找回密码
 立即注册

QQ登录

只需一步,快速开始

查看: 11791|回复: 0

nginx配合modsecurity实现WAF功能

[复制链接]
发表于 2017-10-19 16:53:31 | 显示全部楼层 |阅读模式
modsecurity原本是Apache上的一款开源waf,可以有效的增强web安全性,目前已经支持nginx和IIS,配合nginx的灵活和高效,可以打造成生产级的WAF,是保护和审核web安全的利器。0 u6 B& m3 X0 [7 X( g0 @

5 N; P  n$ v; e一.准备工作
( U6 G" r4 b0 Z! \6 d+ o8 j- H2 U6 D! a3 o. F. |, f" D' E
系统:centos 6.5 64位、 tengine 2.1.0, modsecurity 2.8.0$ d( ?7 w6 T; w8 |1 w, E7 w7 z; n

9 @, B6 p& B/ Mtengine : http://tengine.taobao.org/download/tengine-2.1.0.tar.gz$ X8 i1 U9 V- u# v

' t6 P% }( r- emodsecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz# i7 T0 G  S! N8 y" H
. W  I$ t% t" _% l7 @, @
OWASP规则集: https://github.com/SpiderLabs/owasp-modsecurity-crs
# t9 H0 f! f9 X. ~. ~( x% `! e9 Z% h4 ~4 H3 t; a* O
依赖关系:" O) ~: v- l2 ~2 x( U
tengine(nginx)依赖: pcre 、zlib、 openssl, 这三个包centos 6.5 系统源里都有:  {) X# k2 x" h/ N; I: [) n' S

) P$ T8 D! m( o1 v7 o4 }* Ryum install zlib zlib-devel openssl openssl-devel  pcre pcre-devel. s+ {0 J; u2 a! [8 ~
modsecurty依赖的包:pcre httpd-devel libxml2 apr
8 o& o# W! U  {% J( P
, ?- l/ H& N9 q0 pyum install httpd-devel apr apr-util-devel apr-devel  pcre pcre-devel  libxml2 libxml2-devel
3 u) s/ z8 Q7 @! l4 G8 R二.启用standalone模块并编译7 ~& B- D9 [0 ?& O
. b) v7 k7 [5 M0 p" F
下载modsecurity for nginx 解压,进入解压后目录执行:
* p9 q$ F% V6 \6 P: r1 W' g1 d. b; X/ W/ n+ Q5 f& @
./autogen.sh4 c8 r; s4 D$ r- t3 d- T
./configure --enable-standalone-module --disable-mlogc/ n0 y2 ?, l9 e0 F! g
make 0 U+ p) t( i; Z# o
三.nginx添加modsecurity模块2 h9 o* U. n8 t
% d% }/ s0 V9 ~
在编译standalone后,nginx编译时可以通过"--add-module"添加modsecurity模块:, Z5 V" ~8 e1 J; }5 S* D" s8 I

- ^2 n. T+ ?% g: Q3 `) o. E./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/  --prefix=/opt/tengine
/ t  l0 v/ }) x0 C: A8 O# omake && make install
3 i3 C3 S: i( R  b. P3 e四.添加规则0 v2 C8 C# E+ _1 h  \
2 o# P5 _2 N6 L: N) x
modsecurity倾向于过滤和阻止web危险,之所以强大就在于规则,OWASP提供的规则是于社区志愿者维护的,被称为核心规则CRS(corerules),规则可靠强大,当然也可以自定义规则来满足各种需求。
- s6 F& O6 W/ r. p% e4 x! H
* x6 `* @- i. Z1.下载OWASP规则:" G5 n, p$ l/ z* z7 _2 Y
$ i+ U# G$ Z& n/ r# a
git clone https://github.com/SpiderLabs/owasp-modsecurity-crs/ ~/ [2 Z( @  M" I9 O

+ W( W+ G; V) S/ @mv owasp-modsecurity-crs /opt/tengine/conf/5 e9 b7 V6 |0 q& w; k
- @* X2 {, N3 ~, U; l+ }2 J; H
cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf; f! j' V- b. R
2.启用OWASP规则:; x7 X) \" c5 f
6 Z* `& B, g# {; g8 p: o8 a8 @6 w) i
复制modsecurity源码目录下的modsecurity.conf-recommended和unicode.mapping到nginx的conf目录下,并将modsecurity.conf-recommended重新命名为modsecurity.conf。
9 V9 H8 l4 H1 |& o
* e0 d$ Y# Q+ G$ _  U/ P+ ~编辑modsecurity.conf 文件,将SecRuleEngine设置为 on
8 Y3 Y* H  }7 Y6 H6 T
7 Q4 z& j$ f( S) v& t8 aowasp-modsecurity-crs下有很多存放规则的文件夹,例如base_rules、experimental_rules、optional_rules、slr_rules,里面的规则按需要启用,需要启用的规则使用Include进来即可。: a& S7 Z+ \# G) q- j3 h6 u

0 q. E& C$ A5 O! OInclude owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
* o5 r) w) F6 \. g4 a" HInclude owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
# b) G+ n$ V! q) T; s3 f; `- QInclude owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
8 z5 Y3 v* y8 a. ?$ GInclude owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
2 ?$ D4 L, Q+ y, R  g/ ZInclude owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
' _) i3 f( p8 q3 z! u, YInclude owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf8 d) j' C5 I0 S  ?. F9 B
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf& a/ B! L; X4 @$ [) L
五.配置nginx: s1 h( h. u! g- Z9 R

5 P; V/ E( b* B5 x4 ?& K9 V0 j在需要启用modsecurity的主机的location下面加入下面两行即可:2 k+ i( ]- a+ d

; g# m# D& `( P, p) s) P) ^ModSecurityEnabled on;  
8 }( j. u, p( ?! P" g# `ModSecurityConfig modsecurity.conf;
5 j4 }  L3 Y9 m$ j$ ]% `下面是两个示例配置,php虚拟主机:
8 s2 c3 P- a+ w3 }  \* \
  f% b/ I; O$ K8 P+ yserver {. T1 l4 \1 n: v( ~- F- j
      listen      80;
# w: F( Q% j  D  J. R      server_name 52os.net www.52os.net;" ?! k! A9 u; N# o4 n
     
' ?0 \) B7 o6 A  f      location ~ \.php$ {, g$ U, ~% v9 U) r
      ModSecurityEnabled on;  
( m1 o( k; T0 l9 r) k1 S( {      ModSecurityConfig modsecurity.conf;: p/ o4 u. O- r# Y% d1 t
/ N& Z4 P- ~- K: m. s
      root /web/wordpress;" a( T( j$ p' G+ z3 k7 ^
      index index.php index.html index.htm;
5 r; h" M& h. }$ f0 k$ c6 I3 d  1 X; ?0 \8 g6 p8 f1 p
      fastcgi_pass   127.0.0.1:9000;
: A- w- J- L9 n      fastcgi_index  index.php;/ r0 W# S! F) ~% j  a
      fastcgi_param  SCRIPT_FILENAME  $Document_root$fastcgi_script_name;: h8 a' g' [( p% u1 ~$ G
      include        fastcgi_params;
0 j1 g8 [$ I2 c7 q! f) z      }% |$ u/ F) D8 Y6 z5 E
  }% Q+ b+ K# y$ w8 x4 ~0 y" T* [" d
upstream负载均衡:
4 s6 }0 c% ^+ X3 W% r: I# g
1 ?5 \" c: _$ I) hupstream 52os.net {2 h8 Z# T4 G* ]# U* l7 R, o
    server 192.168.1.100:8080;* y& d( q8 |; M) E/ ?
    server 192.168.1.101:8080 backup;6 u! u" e7 P; X- e; o" Q
}( U) v. ]! O+ a# m5 F# F
+ f% R" Q& |* j* M. \- B# P
server {, r5 W- G' |  y0 B9 L( P5 A5 n
listen 80;
2 ?& Z" D8 y2 o& J7 g; ?1 b, Wserver_name 52os.net www.52os.net;
  b" J+ @# d7 e$ ?& A! T( F+ h& a3 o7 J. e
location / {
# b; Z4 P7 Y. m    ModSecurityEnabled on;  6 r8 A9 t' M" _1 H1 x% m
    ModSecurityConfig modsecurity.conf;  3 D* n2 j& }( ?* w
2 C* S* ?: m- f" S! ~9 s
        proxy_pass http://online;  v* g" T; q4 {/ o  x! u. H2 i) u, b
        proxy_redirect         off;* I4 U% u0 L% H3 _" |' T
        proxy_set_header Host $host;* S* r( R5 L( H( P: V
        proxy_set_header X-Real-IP $remote_addr;3 |6 ?9 s# ~7 Y: s$ a
        proxy_set_header  X-Forwarded-For $proxy_add_x_forwarded_for;/ w( n4 \, r0 F
    }
; l& |; }4 o7 A! k1 ]: X0 Q' q}
" ~; w+ u6 g& B  S六.测试
! Y, o: H1 I7 h9 S" b8 s4 e' ]* D/ G/ q: u
我们启用了xss和sql注入的过滤,不正常的请求会直接返回403。以php环境为例,新建一个phpinfo.php内容为:$ ]/ |! x) x% y+ Y' B8 M
% d. y3 g+ _" V0 q0 L/ r
<?php
( g$ T" O! h$ B. ?    phpinfo();    ; V2 a* g' @, z
?>
' ^- e- e( O( A/ f( g3 k2 Y! ?' Q在浏览器中访问:
/ E$ U/ P  B, _" T- c2 [
# h( U' Q# m. h3 n" s* m$ shttp://www.52os.net/phpinfo.php?id=1 正常显示。
' S% i  b9 E6 ^1 Ahttp://www.52os.net/phpinfo.php?id=1 and 1=1  返回403。" T0 w  H% \" \8 n; \
http://www.52os.net/phpinfo.php?search=<scritp>alert('xss');</script>  返回403。0 x8 w% }1 I7 `9 l
说明sql注入和xss已经被过滤了
9 Z: L! Z8 b8 `% e* m* M% t( U- g: c8 U
3 _; I& I  ~# L2 K七、安装过程中排错
6 K0 ?5 S% T4 H6 s; m' T4 H( Y- w0 J! D6 R5 p, N* O2 R4 t' @+ k
1.缺少APXS会报错
1 e* K2 ]% \& j$ L! _) X- J
6 m* U  v2 @; ]3 @3 E4 S3 Lconfigure: looking for Apache module support via DSO through APXS
# R- n# ~; m& U6 b5 yconfigure: error: couldn't find APXS
+ X# u- ^$ d4 [1 y, _apxs是一个为Apache HTTP服务器编译和安装扩展模块的工具,用于编译一个或多个源程序或目标代码文件为动态共享对象。
! E' V- T, W/ v9 t解决方法:( X) x/ ~" {( A' J9 A! z4 f( h

+ S: t8 ^1 @+ n: E( f7 Dyum install httpd-devel
2 x1 W5 d. q$ E0 e2 g3 t3 ~2.没有pcre
# |9 B0 F+ }1 R+ |" Y% P" F
( f" c; m! Y7 e* |- `configure: *** pcre library not found.
! w6 z+ u$ a2 econfigure: error: pcre library is required
. ?) A( o- S. e  |3 c4 f7 t解决方法:0 M- E, [8 \& C+ T  P

. b% h! n9 v- n' }yum install pcre pcre-devel* J4 s4 j6 G' o+ i0 t3 R: Z7 x
3.没有libxml21 {' s2 u) u' O, }$ {' u2 [

: o4 `) V6 M" e" L% ]& x1 Q' P, e* N
configure: *** xml library not found.
' `5 \5 J3 b  C. m2 A, R9 @7 J$ econfigure: error: libxml2 is required
+ V: A' w9 F0 V' J% a( x# t. l' X解决方法:
7 Z1 E+ Y( m7 O* W5 h
7 v# Z; F( w+ T. Wyum install  libxml2 libxml2-devel
# D3 |' b& o; L* B' S4.执行 /opt/tengine/sbin/nginx -m 时有警告" O2 A# s' J! x6 i) v8 U

- a* e1 o8 S+ h- m5 L( }. Z; OTengine version: Tengine/2.1.0 (nginx/1.6.2): G4 ]: h3 r  Q& v4 F7 U* y1 T+ H8 d
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!
/ e7 @: d& @7 W% r原因:modsecurity编译时和加载时的apr版本不一致造成的,并且会有以下error.log& W- \, [( n6 q' z1 Z, `" W

: n9 d3 }! L0 b% j8 o" D# J8 W) l5 f2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
' X; s& g  @5 ^, i+ N5 J' A2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded     version="1.3.9"
: [2 C$ P6 L+ i0 b2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
* n" G! }0 D) M# G# _+ B2 l2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"2 i- m1 Z$ Y" M: `4 ?3 _/ z! p: i
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
5 w$ V  h# R# P0 ]; S5 y8 v2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.
6 E: v  L* M' C! @& l解决方法,移除低版本的APR (1.3.9)3 g7 W( |0 y9 Y# c4 E

$ n+ H4 z/ @' D/ {/ [1 |yum remove apr% V3 X0 t" A& Q. R
5.Error.log中有: Audit log: Failed to lock global mutex
8 O' G; d" c6 F
& I* u) Y- e) ?4 ^: s- j2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock     
+ t: W9 c$ s9 P0 Cglobal mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]
6 z2 n! P! K6 n/ L% N解决方法:
; J8 q& T9 V7 Z( j4 o' W& F编辑modsecurity.conf,注释掉默认的SecAuditLogType和SecAuditLog,添加以下内容:7 V) j5 J2 C( Z- q" ^# t9 b
8 d& U9 V/ H5 o) j; Q& a" r
SecAuditLogDirMode 0777' \" X- J5 k' x2 N' d
SecAuditLogFileMode 0550. s. U; o6 v9 O; O6 D& K( q
SecAuditLogStorageDir /var/log/modsecurity+ R* p5 \' e$ z% F7 E' a% h' k  s
SecAuditLogType Concurrent) u+ w# r% v) P( B8 ~
参考文章:
" m- B8 q: D  a) l$ Uhttps://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
  U2 Z2 Y$ T7 G: T7 V: P4 }http://drops.wooyun.org/tips/2614
您需要登录后才可以回帖 登录 | 立即注册

本版积分规则

QQ|Archiver|手机版|小黑屋|第一站论坛 ( 蜀ICP备06004864号-6 )

GMT+8, 2026-7-13 16:29 , Processed in 0.071816 second(s), 19 queries .

Powered by Discuz! X3.5

© 2001-2026 Discuz! Team.

快速回复 返回顶部 返回列表