Using nginx with ModSecurity as a WAF

Posted 2017-10-19 16:53:31
ModSecurity started life as an open-source WAF for Apache and noticeably strengthens web security. It now also supports nginx and IIS, and paired with nginx's flexibility and efficiency it can be built into a production-grade WAF, a sharp tool for both protecting and auditing web applications.

1. Preparation

System: CentOS 6.5 64-bit, Tengine 2.1.0, ModSecurity 2.8.0

tengine: http://tengine.taobao.org/download/tengine-2.1.0.tar.gz

ModSecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz

OWASP rule set: https://github.com/SpiderLabs/owasp-modsecurity-crs

Note that these are the ModSecurity 2.x "standalone" nginx module and the CRS 2.x rule layout. For a new deployment on nginx the current route is libmodsecurity (ModSecurity v3) with the ModSecurity-nginx connector, but the steps below still describe the 2.x build faithfully.

Dependencies:
tengine (nginx) depends on pcre, zlib and openssl; all three are in the CentOS 6.5 repositories:

yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel

ModSecurity depends on pcre, httpd-devel, libxml2 and apr:

yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
2. Enabling the standalone module and compiling

Download ModSecurity for nginx, unpack it, and run the following in the unpacked directory:

./autogen.sh
./configure --enable-standalone-module --disable-mlogc
make

--enable-standalone-module builds ModSecurity in the form that hosts other than Apache can embed (the nginx module links against it); --disable-mlogc skips mlogc, the audit-log shipping utility, which is not needed here.
3. Adding the ModSecurity module to nginx

Once the standalone module is built, add it to nginx at configure time with "--add-module":

./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
make && make install
4. Adding rules

ModSecurity filters and blocks web attacks, and its strength lies in its rules. The rules published by OWASP, maintained by community volunteers, are known as the Core Rule Set (CRS); they are reliable and powerful, and you can also write rules of your own for whatever the CRS does not cover.

1. Download the OWASP rules:

git clone https://github.com/SpiderLabs/owasp-modsecurity-crs

mv owasp-modsecurity-crs /opt/tengine/conf/

cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf

The file names used below belong to the CRS 2.2.x layout (base_rules/, experimental_rules/ and so on). A plain git clone of the repository today gives you CRS 3, which keeps everything under rules/ with names like REQUEST-942-APPLICATION-ATTACK-SQLI.conf, so check out a 2.2.x release if you want these exact paths.

2. Enable the OWASP rules:

Copy modsecurity.conf-recommended and unicode.mapping from the ModSecurity source directory into nginx's conf directory, and rename modsecurity.conf-recommended to modsecurity.conf.

Edit modsecurity.conf and set SecRuleEngine to On. The recommended file ships with SecRuleEngine DetectionOnly, which logs matches but never blocks; left unchanged, the 403 responses expected in section 6 will not appear.

The owasp-modsecurity-crs directory contains several folders of rules, for example base_rules, experimental_rules, optional_rules and slr_rules. Enable what you need: any rule file you want active is simply pulled in with Include.

Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
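The post says you can write rules of your own alongside the CRS. As an added example that is not part of the original post, here is a local rule file covering the two things most deployments need beyond the stock CRS: a hand-written rule, and a scoped exclusion for a CRS false positive, plus a canary rule for checking that blocking mode is really on. The file name local_rules.conf, the rule ids 1001 to 1003, the /wp-admin/post.php path and the use of CRS id 973300 are assumptions; ids below 100000 are reserved by the ModSecurity reference manual for local use, so they cannot collide with the CRS.

```apache
# local_rules.conf -- added example, not part of the original post.
# Include it AFTER the CRS files; the rule ids below are assumptions.

# 1. A hand-written rule: deny any argument that still contains "../" after
#    URL decoding. t:none drops the default transformations; t:urlDecodeUni
#    also catches %2e%2e%2f and double-encoded variants.
SecRule ARGS "@contains ../" "id:1001,phase:2,t:none,t:urlDecodeUni,deny,status:403,log,msg:'Local rule: path traversal in request argument',severity:'CRITICAL'"

# 2. A scoped exclusion: the WordPress editor posts HTML in the 'content' field,
#    which trips the CRS XSS rules. Remove the offending rule for that one
#    argument on that one URI instead of dropping the whole XSS rule file.
#    973300 is a CRS 2.x XSS rule id used as an illustration; use whatever id
#    error.log reports for your false positive.
SecRule REQUEST_URI "@beginsWith /wp-admin/post.php" "id:1002,phase:1,t:none,pass,nolog,ctl:ruleRemoveTargetById=973300;ARGS:content"

# 3. A canary that fires only on a value no real user sends, so a monitoring
#    job can prove the WAF is blocking without sending an attack-looking payload.
SecRule ARGS:canary "@streq waf-block-me" "id:1003,phase:2,t:none,deny,status:403,log,msg:'WAF canary triggered'"
```

Put the file next to modsecurity.conf and add `Include local_rules.conf` as the last Include line. Rule 1002 uses the runtime ctl: action rather than the SecRuleRemoveById directive so that it works regardless of where it sits relative to the CRS includes, and removing a single target (ARGS:content) keeps the rule active for every other argument of the same request. Once loaded, a request to /phpinfo.php?canary=waf-block-me should return 403 while normal requests are unaffected.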
5. Configuring nginx

In each virtual host that should be protected, add the following two lines to the location block:

ModSecurityEnabled on;
ModSecurityConfig modsecurity.conf;
Below are two example configurations. First, a PHP virtual host (the original had $Document_root in the SCRIPT_FILENAME line; nginx variable names are case-sensitive and it would refuse to start on the unknown variable, so it is $document_root here):

server {
    listen      80;
    server_name 52os.net www.52os.net;

    location ~ \.php$ {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        root /web/wordpress;
        index index.php index.html index.htm;

        fastcgi_pass   127.0.0.1:9000;
        fastcgi_index  index.php;
        fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;
        include        fastcgi_params;
    }
}
Second, upstream load balancing (proxy_pass has to name the upstream group defined above; the original pointed at http://online, which matches no upstream):

upstream 52os.net {
    server 192.168.1.100:8080;
    server 192.168.1.101:8080 backup;
}

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location / {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        proxy_pass http://52os.net;
        proxy_redirect         off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
6. Testing

With the XSS and SQL injection rules enabled, abnormal requests are answered directly with 403. Using the PHP setup as the example, create a phpinfo.php containing:

<?php
    phpinfo();
?>
Then open the following in a browser:

http://www.52os.net/phpinfo.php?id=1  displays normally.
http://www.52os.net/phpinfo.php?id=1 and 1=1  returns 403.
http://www.52os.net/phpinfo.php?search=<script>alert('xss');</script>  returns 403.

This shows that SQL injection and XSS are being filtered. Remove phpinfo.php once you are done: it discloses the PHP build, loaded modules, configuration paths and environment to anyone who can reach it.
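The three browser checks above are worth scripting so they run after every rule change. The script below is an added example, not from the original post: it sends the same three requests with curl and compares the status codes with what the post expects. BASE (the site URL) is an assumption. curl does not URL-encode a query string the way a browser does, so the payloads are passed through -G --data-urlencode; otherwise the spaces and angle brackets never reach the WAF in the form the browser test sends them.

```shell
#!/bin/sh
# waf_smoke.sh -- re-run the post's three WAF probes with curl.
# Added example, not part of the original post. BASE is an assumption.
BASE="${BASE:-http://www.52os.net}"

# waf_status PATH PARAM VALUE: request PATH?PARAM=VALUE and print the HTTP status.
# -G turns the encoded data into a query string; --data-urlencode encodes VALUE.
waf_status() {
    curl -s --max-time 10 -o /dev/null -w '%{http_code}' \
        -G --data-urlencode "$2=$3" "$BASE$1"
}

# verdict EXPECTED ACTUAL: print PASS/FAIL and return 0/1 accordingly.
verdict() {
    if [ "$1" = "$2" ]; then
        echo "PASS (got $2)"
        return 0
    fi
    echo "FAIL (expected $1, got $2)"
    return 1
}

# run_smoke: benign request must pass, the two attack payloads must be blocked.
# Returns non-zero if any check fails, so it can gate a deploy step.
run_smoke() {
    rc=0
    echo "benign  id=1:"
    verdict 200 "$(waf_status /phpinfo.php id '1')" || rc=1
    echo "sqli    id=1 and 1=1:"
    verdict 403 "$(waf_status /phpinfo.php id '1 and 1=1')" || rc=1
    echo "xss     search=<script>alert('xss');</script>:"
    verdict 403 "$(waf_status /phpinfo.php search "<script>alert('xss');</script>")" || rc=1
    return $rc
}

# Only hit the network when asked: ./waf_smoke.sh --run
if [ "${1:-}" = "--run" ]; then
    run_smoke
fi
```

A 200 on the benign request is as important as the two 403s: if the first check fails after a rule change you have a false positive, and the rule id to exclude is in nginx's error.log.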
6 P0 m3 q; O3 A" P) Z
7. Troubleshooting the installation

1. Missing APXS causes an error

configure: looking for Apache module support via DSO through APXS
configure: error: couldn't find APXS

apxs is the tool that compiles and installs extension modules for the Apache HTTP server; it turns one or more source or object files into a dynamic shared object. The ModSecurity configure script needs it even though nginx, not Apache, will load the result.
Fix:

yum install httpd-devel
2. pcre is missing

configure: *** pcre library not found.
configure: error: pcre library is required

Fix:

yum install pcre pcre-devel

3. libxml2 is missing

configure: *** xml library not found.
configure: error: libxml2 is required

Fix:

yum install libxml2 libxml2-devel
4. Running /opt/tengine/sbin/nginx -m prints a warning

Tengine version: Tengine/2.1.0 (nginx/1.6.2)
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!

Cause: the APR version ModSecurity was compiled against differs from the one loaded at run time, and error.log shows the same thing:

2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.

Fix: remove the older APR (1.3.9):

yum remove apr

yum will also remove every package that depends on that apr, httpd and httpd-devel among them; review the list it prints before confirming.
5. error.log contains: Audit log: Failed to lock global mutex

2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]

Fix: edit modsecurity.conf, comment out the default SecAuditLogType and SecAuditLog, and add:

SecAuditLogDirMode 0777
SecAuditLogFileMode 0550
SecAuditLogStorageDir /var/log/modsecurity
SecAuditLogType Concurrent

Concurrent mode writes one file per transaction under SecAuditLogStorageDir instead of serialising everything into a single file through the shared mutex, so the unprivileged nginx worker needs write access to that directory. 0777 grants it to every local user; creating /var/log/modsecurity owned by the worker user with SecAuditLogDirMode 0750 gives the same result without that. Audit log entries contain the complete request, including any passwords or session tokens it carried, so restrict who can read the directory and rotate it like any other sensitive log.
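Once requests start coming back with 403, the first question is which rule did it and on which URI, and the answer is in nginx's error.log, where each denial is logged as a "ModSecurity: Access denied" line followed by [key "value"] pairs. The script below is an added example, not from the original post. The SAMPLE lines are constructed to mimic the ModSecurity 2.x message format (the rule ids, file paths and timestamps are illustrative); against a real deployment you would feed it /opt/tengine/logs/error.log.

```shell
#!/bin/sh
# modsec_summary.sh -- which rules are blocking requests, from nginx error.log.
# Added example, not part of the original post. SAMPLE is constructed to mimic
# the ModSecurity 2.x "Access denied" message; ids, paths and times are illustrative.
SAMPLE='2017/10/19 16:53:31 [error] 1234#0: [client 192.0.2.10] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?i)1\s*=\s*1" at ARGS:id. [file "/opt/tengine/conf/owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "77"] [id "950901"] [msg "SQL Injection Attack: SQL Tautology Detected."] [severity "CRITICAL"] [hostname "www.52os.net"] [uri "/phpinfo.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]
2017/10/19 16:53:32 [error] 1234#0: [client 192.0.2.10] ModSecurity: Access denied with code 403 (phase 2). Pattern match "<script" at ARGS:search. [file "/opt/tengine/conf/owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf"] [line "42"] [id "973300"] [msg "Possible XSS Attack Detected - HTML Tag Handler"] [severity "CRITICAL"] [hostname "www.52os.net"] [uri "/phpinfo.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAd"]
2017/10/19 16:53:33 [error] 1234#0: [client 192.0.2.11] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?i)1\s*=\s*1" at ARGS:id. [file "/opt/tengine/conf/owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "77"] [id "950901"] [msg "SQL Injection Attack: SQL Tautology Detected."] [severity "CRITICAL"] [hostname "www.52os.net"] [uri "/index.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAe"]
2017/10/19 16:53:34 [error] 1234#0: [client 192.0.2.12] ModSecurity: Warning. Pattern match "(?i)union" at ARGS:q. [id "981176"] [msg "Inbound Anomaly Score Exceeded"] [hostname "www.52os.net"] [uri "/search.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAf"]'

# field KEY: for each log line on stdin, print the value of its [KEY "value"] pair.
field() {
    sed -n "s/.*\[$1 \"\([^\"]*\)\"\].*/\1/p"
}

# blocked: keep only lines where ModSecurity actually denied the request.
# A "Warning." line is a rule match that did not block (DetectionOnly, or a
# scoring rule below the threshold), so it is excluded on purpose.
blocked() {
    grep 'ModSecurity: Access denied'
}

# count_blocked ID: number of denied requests attributed to rule ID.
count_blocked() {
    blocked | field id | grep -c -x "$1"
}

# top_rules: denied count per rule id and message, most frequent first.
top_rules() {
    blocked | while IFS= read -r line; do
        printf '%s | %s\n' "$(printf '%s\n' "$line" | field id)" \
                           "$(printf '%s\n' "$line" | field msg)"
    done | sort | uniq -c | sort -rn
}

# uris_for ID: the URIs rule ID blocked, the starting point for deciding
# whether each hit is a true positive or needs a per-path exclusion.
uris_for() {
    blocked | grep "\[id \"$1\"\]" | field uri | sort -u
}

# Run against the constructed sample; for real data use:
#   top_rules < /opt/tengine/logs/error.log
printf '%s\n' "$SAMPLE" | top_rules
```

A rule that blocks many different URIs in a short window is usually a real scan; a rule that keeps blocking one URI for legitimate-looking clients is the false positive to exclude, by id and target, for that path only rather than by disabling the rule file.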
References:
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
http://drops.wooyun.org/tips/2614