I. OpenResty installation and testing
Official site: https://openresty.org/cn/
Lua learning resource: http://blog.jobbole.com/70480/
1. Install OpenResty:
# yum install -y readline-devel pcre-devel openssl-devel
# cd /usr/local/src
Download, compile and install OpenResty:
# wget https://openresty.org/download/ngx_openresty-1.9.3.2.tar.gz
# tar zxf ngx_openresty-1.9.3.2.tar.gz
# cd ngx_openresty-1.9.3.2
# ./configure --prefix=/usr/local/openresty-1.9.3.2 \
--with-luajit --with-http_stub_status_module \
--with-pcre --with-pcre-jit
# gmake && gmake install
# ln -s /usr/local/openresty-1.9.3.2/ /usr/local/openresty
2. Test the OpenResty installation:
vim /usr/local/openresty/nginx/conf/nginx.conf
server {
    location /hello {
        default_type text/html;
        content_by_lua_block {
            ngx.say("HelloWorld")
        }
    }
}
3. Start OpenResty and test:
/usr/local/openresty/nginx/sbin/nginx -t
/usr/local/openresty/nginx/sbin/nginx
http://172.16.1.211/hello   # opening this URL returns "HelloWorld"
II. WAF installation and testing
Reference: https://github.com/unixhot/waf
PS: This is the WAF security-check module written by 趙班長; it filters a number of common intrusion techniques and its performance is also very good.
1. Install and configure the WAF:
# git clone https://github.com/unixhot/waf.git
# cp -a ./waf/waf /usr/local/openresty/nginx/conf/
Edit the Nginx configuration file and add the following directives inside the http block. Check the paths carefully; by default the WAF log is written to /tmp/<date>_waf.log.
vim /usr/local/openresty/nginx/conf/nginx.conf
#WAF
lua_shared_dict limit 50m;
lua_package_path "/usr/local/openresty/nginx/conf/waf/?.lua";
init_by_lua_file "/usr/local/openresty/nginx/conf/waf/init.lua";
access_by_lua_file "/usr/local/openresty/nginx/conf/waf/access.lua";
[root@openstack-compute-node5 ~]# /usr/local/openresty/nginx/sbin/nginx -t
[root@openstack-compute-node5 ~]# /usr/local/openresty/nginx/sbin/nginx
2. WAF configuration file:
vim /usr/local/openresty/nginx/conf/waf/config.lua
-- enable/disable the WAF
config_waf_enable = "on"
-- log file directory
config_log_dir = "/tmp"
-- configuration (rule) file directory
config_rule_dir = "/usr/local/openresty/nginx/conf/waf/rule-config"
-- enable/disable URL whitelist
config_white_url_check = "on"
-- enable/disable IP whitelist
config_white_ip_check = "on"
-- enable/disable IP blacklist
config_black_ip_check = "on"
-- enable/disable URL checking
config_url_check = "on"
-- enable/disable URL argument checking
config_url_args_check = "on"
-- enable/disable user agent filtering
config_user_agent_check = "on"
-- enable/disable cookie deny filtering
config_cookie_check = "on"
-- enable/disable CC (HTTP flood) checking
config_cc_check = "on"
-- CC limit: the same URL may be requested at most 10 times within 60 seconds
config_cc_rate = "10/60"
-- enable/disable POST checking (the author has not finished this feature)
config_post_check = "on"
-- config waf output redirect/html
config_waf_output = "html"
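As an added illustration (not code from unixhot/waf), this is how a CC limit such as config_cc_rate = "10/60" can be enforced on top of the `lua_shared_dict limit 50m;` zone configured above; the per-client key layout, the 503 response and the use of ngx.var.remote_addr are assumptions made for the example.

```lua
-- Added example, not part of unixhot/waf: a fixed-window CC check backed by the
-- "limit" shared dict from `lua_shared_dict limit 50m;`. Key layout, the 503
-- response and the use of ngx.var.remote_addr are assumptions for illustration.
local config_cc_rate = "10/60"   -- same value as in config.lua

-- Parse "count/seconds" into two numbers; returns nil, err on a malformed value.
local function parse_cc_rate(rate)
    local count, seconds = string.match(rate, "^(%d+)/(%d+)$")
    if not count then
        return nil, "invalid config_cc_rate: " .. tostring(rate)
    end
    return tonumber(count), tonumber(seconds)
end

-- Returns true once a client has sent more than `count` requests for `uri`
-- inside a `seconds`-long window. dict:add only succeeds for a new key, so the
-- first hit creates the counter with an expiry; later hits increment atomically.
local function cc_exceeded(dict, client_ip, uri, count, seconds)
    local key = client_ip .. ":" .. uri
    local ok, err = dict:add(key, 1, seconds)
    if ok then
        return false                      -- first request in this window
    end
    if err ~= "exists" then
        ngx.log(ngx.ERR, "limit dict add failed: ", err)
        return false                      -- fail open on shared-dict errors
    end
    local hits = dict:incr(key, 1)
    if not hits then
        -- the key expired between add and incr: this request starts a new window
        dict:add(key, 1, seconds)
        return false
    end
    return hits > count
end

-- Intended to run in an access_by_lua* phase handler, like access.lua above.
local count, seconds = parse_cc_rate(config_cc_rate)
if not count then
    ngx.log(ngx.ERR, seconds)             -- `seconds` holds the error message here
elseif cc_exceeded(ngx.shared.limit, ngx.var.remote_addr, ngx.var.uri, count, seconds) then
    ngx.log(ngx.WARN, "CC limit exceeded: ", ngx.var.remote_addr, " ", ngx.var.uri)
    return ngx.exit(ngx.HTTP_SERVICE_UNAVAILABLE)
end
```

With the 10/60 setting, the first ten requests from one address to one URI within a minute pass and the eleventh onward receive 503 until the key expires; the WARN log line is what to alert on.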
3. Verification:
http://172.16.1.211/a.sql   # opening this URL shows the security-check page
ab -n100 -c1 http://172.16.1.211/   # simulate a CC (HTTP flood) attack to exercise the rate limit