Building a WAF with nginx and ModSecurity

Posted on 2017-10-19 16:53:31
ModSecurity was originally an open-source WAF for Apache that effectively hardens web applications. It now also supports nginx and IIS; combined with nginx's flexibility and performance it can be built into a production-grade WAF, a powerful tool for protecting and auditing web security.

Part 1: Preparation

System: CentOS 6.5 64-bit, Tengine 2.1.0, ModSecurity 2.8.0

Tengine: http://tengine.taobao.org/download/tengine-2.1.0.tar.gz

ModSecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz

OWASP rule set: https://github.com/SpiderLabs/owasp-modsecurity-crs

Dependencies:
Tengine (nginx) depends on pcre, zlib and openssl; all three are in the CentOS 6.5 repositories:

yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel

ModSecurity depends on pcre, httpd-devel, libxml2 and apr:

yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel

Part 2: Enable the standalone module and compile

Download ModSecurity for nginx, extract it, and run the following in the extracted directory:

./autogen.sh
./configure --enable-standalone-module --disable-mlogc
make

Part 3: Add the ModSecurity module to nginx

Once the standalone module is built, add it to the nginx build with "--add-module":

./configure --add-module=/root/modsecurity-2.8.0/nginx/modsecurity/ --prefix=/opt/tengine
make && make install

Part 4: Add rules

ModSecurity's focus is filtering and blocking web threats, and its strength lies in its rules. The rules provided by OWASP are maintained by community volunteers and are known as the Core Rule Set (CRS); they are reliable and powerful, and you can of course write custom rules for your own needs.

1. Download the OWASP rules:

git clone https://github.com/SpiderLabs/owasp-modsecurity-crs

mv owasp-modsecurity-crs /opt/tengine/conf/

cd /opt/tengine/conf/owasp-modsecurity-crs && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf

2. Enable the OWASP rules:

Copy modsecurity.conf-recommended and unicode.mapping from the ModSecurity source directory into nginx's conf directory, and rename modsecurity.conf-recommended to modsecurity.conf.

Edit modsecurity.conf and set SecRuleEngine to On.

owasp-modsecurity-crs contains several rule directories, such as base_rules, experimental_rules, optional_rules and slr_rules. Enable only the rules you need by adding an Include line for each rule file to modsecurity.conf:

Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf

Part 5: Configure nginx

In the location block of each virtual host where ModSecurity should be enabled, add these two lines:

ModSecurityEnabled on;
ModSecurityConfig modsecurity.conf;

Two example configurations follow. A PHP virtual host:

server {
    listen      80;
    server_name 52os.net www.52os.net;

    location ~ \.php$ {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        root  /web/wordpress;
        index index.php index.html index.htm;

        fastcgi_pass   127.0.0.1:9000;
        fastcgi_index  index.php;
        # nginx variables are case-sensitive: $document_root, not $Document_root
        fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;
        include        fastcgi_params;
    }
}

An upstream load-balancing host:

# the upstream name must match the host used in proxy_pass below
upstream online {
    server 192.168.1.100:8080;
    server 192.168.1.101:8080 backup;
}

server {
    listen      80;
    server_name 52os.net www.52os.net;

    location / {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;

        proxy_pass       http://online;
        proxy_redirect   off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}

Part 6: Testing

We enabled the XSS and SQL injection filters, so abnormal requests are answered directly with 403. Using the PHP environment as an example, create a phpinfo.php containing:

<?php
    phpinfo();
?>

Then open these in a browser:

http://www.52os.net/phpinfo.php?id=1  displays normally.
http://www.52os.net/phpinfo.php?id=1 and 1=1  returns 403.
http://www.52os.net/phpinfo.php?search=<script>alert('xss');</script>  returns 403.

This shows that the SQL injection and XSS attempts are being filtered.

Part 7: Troubleshooting the installation

1. Missing APXS

configure: looking for Apache module support via DSO through APXS
configure: error: couldn't find APXS

apxs is a tool for compiling and installing extension modules for the Apache HTTP server; it builds one or more source or object files into a dynamic shared object.

Fix:

yum install httpd-devel

2. Missing pcre

configure: *** pcre library not found.
configure: error: pcre library is required

Fix:

yum install pcre pcre-devel

3. Missing libxml2

configure: *** xml library not found.
configure: error: libxml2 is required

Fix:

yum install libxml2 libxml2-devel

4. Running /opt/tengine/sbin/nginx -m prints a warning

Tengine version: Tengine/2.1.0 (nginx/1.6.2)
nginx: [warn] ModSecurity: Loaded APR do not match with compiled!

Cause: the APR version ModSecurity was compiled against differs from the one loaded at run time. error.log also contains the following:

2015/01/26 02:04:18 [notice] 29036#0: ModSecurity for nginx (STABLE)/2.8.0 () configured.
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: APR compiled version="1.5.0"; loaded version="1.3.9"
2015/01/26 02:04:18 [warn] 29036#0: ModSecurity: Loaded APR do not match with compiled!
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/01/26 02:04:18 [notice] 29036#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/01/26 02:04:18 [notice] 29036#0: Status engine is currently disabled, enable it by set SecStatusEngine to On.

Fix: remove the older APR (1.3.9):

yum remove apr

5. error.log contains "Audit log: Failed to lock global mutex"

2015/01/26 04:15:42 [error] 61610#0: [client 10.11.15.161] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname ""] [uri "/i.php"] [unique_id "AcAcAcAcAcAcAcA4DcA7AcAc"]

Fix:
Edit modsecurity.conf, comment out the default SecAuditLogType and SecAuditLog, and add the following:

SecAuditLogDirMode 0777
SecAuditLogFileMode 0550
SecAuditLogStorageDir /var/log/modsecurity
SecAuditLogType Concurrent

Reference articles:
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
http://drops.wooyun.org/tips/2614