
modsecurity+openwaf集成

黄永怡
2023-12-01

1.安装依赖

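# Install the build prerequisites for ModSecurity v3, OpenResty and OpenWAF
# (Debian/Ubuntu; needs root). The duplicate libpng12-dev entry was dropped.
# NOTE(review): libpng12-dev, libssl1.0.0 and libcdio13 appear to exist only on
# older releases — confirm the host release still receives security updates.
# NOTE(review): the multimedia packages (libav*, libsdl1.2-dev, libmp3lame-dev,
# ...) do not look related to a WAF build; presumably inherited from another
# recipe. Trimming them keeps the installed footprint of the gateway smaller.
apt-get install \
  apache2-dev autoconf automake build-essential bzip2 checkinstall devscripts \
  flex g++ gcc git \
  graphicsmagick-imagemagick-compat graphicsmagick-libmagick-dev-compat \
  libaio-dev libaio1 libass-dev libatomic-ops-dev \
  libavcodec-dev libavdevice-dev libavfilter-dev libavformat-dev libavutil-dev \
  libbz2-dev libcdio-cdda1 libcdio-paranoia1 libcdio13 \
  libcurl4-openssl-dev libfreetype6-dev libgd-dev libgeoip-dev libgeoip1 \
  libgif-dev libgpac-dev libgsm1-dev libjack-jackd2-dev \
  libjpeg-dev libjpeg-progs libjpeg8-dev liblmdb-dev libmp3lame-dev \
  libncurses5-dev libopencore-amrnb-dev libopencore-amrwb-dev libpam0g-dev \
  libpcre3 libpcre3-dev libperl-dev libpng12-dev libpng12-0 \
  libreadline-dev librtmp-dev libsdl1.2-dev libssl-dev libssl1.0.0 \
  libswscale-dev libtheora-dev libtiff5-dev libtool libva-dev libvdpau-dev \
  libvorbis-dev libxml2-dev libxslt1-dev libxslt1.1 \
  libxvidcore-dev libxvidcore4 libyajl-dev \
  make openssl perl pkg-config tar texi2html unzip zip zlib1g-dev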

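# Download and unpack the source trees, then build and install libcidr.
# Later steps use absolute paths under /opt (/opt/libcidr-1.2.3,
# /opt/pcre-8.43, /opt/openssl-1.1.1d), so everything is unpacked there.
cd /opt

# libcidr is fetched over plain HTTP and none of the archives is verified here:
# compare `sha256sum <archive>` with the digest published by each upstream
# before unpacking anything that will be compiled and installed as root.
# NOTE(review): these pinned releases are old (OpenSSL 1.1.1d dates from 2019)
# and OpenSSL/PCRE are compiled into the nginx binary later — check upstream
# security advisories and prefer a currently supported release.
wget http://www.over-yonder.net/~fullermd/projects/libcidr/libcidr-1.2.3.tar.xz
wget https://ftp.pcre.org/pub/pcre/pcre-8.43.tar.gz
wget https://www.openssl.org/source/openssl-1.1.1d.tar.gz
wget https://openresty.org/download/openresty-1.15.8.2.tar.gz

tar -xvf libcidr-1.2.3.tar.xz
tar -zxvf pcre-8.43.tar.gz
tar -zxvf openssl-1.1.1d.tar.gz
tar -zxvf openresty-1.15.8.2.tar.gz
# NOTE(review): later steps refer to /opt/openresty, but this archive unpacks to
# openresty-1.15.8.2; presumably the directory is renamed or symlinked — confirm.

# The archives are plain files, so -f is enough (no recursive delete needed).
rm -f -- pcre-8.43.tar.gz \
         openssl-1.1.1d.tar.gz \
         openresty-1.15.8.2.tar.gz

# Build in a subshell so the working directory stays /opt for the next step,
# and so make never runs in the wrong directory if the cd fails.
(cd /opt/libcidr-1.2.3 && make && make install)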

2.下载ModSecurity

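# Build and install libmodsecurity (ModSecurity v3) from source.
# Clone under /opt: the configuration step later copies
# /opt/ModSecurity/modsecurity.conf-recommended.
cd /opt
git clone https://github.com/SpiderLabs/ModSecurity.git
cd /opt/ModSecurity
# This tracks the moving tip of v3/master, so two runs can build different code.
# NOTE(review): for a reproducible WAF build, check out a release tag instead
# (<RELEASE_TAG> — placeholder, take it from the upstream release list).
git checkout -b v3/master origin/v3/master
sh build.sh
# Fetch the submodules the source tree depends on before configuring.
git submodule init
git submodule update
# Enable JSON support through yajl (libyajl-dev from the dependency step).
./configure --with-yajl=yes
make
make install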

3.下载ModSecurity-nginx

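# Fetch the nginx connector for ModSecurity. It is cloned under /opt so that
# --add-dynamic-module=../ModSecurity-nginx resolves from /opt/openresty.
# The clone uses https:// rather than http:// so the module source compiled
# into the gateway is fetched over an authenticated, encrypted channel.
cd /opt
git clone --depth 1 https://github.com/SpiderLabs/ModSecurity-nginx.git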

4.下载owasp规则库

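# Fetch the OWASP Core Rule Set and activate its example configuration files.
# NOTE(review): the CRS project is now maintained at
# github.com/coreruleset/coreruleset; this SpiderLabs URL is its former home.
# Confirm which rule release this clone gives you and pin a release tag
# (<RELEASE_TAG> — placeholder) rather than the default branch.
cd /opt
git clone https://github.com/SpiderLabs/owasp-modsecurity-crs.git
cd /opt/owasp-modsecurity-crs
# crs-setup.conf holds the CRS tuning knobs; start from the shipped example.
cp crs-setup.conf.example crs-setup.conf
cd rules
# The two exclusion files are where site-specific false-positive exceptions go;
# they ship as .example so upgrades never overwrite local changes.
cp REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf
cp RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.example RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf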

5.搭建openwaf

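# Fetch OpenWAF and merge its OpenResty additions into the OpenResty source tree.
# Every path below is absolute under /opt, so the clone must land in /opt/OpenWAF.
cd /opt
git clone https://github.com/titansec/OpenWAF.git
cd /opt/OpenWAF
# Put OpenWAF's configure script into the OpenResty tree (a copy works as well;
# it does not have to be moved).
mv /opt/OpenWAF/lib/openresty/configure /opt/openresty/
# Copy the remaining OpenWAF-provided files into OpenResty's bundle directory,
# recursively and without following symlinks.
cp -RP /opt/OpenWAF/lib/openresty/* /opt/openresty/bundle/
make clean
make install
# Expose the libcidr library installed earlier where OpenWAF's resty code looks for it.
ln -s /usr/local/lib/libcidr.so /opt/OpenWAF/lib/resty/libcidr.so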

6.openresty集成

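# Configure and build OpenResty with the ModSecurity connector as a dynamic module.
# The configure script was placed in /opt/openresty by the OpenWAF step, and
# ../ModSecurity-nginx is resolved relative to that directory.
cd /opt/openresty
# --with-openssl / --with-pcre build those source trees into the nginx binary,
# so the gateway's TLS library is whatever version sits in /opt/openssl-1.1.1d;
# it is not updated by the system package manager.
./configure \
  --with-pcre-jit \
  --with-ipv6 \
  --with-http_stub_status_module \
  --with-http_ssl_module \
  --with-http_realip_module \
  --with-http_sub_module \
  --with-http_geoip_module \
  --with-openssl=/opt/openssl-1.1.1d \
  --with-pcre=/opt/pcre-8.43 \
  --add-dynamic-module=../ModSecurity-nginx

make
make install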

7.配置

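# Activate the CRS example files and the recommended ModSecurity configuration.
# The previous step leaves the shell in the OpenResty tree, so use the
# absolute path of the CRS checkout.
cd /opt/owasp-modsecurity-crs
cp crs-setup.conf.example crs-setup.conf
cd rules
cp REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf
cp RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.example RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf

# modsecurity.conf-recommended ships with `SecRuleEngine DetectionOnly`:
# requests are logged but not blocked until that is changed to `On`.
# Nothing on this page adds `Include` lines for crs-setup.conf and rules/*.conf
# to modsecurity.conf; without them the CRS files copied above are not loaded.
cp /opt/ModSecurity/modsecurity.conf-recommended /opt/ModSecurity/modsecurity.conf

# Log directory: owner-writable only, instead of mode 777. A world-writable
# audit-log directory lets any local account delete, replace or plant log
# files, and audit logs can contain request bodies (credentials, session
# tokens), so read access is limited to owner and group as well.
# Assumes workers run as nginx's default `nobody` account (the nginx.conf on
# this page leaves `user` commented out) — adjust the owner if `user` is set.
# NOTE(review): nothing on this page points SecAuditLog/SecDebugLog at this
# directory; presumably that is configured in modsecurity.conf — confirm.
mkdir -p /var/log/modsecurity
chown nobody /var/log/modsecurity
chmod 750 /var/log/modsecurity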


 

 8.nginx.conf

# nginx.conf for OpenResty with OpenWAF and ModSecurity v3 in front of one
# proxied application.
# With `user` left commented out, workers run as the compiled-in default
# account — presumably `nobody`; confirm against the build.
#user  nobody;
worker_processes  1;
#error_log  logs/error.log;
# Load the ModSecurity dynamic module (must appear in the main context).
load_module /usr/local/openresty/nginx/modules/ngx_http_modsecurity_module.so;

#error_log  logs/error.log  notice;

#error_log  logs/error.log  info; 

# Relative path: resolved against the prefix given with `-p` at start-up.
pid        logs/nginx.pid;

events {
    worker_connections  1024;
}

http {
    include       /opt/openresty/bundle/nginx-1.15.8/conf/mime.types;
    default_type  application/octet-stream;
# OpenWAF's http-level configuration and its API configuration.
# NOTE(review): the contents of twaf_api.conf are not shown on this page —
# confirm that whatever listener it defines is not reachable from untrusted
# networks, since it configures the WAF itself.
include /opt/OpenWAF/conf/twaf_main.conf;
include /opt/OpenWAF/conf/twaf_api.conf;
    #log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
    #                  '$status $body_bytes_sent "$http_referer" '
    #                  '"$http_user_agent" "$http_x_forwarded_for"';

    # Access logging is commented out here and in the server block below.
    #access_log  logs/access.log  main;
    sendfile        on;
    #tcp_nopush     on;
    #keepalive_timeout  0;
    keepalive_timeout  65;

    #gzip  on;
    server {

        # Plain HTTP only; no TLS listener is defined in this file.
        listen       80;
        server_name  _;
         # OpenWAF's per-server hooks.
         include /opt/OpenWAF/conf/twaf_server.conf;
        #access_log  logs/host.access.log  main;
        # Enable ModSecurity for this server. Rules are only loaded inside
        # /dvwa/ below, so other locations run the module without a rule set.
        modsecurity on;
        location /dvwa/ {
            # Path to the ModSecurity configuration file. The OWASP CRS only
            # applies if this file includes crs-setup.conf and the rules.
            modsecurity_rules_file /opt/ModSecurity/modsecurity.conf;
           # The backend is reached over cleartext HTTP at a private address.
           proxy_pass  http://192.168.0.138/dvwa/;
           # root   html;
           # index  index.html index.htm;
        }

        location = /50x.html {
            root   html;
        }
    }
}
~         

 

9.启动

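# Validate the configuration first and start OpenResty only if the check
# passes, so a broken rule file or include never takes the gateway down.
# The prefix /data/geektime is not created anywhere on this page: nginx.conf
# must be at /data/geektime/conf/nginx.conf, and /data/geektime/logs must exist
# because `pid logs/nginx.pid` is resolved against the prefix.
# Binding port 80 requires starting the master process with sufficient privileges.
openresty -p /data/geektime -c /data/geektime/conf/nginx.conf -t &&
  openresty -p /data/geektime -c /data/geektime/conf/nginx.conf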

 

 

 
