Using nginx with ModSecurity to build a WAF

Posted 2017-10-19 16:53:31
ModSecurity started out as an open-source WAF for Apache that noticeably strengthens web security; it now also supports nginx and IIS. Combined with the flexibility and efficiency of nginx it can be built into a production-grade WAF, a powerful tool for protecting and auditing web applications.

I. Preparation

System: CentOS 6.5 64-bit, Tengine 2.1.0, ModSecurity 2.8.0

Tengine: http://tengine.taobao.org/download/tengine-2.1.0.tar.gz
ModSecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz
OWASP rule set: https://github.com/SpiderLabs/owasp-modsecurity-crs

Dependencies:
Tengine (nginx) depends on pcre, zlib and openssl; all three are in the CentOS 6.5 repositories:

yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel

Packages ModSecurity depends on: pcre, httpd-devel, libxml2, apr

yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel

II. Enable the standalone module and compile

Download ModSecurity for nginx, unpack it, change into the extracted directory and run:

./autogen.sh
./configure --enable-standalone-module --disable-mlogc
make

III. Add the ModSecurity module to nginx

Once the standalone module has been built, pass it to the nginx build with "--add-module":

./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
make && make install

IV. Add rules

ModSecurity is geared towards filtering and blocking web attacks, and its strength lies in its rules. The rule set provided by OWASP is maintained by community volunteers and is known as the Core Rule Set (CRS); the rules are reliable and powerful, and you can of course write custom rules to cover your own needs.

1. Download the OWASP rules:

git clone https://github.com/SpiderLabs/owasp-modsecurity-crs
mv owasp-modsecurity-crs /opt/tengine/conf/
cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf

2. Enable the OWASP rules:

Copy modsecurity.conf-recommended and unicode.mapping from the ModSecurity source directory into nginx's conf directory, and rename modsecurity.conf-recommended to modsecurity.conf.

Edit modsecurity.conf and set SecRuleEngine to On (the recommended file ships with DetectionOnly, which only logs and never blocks).

owasp-modsecurity-crs contains several directories of rules, for example base_rules, experimental_rules, optional_rules and slr_rules. Enable whichever you need: a rule file is activated by pulling it in with an Include line in modsecurity.conf, for example:

Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf

V. Configure nginx

In the location block of each virtual host that should be protected by ModSecurity, add these two lines:

ModSecurityEnabled on;
ModSecurityConfig modsecurity.conf;

Two example configurations follow. A PHP virtual host:

server {
    listen      80;
    server_name 52os.net www.52os.net;

    location ~ \.php$ {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        root  /web/wordpress;
        index index.php index.html index.htm;

        fastcgi_pass   127.0.0.1:9000;
        fastcgi_index  index.php;
        # nginx variables are case-sensitive: $document_root, not $Document_root
        fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;
        include        fastcgi_params;
    }
}

An upstream with load balancing:

upstream 52os.net {
    server 192.168.1.100:8080;
    server 192.168.1.101:8080 backup;
}

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location / {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        # proxy_pass must name the upstream block defined above
        proxy_pass http://52os.net;
        proxy_redirect   off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}

VI. Testing

With the XSS and SQL injection filters enabled, abnormal requests are answered with a 403 straight away. Taking a PHP environment as the example, create a phpinfo.php containing:

<?php
    phpinfo();
?>

Then open the following in a browser:

http://www.52os.net/phpinfo.php?id=1  displays normally.
http://www.52os.net/phpinfo.php?id=1 and 1=1  returns 403.
http://www.52os.net/phpinfo.php?search=<script>alert('xss');</script>  returns 403.

This shows that SQL injection and XSS are being filtered.
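The three browser checks above are easy to forget after the next rule change, so here is an added example (not from the original post) that repeats them with curl and reports pass/fail per probe. It assumes curl is installed and that TARGET points at your own ModSecurity-protected phpinfo.php; the localhost default is an assumption, and the expected status codes are the ones the post states.

```shell
#!/bin/sh
# Added example (not from the original post): re-run the three browser checks from
# the testing section with curl, so the WAF can be verified again after every rule
# change. Assumes curl is installed. TARGET must point at your own ModSecurity-
# protected phpinfo.php; the localhost default below is an assumption.
TARGET="${TARGET:-http://localhost/phpinfo.php}"

# http_status URL "name=value" -> prints the HTTP status code curl received.
# -G turns the data into a query string and --data-urlencode percent-encodes it,
# which is what the browser did silently for the spaces, < and > in the probes
# below; curl prints 000 when no HTTP response came back at all.
http_status() {
  curl -s -o /dev/null -w '%{http_code}' --max-time 5 -G --data-urlencode "$2" "$1"
}

# judge LABEL EXPECTED ACTUAL -> prints a verdict line, returns 1 on a mismatch
judge() {
  if [ "$2" = "$3" ]; then
    printf 'PASS %-8s got %s\n' "$1" "$3"
  else
    printf 'FAIL %-8s expected %s, got %s\n' "$1" "$2" "$3"
    return 1
  fi
}

# run_smoke_test -> one verdict per probe; the return value is the number of
# probes that did not behave the way the post says they should
run_smoke_test() {
  failures=0
  judge benign 200 "$(http_status "$TARGET" "id=1")" \
    || failures=$((failures + 1))
  judge sqli 403 "$(http_status "$TARGET" "id=1 and 1=1")" \
    || failures=$((failures + 1))
  judge xss 403 "$(http_status "$TARGET" "search=<script>alert('xss');</script>")" \
    || failures=$((failures + 1))
  return "$failures"
}

case "${1:-}" in
  run) run_smoke_test ;;
  *)   echo "usage: TARGET=http://host/phpinfo.php sh $0 run" ;;
esac
```

Run it with `TARGET=http://host/phpinfo.php sh waf-smoke.sh run`; a non-zero exit status means at least one probe did not get the status the post expects, which is the signal to look at modsecurity.conf (SecRuleEngine) or the Include list before trusting the deployment. Percent-encoding the query matters: sent raw, the spaces in `1 and 1=1` break the request line and nginx answers 400 before ModSecurity ever sees it.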

VII. Troubleshooting the installation

1. Missing APXS

configure: looking for Apache module support via DSO through APXS
configure: error: couldn't find APXS

apxs is the tool that compiles and installs extension modules for the Apache HTTP server; it turns one or more source or object files into a dynamic shared object.
Fix:

yum install httpd-devel

2. No pcre

configure: *** pcre library not found.
configure: error: pcre library is required

Fix:

yum install pcre pcre-devel

3. No libxml2

configure: *** xml library not found.
configure: error: libxml2 is required

Fix:

yum install libxml2 libxml2-devel
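Each of the three configure errors above corresponds to one missing development tool, so they can be caught before ./configure runs. The following is an added example (not from the original post) that checks for those tools and prints the yum command that supplies them; the tool-to-package mapping follows the post for apxs, pcre and libxml2, and the apr-1-config entry is our own addition.

```shell
#!/bin/sh
# Added example (not from the original post): check, before running ./configure,
# for the build tools whose absence produces the three errors in the troubleshooting
# section, and print the yum command that supplies them. The tool-to-package
# mapping follows the post for apxs (httpd-devel), pcre (pcre-devel) and libxml2
# (libxml2-devel); the apr-1-config entry is our own addition.
# Each entry is "tool:package".
MODSEC_BUILD_DEPS="apxs:httpd-devel pcre-config:pcre-devel xml2-config:libxml2-devel apr-1-config:apr-devel"

# missing_tools tool:package ... -> prints "tool package" for every tool that is
# not on PATH; returns 0 when nothing is missing, 1 otherwise
missing_tools() {
  rc=0
  for entry in "$@"; do
    tool=${entry%%:*}
    pkg=${entry#*:}
    if ! command -v "$tool" >/dev/null 2>&1; then
      printf '%s %s\n' "$tool" "$pkg"
      rc=1
    fi
  done
  return "$rc"
}

# fix_command REPORT -> builds one "yum install ..." line from missing_tools
# output, listing each package once
fix_command() {
  pkgs=$(printf '%s\n' "$1" | cut -d' ' -f2 | sort -u | tr '\n' ' ')
  printf 'yum install %s\n' "${pkgs% }"
}

# preflight -> readable report; returns 1 when ./configure is expected to fail
preflight() {
  # unquoted on purpose: the variable holds a space-separated list of entries
  if report=$(missing_tools $MODSEC_BUILD_DEPS); then
    echo "all ModSecurity build dependencies found"
    return 0
  fi
  printf '%s\n' "$report" | while read -r tool pkg; do
    echo "missing: $tool (./configure will stop here; install $pkg)"
  done
  fix_command "$report"
  return 1
}

preflight || echo "install the packages above, then run ./configure again"
```

Run it in the unpacked ModSecurity source directory before `./autogen.sh`; on the CentOS 6.5 host from section I the printed `yum install` line is the one to run.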
4. Running /opt/tengine/sbin/nginx -m prints a warning

Tengine version: Tengine/2.1.0 (nginx/1.6.2)
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!

Cause: the APR version ModSecurity was compiled against differs from the one loaded at runtime. error.log will also contain:

2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.

Fix: remove the older APR (1.3.9):

yum remove apr
5. error.log contains: Audit log: Failed to lock global mutex

2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]

Fix:
Edit modsecurity.conf, comment out the default SecAuditLogType and SecAuditLog, and add the following:

SecAuditLogDirMode 0777
SecAuditLogFileMode 0550
SecAuditLogStorageDir /var/log/modsecurity
SecAuditLogType Concurrent
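Both of the conditions in items 4 and 5 only show up in error.log, and both matter to a defender: a mismatched APR means the module is running against a library it was not built for, and a failed audit-log lock means requests are passing through without being audited. The following is an added example (not from the original post) that scans error.log for exactly these two lines and prints one finding per hit; the sample log embedded in it is constructed from the excerpts quoted in the post.

```shell
#!/bin/sh
# Added example (not from the original post): scan nginx's error.log for the two
# ModSecurity conditions described in troubleshooting items 4 and 5 (APR
# compiled/loaded version mismatch, audit log mutex lock failure) and print one
# finding per line. The sample log below is constructed from the post's excerpts.

# check_modsec_log < error.log -> prints APR_MISMATCH / AUDIT_LOCK_FAILED findings
check_modsec_log() {
  while IFS= read -r line; do
    case "$line" in
      *'ModSecurity: APR compiled version='*)
        # the startup notice carries both versions; flag them only when they differ
        compiled=$(printf '%s\n' "$line" | sed -n 's/.*compiled version="\([^"]*\)".*/\1/p')
        loaded=$(printf '%s\n' "$line" | sed -n 's/.*loaded *version="\([^"]*\)".*/\1/p')
        if [ "$compiled" != "$loaded" ]; then
          printf 'APR_MISMATCH compiled=%s loaded=%s\n' "$compiled" "$loaded"
        fi
        ;;
      *'Audit log: Failed to lock global mutex'*)
        # audit logging failed for this request: record which URI went unaudited
        uri=$(printf '%s\n' "$line" | sed -n 's/.*\[uri "\([^"]*\)"\].*/\1/p')
        printf 'AUDIT_LOCK_FAILED uri=%s\n' "$uri"
        ;;
    esac
  done
}

# Constructed sample built from the log lines quoted in the post.
SAMPLE_LOG='2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]'

# Real use: check_modsec_log < /opt/tengine/logs/error.log
printf '%s\n' "$SAMPLE_LOG" | check_modsec_log
```

On the sample this prints `APR_MISMATCH compiled=1.5.0 loaded=1.3.9` followed by `AUDIT_LOCK_FAILED uri=/i.php`; the PCRE notice is deliberately not flagged, since its two version strings differ only by the build date. Pointed at the live error.log after a restart, an empty result confirms that the fixes from items 4 and 5 took effect.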

References:
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
http://drops.wooyun.org/tips/2614