Using nginx with ModSecurity to build a WAF

Posted on 2017-10-19 16:53:31
ModSecurity was originally an open-source WAF for Apache that noticeably strengthens web security. It now also supports nginx and IIS; combined with nginx's flexibility and efficiency it can be turned into a production-grade WAF and is a powerful tool for protecting and auditing web applications.

I. Preparation

System: CentOS 6.5 64-bit, Tengine 2.1.0, ModSecurity 2.8.0

Tengine: http://tengine.taobao.org/download/tengine-2.1.0.tar.gz

ModSecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz

OWASP rule set: https://github.com/SpiderLabs/owasp-modsecurity-crs

Dependencies:
Tengine (nginx) depends on pcre, zlib and openssl; all three are in the CentOS 6.5 repositories:

yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel

ModSecurity depends on pcre, httpd-devel, libxml2 and apr:

yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
II. Enable the standalone module and build

Download ModSecurity for nginx, unpack it, and run the following in the unpacked directory:

./autogen.sh
./configure --enable-standalone-module --disable-mlogc
make
III. Add the ModSecurity module to nginx

Once the standalone module has been built, it can be added to nginx at configure time with "--add-module":

./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
make && make install
IV. Add rules

ModSecurity is built to filter and block web attacks, and its strength lies in its rules. The rules published by OWASP are maintained by community volunteers and are known as the Core Rule Set (CRS); they are reliable and powerful, and you can of course also write custom rules for your own needs.

1. Download the OWASP rules:

git clone https://github.com/SpiderLabs/owasp-modsecurity-crs
mv owasp-modsecurity-crs /opt/tengine/conf/
cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf

2. Enable the OWASP rules:

Copy modsecurity.conf-recommended and unicode.mapping from the ModSecurity source directory into nginx's conf directory, and rename modsecurity.conf-recommended to modsecurity.conf.

Edit modsecurity.conf and set SecRuleEngine to On.

owasp-modsecurity-crs contains several folders of rules, for example base_rules, experimental_rules, optional_rules and slr_rules. Enable only the rules you need by adding an Include line for each file:

Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
V. Configure nginx

In the location block of every virtual host that should be protected by ModSecurity, add these two lines:

ModSecurityEnabled on;
ModSecurityConfig modsecurity.conf;

Two example configurations follow. A PHP virtual host:

server {
    listen      80;
    server_name 52os.net www.52os.net;

    location ~ \.php$ {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        root  /web/wordpress;
        index index.php index.html index.htm;

        fastcgi_pass   127.0.0.1:9000;
        fastcgi_index  index.php;
        # nginx variables are case-sensitive: $document_root, not $Document_root
        fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;
        include        fastcgi_params;
    }
}

Upstream load balancing:

# the upstream name must match the proxy_pass target below
upstream online {
    server 192.168.1.100:8080;
    server 192.168.1.101:8080 backup;
}

server {
    listen      80;
    server_name 52os.net www.52os.net;

    location / {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        proxy_pass       http://online;
        proxy_redirect   off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
VI. Testing

We have enabled the XSS and SQL injection rules, so malicious requests are answered directly with a 403. Using a PHP environment as the example, create phpinfo.php with the contents:

<?php
    phpinfo();
?>

Then open the following in a browser:

http://www.52os.net/phpinfo.php?id=1  displays normally.
http://www.52os.net/phpinfo.php?id=1 and 1=1  returns 403.
http://www.52os.net/phpinfo.php?search=<script>alert('xss');</script>  returns 403.

This shows that the SQL injection and XSS requests are being filtered.

VII. Troubleshooting the installation

1. Missing APXS

configure: looking for Apache module support via DSO through APXS
configure: error: couldn't find APXS

apxs is the tool that compiles and installs extension modules for the Apache HTTP server; it builds one or more source or object files into a dynamic shared object. Fix:

yum install httpd-devel

2. pcre missing

configure: *** pcre library not found.
configure: error: pcre library is required

Fix:

yum install pcre pcre-devel

3. libxml2 missing

configure: *** xml library not found.
configure: error: libxml2 is required

Fix:

yum install libxml2 libxml2-devel

4. Running /opt/tengine/sbin/nginx -m prints a warning

Tengine version: Tengine/2.1.0 (nginx/1.6.2)
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!

Cause: the APR version ModSecurity was compiled against differs from the one loaded at run time. error.log shows the same thing:

2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.

Fix: remove the older APR (1.3.9):

yum remove apr

5. error.log contains: Audit log: Failed to lock global mutex

2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]

Fix:
Edit modsecurity.conf, comment out the default SecAuditLogType and SecAuditLog, and add the following (0777 makes the directory world-writable; it only needs to be writable by the user the nginx worker processes run as):

SecAuditLogDirMode 0777
SecAuditLogFileMode 0550
SecAuditLogStorageDir /var/log/modsecurity
SecAuditLogType Concurrent
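As an added example (not part of the original post), the Python script below parses nginx error.log lines like the ones quoted in items 4 and 5 above: it reports libraries whose loaded version differs from the one ModSecurity was compiled against, splits ModSecurity [error] lines into client, message and bracketed fields, and maps both symptoms to the fixes given in this section. The regular expressions and the sample log text are constructed from the lines shown in this post.

```python
import re

# Constructed sample: the error.log lines quoted in this post (items 4 and 5), joined into one file.
SAMPLE_ERROR_LOG = """\
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]
"""

# nginx error.log layout: "<date> <time> [<level>] <pid>#<tid>: <message>"
LINE_RE = re.compile(r'^\S+ \S+ \[(?P<level>\w+)\] \d+#\d+: (?P<msg>.*)$')
# Startup notices such as: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
VERSION_RE = re.compile(r'ModSecurity: (?P<lib>\w+) compiled version="(?P<compiled>[^"]*)"(?:; loaded version="(?P<loaded>[^"]*)")?')
# Bracketed key/value pairs ModSecurity appends to its messages, e.g. [uri "/i.php"]
FIELD_RE = re.compile(r'\[(\w+) "([^"]*)"\]')

def version_tuple(text):
    """Leading numeric components only: '7.8 2008-09-05' and '7.8 ' both give (7, 8)."""
    digits = re.match(r'[\d.]*\d', text.strip())
    return tuple(int(p) for p in digits[0].split('.')) if digits else ()

def library_mismatches(log_text):
    """Libraries whose loaded version differs from the one ModSecurity was compiled against."""
    found = {}
    for m in filter(None, map(VERSION_RE.search, log_text.splitlines())):
        if m['loaded'] is not None and version_tuple(m['compiled']) != version_tuple(m['loaded']):
            found[m['lib']] = (m['compiled'].strip(), m['loaded'].strip())
    return found

def modsecurity_errors(log_text):
    """[error]-level ModSecurity lines split into client address, message text and bracketed fields."""
    out = []
    for m in filter(None, map(LINE_RE.match, log_text.splitlines())):
        if m['level'] != 'error' or 'ModSecurity: ' not in m['msg']:
            continue
        client = re.search(r'\[client ([^\]]+)\]', m['msg'])
        message = re.search(r'ModSecurity: (.*?)(?: \[\w+ "|$)', m['msg'])[1]
        out.append({'client': client[1] if client else None, 'message': message,
                    'fields': dict(FIELD_RE.findall(m['msg']))})
    return out

def diagnose(log_text):
    """Tie the two symptoms from the troubleshooting section to the fixes the post gives for them."""
    advice = [f'{lib}: compiled against {c} but loaded {l}; remove the stale package (the post uses "yum remove apr")' for lib, (c, l) in library_mismatches(log_text).items()]
    if any('Failed to lock global mutex' in e['message'] for e in modsecurity_errors(log_text)):
        advice.append('audit log mutex failure: use SecAuditLogType Concurrent with a writable SecAuditLogStorageDir')
    return advice
```

Run it against a real error.log by passing the file contents to diagnose(); an empty list means neither symptom is present.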
References:
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
http://drops.wooyun.org/tips/2614