生產環境基礎環境
# Build prerequisites for LuaJIT, tengine (with PCRE/OpenSSL) and the perl module.
yum install -y \
  gcc \
  zlib zlib-devel \
  openssl openssl-devel \
  pcre pcre-devel \
  perl-ExtUtils-Embed
下載安裝LuaJit
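# Build LuaJIT from source. The original steps downloaded 2.0.4 but then unpacked
# and entered 2.0.1, and ran wget before cd; one version variable keeps every step in sync.
luajit_version=2.0.4
cd /usr/local/src || exit 1
# Plain-HTTP download: compare the tarball with the checksum published upstream
# (<EXPECTED_SHA256>) before building it.
wget "http://luajit.org/download/LuaJIT-${luajit_version}.tar.gz"
tar zxvf "LuaJIT-${luajit_version}.tar.gz"
cd "LuaJIT-${luajit_version}" || exit 1
make
# Installs under /usr/local; the tengine configure step later points at
# /usr/local/lib and /usr/local/include/luajit-2.0.
make install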
安裝tengine
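# Build tengine with the Lua module and the ngx_req_status add-on. Fixes to the
# original steps: the stray "tar zxvf tengine" line, "cd tengine" (the directory is
# tengine-2.2.2), and "make&make install" (a single & backgrounds make, so the
# install raced the build).
tengine_version=2.2.2
wget "http://tengine.taobao.org/download/tengine-${tengine_version}.tar.gz"
tar zxvf "tengine-${tengine_version}.tar.gz"
# master.zip is an unpinned snapshot of the module; record the commit you built
# from (or fetch a tagged release) so the build can be reproduced and reviewed.
wget https://github.com/zls0424/ngx_req_status/archive/master.zip -O ngx_req_status.zip
unzip ngx_req_status.zip
cd "tengine-${tengine_version}" || exit 1
# Locations written by the LuaJIT "make install" above; the configure flags repeat them.
export LUAJIT_LIB=/usr/local/lib
export LUAJIT_INC=/usr/local/include/luajit-2.0
# Abort if the patch does not apply cleanly instead of configuring a half-patched tree.
patch -p1 < ../ngx_req_status-master/write_filter.patch || exit 1
./configure --prefix=/usr/local/ \
  --with-http_gzip_static_module \
  --with-http_gunzip_module \
  --with-pcre \
  --with-http_lua_module \
  --with-luajit-inc=/usr/local/include/luajit-2.0 \
  --with-luajit-lib=/usr/local/lib \
  --add-module=../ngx_req_status-master \
  --with-http_perl_module
make && make install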
常見錯誤
# /usr/local/nginx-1.4.2/sbin/nginx -v
./objs/nginx: error while loading shared libraries: libluajit-5.1.so.2: cannot open shared object file: No such file or directory
解決方法:
# ln -s /usr/local/lib/libluajit-5.1.so.2 /lib64/libluajit-5.1.so.2
安裝nginx_lua_waf淘寶第三方防火牆模塊
下載ngx_lua_waf並解壓
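# Fetch ngx_lua_waf and install it under the tengine prefix (/usr/local/conf).
# --no-check-certificate is dropped: turning off TLS verification while downloading
# code that will run inside the web server lets anyone on the path replace the WAF.
# master.zip is an unpinned snapshot; note the commit you deployed for later review.
wget https://github.com/loveshell/ngx_lua_waf/archive/master.zip -O ngx_lua_waf.zip
unzip ngx_lua_waf.zip
mv ngx_lua_waf-master /usr/local/conf/waf
# Adjust RulePath and logdir in config.lua as described below.
vi /usr/local/conf/waf/config.lua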
修改RulePath = "/usr/local/nginx/conf/waf/wafconf/"爲:
RulePath = "/usr/local/conf/waf/wafconf/"
修改logdir = "/usr/local/nginx/logs/hack/"爲:
logdir = "/data/logs/hack/"
其他的根據你自己的需要進行修改.
config.lua配置文件說明:
-- Directory holding the WAF rule files
RulePath = "/usr/local/nginx/conf/waf/wafconf/"
-- Whether to log blocked requests (requires logdir to be set)
attacklog = "off"
-- Log directory; create it yourself and make it writable by the nginx user
logdir = "/usr/local/nginx/logs/hack/"
-- Whether to block requests whose URL matches a rule
UrlDeny = "on"
-- Whether to redirect after blocking
Redirect = "on"
-- Whether to filter Cookie values
CookieMatch = "on"
-- Whether to filter POST bodies
postMatch = "on"
-- Whether to enable the URL whitelist
whiteModule = "on"
-- IP whitelist; separate multiple IPs with commas
ipWhitelist = {"127.0.0.1"}
-- IP blocklist; separate multiple IPs with commas
ipBlocklist = {"1.0.0.1"}
-- Whether to enable CC (request-flood) blocking; needs
-- "lua_shared_dict limit 10m;" in the http block of nginx.conf
CCDeny = "on"
-- CC rate limit as requests/seconds; the default lets one IP request
-- the same address 100 times per minute
CCrate = "100/60"
-- Text of the warning page; customise the text inside the brackets
html = [[Please go away~~]]
備註:不要亂動雙引號,區分大小寫
vi /etc/nginx/nginx.conf
在nginx.conf裏的http配置裏添加:
# Read the request body before the access phase so waf.lua can inspect POST data (postMatch).
lua_need_request_body on;
# Where the WAF's Lua files are found.
# NOTE(review): a lua_package_path without a trailing ";;" replaces ngx_lua's default
# search path instead of extending it; if anything here requires stock Lua modules,
# use "/usr/local/conf/waf/?.lua;;" — confirm against your setup.
lua_package_path "/usr/local/conf/waf/?.lua";
# Shared memory zone for the CC (request-flood) counter; required when CCDeny is "on".
lua_shared_dict limit 10m;
# Runs once when the Lua VM is initialised; presumably loads the rules under RulePath.
init_by_lua_file /usr/local/conf/waf/init.lua;
# Runs in the access phase of every request; this is where the WAF checks happen.
access_by_lua_file /usr/local/conf/waf/waf.lua;
重啓nginx本地測試
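# Local smoke test against the WAF. The URL is quoted: unquoted, "?" and "." could
# be globbed by the shell and the query string would not reach curl intact.
# With 127.0.0.1 still in ipWhitelist this request is whitelisted and simply returns "test".
curl 'http://localhost/test.php?id=../etc/passwd'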
test
--是否開啓URL白名單
若本地測試沒有被攔截，是因為 ipWhitelist={"127.0.0.1"} 把本機列入了白名單；取消本地白名單後再測試即可
開啓防火牆
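# Allow inbound HTTP. The original lines used en-dashes ("–state", "–dport"), which
# iptables rejects; options take two ASCII hyphens.
iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
# This opens MySQL (3306) to every source address. Unless remote database access is
# required, leave it closed, or limit the rule to trusted networks with -s <TRUSTED_CIDR>.
iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 3306 -j ACCEPT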