Implementing a WAF with nginx + Lua + ngx_lua_waf

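Purpose:

Prevent SQL injection, local file inclusion, some overflows, fuzzing, XSS, ×××F and other web attacks
Prevent leakage of svn/backup and similar files
Prevent attacks from stress-testing tools such as ApacheBench
Block common scanning *** tools and scanners
Block abnormal network requests
Block PHP execution in image and attachment directories
Prevent webshell uploads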

1. Download and unpack LuaJIT 2.0.5
wget http://luajit.org/download/LuaJIT-2.0.5.tar.gz
tar -zxvf LuaJIT-2.0.5.tar.gz
cd LuaJIT-2.0.5
make install PREFIX=/data/luajit (choose your own directory)
2. Create a symbolic link (use the lib directory under the PREFIX from step 1)
ln -s /usr/local/luajit/lib/libluajit-5.1.so.2 /lib64/libluajit-5.1.so.2
3. Download and unpack ngx_devel_kit
wget https://github.com/simpl/ngx_devel_kit/archive/v0.3.0.tar.gz
tar -zxvf v0.3.0.tar.gz
4. Download and unpack lua-nginx-module
wget https://github.com/openresty/lua-nginx-module/archive/v0.10.14rc3.tar.gz
tar -zxvf v0.10.14rc3.tar.gz
5. Compile and install Nginx
① Install dependencies
yum install -y gcc gcc-c++ wget git geoip-devel gd-devel pcre-devel libcurl-devel libxml2 libxml2-devel libgd-devel openssl-devel
② Download the nginx package
wget http://nginx.org/download/nginx-1.15.2.tar.gz
③ Configure the build (check the directories and use your own)
./configure \
--prefix=/data/nginx \
--error-log-path=/var/log/php-fpm/error.log \
--http-log-path=/phpstudy/server/nginx/logs/access.log \
--with-http_ssl_module \
--with-http_v2_module \
--with-http_realip_module \
--with-http_addition_module \
--with-http_image_filter_module \
--with-http_geoip_module \
--with-http_sub_module \
--with-http_dav_module \
--with-http_flv_module \
--with-http_mp4_module \
--with-http_gunzip_module \
--with-http_gzip_static_module \
--with-http_random_index_module \
--with-http_secure_link_module \
--with-http_degradation_module \
--with-http_slice_module \
--with-http_stub_status_module \
--with-pcre \
--with-pcre-jit \
--with-stream \
--with-stream_ssl_module \
--with-debug \
--add-module=/data/ngx_devel_kit-0.3.0 \
--add-module=/data/lua-nginx-module-0.10.14rc3 \
--with-ld-opt="-Wl,-rpath,$LUAJIT_LIB";
($LUAJIT_LIB must already be set in the shell to the LuaJIT lib directory from step 1.)
(If you hit errors, search for the answer yourself; the error message explains the problem.)
④ Compile and install
make && make install
6. Unpack the WAF module, rename it to waf, and move it to the nginx configuration directory
mv /data/ngx_lua_waf-0.7.2/ waf
cp -rf /data/waf/ /data/nginx/conf/
7. Modify the rule path in the WAF configuration
8. vim /data/nginx/conf/waf/config.lua
RulePath = "/usr/local/nginx/conf/waf/wafconf/"
-- rule storage directory (must match where waf was copied in step 6)
attacklog = "off"
-- whether to enable attack logging; requires logdir to be configured
logdir = "/usr/local/nginx/logs/hack/"
-- log storage directory; you must create it yourself, and the nginx user needs write permission on it
UrlDeny = "on"
-- whether to block URL access
Redirect = "on"
-- whether to redirect after a request is intercepted
CookieMatch = "on"
-- whether to intercept cookie attacks
postMatch = "on"
-- whether to intercept POST attacks
whiteModule = "on"
-- whether to enable the URL whitelist
black_fileExt = {"php", "jsp"}
-- file extensions that may not be uploaded
ipWhitelist = {"127.0.0.1"}
-- IP whitelist; separate multiple IPs with commas
ipBlocklist = {"1.0.0.1"}
-- IP blacklist; separate multiple IPs with commas
CCDeny = "on"
-- whether to enable CC attack interception (requires adding lua_shared_dict limit 10m; to the http block of nginx.conf)
CCrate = "100/60"
-- CC attack frequency limit, in seconds
-- by default one IP may request the same address only 100 times per minute
html = [[Please Go Away~~]]
-- content of the warning page; the text inside the brackets can be customized
NOTE: Do not tamper with the double quotes; the settings are case sensitive

9. Modify the nginx configuration file so that it loads the WAF module (and the blog's nginx configuration file)
vim /data/nginx/conf/nginx.conf
Add the following inside the http block (the paths must point to the waf directory from step 6):
lua_package_path "/data/nginx/conf/waf/config.lua";
lua_shared_dict limit 10m;
init_by_lua_file /usr/local/nginx/conf/waf/init.lua;
access_by_lua_file /usr/local/nginx/conf/waf/waf.lua;
10. Start nginx and enable it at boot
systemctl start nginx.service
systemctl enable nginx.service
11. Create symbolic links for the nginx binaries
ln -s /usr/local/nginx/sbin/* /usr/local/sbin/
12. Test: http://your-IP/test.php?id=../etc/passwd

Success!!!
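
A preflight check for the settings from steps 8 and 9, as an added example that is not part of the original post or of ngx_lua_waf: it confirms that every switch is exactly "on" or "off" and that RulePath, logdir and the Lua files named in nginx.conf exist. The function names waf_preflight, lua_get and ngx_get are hypothetical, and it assumes config.lua uses the quoted KEY = "value" form with ngx_lua_waf's setting names.

```shell
# Preflight check for an ngx_lua_waf config.lua and the nginx.conf that loads it.
# Prints one line per problem; the return status is the number of problems.
# Usage: waf_preflight /path/to/waf/config.lua /path/to/nginx.conf

# Value of a quoted Lua setting: KEY = "value"
lua_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$1" | head -n 1
}

# First argument of an nginx directive: DIRECTIVE /path;
ngx_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]][[:space:]]*\([^;[:space:]]*\).*/\1/p" "$1" | head -n 1
}

waf_preflight() {
    conf=$1 ngx=$2 bad=0
    # Switches are case sensitive: "ON", a typo or a missing key is reported.
    for key in attacklog UrlDeny Redirect CookieMatch postMatch whiteModule CCDeny; do
        val=$(lua_get "$conf" "$key")
        case $val in
            on|off) ;;
            *) echo "$key: want \"on\" or \"off\", found \"$val\""; bad=$((bad + 1)) ;;
        esac
    done
    dir=$(lua_get "$conf" RulePath)
    [ -d "$dir" ] || { echo "RulePath: no such directory: $dir"; bad=$((bad + 1)); }
    if [ "$(lua_get "$conf" attacklog)" = on ]; then
        dir=$(lua_get "$conf" logdir)
        # -w tests the invoking user, so run this as the nginx worker user.
        [ -d "$dir" ] && [ -w "$dir" ] ||
            { echo "logdir: missing or not writable: $dir"; bad=$((bad + 1)); }
    fi
    for d in init_by_lua_file access_by_lua_file; do
        f=$(ngx_get "$ngx" "$d")
        [ -f "$f" ] || { echo "$d: no such file: $f"; bad=$((bad + 1)); }
    done
    # CC limiting keeps its counters in the shared dict named "limit".
    if [ "$(lua_get "$conf" CCDeny)" = on ] &&
       ! grep -Eq '^[[:space:]]*lua_shared_dict[[:space:]]+limit[[:space:]]' "$ngx"; then
        echo "CCDeny is on but nginx.conf has no lua_shared_dict limit"; bad=$((bad + 1))
    fi
    return "$bad"
}
```

Run it before step 10; a non-zero status means nginx would start with a WAF that is silently disabled or missing its rules.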


Origin blog.51cto.com/14259144/2428236