Using ModSecurity with nginx to build a WAF

Posted 2017-10-19 16:53:31
ModSecurity started out as an open-source WAF for Apache and noticeably strengthens web security; it now also supports nginx and IIS. Combined with nginx's flexibility and performance it can be built into a production-grade WAF, a useful tool for both protecting and auditing web applications.

1. Preparation

System: CentOS 6.5 64-bit, Tengine 2.1.0, ModSecurity 2.8.0

tengine: http://tengine.taobao.org/download/tengine-2.1.0.tar.gz

modsecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz

OWASP rule set: https://github.com/SpiderLabs/owasp-modsecurity-crs

Dependencies:
tengine (nginx) needs pcre, zlib and openssl; all three are in the CentOS 6.5 repositories:

yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel

modsecurity needs pcre, httpd-devel, libxml2 and apr:

yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel

Install the apr packages from one source only (here the system repository) before building: ModSecurity checks at startup that the APR it was compiled against matches the one loaded, and a mismatch produces the warning covered in the troubleshooting section below.
2. Enable the standalone module and build it

Download modsecurity for nginx, unpack it, change into the unpacked directory and run:

./autogen.sh
./configure --enable-standalone-module --disable-mlogc
make
3. Add the ModSecurity module to nginx

With the standalone module built, add ModSecurity to the nginx build with "--add-module":

./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
make && make install

Afterwards /opt/tengine/sbin/nginx -V should list the --add-module path among the configure arguments; if it does not, the module is not in the binary.
4. Add rules

ModSecurity's job is to filter and block web attacks, and its strength lies in its rules. The OWASP rule set, maintained by community volunteers, is known as the Core Rule Set (CRS); it is reliable and comprehensive, and you can of course write your own rules for anything it does not cover.

1. Download the OWASP rules:

git clone https://github.com/SpiderLabs/owasp-modsecurity-crs
mv owasp-modsecurity-crs /opt/tengine/conf/
cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf

The file layout used below (modsecurity_crs_10_setup.conf, base_rules/, experimental_rules/ and so on) is that of the CRS 2.2.x releases; the repository's default branch has since moved on to CRS 3, which uses a different layout, so check out a 2.2.x release if you want to follow these paths.

2. Enable the OWASP rules:

Copy modsecurity.conf-recommended and unicode.mapping from the modsecurity source directory into nginx's conf directory and rename modsecurity.conf-recommended to modsecurity.conf.

Edit modsecurity.conf and set SecRuleEngine to On. (The recommended file ships with DetectionOnly, which logs matches without blocking; running in that mode for a while first shows which legitimate requests the rules would have blocked.)

owasp-modsecurity-crs contains several rule folders, such as base_rules, experimental_rules, optional_rules and slr_rules. Enable the ones you need by Include-ing them:

Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
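As an added example (not part of the original post), here is how the rule engine is typically rolled out and tuned in modsecurity.conf once the includes above are in place: start in DetectionOnly, keep the audit log to relevant transactions, add a local rule, and exclude one CRS rule for one path instead of switching the engine off. The /admin path, the 192.168.1.0/24 subnet, the /wp-admin/post.php exclusion and the local rule ids 1001 and 1002 (the 1-99,999 range is reserved for local rules) are placeholders chosen for this example; 973300 and 973301 are XSS rule ids from CRS 2.2.x, which you should verify against the copy you installed.

```apache
# --- modsecurity.conf (excerpt): roll out in DetectionOnly, switch to On later ---
# DetectionOnly logs every match exactly as if it would block, but lets the
# request through. Run like this for a while, review error.log and the audit
# log, tune, then change to On.
SecRuleEngine DetectionOnly
#SecRuleEngine On

# Inspect request bodies (form posts, JSON) as well as the query string.
SecRequestBodyAccess On

# Audit log: record only transactions that matched a rule or returned an
# error status, not every request (the pattern excludes 404s).
SecAuditEngine RelevantOnly
SecAuditLogRelevantStatus "^(?:5|4(?!04))"

# The CRS setup file and the rule files chosen above.
Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf

# --- Local rules (ids 1001-1002 are placeholders in the local range) ---
# Custom rule: deny any request under /admin that does not come from the
# trusted subnet. The path and subnet are example values.
SecRule REQUEST_URI "@beginsWith /admin" \
    "id:1001,phase:1,deny,status:403,log,msg:'admin path from outside trusted net',chain"
    SecRule REMOTE_ADDR "!@ipMatch 192.168.1.0/24"

# Tuning a false positive: a WordPress editor legitimately posts HTML, so the
# XSS rules fire on /wp-admin/post.php. Remove just those rules for that one
# path. ctl:ruleRemoveById runs in phase 1, before the phase 2 CRS rules.
SecRule REQUEST_URI "@beginsWith /wp-admin/post.php" \
    "id:1002,phase:1,pass,nolog,ctl:ruleRemoveById=973300,ctl:ruleRemoveById=973301"
```

Reload with /opt/tengine/sbin/nginx -t && /opt/tengine/sbin/nginx -s reload. The per-path exclusion uses ctl:ruleRemoveById rather than the SecRuleRemoveById directive because the directive removes the rule for every request, which is rarely what you want.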
5. Configure nginx

In each virtual host that should be protected, add these two lines inside the location block:

ModSecurityEnabled on;
ModSecurityConfig modsecurity.conf;

ModSecurity only inspects requests that reach a location carrying these directives, so in the PHP example below only .php requests are inspected; put the directives in location / (as in the proxy example) when everything should be. Two sample configurations follow. A PHP virtual host:

server {
    listen      80;
    server_name 52os.net www.52os.net;

    location ~ \.php$ {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        root /web/wordpress;
        index index.php index.html index.htm;

        fastcgi_pass   127.0.0.1:9000;
        fastcgi_index  index.php;
        # nginx variable names are case-sensitive: $document_root, not $Document_root
        fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;
        include        fastcgi_params;
    }
}

upstream load balancing:

upstream 52os.net {
    server 192.168.1.100:8080;
    server 192.168.1.101:8080 backup;
}

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location / {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        # proxy_pass must name the upstream block defined above
        proxy_pass http://52os.net;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}

Run /opt/tengine/sbin/nginx -t after editing; it loads modsecurity.conf and the included rule files as well, so a typo in a rule normally shows up there rather than after a reload.
6. Testing

With the XSS and SQL injection rules enabled, malicious requests get a 403 straight away. Taking the PHP environment as an example, create a phpinfo.php containing:

<?php
    phpinfo();
?>

Then request in a browser:

http://www.52os.net/phpinfo.php?id=1 displays normally.
http://www.52os.net/phpinfo.php?id=1 and 1=1 returns 403.
http://www.52os.net/phpinfo.php?search=<script>alert('xss');</script> returns 403.

That shows the SQL injection and XSS attempts are being filtered. Remove phpinfo.php once you are done: it discloses the PHP build, loaded modules and environment to anyone who can reach it. Each blocked request is also written to nginx's error.log with the id and message of the rule that matched, which is what you need when a legitimate request gets blocked and a rule has to be tuned.
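The error.log entries are what a tuning pass is built on. The following script is an added example, not code from the original post or from the ModSecurity project: it parses ModSecurity 2.x event lines from nginx's error.log, counts hits per rule, client and path, separates DetectionOnly warnings from real denials, and lists what fired on a given path. The log lines embedded in SAMPLE_LOG are constructed for the example in the format ModSecurity 2.x writes (hosts, client addresses and unique ids are made up; 950901 and 973300 are CRS 2.2.x rule ids used as sample values).

```python
import re
from collections import Counter

# Constructed sample of nginx error.log lines in the format ModSecurity 2.x emits.
# One event per line; the "Pattern match" part is abridged. Hosts, clients and
# unique ids are made up for this example.
SAMPLE_LOG = r'''
2017/10/19 16:50:01 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2017/10/19 16:50:12 [error] 29036#0: [client 10.11.15.161] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?i:\b(\d+)\s*=\s*\1\b)" at ARGS:id. [file "/opt/tengine/conf/owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "129"] [id "950901"] [msg "SQL Injection Attack: SQL Tautology Detected."] [data "Matched Data: 1=1 found within ARGS:id: 1 and 1=1"] [severity "CRITICAL"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [hostname "www.52os.net"] [uri "/phpinfo.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]
2017/10/19 16:50:30 [error] 29036#0: [client 10.11.15.161] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?i)<script" at ARGS:search. [file "/opt/tengine/conf/owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf"] [line "17"] [id "973300"] [msg "Possible XSS Attack Detected - HTML Tag Handler"] [data "Matched Data: <script found within ARGS:search: <script>alert(\"xss\");</script>"] [severity "CRITICAL"] [tag "OWASP_CRS/WEB_ATTACK/XSS"] [hostname "www.52os.net"] [uri "/phpinfo.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAd"]
2017/10/19 16:51:02 [error] 29036#0: [client 10.11.15.161] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?i:\b(\d+)\s*=\s*\1\b)" at ARGS:id. [file "/opt/tengine/conf/owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "129"] [id "950901"] [msg "SQL Injection Attack: SQL Tautology Detected."] [data "Matched Data: 2=2 found within ARGS:id: 1 or 2=2"] [severity "CRITICAL"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [hostname "www.52os.net"] [uri "/phpinfo.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAe"]
2017/10/19 16:52:40 [error] 29036#0: [client 192.168.1.50] ModSecurity: Warning. Pattern match "(?i)<script" at ARGS:content. [file "/opt/tengine/conf/owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf"] [line "17"] [id "973300"] [msg "Possible XSS Attack Detected - HTML Tag Handler"] [data "Matched Data: <script found within ARGS:content: <script src=\"/js/embed.js\"></script>"] [severity "CRITICAL"] [tag "OWASP_CRS/WEB_ATTACK/XSS"] [hostname "www.52os.net"] [uri "/wp-admin/post.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAf"]
'''

# Bracketed, double-quoted fields such as [id "950901"]; quotes inside are escaped as \"
FIELD_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')
# The client field is not quoted: [client 10.11.15.161]
CLIENT_RE = re.compile(r'\[client ([^\]]+)\]')
# Timestamp, nginx level, then either a denial (with status code) or a DetectionOnly warning
HEAD_RE = re.compile(r'^(\S+ \S+) \[(\w+)\] .*?ModSecurity: (Access denied with code (\d+)|Warning)')


def parse_event(line):
    """Turn one ModSecurity event line into a dict; return None for any other line."""
    head = HEAD_RE.match(line)
    if not head:
        return None  # nginx notices, the APR/PCRE version lines, audit log errors, etc.
    fields, tags = {}, []
    for key, value in FIELD_RE.findall(line):
        value = value.replace('\\"', '"')
        if key == 'tag':
            tags.append(value)  # a rule may carry several [tag ...] entries
        else:
            fields[key] = value
    if 'id' not in fields:
        return None  # an engine message without a rule id is not a rule hit
    client = CLIENT_RE.search(line)
    return {
        'time': head.group(1),
        'action': 'denied' if head.group(4) else 'warning',
        'status': int(head.group(4)) if head.group(4) else None,
        'client': client.group(1) if client else None,
        'rule_id': fields['id'],
        'msg': fields.get('msg', ''),
        'uri': fields.get('uri', ''),
        'hostname': fields.get('hostname', ''),
        'data': fields.get('data', ''),
        'tags': tags,
    }


def parse_log(text):
    """All ModSecurity rule hits in an error.log, in file order."""
    return [ev for ev in (parse_event(l) for l in text.splitlines()) if ev]


def summarize(events):
    """The counts one looks at after enabling CRS: which rules fire most (tuning
    candidates), which clients trip them (attackers or broken integrations),
    which paths are affected, and how many hits actually blocked."""
    return {
        'by_rule': Counter((e['rule_id'], e['msg']) for e in events),
        'by_client': Counter(e['client'] for e in events),
        'by_uri': Counter(e['uri'] for e in events),
        'denied': sum(1 for e in events if e['action'] == 'denied'),
        'warnings': sum(1 for e in events if e['action'] == 'warning'),
    }


def rules_hit_on(events, uri_prefix):
    """Rule ids that fired under a path prefix, with the matched data of each hit.
    This is the evidence for deciding whether a rule is a true positive there or a
    candidate for a per-path ctl:ruleRemoveById exclusion."""
    hits = {}
    for e in events:
        if e['uri'].startswith(uri_prefix):
            hits.setdefault(e['rule_id'], []).append(e['data'])
    return hits


if __name__ == '__main__':
    evs = parse_log(SAMPLE_LOG)
    s = summarize(evs)
    print(f"{len(evs)} rule hits: {s['denied']} denied, {s['warnings']} warnings (DetectionOnly)")
    for (rid, msg), n in s['by_rule'].most_common():
        print(f"  rule {rid} x{n}: {msg}")
    for client, n in s['by_client'].most_common():
        print(f"  client {client}: {n} hits")
    for rid, datas in rules_hit_on(evs, '/wp-admin/').items():
        print(f"  /wp-admin/ hit rule {rid}: {datas}")
```

Run it against a real log with parse_log(open('/opt/tengine/logs/error.log').read()) (the default error log location for the --prefix used above). A rule that fires on one path from trusted clients only, like 973300 on /wp-admin/post.php in the sample, is a candidate for a per-path exclusion; a rule that fires from many clients on many paths is usually a real attack and should stay.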
7. Troubleshooting the installation

1. Missing APXS

configure: looking for Apache module support via DSO through APXS
configure: error: couldn't find APXS

apxs is the tool that compiles and installs extension modules for the Apache HTTP server, turning one or more source or object files into a dynamic shared object.
Fix:

yum install httpd-devel

2. pcre not found

configure: *** pcre library not found.
configure: error: pcre library is required

Fix:

yum install pcre pcre-devel

3. libxml2 not found

configure: *** xml library not found.
configure: error: libxml2 is required

Fix:

yum install libxml2 libxml2-devel

4. A warning when running /opt/tengine/sbin/nginx -m

Tengine version: Tengine/2.1.0 (nginx/1.6.2)
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!

Cause: the APR version ModSecurity was compiled against differs from the one loaded at run time. error.log shows the same thing:

2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.

Fix: remove the older APR (1.3.9):

yum remove apr

yum will take everything that depends on apr with it (httpd-devel, apr-util and so on), so read the list it prints before confirming. If the warning persists, make sure only one APR (headers and shared library from the same version) is installed and rebuild ModSecurity against it, so that the compiled and loaded versions match.

5. error.log contains: Audit log: Failed to lock global mutex

2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]

Fix:
Edit modsecurity.conf, comment out the default SecAuditLogType and SecAuditLog, and add:

SecAuditLogDirMode 0777
SecAuditLogFileMode 0550
SecAuditLogStorageDir /var/log/modsecurity
SecAuditLogType Concurrent

A directory mode of 0777 is more than is needed, and audit logs contain complete requests, cookies and credentials included. The storage directory only has to be writable by the user the nginx worker processes run as (the user directive in nginx.conf); creating /var/log/modsecurity owned by that user with mode 0750 works without making it world-writable.
References:
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
http://drops.wooyun.org/tips/2614