A web application with multiple known vulnerabilities is running on port 8000 of the server. The task is to put a web application firewall in front of it on port 80, so that the firewall-protected application is reached through port 80.
The approach: nginx acts as a reverse proxy, listening for requests on port 80 and forwarding them to port 8000, with the ModSecurity module loaded. Requests are checked against the OWASP Core Rule Set, and any request detected as an attack is answered with 403.
apt-get install apache2-dev autoconf automake build-essential bzip2 checkinstall devscripts flex g++ gcc git graphicsmagick-imagemagick-compat graphicsmagick-libmagick-dev-compat libaio-dev libaio1 libass-dev libatomic-ops-dev libavcodec-dev libavdevice-dev libavfilter-dev libavformat-dev libavutil-dev libbz2-dev libcdio-cdda1 libcdio-paranoia1 libcdio13 libcurl4-openssl-dev libfaac-dev libfreetype6-dev libgd-dev libgeoip-dev libgeoip1 libgif-dev libgpac-dev libgsm1-dev libjack-jackd2-dev libjpeg-dev libjpeg-progs libjpeg8-dev liblmdb-dev libmp3lame-dev libncurses5-dev libopencore-amrnb-dev libopencore-amrwb-dev libpam0g-dev libpcre3 libpcre3-dev libperl-dev libpng12-dev libpng12-0 libpng12-dev libreadline-dev librtmp-dev libsdl1.2-dev libssl-dev libssl1.0.0 libswscale-dev libtheora-dev libtiff5-dev libtool libva-dev libvdpau-dev libvorbis-dev libxml2-dev libxslt-dev libxslt1-dev libxslt1.1 libxvidcore-dev libxvidcore4 libyajl-dev make openssl perl pkg-config tar texi2html unzip zip zlib1g-dev
Note:
Source directory: /usr/local/src
Install directory: /usr/local/nginx
$ wget http://nginx.org/download/nginx-1.18.0.tar.gz
$ tar xvf nginx-1.18.0.tar.gz -C /usr/local/src/
$ cd /usr/local/src/nginx-1.18.0
$ ./configure \
--prefix=/usr/local/nginx \
--with-http_ssl_module \
--with-http_flv_module \
--with-http_stub_status_module \
--with-http_gzip_static_module \
--with-pcre \
--with-file-aio \
--with-http_secure_link_module \
--with-compat \
--with-http_addition_module \
--with-http_auth_request_module \
--with-http_dav_module \
--with-http_mp4_module \
--with-http_random_index_module \
--with-http_realip_module
$ make && make install
Create a new file /usr/lib/systemd/system/nginx.service with the following content:
[Unit]
Description=nginx - high performance web server
After=network-online.target remote-fs.target nss-lookup.target
[Service]
Type=forking
PIDFile=/usr/local/nginx/logs/nginx.pid
ExecStart=/usr/local/nginx/sbin/nginx -c /usr/local/nginx/conf/nginx.conf
ExecReload=/bin/kill -s HUP $MAINPID
ExecStop=/bin/kill -s TERM $MAINPID
[Install]
WantedBy=multi-user.target
$ vim /etc/profile
Append the following as the last line:
PATH=/usr/local/nginx/sbin:$PATH
$ source /etc/profile
$ cd /usr/local/src
$ git clone --depth 1 -b v3/master --single-branch https://github.com/SpiderLabs/ModSecurity
$ cd ModSecurity/
$ git submodule init
$ git submodule update
$ ./build.sh
$ ./configure
$ make && make install
$ cd /usr/local/src/
$ git clone --depth 1 https://github.com/SpiderLabs/ModSecurity-nginx.git
$ nginx -V
$ cd /usr/local/src/nginx-1.18.0/
$ ./configure ...(the configure arguments reported by nginx -V) --add-dynamic-module=/usr/local/src/ModSecurity-nginx
$ make modules
$ make install
$ cp objs/ngx_http_modsecurity_module.so /usr/local/nginx/modules/ngx_http_modsecurity_module.so
$ vim /usr/local/nginx/conf/nginx.conf
Add the following as the first line of the file:
load_module /usr/local/nginx/modules/ngx_http_modsecurity_module.so;
$ cd /usr/local/src
$ wget https://raw.githubusercontent.com/SpiderLabs/ModSecurity/v3/master/modsecurity.conf-recommended
$ mv modsecurity.conf-recommended /usr/local/nginx/conf/modsecurity.conf
$ vim /usr/local/nginx/conf/modsecurity.conf
Change the value after SecRuleEngine to On (the recommended file ships with DetectionOnly, which only logs and never blocks).
$ git clone https://github.com/SpiderLabs/owasp-modsecurity-crs.git
$ cp -R owasp-modsecurity-crs/rules /usr/local/nginx/conf/
$ cp owasp-modsecurity-crs/crs-setup.conf.example /usr/local/nginx/conf/crs-setup.conf
$ vim /usr/local/nginx/conf/modsecurity.conf
Add the following two lines:
Include crs-setup.conf
Include rules/*.conf
$ vim /usr/local/nginx/conf/nginx.conf
Inside the server block, add:
modsecurity on;
modsecurity_rules_file /usr/local/nginx/conf/modsecurity.conf;
$ cp /usr/local/src/ModSecurity/unicode.mapping /usr/local/nginx/conf/
$ nginx -t
$ systemctl restart nginx
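The steps above only show the two ModSecurity directives; the reverse proxy to port 8000 that the task requires is never spelled out. The following nginx.conf is an added example (not a file from the original notes) that ties the whole setup together: the module load at the top, the port-80 server inspected by ModSecurity, and the proxy to the application. The upstream address 127.0.0.1:8000 and the proxy_set_header lines are assumptions; the file paths are the ones used above.

```nginx
# /usr/local/nginx/conf/nginx.conf (added example, not the original notes' file)
# Load the dynamic ModSecurity module built above; this must come before the http block.
load_module /usr/local/nginx/modules/ngx_http_modsecurity_module.so;

worker_processes 1;

events {
    worker_connections 1024;
}

http {
    include       mime.types;
    default_type  application/octet-stream;

    server {
        # The WAF-protected entry point: only port 80 is exposed to clients.
        listen 80;
        server_name _;

        # Inspect every request with the rule set from modsecurity.conf (which Includes the CRS).
        # With SecRuleEngine On, requests the CRS flags as attacks are denied; ModSecurity's
        # default deny status is 403, matching the behaviour required by the task.
        modsecurity on;
        modsecurity_rules_file /usr/local/nginx/conf/modsecurity.conf;

        location / {
            # Forward requests that passed inspection to the application on port 8000
            # (assumed to be bound to localhost; adjust if it listens elsewhere).
            proxy_pass http://127.0.0.1:8000;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }
    }
}
```

Validate with `nginx -t` before restarting; blocked requests show up in the audit log configured by SecAuditLog in modsecurity.conf, which is the place to look when a legitimate request is unexpectedly answered with 403.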