Implementing WAF protection with nginx + nginx_lua
1. Download the required packages
wget http://luajit.org/download/LuaJIT-2.0.5.tar.gz
git clone https://github.com/simpl/ngx_devel_kit
git clone -b 0.10.14 https://github.com/openresty/lua-nginx-module
(Download this specific version; otherwise nginx reports an error and fails to start.)
wget http://nginx.org/download/nginx-1.12.1.tar.gz
wget -c https://github.com/loveshell/ngx_lua_waf/archive/master.zip
2. Installation and configuration
LuaJIT:
# tar xf LuaJIT-2.0.5.tar.gz
# cd LuaJIT-2.0.5
# make -j 2 && make install
Set the environment variables:
# vim /etc/profile.d/LuaJIT.conf
export LUAJIT_LIB=/usr/local/lib
export LUAJIT_INC=/usr/local/include/luajit-2.0
export LD_LIBRARY_PATH=/usr/local/lib/:$LD_LIBRARY_PATH
# . /etc/profile.d/LuaJIT.conf
Nginx (run from the directory that holds the downloaded sources, since the --add-module paths are relative):
# tar xf nginx-1.12.1.tar.gz
# cd nginx-1.12.1
# yum install -y openssl-devel pcre-devel
# ./configure --prefix=/usr/local/nginx --with-http_stub_status_module --with-http_ssl_module --add-module=../ngx_devel_kit --add-module=../lua-nginx-module --user=nginx --group=nginx
# make && make install
Nginx_lua_waf (run from the directory that holds master.zip):
# mkdir -p /usr/local/nginx/conf/waf
# unzip master.zip
# cd ngx_lua_waf-master
# cp -rf * /usr/local/nginx/conf/waf/
# mkdir -p /usr/local/nginx/logs/hack
# chown -R nginx /usr/local/nginx/logs/hack
3. Modify the configuration
vim /usr/local/nginx/conf/nginx.conf
Add the following to the http block:
lua_need_request_body on;
lua_package_path "/usr/local/nginx/conf/waf/?.lua";
lua_shared_dict limit 10m;
init_by_lua_file /usr/local/nginx/conf/waf/init.lua;
access_by_lua_file /usr/local/nginx/conf/waf/waf.lua;
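A pre-start check for the configuration step above, added here as an example (it is not part of the original post or of ngx_lua_waf): it reports which of the five directives is missing, commented out, or pointing somewhere other than the WAF directory. The helper names conf_value and check_waf_conf and the script name check_waf.sh are assumptions made for this example.

```shell
#!/bin/sh
# Added example: confirm nginx.conf carries the five WAF directives from step 3.
# conf_value and check_waf_conf are hypothetical helper names, not ngx_lua_waf code.

# Print the value of directive $2 in file $1, ignoring '#' comments.
conf_value() {
    sed 's/#.*$//' "$1" | awk -v d="$2" '
        $1 == d {
            sub(/^[ \t]*[^ \t]+[ \t]+/, "")   # drop the directive name
            sub(/;[ \t]*$/, "")               # drop the trailing semicolon
            print; exit
        }'
}

# Return 0 when all five directives have the values this page uses;
# otherwise print one line per problem and return 1.
# $1 = nginx.conf path, $2 = WAF directory (defaults to the page's path).
check_waf_conf() {
    conf=$1
    waf_dir=${2:-/usr/local/nginx/conf/waf}
    rc=0
    expect() {
        got=$(conf_value "$conf" "$1")
        if [ "$got" != "$2" ]; then
            echo "MISSING/WRONG: $1 (want '$2', got '${got:-<none>}')"
            rc=1
        fi
    }
    expect lua_need_request_body "on"
    expect lua_package_path "\"$waf_dir/?.lua\""
    expect lua_shared_dict "limit 10m"
    expect init_by_lua_file "$waf_dir/init.lua"
    expect access_by_lua_file "$waf_dir/waf.lua"
    return $rc
}

# Run as: sh check_waf.sh /usr/local/nginx/conf/nginx.conf
if [ "$#" -gt 0 ]; then check_waf_conf "$@"; fi
```

The check only covers presence and values; /usr/local/nginx/sbin/nginx -t is still the way to validate the syntax of the whole file.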
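4. Start nginx and verify
Start: /usr/local/nginx/sbin/nginx
Access check: 192.168.1.1:8080/?id=select * from mysql; if the following page appears, the WAF is in effect.
Issues encountered:
The error shown in the figure above is mainly caused by using the wrong version of the lua-nginx-module package; version 0.10.14 of the package is required.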