找回密码
 立即注册

QQ登录

只需一步,快速开始

查看: 11788|回复: 0

nginx配合modsecurity实现WAF功能

[复制链接]
发表于 2017-10-19 16:53:31 | 显示全部楼层 |阅读模式
modsecurity原本是Apache上的一款开源waf,可以有效的增强web安全性,目前已经支持nginx和IIS,配合nginx的灵活和高效,可以打造成生产级的WAF,是保护和审核web安全的利器。2 W3 x' a5 d& K$ L' T' r

/ _9 |5 F# w0 N: f# X1 {% l9 b0 Q一.准备工作
1 e4 F4 O4 y2 q" |# m
, ?9 e+ e7 k1 Z' ]系统:centos 6.5 64位、 tengine 2.1.0, modsecurity 2.8.0
/ S3 {. r8 r3 t+ N0 Z1 B  I# I6 e3 D: L- q8 G- i
tengine : http://tengine.taobao.org/download/tengine-2.1.0.tar.gz1 |+ q1 P& O  ?; p

! X; Y+ w! t# G/ Pmodsecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz
' l$ k7 x6 m% [$ p. Y. R
8 f: U' D6 s* _, X: h/ n5 rOWASP规则集: https://github.com/SpiderLabs/owasp-modsecurity-crs" R0 I1 `1 o4 s, l" D; B
. u# q; U( ]  u. z
依赖关系:
) `$ F3 B" `6 Q, n3 d" ?7 jtengine(nginx)依赖: pcre 、zlib、 openssl, 这三个包centos 6.5 系统源里都有:/ k3 {( `) [! k' x2 `9 F
  q" o8 ]) o1 `/ I% \# D0 f
yum install zlib zlib-devel openssl openssl-devel  pcre pcre-devel
* K. A6 r) c5 x0 X* C  Rmodsecurty依赖的包:pcre httpd-devel libxml2 apr
. k! ^: k; q6 t' D- }: J' {% W0 [2 W" {' {6 F* T, V5 C! ~  q- B  F
yum install httpd-devel apr apr-util-devel apr-devel  pcre pcre-devel  libxml2 libxml2-devel
1 z3 S! c) B3 ?1 H% p二.启用standalone模块并编译: N3 [! Q/ g* Z- p! K3 Q
5 d/ R6 |' u) p" m
下载modsecurity for nginx 解压,进入解压后目录执行:8 N, Q* ~! V1 _# C# s( c
, J+ L- I# v8 L) _6 L: V
./autogen.sh2 I0 h9 h# y" m: z! V  l
./configure --enable-standalone-module --disable-mlogc. s. X" V/ F6 ]2 N* P( S
make # h7 h$ c8 H! I+ l7 \
三.nginx添加modsecurity模块) l: F5 y( y7 C& T" i

3 J% ~6 U7 s' }# _6 _+ j0 I7 f在编译standalone后,nginx编译时可以通过"--add-module"添加modsecurity模块:- q: P1 L9 L- E) \# f2 U
7 J9 H! G6 ?/ D. X
./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/  --prefix=/opt/tengine
- Z0 p  O9 p3 ]0 I* f* D# V/ Amake && make install
/ t( i- M9 {- O3 [四.添加规则
) d, _. G( e/ m. ~, }: b! E! B8 o! @: }4 b. P
modsecurity倾向于过滤和阻止web危险,之所以强大就在于规则,OWASP提供的规则是于社区志愿者维护的,被称为核心规则CRS(corerules),规则可靠强大,当然也可以自定义规则来满足各种需求。5 }! Y0 W* T( e& W! K& `

# G/ J* w! e. ]7 T: \/ \1.下载OWASP规则:
' a+ }4 z" ^% U' O" g6 S
8 e$ J6 s  `" e6 x0 W, ^+ C. dgit clone https://github.com/SpiderLabs/owasp-modsecurity-crs
; v) P3 K: V; o% w. b  b; t& l. Q# v  k% i# _
mv owasp-modsecurity-crs /opt/tengine/conf/+ V1 B) M( V8 t
6 ^% p( ~1 `. q4 o
cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf. k. X) K% N  E  C7 m
2.启用OWASP规则:
1 N& H/ h' `/ F' z, O0 v# M4 v' [; f# X+ D0 H5 ~
复制modsecurity源码目录下的modsecurity.conf-recommended和unicode.mapping到nginx的conf目录下,并将modsecurity.conf-recommended重新命名为modsecurity.conf。: f2 ]" X, w3 H- |4 F6 V+ j

  ~1 I$ N1 z; t( w1 b  `编辑modsecurity.conf 文件,将SecRuleEngine设置为 on
5 F4 e! }2 o6 N7 f" x. M
0 R4 q  J4 p9 u! O; Yowasp-modsecurity-crs下有很多存放规则的文件夹,例如base_rules、experimental_rules、optional_rules、slr_rules,里面的规则按需要启用,需要启用的规则使用Include进来即可。+ Q! p+ G; f9 R" N. n

- F4 y' Q7 w* AInclude owasp-modsecurity-crs/modsecurity_crs_10_setup.conf$ J9 l5 P8 O9 i! V
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf8 d" r' M, p4 F1 a5 f2 u
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf5 L! F/ R8 m) Q3 y7 h; j
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
2 S0 m8 E2 {  z( F4 b8 C5 eInclude owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf' y* T# L4 o$ M7 S9 u# i4 L. P8 m$ ^
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf5 O, x# n4 g( v& D5 N( `
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf/ I! c" x$ `+ }8 r& i  y) M0 r
五.配置nginx
! h7 u. K5 Z4 T# e
4 [- t; _$ x: I' B2 l. I1 C在需要启用modsecurity的主机的location下面加入下面两行即可:
8 Y+ R7 ?) }  ]- E% `/ ], P" @7 U$ y# O# S2 m  F* ^5 ], J
ModSecurityEnabled on;  
0 X* {7 d( P( K& GModSecurityConfig modsecurity.conf;
+ R# J' x, }2 y/ C3 L下面是两个示例配置,php虚拟主机:: H; S/ T* h& @7 l) y) [/ ]

6 K! _! Z1 M2 G' E, Z0 ^1 Fserver {- W1 o" i8 |6 b* q2 z
      listen      80;7 `& w& R( N5 @( l
      server_name 52os.net www.52os.net;
3 _7 i& j! q: z     
) p3 g5 a7 x" e      location ~ \.php$ {
% s2 l0 K% J4 i- y0 K' c3 m      ModSecurityEnabled on;  - H/ F9 q2 O& g2 {0 u* U1 ~
      ModSecurityConfig modsecurity.conf;, S' r5 T" O) L% E* q: k+ T
) u4 v" r3 j( t+ U  X7 s6 `
      root /web/wordpress;
0 A* [" _1 W% W) i" @( k6 b8 V/ Z      index index.php index.html index.htm;
. L" j8 g9 x, x; U& ]  
5 B; k" X* w$ Q+ r1 Z      fastcgi_pass   127.0.0.1:9000;
+ u1 r9 v' c" L$ m2 v+ d      fastcgi_index  index.php;
0 L) Z# b) g" _4 \- W2 n. S      fastcgi_param  SCRIPT_FILENAME  $Document_root$fastcgi_script_name;! @; b" b5 ^- z
      include        fastcgi_params;
0 J3 U( E7 y3 v  F0 x" Y      }6 ?; a( v$ G5 A% D9 T- [
  }' z8 j, R" {/ I. O, {! l/ e
upstream负载均衡:1 W4 G  `1 q2 M( s) v& m
5 P4 G2 J' f& k# k9 T6 a1 y
upstream 52os.net {& H" Y) Q, c# O, Y; N
    server 192.168.1.100:8080;
6 Z; \( I4 o8 w5 s! ~  n+ Q    server 192.168.1.101:8080 backup;
. F1 n2 n  l3 k: i}! C, C& k* y1 m

6 \$ [+ N" j5 a; }$ `2 Zserver {6 x: k: B1 {0 m8 y& m( G" i% ~) \
listen 80;
1 {! y- g7 b* iserver_name 52os.net www.52os.net;
* C. D4 s  Z( j) t6 S: T/ o$ Z: Q; M+ R4 S4 Q
location / {8 `7 s9 E) B5 ?( B( O6 d1 u! B
    ModSecurityEnabled on;  " I- }! N* K. V
    ModSecurityConfig modsecurity.conf;  
) e! z' `4 @% o9 f4 Q, s+ p) G( @5 o$ l, L" P$ {8 S4 _
        proxy_pass http://online;
4 ~8 }' N! _2 j' x0 A* ^/ M        proxy_redirect         off;0 V7 j& y, Y- H' \
        proxy_set_header Host $host;) p0 g( h+ y0 G8 _8 F
        proxy_set_header X-Real-IP $remote_addr;# k( B' D( e3 K5 V* M3 R! W
        proxy_set_header  X-Forwarded-For $proxy_add_x_forwarded_for;; f) E6 Q# \2 L6 g( S
    }1 Q; q# a  m5 s& \
}
# s9 @! {) i' B% U) K1 I六.测试
9 H1 o, i( {- q) D. h& `5 r; @$ `5 _. k0 f9 v7 z" h, o
我们启用了xss和sql注入的过滤,不正常的请求会直接返回403。以php环境为例,新建一个phpinfo.php内容为:
) H2 l3 m9 E  k% k) w3 W" U' P( {! w
6 t1 x1 g; Z5 i( u9 \7 M<?php1 Y* B( x/ {" Q% J0 h3 y1 M- f
    phpinfo();    $ t1 p" k, w+ Y. W5 s. D
?>8 \8 d, C$ A) n) r6 ~
在浏览器中访问:- u( X" O& C$ k# L# ?# v  A: \2 ~: ]

3 t1 o, F2 P' A( N. ihttp://www.52os.net/phpinfo.php?id=1 正常显示。4 M( K# P1 W+ {2 N1 I
http://www.52os.net/phpinfo.php?id=1 and 1=1  返回403。+ E) c8 ^4 |2 n8 R0 _7 ]; a) m& I! g
http://www.52os.net/phpinfo.php?search=<scritp>alert('xss');</script>  返回403。
* V% u, f) H% b2 e说明sql注入和xss已经被过滤了
% a3 s4 E2 ~7 k8 L0 ]! g. H, f1 _& ~- v# [& E/ r+ T5 H* E$ b: i
七、安装过程中排错
4 {1 J( D: v+ n3 @( P3 i) ?
3 F* g; T! x) o1.缺少APXS会报错  @) \* N4 t1 n
# |/ h3 O- b5 `
configure: looking for Apache module support via DSO through APXS
, r. _  F2 o, D8 {configure: error: couldn't find APXS
+ z' Y' w9 r! H! |% y' O/ yapxs是一个为Apache HTTP服务器编译和安装扩展模块的工具,用于编译一个或多个源程序或目标代码文件为动态共享对象。
  N4 h* H. \" A7 u+ {% u' s& C解决方法:/ W$ N$ X8 c& j. q

. I" Z# o5 f; L  J% c' m7 c% xyum install httpd-devel& k5 T; _' h0 W" x
2.没有pcre: J5 C5 O9 `5 B6 N: g$ s$ y

' T( M+ \9 s. G" [) o7 aconfigure: *** pcre library not found.0 e/ u; ~7 w$ z8 t& W1 ~( p; ^
configure: error: pcre library is required
+ o( g4 I, l5 ]8 ?+ B解决方法:: V. S1 C' G: c6 N( {

  ]# H$ B: R$ p7 n  R" Myum install pcre pcre-devel1 S5 W' @2 p, H- [+ f
3.没有libxml2
$ r$ ^! K3 q! D# R9 S# h
) C# p$ P  v! {; t% P! s; g$ T/ \/ }0 G" U$ B% D5 r$ H
configure: *** xml library not found.9 P% I# i1 m1 A
configure: error: libxml2 is required
, U7 M* ]/ V$ `7 t1 l解决方法:
- r- x; P' z% f! c* Q3 g% o$ Z
; a' N1 u& K: ?2 m  L. [yum install  libxml2 libxml2-devel
: @2 @# o. p  P' v- [4.执行 /opt/tengine/sbin/nginx -m 时有警告  ?" W1 J. K. S5 D' i

: w  U3 A7 A8 kTengine version: Tengine/2.1.0 (nginx/1.6.2)
1 M- \% b1 E, \/ X3 D3 I+ i* q: N( Xnginx: [warn] ModSecurity: Loaded APR do not match with compiled!
+ o2 k5 R# W) C6 G原因:modsecurity编译时和加载时的apr版本不一致造成的,并且会有以下error.log
7 [8 S# z8 [9 Q- ]; A+ L
! D8 e, h* b2 x, m2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.* K5 |# e4 O% [7 t3 k: F. ?
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded     version="1.3.9"; Y$ G0 p, U( D' K0 e: ^
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
9 u0 l# l2 T( o. B4 n) ?4 |. ]2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
% }" G, T& ]8 y( f" s. U" @2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
3 e; K4 \2 R" A- \& `. m2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.
1 n: a# [5 z/ A/ P解决方法,移除低版本的APR (1.3.9)5 B& {: n) k/ J: |2 _! H  r6 i

3 h- l( H" x. m% tyum remove apr: G/ F. u8 ^5 w) E# {
5.Error.log中有: Audit log: Failed to lock global mutex: b( ?% C  S- T2 i+ ^" L0 j. C, G
' k) k. t5 g2 j
2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock     
* I: B- |6 j& v' u, [8 |- V! I; hglobal mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]
* p- D9 z4 B0 w6 r解决方法:, x3 x9 b  T* h# x0 u8 a
编辑modsecurity.conf,注释掉默认的SecAuditLogType和SecAuditLog,添加以下内容:
$ i6 h6 n( U! x: `; w. g5 a! U. x' }2 O8 C
SecAuditLogDirMode 0777
5 @3 g$ ?: ]) F# \5 D# O" ?SecAuditLogFileMode 0550
" x4 T4 F/ N6 k9 Y8 I; iSecAuditLogStorageDir /var/log/modsecurity/ @* o* H8 g+ g0 Y& H
SecAuditLogType Concurrent
$ F3 |/ g0 W, n4 b9 w+ F+ m; x+ d参考文章:
7 g2 C1 ~& t9 `& dhttps://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
1 y; f5 F. z2 M: vhttp://drops.wooyun.org/tips/2614
您需要登录后才可以回帖 登录 | 立即注册

本版积分规则

QQ|Archiver|手机版|小黑屋|第一站论坛 ( 蜀ICP备06004864号-6 )

GMT+8, 2026-7-13 10:00 , Processed in 0.065598 second(s), 19 queries .

Powered by Discuz! X3.5

© 2001-2026 Discuz! Team.

快速回复 返回顶部 返回列表