Using nginx with ModSecurity as a WAF

Posted 2017-10-19 16:53:31
ModSecurity started out as an open-source WAF for Apache and substantially strengthens web security; it now also supports nginx and IIS. Combined with nginx's flexibility and performance it can be built into a production-grade WAF, a powerful tool for protecting and auditing web applications.

I. Preparation

System: CentOS 6.5 64-bit, Tengine 2.1.0, ModSecurity 2.8.0

Tengine: http://tengine.taobao.org/download/tengine-2.1.0.tar.gz

ModSecurity for nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz

OWASP rule set: https://github.com/SpiderLabs/owasp-modsecurity-crs

Dependencies:
Tengine (nginx) needs pcre, zlib and openssl; all three are in the CentOS 6.5 base repositories:

yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel

ModSecurity needs pcre, httpd-devel, libxml2 and apr (its configure script uses apxs from httpd-devel; no Apache instance has to be running):

yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
II. Enable the standalone module and compile

Download ModSecurity for nginx, unpack it, change into the unpacked directory and run:

./autogen.sh
./configure --enable-standalone-module --disable-mlogc
make
III. Add the ModSecurity module to nginx

Once the standalone module is built, pass it to nginx's configure with "--add-module" when compiling nginx (adjust the path to wherever the ModSecurity tarball was unpacked):

./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
make && make install
IV. Add rules

ModSecurity is about filtering and blocking web attacks, and its strength lies in its rules. The rules published by OWASP are maintained by community volunteers and are known as the Core Rule Set (CRS); they are reliable and powerful, and you can also write your own rules to cover whatever the CRS does not.

1. Download the OWASP rules:

git clone https://github.com/SpiderLabs/owasp-modsecurity-crs

mv owasp-modsecurity-crs /opt/tengine/conf/

cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf

The directory layout used below (base_rules, experimental_rules, optional_rules, slr_rules) is that of CRS 2.x. The repository's current branches are CRS 3, which keeps all rules in a single rules/ directory and uses crs-setup.conf.example instead, so check out a 2.2.x tag such as v2.2.9 if you want the file names used here.
2. Enable the OWASP rules:

Copy modsecurity.conf-recommended and unicode.mapping from the ModSecurity source directory into nginx's conf directory, and rename modsecurity.conf-recommended to modsecurity.conf.

Edit modsecurity.conf and set SecRuleEngine to On. The recommended file ships with SecRuleEngine DetectionOnly, which logs matches without blocking; leaving it there for a while in front of real traffic is the usual way to find false positives before switching to On.

owasp-modsecurity-crs contains several directories of rules, e.g. base_rules, experimental_rules, optional_rules and slr_rules. Enable what you need: each rule file you want active is pulled in with an Include in modsecurity.conf, with the setup file first, since it defines the default action the rule files rely on:

Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
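Besides including CRS files, the post mentions writing your own rules. The shell function below is an added example, not code from the post or from the ModSecurity or CRS projects: it drops a small local rule file beside the CRS and makes sure modsecurity.conf includes it exactly once, so it can be rerun safely. The file name modsecurity_local_rules.conf, the rule ids 1001 to 1003 and the CRS rule id 973300 named in the exclusion are this example's own assumptions; check the id of the rule actually firing in your error.log before copying the exclusion.

```shell
#!/bin/sh
# Added example (not from the original post): install a local ModSecurity 2.x
# rule file next to the CRS and Include it from modsecurity.conf exactly once.
# Assumptions: the conf directory layout from the post; the file name
# modsecurity_local_rules.conf and rule ids 1001-1003 are choices made here;
# 973300 stands for whichever CRS rule id your error.log shows for a false positive.

install_local_rules() {
    conf_dir="$1"                                  # e.g. /opt/tengine/conf
    rules="$conf_dir/modsecurity_local_rules.conf"

    # Local rules are included after the CRS so they can switch CRS rules off.
    cat > "$rules" <<'EOF'
# 1001: WordPress's admin editor legitimately posts HTML. Instead of disabling
#       the XSS checks globally, drop the offending CRS rule for that path only.
SecRule REQUEST_URI "@beginsWith /wp-admin/" \
    "id:1001,phase:1,pass,nolog,ctl:ruleRemoveById=973300"

# 1002/1003: explicit rules for the two probes used in the post's test, with a
#       message that makes the block easy to find in error.log.
SecRule ARGS "@rx (?i)(\bunion\b.+\bselect\b|\band\s+1\s*=\s*1\b)" \
    "id:1002,phase:2,deny,status:403,log,msg:'local rule: SQL injection probe'"
SecRule ARGS "@rx (?i)<\s*script" \
    "id:1003,phase:2,deny,status:403,log,msg:'local rule: script tag in argument'"
EOF

    # Append the Include only if it is not already present, so reruns are harmless.
    grep -q '^Include modsecurity_local_rules.conf$' "$conf_dir/modsecurity.conf" ||
        printf '\nInclude modsecurity_local_rules.conf\n' >> "$conf_dir/modsecurity.conf"
}

# How many times the Include line is present (0 when absent); used to verify idempotence.
count_local_include() {
    grep -c '^Include modsecurity_local_rules.conf$' "$1/modsecurity.conf" || true
}
```

Call it as install_local_rules /opt/tengine/conf, then run /opt/tengine/sbin/nginx -t and reload. Rule 1001 uses ctl:ruleRemoveById, which disables the named rule for the current transaction only; SecRuleRemoveById would remove it for every request.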
V. Configure nginx

In the location block of every virtual host that should be protected by ModSecurity, add these two lines:

ModSecurityEnabled on;
ModSecurityConfig modsecurity.conf;
Below are two example configurations. A PHP virtual host:

server {
    listen      80;
    server_name 52os.net www.52os.net;

    location ~ \.php$ {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        root /web/wordpress;
        index index.php index.html index.htm;

        fastcgi_pass   127.0.0.1:9000;
        fastcgi_index  index.php;
        # nginx variable names are case-sensitive: $document_root, not $Document_root
        fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;
        include        fastcgi_params;
    }
}

Note that ModSecurityEnabled applies per location: with this layout only requests routed to the .php location are inspected, and requests served by other locations (static files, for example) bypass the WAF.
upstream load balancing:

# the upstream name must match what proxy_pass references
upstream online {
    server 192.168.1.100:8080;
    server 192.168.1.101:8080 backup;
}

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location / {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        proxy_pass http://online;
        proxy_redirect         off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header  X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
VI. Testing

We enabled the XSS and SQL injection filters, so malformed requests come straight back as 403. Using the PHP setup as an example, create phpinfo.php containing:

<?php
    phpinfo();
?>

Then open in a browser:

http://www.52os.net/phpinfo.php?id=1 displays normally.
http://www.52os.net/phpinfo.php?id=1 and 1=1 returns 403.
http://www.52os.net/phpinfo.php?search=<script>alert('xss');</script> returns 403.

This shows that SQL injection and XSS are being filtered. Delete phpinfo.php once you are done: it discloses the PHP build, loaded modules and environment to anyone who can reach it.
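With SecRuleEngine On, every 403 the tests above produce also lands in nginx's error.log as a "ModSecurity: Access denied" line carrying the rule id and URI (the nginx prefix and ModSecurity field layout are the ones shown under item 5 of the troubleshooting section). The functions below are an added example, not from the post: they reduce such a log to hit counts per rule and URI and per client, which is the quickest way to spot a rule that is blocking legitimate traffic before you add an exclusion. The sample log written by write_sample_errorlog is constructed for this example, and the rule ids and addresses in it are illustrative.

```shell
#!/bin/sh
# Added example (not from the original post): triage ModSecurity denials
# recorded in nginx's error.log. Assumes the line layout shown in the post:
#   <date> <time> [error] <pid>#0: [client <ip>] ModSecurity: Access denied ... [id "<n>"] ... [uri "<path>"] ...
# The sample log, its rule ids and its client addresses are constructed here.

# Hit count per (rule id, uri), most frequent first. A rule that tops this
# list on an ordinary URI with ordinary clients is a false-positive candidate.
# [uri] holds the path only (no query string), so it never contains spaces.
summarize_modsec_denials() {
    grep 'ModSecurity: Access denied' "$1" |
        sed -n 's/.*\[id "\([0-9]*\)"].*\[uri "\([^"]*\)"].*/\1 \2/p' |
        sort | uniq -c | sort -rn |
        awk '{ printf "%s hits  id=%s  uri=%s\n", $1, $2, $3 }'
}

# Denials per client address, most frequent first; scanners and brute-force
# sources stand out here.
summarize_modsec_clients() {
    grep 'ModSecurity: Access denied' "$1" |
        sed -n 's/.*\[client \([0-9.]*\)].*/\1/p' |
        sort | uniq -c | sort -rn |
        awk '{ printf "%s hits  client=%s\n", $1, $2 }'
}

# Constructed sample: two SQLi denials and one XSS denial, plus two
# non-denial lines that must be ignored.
write_sample_errorlog() {
    cat > "$1" <<'EOF'
2015/01/26 04:20:01 [notice] 61610#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 04:20:05 [error] 61610#0: [client 10.11.15.161] ModSecurity: Access denied with code 403 (phase 2). Pattern match "..." at ARGS:id. [file "/opt/tengine/conf/owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "77"] [id "950901"] [msg "SQL Injection Attack: SQL Tautology Detected."] [data "Matched Data: 1=1 found within ARGS:id: 1 and 1=1"] [severity "CRITICAL"] [hostname "www.52os.net"] [uri "/phpinfo.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]
2015/01/26 04:20:09 [error] 61610#0: [client 10.11.15.161] ModSecurity: Access denied with code 403 (phase 2). Pattern match "..." at ARGS:search. [file "/opt/tengine/conf/owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf"] [line "29"] [id "973300"] [msg "Possible XSS Attack Detected - HTML Tag Handler"] [severity "CRITICAL"] [hostname "www.52os.net"] [uri "/phpinfo.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAd"]
2015/01/26 04:20:12 [warn] 61610#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 04:20:15 [error] 61610#0: [client 192.168.1.50] ModSecurity: Access denied with code 403 (phase 2). Pattern match "..." at ARGS:id. [file "/opt/tengine/conf/owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "77"] [id "950901"] [msg "SQL Injection Attack: SQL Tautology Detected."] [severity "CRITICAL"] [hostname "www.52os.net"] [uri "/phpinfo.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAe"]
EOF
}
```

Run it against the real file with summarize_modsec_denials /opt/tengine/logs/error.log (or whatever error_log points at). In DetectionOnly mode the same lines appear with "Warning." instead of "Access denied", so swap the grep pattern to review what would have been blocked before switching the engine On.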
0 ?; k3 n  _, g: K  v% ^( @" L0 ]
VII. Troubleshooting the installation

1. Missing APXS

configure: looking for Apache module support via DSO through APXS
configure: error: couldn't find APXS

apxs is the tool for building and installing extension modules for the Apache HTTP server; it compiles one or more source or object files into a dynamic shared object. ModSecurity's configure script needs it even for the standalone build.
Fix:

yum install httpd-devel

2. pcre missing

configure: *** pcre library not found.
configure: error: pcre library is required

Fix:

yum install pcre pcre-devel

3. libxml2 missing

configure: *** xml library not found.
configure: error: libxml2 is required

Fix:

yum install libxml2 libxml2-devel
4. Warning when running /opt/tengine/sbin/nginx -m

Tengine version: Tengine/2.1.0 (nginx/1.6.2)
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!

Cause: the APR version ModSecurity was compiled against differs from the one loaded at run time, and error.log shows the same thing:

2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.

Fix: remove the older APR (1.3.9)

yum remove apr

yum will offer to remove everything that depends on that package as well (apr-util, httpd-devel and whatever pulls them in), so read the list before confirming; the build is already finished, so apxs is no longer needed. ldd /opt/tengine/sbin/nginx | grep apr shows which libapr the binary actually resolves to, before and after.
5. error.log contains: Audit log: Failed to lock global mutex

2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]

Fix:
Edit modsecurity.conf, comment out the default SecAuditLogType and SecAuditLog, and add:

SecAuditLogDirMode 0777
SecAuditLogFileMode 0550
SecAuditLogStorageDir /var/log/modsecurity
SecAuditLogType Concurrent

Concurrent mode writes one file per transaction under SecAuditLogStorageDir instead of serialising every worker through the shared mutex. Create /var/log/modsecurity owned by the user the nginx workers run as; with that in place 0777 is wider than needed (0750 is enough) and worth tightening, because audit log entries contain full request headers and bodies, including session cookies and submitted form fields.
References:
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
http://drops.wooyun.org/tips/2614