CentOS 7.7 Nginx achieve WAF application firewall module based on Lua

1, WAF Related Concepts:

(1) WAF Introduction:

WAF: Web Appalication Firewall , Web application firewall, is a work by a series of application layer for HTTP / HTTPS as security policies Web provides secure protection applications.

(2) the WAF can achieve the following functions:

a, prevent SQL injection, comprising local, overflowing, on Fuzzing test, XSS like the Web Attack ;

b, to prevent SVN / backup files such leakage;

c, preventing Apache Bench press metrology tool like Attack ;

d, shield common Hacker scan tool;

e, the shield abnormal network requests;

f, shielded image attachments class directory PHP execute permissions;

g, prevent Webshell uploading.

2, installation dependent packages:

# yum -y install gcc gcc-c++ make zlib zlib-devel openssl openssl-devel pcre pcre-devel perl-devel perl-ExtUtils-Embed gd-devel libxml2 libxml2-devel libxslt libxslt-devel GeoIP GeoIP-devel GeoIP-data git httpd-tools

3, installation LuaJIT 2.1 :

LuaJIT is to use C language prepared by Lua code interpreter, http://luajit.org/download.html stable version LuaJIT-2.0.5 , the version is too low, not recommended, use this demonstration is LuaJIT-2.1 beta3-.0 .

# git clone https://github.com/openresty/luajit2.git

# Cd luajit2

# make && make install PREFIX=/usr/local/luajit2

# Ln -sw /usr/lokl/luajit2/lib/libluajit-5klksok2 /lib64/libluajit-5klksok2

4, test Lua environment:

# vim /tmp/hello.lua --> print("Hello Lua")

# Contact /tmp/hello.lua

# Contact

5, downloading codecs ngx_devel_kit modules:

NDK : Nginx Development Kit , is an expansion of Nginx module server core functionality, https://github.com/vision5/ngx_devel_kit .

# Tar -xf ngx_devel_kit-0.3.1.tar.gz

6, the carrier extracting lua-nginx-module module:

Module1-Nginx-Lua : The Lua powerful features embedded Nginx server, https://github.com/openresty/lua-nginx-module .

# tar -xf lua-nginx-module-0.10.15.tar.gz

Compatible with the Nginx version (not compatible with the latest stable 1.16.1 version):

7, compile Nginx stable version 1.14.2 :

# useradd -s /sbin/nologin -M nginx

# tar -xf nginx-1.14.2.tar.gz -C /usr/src

# cd /usr/src/nginx-1.14.2/

export LUAJIT_LIB=/usr/local/luajit2/lib

export LUAJIT_INC=/usr/local/luajit2/include/luajit-2.1

# ./configure --prefix=/usr/local/nginx --user=nginx --group=nginx --with-threads --with-file-aio --with-http_ssl_module --with-http_v2_module --with-http_realip_module --with-http_addition_module --with-http_xslt_module --with-http_image_filter_module --with-http_geoip_module --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_auth_request_module --with-http_random_index_module --with-http_secure_link_module --with-http_degradation_module --with-http_slice_module --with-http_stub_status_module --with-http_perl_module --with-mail --with-mail_ssl_module --with-stream --with-stream_ssl_module --with-stream_realip_module --with-stream_geoip_module --with-stream_ssl_preread_module --with-compat --with-pcre --add-module=/software/ngx_devel_kit-0.3.1 --add-module=/software/lua-nginx-module-0.10.15 --with-ld-opt="-Wl,-rpath,/usr/local/luajit2/lib"

# make -j2 && make install

Remarks:

(. 1) --add-Module1 module in the directory have a config file

(2) There Makefile file needs to execute make and make install

8, configure Nginx environment variables, and start Nginx :

# vim /etc/profile.d/nginx.sh

export PATH=/usr/local/nginx/sbin:$PATH

# . /etc/profile.d/nginx.sh

# nginx -v

# nginx

# Ss -tunlp | grep -w: 80

9, test Nginx Lua modules:

# cd /usr/local/nginx/conf

# cp nginx.conf{,.bak}

# vim nginx.conf

In http new configuration code segment: lua_load_resty_core OFF;

在server配置段中新增如下location：

location /lua {

default_type 'text/plain';

content_by_lua 'ngx.say("Hello Lua")';

}

# nginx -t

# nginx -s reload

备注：在http配置段中新增lua_load_resty_core off;代码，启动Nginx时就不会提示上述错误信息。

10、创建保存日志的目录：

# mkdir -pv /usr/local/nginx/logs/hack

11、下载解压ngx_lua_waf模块：

ngx_lua_waf：基于lua-nginx-module的Web应用防火墙，https://github.com/loveshell/ngx_lua_waf。

# tar -xf ngx_lua_waf-0.7.2.tar.gz -C /usr/local/nginx/conf

# cd /usr/local/nginx/conf

# mv ngx_lua_waf-0.7.2 waf

# chown -R nginx.nginx /usr/local/nginx

备注：waf目录主要结构

（1）config.lua：配置文件；

（2）init.lua：规则函数；

（3）waf.lua：定义WAF检测顺序；

（4）wafconf：保存过滤规则的目录，每条规则需换行或用|分割；

（5）wafconf/args：按照GET参数过滤（默认已开启）；

（6）wafconf/cookie：按照Cookie过滤；

（7）wafconf/post：按照POST请求过滤（默认已开启）；

（8）wafconf/url：按照GET请求URL过滤；

（9）wafconf/user-agent：按照User Agent过滤；

（10）wafconf/whiteurl：按照白名单中的URL做匹配，匹配到则不做过滤。

12、确认config.lua配置文件中waf规则目录的路径是否正确：

# vim /usr/local/nginx/conf/waf/config.lua --> RulePath="/usr/local/nginx/conf/waf/wafconf/"

备注：config.lua配置文件

指令	含义
RulePath="/usr/local/nginx/conf/waf/wafconf/"	规则存放目录
attacklog="on"	开启日志
logdir="/usr/local/nginx/logs/hack/"	Log日志目录
UrlDeny="on"	拦截URL访问
Redirect="on"	拦截后重定向
CookieMatch="on"	拦截Cookie Attack
postMatch="on"	拦截Post Attack
whiteModule="on"	开启URL白名单
black_fileExt={"php","jsp"}	不允许上传的文件后缀类型
ipWhitelist={"127.0.0.1"}	IP白名单，多个IP之间使用逗号分隔
ipBlocklist={"1.0.0.1"}	IP黑名单，多个IP之间使用逗号分隔
CCDeny="on"	开启拦截CC Attack（需要在nginx.conf的http配置段中新增代码lua_shared_dict limit 10m;）
CCrate="100/60"	设置CC Attack频率，单位为秒默认1分钟同一个IP只能请求同一个地址100次

13、修改nginx.conf配置文件：

# vim /usr/local/nginx/conf/nginx.conf，在http配置段中新增如下代码：

lua_package_path "/usr/local/nginx/conf/waf/?.lua";

lua_shared_dict limit 10m;

init_by_lua_file "/usr/local/nginx/conf/waf/init.lua";

access_by_lua_file "/usr/local/nginx/conf/waf/waf.lua";

# nginx -t

# nginx -s reload

14、测试WAF应用防火墙：

（1）模拟URL参数检测：http://192.168.0.120/lua?id=../etc/passwd

（2）使用ab命令模拟CC Attack：# ab -n 20000 -c 100 http://192.168.0.120/lua

备注：ab命令选项

-n requests：需要执行的请求总数，默认为1

-c concurrency：同时并发执行的请求数，默认为1

（3）查看日志：# tail /usr/local/nginx/logs/hack/localhost_2020-02-17_sec.log

CentOS 7.7 Nginx achieve WAF application firewall module based on Lua

Guess you like