nginx+waf(应用防火墙)的实战操作

背景

　　为了增强web服务器的安全性，减轻服务器的压力，给服务器增加一道安全屏障，减少服务器受到"不必要"的攻击。

需求

　　因为原有的服务器使用nginx做web服务器(至于为什么使用nginx？以及nginx的优势在哪里？我在这里就不过多的赘述了。想了解的自行学习相关知识),所以要想给服务器增加一道安全屏障，想通过nginx的模块扩展性，使用lua来做这道墙。毕竟openresty可以说是lua版的么！相比较起来，实现更快，性能更好，主要是有openresty做参考(别人能实现的我也能实现。哼...)。

技术实现

• 环境所需要的依赖软件

1. luajit2-2.1-20201027.tar.gz
2. lua-nginx-module-0.10.19.tar.gz
3. lua-resty-core-0.1.21.tar.gz
4. lua-resty-lrucache-0.10.tar.gz
5. nginx-1.16.1.tar.gz
6. ngx_lua_waf-0.7.2.tar.gz
7. ngx_devel_kit-0.3.1.tar.gz

• 实操过程

　　　首先将所有的压缩包解压.tar -zxvf filename.tar.gz

　　　luajit的安装

[root@cluste-black-node1 opt]# cd luajit2-2.1-20201027/
[root@cluste-black-node1 luajit2-2.1-20201027]# ls
COPYRIGHT  doc  dynasm  etc  Makefile  README  README.md  src  t
[root@cluste-black-node1 luajit2-2.1-20201027]# make install PREFIX=/usr/local/LuaJIT

　　　　提示如下即表示成功：

==== Installing LuaJIT 2.1.0-beta3 to /usr/local/LuaJIT ====
mkdir -p /usr/local/LuaJIT/bin /usr/local/LuaJIT/lib /usr/local/LuaJIT/include/luajit-2.1 /usr/local/LuaJIT/share/man/man1 /usr/local/LuaJIT/lib/pkgconfig /usr/local/LuaJIT/share/luajit-2.1.0-beta3/jit /usr/local/LuaJIT/share/lua/5.1 /usr/local/LuaJIT/lib/lua/5.1
cd src && install -m 0755 luajit /usr/local/LuaJIT/bin/luajit-2.1.0-beta3
cd src && test -f libluajit.a && install -m 0644 libluajit.a /usr/local/LuaJIT/lib/libluajit-5.1.a || :
rm -f /usr/local/LuaJIT/lib/libluajit-5.1.so.2.1.0 /usr/local/LuaJIT/lib/libluajit-5.1.so /usr/local/LuaJIT/lib/libluajit-5.1.so.2
cd src && test -f libluajit.so && 
  install -m 0755 libluajit.so /usr/local/LuaJIT/lib/libluajit-5.1.so.2.1.0 && 
  ( ldconfig -n 2>/dev/null /usr/local/LuaJIT/lib || : ) && 
  ln -sf libluajit-5.1.so.2.1.0 /usr/local/LuaJIT/lib/libluajit-5.1.so && 
  ln -sf libluajit-5.1.so.2.1.0 /usr/local/LuaJIT/lib/libluajit-5.1.so.2 || :
cd etc && install -m 0644 luajit.1 /usr/local/LuaJIT/share/man/man1
cd etc && sed -e "s|^prefix=.*|prefix=/usr/local/LuaJIT|" -e "s|^multilib=.*|multilib=lib|" luajit.pc > luajit.pc.tmp && 
  install -m 0644 luajit.pc.tmp /usr/local/LuaJIT/lib/pkgconfig/luajit.pc && 
  rm -f luajit.pc.tmp
cd src && install -m 0644 lua.h lualib.h lauxlib.h luaconf.h lua.hpp luajit.h /usr/local/LuaJIT/include/luajit-2.1
cd src/jit && install -m 0644 bc.lua bcsave.lua dump.lua p.lua v.lua zone.lua dis_x86.lua dis_x64.lua dis_arm.lua dis_arm64.lua dis_arm64be.lua dis_ppc.lua dis_mips.lua dis_mipsel.lua dis_mips64.lua dis_mips64el.lua vmdef.lua /usr/local/LuaJIT/share/luajit-2.1.0-beta3/jit
ln -sf luajit-2.1.0-beta3 /usr/local/LuaJIT/bin/luajit
==== Successfully installed LuaJIT 2.1.0-beta3 to /usr/local/LuaJIT ====

　　　　lua_resty_core的安装

[root@cluste-black-node1 opt]# cd lua-resty-core-0.1.21/
[root@cluste-black-node1 lua-resty-core-0.1.21]# ls
dist.ini  lib  Makefile  README.markdown  t  valgrind.suppress
[root@cluste-black-node1 lua-resty-core-0.1.21]# make install PREFIX=/usr/local/LuaLIB
install -d /usr/local/LuaLIB/lib/lua//resty/core/
install -d /usr/local/LuaLIB/lib/lua//ngx/
install -d /usr/local/LuaLIB/lib/lua//ngx/ssl
install lib/resty/*.lua /usr/local/LuaLIB/lib/lua//resty/
install lib/resty/core/*.lua /usr/local/LuaLIB/lib/lua//resty/core/
install lib/ngx/*.lua /usr/local/LuaLIB/lib/lua//ngx/
install lib/ngx/ssl/*.lua /usr/local/LuaLIB/lib/lua//ngx/ssl/

　　　　lua_resty_lrucache的安装

[root@cluste-black-node1 opt]# cd lua-resty-lrucache-0.10/
[root@cluste-black-node1 lua-resty-lrucache-0.10]# ls
dist.ini  lib  Makefile  README.markdown  t  valgrind.suppress
[root@cluste-black-node1 lua-resty-lrucache-0.10]# make install PREFIX=/usr/local/LuaLIB
install -d //usr/local/LuaLIB/lib/lua//resty/lrucache
install lib/resty/*.lua //usr/local/LuaLIB/lib/lua//resty/
install lib/resty/lrucache/*.lua //usr/local/LuaLIB/lib/lua//resty/lrucache/

　　　　注意：lua_nginx_module的编译需要改动文件。

[root@cluste-black-node1 opt]# cd lua-nginx-module-0.10.19/
[root@cluste-black-node1 lua-nginx-module-0.10.19]# ls
config  doc  dtrace  misc  README.markdown  src  t  tapset  util  valgrind.suppress

　　　　添加环境变量如下：

[root@cluste-black-node1 lua-nginx-module-0.10.19]# vim config 

  1 LUAJIT_INC=/usr/local/LuaJIT/include/luajit-2.1
  2 LUAJIT_LIB=/usr/local/LuaJIT/lib
  3 
  4 ngx_lua_opt_I=
  5 ngx_lua_opt_L=
  6 luajit_ld_opt=
  7 
  8 ngx_feature_name=
  9 ngx_feature_run=no
 10 ngx_feature_incs=
 11 ngx_feature_test=
 12 
 13 if [ -n "$LUAJIT_INC" -o -n "$LUAJIT_LIB" ]; then
 14     # explicitly set LuaJIT paths

　　　　编译nginx。增加模块编译，相应编译参数如下：

./configure --with-debug --with-http_realip_module --with-stream_realip_module --prefix=/usr/local/nginx --with-ld-opt="-Wl,-rpath,/usr/local/LuaJIT/lib" --add-module=/opt/ngx_devel_kit-0.3.1 --add-module=/opt/lua-nginx-module-0.10.19

　　　　编译通过以后生成Makefile执行make&& make install

　　　　然后将解压后的waf模块存放在nginx安装路径下的conf目录下。

　　　　修改waf文件夹下config.lua文件中的RulePath路径和logdir路径，保存退出。

[root@cluste-black-node1 conf]# vim waf/config.lua 

  1 RulePath = "/usr/local/nginx/conf/waf/wafconf/"
  2 attacklog = "on"
  3 logdir = "/usr/local/nginx/logs/hack/"

　　　　修改nginx的配置文件在http块添加lua的路径配置

lua_package_path "/usr/local/nginx/conf/waf/?.lua;/usr/local/LuaLIB/lib/lua/?.lua;;";
lua_shared_dict limit 10m;
init_by_lua_file /usr/local/nginxk/conf/waf/init.lua;
access_by_lua_file /usr/local/nginx/conf/waf/waf.lua;

　　　　修改nginx的配置文件在server块添加/lua访问资源

location /lua {
            default_type 'text/html';
            content_by_lua 'ngx.say("Hi Lua")';
}

　　　　通过curl访问即可访问到Hi Lua字符串。

curl http://ip+port/Lua

　　　　通过curl访问非法的资源输出waf设定的字符串，说明应用防火墙生效。

curl http://ip+port/Lua?id=/etc/passwd

• 问题解决

 　　　　在下载Luajit的时候下载了很早之前的版本，导致环境搭建失败。切记LuaJIT下载时时openresty开源代码中的LuaJIT.

　　　　lua_nginx_module两个环境变量的设置，通过export设置好像没生效导致出现下面的情况

checking for LuaJIT 2.x ... not found
    ./configure: error: unsupported LuaJIT version; ngx_http_lua_module requires LuaJIT 2.x.

f-stack平台同理可以编译通过并且waf应用防火墙生效。只不过在编译nginx的时候需要修改生成的objs目录下的Makefile.将其中的Werror删除即可

 f-stack平台报错如下：

/opt/lua-nginx-module-0.10.19/src/ngx_http_lua_socket_udp.c: In function ‘ngx_http_lua_udp_connect’:
/opt/lua-nginx-module-0.10.19/src/ngx_http_lua_socket_udp.c:1435:9: error: the address of ‘ngx_add_event’ will always evaluate as ‘true’ [-Werror=address]
     if (ngx_add_event) {
         ^
cc1: all warnings being treated as errors
make[1]: *** [objs/addon/src/ngx_http_lua_socket_udp.o] Error 1
make[1]: Leaving directory `/opt/f-stack/app/nginx-1.16.1'
make: *** [build] Error 2

　　dpdk在虚拟机的环境下可能会出现问题，出现网卡不支持的问题。