OpenResty implements a web application firewall (WAF)

Introduction to OpenResty

OpenResty is a software platform started by Zhang Yichun, a Chinese developer, that bundles nginx with a large number of third-party modules; its core is nginx plus the Lua scripting language. The motivation is that nginx is written in C and is complicated to modify, whereas Lua is much simpler. Many large Chinese companies such as 360, Jingdong and gitee use it as a web application firewall.

Install OpenResty

The deployment system is CentOS 7.9

1. Install dependent libraries

------------------------------------------------------------------------------------------
pcre-devel: extended regular-expression engine, so that Nginx can handle more complex regular expressions
openssl-devel: required by --with-http_ssl_module; the OpenSSL library is what lets HTTP support the HTTPS protocol
zlib-devel: zlib is a compression library for network traffic and is required by ngx_http_gzip_module (the gzip compression module)
readline-devel: readline is a dependency required to install OpenResty
-------------------------------------------------------------------------------------------
yum install gcc-c++ libtool gmake make -y
yum install pcre pcre-devel openssl openssl-devel zlib zlib-devel readline readline-devel -y

2. Create nginx user group

The nginx master process runs as root, while the worker processes are configured to run as the nginx user:

groupadd nginx
useradd -d /home/nginx -g nginx -s /sbin/nologin nginx

3. Compile and install openresty

Download: wget https://openresty.org/download/openresty-1.19.9.1.tar.gz

After extracting the tar.gz package, enter the openresty-1.19.9.1 directory and start compiling:

./configure --prefix=/usr/local/openresty --sbin-path=/usr/local/openresty/nginx/sbin/nginx --conf-path=/usr/local/openresty/nginx/conf/nginx.conf --pid-path=/usr/local/openresty/nginx/run/nginx.pid --user=nginx --group=nginx --with-pcre --with-stream --with-threads --with-http_v2_module --with-http_ssl_module --with-http_stub_status_module --with-http_gzip_static_module --with-luajit 

gmake && gmake install 

4. Edit the nginx.conf file and configure the location as follows:

location / {
    default_type text/html;
    content_by_lua_block {
        ngx.say("<p>hello, world</p>")
    }
}

5. Start nginx. If the browser shows "hello, world", OpenResty has been installed successfully.

Deploy WAF

A custom WAF is implemented mainly with nginx + Lua, and there are two ways to deploy it:

Option one: use native Nginx and add the Lua module yourself.

Option two: use OpenResty directly.

The second option is used here. The WAF logic itself has already been implemented in Lua by a project on GitHub (https://github.com/unixhot/waf).

Feature list:
* Supports IP whitelists and blacklists; requests from blacklisted IPs are rejected outright.
* Supports a URL whitelist, for defining URLs that do not need to be filtered.
* Supports User-Agent filtering: requests matching an entry in the custom rules are handled (403 is returned).
* Supports CC attack protection: if the number of requests to a single URL within the specified time exceeds the configured value, 403 is returned directly.
* Supports Cookie filtering: requests matching an entry in the custom rules are handled (403 is returned).
* Supports URL filtering: if the URL requested by the user contains an entry from the custom rules, 403 is returned.
* Supports URL parameter filtering, on the same principle as above.
* Supports logging: every rejected request is written to the log.
* Logs are written in JSON format for easy analysis, for example using ELK to collect, store, search and display attack logs.

1. Download the waf module

git clone https://github.com/unixhot/waf.git

cp -a ./waf/waf /usr/local/openresty/nginx/conf/

2. Description of files in the waf directory

ls -al /usr/local/openresty/nginx/conf/waf/

access.lua  init.lua  lib.lua    # Lua code implementing the WAF functionality
config.lua                       # configuration file
rule-config                      # defense rule files

Description of files in the rule-config directory

ls -al  /usr/local/openresty/nginx/conf/waf/rule-config/

args.rule          # policy file for abnormal GET request parameters
blackip.rule       # IP blacklist policy file
cookie.rule        # Cookie policy file
post.rule          # policy file for abnormal POST request parameters
url.rule           # policy file for abnormal URLs
useragent.rule     # policy file for abnormal User-Agents
whiteip.rule       # IP whitelist policy file
whiteurl.rule      # URL whitelist policy file

3. Load the WAF module into OpenResty

3.1. Edit the nginx.conf file and add the following inside the http {} block:

http {
    ...

    lua_shared_dict limit 50m;
    lua_package_path "/usr/local/openresty/nginx/conf/waf/?.lua";
    init_by_lua_file "/usr/local/openresty/nginx/conf/waf/init.lua";
    access_by_lua_file "/usr/local/openresty/nginx/conf/waf/access.lua";

    ...
}
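The lua_shared_dict limit 50m zone above is the shared memory in which the WAF keeps its request counters for CC protection (the feature list says a URL whose hit count within a set time window exceeds the configured value gets a 403). The following is an added example, not the WAF project's own Lua code: it models that fixed-window counter in Python so the semantics can be checked offline. The limit of 5 requests per 10 seconds, the client addresses and the per-client-and-URL key layout are all constructed for this example; the real values live in the WAF's config.lua, which the page does not show.

```python
import time


class FixedWindowLimiter:
    """Fixed-window request counter modelling what a lua_shared_dict zone
    offers an access-phase handler: one counter per (client, URI) key,
    created with an expiry the first time the key is seen and incremented
    until that expiry passes. Python model for illustration only; it is
    not the WAF's own Lua implementation."""

    def __init__(self, max_requests, window_seconds, clock=time.monotonic):
        self.max_requests = max_requests   # constructed: 5 in the demo below
        self.window = window_seconds       # constructed: 10 s in the demo below
        self.clock = clock                 # injectable so tests can fake time
        self._counters = {}                # key -> [count, expires_at]

    def check(self, client_ip, uri):
        """Count one request and return (allowed, count_in_window).
        The WAF answers 403 whenever allowed is False."""
        key = f"{client_ip}:{uri}"         # constructed key layout
        now = self.clock()
        entry = self._counters.get(key)
        if entry is None or entry[1] <= now:
            # first hit for this key, or the previous window has expired:
            # start a fresh window with a new expiry
            entry = [0, now + self.window]
            self._counters[key] = entry
        entry[0] += 1
        return entry[0] <= self.max_requests, entry[0]


def run_burst(limiter, client_ip, uri, n):
    """Send n requests back to back and return the HTTP status each gets."""
    return [200 if limiter.check(client_ip, uri)[0] else 403 for _ in range(n)]


if __name__ == "__main__":
    fake_now = [0.0]
    limiter = FixedWindowLimiter(5, 10, clock=lambda: fake_now[0])
    print(run_burst(limiter, "203.0.113.7", "/login", 7))   # 5x 200, then 2x 403
    print(run_burst(limiter, "203.0.113.8", "/login", 1))   # other client: 200
    fake_now[0] = 10.5                                      # window has expired
    print(run_burst(limiter, "203.0.113.7", "/login", 1))   # 200 again
```

A fixed window has a property worth keeping in mind when choosing the limit: a client can send max_requests at the very end of one window and max_requests more at the start of the next, so up to twice the configured number can land within any single span of window length. Set the limit with that in mind rather than at the exact rate you want to allow.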

3.2. Create a symbolic link to the resty library directory

[root@localhost /]# ln -s /usr/local/openresty/lualib/resty/ /usr/local/openresty/nginx/conf/waf/resty

4. Test the WAF's protection


The result shows that the WAF is already in effect: the request matched an entry in the URL rule file.

[root@localhost rule-config]# cat url.rule 
\.(htaccess|bash_history)
\.(bak|inc|old|mdb|sql|backup|java|class|tgz|gz|tar|zip)$
(phpmyadmin|jmx-console|admin-console|jmxinvokerservlet)
java\.lang
\.svn\/
/(attachments|upimg|images|css|uploadfiles|html|uploads|templets|static|template|data|inc|forumdata|upload|includes|cache|avatar)/(\\w+).(php|jsp)
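To see exactly which line of url.rule a given request hits, and what a JSON rejection record for it could look like, here is an added example that is not part of the WAF project's code. It embeds the six rule lines shown above, compiles each as a regex and checks sample request URIs against them in order. Case-insensitive matching, matching against the path plus query string, the client address 203.0.113.7, the timestamp and the JSON field names are all assumptions made for this example; the WAF's own matching flags and log schema are not shown on the page.

```python
import json
import re

# The six lines of url.rule as shown on the page, embedded so the example
# runs offline (normally the WAF reads them from rule-config/url.rule).
URL_RULES = r"""
\.(htaccess|bash_history)
\.(bak|inc|old|mdb|sql|backup|java|class|tgz|gz|tar|zip)$
(phpmyadmin|jmx-console|admin-console|jmxinvokerservlet)
java\.lang
\.svn\/
/(attachments|upimg|images|css|uploadfiles|html|uploads|templets|static|template|data|inc|forumdata|upload|includes|cache|avatar)/(\\w+).(php|jsp)
""".strip().splitlines()


def load_rules(lines):
    """Compile one regex per non-empty, non-comment line. Case-insensitive
    matching is an assumption here; the WAF's regex flags are not on the page."""
    rules = []
    for line in lines:
        line = line.strip()
        if line and not line.startswith("#"):
            rules.append(re.compile(line, re.IGNORECASE))
    return rules


def match_url(rules, request_uri):
    """Return (index, pattern) of the first rule that matches, else None.
    request_uri is assumed to be path plus query string."""
    for idx, rule in enumerate(rules):
        if rule.search(request_uri):
            return idx, rule.pattern
    return None


def rejection_record(client_ip, request_uri, hit, now, rule_file="url.rule"):
    """One JSON log line for a denied request, in the spirit of the WAF's
    JSON logging. Field names are constructed for this example."""
    idx, pattern = hit
    return json.dumps({
        "time": now,
        "client_ip": client_ip,
        "request_uri": request_uri,
        "rule_file": rule_file,
        "rule_index": idx,
        "matched_rule": pattern,
        "action": "deny",
        "status": 403,
    }, ensure_ascii=False)


if __name__ == "__main__":
    rules = load_rules(URL_RULES)
    # constructed sample requests: five that hit a rule, two that do not
    for uri in ["/.htaccess", "/backup/db.sql", "/phpMyAdmin/index.php",
                "/search?q=java.lang.Runtime", "/.svn/entries",
                "/index.html", "/uploads/avatar.php"]:
        hit = match_url(rules, uri)
        if hit:
            print(rejection_record("203.0.113.7", uri, hit, "2024-01-01T00:00:00Z"))
        else:
            print(f"{uri}: no url.rule match, request passes this check")
```

Running a rule file through a check like this before relying on it is worthwhile: the last pattern's (\\w+) is read by both PCRE and Python's re as a literal backslash followed by one or more w characters, so a path such as /uploads/avatar.php does not hit that line as written. Compare the output with the set of paths you intend each rule to cover, and adjust the rule if they disagree.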


Source: blog.csdn.net/guo15890025019/article/details/129504241