LuaJIT安裝

yum -y install gcc gcc-c++ autoconf automake make unzip
yum -y install zlib zlib-devel openssl openssl-devel pcre pcre-devel

cd /usr/local/src/
wget http://luajit.org/download/LuaJIT-2.0.5.tar.gz
tar xf LuaJIT-2.0.5.tar.gz
cd LuaJIT-2.0.5
make && make install

安裝Lua Ngx模塊

wget https://github.com/simplresty/ngx_devel_kit/archive/v0.3.0.tar.gz
tar xf v0.10.13.tar.gz

echo "export LUAJIT_LIB=/usr/local/lib" >> /etc/profile
echo "export LUAJIT_INC=/usr/local/include/luajit-2.0" >> /etc/profile
source /etc/profile

Nginx添加Lua模塊

cd /usr/local/src/
wget http://nginx.org/download/nginx-1.14.0.tar.gz
tar xf nginx-1.14.0.tar.gz
cd nginx-1.14.0
useradd -s /sbin/nologin -M www
 ./configure --user=www --group=www \
--prefix=/usr/local/nginx-1.14.0 \
--with-http_stub_status_module \
--with-http_ssl_module \
--with-http_gzip_static_module \
--pid-path=/usr/local/nginx-1.14.0/nginx.pid \
--with-http_realip_module \
--add-module=/usr/local/src/ngx_devel_kit-0.3.0 \
--add-module=/usr/local/src/lua-nginx-module-0.10.13 \
--with-ld-opt="-Wl,-rpath,$LUAJIT_LIB"
make -j2
make install
ln -s /usr/local/nginx-1.14.0 /usr/local/nginx

準備Lua waf防護腳本

https://github.com/loveshell/ngx_lua_waf

mkdir -p /usr/local/nginx/logs/hack/
chown -R www.www /usr/local/nginx/logs/hack/
chmod -R 755 /usr/local/nginx/logs/hack/

至此nginx支持WAF防護功能已經(jīng)搭建完成方援！

使用說明：

nginx配置文件路徑為:/usr/local/nginx/conf/

把ngx_lua_waf下載到conf目錄下,解壓命名為waf

wget https://github.com/loveshell/ngx_lua_waf/archive/master.zip
unzip master.zip -d /usr/local/nginx/conf/
mv /usr/local/nginx/conf/ngx_lua_waf-master /usr/local/nginx/conf/waf

在nginx.conf的http段添加下面這段：

lua_package_path "/usr/local/nginx/conf/waf/?.lua";
lua_shared_dict limit 10m;
init_by_lua_file  /usr/local/nginx/conf/waf/init.lua;
access_by_lua_file /usr/local/nginx/conf/waf/waf.lua;

配置config.lua里的waf規(guī)則目錄(一般在waf/conf/目錄下)：

RulePath = "/usr/local/nginx/conf/waf/wafconf/"   #絕對路徑如有變動欢揖，需對應(yīng)修改

然后重啟nginx即可。

配置文件詳細說明：

RulePath = "/usr/local/nginx/conf/waf/wafconf/"
--規(guī)則存放目錄
attacklog = "off"
--是否開啟攻擊信息記錄玉凯，需要配置logdir
logdir = "/usr/local/nginx/logs/hack/"
--log存儲目錄，該目錄需要用戶自己新建漫仆，切需要nginx用戶的可寫權(quán)限
UrlDeny="on"
--是否攔截url訪問
Redirect="on"
--是否攔截后重定向
CookieMatch = "on"
--是否攔截cookie攻擊
postMatch = "on" 
--是否攔截post攻擊
whiteModule = "on" 
--是否開啟URL白名單
black_fileExt={"php","jsp"}
--填寫不允許上傳文件后綴類型
ipWhitelist={"127.0.0.1"}
--ip白名單嫉鲸，多個ip用逗號分隔
ipBlocklist={"1.0.0.1"}
--ip黑名單，多個ip用逗號分隔
CCDeny="on"
--是否開啟攔截cc攻擊(需要nginx.conf的http段增加lua_shared_dict limit 10m;)
CCrate = "100/60"
--設(shè)置cc攻擊頻率歹啼，單位為秒.
--默認1分鐘同一個IP只能請求同一個地址100次
html=[[Please go away~~]]
--警告內(nèi)容,可在中括號內(nèi)自定義
備注:不要亂動雙引號玄渗，區(qū)分大小寫

啟動nginx：

/usr/local/nginx/sbin/nginx

檢查規(guī)則是否生效：

部署完畢可以嘗試如下命令：

curl http://your_ip/test.php?id=../etc/passwd

結(jié)果如下則說明規(guī)則生效（頁面修改地址：/usr/local/nginx/conf/waf/config.lua）：

圖片.png

注意:默認座菠，本機在白名單不過濾，可自行調(diào)整config.lua配置

一些說明：

過濾規(guī)則在wafconf下藤树，可根據(jù)需求自行調(diào)整浴滴，每條規(guī)則需換行,或者用|分割

args里面的規(guī)則get參數(shù)進行過濾的 url是只在get請求url過濾的規(guī)則 post是只在post請求過濾的規(guī)則 whitelist是白名單，里面的url匹配到不做過濾 user-agent是對user-agent的過濾規(guī)則

默認開啟了get和post過濾岁钓，需要開啟cookie過濾的升略，編輯waf.lua取消部分--注釋即可

日志文件名稱格式如下:虛擬主機名_sec.log

一件腳本

#!/bin/bash
#Author: Template
yum -y install gcc gcc-c++ autoconf automake make unzip wget
yum -y install zlib zlib-devel openssl openssl-devel pcre pcre-devel
cd /usr/local/src/

[ ! -f "LuaJIT-2.0.5.tar.gz" ] && wget http://luajit.org/download/LuaJIT-2.0.5.tar.gz 
[ ! -f "nginx-1.14.0.tar.gz" ] && wget http://nginx.org/download/nginx-1.14.0.tar.gz && 
[ ! -f "v0.3.0.tar.gz" ] && wget https://github.com/simplresty/ngx_devel_kit/archive/v0.3.0.tar.gz 
[ ! -f "v0.10.13.tar.gz" ] && wget https://github.com/openresty/lua-nginx-module/archive/v0.10.13.tar.gz
[ ! -f "master.zip" ] && wget https://github.com/loveshell/ngx_lua_waf/archive/master.zip --no-check-certificate

ls *.tar.gz | xargs -n 1  tar xf

cd LuaJIT-2.0.5 && make && make install && cd ..

echo "export LUAJIT_LIB=/usr/local/lib" >> /etc/profile && \
echo "export LUAJIT_INC=/usr/local/include/luajit-2.0" >> /etc/profile
source /etc/profile
cd nginx-1.14.0 && useradd -s /sbin/nologin -M www
./configure --user=www --group=www \
--prefix=/usr/local/nginx-1.14.0 \
--with-http_stub_status_module \
--with-http_ssl_module \
--with-http_gzip_static_module \
--pid-path=/usr/local/nginx-1.14.0/nginx.pid \
--with-http_realip_module \
--add-module=/usr/local/src/ngx_devel_kit-0.3.0 \
--add-module=/usr/local/src/lua-nginx-module-0.10.13 \
--with-ld-opt="-Wl,-rpath,$LUAJIT_LIB" && make -j8 && make install && ln -s /usr/local/nginx-1.14.0 /usr/local/nginx

mkdir -p /usr/local/nginx/logs/hack/ && chown -R www.www /usr/local/nginx/logs/hack/ && chmod -R 755 /usr/local/nginx/logs/hack/

sed -i '25 a lua_package_path \"/usr/local/nginx/conf/waf/?.lua\";\nlua_shared_dict limit 10m;\ninit_by_lua_file  /usr/local/nginx/conf/waf/init.lua;\naccess_by_lua_file /usr/local/nginx/conf/waf/waf.lua;' /usr/local/nginx/conf/nginx.conf

cd /usr/local/src/ && unzip master.zip -d /usr/local/nginx/conf/ && mv /usr/local/nginx/conf/ngx_lua_waf-master /usr/local/nginx/conf/waf

/usr/local/nginx/sbin/nginx

來源

https://www.cnblogs.com/Template/p/9668305.html