nginx with ModSecurity as a WAF

Posted 2017-10-19 16:53:31
ModSecurity started life as an open-source WAF for Apache and is an effective way to harden a web tier. It now supports nginx and IIS as well; combined with nginx's flexibility and efficiency it can be built into a production-grade WAF and is a solid tool for both protecting and auditing web applications.

I. Preparation

System: CentOS 6.5 64-bit, tengine 2.1.0, ModSecurity 2.8.0

tengine: http://tengine.taobao.org/download/tengine-2.1.0.tar.gz

ModSecurity for nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz

OWASP rule set: https://github.com/SpiderLabs/owasp-modsecurity-crs

Dependencies:
tengine (nginx) depends on pcre, zlib and openssl; all three are in the CentOS 6.5 base repository:

yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel

ModSecurity depends on pcre, httpd-devel (which provides apxs), libxml2 and apr:

yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
II. Enable the standalone module and build

Download ModSecurity for nginx, unpack it, and run the following in the unpacked directory:

./autogen.sh
./configure --enable-standalone-module --disable-mlogc
make
III. Add the ModSecurity module to nginx

Once the standalone build has finished, pass the module to nginx's configure with "--add-module" (the path below assumes the ModSecurity tarball was unpacked under /root; point it at the nginx/modsecurity subdirectory of wherever you unpacked it):

./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
make && make install
IV. Add rules

ModSecurity is geared towards filtering and blocking web threats, and its strength lies in its rules. The rules published by OWASP are maintained by community volunteers and are known as the Core Rule Set (CRS); they are reliable and powerful, and you can of course write your own rules for anything they do not cover.

1. Download the OWASP rules:

git clone https://github.com/SpiderLabs/owasp-modsecurity-crs

mv owasp-modsecurity-crs /opt/tengine/conf/

cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf

2. Enable the OWASP rules:

Copy modsecurity.conf-recommended and unicode.mapping from the ModSecurity source directory into nginx's conf directory, and rename modsecurity.conf-recommended to modsecurity.conf.

Edit modsecurity.conf and set SecRuleEngine to On. (The recommended file ships with SecRuleEngine DetectionOnly, which logs matches without blocking anything; on a site that already carries real traffic it is worth running in that mode first and reading error.log for false positives before switching to On.)

owasp-modsecurity-crs contains several directories of rules, for example base_rules, experimental_rules, optional_rules and slr_rules. Enable what you need: each rule file you want is pulled in with an Include line at the end of modsecurity.conf. The setup file must be included before any rule file, because the rule files rely on the default action and variables it defines:

Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
V. Configure nginx

In each location of each virtual host that should be protected, add these two lines (the ModSecurityConfig path is resolved relative to nginx's conf directory, which is why modsecurity.conf was copied there):

ModSecurityEnabled on;
ModSecurityConfig modsecurity.conf;

Two example configurations follow. First a PHP virtual host; note that only requests reaching the PHP location are inspected here, so static files served by other locations bypass ModSecurity:

server {
    listen      80;
    server_name 52os.net www.52os.net;

    location ~ \.php$ {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        root  /web/wordpress;
        index index.php index.html index.htm;

        fastcgi_pass   127.0.0.1:9000;
        fastcgi_index  index.php;
        # nginx variables are case-sensitive: $document_root, not $Document_root
        fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;
        include        fastcgi_params;
    }
}
Second, an upstream load-balancing setup. The proxy_pass target has to name the upstream block, here 52os.net:

upstream 52os.net {
    server 192.168.1.100:8080;
    server 192.168.1.101:8080 backup;
}

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location / {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        proxy_pass http://52os.net;
        proxy_redirect   off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
VI. Testing

We enabled the XSS and SQL injection filters, so abnormal requests get a 403 straight from the WAF. Taking the PHP environment as the example, create a phpinfo.php containing:

<?php
    phpinfo();
?>

Then open the following in a browser:

http://www.52os.net/phpinfo.php?id=1 displays normally.
http://www.52os.net/phpinfo.php?id=1 and 1=1 returns 403.
http://www.52os.net/phpinfo.php?search=<script>alert('xss');</script> returns 403.

This shows that the SQL injection and XSS payloads are being filtered. Two practical notes: a browser percent-encodes the spaces and angle brackets before sending, so if you test with curl either pass an already-encoded URL or use -G with --data-urlencode, otherwise the request reaching nginx is malformed and you get a 400 rather than a WAF 403. And remove phpinfo.php once you are done: it discloses the PHP build, loaded modules and filesystem paths to anyone who can reach it.
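The three browser checks above, turned into a repeatable smoke test. This is an added example and not part of the original post; it assumes the vhost from section V is reachable at the base URL given on the command line (http://www.52os.net in the post), that /phpinfo.php exists there, and that 403 is the status the rule set returns on a block. The probe set and the verdict logic are the point: a WAF test has to confirm that attacks are blocked and that benign requests still pass, because a rule set that blocks ordinary search terms is broken in a way the post's three URLs would never reveal.

```python
"""WAF smoke test for the setup described in this post (added example, not
the post's own code).  Assumes the vhost from section V is reachable at the
base URL given on the command line (http://www.52os.net in the post), that
/phpinfo.php exists there, and that 403 is the blocking status.
"""
import sys
import urllib.error
import urllib.parse
import urllib.request

# Probe set: (name, query parameters, should the WAF block it?).
# The benign probes matter as much as the attacks: they catch rules that
# are too broad before those rules reach a production site.
PROBES = [
    ("benign-id",      {"id": "1"},                                      False),
    ("benign-search",  {"search": "nginx modsecurity tutorial"},          False),
    ("sqli-tautology", {"id": "1 and 1=1"},                               True),
    ("sqli-union",     {"id": "1 UNION SELECT user,password FROM users"},  True),
    ("xss-script",     {"search": "<script>alert('xss');</script>"},      True),
]

BLOCK_STATUS = 403   # assumed: the status the CRS default action returns here


def build_url(base_url: str, path: str, params: dict) -> str:
    """Percent-encode the query string.  A browser does this silently; a
    hand-typed URL with a raw space in '1 and 1=1' gives nginx a malformed
    request line (400) before ModSecurity ever inspects the parameters."""
    return f"{base_url.rstrip('/')}{path}?{urllib.parse.urlencode(params)}"


def fetch_status(url: str, timeout: float = 5.0) -> int:
    """GET url and return the HTTP status.  urllib raises on 4xx/5xx, and
    the 403 we are looking for is exactly such a case, so catch it."""
    req = urllib.request.Request(url, headers={"User-Agent": "waf-smoke-test/1"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def judge(statuses: dict, probes=PROBES, block_status: int = BLOCK_STATUS) -> dict:
    """Compare the observed status of each probe with the expectation.

    Returns {'ok': [...], 'missed': [...], 'false_positive': [...]}:
      missed          an attack probe was not blocked (rule file not
                      Included, SecRuleEngine still DetectionOnly, or the
                      location lacks ModSecurityEnabled on)
      false_positive  a benign probe was blocked (rule too broad; tune it
                      before switching a production site to blocking)
    """
    verdict = {"ok": [], "missed": [], "false_positive": []}
    for name, _params, expect_blocked in probes:
        blocked = statuses[name] == block_status
        if blocked == expect_blocked:
            verdict["ok"].append(name)
        elif expect_blocked:
            verdict["missed"].append(name)
        else:
            verdict["false_positive"].append(name)
    return verdict


def run(base_url: str, path: str = "/phpinfo.php") -> dict:
    """Send every probe against base_url and return judge()'s verdict."""
    statuses = {name: fetch_status(build_url(base_url, path, params))
                for name, params, _expect in PROBES}
    return judge(statuses)


if __name__ == "__main__":
    result = run(sys.argv[1] if len(sys.argv) > 1 else "http://www.52os.net")
    for bucket, names in result.items():
        print(f"{bucket:15s} {names}")
    sys.exit(0 if not result["missed"] and not result["false_positive"] else 1)
```

Run it as `python3 waf_smoke.py http://www.52os.net`; a non-zero exit means either an attack got through or a benign request was blocked, and the printed buckets say which. Extend PROBES with request shapes your own application actually sends (login forms, search boxes, JSON bodies) so the false-positive check reflects real traffic rather than a single phpinfo.php.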
+ b! o2 Q7 r) |+ O( a$ p2 L) J3 T: D) w" t5 {9 P4 E# x
VII. Troubleshooting the installation

1. Missing APXS

configure: looking for Apache module support via DSO through APXS
configure: error: couldn't find APXS

apxs is the tool for building and installing extension modules for the Apache HTTP server; it compiles one or more source or object files into a dynamic shared object. ModSecurity's configure script needs it even for the standalone build.
Fix:

yum install httpd-devel

2. Missing pcre

configure: *** pcre library not found.
configure: error: pcre library is required

Fix:

yum install pcre pcre-devel

3. Missing libxml2

configure: *** xml library not found.
configure: error: libxml2 is required

Fix:

yum install libxml2 libxml2-devel

4. A warning when running /opt/tengine/sbin/nginx -m (a Tengine option that lists the loaded modules)

Tengine version: Tengine/2.1.0 (nginx/1.6.2)
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!

Cause: the APR version ModSecurity was compiled against differs from the one loaded at runtime. error.log shows both versions:

2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.

Fix: remove the older APR (1.3.9):

yum remove apr

Check what else depends on that package before confirming the removal (yum lists the dependents, and httpd is among them on a box with httpd-devel installed). The alternative is to rebuild ModSecurity against the APR that is actually loaded, so that the compiled and loaded versions in the notice match.

5. error.log contains: Audit log: Failed to lock global mutex

2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]

Fix:
Edit modsecurity.conf, comment out the default SecAuditLogType and SecAuditLog, and add the following:

SecAuditLogDirMode 0777
SecAuditLogFileMode 0550
SecAuditLogStorageDir /var/log/modsecurity
SecAuditLogType Concurrent

This switches from the Serial audit log (a single file shared by all workers, which needs the mutex that the unprivileged workers could not lock) to Concurrent logging, one file per transaction under /var/log/modsecurity. The storage directory must exist and be writable by the nginx worker user. Audit logs contain full request and response bodies, so 0777 on the directory is wider than it needs to be; a directory owned by the worker user with mode 0750 does the same job without letting every local account read the captured traffic.
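The error.log lines quoted in items 4 and 5 are the same channel the nginx connector uses to report every rule hit, both the "Access denied with code 403" entries behind the 403s in section VI and the "Warning." entries you get while SecRuleEngine is DetectionOnly. Reading that log is how you tune the rule set before going to blocking mode. The parser below is an added example and not part of the original post; the sample log lines are constructed for it, and the rule ids, messages and patterns in them are illustrative rather than a transcript of a real run. The only line taken from the post is the mutex error from item 5, which the parser correctly treats as an operational error rather than a rule hit.

```python
"""Parser for the ModSecurity 2.x alert lines that the nginx connector
writes to error.log (added example, not the post's own code).  The sample
lines are constructed; rule ids, messages and patterns are illustrative.
"""
import re

# Constructed sample: one operational error (the mutex failure from item 5),
# two blocks from the section VI probes, and one DetectionOnly-style warning
# on an ordinary WordPress admin URI (the kind of hit that needs tuning).
SAMPLE_ERROR_LOG = "\n".join([
    r'2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]',
    r'2015/01/26 04:20:11 [error] 61610#0: [client 10.11.15.161] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?i:\d+\s*=\s*\d+)" at ARGS:id. [file "/opt/tengine/conf/owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "77"] [id "950901"] [msg "SQL Injection Attack: SQL Tautology Detected."] [data "1=1"] [severity "CRITICAL"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [hostname "www.52os.net"] [uri "/phpinfo.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAd"]',
    r'2015/01/26 04:20:12 [error] 61610#0: [client 10.11.15.161] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?i:<script)" at ARGS:search. [file "/opt/tengine/conf/owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf"] [line "21"] [id "973300"] [msg "Possible XSS Attack Detected."] [data "<script>alert"] [severity "CRITICAL"] [tag "OWASP_CRS/WEB_ATTACK/XSS"] [hostname "www.52os.net"] [uri "/phpinfo.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAe"]',
    r'2015/01/26 04:21:30 [error] 61610#0: [client 192.168.1.50] ModSecurity: Warning. Pattern match "(?i:\d+\s*=\s*\d+)" at ARGS:post_id. [file "/opt/tengine/conf/owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "77"] [id "950901"] [msg "SQL Injection Attack: SQL Tautology Detected."] [data "1=1"] [severity "CRITICAL"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [hostname "www.52os.net"] [uri "/wp-admin/edit.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAf"]',
])

# Fixed prefix of a rule hit: timestamp, level, pid#tid, client, verdict.
# "Access denied with code NNN (phase N)." is a block, "Warning." is a hit
# that was logged but not blocked (DetectionOnly, or a rule with pass).
HEAD_RE = re.compile(
    r'^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[(?P<level>\w+)\] \d+#\d+: '
    r'\[client (?P<client>[^\]]+)\] ModSecurity: '
    r'(?P<verdict>Access denied with code (?P<code>\d{3}) \(phase \d\)|Warning)\. '
    r'(?P<rest>.*)$')
# [key "value"] pairs; ModSecurity backslash-escapes quotes inside values.
TAG_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')


def parse_alert(line: str):
    """Return a dict for a rule-hit line, or None for any other line that
    mentions ModSecurity (startup notices, the audit-log mutex error...)."""
    m = HEAD_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rest = m.group("rest")
    first_tag = TAG_RE.search(rest)
    event = {
        "ts": m.group("ts"),
        "client": m.group("client"),
        "blocked": m.group("verdict").startswith("Access denied"),
        "code": int(m.group("code")) if m.group("code") else None,
        # free text before the first tag: the operator and variable that matched
        "reason": rest[:first_tag.start()].strip() if first_tag else rest.strip(),
        "tags": [],
    }
    for key, value in TAG_RE.findall(rest):
        if key == "tag":            # a rule may carry several [tag "..."]
            event["tags"].append(value)
        else:                        # file, line, id, msg, data, uri, ...
            event[key] = value
    return event


def summarize(log_text: str) -> dict:
    """Aggregate per rule id and per client: which rules fire, whether they
    blocked or only warned, and on which URIs.  A rule that keeps warning on
    ordinary URIs from many clients is a false-positive candidate to tune
    before SecRuleEngine goes from DetectionOnly to On."""
    by_rule, by_client = {}, {}
    parsed = skipped = 0
    for line in log_text.splitlines():
        if "ModSecurity:" not in line:
            continue
        ev = parse_alert(line)
        if ev is None:
            skipped += 1
            continue
        parsed += 1
        rule = by_rule.setdefault(ev.get("id", "?"), {
            "msg": ev.get("msg", ""), "blocked": 0, "warned": 0,
            "uris": set(), "clients": set()})
        rule["blocked" if ev["blocked"] else "warned"] += 1
        rule["uris"].add(ev.get("uri", ""))
        rule["clients"].add(ev["client"])
        by_client[ev["client"]] = by_client.get(ev["client"], 0) + 1
    for rule in by_rule.values():        # sets -> sorted lists for stable output
        rule["uris"] = sorted(rule["uris"])
        rule["clients"] = sorted(rule["clients"])
    return {"parsed": parsed, "skipped": skipped,
            "by_rule": by_rule, "by_client": by_client}


if __name__ == "__main__":
    import json
    print(json.dumps(summarize(SAMPLE_ERROR_LOG), indent=2))
```

Feed it the real file with `summarize(open("/opt/tengine/logs/error.log").read())`. The per-rule view is what you want during a DetectionOnly trial: a rule whose hits are spread over normal application URIs and many internal clients is a tuning target (a SecRuleRemoveById or a narrower SecRuleUpdateTargetById in modsecurity.conf), while a rule whose hits cluster on one client and one probe URI is doing its job.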