Note:
This uses ModSecurity 3.0, which is the version nginx officially recommends, built as an nginx dynamic module.
1. Environment preparation
https://github.com/SpiderLabs/ModSecurity
https://github.com/SpiderLabs/ModSecurity-nginx
https://nginx.org/download/nginx-1.13.8.tar.gz
2. Building libmodsecurity
a. Prerequisites (build dependencies)
yum install -y pcre pcre-devel openssl openssl-devel libtool libtool-ltdl-devel gcc gcc-c++ gcc-g77 autoconf automake \
    geoip geoip-devel libcurl libcurl-devel yajl yajl-devel lmdb-devel ssdeep-devel lua-devel
Note: there are quite a few; the build itself will tell you which ones are still missing.
b. Build
git clone --depth 1 -b v3/master --single-branch https://github.com/SpiderLabs/ModSecurity
cd ModSecurity
git submodule init
git submodule update
./build.sh
./configure
make
make install
Note: the message fatal: No names found, cannot describe anything. can be ignored (per the official documentation).
c. Building the ModSecurity nginx dynamic module
git clone --depth 1 https://github.com/SpiderLabs/ModSecurity-nginx.git
wget https://nginx.org/download/nginx-1.13.8.tar.gz
tar xvf nginx-1.13.8.tar.gz
cd nginx-1.13.8
./configure --add-dynamic-module=../ModSecurity-nginx
make modules
cp objs/ngx_http_modsecurity_module.so /usr/local/nginx/modules (this is the nginx install location; my nginx is also built from source)
d. Building nginx from source
See the nginx download above.
./configure
make
make install
3. Configure module loading
load_module modules/ngx_http_modsecurity_module.so;
Note: this goes in the nginx main context.
4. Preparing the nginx test environment
a. The actual backend application
/usr/local/nginx/conf/nginx.conf
server {
    listen localhost:8085;
    location / {
        default_type text/plain;
        return 200 "Thank you for requesting ${request_uri}\n";
    }
}
b. WAF (the ModSecurity nginx layer, where traffic enters and is forwarded to the backend): nginx proxy
server {
    listen 80;
    location / {
        proxy_pass http://localhost:8085;
        proxy_set_header Host $host;
    }
}
5. ModSecurity configuration files
a. Official template
mkdir -p /usr/local/nginx/modsec
cd /usr/local/nginx/modsec
wget https://raw.githubusercontent.com/SpiderLabs/ModSecurity/v3/master/modsecurity.conf-recommended
mv modsecurity.conf-recommended modsecurity.conf
Enable the rule engine (in modsecurity.conf):
SecRuleEngine On
b. Create the main configuration file
main.conf
with the following content:
Include /usr/local/nginx/modsec/modsecurity.conf
SecRule ARGS:testparam "@contains test" "id:1234,deny,log,status:403"
c. WAF (add to the port-80 nginx server block above)
modsecurity on;
modsecurity_rules_file /usr/local/nginx/modsec/main.conf;
6. Load the configuration
sbin/nginx -t
Note: if no error is reported, everything is fine; if there is an error, check the logs to resolve it.
7. Testing
With the configuration above, a request whose parameter testparam contains "test" gets a 403.
Test results:
curl -i http://localhost/foo?testparam=dalongtest
HTTP/1.1 403 Forbidden
Server: nginx/1.13.8
Date: Sun, 18 Feb 2018 10:45:43 GMT
Content-Type: text/html
Content-Length: 169
Connection: keep-alive

403 Forbidden
403 Forbidden
nginx/1.13.8

curl -i http://localhost/foo?testparam=dalong
HTTP/1.1 200 OK
Server: nginx/1.13.8
Date: Sun, 18 Feb 2018 10:46:14 GMT
Content-Type: text/plain
Content-Length: 47
Connection: keep-alive

Thank you for requesting /foo?testparam=dalong
8. Extensions
The OWASP CRS is supported as well.
Configuration reference:
wget https://github.com/SpiderLabs/owasp-modsecurity-crs/archive/v3.0.2.tar.gz
tar -xzvf v3.0.2.tar.gz
sudo mv owasp-modsecurity-crs-3.0.2 /usr/local
cd /usr/local/owasp-modsecurity-crs-3.0.2
sudo cp crs-setup.conf.example crs-setup.conf
# Include the recommended configuration
Include /usr/local/nginx/modsec/modsecurity.conf
# OWASP CRS v3 rules
Include /usr/local/owasp-modsecurity-crs-3.0.2/crs-setup.conf
Include /usr/local/owasp-modsecurity-crs-3.0.2/rules/*.conf
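The following Python script is an added example, not part of this post or of the ModSecurity project: it walks the Include chain of a main.conf like the one in section 5 (and the CRS includes above), joins the backslash line continuations the CRS rule files use, reports the effective SecRuleEngine value (the recommended template ships with DetectionOnly, so rules only log until it is changed to On) and flags rule ids that are defined more than once. build_sample() writes a constructed sample tree to a temporary directory; its paths and the second rule are made up for the demo, and relative Include paths are resolved against the including file, which is this script's own convention.

```python
import glob
import os
import re
import tempfile
ID_RE = re.compile(r"\bid:\s*'?(\d+)")              # rule id inside a SecRule action list
INCLUDE_RE = re.compile(r"^Include\s+(\S+)", re.I)
ENGINE_RE = re.compile(r"^SecRuleEngine\s+(\S+)", re.I)

def _directives(path):
    """Non-comment directives of one file, with backslash line continuations joined (CRS uses them)."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        text = re.sub(r"\\\r?\n\s*", " ", fh.read())
    return [ln.strip() for ln in text.splitlines() if ln.strip() and not ln.lstrip().startswith("#")]

def audit_modsec(conf, state=None):
    """Follow Include chains (glob-expanded, relative to the including file); collect engine mode, rule ids, duplicates."""
    state = state if state is not None else {"engine": None, "ids": {}, "dupes": []}
    base = os.path.dirname(os.path.abspath(conf))
    for line in _directives(conf):
        if m := INCLUDE_RE.match(line):
            pattern = m.group(1) if os.path.isabs(m.group(1)) else os.path.join(base, m.group(1))
            for target in sorted(glob.glob(pattern)):
                audit_modsec(target, state)
        elif m := ENGINE_RE.match(line):
            state["engine"] = m.group(1)               # the last directive seen wins
        elif line.lower().startswith(("secrule ", "secaction ")):
            for rid in ID_RE.findall(line):
                if rid in state["ids"]:
                    state["dupes"].append(rid)         # the same id defined in two rules
                state["ids"][rid] = conf               # remember where the id was last seen
    return state

def build_sample():
    """Constructed sample tree shaped like the tutorial's layout (demo data, not real files)."""
    root = tempfile.mkdtemp()
    os.mkdir(os.path.join(root, "rules"))
    files = {
        "modsecurity.conf": "SecRuleEngine DetectionOnly\n",      # value in the recommended template
        "main.conf": f"Include {root}/modsecurity.conf\n"
                     'SecRule ARGS:testparam "@contains test" "id:1234,deny,log,status:403"\nInclude rules/*.conf\n',
        "rules/custom.conf": 'SecRule ARGS:other "@contains x" \\\n    "id:1234,phase:2,deny"\n',  # hypothetical rule reusing id 1234
    }
    for name, body in files.items():
        with open(os.path.join(root, name), "w") as fh:
            fh.write(body)
    return os.path.join(root, "main.conf")

if __name__ == "__main__":
    print(audit_modsec(build_sample()))
```

Point audit_modsec at /usr/local/nginx/modsec/main.conf before running nginx -t to see whether the engine is really On and whether a custom rule id collides with one from the CRS files.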
9. References
https://github.com/SpiderLabs/ModSecurity/tree/v3/master
https://github.com/SpiderLabs/ModSecurity
https://www.nginx.com/resources/library/modsecurity-3-nginx-quick-start-guide/