nginx+lua实现waf配置

安装luajit

sudo wget -P /usr/local/src http://luajit.org/download/LuaJIT-2.0.5.tar.gz

tar xf /usr/local/src/LuaJIT-2.0.5.tar.gz -C /usr/local/src

sed -i 's@/usr/local/@/usr/local/luajit@' /usr/local/src/LuaJIT-2.0.5/Makefile

cd /usr/local/src/LuaJIT-2.0.5

sudo make && sudo make install

下载lua-nginx-moudle模块

sudo wget -P /usr/local/src https://github.com/openresty/lua-nginx-module/archive/v0.10.13.tar.gz

sudo git clone https://github.com/oneinstack/ngx_lua_waf.git

# 设置lua的环境变量
export LUAJIT_LIB=/usr/local/luajit/lib
export LUAJIT_INC=/usr/local/luajit/include/luajit-2.0
export LD_LIBRARY_PATH=/usr/local/luajit/lib/:$LD_LIBRARY_PATH

编译nginx

sudo ./configure --prefix=/usr/local/nginx --enable-mods-shared=all --user=nginx --group=nginx --with-select_module --with-http_v2_module --with-http_realip_module --with-http_addition_module --with-http_xslt_module --with-http_dav_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_auth_request_module --with-http_degradation_module --with-google_perftools_module --with-libatomic --with-jemalloc --with-pcre=/usr/local/src/pcre-8.38 --add-module=/usr/local/src/ngx_http_geoip2_module --add-module=/usr/local/src/ngx_cache_purge --add-module=/usr/local/src/lua-nginx-module-0.10.13 --with-ld-opt=-Wl,-rpath,/usr/local/luajit/lib

在nginx的http段中添加

http {
  ....
  #lua_waf
    lua_package_path "/usr/local/src/ngx_lua_waf/?.lua";
    lua_shared_dict limit 10m;
    init_by_lua_file /usr/local/src/ngx_lua_waf/init.lua;
    access_by_lua_file /usr/local/src/ngx_lua_waf/waf.lua;
  ....
}

修改config.lua

...
RulePath = "/usr/local/src/ngx_lua_waf/wafconf/"  #文件存放位置
attacklog = "on"
logdir = "/usr/local/nginx/logs/hack/"
UrlDeny="on"
Redirect="on"
CookieMatch="on"
postMatch="on"
whiteModule="on"
black_fileExt={"php","jsp"}
ipWhitelist={"113.61.47.184"}
ipBlocklist={"1.0.0.1"}
CCDeny="on"
CCrate="100/60"
...

配置文件说明

RulePath = "/usr/local/nginx/conf/waf/wafconf/"    --规则存放目录
attacklog = "off"                                  --是否开启攻击信息记录，需要配置logdir
logdir ="/usr/local/nginx/logs/hack/"              --log存储目录，该目录需要用户自己新建，需要nginx用户的可写权限
UrlDeny="on"                                       --是否拦截url访问
Redirect="on"                                      --是否拦截后重定向
CookieMatch = "on"                                 --是否拦截cookie攻击
postMatch = "on"                                   --是否拦截post攻击
whiteModule = "on"                                 --是否开启URL白名单
black_fileExt={"php","jsp"}                        --填写不允许上传文件后缀类型
ipWhitelist={"127.0.0.1"}                          --ip白名单，多个ip用逗号分隔
ipBlocklist={"1.0.0.1"}                            --ip黑名单，多个ip用逗号分隔
CCDeny="on"                                        --是否开启拦截cc攻击(需要nginx.conf的http段增加lua_shared_dict limit 10m;)
CCrate ="20/60"                                    --设置cc攻击频率，单位为秒. 默认1分钟同一个IP只能请求同一个地址100次
html=[[Please go away~~]]                          --警告内容,可在中括号内自定义