nginx with ModSecurity as a WAF

Posted on 2017-10-19 16:53:31
ModSecurity started as an open-source WAF for Apache that noticeably strengthens web security. It now also supports nginx and IIS, and combined with the flexibility and performance of nginx it can be built into a production-grade WAF, a useful tool for protecting and auditing web applications.

1. Preparation

System: CentOS 6.5 64-bit, Tengine 2.1.0, ModSecurity 2.8.0

Tengine: http://tengine.taobao.org/download/tengine-2.1.0.tar.gz

ModSecurity for nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz

OWASP rule set: https://github.com/SpiderLabs/owasp-modsecurity-crs

Dependencies:
Tengine (nginx) depends on pcre, zlib and openssl; all three packages are in the CentOS 6.5 repositories:

yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel

Packages ModSecurity depends on: pcre, httpd-devel, libxml2, apr

yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
2. Enable the standalone module and build

Download ModSecurity for nginx, unpack it, enter the unpacked directory and run:

./autogen.sh
./configure --enable-standalone-module --disable-mlogc
make

3. Add the ModSecurity module to nginx

Once the standalone module is built, the ModSecurity module is added when nginx is built, using "--add-module":

./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
make && make install
4. Add rules

ModSecurity is geared towards filtering and blocking web threats, and its strength lies in its rules. The rules OWASP provides are maintained by community volunteers and are known as the Core Rule Set (CRS); they are reliable and powerful, and custom rules can of course be written to cover any other need.

1) Download the OWASP rules:

git clone https://github.com/SpiderLabs/owasp-modsecurity-crs

mv owasp-modsecurity-crs /opt/tengine/conf/

cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf

2) Enable the OWASP rules:

Copy modsecurity.conf-recommended and unicode.mapping from the ModSecurity source directory into the nginx conf directory, and rename modsecurity.conf-recommended to modsecurity.conf.

Edit modsecurity.conf and set SecRuleEngine to On.

owasp-modsecurity-crs contains several folders of rules, for example base_rules, experimental_rules, optional_rules and slr_rules. Enable the rules you need; a rule file is enabled by pulling it in with Include:

Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
5. Configure nginx

In the location block of each virtual host where ModSecurity should be enabled, add these two lines:

ModSecurityEnabled on;
ModSecurityConfig modsecurity.conf;

Two example configurations follow. First, a PHP virtual host:

server {
    listen      80;
    server_name 52os.net www.52os.net;

    location ~ \.php$ {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        root /web/wordpress;
        index index.php index.html index.htm;

        fastcgi_pass   127.0.0.1:9000;
        fastcgi_index  index.php;
        # nginx variable names are case-sensitive: $document_root, not $Document_root
        fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;
        include        fastcgi_params;
    }
}

Second, upstream load balancing:

# the upstream name must match the one used in proxy_pass below
upstream online {
    server 192.168.1.100:8080;
    server 192.168.1.101:8080 backup;
}

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location / {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        proxy_pass http://online;
        proxy_redirect   off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
6. Testing

With the XSS and SQL injection filters enabled, abnormal requests are answered directly with 403. Taking a PHP environment as the example, create a phpinfo.php containing:

<?php
    phpinfo();
?>

Then open the following in a browser:

http://www.52os.net/phpinfo.php?id=1  displays normally.
http://www.52os.net/phpinfo.php?id=1 and 1=1  returns 403.
http://www.52os.net/phpinfo.php?search=<script>alert('xss');</script>  returns 403.

This shows that SQL injection and XSS are being filtered.

7. Troubleshooting the installation

1) Missing APXS

configure: looking for Apache module support via DSO through APXS
configure: error: couldn't find APXS

apxs is the tool for building and installing extension modules for the Apache HTTP server; it compiles one or more source or object files into a dynamic shared object.
Fix:

yum install httpd-devel

2) pcre not found

configure: *** pcre library not found.
configure: error: pcre library is required

Fix:

yum install pcre pcre-devel

3) libxml2 not found

configure: *** xml library not found.
configure: error: libxml2 is required

Fix:

yum install libxml2 libxml2-devel

4) A warning when running /opt/tengine/sbin/nginx -m

Tengine version: Tengine/2.1.0 (nginx/1.6.2)
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!

Cause: the APR version ModSecurity was compiled against differs from the one loaded at run time; error.log shows the same thing:

2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.

Fix: remove the older APR (1.3.9)

yum remove apr

5) error.log contains: Audit log: Failed to lock global mutex

2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]

Fix:
Edit modsecurity.conf, comment out the default SecAuditLogType and SecAuditLog, and add the following:

SecAuditLogDirMode 0777
SecAuditLogFileMode 0550
SecAuditLogStorageDir /var/log/modsecurity
SecAuditLogType Concurrent

Note that 0777 is wider than needed: the storage directory only has to be writable by the user the nginx worker processes run as, so a directory owned by that user with a tighter mode also clears the permission error.
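As an added example (not code from the original post), a small Python parser for the ModSecurity entries nginx writes to error.log, covering the line kinds shown in items 4 and 5 above: the startup version notices (flagging a real compiled/loaded mismatch like the APR one while ignoring the date suffix PCRE appends), the audit-log permission error, and a rule block with its [key "value"] details. The sample lines are constructed to match that format; rule id 999999 and the matched pattern are placeholders, not values from the post.

```python
import re

# Constructed sample error.log lines modelled on the entries quoted in section 7
# (not captured from the post's server; rule id 999999 is a placeholder).
SAMPLE_LOG = """\
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]
2015/01/26 04:16:01 [error] 61610#0: [client 10.11.15.162] ModSecurity: Access denied with code 403 (phase 2). Pattern match "and 1=1" at ARGS:id. [file "/opt/tengine/conf/owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "1"] [id "999999"] [msg "SQL Injection Attack"] [hostname "www.52os.net"] [uri "/phpinfo.php"] [unique_id "BcBcBcBcBcBcBcB4DcB7BcBc"]
"""

# nginx error.log prefix, optional "[client ip]" field, then the ModSecurity body.
LINE_RE = re.compile(r'^(?P<time>\S+ \S+) \[(?P<level>\w+)\] (?P<pid>\d+)#\d+: '
                     r'(?:\[client (?P<client>[^\]]+)\] )?ModSecurity: (?P<body>.*)$')
TAG_RE = re.compile(r'\[(?P<key>[a-z_]+) "(?P<val>[^"]*)"\]')  # trailing [key "value"] details
VER_RE = re.compile(r'^(?P<lib>\w+) compiled version="(?P<c>[^"]*)"; loaded version="(?P<l>[^"]*)"')

def parse_line(line):
    # Returns a dict for a ModSecurity line, None for any other nginx line.
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    body = rec.pop('body')
    rec['tags'] = dict(TAG_RE.findall(body))
    rec['kind'] = 'other'
    v = VER_RE.match(body)
    if v:
        rec['kind'], rec['lib'] = 'version', v['lib']
        # Bare version numbers only: PCRE's "7.8 " vs "7.8 2008-09-05" is the same release.
        rec['mismatch'] = v['c'].split()[0] != v['l'].split()[0]
    elif body.startswith('Access denied'):
        rec['kind'] = 'blocked'       # a rule fired and the request was refused
    elif body.startswith('Audit log:'):
        rec['kind'] = 'audit_error'   # logging failure (item 5 above), not a rule hit
    return rec

def summarize(log_text):
    # Groups the log into what an operator checks after enabling the WAF.
    out = {'blocked': [], 'audit_errors': 0, 'version_mismatch': []}
    for rec in filter(None, map(parse_line, log_text.splitlines())):
        if rec['kind'] == 'blocked':
            t = rec['tags']
            out['blocked'].append((rec['client'], t.get('hostname'), t.get('uri'), t.get('id')))
        elif rec['kind'] == 'audit_error':
            out['audit_errors'] += 1
        elif rec['kind'] == 'version' and rec['mismatch']:
            out['version_mismatch'].append(rec['lib'])
    return out
```

Run summarize() over the real error.log after enabling ModSecurity: a non-empty version_mismatch list or a non-zero audit_errors count points at items 4 and 5, while the blocked list is the quick check that the rules from section 4 are actually firing.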
References:
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
http://drops.wooyun.org/tips/2614