Implementing WAF protection with nginx + nginx_lua

1. Download the required packages

  wget http://luajit.org/download/LuaJIT-2.0.5.tar.gz

  git clone https://github.com/simpl/ngx_devel_kit

  git clone -b 0.10.14 https://github.com/openresty/lua-nginx-module   (download this specific version; otherwise nginx reports an error and will not start)

  wget http://nginx.org/download/nginx-1.12.1.tar.gz

  wget -c https://github.com/loveshell/ngx_lua_waf/archive/master.zip

 

2. Installation and configuration

LuaJIT:
# tar xf LuaJIT-2.0.5.tar.gz
# cd LuaJIT-2.0.5
# make -j 2 && make install
Set the environment variables:
# vim /etc/profile.d/LuaJIT.conf
export LUAJIT_LIB=/usr/local/lib
export LUAJIT_INC=/usr/local/include/luajit-2.0
export LD_LIBRARY_PATH=/usr/local/lib/:$LD_LIBRARY_PATH
# . /etc/profile.d/LuaJIT.conf

Nginx:
# tar xf nginx-1.12.1.tar.gz
# cd nginx-1.12.1
# yum install -y openssl-devel pcre-devel
# ./configure --prefix=/usr/local/nginx --with-http_stub_status_module --with-http_ssl_module --add-module=../ngx_devel_kit --add-module=../lua-nginx-module --user=nginx --group=nginx
# make && make install

Nginx_lua_waf:
# mkdir -p /usr/local/nginx/conf/waf
# unzip master.zip 
# cd ngx_lua_waf-master
# cp -rf * /usr/local/nginx/conf/waf/
# mkdir -p /usr/local/nginx/logs/hack
# chown -R nginx /usr/local/nginx/logs/hack

 

 

3. Modify the configuration

vim /usr/local/nginx/conf/nginx.conf
  Add the following directives to the http block:
  lua_need_request_body on;
  lua_package_path "/usr/local/nginx/conf/waf/?.lua";
  lua_shared_dict limit 10m;
  init_by_lua_file  /usr/local/nginx/conf/waf/init.lua; 
  access_by_lua_file /usr/local/nginx/conf/waf/waf.lua;

 

4. Start nginx and verify

Start: /usr/local/nginx/sbin/nginx

Verify by visiting: 192.168.1.1:8080/?id=select * from mysql;    If the following page appears, the WAF is in effect.

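Issues encountered:

 The error shown in the screenshot above is mainly caused by using the wrong version of the lua-nginx-module package; version 0.10.14 is required.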
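
The build, configuration and verification steps above can be checked with a script. The following is an added example, not part of the original post or of ngx_lua_waf. The function names are hypothetical, and the HTTP 403 status for a blocked request is an assumption that can be overridden with a second argument.

```shell
#!/usr/bin/env bash
# Post-install checks for the nginx + ngx_lua_waf setup described above.
# Paths and directive names come from the article; function names are made up
# here, and the 403 "blocked" status is an assumption about the WAF's response.
NGINX_PREFIX=/usr/local/nginx

# Return 0 if `nginx -V` output shows both add-on modules were compiled in.
has_lua_modules() {
  local build_info="$1"
  case $build_info in *--add-module=*ngx_devel_kit*) ;; *) return 1 ;; esac
  case $build_info in *--add-module=*lua-nginx-module*) ;; *) return 1 ;; esac
}

# Print every directive from step 3 that is absent or commented out in the
# given nginx.conf; return 0 only when all five are present.
missing_waf_directives() {
  local conf="$1" missing=0 d
  for d in lua_need_request_body lua_package_path lua_shared_dict \
           init_by_lua_file access_by_lua_file; do
    if ! grep -Eq "^[[:space:]]*${d}[[:space:]]" "$conf"; then
      echo "$d"; missing=1
    fi
  done
  return "$missing"
}

# Send the SQL-like test query from step 4 (URL-encoded by curl) and return 0
# if the response status equals the expected "blocked" status.
waf_blocks_probe() {
  local base_url="$1" expected="${2:-403}" status
  status=$(curl -s -o /dev/null -w '%{http_code}' --max-time 5 \
           -G --data-urlencode 'id=select * from mysql' "$base_url/")
  [ "$status" = "$expected" ]
}

# Live run, only when a base URL is given: ./check_waf.sh http://192.168.1.1:8080
if [ "$#" -ge 1 ]; then
  has_lua_modules "$("$NGINX_PREFIX/sbin/nginx" -V 2>&1)" \
    || echo "FAIL: ngx_devel_kit / lua-nginx-module not compiled in"
  missing_waf_directives "$NGINX_PREFIX/conf/nginx.conf" \
    || echo "FAIL: the directives listed above are missing from nginx.conf"
  "$NGINX_PREFIX/sbin/nginx" -t || echo "FAIL: nginx -t rejected the config"
  waf_blocks_probe "$1" || echo "FAIL: test query was not blocked"
fi
```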

 

posted on 2020-11-04 18:10  一个梦想自由的人