• nginx使用lua waf防火墙来做防CC配置


    nginx添加lua模块

    启动和安装nginx

    # Lab shortcut: install the distro nginx and enable it at boot.  The binary is
    # rebuilt with the Lua modules further down this page; the rpm is only here so
    # the service unit, user, paths and default nginx.conf come for free.
    yum install -y nginx
    systemctl daemon-reload
    systemctl enable nginx
    
    注意:出现报错
    [root@wh02 ~]# useradd  nginx -M -s /sbin/nologin
    useradd: cannot open /etc/shadow
    表示 /etc/shadow 曾被加了不可变属性锁定(chattr +i,常见的加固手段)。用 `lsattr /etc/shadow` 确认,`chattr -i /etc/shadow` 解锁后再创建用户,创建完成后记得 `chattr +i /etc/shadow` 重新锁回去,不要解锁后就忘了。
    
    #添加nginx系统启动:
    vim /usr/lib/systemd/system/nginx.service 
    添加以下内容(注意:yum 安装的 nginx 已经自带这个 unit 文件,而且它属于 rpm 包,下次 `yum update nginx` 会被覆盖;如果确实要改,建议用 `systemctl edit nginx` 生成 drop-in 覆盖片段,而不是直接改 /usr/lib 下的文件):
    #----------------------------------------------------------
    [Unit]
    # NOTE: the yum package already ships this unit and owns the file; a hand-edited copy
    # under /usr/lib/systemd/system is replaced on the next package update.  Prefer a
    # drop-in created with `systemctl edit nginx`.
    Description=nginx - high performance web server
    Documentation=http://nginx.org/en/docs/
    After=network.target remote-fs.target nss-lookup.target
    
    [Service]
    Type=forking
    PIDFile=/run/nginx.pid
    # Validate the configuration before (re)starting, so a broken Lua/WAF edit fails here
    # instead of leaving the service down after the old master has exited.
    ExecStartPre=/usr/sbin/nginx -t -c /etc/nginx/nginx.conf
    ExecStart=/usr/sbin/nginx -c /etc/nginx/nginx.conf
    ExecReload=/bin/kill -s HUP $MAINPID
    ExecStop=/bin/kill -s QUIT $MAINPID
    PrivateTmp=true
    # NOTE(review): before adding hardening such as ProtectSystem=full (read-only /etc),
    # move the WAF attack log configured later on this page out of /etc/nginx/logs/hack/
    # (e.g. under /var/log/nginx/) — otherwise the worker can no longer write it.
    
    [Install]
    WantedBy=multi-user.target
    #----------------------------------------------------------
    
    #启动 nginx
    [root@wh02 ~]# systemctl daemon-reload
    [root@wh02 ~]# systemctl start nginx
    
    #查看状态
    [root@wh02 ~]# systemctl status nginx
    
    #停止
    [root@wh02 ~]# systemctl stop nginx
    
    #获取默认编译参数,用于后面添加 lua模块
    [root@wh02 ~]# nginx -V
    nginx version: nginx/1.16.1
    built by gcc 4.8.5 20150623 (Red Hat 4.8.5-39) (GCC) 
    built with OpenSSL 1.0.2k-fips  26 Jan 2017
    TLS SNI support enabled
    configure arguments: --prefix=/usr/share/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib64/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --http-client-body-temp-path=/var/lib/nginx/tmp/client_body --http-proxy-temp-path=/var/lib/nginx/tmp/proxy --http-fastcgi-temp-path=/var/lib/nginx/tmp/fastcgi --http-uwsgi-temp-path=/var/lib/nginx/tmp/uwsgi --http-scgi-temp-path=/var/lib/nginx/tmp/scgi --pid-path=/run/nginx.pid --lock-path=/run/lock/subsys/nginx --user=nginx --group=nginx --with-file-aio --with-ipv6 --with-http_ssl_module --with-http_v2_module --with-http_realip_module --with-stream_ssl_preread_module --with-http_addition_module --with-http_xslt_module=dynamic --with-http_image_filter_module=dynamic --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_random_index_module --with-http_secure_link_module --with-http_degradation_module --with-http_slice_module --with-http_stub_status_module --with-http_perl_module=dynamic --with-http_auth_request_module --with-mail=dynamic --with-mail_ssl_module --with-pcre --with-pcre-jit --with-stream=dynamic --with-stream_ssl_module --with-google_perftools_module --with-debug --with-cc-opt='-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -m64 -mtune=generic' --with-ld-opt='-Wl,-z,relro -specs=/usr/lib/rpm/redhat/redhat-hardened-ld -Wl,-E'
    

    编译安装lua模块

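    # Persist the LuaJIT location for future shells.  Two fixes versus the original:
    #  - the paths now match where LuaJIT is actually installed below
    #    (`make install PREFIX=/usr/local/luajit`);
    #  - the original value had a trailing space after "luajit-2.0 ", which became part of
    #    the include path and made configure unable to find luajit.h.
    # A profile.d snippet is used instead of appending to /etc/profile.  Note this does NOT
    # affect the current session: the same two variables must also be exported in the shell
    # that later runs ./configure.
    echo 'export LUAJIT_LIB=/usr/local/luajit/lib' > /etc/profile.d/luajit.sh
    echo 'export LUAJIT_INC=/usr/local/luajit/include/luajit-2.0' >> /etc/profile.d/luajit.sh
    . /etc/profile.d/luajit.sh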
    
    
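    #ngx_devle_kit下载解压
    # First attempt at fetching the two modules into /leilei.  The versions actually compiled
    # in further down are ngx_devel_kit 0.3.0 and lua-nginx-module 0.10.11 taken from
    # /server/tools/leilei, so prefer the "下载扩展模块" section and skip this one.
    mkdir -p /leilei
    cd /leilei || exit 1
    # ngx_devel_kit is hosted under vision5/ (the old simpl/ URL redirects there); pinned to a release tag
    wget https://github.com/vision5/ngx_devel_kit/archive/v0.3.0.tar.gz
    tar -xf v0.3.0.tar.gz
    
    #lua-nginx-module模块下载解压
    wget https://github.com/openresty/lua-nginx-module/archive/v0.10.8.tar.gz
    tar xf v0.10.8.tar.gz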
    
    
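    #安装luajit
    # Build LuaJIT into its own prefix — the same one the /etc/profile exports and the later
    # steps use.  The original installed into /usr/local here and into /usr/local/luajit a
    # few lines later, leaving two copies and LUAJIT_* paths that pointed at neither
    # consistently.  (ngx_lua upstream recommends its own LuaJIT 2.1 branch, openresty/luajit2,
    # over 2.0.x; 2.0.5 is kept here to match the rest of the page.)
    wget https://luajit.org/download/LuaJIT-2.0.5.tar.gz
    # compare the archive with the checksum published on the luajit.org download page before unpacking
    tar zxf LuaJIT-2.0.5.tar.gz
    cd LuaJIT-2.0.5 || exit 1
    make PREFIX=/usr/local/luajit
    make install PREFIX=/usr/local/luajit
    # /usr/local/luajit/lib is not on the default loader path: register it, or the rebuilt
    # nginx fails at start with "error while loading shared libraries: libluajit-5.1.so.2"
    echo /usr/local/luajit/lib > /etc/ld.so.conf.d/luajit.conf && ldconfig
    
    #增加环境变量
    # must be set in the shell that runs ./configure; paths match the PREFIX above
    export LUAJIT_LIB=/usr/local/luajit/lib
    export LUAJIT_INC=/usr/local/luajit/include/luajit-2.0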
    
    #----------------至此 模块都配置好了,需要在nginx中导入模块 ------------------------#
    
    #编译模块可能出现的报错:
    [root@wh02 LuaJIT-2.0.5]# make PREFIX=/usr/local/luajit
    ==== Building LuaJIT 2.0.5 ====
    make -C src
    make[1]: gcc: Command not found
    make[1]: Entering directory `/usr/local/src/LuaJIT-2.0.4/src'
    make[1]: gcc: Command not found
    make[1]: gcc: Command not found
    make[1]: gcc: Command not found
    make[1]: gcc: Command not found
    make[1]: gcc: Command not found
    Makefile:233: *** Unsupported target architecture.  Stop.
    make[1]: Leaving directory `/usr/local/src/LuaJIT-2.0.4/src'
    make: *** [default] Error 2
    解决办法:   yum install -y gcc make   (上面的 "Unsupported target architecture" 只是 gcc 缺失的连带结果,装上编译器即可;另外注意这段日志里目录是 LuaJIT-2.0.4,和本文其它地方用的 2.0.5 不一致,以你实际下载的版本为准)
    
    
    
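    #编译安装lua模块:
    # Repeat of the LuaJIT build with the prefix the rest of the page assumes.
    tar xf LuaJIT-2.0.5.tar.gz
    cd LuaJIT-2.0.5 || exit 1
    make PREFIX=/usr/local/luajit
    make install PREFIX=/usr/local/luajit
    # register the non-standard library directory so the rebuilt nginx can load libluajit-5.1.so.2
    echo /usr/local/luajit/lib > /etc/ld.so.conf.d/luajit.conf && ldconfig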
    

    下载扩展模块:

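    # Extension modules pinned to release tags.  ngx_devel_kit is hosted under vision5/
    # (the old simpl/ URL redirects there).  These are third-party code that will run inside
    # nginx: keep the exact versions recorded and re-check the upstream changelogs for
    # security fixes before reusing this recipe.
    mkdir -p /server/tools/leilei
    cd /server/tools/leilei || exit 1
    wget https://github.com/vision5/ngx_devel_kit/archive/v0.3.0.tar.gz
    tar -xf v0.3.0.tar.gz
    
    wget https://github.com/openresty/lua-nginx-module/archive/v0.10.11.tar.gz
    tar xf v0.10.11.tar.gz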
    
    [root@wh02 leilei]# ll
    total 680
    drwxrwxr-x 10 root root   4096 Nov  4  2017 lua-nginx-module-0.10.11
    drwxrwxr-x  9 root root   4096 May 10  2016 ngx_devel_kit-0.3.0
    -rw-r--r--  1 root root 616653 Jan  5 04:32 v0.10.11.tar.gz
    -rw-r--r--  1 root root  66455 Jan  5 04:32 v0.3.0.tar.gz
    

    nginx添加扩展模块

    #获取原来的编译参数
    [root@wh02 tools]# nginx -V
    nginx version: nginx/1.16.1
    built by gcc 4.8.5 20150623 (Red Hat 4.8.5-39) (GCC) 
    built with OpenSSL 1.0.2k-fips  26 Jan 2017
    TLS SNI support enabled
    configure arguments: --prefix=/usr/share/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib64/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --http-client-body-temp-path=/var/lib/nginx/tmp/client_body --http-proxy-temp-path=/var/lib/nginx/tmp/proxy --http-fastcgi-temp-path=/var/lib/nginx/tmp/fastcgi --http-uwsgi-temp-path=/var/lib/nginx/tmp/uwsgi --http-scgi-temp-path=/var/lib/nginx/tmp/scgi --pid-path=/run/nginx.pid --lock-path=/run/lock/subsys/nginx --user=nginx --group=nginx --with-file-aio --with-ipv6 --with-http_ssl_module --with-http_v2_module --with-http_realip_module --with-stream_ssl_preread_module --with-http_addition_module --with-http_xslt_module=dynamic --with-http_image_filter_module=dynamic --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_random_index_module --with-http_secure_link_module --with-http_degradation_module --with-http_slice_module --with-http_stub_status_module --with-http_perl_module=dynamic --with-http_auth_request_module --with-mail=dynamic --with-mail_ssl_module --with-pcre --with-pcre-jit --with-stream=dynamic --with-stream_ssl_module --with-google_perftools_module --with-debug --with-cc-opt='-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -m64 -mtune=generic' --with-ld-opt='-Wl,-z,relro -specs=/usr/lib/rpm/redhat/redhat-hardened-ld -Wl,-E'
    
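    # 下载nginx 1.16.1 安装包: same version as the installed rpm so the configure arguments
    # copied from `nginx -V` still apply.  Fetch over https and verify the detached PGP
    # signature — this tarball becomes the root-started binary on a public-facing host.
    cd /server/tools/leilei || exit 1
    wget https://nginx.org/download/nginx-1.16.1.tar.gz
    wget https://nginx.org/download/nginx-1.16.1.tar.gz.asc
    # the release signing key is published under https://nginx.org/keys/ — import it first, then:
    gpg --verify nginx-1.16.1.tar.gz.asc nginx-1.16.1.tar.gz || exit 1
    tar xf nginx-1.16.1.tar.gz
    cd nginx-1.16.1/ || exit 1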
    
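    #重新编译nginx
    # Rebuild nginx with the distro's own configure arguments (copied from `nginx -V` above,
    # minus the deprecated --with-ipv6) plus ngx_devel_kit and lua-nginx-module.
    # ngx_lua's configure locates LuaJIT through LUAJIT_LIB/LUAJIT_INC; they must be exported
    # in THIS shell — appending them to /etc/profile earlier does not change the current
    # session, and that is the usual cause of "ngx_http_lua_module requires the Lua library".
    export LUAJIT_LIB=/usr/local/luajit/lib
    export LUAJIT_INC=/usr/local/luajit/include/luajit-2.0
    [ -f "$LUAJIT_INC/luajit.h" ] || { echo "LuaJIT headers not found under $LUAJIT_INC" >&2; exit 1; }
    # -Wl,-rpath,$LUAJIT_LIB lets the binary resolve libluajit-5.1.so.2 from the non-standard
    # prefix at run time (alternative: an /etc/ld.so.conf.d entry plus ldconfig).
    # --with-debug only mirrors the distro build; drop it for a production binary.
    ./configure  --prefix=/usr/share/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib64/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --http-client-body-temp-path=/var/lib/nginx/tmp/client_body --http-proxy-temp-path=/var/lib/nginx/tmp/proxy --http-fastcgi-temp-path=/var/lib/nginx/tmp/fastcgi --http-uwsgi-temp-path=/var/lib/nginx/tmp/uwsgi --http-scgi-temp-path=/var/lib/nginx/tmp/scgi --pid-path=/run/nginx.pid --lock-path=/run/lock/subsys/nginx --user=nginx --group=nginx --with-file-aio --with-http_ssl_module --with-http_v2_module --with-http_realip_module --with-stream_ssl_preread_module --with-http_addition_module --with-http_xslt_module=dynamic --with-http_image_filter_module=dynamic --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_random_index_module --with-http_secure_link_module --with-http_degradation_module --with-http_slice_module --with-http_stub_status_module --with-http_perl_module=dynamic --with-http_auth_request_module --with-mail=dynamic --with-mail_ssl_module --with-pcre --with-pcre-jit --with-stream=dynamic --with-stream_ssl_module --with-google_perftools_module --with-debug --with-cc-opt='-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -m64 -mtune=generic' --with-ld-opt="-Wl,-z,relro -specs=/usr/lib/rpm/redhat/redhat-hardened-ld -Wl,-E -Wl,-rpath,$LUAJIT_LIB" --add-module=/server/tools/leilei/ngx_devel_kit-0.3.0 --add-module=/server/tools/leilei/lua-nginx-module-0.10.11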
    
    
    #这是添加了这两个模块后编译的: 
     --add-module=/server/tools/leilei/ngx_devel_kit-0.3.0 --add-module=/server/tools/leilei/lua-nginx-module-0.10.11
     
     编译也有可能会报错: ./configure: error: the invalid value in --with-ld-opt="-Wl,-z,relro -specs=/usr/lib/rpm/redhat/redhat-hardened-ld -Wl,-E"
     解决方法:
     yum -y install redhat-rpm-config.noarch
     
    编译出错: ./configure: error: ngx_http_lua_module requires the Lua library.
    原因与解决办法: 
    这个错误通常是 configure 没找到 LuaJIT——LUAJIT_LIB/LUAJIT_INC 只写进了 /etc/profile 或在另一个 shell 里 export 过,当前 shell 并没有生效,或者路径本身指错了(注意上文写进 /etc/profile 的值 "luajit-2.0 " 末尾多了一个空格)。先在运行 ./configure 的同一个 shell 里 `export LUAJIT_LIB=/usr/local/luajit/lib LUAJIT_INC=/usr/local/luajit/include/luajit-2.0`,并确认 $LUAJIT_INC/luajit.h 和 $LUAJIT_LIB/libluajit-5.1.so 都存在。`yum install lua-devel -y` 只是让模块退而链接系统自带的标准 Lua 5.1 而不是 LuaJIT——ngx_lua 上游并不推荐这样做(较新版本已经不再支持标准 Lua),WAF 规则匹配的性能也会差很多,应当只作为最后手段。
     
    编译出错:/configure: error: the HTTP XSLT module requires the libxml2/libxslt
    解决办法:
    yum install libxslt-devel -y
    
    编译出错: ./configure: error: the HTTP image filter module requires the GD library.
    解决办法:
    yum install gd gd-devel -y
    
    编译出错: ./configure: error: perl module ExtUtils::Embed is required
    解决办法: 
    yum install perl-ExtUtils-Embed -y
    
    编译出错: ./configure: error: the Google perftools module requires the Google perftools
    解决办法: 
    yum install gperftools -y
    
    
    安装完毕:
    Configuration summary
      + using system PCRE library
      + using system OpenSSL library
      + using system zlib library
    
      nginx path prefix: "/usr/share/nginx"
      nginx binary file: "/usr/sbin/nginx"
      nginx modules path: "/usr/lib64/nginx/modules"
      nginx configuration prefix: "/etc/nginx"
      nginx configuration file: "/etc/nginx/nginx.conf"
      nginx pid file: "/run/nginx.pid"
      nginx error log file: "/var/log/nginx/error.log"
      nginx http access log file: "/var/log/nginx/access.log"
      nginx http client request body temporary files: "/var/lib/nginx/tmp/client_body"
      nginx http proxy temporary files: "/var/lib/nginx/tmp/proxy"
      nginx http fastcgi temporary files: "/var/lib/nginx/tmp/fastcgi"
      nginx http uwsgi temporary files: "/var/lib/nginx/tmp/uwsgi"
      nginx http scgi temporary files: "/var/lib/nginx/tmp/scgi"
      
    
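    ## 编译安装nginx 
    # Build only — installation is the hot-swap below.  The two checks confirm the Lua module
    # really went into the build and that the new binary accepts the current
    # /etc/nginx/nginx.conf before it replaces the rpm binary.
    make -j"$(nproc)"
    objs/nginx -V 2>&1 | grep -q 'lua-nginx-module' || { echo "lua-nginx-module missing from the build" >&2; exit 1; }
    objs/nginx -t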
    
    ## 平滑升级:
    # 先备份旧二进制,再放入新二进制。不要像原文那样直接 cp 覆盖正在运行的 /usr/sbin/nginx:先 mv 改名,旧 master 继续持有旧 inode 不受影响,回滚时也有文件可用。
    mv /usr/sbin/nginx /usr/sbin/nginx.old
    cp objs/nginx /usr/sbin/nginx
    
    # 注意:/usr/sbin/nginx 属于 yum 安装的 rpm 包,以后任何一次 `yum update nginx` 都会把它换回不带 lua 模块的官方二进制,WAF 会静默失效(reload 时只会在 error.log 里留下 unknown directive)。
    # 要么在 /etc/yum.conf 里加 exclude=nginx*(或用 yum versionlock 锁定),要么把自编译版本打成 rpm 统一管理,并把"nginx -V 里是否含 lua-nginx-module"纳入监控/巡检。
    
    #发送协同工作信号: USR2 让旧 master 用磁盘上新的 /usr/sbin/nginx 拉起一个新 master(及其 worker),同时把自己的 pid 文件改名为 /run/nginx.pid.oldbin,此后 /run/nginx.pid 指向的是"新" master
    [root@wh02 nginx-1.16.1]# kill -USR2 `cat /run/nginx.pid`
    [root@wh02 nginx-1.16.1]# ps -ef|grep nginx
    root     21305 23677  0 01:31 ?        00:00:00 nginx: master process /usr/sbin/nginx
    nginx    21306 21305  0 01:31 ?        00:00:00 nginx: worker process
    root     21311  1443  0 01:31 pts/2    00:00:00 grep --color=auto nginx
    root     23677     1  0 Jan04 ?        00:00:00 nginx: master process /usr/sbin/nginx
    nginx    23678 23677  0 Jan04 ?        00:00:00 nginx: worker process
    
    #发送退出信号——要发给"旧" master,而旧 master 的 pid 此时在 /run/nginx.pid.oldbin 里:
    [root@wh02 nginx-1.16.1]#  kill -QUIT `cat /run/nginx.pid.oldbin`
    
    原文这一步写的是 kill -QUIT `cat /run/nginx.pid`。但 USR2 之后 /run/nginx.pid 已经是新 master(21305)的 pid,这样发 QUIT 退出的其实是刚拉起来的新 master——上面 ps 的结果也印证了这一点:新进程 21305/21306 消失了,而 Jan04 启动的旧 master 23677 和 worker 23678 还在。也就是说机器上仍然跑着没有 lua 模块的旧二进制,后面写进 nginx.conf 的 lua 指令对它来说是 unknown directive,reload 时旧 master 只会记一条错误并继续沿用旧配置,WAF 根本没有生效。
    正确做法:给 nginx.pid.oldbin 里的 pid 发 QUIT;然后用 ps 确认只剩一个父进程为 1 的 master,并核实它运行的是新二进制(`ls -l /proc/$(cat /run/nginx.pid)/exe`),必要时再用 `nginx -V 2>&1 | grep -o 'lua-nginx-module[^ ]*'` 确认磁盘上的二进制带有 lua 模块。
    升级完毕(以上述核实为准)!
    

    lua模块添加

    步骤整理:
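    # Consolidated steps.  The original summary mixed a LuaJIT 2.0.2 download with a 2.0.5
    # archive, used two different PREFIXes for make and make install, had "get" for "wget",
    # and exported LUAJIT_* paths under /opt/programs/nginx_1.12.2 that exist nowhere on this
    # host — copying it verbatim cannot work.
    set -e
    
    # LuaJIT: one PREFIX for both make and make install; the same two paths are exported for
    # configure.  (ngx_lua upstream recommends its LuaJIT 2.1 branch, openresty/luajit2.)
    wget https://luajit.org/download/LuaJIT-2.0.5.tar.gz
    tar xf LuaJIT-2.0.5.tar.gz
    ( cd LuaJIT-2.0.5 && make PREFIX=/usr/local/luajit && make install PREFIX=/usr/local/luajit )
    # let the rebuilt nginx find libluajit-5.1.so.2 at run time
    echo /usr/local/luajit/lib > /etc/ld.so.conf.d/luajit.conf && ldconfig
    
    # ngx_devel_kit (hosted under vision5/; the old simpl/ URL redirects there) and
    # lua-nginx-module, pinned to release tags
    wget https://github.com/vision5/ngx_devel_kit/archive/v0.3.0.tar.gz
    tar xf v0.3.0.tar.gz
    wget https://github.com/openresty/lua-nginx-module/archive/v0.10.11.tar.gz
    tar xf v0.10.11.tar.gz
    
    # must be exported in the shell that runs ./configure
    export LUAJIT_LIB=/usr/local/luajit/lib
    export LUAJIT_INC=/usr/local/luajit/include/luajit-2.0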
    

    配置:

    #nginx.conf配置文件中的http区块加入如下: 
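    #----------waf防火墙-----------------------------#
    # ngx_lua_waf wiring for the http{} block.
    # The trailing ";;" keeps ngx_lua's default search path in addition to the WAF directory;
    # without it the default path is replaced entirely.
    lua_package_path "/etc/nginx/conf.d/waf/?.lua;;";
    # shared zone used by the CC (rate-limit) counters; must exist whenever CCDeny="on"
    lua_shared_dict limit 10m;
    # init_by_lua_file is executed by the master process (running as root) at config load:
    # keep the WAF directory owned by root and not writable by the nginx worker user.
    init_by_lua_file  /etc/nginx/conf.d/waf/init.lua;
    access_by_lua_file /etc/nginx/conf.d/waf/waf.lua;
    #----------waf防火墙-----------------------------#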
    
    
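    #nginx目录下创建相关目录:
    # Fetch ngx_lua_waf straight into the directory the nginx.conf paths refer to.  Cloning
    # *inside* /etc/nginx/conf.d/waf/ and renaming to waf/ (as the original did) leaves the
    # files one level too deep — /etc/nginx/conf.d/waf/waf/init.lua — and nginx -t fails.
    git clone https://github.com/loveshell/ngx_lua_waf.git /etc/nginx/conf.d/waf
    # The repository has no tagged releases: record the deployed commit and review the rule
    # files under wafconf/ before trusting them (check how recently the project was updated).
    git -C /etc/nginx/conf.d/waf log -1 --format='%H %cd'
    # init.lua/config.lua are executed by the root master at startup: root-owned and not
    # writable by the nginx worker user, or a worker compromise becomes code execution as root.
    chown -R root:root /etc/nginx/conf.d/waf
    chmod -R go-w /etc/nginx/conf.d/waf
    cd /etc/nginx/conf.d/waf/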
    
    [root@wh02 waf]# ll
    total 32
    -rw-r--r-- 1 root root 2377 Jan  5 04:50 config.lua
    -rw-r--r-- 1 root root 6405 Jan  5 04:50 init.lua
    -rw-r--r-- 1 root root 1587 Jan  5 04:50 install.sh
    -rw-r--r-- 1 root root 4612 Jan  5 04:50 README.md
    drwxr-xr-x 2 root root 4096 Jan  5 04:50 wafconf
    -rw-r--r-- 1 root root 2295 Jan  5 04:50 waf.lua
    
    # 添加到nginx配置文件中
    
    vim /etc/nginx/nginx.conf
    
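    http  {
    ...
    ...
    #----------waf防火墙-----------------------------#
    # lua_load_resty_core was only added in a later 0.10.x release of ngx_lua; with the
    # 0.10.11 module compiled above, `nginx -t` may reject it as an unknown directive — drop
    # the line for that version.  Recent ngx_lua releases always load lua-resty-core (the
    # "off" value is gone) and need lua-resty-core + lua-resty-lrucache on lua_package_path.
    lua_load_resty_core off;
    # shared zone for the CC rate-limit counters (CCDeny in config.lua)
    lua_shared_dict limit 30m;
    # ";;" keeps ngx_lua's default search path; without it only the WAF directory is searched
    lua_package_path "/etc/nginx/conf.d/waf/?.lua;;";
    # runs in the root master at config load — keep this directory root-owned, not worker-writable
    init_by_lua_file  /etc/nginx/conf.d/waf/init.lua;
    access_by_lua_file /etc/nginx/conf.d/waf/waf.lua;
    #----------waf防火墙-----------------------------#
    ...
    ...
    }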
    
    # 修改 vim /etc/nginx/conf.d/waf/config.lua 配置文件,将规则路径改为: /etc/nginx/conf.d/waf/ 。注意两类目录权限不同:logdir 由 nginx worker 进程(--user=nginx)写入,必须对 nginx 用户可写;而 waf 目录及 wafconf/ 规则由 root 身份的 master 进程通过 init_by_lua_file 加载执行,应保持 root 所有、其他用户不可写。
    RulePath = "/etc/nginx/conf.d/waf/wafconf/"
    attacklog = "on"
    logdir = "/etc/nginx/logs/hack/"
    
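    #没有相关目录就创建相关目录
    # Rule directory: root-owned and read-only for everyone else — it is loaded by the root
    # master via init_by_lua_file, so a worker-writable copy would be a privilege escalation path.
    mkdir -p /etc/nginx/conf.d/waf/wafconf/
    chmod 755 /etc/nginx/conf.d/waf/wafconf/
    # Attack log directory: written by the nginx *worker* (user "nginx" per --user=nginx),
    # so it must be writable by that account; created as root-only it silently yields no
    # attack log (confirm how init.lua handles a failed io.open).  Group/other access is
    # removed because the log contains raw request data.
    mkdir -p /etc/nginx/logs/hack/
    chown nginx:nginx /etc/nginx/logs/hack/
    chmod 750 /etc/nginx/logs/hack/
    # Logs under /etc are unusual; /var/log/nginx/hack/ (with logdir updated in config.lua)
    # is the conventional place and keeps /etc eligible for read-only hardening.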
    
    通过以上配置并没有让它生效,如果需要生效还需要到 config.lua 中开启规则才可以。另外要清楚 ngx_lua_waf 只是一个基于正则的轻量过滤器,维护并不活跃(看一眼仓库最后提交时间),绕过并不难,只能作为一道辅助防线,不能替代应用自身的输入校验和及时打补丁;wafconf/ 下的规则上线前应逐条过一遍,上线后观察误拦截。
    

    nginx中添加配置:

    开启waf 防火墙:

    vim /etc/nginx/conf.d/waf/config.lua
    config_waf_enable= "on" 
    由于版本更新,新版本的lua配置中已经没有了 waf 开关了,默认就是开启状态,如果需要关闭则需要去 nginx.conf中注释lua.
    

    waf防火墙规则配置:

    目录: /etc/nginx/conf.d/waf/config.lua
    
    vim /etc/nginx/conf.d/waf/config.lua
    #没修改之前都是默认规则.
    
    	RulePath = "/usr/local/nginx/conf/waf/wafconf/"
        --Directory holding the rule files.  On this page it is changed to
        --/etc/nginx/conf.d/waf/wafconf/; keep it root-owned and not writable by the nginx
        --worker user, because init.lua is loaded by the root master process.
    
    	attacklog = "on"
        --Record matched requests to logdir (requires logdir below).
        
        logdir = "/usr/local/nginx/logs/hack/"
        --Attack-log directory; create it yourself and make it writable by the nginx worker
        --user (the worker, not root, opens the file).  Prefer a location under /var/log.
        
        UrlDeny="on"
        --Filter the request URL against the url rules.
        
        Redirect="on"
        --On a match, answer with the html string below instead of passing the request on.
        
        CookieMatch = "on"
        --Filter the Cookie header.
        
        postMatch = "on" 
        --Filter POST bodies (form fields and uploads).
        
        whiteModule = "on" 
        --Enable the URL whitelist; requests matching whiteurl rules skip the later content
        --checks (confirm the exact check order in waf.lua).
        
        black_fileExt={"php","jsp"}
        --Upload file extensions that are rejected.
        
        ipWhitelist={"127.0.0.1"}
        --Client IPs that skip every check; comma-separated Lua strings, compared as plain
        --strings (no CIDR — confirm in init.lua).
        --NOTE(review): the lists act on the client address init.lua resolves (see
        --getClientIp).  Behind a proxy/CDN configure the realip module with set_real_ip_from
        --limited to your proxies; otherwise the lists and the CC counter see the proxy's IP.
        
        ipBlocklist={"1.0.0.1"}
        --Client IPs that are always rejected; comma-separated Lua strings.
        
        CCDeny="on"
        --Per-IP, per-URL rate limiting; needs `lua_shared_dict limit 10m;` in nginx.conf's http block.
        
        CCrate = "100/60"
        --CC threshold as requests/seconds.
        --Default: the same IP may request the same URL at most 100 times per 60 seconds.
        
        html=[[Please go away~~]]
        --Body returned on a block (customize inside the brackets).  This string, not
        --nginx's 50x.html, is what a blocked client sees.
        备注:不要乱动双引号,区分大小写
    

    访问测试:

    http://115.159.79.190/index.php?id=../etc/passwd
    用一个带目录穿越特征的参数访问,检查是否会被阻止:正常情况下会被拦截(默认 403),页面内容就是 config.lua 里 html=[[...]] 的那段文字。注意要从一个不在 ipWhitelist 里的地址测试——127.0.0.1 默认在白名单里,在本机 curl localhost 是测不出来的。

    看到这个提示说明 waf防火墙配置成功!

    错误页面也有可能是这样:

    测试禁止IP访问:

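    -- 黑名单 / block list: add the test client's own address so the block can be observed.
    -- Entries are comma-separated Lua strings (the original said "semicolon-separated" and
    -- used a "#" comment, which is a syntax error if pasted into config.lua).
    ipBlocklist={"1.0.0.1","117.186.242.158"}
    
    -- 白名单 / whitelist: addresses here skip every check, so list only trusted management
    -- hosts.  Do NOT add the test address here as well — waf.lua consults ipWhitelist before
    -- ipBlocklist (check the order of checks in waf.lua), so the request would be let through.
    ipWhitelist={"127.0.0.1"}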
    

    实际黑名单效果:

    (此处原文误粘贴了一段 configure 参数,并非截图。实际效果:被列入 ipBlocklist 的地址访问任意 URL 都直接收到拦截页面,不会到达后端。)
    
    自定义的网站阻止页面:
    注意:ngx_lua_waf 拦截时是在 init.lua 中直接输出 config.lua 里 html=[[...]] 的内容(见上文 "警告内容,可在中括号内自定义"),并不会去读网站根目录下的 50x.html;50x.html 只在 nginx 自身 error_page 50x 时才会用到。要自定义 WAF 拦截页,把下面这段 HTML 放进 config.lua 的 html=[[ ... ]] 中即可。另外原文的 `cat /usr/share/nginx/html` 只是读目录,并不会写文件;如确需生成 50x.html,用 `cat > /usr/share/nginx/html/50x.html <<'EOF' ... EOF` 写入。
    #-------------------------------------------------------
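    <!-- WAF block page.  ngx_lua_waf sends the html=[[...]] string from config.lua when it
         blocks a request, so this markup belongs inside those brackets; a 50x.html in the
         web root is only used by nginx's own error_page handling.
         Fixes versus the original: the two "width:" properties had lost their property
         name ("1000px;" / "600px;" are invalid CSS and were ignored), and one list item was
         split across lines.
         NOTE(review): a personal mobile number on a page that every blocked — including
         hostile — client sees is an information-disclosure concern; prefer a role mailbox
         or ticket URL. -->
    <html xmlns="http://www.w3.org/1999/xhtml"><head>
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
    <title>网站防火墙</title>
    <style>
    p {
            line-height:20px;
    }
    ul{ list-style-type:none;}
    li{ list-style-type:none;}
    </style>
    </head>
    
    <body style=" padding:0; margin:0; font:14px/1.5 Microsoft Yahei, 宋体,sans-serif; color:#555;">
    
     <div style="margin: 0 auto; width:1000px; padding-top:70px; overflow:hidden;">
    
    
      <div style="width:600px; float:left;">
        <div style=" height:40px; line-height:40px; color:#fff; font-size:16px; overflow:hidden; background:#6bb3f6; padding-left:20px;">网站防火墙 </div>
        <div style="border:1px dashed #cdcece; border-top:none; font-size:14px; background:#fff; color:#555; line-height:24px; height:220px; padding:20px 20px 0 20px; overflow-y:auto;background:#f3f7f9;">
          <p style=" margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px;"><span style=" font-weight:600; color:#fc4f03;">您的请求带有不合法参数,已被网站管理员设置拦截!</span></p>
    <p style=" margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px;">可能原因:您提交的内容包含危险的攻击请求</p>
    <p style=" margin-top:12px; margin-bottom:12px; margin-left:0px; margin-right:0px; -qt-block-indent:1; text-indent:0px;">如何解决:</p>
    <ul style="margin-top: 0px; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; -qt-list-indent: 1;"><li style=" margin-top:12px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px;">1)检查提交内容;</li>
    <li style=" margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px;">2)如网站托管,请联系空间提供商;</li>
    <li style=" margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px;">3)普通网站访客,请联系网站管理员手机号: 18816997176 </li></ul>
        </div>
      </div>
    </div>
    </body></html>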
    #-------------------------------------------------------
    

    效果图:

  • 原文地址:https://www.cnblogs.com/superlinux/p/12796506.html
Copyright © 2020-2023  润新知