Linux下给nginx安装waf模块

最近上新项目，搭建nginx的时候为保证安全，决定安装下waf模块，以下是具体步骤，首先下载需要的安装包，进行每个安装：

				?

									wget http://luajit.org/download/LuaJIT-2.0.3.tar.gz

									tar -zxvf LuaJIT-2.0.3.tar.gz

									cd LuaJIT-2.0.3

									make

									make install

然后下载nginx，

				?

									wget http://nginx.org/download/nginx-1.7.6.tar.gz

									tar -zxvf nginx-1.7.6.tar.gz

下载ngx_devel_kit，

				?

									wget https://github.com/simpl/ngx_devel_kit/archive/v0.2.19.tar.gz –no-check-certificate

									tar -zxvf v0.2.19.tar.gz

下载nginx_lua_module

				?

									wget https://github.com/openresty/lua-nginx-module/archive/v0.9.13rc1.tar.gz –no-check-certificate

									tar -zxvf v0.9.13rc1.tar.gz

									cd nginx-1.7.6

安装pcre,

				?

									tar -zxvf pcre-8.30.tar.gz

									cd pcre-8.30

									./configure

									make

									make install

安装openssl,

tar -zxvf openssl-1.0.0.tar.gz

安装ngx_cache_purge模块：

tar -zxvf ngx_cache_purge-1.3.tar.gz

安装zlib, yum install zlib zlib-devel

设置环境变量，进行编译，

				?

									export LUAJIT_LIB=/usr/local/lib

									export LUAJIT_INC=/usr/local/include/luajit-2.0

									./configure –prefix=/usr/local/nginx –with-http_stub_status_module –with-http_ssl_module –add-module=/root/ngx_devel_kit-0.2.19 –add-module=/root/lua-nginx-

									module-0.9.13rc1 –with-http_ssl_module –with-openssl=/root/openssl-1.0.0 –add-module=/root/ngx_cache_purge-1.3 –with-pcre=/root/pcre-8.30 –with-ld-opt=”-Wl,-rpat

									h,$LUAJIT_LIB”

									make -j2

									make install

建立目录存放攻击日志：

				?

									mkdir -p /data/logs/hack/

									chown -R nobody:nobody /data/logs/hack/

									chmod -R 755 /data/logs/hack/

下载waf,

				?

									wget https://github.com/loveshell/ngx_lua_waf/archive/master.zip –no-check-certificate

									unzip master.zip

									cd ngx_lua_waf-master/

									mkdir /usr/local/nginx/conf/waf

									mv * /usr/local/nginx/conf/waf/

									cd /usr/local/nginx/conf/

									vi nginx.conf

在http 段加入：

lua_package_path “/usr/local/nginx/conf/waf/?.lua”;
lua_shared_dict limit 10m;
init_by_lua_file /usr/local/nginx/conf/waf/init.lua;
access_by_lua_file /usr/local/nginx/conf/waf/waf.lua;

启动前运行： ln -s /usr/local/lib/libluajit-5.1.so.2 /lib64/libluajit-5.1.so.2 否则会找不到这个模块报错。

过滤规则在wafconf下，可根据需求自行调整，每条规则需换行,或者用|分割
global是全局过滤文件，里面的规则对post和get都过滤
get是只在get请求过滤的规则
post是只在post请求过滤的规则
whitelist是白名单，里面的url匹配到不做过滤
user-agent是对user-agent的过滤规则

Linux下给nginx安装waf模块

相关文章

热门资讯