OpenResty + Lua: building and testing WAF functionality


    OpenResty (also known as ngx_openresty) is a web application server built on the Nginx core. It is a high-performance web platform based on Nginx and Lua: by bundling a collection of well-designed Nginx modules, OpenResty effectively turns Nginx into a powerful general-purpose web application platform.

    OpenResty also supports open-source WAF components. Combining Nginx with Lua simplifies the configuration of attack defenses and lets OpenResty fend off CC (HTTP flood) attacks.

    # 1. Install the build dependencies

    yum -y install gcc make pcre pcre-devel zlib zlib-devel openssl-devel

     

    # 2. Download and extract OpenResty

    cd /usr/local/src

    wget https://openresty.org/download/openresty-1.19.9.1.tar.gz

    tar zxf openresty-1.19.9.1.tar.gz

     

    # 3. Build and install (run inside the extracted source tree)

    cd openresty-1.19.9.1

    ./configure --prefix=/root/openresty/application --with-http_stub_status_module --with-file-aio --with-threads --with-stream

    make -j 5      # or: gmake -j 5

    make install   # or: gmake install

     

    # 4. Deploy the WAF written in Lua

    # git clone https://github.com/unixhot/waf.git

    # cp -r ./waf/waf /root/openresty/application/nginx/conf/

    # vim /root/openresty/application/nginx/conf/nginx.conf

    # Add the following inside http{}. Mind the paths: the upstream example below assumes /usr/local/openresty, so adjust them to the --prefix used in step 3. WAF logs are written to /tmp/<date>_waf.log by default.

    #WAF

    lua_shared_dict limit 50m;

    lua_package_path "/usr/local/openresty/nginx/conf/waf/?.lua";

    init_by_lua_file "/usr/local/openresty/nginx/conf/waf/init.lua";

    access_by_lua_file "/usr/local/openresty/nginx/conf/waf/access.lua";

    # ln -s /usr/local/openresty/lualib/resty/ /usr/local/openresty/nginx/conf/waf/resty

    # /root/openresty/application/nginx/sbin/nginx -t

    # /root/openresty/application/nginx/sbin/nginx -s reload

     

    # 5. Adjust the configuration

    Add the following configuration inside the http block of nginx.conf (the paths now match the --prefix used in step 3):

      # Add the WAF configuration

    # lua_load_resty_core off;

    lua_shared_dict limit 50m;

    lua_package_path "/root/openresty/application/nginx/conf/waf/?.lua";

    init_by_lua_file "/root/openresty/application/nginx/conf/waf/init.lua";

    access_by_lua_file "/root/openresty/application/nginx/conf/waf/access.lua";

     

    ## Problems encountered during startup

    [root@linux-node3 core]# nginx

    nginx: [alert] failed to load the 'resty.core' module (https://github.com/openresty/lua-resty-core); ensure you are using an OpenResty release from https://openresty.org/en/download.html (reason: module 'resty.core' not found:

    no field package.preload['resty.core']

    no file '/root/openresty/application/nginx/conf/waf/resty/core.lua'

    no file '/root/openresty/application/site/lualib/resty/core.so'

    no file '/root/openresty/application/lualib/resty/core.so'

    no file './resty/core.so'

    no file '/usr/local/lib/lua/5.1/resty/core.so'

    no file '/root/openresty/application/luajit/lib/lua/5.1/resty/core.so'

    no file '/usr/local/lib/lua/5.1/loadall.so'

    no file '/root/openresty/application/site/lualib/resty.so'

    no file '/root/openresty/application/lualib/resty.so'

    no file './resty.so'

    no file '/usr/local/lib/lua/5.1/resty.so'

    no file '/root/openresty/application/luajit/lib/lua/5.1/resty.so'

    no file '/usr/local/lib/lua/5.1/loadall.so') in /root/openresty/application/nginx/conf/nginx.conf:134

     

    # Fix: create a symlink so the WAF's lua_package_path can find resty.core (use the variant that matches your install prefix)

    ln -s /usr/local/openresty/lualib/resty/ /usr/local/openresty/nginx/conf/waf/resty

    ln -s /root/openresty/application/lualib/resty/ /root/openresty/application/nginx/conf/waf/resty

     

    ## Problems encountered at startup after adding the Lua directives to the Nginx configuration

    2021/09/01 09:06:12 [error] 59260#59260: *3 failed to load external Lua file "/root/openresty/application/nginx/conf/waf/access.lua": cannot open /root/openresty/application/nginx/conf/waf/access.lua: Permission denied, client: 192.168.56.1, server: localhost, request: "GET /hello HTTP/1.1", host: "192.168.56.7"

     

    2021/09/01 09:11:20 [error] 61312#61312: *1 lua entry thread aborted: runtime error: /root/openresty/application/nginx/conf/waf/init.lua:152: bad argument #1 to 'pairs' (table expected, got nil)

    stack traceback:

    coroutine 0:

    [C]: in function 'pairs'

    /root/openresty/application/nginx/conf/waf/init.lua:152: in function 'user_agent_attack_check'

    /root/openresty/application/nginx/conf/waf/access.lua:6: in function 'waf_main'

    /root/openresty/application/nginx/conf/waf/access.lua:18: in main chunk, client: 192.168.56.1, server: localhost, request: "GET /hello HTTP/1.1", host:

    "192.168.56.7"

     

    # Fix: set the rule-directory parameter in waf/config.lua so init.lua can actually read the rule files

    --rule setting

    config_rule_dir = "/root/openresty/application/nginx/conf/waf/rule-config"
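    As an added illustration (not code from the unixhot WAF), the Lua below sketches how a User-Agent rule check like the one in init.lua reads its rule file from config_rule_dir and tolerates a missing file, so the pairs(nil) runtime error above becomes a logged error instead of an aborted request. The rule file name "user-agent" and the use of ngx only when running inside OpenResty are assumptions.

```lua
-- Added example, not the unixhot WAF's own code: a User-Agent rule check in
-- the style of init.lua, guarded against the failure seen above (pairs() on
-- nil when the rule file under config_rule_dir cannot be read).
-- Assumed: config_rule_dir holds a file "user-agent" with one regex per line.

config_rule_dir = "/root/openresty/application/nginx/conf/waf/rule-config"

-- Read one rule file. Returns an empty table (never nil) when the file is
-- missing, so later pairs() calls cannot abort the access phase.
local function read_rule(name)
    local path = config_rule_dir .. "/" .. name
    local f, err = io.open(path, "r")
    if not f then
        local msg = "WAF rule file not readable: " .. path .. " (" .. tostring(err) .. ")"
        if ngx then ngx.log(ngx.ERR, msg) else print(msg) end
        return {}
    end
    local rules = {}
    for line in f:lines() do
        if line ~= "" and not line:match("^%s*#") then
            rules[#rules + 1] = line
        end
    end
    f:close()
    return rules
end

-- Case-insensitive regex match via ngx.re.find inside OpenResty; with stock
-- Lua (no ngx global) fall back to a plain case-insensitive substring test.
local function matches(ua, pattern)
    if ngx then
        return ngx.re.find(ua, pattern, "isjo") ~= nil
    end
    return string.find(string.lower(ua), string.lower(pattern), 1, true) ~= nil
end

local ua_rules = read_rule("user-agent")

-- Returns the rule that matched, or nil when the User-Agent is allowed.
function user_agent_attack_check(ua)
    if not ua then return nil end
    for _, rule in pairs(ua_rules) do
        if matches(ua, rule) then return rule end
    end
    return nil
end

-- In access.lua the result decides the response, for example:
-- if user_agent_attack_check(ngx.var.http_user_agent) then ngx.exit(403) end
```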

     

    # 6. Test results

    [root@linux-node3 logs]# curl http://192.168.56.7/hello

    This is a test html!!!

    [root@linux-node3 logs]# curl http://192.168.56.7/hello -A 'sqlmap' # test the URL with a User-Agent imitating sqlmap

    <html>

    <head>

    <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />

    <meta http-equiv="Content-Language" content="zh-cn" />

    <title>OpsAny|Web应用防火墙</title>

    </head>

    <body>

    <h1 align="center"> 欢迎白帽子进行授权安全测试,安全漏洞请联系QQ:57459267

    </body>

    </html>

     

    Acknowledgements: https://www.unixhot.com/ 赵班长

Original source: https://www.cnblogs.com/mengxp/p/15215354.html