setting names are case-sensitive
