Background
Websites such as forums get hacked often. Adding hardware protection alone does not work very well; they still get compromised occasionally. A WAF is exactly what fills this gap.
What a WAF does:
Prevents SQL injection, local file inclusion, some overflows, fuzzing, XSS, SSRF and other web attacks
Prevents leakage of files such as svn and backup files
Blocks attacks from stress-testing tools like ApacheBench
Blocks common scanning and hacking tools and scanners
Blocks abnormal network requests
Blocks PHP execution in image and attachment directories
Prevents webshell upload
For nginx I chose Chunge's open-source OpenResty, which is a great project.
Introduction to OpenResty
OpenResty (also known as ngx_openresty) is a scalable web platform based on NGINX, started by Zhang Yichun from China, and bundles many high-quality third-party modules.
OpenResty is a powerful web application server. Web developers can use the Lua scripting language to drive the various C and Lua modules that Nginx supports. More importantly, in terms of performance, OpenResty lets you quickly build a high-performance web application system capable of handling more than 10K concurrent connections.
360, UPYUN, Alibaba Cloud, Sina, Tencent, Qunar, Kugou Music, etc. are all deep users of OpenResty.
OK, the steps:
1. Install LuaJIT:
yum install -y readline-devel pcre-devel openssl-devel
wget http://luajit.org/download/LuaJIT-2.0.5.tar.gz
tar -xzf LuaJIT-2.0.5.tar.gz && cd LuaJIT-2.0.5
make && make install
export LUAJIT_LIB=/usr/local/lib && export LUAJIT_INC=/usr/local/include/luajit-2.0
ln -s /usr/local/lib/libluajit-5.1.so.2 /lib64/libluajit-5.1.so.2
# Be sure to create this symbolic link, otherwise nginx fails to start with: error while loading shared libraries: libluajit-5.1.so.2: cannot open shared object file: No such file or directory
2. Install OpenResty:
wget https://openresty.org/download/openresty-1.11.2.2.tar.gz
tar -zxf openresty-1.11.2.2.tar.gz && cd openresty-1.11.2.2
./configure --prefix=/usr/local/openresty \
  --user=www \
  --group=www \
  --with-luajit \
  --with-http_v2_module \
  --with-http_stub_status_module \
  --with-http_ssl_module \
  --with-http_gzip_static_module \
  --with-ipv6 \
  --with-http_sub_module \
  --with-pcre \
  --with-pcre-jit \
  --with-file-aio \
  --with-http_dav_module
gmake && gmake install
3. Test OpenResty:
Edit /usr/local/openresty/nginx/conf/nginx.conf (vim) and add a location rule inside the server{...} block.
Test the configuration and start nginx:
/usr/local/openresty/nginx/sbin/nginx -t
/usr/local/openresty/nginx/sbin/nginx
Check that visiting that location returns hello world; the details are left for a later article.
4. Clone the open-source project:
cd /usr/local/openresty/nginx/conf/
git clone https://github.com/loveshell/ngx_lua_waf.git
5. Then add the following to nginx.conf, inside the http block, so nginx can find the Lua scripts:
lua_package_path "/usr/local/openresty/nginx/conf/ngx_lua_waf/?.lua"; # where the project is stored
lua_shared_dict limit 10m; # shared memory for the rate-limit (CC) counter table
init_by_lua_file /usr/local/openresty/nginx/conf/ngx_lua_waf/init.lua; # path to the project's init.lua
access_by_lua_file /usr/local/openresty/nginx/conf/ngx_lua_waf/waf.lua; # path to the project's waf.lua
6. Modify ngx_lua_waf's configuration:
vim config.lua
RulePath = "/opt/openresty/nginx/ngx_lua_waf/wafconf/" -- location of the rule files; must point at the wafconf/ directory of the project cloned in step 4
attacklog = "on" -- enable attack logging
logdir = "/opt/openresty/nginx/logs/hack/" -- where attack logs are written
UrlDeny="on" -- enable URL filtering
Redirect="on" -- enable redirection of blocked requests
CookieMatch="on" -- enable cookie filtering
postMatch="on" -- enable POST body filtering
whiteModule="on" -- enable the whitelist
black_fileExt={"php","jsp"} -- file extensions rejected on upload
ipWhitelist={"127.0.0.1"} -- IPs that bypass the WAF
ipBlocklist={"1.0.0.1"} -- IPs that are always blocked
CCDeny="on" -- enable CC (request flood) protection
CCrate="100/60" -- allow the same IP at most 100 requests within 60 seconds
7. Create the log directory:
mkdir /opt/openresty/nginx/logs/hack/
chown -R nobody:nobody /opt/openresty/nginx/logs/hack/
# the owner must be the user the nginx workers run as; with --user=www from the configure step above that is www:www, otherwise the worker cannot write the attack logs
8. Restart nginx and test it:
10. Stress test a CC attack:
Change the rate setting in config.lua to the following:
CCDeny="on"
CCrate="50/60"
Test results:
[root@www ngx_lua_waf]# ab -c 100 -n 100 http://192.168.63.242/index.heml
This is ApacheBench, Version 2.3
Copyright 1996 Adam Twiss, Zeus Technology Ltd, http://www.zeustech.net/
Licensed to The Apache Software Foundation, http://www.apache.org/
Benchmarking 192.168.63.242 (be patient).....done
Server Software: openresty/1.11.2.2
Server Hostname: 192.168.63.242
Server Port: 80
Document Path: /index.heml
Document Length: 2078 bytes
Concurrency Level: 100
Time taken for tests: 0.052 seconds
Complete requests: 100
Failed requests: 49 # so many fail because the CC limit is now in effect
At this point a WAF defense system has been built. I am very grateful to loveshell for providing such a great open-source WAF project, and to Chunge for OpenResty.
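How the CCDeny/CCrate settings from step 6 and the stress test above fit together, as an added illustration written for this post (not code from ngx_lua_waf itself): an access-phase Lua handler that parses the "50/60" rate string and counts requests per client IP and URI in the lua_shared_dict limit declared in step 5. It assumes that directive is present and that the file is loaded with access_by_lua_file.

```lua
-- Added example: a fixed-window CC limiter in the style of ngx_lua_waf's CCDeny.
-- Assumes nginx.conf contains `lua_shared_dict limit 10m;` (step 5) and that this
-- file is wired in with access_by_lua_file. Not the project's own code.
local CCDeny = "on"
local CCrate = "50/60"          -- "<requests>/<seconds>", same format as config.lua

-- Parse "50/60" into two numbers; returns nil if the string is malformed.
local function parse_rate(rate)
    local count, seconds = string.match(rate, "^(%d+)/(%d+)$")
    if not count then return nil end
    return tonumber(count), tonumber(seconds)
end

-- The peer address is used on purpose: an X-Forwarded-For header is client
-- controlled and would let a flooder dodge the per-IP counter unless it is
-- only read from a trusted proxy.
local function client_ip()
    return ngx.var.remote_addr or "unknown"
end

-- Returns true when the request exceeds max_count within the current window.
local function over_limit(limit, token, max_count, window)
    local hits = limit:get(token)
    if hits == nil then
        -- first request in this window: start a counter that expires with it
        limit:set(token, 1, window)
        return false
    end
    if hits >= max_count then
        return true
    end
    -- the key may have expired between get() and incr(); restart the window then
    local new_val = limit:incr(token, 1)
    if not new_val then
        limit:set(token, 1, window)
    end
    return false
end

if CCDeny == "on" then
    local max_count, window = parse_rate(CCrate)
    if max_count then
        local token = client_ip() .. ngx.var.uri
        if over_limit(ngx.shared.limit, token, max_count, window) then
            ngx.log(ngx.WARN, "CC limit reached for ", token)
            return ngx.exit(ngx.HTTP_SERVICE_UNAVAILABLE)  -- 503 shows up as failed in ab
        end
    else
        ngx.log(ngx.ERR, "bad CCrate value: ", CCrate)
    end
end
```

With "50/60" exactly 50 requests per IP and URI are served in a 60 second window and the rest get 503 until the counter expires, which is what the failed-request count in the ab run reflects.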