Using nginx with ModSecurity to build a WAF

Posted on 2017-10-19 16:53:31

ModSecurity began as an open-source WAF for Apache and is an effective way to harden a web application; it now also supports nginx and IIS. Combined with nginx's flexibility and performance it can be built into a production-grade WAF, a powerful tool for protecting and auditing web applications.

I. Preparation

System: CentOS 6.5 64-bit, Tengine 2.1.0, ModSecurity 2.8.0

Tengine: http://tengine.taobao.org/download/tengine-2.1.0.tar.gz

ModSecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz

OWASP rule set: https://github.com/SpiderLabs/owasp-modsecurity-crs

Dependencies:

Tengine (nginx) depends on pcre, zlib and openssl; all three are available from the CentOS 6.5 repositories:

yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel

Packages ModSecurity depends on: pcre, httpd-devel, libxml2, apr

yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
II. Enable the standalone module and compile

Download ModSecurity for nginx, unpack it, and run the following in the unpacked directory:

./autogen.sh
./configure --enable-standalone-module --disable-mlogc
make
III. Add the ModSecurity module to nginx

Once the standalone module has been built, add it to nginx at compile time with "--add-module":

./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
make && make install
IV. Add rules

ModSecurity is designed to filter and block web threats, and its strength lies in its rules. The rules provided by OWASP are maintained by community volunteers and are known as the Core Rule Set (CRS); they are reliable and powerful, and custom rules can of course also be written to meet any requirement.

1. Download the OWASP rules:

git clone https://github.com/SpiderLabs/owasp-modsecurity-crs

mv owasp-modsecurity-crs /opt/tengine/conf/

cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf

2. Enable the OWASP rules:

Copy modsecurity.conf-recommended and unicode.mapping from the ModSecurity source directory into nginx's conf directory, and rename modsecurity.conf-recommended to modsecurity.conf.

Edit modsecurity.conf and set SecRuleEngine to On (the recommended file ships with DetectionOnly, which logs matches but does not block them).

owasp-modsecurity-crs contains several folders of rules, e.g. base_rules, experimental_rules, optional_rules and slr_rules. Enable the ones you need by adding an Include line for each rule file to modsecurity.conf; the setup file must come first, because it defines the variables the rule files use:

Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
V. Configure nginx

Add the following two lines to the location block of each host where ModSecurity should be enabled:

ModSecurityEnabled on;
ModSecurityConfig modsecurity.conf;

Below are two example configurations. First, a PHP virtual host:

server {
    listen      80;
    server_name 52os.net www.52os.net;

    location ~ \.php$ {
        # Run every PHP request through ModSecurity with the rules in conf/modsecurity.conf
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        root  /web/wordpress;
        index index.php index.html index.htm;

        fastcgi_pass   127.0.0.1:9000;
        fastcgi_index  index.php;
        # nginx variables are case-sensitive: $document_root, not $Document_root
        fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;
        include        fastcgi_params;
    }
}
Second, upstream load balancing:

# The upstream group name must match the name used in proxy_pass below
# (renamed from 52os.net so the two agree)
upstream online {
    server 192.168.1.100:8080;
    server 192.168.1.101:8080 backup;
}

server {
    listen      80;
    server_name 52os.net www.52os.net;

    location / {
        # Inspect every proxied request before it reaches the backends
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        proxy_pass       http://online;
        proxy_redirect   off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
VI. Testing

We enabled the XSS and SQL injection filters, so malformed requests are answered directly with a 403. Taking the PHP environment as an example, create a phpinfo.php with the following content:

<?php
    phpinfo();
?>

Then open the following in a browser:

http://www.52os.net/phpinfo.php?id=1 displays normally.
http://www.52os.net/phpinfo.php?id=1 and 1=1 returns 403.
http://www.52os.net/phpinfo.php?search=<script>alert('xss');</script> returns 403.

This shows that SQL injection and XSS are being filtered.
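An automated version of the three checks above, added here as an example and not part of the original post: it percent-encodes each query the way a browser would, sends it to your own server, and compares the returned status with the expected one. The injectable `fetch` parameter is an assumption of this example so the logic can be exercised without a live server; the base URL is passed on the command line.

```python
"""Smoke test for the nginx + ModSecurity setup: sends the three requests
from the testing section and checks the status code each one gets back.
Added example, not part of the original post."""
import sys
import urllib.error
import urllib.parse
import urllib.request

# Test plan from the post: (query parameters, expected HTTP status).
# Payloads are the post's own; they are only sent to your own server.
TEST_CASES = [
    ({"id": "1"}, 200),                                   # benign request
    ({"id": "1 and 1=1"}, 403),                           # blocked by CRS SQLi rules
    ({"search": "<script>alert('xss');</script>"}, 403),  # blocked by CRS XSS rules
]


def build_url(base, params):
    """Percent-encode the query as a browser would, so the request is valid
    HTTP and the payload reaches ModSecurity in the same shape."""
    return base + "?" + urllib.parse.urlencode(params)


def default_fetch(url):
    """Return the HTTP status for url. urllib raises HTTPError for 4xx/5xx,
    so the WAF's 403 has to be read from the exception, not treated as failure."""
    try:
        with urllib.request.urlopen(url, timeout=5) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def run_waf_checks(base, fetch=default_fetch):
    """Run every case against base (e.g. http://www.52os.net/phpinfo.php).
    `fetch` is injectable (an assumption of this example) so the checks can
    be exercised against a stub. Returns (url, expected, actual, passed)."""
    results = []
    for params, expected in TEST_CASES:
        url = build_url(base, params)
        actual = fetch(url)
        results.append((url, expected, actual, actual == expected))
    return results


if __name__ == "__main__":
    all_ok = True
    for url, expected, actual, ok in run_waf_checks(sys.argv[1]):
        all_ok &= ok
        print("PASS" if ok else "FAIL", f"expected {expected}, got {actual}:", url)
    sys.exit(0 if all_ok else 1)
```

Run it as `python3 waf_check.py http://www.52os.net/phpinfo.php`; a non-zero exit means at least one request did not get the status the post says it should.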

VII. Troubleshooting the installation

1. Missing APXS produces an error

configure: looking for Apache module support via DSO through APXS
configure: error: couldn't find APXS

apxs is a tool for building and installing extension modules for the Apache HTTP server; it compiles one or more source or object files into a dynamic shared object. Solution:

yum install httpd-devel

2. pcre missing

configure: *** pcre library not found.
configure: error: pcre library is required

Solution:

yum install pcre pcre-devel

3. libxml2 missing

configure: *** xml library not found.
configure: error: libxml2 is required

Solution:

yum install libxml2 libxml2-devel
4. Running /opt/tengine/sbin/nginx -m prints a warning

Tengine version: Tengine/2.1.0 (nginx/1.6.2)
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!

Cause: the APR version ModSecurity was compiled against differs from the one loaded at runtime, and error.log also shows the following:

2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded     version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.

Solution: remove the older APR (1.3.9):

yum remove apr
5. error.log contains: Audit log: Failed to lock global mutex

2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]

Solution: edit modsecurity.conf, comment out the default SecAuditLogType and SecAuditLog, and add the following:

SecAuditLogDirMode 0777
SecAuditLogFileMode 0550
SecAuditLogStorageDir /var/log/modsecurity
SecAuditLogType Concurrent
References:
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
http://drops.wooyun.org/tips/2614