Using nginx with ModSecurity to implement a WAF

Posted on 2017-10-19 16:53:31
ModSecurity started out as an open-source WAF for Apache and is an effective way to harden a web application. It now also supports nginx and IIS; combined with nginx's flexibility and performance it can be built into a production-grade WAF, a powerful tool for protecting and auditing web security.

I. Preparation

System: CentOS 6.5 64-bit, Tengine 2.1.0, ModSecurity 2.8.0

Tengine: http://tengine.taobao.org/download/tengine-2.1.0.tar.gz
ModSecurity for nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz
OWASP rule set: https://github.com/SpiderLabs/owasp-modsecurity-crs

Dependencies:
Tengine (nginx) depends on pcre, zlib and openssl; all three are available from the CentOS 6.5 repositories:

yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel

Packages ModSecurity depends on: pcre, httpd-devel, libxml2, apr

yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
II. Enable the standalone module and compile

Download ModSecurity for nginx, unpack it, change into the unpacked directory and run:

./autogen.sh
./configure --enable-standalone-module --disable-mlogc
make
III. Add the ModSecurity module to nginx

Once the standalone module has been built, it is added to nginx at compile time with "--add-module":

./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
make && make install
IV. Add rules

ModSecurity is built around filtering and blocking web threats, and its strength lies in its rules. The rules published by OWASP are maintained by community volunteers and are known as the Core Rule Set (CRS); they are reliable and powerful, and you can of course write custom rules to cover other needs.

1. Download the OWASP rules:

git clone https://github.com/SpiderLabs/owasp-modsecurity-crs
mv owasp-modsecurity-crs /opt/tengine/conf/
cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf

2. Enable the OWASP rules:

Copy modsecurity.conf-recommended and unicode.mapping from the ModSecurity source directory into nginx's conf directory, and rename modsecurity.conf-recommended to modsecurity.conf.

Edit modsecurity.conf and set SecRuleEngine to On (the recommended file ships with SecRuleEngine DetectionOnly, which only logs matches and does not block).

owasp-modsecurity-crs contains several folders of rules, for example base_rules, experimental_rules, optional_rules and slr_rules. Enable the rules you need by adding an Include line for each file to modsecurity.conf:

Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
V. Configure nginx

In the location block of every virtual host that should be protected by ModSecurity, add these two lines:

ModSecurityEnabled on;
ModSecurityConfig modsecurity.conf;

Two example configurations follow. First, a PHP virtual host:

server {
    listen      80;
    server_name 52os.net www.52os.net;

    location ~ \.php$ {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        root /web/wordpress;
        index index.php index.html index.htm;

        fastcgi_pass   127.0.0.1:9000;
        fastcgi_index  index.php;
        # nginx variable names are case-sensitive; $Document_root would be rejected as unknown
        fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;
        include        fastcgi_params;
    }
}

Second, an upstream load-balancing host:

upstream 52os.net {
    server 192.168.1.100:8080;
    server 192.168.1.101:8080 backup;
}

server {
    listen 80;
    server_name 52os.net www.52os.net;

    location / {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        # proxy_pass must reference the upstream block defined above
        proxy_pass http://52os.net;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
VI. Testing

We enabled the XSS and SQL injection filters, so abnormal requests are answered directly with 403. Taking the PHP environment as an example, create a phpinfo.php containing:

<?php
    phpinfo();
?>

Then open the following URLs in a browser:

http://www.52os.net/phpinfo.php?id=1  displays normally.
http://www.52os.net/phpinfo.php?id=1 and 1=1  returns 403.
http://www.52os.net/phpinfo.php?search=<script>alert('xss');</script>  returns 403.

This shows that SQL injection and XSS are being filtered.
: ~1 B' B/ X/ ?3 i$ i
VII. Troubleshooting the installation

1. Missing APXS causes an error

configure: looking for Apache module support via DSO through APXS
configure: error: couldn't find APXS

apxs is a tool for building and installing extension modules for the Apache HTTP server; it compiles one or more source or object files into a dynamic shared object.
Fix:

yum install httpd-devel

2. pcre not found

configure: *** pcre library not found.
configure: error: pcre library is required

Fix:

yum install pcre pcre-devel

3. libxml2 not found

configure: *** xml library not found.
configure: error: libxml2 is required

Fix:

yum install libxml2 libxml2-devel

4. A warning when running /opt/tengine/sbin/nginx -m

Tengine version: Tengine/2.1.0 (nginx/1.6.2)
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!

Cause: the APR version ModSecurity was compiled against differs from the one loaded at run time. error.log shows the same thing:

2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded     version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.

Fix: remove the older APR (1.3.9)

yum remove apr
5. error.log contains: Audit log: Failed to lock global mutex

2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]

Fix:
Edit modsecurity.conf, comment out the default SecAuditLogType and SecAuditLog lines, and add the following:

SecAuditLogDirMode 0777
SecAuditLogFileMode 0550
SecAuditLogStorageDir /var/log/modsecurity
SecAuditLogType Concurrent
References:
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
http://drops.wooyun.org/tips/2614