Using nginx with ModSecurity to implement a WAF

Posted 2017-10-19 16:53:31
ModSecurity was originally an open-source WAF for Apache that substantially improves web security. It now supports nginx and IIS as well; combined with nginx's flexibility and performance it can be built into a production-grade WAF, and it is a powerful tool for protecting and auditing web applications.

I. Preparation

System: CentOS 6.5 64-bit, Tengine 2.1.0, ModSecurity 2.8.0

Tengine: http://tengine.taobao.org/download/tengine-2.1.0.tar.gz

ModSecurity for nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz

OWASP rule set: https://github.com/SpiderLabs/owasp-modsecurity-crs

Dependencies:

Tengine (nginx) depends on pcre, zlib and openssl; all three are available from the CentOS 6.5 repositories:

yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel

ModSecurity depends on pcre, httpd-devel, libxml2 and apr:

yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
II. Enable the standalone module and build

Download ModSecurity for nginx, unpack it, and run the following in the unpacked directory:

./autogen.sh
./configure --enable-standalone-module --disable-mlogc
make

III. Add the ModSecurity module to nginx

Once the standalone module has been built, the ModSecurity module can be added when configuring nginx via "--add-module":

./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
make && make install
IV. Add rules

ModSecurity is geared toward filtering and blocking web threats, and its power lies in its rules. The rules provided by OWASP are maintained by community volunteers and are known as the Core Rule Set (CRS); they are reliable and powerful, and you can of course write custom rules to cover any other need.

1. Download the OWASP rules:

git clone https://github.com/SpiderLabs/owasp-modsecurity-crs

mv owasp-modsecurity-crs /opt/tengine/conf/

cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf

2. Enable the OWASP rules:

Copy modsecurity.conf-recommended and unicode.mapping from the ModSecurity source directory into nginx's conf directory, and rename modsecurity.conf-recommended to modsecurity.conf.

Edit modsecurity.conf and set SecRuleEngine to On.

owasp-modsecurity-crs contains several directories of rules, such as base_rules, experimental_rules, optional_rules and slr_rules. Enable the rules you need by pulling the corresponding files in with Include:

Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
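Before reloading nginx it is worth checking that modsecurity.conf actually turns the engine on and that every Include line resolves to a file, since a mistyped path is otherwise only discovered when nginx loads the configuration. The Python script below is an added example written for this post, not part of ModSecurity or the CRS. It resolves relative Include paths against the directory that contains modsecurity.conf (matching the layout above; this is an assumption about how the paths are meant to be read) and also accepts wildcard patterns. The directory layout it checks is constructed in a temporary directory, with the DoS-protection Include deliberately left missing so the report shows what an unresolved Include looks like.

```python
import glob
import os
import re
import tempfile

# Constructed sample modsecurity.conf mirroring the layout in this post: the
# file lives in the nginx conf directory and pulls CRS files in by relative
# path. The DoS-protection Include is deliberately left without a file.
SAMPLE_CONF = """\
# Basic configuration
SecRuleEngine On
SecRequestBodyAccess On
Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_*.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
"""

# Files that exist in the constructed layout (created empty in demo()).
SAMPLE_FILES = [
    "owasp-modsecurity-crs/modsecurity_crs_10_setup.conf",
    "owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf",
    "owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf",
]

DIRECTIVE_RE = re.compile(r"^\s*(\w+)\s+(.*?)\s*$")


def parse_directives(text):
    """Yield (directive, value) pairs; '#' comment lines and blank lines are skipped."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = DIRECTIVE_RE.match(line)
        if m:
            yield m.group(1), m.group(2)


def resolve_include(pattern, conf_dir):
    """Resolve an Include value (relative to conf_dir, wildcards allowed) to existing files."""
    pattern = pattern.strip('"')
    if not os.path.isabs(pattern):
        pattern = os.path.join(conf_dir, pattern)
    if any(ch in pattern for ch in "*?["):
        return sorted(glob.glob(pattern))
    return [pattern] if os.path.isfile(pattern) else []


def check_modsecurity_conf(conf_path):
    """Report the engine mode, the resolved Include files and Includes matching nothing."""
    conf_dir = os.path.dirname(os.path.abspath(conf_path))
    with open(conf_path) as fh:
        directives = list(parse_directives(fh.read()))
    engine = next((v for d, v in directives if d == "SecRuleEngine"), None)
    included, unresolved = [], []
    for d, v in directives:
        if d != "Include":
            continue
        files = resolve_include(v, conf_dir)
        if files:
            included.extend(files)
        else:
            unresolved.append(v)
    return {
        "engine": engine,
        # Only "On" blocks; "DetectionOnly" logs without blocking, "Off" disables.
        "blocking": engine is not None and engine.lower() == "on",
        "included": included,
        "unresolved": unresolved,
    }


def demo():
    """Lay the constructed sample out in a temporary directory and check it."""
    with tempfile.TemporaryDirectory() as conf_dir:
        for rel in SAMPLE_FILES:
            path = os.path.join(conf_dir, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            open(path, "w").close()
        conf = os.path.join(conf_dir, "modsecurity.conf")
        with open(conf, "w") as fh:
            fh.write(SAMPLE_CONF)
        return check_modsecurity_conf(conf)


if __name__ == "__main__":
    report = demo()
    print("SecRuleEngine:", report["engine"], "(blocking)" if report["blocking"] else "(NOT blocking)")
    for path in report["included"]:
        print("ok      ", path)
    for pattern in report["unresolved"]:
        print("MISSING ", pattern)
```

To check a real installation, call check_modsecurity_conf("/opt/tengine/conf/modsecurity.conf") instead of demo(); an empty "unresolved" list and "blocking" set to True is what you want to see before the nginx reload.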
V. Configure nginx

Add the following two lines to the location block of any virtual host that should be protected by ModSecurity:

ModSecurityEnabled on;
ModSecurityConfig modsecurity.conf;

Two example configurations follow. First, a PHP virtual host:

server {
    listen      80;
    server_name 52os.net www.52os.net;

    location ~ \.php$ {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        root /web/wordpress;
        index index.php index.html index.htm;

        fastcgi_pass   127.0.0.1:9000;
        fastcgi_index  index.php;
        # nginx variable names are case-sensitive: $Document_root is rejected as an unknown variable
        fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;
        include        fastcgi_params;
    }
}

Second, upstream load balancing:

# the upstream name must match the name used in proxy_pass below
upstream online {
    server 192.168.1.100:8080;
    server 192.168.1.101:8080 backup;
}

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location / {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        proxy_pass http://online;
        proxy_redirect   off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
VI. Testing

We have enabled the XSS and SQL injection filters, so abnormal requests get a 403 straight back. Taking the PHP environment as the example, create a phpinfo.php containing:

<?php
    phpinfo();
?>

Then open the following URLs in a browser:

http://www.52os.net/phpinfo.php?id=1 displays normally.
http://www.52os.net/phpinfo.php?id=1 and 1=1 returns 403.
http://www.52os.net/phpinfo.php?search=<script>alert('xss');</script> returns 403.

This shows that SQL injection and XSS are being filtered.
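The browser checks above can be scripted so that they are repeated after every rule or configuration change. The script below is an added example, not from the post; it sends the same three requests with Python's urllib and compares the status codes against what a blocking WAF should return. The fetch function is a parameter so the cases can be exercised without a live server, and the target URL defaults to the post's hostname (replace it with your own). Note that urllib raises HTTPError for a 403, so the status has to be taken from the exception.

```python
import sys
import urllib.error
import urllib.parse
import urllib.request

# Each case: (label, query parameters, expected status). These are the same
# requests the post tests by hand; with SecRuleEngine On the last two should
# be answered with 403, the first with 200.
CASES = [
    ("benign request", {"id": "1"}, 200),
    ("sql injection probe", {"id": "1 and 1=1"}, 403),
    ("xss probe", {"search": "<script>alert('xss');</script>"}, 403),
]


def http_status(url, timeout=5):
    """Return the HTTP status for url; 4xx/5xx are returned as codes, not raised."""
    req = urllib.request.Request(url, headers={"User-Agent": "waf-smoke-test"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def run_smoke_test(base_url, fetch=http_status):
    """Send every case to base_url; return (label, url, expected, got, passed) per case."""
    results = []
    for label, params, expected in CASES:
        url = base_url + "?" + urllib.parse.urlencode(params)
        got = fetch(url)
        results.append((label, url, expected, got, got == expected))
    return results


def all_passed(results):
    """True only if every case returned exactly the expected status."""
    return all(r[-1] for r in results)


if __name__ == "__main__":
    # Target is an assumption taken from the post; pass your own URL as argv[1].
    target = sys.argv[1] if len(sys.argv) > 1 else "http://www.52os.net/phpinfo.php"
    results = run_smoke_test(target)
    for label, url, expected, got, ok in results:
        print(f"{'PASS' if ok else 'FAIL'} {label}: expected {expected}, got {got} ({url})")
    sys.exit(0 if all_passed(results) else 1)
```

A failing "benign request" case after a rule change usually means a false positive worth looking at in the audit log; a failing probe case with a 200 means the engine is off or in DetectionOnly mode, or the relevant rule file is not included.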
VII. Troubleshooting the installation

1. Missing APXS causes an error

configure: looking for Apache module support via DSO through APXS
configure: error: couldn't find APXS

apxs is the tool for building and installing extension modules for the Apache HTTP server; it compiles one or more source or object files into a dynamic shared object.

Fix:

yum install httpd-devel

2. pcre is missing

configure: *** pcre library not found.
configure: error: pcre library is required

Fix:

yum install pcre pcre-devel

3. libxml2 is missing

configure: *** xml library not found.
configure: error: libxml2 is required

Fix:

yum install libxml2 libxml2-devel

4. Running /opt/tengine/sbin/nginx -m prints a warning

Tengine version: Tengine/2.1.0 (nginx/1.6.2)
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!

Cause: the APR version ModSecurity was compiled against differs from the one loaded at runtime. error.log shows the following as well:

2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.

Fix: remove the older APR (1.3.9):

yum remove apr

5. error.log contains: Audit log: Failed to lock global mutex

2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]

Fix:

Edit modsecurity.conf, comment out the default SecAuditLogType and SecAuditLog, and add the following:

SecAuditLogDirMode 0777
SecAuditLogFileMode 0550
SecAuditLogStorageDir /var/log/modsecurity
SecAuditLogType Concurrent
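Both of the problems above (the APR version mismatch in item 4 and the audit-log mutex error in item 5) first show up in nginx's error.log, so a small parser that pulls the ModSecurity lines apart is useful both for troubleshooting and for routine monitoring. The Python script below is an added example, not part of ModSecurity or nginx. It parses the log excerpts quoted above (embedded as constructed sample input, with the mutex error joined back onto one line as it appears in a real log), extracts the bracketed [key "value"] fields and the client address from error lines, and reports any library whose loaded version differs from the compiled one. It compares only the leading version token, so PCRE's "7.8 " and "7.8 2008-09-05" are treated as the same release while APR 1.5.0 versus 1.3.9 is flagged.

```python
import re

# Constructed sample: the error.log excerpts quoted in this post, with the
# audit-log error joined onto a single line as the real log writes it.
SAMPLE_LOG = """\
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.
2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]
"""

# nginx error.log prefix: "YYYY/MM/DD HH:MM:SS [level] pid#tid: message"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d\d/\d\d \d\d:\d\d:\d\d) \[(?P<level>\w+)\] (?P<pid>\d+)#\d+: (?P<msg>.*)$"
)
# Version notices; the "loaded" part is optional because LIBXML only reports
# the compiled version.
VERSION_RE = re.compile(
    r'ModSecurity: (?P<lib>\w+) compiled version="(?P<compiled>[^"]*)"'
    r'(?:; loaded version="(?P<loaded>[^"]*)")?'
)
FIELD_RE = re.compile(r'\[(?P<key>\w+) "(?P<val>[^"]*)"\]')  # [uri "/i.php"] and friends
CLIENT_RE = re.compile(r"\[client (?P<client>[^\]]+)\]")


def version_token(text):
    """First whitespace-delimited token: '7.8 2008-09-05' and '7.8 ' both give '7.8'."""
    parts = text.split()
    return parts[0] if parts else ""


def parse_error_log(text):
    """Return (events, mismatches) for the ModSecurity lines in an nginx error.log.

    events: one dict per line with ts/level/pid/msg, the bracketed fields, the
    client address (if any) and, for version notices, (library, compiled, loaded).
    mismatches: the (library, compiled, loaded) tuples whose versions differ.
    """
    events, mismatches = [], []
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m or "ModSecurity" not in m.group("msg"):
            continue
        ev = m.groupdict()
        msg = ev["msg"]
        ev["fields"] = dict(FIELD_RE.findall(msg))
        client = CLIENT_RE.search(msg)
        ev["client"] = client.group("client") if client else None
        v = VERSION_RE.search(msg)
        if v and v.group("loaded") is not None:
            compiled = version_token(v.group("compiled"))
            loaded = version_token(v.group("loaded"))
            ev["library"] = (v.group("lib"), compiled, loaded)
            if compiled != loaded:
                mismatches.append(ev["library"])
        events.append(ev)
    return events, mismatches


def demo():
    """Parse the constructed sample log."""
    return parse_error_log(SAMPLE_LOG)


if __name__ == "__main__":
    events, mismatches = demo()
    for lib, compiled, loaded in mismatches:
        print(f"VERSION MISMATCH {lib}: compiled against {compiled}, {loaded} loaded")
    for ev in events:
        if ev["level"] == "error":
            f = ev["fields"]
            print(f"{ev['ts']} client={ev['client']} uri={f.get('uri')} "
                  f"unique_id={f.get('unique_id')}: {ev['msg']}")
```

To run it against a live installation, read /opt/tengine/logs/error.log (or wherever your error_log directive points) and pass its contents to parse_error_log; the unique_id field is what you need to find the matching entry under SecAuditLogStorageDir when a request was blocked.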
References:
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
http://drops.wooyun.org/tips/2614