Nginx+Lua实现自定义WAF(一)

安装环境:centOS7 1810 

Step1:安装编译所依赖的软件

pcre-devel: 扩展的正则表达式引擎,为了使Nginx处理更复杂的正则表达式机制
openssl-devel:–with-http_ssl_module使用该模块必需装openssl库,来实现http支持https协议
zlib-devel:zlib库是网络通信压缩库,ngx_http_gzip_module(gzip压缩模块)所必需的
readline-devel:readline是安装Openresty所必须的依赖包
[root@waf ~]#  yum install gcc-c++ libtool gmake make -y

[root@waf ~]# yum install pcre pcre-devel openssl openssl-devel zlib zlib-devel readline readline-devel-y

Step2:创建nginx用户/组

Nginx的Master主进程以root用户身份运行,而worker子进程我们指定它为nginx用户运行
[root@waf ~]# groupadd nginx
[root@waf ~]# useradd -d /home/nginx -g nginx -s /sbin/nginx nginx

step3:编译安装Openresty

[root@waf ~]# wget https://openresty.org/download/openresty-1.17.8.2.tar.gz

[root@waf ~]# tar zxvf openresty-1.17.8.2.tar.gz 

[root@waf ~]# cd openresty-1.17.8.2

[root@waf openresty-1.17.8.2]# ./configure --prefix=/usr/local/openresty \
 --sbin-path=/usr/local/openresty/nginx/sbin/nginx \
 --conf-path=/usr/local/openresty/nginx/conf/nginx.conf \
 --pid-path=/usr/local/openresty/nginx/run/nginx.pid \
--error-log-path=/usr/local/openresty/nginx/logs/error.log \
 --http-log-path=/usr/local/openresty/nginx/logs/access.log \
 --user=nginx \
 --group=nginx \
 --with-pcre \
--with-stream \
 --with-threads \
 --with-file-aio \
--with-http_v2_module \
 --with-http_ssl_module \
 --with-http_realip_module \
 --with-http_gzip_static_module \
 --with-http_stub_status_module
[root@waf openresty-1.17.8.2]# gmake
[root@waf openresty-1.17.8.2]# gmake install

step4:为Openresty添加环境变量

[root@waf ~]# vim /etc/profile.d/openresty.sh

export PATH=/usr/local/openresty/bin:$PATH

[root@waf ~]# source /etc/profile

Step5:下载WAF模块

[root@waf openresty-1.17.8.2]# git clone https://github.com/unixhot/waf.git

[root@waf openresty-1.17.8.2]# git clone https://github.com/openresty/lua-resty-core.git

[root@waf openresty-1.17.8.2]#     cp -a ./waf/waf /usr/local/openresty/nginx/conf/

[root@waf openresty-1.17.8.2]#    cp -a lua-resty-core /usr/local/openresty/nginx/conf/

Step6:Openresty引入WAF模块

[root@waf openresty-1.17.8.2]# vim /usr/local/openresty/nginx/conf/nginx.conf

在http下添加如下Lua路径
http {
lua_shared_dict limit 10m;
lua_package_path "/usr/local/openresty/nginx/conf/waf/?.lua;/usr/local/openresty/lua-resty-core/lib/?.lua;;";
init_by_lua_file "/usr/local/openresty/nginx/conf/waf/init.lua";
access_by_lua_file "/usr/local/openresty/nginx/conf/waf/access.lua";

 

Step7:启动服务

[root@waf openresty-1.17.8.2]# openresty
[root@waf openresty-1.17.8.2]# openresty -s reload

posted on 2023-07-16 21:26  CyberSecurityBook  阅读(180)  评论(0编辑  收藏  举报

导航