Using nginx with ModSecurity to implement a WAF

Posted on 2017-10-19 16:53:31
ModSecurity was originally an open-source WAF for Apache that effectively hardens web applications; it now also supports nginx and IIS. Combined with the flexibility and efficiency of nginx, it can be built into a production-grade WAF and is a powerful tool for protecting and auditing web security.

I. Preparation

System: CentOS 6.5 64-bit, Tengine 2.1.0, ModSecurity 2.8.0

Tengine: http://tengine.taobao.org/download/tengine-2.1.0.tar.gz

ModSecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz

OWASP rule set: https://github.com/SpiderLabs/owasp-modsecurity-crs

Dependencies:
Tengine (nginx) depends on pcre, zlib and openssl; all three packages are in the CentOS 6.5 repositories:

yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel

Packages ModSecurity depends on: pcre, httpd-devel, libxml2, apr

yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
II. Enable the standalone module and compile

Download ModSecurity for nginx, unpack it, enter the unpacked directory and run:

./autogen.sh
./configure --enable-standalone-module --disable-mlogc
make

III. Add the ModSecurity module to nginx

Once the standalone module is built, the ModSecurity module can be added when compiling nginx via "--add-module":

./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
make && make install
IV. Add rules

ModSecurity is geared toward filtering and blocking web threats, and its strength lies in its rules. The rules provided by OWASP are maintained by community volunteers and are known as the Core Rule Set (CRS); they are reliable and powerful, and of course you can also write custom rules to meet any particular need.

1. Download the OWASP rules:

git clone https://github.com/SpiderLabs/owasp-modsecurity-crs

mv owasp-modsecurity-crs /opt/tengine/conf/

cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf

2. Enable the OWASP rules:

Copy modsecurity.conf-recommended and unicode.mapping from the ModSecurity source directory into the nginx conf directory, and rename modsecurity.conf-recommended to modsecurity.conf.

Edit modsecurity.conf and set SecRuleEngine to On.

owasp-modsecurity-crs contains several directories of rules, such as base_rules, experimental_rules, optional_rules and slr_rules. Enable the rules you need; each rule file you want to enable is simply pulled in with Include (in modsecurity.conf):

Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
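A missing Include (for example when modsecurity_crs_10_setup.conf.example was never renamed) stops nginx from starting, so it pays to check the file before loading it. The checker below is an added example, not code from the original post; it assumes the layout used here, where modsecurity.conf and the owasp-modsecurity-crs directory both sit in the nginx conf directory, so relative Include paths are resolved against the directory holding modsecurity.conf, and the files demo() creates are constructed.

```python
"""Check a modsecurity.conf: SecRuleEngine must be On and every Include must exist.
Added example, not from the original post. Assumes the layout used above, where
modsecurity.conf and owasp-modsecurity-crs/ both sit in the nginx conf directory,
so relative Include paths are resolved against the directory holding modsecurity.conf.
"""
import os
import re
import tempfile

INCLUDE_RE = re.compile(r'^\s*Include\s+"?([^"\s]+)"?', re.IGNORECASE)
ENGINE_RE = re.compile(r'^\s*SecRuleEngine\s+(\S+)', re.IGNORECASE)


def check_modsec_conf(conf_path):
    """Return (engine_mode, missing_includes); engine_mode is None if never set."""
    base_dir = os.path.dirname(os.path.abspath(conf_path))
    engine, missing = None, []
    with open(conf_path) as fh:
        for line in fh:
            m = ENGINE_RE.match(line)
            if m:
                engine = m.group(1)
                continue
            m = INCLUDE_RE.match(line)
            if m:
                target = m.group(1)
                full = target if os.path.isabs(target) else os.path.join(base_dir, target)
                if not os.path.isfile(full):
                    missing.append(target)
    return engine, missing


def demo():
    """Constructed conf tree reproducing the classic un-renamed .example mistake."""
    root = tempfile.mkdtemp()
    crs = os.path.join(root, "owasp-modsecurity-crs")
    os.makedirs(os.path.join(crs, "base_rules"))
    # The SQLi rule file exists, but the setup file still carries its .example suffix
    open(os.path.join(crs, "base_rules", "modsecurity_crs_41_sql_injection_attacks.conf"), "w").close()
    open(os.path.join(crs, "modsecurity_crs_10_setup.conf.example"), "w").close()
    conf = os.path.join(root, "modsecurity.conf")
    with open(conf, "w") as fh:
        fh.write("SecRuleEngine On\n"
                 "Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf\n"
                 "Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf\n")
    return check_modsec_conf(conf)


if __name__ == "__main__":
    print(demo())
```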
V. Configure nginx

In the location block of each virtual host that should use ModSecurity, add the following two lines:

ModSecurityEnabled on;
ModSecurityConfig modsecurity.conf;

Below are two example configurations. A PHP virtual host:

server {
    listen      80;
    server_name 52os.net www.52os.net;

    location ~ \.php$ {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        root /web/wordpress;
        index index.php index.html index.htm;

        fastcgi_pass   127.0.0.1:9000;
        fastcgi_index  index.php;
        # nginx variable names are case-sensitive: $document_root, not $Document_root
        fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;
        include        fastcgi_params;
    }
}

Upstream load balancing:

# the upstream name must match the proxy_pass target below
upstream online {
    server 192.168.1.100:8080;
    server 192.168.1.101:8080 backup;
}

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location / {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        proxy_pass http://online;
        proxy_redirect   off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
VI. Testing

We have enabled the XSS and SQL injection filters, so abnormal requests are answered directly with 403. Taking the PHP environment as an example, create a phpinfo.php containing:

<?php
    phpinfo();
?>

Then open the following in a browser:

http://www.52os.net/phpinfo.php?id=1 displays normally.
http://www.52os.net/phpinfo.php?id=1 and 1=1 returns 403.
http://www.52os.net/phpinfo.php?search=<script>alert('xss');</script> returns 403.

This shows that SQL injection and XSS are being filtered.
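The manual browser check above can be turned into a repeatable WAF regression test that is worth re-running after every rule or nginx change. This is an added example, not code from the original post; it reuses the host and query strings from the page (set BASE to your own virtual host), and the fetch function is injectable so the check logic can be exercised without a live server.

```python
"""Repeat this section's browser checks as a WAF regression test: the benign
request must still get 200 while the SQLi and XSS probes must be answered 403.
Added example, not from the original post; BASE is the page's test host.
"""
import urllib.error
import urllib.parse
import urllib.request

BASE = "http://www.52os.net/phpinfo.php"

# (query parameters, expected status), taken from the manual test above.
# urlencode percent-encodes the payloads; the CRS decodes them before matching.
CASES = [
    ({"id": "1"}, 200),
    ({"id": "1 and 1=1"}, 403),
    ({"search": "<script>alert('xss');</script>"}, 403),
]


def http_status(url):
    """Return the HTTP status code; urllib raises HTTPError on 4xx, so unwrap it."""
    try:
        with urllib.request.urlopen(url, timeout=5) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def run_waf_checks(fetch=http_status, base=BASE):
    """Return one (url, expected, actual) tuple per case."""
    results = []
    for params, expected in CASES:
        url = base + "?" + urllib.parse.urlencode(params)
        results.append((url, expected, fetch(url)))
    return results


def waf_ok(fetch=http_status, base=BASE):
    """True only if every case got exactly the status the WAF should produce."""
    return all(expected == actual for _, expected, actual in run_waf_checks(fetch, base))


if __name__ == "__main__":
    for url, expected, actual in run_waf_checks():
        print("OK " if expected == actual else "BAD", expected, actual, url)
```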
" K! R) R9 b* n. c/ E. M* M+ X& N2 H& B( u
VII. Troubleshooting the installation

1. Missing APXS causes an error:

configure: looking for Apache module support via DSO through APXS
configure: error: couldn't find APXS

apxs is a tool for compiling and installing extension modules for the Apache HTTP server; it compiles one or more source or object files into a dynamic shared object.

Fix:

yum install httpd-devel

2. pcre missing:

configure: *** pcre library not found.
configure: error: pcre library is required

Fix:

yum install pcre pcre-devel

3. libxml2 missing:

configure: *** xml library not found.
configure: error: libxml2 is required

Fix:

yum install libxml2 libxml2-devel

4. Running /opt/tengine/sbin/nginx -m prints a warning:

Tengine version: Tengine/2.1.0 (nginx/1.6.2)
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!

Cause: the APR version ModSecurity was compiled against differs from the one loaded at runtime, and error.log will also contain the following:

2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.

Fix: remove the older APR (1.3.9):

yum remove apr

5. error.log contains: Audit log: Failed to lock global mutex

2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]

Fix:
Edit modsecurity.conf, comment out the default SecAuditLogType and SecAuditLog, and add the following:

SecAuditLogDirMode 0777
SecAuditLogFileMode 0550
SecAuditLogStorageDir /var/log/modsecurity
SecAuditLogType Concurrent
References:
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
http://drops.wooyun.org/tips/2614