Building a WAF with nginx and ModSecurity

Posted on 2017-10-19 16:53:31
ModSecurity started out as an open-source WAF for Apache that noticeably strengthens web security; it now supports nginx and IIS as well. Combined with the flexibility and performance of nginx it can be built into a production-grade WAF, a strong tool for protecting and auditing web applications.

I. Preparation

System: CentOS 6.5 64-bit, Tengine 2.1.0, ModSecurity 2.8.0

tengine: http://tengine.taobao.org/download/tengine-2.1.0.tar.gz

ModSecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz

OWASP rule set: https://github.com/SpiderLabs/owasp-modsecurity-crs

Dependencies:
tengine (nginx) depends on pcre, zlib and openssl; all three are in the CentOS 6.5 repositories:

yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel

ModSecurity depends on pcre, httpd-devel, libxml2 and apr:

yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
II. Enable the standalone module and build

Download ModSecurity for nginx, unpack it, and run the following inside the unpacked directory:

./autogen.sh
./configure --enable-standalone-module --disable-mlogc
make
III. Add the ModSecurity module to nginx

Once the standalone build has finished, pass the module to the nginx build with "--add-module":

./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
make && make install
IV. Add rules

ModSecurity is built to filter and block web attacks, and its strength lies in its rules. The rules published by OWASP are maintained by community volunteers and are known as the Core Rule Set (CRS); they are reliable and powerful, and you can of course write your own rules for anything else you need.

1. Download the OWASP rules:

git clone https://github.com/SpiderLabs/owasp-modsecurity-crs

mv owasp-modsecurity-crs /opt/tengine/conf/

cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf

2. Enable the OWASP rules:

Copy modsecurity.conf-recommended and unicode.mapping from the ModSecurity source directory into the nginx conf directory, and rename modsecurity.conf-recommended to modsecurity.conf.

Edit modsecurity.conf and set SecRuleEngine to On.

owasp-modsecurity-crs contains several directories of rules, such as base_rules, experimental_rules, optional_rules and slr_rules. Enable whichever rules you need by adding an Include line for each file:

Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
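A small checker for the two settings above that decide whether the WAF actually blocks anything (SecRuleEngine On, and the CRS setup file plus the wanted rule files included). This is an added example, not code from the post or from ModSecurity; the sample modsecurity.conf it scans is constructed here with a deliberately weak mode and a commented-out Include.

```python
import re

# Constructed sample modsecurity.conf, modelled on the post's Include list; the
# DetectionOnly mode and the commented-out XSS rule file are deliberate weak settings.
SAMPLE_CONF = """\
SecRuleEngine DetectionOnly
SecRequestBodyAccess On
Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
#Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
"""

INCLUDE_RE = re.compile(r"^\s*Include\s+(\S+)", re.IGNORECASE)
ENGINE_RE = re.compile(r"^\s*SecRuleEngine\s+(\S+)", re.IGNORECASE)


def audit_modsec_conf(text):
    """Return (engine_mode, active_includes, findings) for a modsecurity.conf body.

    Only uncommented lines count; a commented-out Include is reported as a finding
    so nobody assumes that rule file is live."""
    engine, includes, findings = None, [], []
    for line in text.splitlines():
        stripped = line.lstrip()
        if stripped.startswith("#"):
            m = INCLUDE_RE.match(stripped.lstrip("# "))
            if m:
                findings.append(f"commented-out Include: {m.group(1)}")
            continue
        m = ENGINE_RE.match(line)
        if m:
            engine = m.group(1)
        m = INCLUDE_RE.match(line)
        if m:
            includes.append(m.group(1))
    if engine is None:
        findings.append("SecRuleEngine not set (the engine defaults to Off)")
    elif engine.lower() != "on":
        findings.append(f"SecRuleEngine is {engine}: matches are logged, not blocked")
    if not any(p.endswith("modsecurity_crs_10_setup.conf") for p in includes):
        findings.append("modsecurity_crs_10_setup.conf not included; the CRS rule files depend on it")
    return engine, includes, findings


if __name__ == "__main__":
    mode, active, issues = audit_modsec_conf(SAMPLE_CONF)
    print(f"SecRuleEngine={mode}, {len(active)} rule files active")
    for issue in issues:
        print("  finding:", issue)
```

Point it at the real file with `audit_modsec_conf(open("/opt/tengine/conf/modsecurity.conf").read())` after every rule change; an empty findings list is the expected result.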
V. Configure nginx

Add the following two lines inside the location block of every virtual host that should be protected by ModSecurity:

ModSecurityEnabled on;
ModSecurityConfig modsecurity.conf;

Two sample configurations follow. A PHP virtual host:

server {
    listen      80;
    server_name 52os.net www.52os.net;

    location ~ \.php$ {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        root /web/wordpress;
        index index.php index.html index.htm;

        fastcgi_pass   127.0.0.1:9000;
        fastcgi_index  index.php;
        fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;
        include        fastcgi_params;
    }
}

Upstream load balancing:

# the upstream name must match the name used in proxy_pass below
upstream online {
    server 192.168.1.100:8080;
    server 192.168.1.101:8080 backup;
}

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location / {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        proxy_pass http://online;
        proxy_redirect   off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
VI. Testing

With the XSS and SQL injection filters enabled, malformed requests are answered directly with 403. Using the PHP setup as an example, create a phpinfo.php containing:

<?php
    phpinfo();
?>

Then open the following in a browser:

http://www.52os.net/phpinfo.php?id=1 displays normally.
http://www.52os.net/phpinfo.php?id=1 and 1=1 returns 403.
http://www.52os.net/phpinfo.php?search=<script>alert('xss');</script> returns 403.

This shows that SQL injection and XSS are being filtered.
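The three browser checks above, as a repeatable smoke test to run after every rule or config reload. This is an added example and not part of the post; the target URL is the post's own host, the expected status codes are the ones the post reports, and the fetch function is injectable so the logic can be exercised without a live server.

```python
import urllib.error
import urllib.parse
import urllib.request


def http_status(url):
    """Return the HTTP status for url; urllib raises on 4xx/5xx, so map that back to a code."""
    try:
        with urllib.request.urlopen(url, timeout=5) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


# The post's three cases: one benign request that must pass, two that the CRS
# SQL injection and XSS rules must stop with 403.
CASES = [
    ("benign", {"id": "1"}, 200),
    ("sqli", {"id": "1 and 1=1"}, 403),
    ("xss", {"search": "<script>alert('xss');</script>"}, 403),
]


def waf_smoke_test(base_url, fetch=http_status):
    """Run every case against base_url; return {name: (expected, got, ok)}."""
    report = {}
    for name, params, expected in CASES:
        url = base_url + "?" + urllib.parse.urlencode(params)
        got = fetch(url)
        report[name] = (expected, got, got == expected)
    return report


def all_passed(report):
    """True only if the benign request passed and both attack cases were blocked."""
    return all(ok for _, _, ok in report.values())


if __name__ == "__main__":
    # Host taken from the post; replace it with the vhost carrying the ModSecurity location.
    rep = waf_smoke_test("http://www.52os.net/phpinfo.php")
    for name, (exp, got, ok) in rep.items():
        print(f"{name:7s} expected {exp} got {got} {'OK' if ok else 'FAIL'}")
```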

VII. Troubleshooting the installation

1. Missing APXS:

configure: looking for Apache module support via DSO through APXS
configure: error: couldn't find APXS

apxs is the tool that builds and installs extension modules for the Apache HTTP server; it compiles one or more source or object files into a dynamic shared object.
Fix:

yum install httpd-devel

2. pcre not found:

configure: *** pcre library not found.
configure: error: pcre library is required

Fix:

yum install pcre pcre-devel

3. libxml2 not found:

configure: *** xml library not found.
configure: error: libxml2 is required

Fix:

yum install libxml2 libxml2-devel

4. A warning when running /opt/tengine/sbin/nginx -m:

Tengine version: Tengine/2.1.0 (nginx/1.6.2)
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!

Cause: the APR version ModSecurity was compiled against differs from the one loaded at runtime. The same shows up in error.log:

2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.

Fix: remove the older APR (1.3.9):

yum remove apr

5. error.log contains "Audit log: Failed to lock global mutex":

2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]

Fix:
Edit modsecurity.conf, comment out the default SecAuditLogType and SecAuditLog, and add the following:

SecAuditLogDirMode 0777
SecAuditLogFileMode 0550
SecAuditLogStorageDir /var/log/modsecurity
SecAuditLogType Concurrent
References:
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
http://drops.wooyun.org/tips/2614