Deploying ngx_lua_waf gives you a WAF that is simple to use, high-performance and lightweight. It can effectively block SQL injection, file inclusion, XSS, fuzzing and other web attacks, shield abnormal network requests, and prevent web shell uploads. Unlike commercial WAFs such as Security Dog, its filtering rules can be adjusted to actual needs and edited to match the business needs of the enterprise.
Experimental installation environment: RedHat 6.2 and 7.3
Manually install ngx_lua_waf
Install dependency packages
yum install -y zlib zlib-devel readline-devel pcre pcre-devel openssl-devel gcc
Install the nginx and Lua environment via OpenResty
Add the yum repository for OpenResty:
yum-config-manager --add-repo https://openresty.org/package/centos/openresty.repo
sed -i 's/$releasever/6/g' /etc/yum.repos.d/openresty.repo
sed -i 's/$basearch/x86_64/g' /etc/yum.repos.d/openresty.repo
Install openresty with yum:
yum install openresty -y
yum install openresty-resty -y
List all available packages in the openresty repository:
yum --disablerepo="*" --enablerepo="openresty" list available
Installable packages:
openresty-asan.x86_64
openresty-asan-debuginfo.x86_64
openresty-debug.x86_64
openresty-debug-debuginfo.x86_64
openresty-debuginfo.x86_64
openresty-doc.noarch
openresty-openssl-asan.x86_64
openresty-openssl-asan-debuginfo.x86_64
openresty-openssl-asan-devel.x86_64
openresty-openssl-debug.x86_64
openresty-openssl-debug-debuginfo.x86_64
openresty-openssl-debug-devel.x86_64
openresty-openssl-debuginfo.x86_64
openresty-openssl-devel.x86_64
openresty-opm.noarch
openresty-pcre-asan.x86_64
openresty-pcre-asan-debuginfo.x86_64
openresty-pcre-asan-devel.x86_64
openresty-pcre-debuginfo.x86_64
openresty-pcre-devel.x86_64
openresty-valgrind.x86_64
openresty-valgrind-debuginfo.x86_64
openresty-zlib-asan.x86_64
openresty-zlib-asan-debuginfo.x86_64
openresty-zlib-asan-devel.x86_64
openresty-zlib-debuginfo.x86_64
openresty-zlib-devel.x86_64
perl-Lemplate.noarch
perl-Spiffy.noarch
perl-Test-Base.noarch
perl-Test-LongString.noarch
perl-Test-Nginx.noarch
Edit the nginx configuration file to change the web listening port to 8090 or another port, and update the iptables rules for that port:
vim /usr/local/openresty/nginx/conf/nginx.conf
vim /etc/sysconfig/iptables
Start nginx:
/usr/local/openresty/nginx/sbin/nginx -c /usr/local/openresty/nginx/conf/nginx.conf
nginx -p /usr/local/openresty/nginx/ -c /usr/local/openresty/nginx/conf/nginx.conf
Or go to the nginx installation directory and execute:
nginx -p `pwd`/ -c conf/nginx.conf
If the following prompt appears, the port is occupied or nginx is already running:
Use ps to view the processes started by nginx:
If the browser accesses port 8090 and the page is normal, the openresty deployment is successful:
Download and configure the WAF
Download ngx_lua_waf from https://github.com/loveshell/ngx_lua_waf into the conf directory of nginx, either as a ZIP archive with wget or with git clone.
If git clone prints the following message:
Check whether git-remote-https exists under /usr/libexec/git-core. If not, you need to reinstall git. If so, add /usr/libexec/git-core to the PATH:
Download complete:
Downloaded file content
Configuration for the http block in nginx.conf:
lua_package_path "/usr/local/openresty/nginx/conf/ngx_lua_waf/?.lua";
lua_shared_dict limit 10m;
init_by_lua_file /usr/local/openresty/nginx/conf/ngx_lua_waf/init.lua;
access_by_lua_file /usr/local/openresty/nginx/conf/ngx_lua_waf/waf.lua;
Edit config.lua under ngx_lua_waf:
RulePath = "/usr/local/openresty/nginx/conf/ngx_lua_waf/wafconf"
attacklog = "on"
logdir = "/usr/local/nginx/logs/waf"
chown -R nginx.nginx /data/logs/waf
After starting nginx, you can see that the user of the process is nginx:
Test that the log is written successfully:
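A preflight check for the settings above, added here as an example (it is not part of ngx_lua_waf or of the original post): it confirms that the four Lua directives are each present and terminated in nginx.conf, and that the logdir named in config.lua exists and is owned by the nginx worker user, which is the condition the attack log needs in order to be written. The function names waf_setting and waf_preflight are hypothetical.

```bash
#!/usr/bin/env bash
# Added example: preflight check for the ngx_lua_waf deployment described above.
# waf_setting / waf_preflight are hypothetical helper names, not part of ngx_lua_waf.

# Print the value of a `key = "value"` line in config.lua.
waf_setting() {  # usage: waf_setting <config.lua> <key>
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$1" | head -n 1
}

# Return 0 when nginx.conf and config.lua are consistent; print each problem otherwise.
waf_preflight() {  # usage: waf_preflight <nginx.conf> <config.lua> <worker user>
    local nginx_conf="$1" waf_conf="$2" user="$3" rc=0 d rulepath logdir owner
    for d in lua_package_path lua_shared_dict init_by_lua_file access_by_lua_file; do
        # Each directive must sit on its own line and end with ';'.
        grep -Eq "^[[:space:]]*$d[[:space:]][^;]*;[[:space:]]*$" "$nginx_conf" \
            || { echo "nginx.conf: $d missing or not terminated by ';'"; rc=1; }
    done

    rulepath=$(waf_setting "$waf_conf" RulePath)
    [ -d "$rulepath" ] || { echo "RulePath is not a directory: $rulepath"; rc=1; }

    # Without attacklog = "on" nothing is logged even if the directory is fine.
    [ "$(waf_setting "$waf_conf" attacklog)" = "on" ] \
        || { echo "attacklog is not \"on\""; rc=1; }

    # The directory in logdir (not some other path) must exist and belong to
    # the user the nginx worker processes run as.
    logdir=$(waf_setting "$waf_conf" logdir)
    if [ ! -d "$logdir" ]; then
        echo "logdir does not exist: $logdir"; rc=1
    else
        owner=$(ls -ld "$logdir" | awk '{print $3}')
        [ "$owner" = "$user" ] \
            || { echo "logdir $logdir is owned by $owner, expected $user"; rc=1; }
    fi
    return "$rc"
}
```

After sourcing the file, call it with the paths used on this page, for example: waf_preflight /usr/local/openresty/nginx/conf/nginx.conf /usr/local/openresty/nginx/conf/ngx_lua_waf/config.lua nginx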
Thanks to Suspension Mirror Security for their help in answering the problem of writing the protection log.