Using ModSecurity as a WAF for Nginx on CentOS 7

1 Install nginx

yum install nginx -y
yum update nginx
yum info nginx

2 Install the build dependencies

yum install autoconf automake bzip2 flex gcc git httpd-devel libaio-devel libass-devel libjpeg-turbo-devel libpng12-devel libtheora-devel libtool libva-devel libvdpau-devel libvorbis-devel libxml2-devel libxslt-devel perl texi2html unzip zip openssl openssl-devel geoip geoip-devel

yum install -y gcc make automake autoconf libtool
yum install -y pcre pcre-devel libxml2 libxml2-devel curl curl-devel httpd-devel

4 Build the ModSecurity library

git clone https://github.com/SpiderLabs/ModSecurity
cd ModSecurity
git checkout -b v3/master origin/v3/master
sh build.sh
git submodule init
git submodule update
./configure
make && make install

The library is installed to: /usr/local/modsecurity/lib

5 Build ModSecurity-nginx [requires the nginx source]

git clone https://github.com/SpiderLabs/ModSecurity-nginx.git
wget http://nginx.org/download/nginx-1.12.2.tar.gz

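Extract nginx: tar zxvf nginx-1.12.2.tar.gz
Check the nginx build parameters: nginx -V. Below is the output for the nginx from the CentOS 7 repository; copy the arguments that follow "configure arguments" for later use.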

cd nginx-1.12.2 and start the build. Note that add-dynamic-module, like every other option, is preceded by two hyphens.

./configure --prefix=/usr/share/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib64/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --http-client-body-temp-path=/var/lib/nginx/tmp/client_body --http-proxy-temp-path=/var/lib/nginx/tmp/proxy --http-fastcgi-temp-path=/var/lib/nginx/tmp/fastcgi --http-uwsgi-temp-path=/var/lib/nginx/tmp/uwsgi --http-scgi-temp-path=/var/lib/nginx/tmp/scgi --pid-path=/run/nginx.pid --lock-path=/run/lock/subsys/nginx --user=nginx --group=nginx --with-file-aio --with-ipv6 --with-http_auth_request_module --with-http_ssl_module --with-http_v2_module --with-http_realip_module --with-http_addition_module --with-http_xslt_module=dynamic --with-http_image_filter_module=dynamic --with-http_geoip_module=dynamic --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_random_index_module --with-http_secure_link_module --with-http_degradation_module --with-http_slice_module --with-http_stub_status_module --with-http_perl_module=dynamic --with-mail=dynamic --with-mail_ssl_module --with-pcre --with-pcre-jit --with-stream=dynamic --with-stream_ssl_module --with-google_perftools_module --with-debug --with-cc-opt='-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -m64 -mtune=generic' --with-ld-opt='-Wl,-z,relro -specs=/usr/lib/rpm/redhat/redhat-hardened-ld -Wl,-E' --add-dynamic-module=../ModSecurity-nginx

make modules
The compiled .so file is at: ./objs/ngx_http_modsecurity_module.so

6 Download the default configuration files

  • Download the ModSecurity configuration file:
mkdir modsec
cd modsec
wget https://raw.githubusercontent.com/SpiderLabs/ModSecurity/v3/master/modsecurity.conf-recommended
mv modsecurity.conf-recommended /etc/nginx/modsecurity.conf

Open this file and enable the WAF by changing
SecRuleEngine DetectionOnly to SecRuleEngine On
  • Configure the WAF core rules:
git clone https://github.com/SpiderLabs/owasp-modsecurity-crs.git
cd owasp-modsecurity-crs/
cp -R rules/ /etc/nginx/
cp crs-setup.conf.example /etc/nginx/crs-setup.conf

Enable these rules:
vim /etc/nginx/modsecurity.conf

Add the following lines:
# Load the rule setup file
Include crs-setup.conf
# Load all rules
Include rules/*.conf
# How to disable a specific rule
#SecRuleRemoveById 911250
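  • Configure nginx to load the .so module
Copy the module
cp ./nginx-1.12.2/objs/ngx_http_modsecurity_module.so /usr/share/nginx/modules/
Edit the configuration file
vim /etc/nginx/nginx.conf
Add the following line
load_module /usr/share/nginx/modules/ngx_http_modsecurity_module.so;
Edit the host definition, or the virtual host definition file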
load_module /usr/share/nginx/modules/ngx_http_modsecurity_module.so;
http {
    server {
        # Enable for the whole server
        modsecurity on;
        modsecurity_rules_file /etc/nginx/modsecurity.conf;
        location / {
            # To enable for a single application only, edit here
        }
    }
}
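
A pre-restart check for the files edited in step 6, added here as an example (it is not part of the original post or of ModSecurity). The function name check_modsec_conf and the script name check.sh are made up for this example, and it assumes that relative Include paths resolve against the directory of modsecurity.conf.

```shell
#!/bin/sh
# check_modsec_conf DIR: sanity-check the files edited in step 6 before
# restarting nginx. Prints one line per finding; returns 1 if any were found.
check_modsec_conf() {
    dir=$1; conf="$dir/modsecurity.conf"; bad=0

    # Engine mode: take the last uncommented SecRuleEngine line.
    mode=$(awk '$1 == "SecRuleEngine" { m = $2 } END { print m }' "$conf")
    if [ "$mode" != "On" ]; then
        echo "engine: SecRuleEngine is '${mode:-unset}', not On (nothing is blocked)"
        bad=1
    fi

    # Each Include pattern must match at least one readable file.
    # Assumption: relative paths resolve against the directory of modsecurity.conf.
    includes=$(awk '$1 == "Include" { print $2 }' "$conf")
    set -f                                  # keep globs literal while splitting
    for pat in $includes; do
        set +f
        case $pat in /*) ;; *) pat="$dir/$pat" ;; esac
        hit=0
        for f in $pat; do                   # the glob expands here
            if [ -r "$f" ]; then hit=1; fi
        done
        if [ "$hit" -eq 0 ]; then
            echo "include: nothing readable matches $pat"
            bad=1
        fi
    done
    set +f

    # load_module must name the ModSecurity .so and end with a semicolon.
    if ! grep -Eq '^[[:space:]]*load_module[[:space:]]+[^;#]*ngx_http_modsecurity_module\.so[[:space:]]*;' "$dir/nginx.conf"; then
        echo "nginx: no complete 'load_module ...ngx_http_modsecurity_module.so;' line"
        bad=1
    fi
    return "$bad"
}

# Usage on the layout from this page: sh check.sh /etc/nginx
if [ "$#" -gt 0 ]; then check_modsec_conf "$1"; fi
```

Running nginx -t afterwards remains the authoritative syntax check; this script only catches the three mistakes that are easy to make while following the steps above.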

7 Restart nginx

service nginx restart

tailf /var/log/modsec_audit.log
