I. Preparation
System: CentOS 6.5 64-bit, ngx_openresty-1.7.10.1, modsecurity 2.9.0
openresty: http://openresty.org/download/ngx_openresty-1.7.10.1.tar.gz
modsecurity for nginx: https://www.modsecurity.org/tarball/2.9.0/modsecurity-2.9.0.tar.gz
OWASP rule set: https://github.com/spiderlabs/owasp-modsecurity-crs
Dependencies:
Packages modsecurity depends on: pcre, httpd-devel, libxml2, apr
yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel
Packages openresty depends on: pcre, zlib, openssl
yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel
II. Enable the standalone module and compile
Download modsecurity for nginx, extract it, change into the extracted directory and run:
./autogen.sh
./configure --enable-standalone-module --disable-mlogc
make
III. Add the modsecurity module to openresty
Once the standalone module has been built, it can be added when compiling openresty with "--add-module":
./configure --prefix=/opt/openresty --with-pcre-jit --with-ipv6 --without-http_redis2_module --with-http_iconv_module -j2 --add-module=../modsecurity-2.9.0/nginx/modsecurity/
make && make install
IV. Add rules
modsecurity is built to filter and block web attacks, and its power lies in its rules. The rules provided by OWASP are maintained by community volunteers and are known as the Core Rule Set (CRS); they are reliable and powerful, and you can of course also write custom rules to meet your own needs.
1. Download the OWASP rules:
git clone https://github.com/spiderlabs/owasp-modsecurity-crs
mv owasp-modsecurity-crs /opt/openresty/nginx/conf/
cd /opt/openresty/nginx/conf/owasp-modsecurity-crs/ && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf
2. Enable the OWASP rules:
Copy modsecurity.conf-recommended and unicode.mapping from the modsecurity source directory into nginx's conf directory, renaming modsecurity.conf-recommended to modsecurity.conf.
mv modsecurity.conf-recommended /opt/openresty/nginx/conf/modsecurity.conf
cp unicode.mapping /opt/openresty/nginx/conf/
Edit modsecurity.conf and set SecRuleEngine to On (the recommended file ships with DetectionOnly, which only logs matches and blocks nothing):
sed -i 's/^SecRuleEngine.*/SecRuleEngine On/' /opt/openresty/nginx/conf/modsecurity.conf
owasp-modsecurity-crs contains several folders of rules, such as base_rules, experimental_rules, optional_rules and slr_rules; enable the rules in them as needed.
Each rule file to enable is simply pulled into modsecurity.conf with an Include line:
Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
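Two mistakes are easy to make at this step: leaving modsecurity.conf at the DetectionOnly value that modsecurity.conf-recommended ships with (matches are logged, nothing is blocked), and pointing an Include at a CRS file that was never copied or listing rule files before modsecurity_crs_10_setup.conf, which initialises variables the other files rely on. The script below is an added example, not code from this post or from the ModSecurity project; it assumes the layout above (modsecurity.conf and the owasp-modsecurity-crs/ directory both under the nginx conf directory, relative Include paths resolved from there) and reports those problems before nginx is reloaded:

```python
"""Sanity-check a ModSecurity standalone modsecurity.conf before reloading nginx.

Added example, not code from the original post. Assumes modsecurity.conf and the
owasp-modsecurity-crs directory live in the nginx conf directory and that relative
Include paths are resolved from that directory.
"""
import os
import re
import sys

ENGINE_RE = re.compile(r'^\s*SecRuleEngine\s+(\S+)', re.IGNORECASE)
INCLUDE_RE = re.compile(r'^\s*Include\s+"?([^"\s]+)"?', re.IGNORECASE)
CRS_SETUP = "modsecurity_crs_10_setup.conf"


def parse_conf(text):
    """Return (SecRuleEngine value or None, list of Include targets in file order)."""
    engine = None
    includes = []
    for line in text.splitlines():
        if line.lstrip().startswith("#"):
            continue  # modsecurity.conf-recommended is mostly commentary
        m = ENGINE_RE.match(line)
        if m:
            engine = m.group(1)  # the last occurrence wins, as in ModSecurity itself
            continue
        m = INCLUDE_RE.match(line)
        if m:
            includes.append(m.group(1))
    return engine, includes


def check_conf(text, conf_dir, exists=os.path.exists):
    """Return a list of problems found in the config text; an empty list means it looks sane.

    `exists` is injectable so the checks can be exercised without a real filesystem.
    """
    problems = []
    engine, includes = parse_conf(text)

    # DetectionOnly (the shipped default) evaluates rules but never returns 403.
    if engine is None:
        problems.append("SecRuleEngine is not set; rules will not be evaluated")
    elif engine.lower() != "on":
        problems.append("SecRuleEngine is %s, not On; requests are logged but not blocked" % engine)

    # CRS rule files depend on settings made in modsecurity_crs_10_setup.conf,
    # so it must be included, and included before any other CRS file.
    crs = [i for i, p in enumerate(includes) if "owasp-modsecurity-crs/" in p]
    setup = [i for i in crs if includes[i].endswith(CRS_SETUP)]
    if crs and not setup:
        problems.append("%s is not included; CRS rules depend on it" % CRS_SETUP)
    elif setup and any(i < setup[0] for i in crs):
        problems.append("%s must be included before other CRS rule files" % CRS_SETUP)

    # A missing Include target makes nginx fail to start when it loads modsecurity.conf.
    for p in includes:
        full = p if os.path.isabs(p) else os.path.join(conf_dir, p)
        if not exists(full):
            problems.append("Include target not found: %s" % full)
    return problems


if __name__ == "__main__":
    # Usage: python check_modsec_conf.py [/path/to/nginx/conf]  (hypothetical script name)
    conf_dir = sys.argv[1] if len(sys.argv) > 1 else "/opt/openresty/nginx/conf"
    with open(os.path.join(conf_dir, "modsecurity.conf")) as f:
        found = check_conf(f.read(), conf_dir)
    for p in found:
        print("PROBLEM:", p)
    sys.exit(1 if found else 0)
```

Run it after every change to modsecurity.conf; a non-zero exit means the config would either not block anything or stop nginx from starting.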
V. Configure nginx
Add the following two lines inside the location block of each host where modsecurity should be enabled:
ModSecurityEnabled on;
ModSecurityConfig modsecurity.conf;
Below are a few example configurations. A PHP virtual host:
server {
    listen 80;
    server_name test.net www.test.net;
    location ~ \.php$ {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;
        root /web/wordpress;
        index index.php index.html index.htm;
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}
Upstream load balancing:
upstream online {
    server 192.168.1.100:8080;
    server 192.168.1.101:8080 backup;
}
server {
    listen 80;
    server_name test.net www.test.net;
    location / {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;
        proxy_pass http://online;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
Wildcard domain, reverse proxy mode:
upstream real_webserver {
    server 192.168.0.12;
    server 192.168.0.13;
}
server {
    listen 80;
    server_name _;
    location / {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass http://real_webserver;
    }
}
VI. Testing
XSS and SQL injection filtering is now enabled, and abnormal requests are answered with a 403 directly. Taking a PHP environment as the example, create a phpinfo.php containing:
<?php phpinfo(); ?>
Open it in the browser:
http://www.52os.net/phpinfo.php?id=1 is displayed normally.
http://www.52os.net/phpinfo.php?id=1 and 1=1 returns 403.
http://www.52os.net/phpinfo.php?search=&
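A 403 in the browser says nothing about which rule fired. ModSecurity records that in the nginx error log as an "Access denied" line followed by [id "..."], [msg "..."], [uri "..."] and similar fields, and reading those lines is how you tell a real block from a false positive on legitimate traffic before leaving the WAF in blocking mode. The script below is an added example, not code from this post or from the ModSecurity project: it parses such entries and counts hits per rule. The log lines embedded in it are constructed to match the format only; the rule ids, file paths, client address and unique_id values are illustrative, and the error log path is passed in as an argument rather than assumed.

```python
"""Triage ModSecurity 'Access denied' entries in the nginx error log.

Added example, not code from the original post. SAMPLE_LINES are constructed
to mimic the shape of ModSecurity 2.x entries; ids, paths, addresses and
unique_id values are illustrative, not from a real deployment.
"""
import re
import sys
from collections import Counter

DENIED_RE = re.compile(r'ModSecurity: Access denied with code (\d+) \(phase (\d)\)')
CLIENT_RE = re.compile(r'\[client ([^\]\s]+)\]')
# Rule metadata is appended as [key "value"] pairs; values may contain escaped quotes.
TAG_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')

# Constructed sample lines (format only; ids and paths illustrative).
SAMPLE_LINES = [
    '2015/06/10 11:05:32 [error] 25083#0: *7 [client 192.168.1.5] ModSecurity: Access denied with code 403 (phase 2). '
    'Pattern match "(?i:...)" at ARGS:id. '
    '[file "/opt/openresty/nginx/conf/owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] '
    '[line "77"] [id "981243"] [msg "Detects classic SQL injection probings 2/2"] '
    '[data "Matched Data: 1 and 1=1 found within ARGS:id: 1 and 1=1"] [severity "CRITICAL"] '
    '[tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [hostname "www.test.net"] [uri "/phpinfo.php"] '
    '[unique_id "EXAMPLE-ID-1"], client: 192.168.1.5, server: test.net, '
    'request: "GET /phpinfo.php?id=1%20and%201=1 HTTP/1.1", host: "www.test.net"',
    '2015/06/10 11:06:01 [error] 25083#0: *8 [client 192.168.1.5] ModSecurity: Access denied with code 403 (phase 2). '
    'Pattern match "(?i:...)" at ARGS:search. '
    '[file "/opt/openresty/nginx/conf/owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf"] '
    '[line "20"] [id "973300"] [msg "Possible XSS Attack Detected - HTML Tag Handler"] '
    '[severity "CRITICAL"] [tag "OWASP_CRS/WEB_ATTACK/XSS"] [hostname "www.test.net"] [uri "/phpinfo.php"] '
    '[unique_id "EXAMPLE-ID-2"], client: 192.168.1.5, server: test.net, '
    'request: "GET /phpinfo.php?search=... HTTP/1.1", host: "www.test.net"',
    '2015/06/10 11:06:30 [error] 25083#0: *9 open() "/web/wordpress/favicon.ico" failed (2: No such file or directory)',
]


def parse_denial(line):
    """Return a dict describing a blocked request, or None if the line is not a ModSecurity denial."""
    m = DENIED_RE.search(line)
    if not m:
        return None
    fields = {}
    tags = []
    for key, value in TAG_RE.findall(line):
        if key == "tag":
            tags.append(value)  # a rule may carry several [tag "..."] entries
        else:
            fields[key] = value
    client = CLIENT_RE.search(line)
    return {
        "status": int(m.group(1)),
        "phase": int(m.group(2)),
        "client": client.group(1) if client else None,
        "rule_id": fields.get("id"),
        "msg": fields.get("msg"),
        "uri": fields.get("uri"),
        "data": fields.get("data"),
        "file": fields.get("file"),
        "tags": tags,
    }


def summarize(lines):
    """Parse every denial and count hits per (rule id, message).

    A rule that keeps firing on ordinary requests is the first candidate for tuning.
    """
    hits = [d for d in map(parse_denial, lines) if d is not None]
    per_rule = Counter((d["rule_id"], d["msg"]) for d in hits)
    return hits, per_rule


if __name__ == "__main__":
    # Usage: python modsec_triage.py /path/to/nginx/error.log  (hypothetical script name)
    if len(sys.argv) > 1:
        with open(sys.argv[1], errors="replace") as f:
            lines = f.read().splitlines()
    else:
        lines = SAMPLE_LINES
    hits, per_rule = summarize(lines)
    for d in hits:
        print("%s %s -> %d by rule %s (%s) %s" % (
            d["client"], d["uri"], d["status"], d["rule_id"], d["msg"], d["data"] or ""))
    print()
    for (rule_id, msg), n in per_rule.most_common():
        print("%5d  %s  %s" % (n, rule_id, msg))
```

With no argument it runs over the embedded sample lines; point it at the real error log of the OpenResty instance to see which CRS rules are producing the 403s observed in the browser test.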