Using nginx with ModSecurity to build a WAF

Published: 2024-05-04

1. Preparation

System: CentOS 6.5 64-bit, ngx_openresty-1.7.10.1, ModSecurity 2.9.0
openresty: http://openresty.org/download/ngx_openresty-1.7.10.1.tar.gz
ModSecurity for nginx: https://www.modsecurity.org/tarball/2.9.0/modsecurity-2.9.0.tar.gz
OWASP rule set: https://github.com/spiderlabs/owasp-modsecurity-crs

Dependencies:

Packages ModSecurity depends on: pcre, httpd-devel, libxml2, apr

    yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel

Packages openresty depends on: pcre, zlib, openssl

    yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel

2. Enable the standalone module and compile

Download ModSecurity for nginx, unpack it, enter the unpacked directory and run:

    ./autogen.sh
    ./configure --enable-standalone-module --disable-mlogc
    make

3. Add the ModSecurity module to openresty

Once the standalone module has been built, the ModSecurity module can be added when compiling openresty via "--add-module":

    ./configure --prefix=/opt/openresty --with-pcre-jit --with-ipv6 --without-http_redis2_module --with-http_iconv_module -j2 --add-module=../modsecurity-2.9.0/nginx/modsecurity/
    make && make install

4. Add rules

ModSecurity is geared toward filtering and blocking dangerous web traffic, and its power lies in its rules. The rules provided by OWASP are maintained by community volunteers and are known as the Core Rule Set (CRS); they are reliable and strong. Of course, you can also write custom rules to meet your own needs.

1) Download the OWASP rules:

    git clone https://github.com/spiderlabs/owasp-modsecurity-crs
    mv owasp-modsecurity-crs /opt/openresty/nginx/conf/
    cd /opt/openresty/nginx/conf/owasp-modsecurity-crs/ && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf

2) Enable the OWASP rules:

Copy modsecurity.conf-recommended and unicode.mapping from the ModSecurity source directory into nginx's conf directory, renaming modsecurity.conf-recommended to modsecurity.conf.

    mv modsecurity.conf-recommended /opt/openresty/nginx/conf/modsecurity.conf
    cp unicode.mapping /opt/openresty/nginx/conf/

Edit the modsecurity.conf file and set SecRuleEngine to On (the recommended file ships with it set to DetectionOnly, which only logs and does not block):

    sed -i 's/^SecRuleEngine.*/SecRuleEngine On/' /opt/openresty/nginx/conf/modsecurity.conf

owasp-modsecurity-crs contains several folders of rule files, for example base_rules, experimental_rules, optional_rules and slr_rules; enable the rules inside them as needed.
A rule file is enabled simply by Including it from modsecurity.conf:

    Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
    Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
    Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
    Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
    Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
    Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
    Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf

5. Configure nginx

Add the following two lines inside the location block of every host where ModSecurity should be enabled (nginx directive names are case-sensitive):

    ModSecurityEnabled on;
    ModSecurityConfig modsecurity.conf;

Below are a few example configurations. A PHP virtual host:

    server {
        listen 80;
        server_name test.net www.test.net;
        location ~ \.php$ {
            ModSecurityEnabled on;
            ModSecurityConfig modsecurity.conf;
            root /web/wordpress;
            index index.php index.html index.htm;
            fastcgi_pass 127.0.0.1:9000;
            fastcgi_index index.php;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            include fastcgi_params;
        }
    }

Upstream load balancing:

    upstream online {
        server 192.168.1.100:8080;
        server 192.168.1.101:8080 backup;
    }
    server {
        listen 80;
        server_name test.net www.test.net;
        location / {
            ModSecurityEnabled on;
            ModSecurityConfig modsecurity.conf;
            proxy_pass http://online;
            proxy_redirect off;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }
    }

Wildcard domains, reverse-proxy mode:

    upstream real_webserver {
        server 192.168.0.12;
        server 192.168.0.13;
    }
    server {
        listen 80;
        server_name _;
        location / {
            ModSecurityEnabled on;
            ModSecurityConfig modsecurity.conf;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_pass http://real_webserver;
        }
    }

6. Testing

We enabled the XSS and SQL injection filters, so abnormal requests are answered with a 403 directly. Taking a PHP environment as an example, create a phpinfo.php with the content:

    <?php phpinfo(); ?>

Then open the following in a browser:

http://www.52os.net/phpinfo.php?id=1 displays normally.
http://www.52os.net/phpinfo.php?id=1 and 1=1 returns 403.
http://www.52os.net/phpinfo.php?search=&
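When a request is blocked as in the test above, ModSecurity 2.x writes the verdict into nginx's error.log as free text followed by bracketed [key "value"] fields. The following script is an added example (not part of the original article) that parses those lines and reports which CRS rule, rule file and client produced each 403, so you can confirm the blocks came from the rules you included; the log lines are constructed samples, and the rule ids, hostnames and addresses in them are illustrative.

```python
import re
from collections import Counter

# ModSecurity 2.x appends fields such as [id "..."] [msg "..."] [uri "..."]
# to its error-log message; these patterns pick the parts we need apart.
FIELD_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')
CODE_RE = re.compile(r"Access denied with code (\d+)")
CLIENT_RE = re.compile(r"client: ([0-9a-fA-F.:]+)")

# Constructed sample log (not real traffic): two SQLi blocks, one XSS block,
# one non-blocking "Warning." match and one unrelated nginx error line.
SAMPLE_LOG = r'''
2024/05/04 10:00:01 [error] 1234#0: *1 ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?i:and 1=1)" at ARGS:id. [file "/opt/openresty/nginx/conf/owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "77"] [id "981245"] [msg "Detects basic SQL authentication bypass attempts 2/3"] [severity "CRITICAL"] [hostname "www.test.net"] [uri "/phpinfo.php"] [unique_id "SAMPLE0001"], client: 192.0.2.10, server: test.net, request: "GET /phpinfo.php?id=1%20and%201=1 HTTP/1.1", host: "www.test.net"
2024/05/04 10:00:02 [error] 1234#0: *2 ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?i:<script)" at ARGS:search. [file "/opt/openresty/nginx/conf/owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf"] [line "21"] [id "973335"] [msg "IE XSS Filters - Attack Detected"] [severity "CRITICAL"] [hostname "www.test.net"] [uri "/phpinfo.php"] [unique_id "SAMPLE0002"], client: 192.0.2.10, server: test.net, request: "GET /phpinfo.php?search=%3Cscript%3E HTTP/1.1", host: "www.test.net"
2024/05/04 10:00:03 [error] 1234#0: *3 ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?i:and 1=1)" at ARGS:id. [file "/opt/openresty/nginx/conf/owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "77"] [id "981245"] [msg "Detects basic SQL authentication bypass attempts 2/3"] [severity "CRITICAL"] [hostname "www.test.net"] [uri "/index.php"] [unique_id "SAMPLE0003"], client: 192.0.2.11, server: test.net, request: "GET /index.php?id=2%20and%201=1 HTTP/1.1", host: "www.test.net"
2024/05/04 10:00:04 [error] 1234#0: *4 ModSecurity: Warning. Pattern match "(?i:<script)" at ARGS:q. [file "/opt/openresty/nginx/conf/owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf"] [line "21"] [id "973335"] [msg "IE XSS Filters - Attack Detected"] [severity "CRITICAL"] [hostname "www.test.net"] [uri "/search"] [unique_id "SAMPLE0004"], client: 192.0.2.12, server: test.net, request: "GET /search?q=%3Cscript%3E HTTP/1.1", host: "www.test.net"
2024/05/04 10:00:05 [error] 1234#0: *5 open() "/web/wordpress/favicon.ico" failed (2: No such file or directory), client: 192.0.2.12, server: test.net, request: "GET /favicon.ico HTTP/1.1", host: "www.test.net"
'''

def parse_denial(line):
    """Return rule id, CRS file, URI and client for a blocking event, or None
    for "Warning." lines (rule matched, request passed) and unrelated lines."""
    code = CODE_RE.search(line)
    if "ModSecurity:" not in line or not code:
        return None
    fields = dict(FIELD_RE.findall(line))
    client = CLIENT_RE.search(line)
    return {
        "code": int(code.group(1)),
        "id": fields.get("id"),
        "msg": fields.get("msg"),
        "uri": fields.get("uri"),
        "file": fields.get("file", "").rsplit("/", 1)[-1],  # CRS file basename
        "client": client.group(1) if client else None,
    }

def summarise(log_text):
    """Count blocks per (rule id, CRS file) and per client address."""
    events = [e for e in map(parse_denial, log_text.splitlines()) if e]
    by_rule = Counter((e["id"], e["file"]) for e in events)
    by_client = Counter(e["client"] for e in events)
    return events, by_rule, by_client

if __name__ == "__main__":
    events, by_rule, by_client = summarise(SAMPLE_LOG)
    print(f"{len(events)} blocked requests")
    for (rule_id, crs_file), n in by_rule.most_common():
        print(f"  rule {rule_id} ({crs_file}): {n}")
    for client, n in by_client.most_common():
        print(f"  client {client}: {n}")
```

Feeding the real error.log into summarise() after the test requests shows whether the 403s came from modsecurity_crs_41_sql_injection_attacks.conf as expected, and separates them from rules that only logged a warning.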