nginx with ModSecurity as a WAF

Posted on 2017-10-19 16:53:31
ModSecurity started out as an open-source WAF for Apache that noticeably strengthens web security; it now also supports nginx and IIS. Combined with the flexibility and efficiency of nginx it can be built into a production-grade WAF, and it is a powerful tool for protecting and auditing web applications.

I. Preparation

System: CentOS 6.5 64-bit, Tengine 2.1.0, ModSecurity 2.8.0

Tengine: http://tengine.taobao.org/download/tengine-2.1.0.tar.gz

ModSecurity for nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz

OWASP rule set: https://github.com/SpiderLabs/owasp-modsecurity-crs

Dependencies:
Tengine (nginx) depends on pcre, zlib and openssl; all three are in the CentOS 6.5 repositories:

yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel

ModSecurity depends on pcre, httpd-devel, libxml2 and apr:

yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
II. Enable the standalone module and build

Download ModSecurity for nginx, unpack it, and run the following inside the unpacked directory:

./autogen.sh
./configure --enable-standalone-module --disable-mlogc
make
III. Add the ModSecurity module to nginx

Once the standalone build is done, the ModSecurity module can be added to the nginx build with "--add-module":

./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
make && make install
IV. Add rules

ModSecurity is geared towards filtering and blocking web attacks, and its strength lies in its rules. The rule set provided by OWASP is maintained by community volunteers and is known as the Core Rule Set (CRS); it is reliable and powerful, and you can of course write custom rules for your own needs.

1. Download the OWASP rules:

git clone https://github.com/SpiderLabs/owasp-modsecurity-crs

mv owasp-modsecurity-crs /opt/tengine/conf/

cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf
2. Enable the OWASP rules:

Copy modsecurity.conf-recommended and unicode.mapping from the ModSecurity source directory into nginx's conf directory, and rename modsecurity.conf-recommended to modsecurity.conf.

Edit modsecurity.conf and set SecRuleEngine to On (the recommended file ships with DetectionOnly, which only logs and does not block).

owasp-modsecurity-crs contains several rule directories, e.g. base_rules, experimental_rules, optional_rules and slr_rules. Enable whichever rules you need by adding an Include line for each of them to modsecurity.conf:

Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
V. Configure nginx

In each virtual host where ModSecurity should be enabled, add these two lines under the location block:

ModSecurityEnabled on;
ModSecurityConfig modsecurity.conf;

Two example configurations follow. First, a PHP virtual host:

server {
    listen      80;
    server_name 52os.net www.52os.net;

    location ~ \.php$ {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        root /web/wordpress;
        index index.php index.html index.htm;

        fastcgi_pass   127.0.0.1:9000;
        fastcgi_index  index.php;
        # nginx variable names are case-sensitive: $document_root, not $Document_root
        fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;
        include        fastcgi_params;
    }
}
Second, upstream load balancing:

upstream 52os.net {
    server 192.168.1.100:8080;
    server 192.168.1.101:8080 backup;
}

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location / {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        # proxy to the upstream group defined above; the name must match
        proxy_pass http://52os.net;
        proxy_redirect         off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header  X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
VI. Testing

With the XSS and SQL injection filters enabled, malicious requests are rejected with a 403 straight away. Taking the PHP environment as an example, create a phpinfo.php containing:

<?php
    phpinfo();
?>

Then open the following in a browser:

http://www.52os.net/phpinfo.php?id=1  displays normally.
http://www.52os.net/phpinfo.php?id=1 and 1=1  returns 403.
http://www.52os.net/phpinfo.php?search=<script>alert('xss');</script>  returns 403.

This shows that SQL injection and XSS are being filtered.

VII. Troubleshooting the installation

1. Missing APXS

configure: looking for Apache module support via DSO through APXS
configure: error: couldn't find APXS

apxs is a tool for building and installing extension modules for the Apache HTTP server; it compiles one or more source or object files into a dynamic shared object.
Fix:

yum install httpd-devel
2. pcre missing

configure: *** pcre library not found.
configure: error: pcre library is required

Fix:

yum install pcre pcre-devel
3. libxml2 missing

configure: *** xml library not found.
configure: error: libxml2 is required

Fix:

yum install libxml2 libxml2-devel
4. A warning when running /opt/tengine/sbin/nginx -m

Tengine version: Tengine/2.1.0 (nginx/1.6.2)
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!

Cause: the APR version ModSecurity was compiled against differs from the one loaded at run time. error.log then shows the following:

2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.

Fix: remove the older APR (1.3.9). Note that yum also removes the packages that depend on it, such as httpd, so check the transaction list before confirming:

yum remove apr
5. error.log contains: Audit log: Failed to lock global mutex

2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]

Fix:
Edit modsecurity.conf, comment out the default SecAuditLogType and SecAuditLog, and add the following:

SecAuditLogDirMode 0777
SecAuditLogFileMode 0550
SecAuditLogStorageDir /var/log/modsecurity
SecAuditLogType Concurrent

Make sure /var/log/modsecurity exists and is writable by the nginx worker user. A 0777 directory mode lets any local user write to or delete audit entries; owning the directory by the worker user with a tighter mode such as 0750 avoids the permission error without that exposure.
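As an added example (not from this post), a small Python script that parses the ModSecurity messages nginx writes to error.log, in the format shown in sections VI and VII, into structured records: it counts 403s per client and per rule id, flags audit-log failures, and reports library version mismatches such as the APR case above. The lines in SAMPLE_LOG, including the rule ids, hosts and client IPs, are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample error.log lines in the format shown above; rule ids, hosts and IPs are made up.
SAMPLE_LOG = """\
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]
2015/01/26 04:20:01 [error] 61610#0: [client 10.11.15.161] ModSecurity: Access denied with code 403 (phase 2). Pattern match "PATTERN" at ARGS:id. [file "/opt/tengine/conf/owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "1"] [id "000001"] [msg "SQL Injection Attack"] [severity "CRITICAL"] [hostname "www.52os.net"] [uri "/phpinfo.php"] [unique_id "CONSTRUCTED0001"]
2015/01/26 04:21:07 [error] 61610#0: [client 10.11.15.162] ModSecurity: Access denied with code 403 (phase 2). Pattern match "PATTERN" at ARGS:search. [file "/opt/tengine/conf/owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf"] [line "1"] [id "000002"] [msg "Cross-site Scripting (XSS) Attack"] [severity "CRITICAL"] [hostname "www.52os.net"] [uri "/phpinfo.php"] [unique_id "CONSTRUCTED0002"]
"""

# nginx error-line prefix, optional "[client ip]", then the ModSecurity message body.
LINE_RE = re.compile(r'^(?P<ts>\S+ \S+) \[(?P<level>\w+)\] \d+#\d+: (?:\[client (?P<client>[^\]]+)\] )?ModSecurity: (?P<message>.*)$')
FIELD_RE = re.compile(r'\[(\w+) "([^"]*)"\]')  # trailing [key "value"] pairs
VERSION_RE = re.compile(r'(\w+) compiled version="([^"]*)"; loaded version="([^"]*)"')

def parse_line(line):
    """Return a dict for one ModSecurity error.log line, or None for unrelated lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["fields"] = dict(FIELD_RE.findall(rec["message"]))
    rec["blocked"] = rec["message"].startswith("Access denied")
    return rec

def version_mismatches(records):
    """(library, compiled, loaded) where the first version token differs (PCRE's loaded string adds a date)."""
    out = []
    for r in records:
        m = VERSION_RE.match(r["message"])
        if m and m.group(2).split()[:1] != m.group(3).split()[:1]:
            out.append(m.groups())
    return out

def summarize(log_text):
    """Blocked requests per client and per rule id, audit-log failures, version mismatches."""
    records = [r for r in map(parse_line, log_text.splitlines()) if r]
    blocked = [r for r in records if r["blocked"]]
    return {
        "total": len(records),
        "blocked": len(blocked),
        "by_client": Counter(r["client"] for r in blocked),
        "by_rule": Counter(r["fields"].get("id", "?") for r in blocked),
        "audit_log_errors": sum(r["message"].startswith("Audit log:") for r in records),
        "version_mismatches": version_mismatches(records),
    }
```

Run it against a real error.log by passing the file contents to summarize(); a non-empty version_mismatches list or a non-zero audit_log_errors count points at troubleshooting items 4 and 5 above.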
References:
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
http://drops.wooyun.org/tips/2614