ngx_lua_waf


Ubuntu14.04 / 16.04环境

1、下载ngx_devel_kit (以下各步均直接检出 master;生产环境建议固定到已核对的 tag 或 commit,避免上游变更未经审查就进入构建)

# cd /opt
# git clone https://github.com/simplresty/ngx_devel_kit.git && cd ngx_devel_kit && git checkout master
2、下载lua-nginx-module
# cd /opt
# git clone https://github.com/openresty/lua-nginx-module.git && cd lua-nginx-module && git checkout master
3、下载并安装Lua环境
# cd /opt
# git clone http://luajit.org/git/luajit-2.0.git && cd luajit-2.0 && git pull
    ## 注意:这里使用明文 http 克隆,内容在传输中可能被篡改;上游若提供 https 地址应优先使用,并在编译前核对检出的 commit
# make && make install
4、导入Lua环境变量
# cd /opt/nginx-1.12.2
# export LUAJIT_LIB=/usr/local/lib
# export LUAJIT_INC=/usr/local/include/luajit-2.0
5、编译nginx (参考我之前的nginx编译安装过程;文中 nginx-1.12.2、openssl-1.0.2n、pcre-8.38 等为写作时的版本,部署时请换用仍在维护、已打安全补丁的版本)
# cd /opt/nginx-1.12.2/
# ./configure  --prefix=/usr/share/nginx --conf-path=/etc/nginx/nginx.conf --http-log-path=/var/log/nginx/access.log --error-log-path=/var/log/nginx/error.log --lock-path=/var/lock/nginx.lock --pid-path=/run/nginx.pid --http-client-body-temp-path=/var/lib/nginx/body --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-proxy-temp-path=/var/lib/nginx/proxy --http-scgi-temp-path=/var/lib/nginx/scgi --http-uwsgi-temp-path=/var/lib/nginx/uwsgi --with-debug --with-pcre-jit --with-http_ssl_module --with-http_stub_status_module --with-http_realip_module --with-http_auth_request_module --with-http_addition_module --with-http_dav_module --with-http_geoip_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_image_filter_module --with-http_v2_module --with-http_sub_module --with-http_xslt_module --with-stream --with-stream_ssl_module --with-mail --with-mail_ssl_module --with-threads --with-pcre=/opt/pcre-8.38 --with-zlib=/opt/zlib-1.2.11 --with-openssl=/opt/openssl-1.0.2n --add-module=/opt/ngx_devel_kit --add-module=/opt/lua-nginx-module --with-ld-opt=-Wl,-rpath,$LUAJIT_LIB
# make
# mv /usr/sbin/nginx /usr/sbin/nginx.old
# cp objs/nginx /usr/sbin/nginx
# vim Makefile
    ## /usr/share/nginx/sbin/nginx -t
    ## 注释或修改上面这行,输入正确的路径
    /usr/sbin/nginx -t
# make upgrade
6、下载并配置ngx_lua_waf
# cd /etc/nginx/
# git clone https://github.com/loveshell/ngx_lua_waf.git && cd ngx_lua_waf && git checkout master
# vim /etc/nginx/nginx.conf
http {
        …
        ##在nginx.conf的http段添加
        lua_package_path "/etc/nginx/ngx_lua_waf/?.lua";
        lua_shared_dict limit 10m;
        init_by_lua_file /etc/nginx/ngx_lua_waf/init.lua;
        access_by_lua_file /etc/nginx/ngx_lua_waf/waf.lua;
        ##
        …
}
# vim /etc/nginx/ngx_lua_waf/config.lua
    RulePath = "/etc/nginx/ngx_lua_waf/wafconf/"
     ##--规则存放目录
    attacklog = "on"
     ##--是否开启攻击信息记录,需要配置logdir
    logdir = "/home/wwwlogs/"
     ##--log存储目录,需要nginx用户的可写权限。
     ##--注意:日志可能包含被拦截请求的内容,该目录应放在web根目录之外,并且不要对其他用户开放读写
     ##--日志文件名称格式如下:虚拟主机名_sec.log
    UrlDeny="on"
     ##--是否拦截url访问
    Redirect="on"
     ##--是否拦截后重定向
    CookieMatch = "on"
     ##--是否拦截cookie攻击
    postMatch = "on"
     ##--是否拦截post攻击
    whiteModule = "on"
     ##--是否开启URL白名单
    black_fileExt={"php","jsp"}
     ##--填写不允许上传文件后缀类型
    ipWhitelist={"127.0.0.1"}
     ##--ip白名单,多个ip用逗号分隔
    ipBlocklist={"1.0.0.1"}
     ##--ip黑名单,多个ip用逗号分隔
    CCDeny="on"
     ##--是否开启拦截cc攻击(需要nginx.conf的http段增加lua_shared_dict limit 10m;)
    CCrate = "100/60"
     ##--设置cc攻击频率,单位为秒.
     ##--默认1分钟同一个IP只能请求同一个地址100次
    html=[[Please go away~~]]
     ##--警告内容,可在中括号内自定义
     ##备注:不要乱动双引号(必须使用英文半角双引号),区分大小写