一、编译安装Nginx

1.安装依赖环境
$ yum -y install gcc-c++ flex bison yajl yajl-devel curl-devel curl GeoIP-devel doxygen zlib-devel libtool git autoconf automake libxml2-devel  zlib-devel libgo-devel openssl-devel
2.安装Nginx
$ wget  http://nginx.org/download/nginx-1.14.0.tar.gz

$ tar xvf nginx-1.14.0.tar.gz -C /usr/local/src/

$ cd /usr/local/src/nginx-1.14.0

$ ./configure \

--prefix=/usr/local/nginx \

--with-http_ssl_module \

--with-http_flv_module \

--with-http_stub_status_module \

--with-http_gzip_static_module \

--with-pcre \

--with-file-aio \

--with-http_secure_link_module \

--with-compat \

--with-http_addition_module \

--with-http_auth_request_module \

--with-http_dav_module \

--with-http_flv_module \

--with-http_gzip_static_module \

--with-http_mp4_module  \

--with-http_random_index_module \

--with-http_realip_module \

--with-http_secure_link_module


$ make && make install

  

3.编写Nginx启动脚本
$ vim /usr/lib/systemd/system/nginx.service

    [Unit]

    Description=nginx - high performance web server

    After=network-online.target remote-fs.target nss-lookup.target

    [Service]

    Type=forking

    PIDFile=/usr/local/nginx/logs/nginx.pid

    ExecStart=/usr/local/nginx/sbin/nginx -c /usr/local/nginx/conf/nginx.conf

    ExecReload=/bin/kill -s HUP $MAINPID

    ExecStop=/bin/kill -s TERM $MAINPID

    [Install]

    WantedBy=multi-user.target
4.修改环境PATH
$ vim /etc/profile.d/nginx.sh

    PATH=/usr/local/nginx/sbin:$PATH

$ source /etc/profile

二、下载并编译libmodsecurity

$ cd /usr/local/src

$ git clone --depth 1 -b v3/master --single-branch https://github.com/SpiderLabs/ModSecurity

$ cd ModSecurity/

$ git submodule init

$ git submodule update

$ ./build.sh

$ ./configure

# 此步骤时间较长

$ make && make install

  

在编译的时候出现如下情况是正常情况

三、配置ModSecurity和Nginx的连接

1.下载ModSecurity和Nginx的连接器
$ cd /usr/local/src/

$ git clone --depth 1 https://github.com/SpiderLabs/ModSecurity-nginx.git

$ nginx -V

$ cd /usr/local/src/nginx-1.14.0/

$ ./configure ...(-V获取的configure arguments) --add-dynamic-module=/usr/local/src/ModSecurity-nginx

$ make modules

# 如果之前的是二进制的nginx的话,直接cp objs/ngx_http_modsecurity_module.so  /etc/nginx/modules/

$ make install

# 会显示如下信息,如果之前没有modules目录,也会生成

cp objs/ngx_http_modsecurity_module.so '/usr/local/nginx/modules/ngx_http_modsecurity_module.so'
2.加载Nginx ModSecurity
$ vim /usr/local/nginx/conf/nginx.conf

在顶级区间内加上

load_module /usr/local/nginx/modules/ngx_http_modsecurity_module.so;

$ nginx -t
3.下载默认的配置文件
$ cd /usr/local/src

$ wget https://raw.githubusercontent.com/SpiderLabs/ModSecurity/v3/master/modsecurity.conf-recommended

$ mv modsecurity.conf-recommended /usr/local/nginx/conf/modsecurity.conf

$ vim /usr/local/nginx/conf/modsecurity.conf

    SecRuleEngine On

1.SecRuleEngine:是否接受来自ModSecurity-CRS目录下的所有规则的安全规则引擎。因此,我们可以根据需求设置不同的规则。要设置不同的规则有以下几种。SecRuleEngine On:将在服务器上激活ModSecurity防火墙,它会检测并阻止该服务器上的任何恶意攻击。SecRuleEngine Detection Only:如果设置这个规则它只会检测到所有的攻击,并根据攻击产生错误,但它不会在服务器上阻止任何东西。SecRuleEngine Off:这将在服务器上上停用ModSecurity的防火墙。

2.SecRequestBodyAccess:它会告诉ModSecurity是否会检查请求,它起着非常重要的作用。它只有两个参数ON或OFF。

3.SecResponseBodyAccess:如果此参数设置为ON,然后ModeSecurity可以分析服务器响应,并做适当处理。它也有只有两个参数ON和Off,我们可以根据求要进行设置。

4.SecDataDir:定义ModSecurity的工作目录,该目录将作为ModSecurity的临时目录使用。

4.配置核心规则
$ git clone https://github.com/SpiderLabs/owasp-modsecurity-crs.git

$ cp -R owasp-modsecurity-crs/rules /usr/local/nginx/conf/

$ cp owasp-modsecurity-crs/crs-setup.conf.example /usr/local/nginx/conf/crs-setup.conf

$ vim /usr/local/nginx/conf/modsecurity.conf

    include crs-setup.conf

    include rules/*.conf
5.修改nginx的配置文件
$ vim /usr/local/nginx/conf/nginx.conf

# 放在server下的话,就是全局,如果只要某一个的话,可以放在location中

    modsecurity on;

    modsecurity_rules_file /usr/local/nginx/conf/modsecurity.conf;


$ nginx -t

nginx: [emerg] "modsecurity_rules_file" directive Rules error. File: /usr/local/nginx/conf/modsecurity.conf. Line: 237. Column: 17. Failed to locate the unicode map file from: unicode.mapping Looking at: 'unicode.mapping', 'unicode.mapping', '/usr/local/nginx/conf/unicode.mapping', '/usr/local/nginx/conf/unicode.mapping'.  in /usr/local/nginx/conf/nginx.conf:73

方法一:

如果有如上错误的话,可以修改 /usr/local/nginx/conf/modsecurity.conf

搜索mapping,将SecUnicodeMapFile unicode.mapping 20127  注释掉

方法二:

将unicode.mapping复制到modsecurity.conf同一目录下。

$ cp /usr/local/src/ModSecurity/unicode.mapping /usr/local/nginx/conf/

$ nginx -t

$ systemctl restart nginx

  

四.测试

1.正常访问 192.168.1.93

2.带上正常的参数访问 192.168.1.93/?id=1

3.在正常的参数的基础上其他参数

加上AND 1=1 ,整个请求为: 192.168.1.93/?id=1 AND 1=1 (模拟简单的SQL注入)

此时Nginx就会返回403 Forbidden的信息,说明Modsecurity成功拦截了此请求。

访问192.168.1.93/?search=<scritp>alert('xss');</script> (模拟简单的XSS跨站攻击)

访问被拒绝,查看日志cat /var/log/modsec_audit.log

---CN4pqdMj---A--

[10/Jan/2019:14:02:56 +0800] 154710017669.078147 192.168.1.235 2139 192.168.1.235 80

---CN4pqdMj---B--

GET /?id=1%20AND%201=1 HTTP/1.1

Host: 192.168.1.93

Connection: keep-alive

Upgrade-Insecure-Requests: 1

User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8

Accept-Encoding: gzip, deflate

Accept-Language: zh,en-US;q=0.9,en;q=0.8,zh-CN;q=0.7


---CN4pqdMj---D--


---CN4pqdMj---E--

<html>\x0d\x0a<head><title>403 Forbidden</title></head>\x0d\x0a<body bgcolor="white">\x0d\x0a<center><h1>403 Forbidden</h1></center>\x0d\x0a<hr><center>nginx</center>\x0d\x0a</body>\x0d\x0a</html>\x0d\x0a<!-- a padding to disable MSIE and Chrome friendly error page -->\x0d\x0a<!-- a padding to disable MSIE and Chrome friendly error page -->\x0d\x0a<!-- a padding to disable MSIE and Chrome friendly error page -->\x0d\x0a<!-- a padding to disable MSIE and Chrome friendly error page -->\x0d\x0a<!-- a padding to disable MSIE and Chrome friendly error page -->\x0d\x0a<!-- a padding to disable MSIE and Chrome friendly error page -->\x0d\x0a


---CN4pqdMj---F--

HTTP/1.1 403

Server: nginx

Date: Thu, 10 Jan 2019 06:02:56 GMT

Content-Length: 564

Content-Type: text/html

Connection: keep-alive


---CN4pqdMj---H--

ModSecurity: Warning. Matched "Operator `Rx' with parameter `^[\d.:]+$' against variable `REQUEST_HEADERS:Host' (Value: `192.168.1.93' ) [file "/usr/local/nginx/conf/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "768"] [id "920350"] [rev ""] [msg "Host header is a numeric IP address"] [data "192.168.1.93"] [severity "4"] [ver "OWASP_CRS/3.1.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "OWASP_CRS/PROTOCOL_VIOLATION/IP_HOST"] [tag "WASCTC/WASC-21"] [tag "OWASP_TOP_10/A7"] [tag "PCI/6.5.10"] [hostname "192.168.1.235"] [uri "/"] [unique_id "154710017669.078147"] [ref "o0,12v38,12"]

ModSecurity: Warning. detected SQLi using libinjection. [file "/usr/local/nginx/conf/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "43"] [id "942100"] [rev ""] [msg "SQL Injection Attack Detected via libinjection"] [data "Matched Data: 1&1 found within ARGS:id: 1 AND 1=1"] [severity "2"] [ver "OWASP_CRS/3.1.0"] [maturity "0"] [accuracy "0"] [hostname "192.168.1.235"] [uri "/"] [unique_id "154710017669.078147"] [ref "v9,9"]

ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Ge' with parameter `5' against variable `TX:ANOMALY_SCORE' (Value: `8' ) [file "/usr/local/nginx/conf/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "80"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 8)"] [data ""] [severity "2"] [ver ""] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "192.168.1.235"] [uri "/"] [unique_id "154710017669.078147"] [ref ""]

ModSecurity: Warning. Matched "Operator `Ge' with parameter `5' against variable `TX:INBOUND_ANOMALY_SCORE' (Value: `8' ) [file "/usr/local/nginx/conf/rules/RESPONSE-980-CORRELATION.conf"] [line "76"] [id "980130"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 8 - SQLI=5,XSS=0,RFI=0,LFI=0,RCE=0,PHPI=0,HTTP=0,SESS=0): SQL Injection Attack Detected via libinjection; individual paranoia level scores: 8, 0, 0, 0"] [data ""] [severity "0"] [ver ""] [maturity "0"] [accuracy "0"] [tag "event-correlation"] [hostname "192.168.1.235"] [uri "/"] [unique_id "154710017669.078147"] [ref ""]


---CN4pqdMj---I--


---CN4pqdMj---J--


---CN4pqdMj---Z--

  

Nginx1.14.0+ModSecurity实现简单的WAF的更多相关文章

  1. nginx1.14.0版本https加密配置

    修改host文件,为最后访问域名准备 C:\Windows\System32\drivers\etc host文件目录192.168.10.140 www.joyce.com 在最后添加这个自定义域名 ...

  2. nginx1.14.0下载、安装、启动

    nginx1.14.0下载及安装 wget http://nginx.org/download/nginx-1.14.0.tar.gztar -zxvf nginx-1.14.0.tar.gzcd n ...

  3. CentOS 安装Nginx1.14.0

    原文地址:http://www.cnblogs.com/ascd-eg/p/9275441.html 一.安装所需环境   1.gcc 安装         yum install gcc-c++   ...

  4. 编译安装和apt安装Nginx1.14.0

    安装依赖 yum -y install gcc gcc-c++yum -y install zlib zlib-devel openssl openssl-devel pcre-devel 在Ubun ...

  5. nginx: [emerg] unknown directive "聽" in D:\software03\GitSpace\cms\nginx-1.14.0/conf/nginx.conf:36

    nginx: [emerg] unknown directive "聽" in D:\software03\GitSpace\cms\nginx-1.14.0/conf/nginx ...

  6. CentOS7 安装nginx-1.14.0

    nginx源码包:http://nginx.org/en/download.html 1.安装gcc gcc是用来编译下载下来的nginx源码 yum install gcc-c++ 2.安装pcre ...

  7. Centos7安装Nginx1.14.0

    一.官网下载 http://nginx.org/en/download.html 版本说明: Nginx官网提供了三个类型的版本 Mainline version:Mainline 是 Nginx 目 ...

  8. elementaryos5安装mysql5.7、php7.2、nginx1.14.0

    一.mysql5.7 安装mysql5.7: sudo apt-get install mysql-server-5.7 查看安装的mysql版本: mysql -V 5.7版本mysql安装过程中以 ...

  9. 2018.7.3 lnmp一键安装包无人值守版本 php7.2 + nginx1.14.0 + mariadb5.5 + centos7.1(1503) 环境搭建 + Thinkphp5.1.7 配置

    给自己练习用的,整个过程追求一个简单粗暴,没有配置虚拟主机,现在记录一下过程. 1. 进入到lnmp解压缩后的文件夹conf/rewrite,把thinkphp.conf复制一份到/usr/local ...

随机推荐

  1. JQuery实现一个轮播图

    1.HTML <div class="banner"> <div class="b_main"> <div class=" ...

  2. 意外的php之学习笔记

    版权声明:本文为博主原创文章,未经博主同意不得转载. https://blog.csdn.net/gc_gongchao/article/details/37312039     什么是php? ph ...

  3. 3.2.2 SpringMVC配置式开发

    SpringMVC配置式开发 1. SpringMVC运行原理(执行过程) 2. 需求 用户提交一个请求, 服务端处理器接收到请求后, 给出一条信息,在相应页面中显示该条信息 3. 开发步骤 (1) ...

  4. jsp四大作用域

  5. Cocos Creator 监听安卓屏幕下方返回键

    addEscEvent = function(node){ cc.eventManager.addListener({ event: cc.EventListener.KEYBOARD, onKeyP ...

  6. Backup &recovery备份和还原

    实践版本:MySQL5.7 备份类型(backup type)物理和逻辑备份(Physical Versus Logical Backup)        物理备份是指直接复制存储数据库内容的目录和文 ...

  7. 如何通过轮询实现session自动注销

    每个用户在访问完网站后,经常会忽略注销账户,session默认存在的时间为30分钟,因此如果需要立即关闭session而又不用麻烦用户则可以通过轮询的方法来实现. 以下通过代码的讲解: xml配置文件 ...

  8. ESP8266清理flash学习记录

    学习来源:http://bbs.eeworld.com.cn/thread-497588-1-1.html 还稍看了电子产品世界 主要内容 1在windows 上通过 命令行 安装  Python环境 ...

  9. 关于表格table嵌套,边框合并问题的解决方法,table嵌套(转)

    原文地址:http://www.cnblogs.com/zhangym118/archive/2016/05/16/5496931.html [问题] 外层table与内层table嵌套,内外表格都需 ...

  10. 【SS & KCP centos7配置】

    1 依赖和环境配置 1.1 升级 yum $ yum update 1.2 安装 screen $ yum install screen 关于 screen 的详情:http://www.vpser. ...