生产环境基础环境
# Build prerequisites on a yum-based (RHEL/CentOS) host: compiler, zlib and PCRE
# for the nginx core, OpenSSL for TLS, perl-ExtUtils-Embed for --with-http_perl_module.
yum install -y \
  gcc \
  zlib zlib-devel \
  openssl openssl-devel \
  pcre pcre-devel \
  perl-ExtUtils-Embed
下载安装LuaJit
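# Build LuaJIT from source into /usr/local (library in /usr/local/lib,
# headers in /usr/local/include/luajit-2.0 — the paths exported later).
# Keep the version in one place: the original text downloaded 2.0.4 but
# then tried to extract and enter LuaJIT-2.0.1.
LUAJIT_VERSION=2.0.4
# Change directory first so the tarball lands where it is extracted.
cd /usr/local/src || exit 1
wget "http://luajit.org/download/LuaJIT-${LUAJIT_VERSION}.tar.gz"
# Plain-http download: compare the tarball with the checksum published on
# luajit.org before building it as root.
tar zxvf "LuaJIT-${LUAJIT_VERSION}.tar.gz"
cd "LuaJIT-${LUAJIT_VERSION}" || exit 1
make && make install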
安装tengine
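# Build Tengine with the Lua module (against the LuaJIT installed above) and
# the ngx_req_status module. --prefix=/usr/local/ means the config directory
# is /usr/local/conf, which the WAF steps below rely on.
TENGINE_VERSION=2.2.2
# Start from the source directory; after the LuaJIT build the shell is still
# inside the LuaJIT tree.
cd /usr/local/src || exit 1
wget "http://tengine.taobao.org/download/tengine-${TENGINE_VERSION}.tar.gz"
tar zxvf "tengine-${TENGINE_VERSION}.tar.gz"
wget https://github.com/zls0424/ngx_req_status/archive/master.zip -O ngx_req_status.zip
unzip ngx_req_status.zip          # creates ./ngx_req_status-master
# The original 'tar zxvf tengine' / 'cd tengine' named a file and directory
# that do not exist; the archive was already extracted to tengine-2.2.2.
cd "tengine-${TENGINE_VERSION}" || exit 1
export LUAJIT_LIB=/usr/local/lib
export LUAJIT_INC=/usr/local/include/luajit-2.0
patch -p1 < ../ngx_req_status-master/write_filter.patch
./configure --prefix=/usr/local/ \
  --with-http_gzip_static_module \
  --with-http_gunzip_module \
  --with-pcre \
  --with-http_lua_module \
  --with-luajit-inc=/usr/local/include/luajit-2.0 \
  --with-luajit-lib=/usr/local/lib \
  --add-module=../ngx_req_status-master \
  --with-http_perl_module
# '&&', not '&': the original 'make&make install' backgrounds make and starts
# the install before the build has finished (and installs even if it failed).
make && make install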
常见错误
# /usr/local/nginx-1.4.2/sbin/nginx -v
./objs/nginx: error while loading shared libraries: libluajit-5.1.so.2: cannot open shared object file: No such file or directory
解决方法:
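# libluajit-5.1.so.2 was installed to /usr/local/lib, which the dynamic loader
# on this distribution does not search by default. Register the directory with
# ldconfig instead of hand-linking the library into /lib64 (the original fix):
# it also covers future LuaJIT upgrades and keeps /lib64 managed by the package
# manager only.
echo /usr/local/lib > /etc/ld.so.conf.d/luajit.conf
ldconfig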
安装nginx_lua_waf淘宝第三方防火墙模块
下载ngx_lua_waf并解压
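# Fetch ngx_lua_waf and install it under the Tengine config directory
# (/usr/local/conf, because Tengine was configured with --prefix=/usr/local/).
cd /usr/local/src || exit 1
# The original passed --no-check-certificate, which turns off TLS verification
# for github.com and lets anyone on the network path hand us a different
# archive. If the download fails on certificate errors, fix the CA bundle
# (yum install ca-certificates) rather than disabling the check.
wget https://github.com/loveshell/ngx_lua_waf/archive/master.zip -O ngx_lua_waf.zip
unzip ngx_lua_waf.zip              # creates ./ngx_lua_waf-master
mv ngx_lua_waf-master /usr/local/conf/waf
# config.lua is edited below to use logdir = "/data/logs/hack/"; the WAF does
# not create that directory, and it must be writable by the nginx worker user
# (the 'user' directive in nginx.conf) — grant that after creating it.
mkdir -p /data/logs/hack
vi /usr/local/conf/waf/config.lua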
修改RulePath = "/usr/local/nginx/conf/waf/wafconf/"为:
RulePath = "/usr/local/conf/waf/wafconf/"
修改logdir = "/usr/local/nginx/logs/hack/"为:
logdir = "/data/logs/hack/"
其他的根据你自己的需要进行修改.
config.lua配置文件说明:
-- ngx_lua_waf config.lua, as shipped in the archive. Each setting is followed
-- by its meaning. Values are case-sensitive strings; keep the double quotes.
RulePath = "/usr/local/nginx/conf/waf/wafconf/"
-- Directory holding the rule files.
attacklog = "off"
-- Whether to log attack hits; requires logdir to be set.
logdir = "/usr/local/nginx/logs/hack/"
-- Log directory. It must be created by hand and be writable by the nginx user.
UrlDeny="on"
-- Whether to block URL-based attacks.
Redirect="on"
-- Whether to redirect the client after a request is blocked.
CookieMatch = "on"
-- Whether to block cookie-based attacks.
postMatch = "on"
-- Whether to block attacks carried in the POST body.
whiteModule = "on"
-- Whether to enable the URL whitelist.
ipWhitelist={"127.0.0.1"}
-- IP whitelist; separate several addresses with commas (a Lua table).
ipBlocklist={"1.0.0.1"}
-- IP blacklist; separate several addresses with commas (a Lua table).
CCDeny="on"
-- Whether to enable CC (request-flood) blocking. Requires
-- `lua_shared_dict limit 10m;` in the http block of nginx.conf.
CCrate = "100/60"
-- CC rate limit as "requests/seconds".
-- Default: one IP may request the same URL at most 100 times per minute.
html=[[Please go away~~]]
-- Text of the warning page; edit the content inside the double brackets.
备注:不要乱动双引号,区分大小写
vi /etc/nginx/nginx.conf
在nginx.conf里的http配置里添加:
# Add inside the http { } block. With --prefix=/usr/local/ the file installed
# by the build above is /usr/local/conf/nginx.conf (not /etc/nginx/nginx.conf)
# unless it was placed elsewhere — confirm which one nginx actually loads.
lua_need_request_body on;
# presumably needed so waf.lua can read the request body when postMatch="on" — confirm
lua_package_path "/usr/local/conf/waf/?.lua";
# search path for the WAF's own Lua files; must match where ngx_lua_waf was moved
lua_shared_dict limit 10m;
# shared counter store required when CCDeny="on" in config.lua
init_by_lua_file /usr/local/conf/waf/init.lua;
access_by_lua_file /usr/local/conf/waf/waf.lua;
重启nginx本地测试
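# Local smoke test: a request carrying a path-traversal pattern should be
# blocked by the WAF. Quote the URL — unquoted, '?' is a glob character and
# the argument is rewritten if a matching file exists in the current directory.
curl 'http://localhost/test.php?id=../etc/passwd'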
本地测试时如果请求没有被拦截(直接返回了 test),是因为 ipWhitelist={"127.0.0.1"} 把本机加入了白名单(对应上文“是否开启URL白名单”一节);取消本地白名单即可。
开启防火墙
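# Allow new inbound TCP connections to HTTP (80) and MySQL (3306).
# The original lines used typographic en-dashes ('–state', '–dport'), which
# iptables rejects as unknown options; the flags are '--state' and '--dport'.
iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
# 3306 is opened to every source here. If only known application hosts need
# the database, add '-s <db-client-cidr>' (placeholder) so the port is not
# reachable from the whole network.
iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 3306 -j ACCEPT
# -A appends, so these sit after any existing INPUT rules; they are not kept
# across reboots unless saved (e.g. with iptables-save).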
转载于:https://blog.51cto.com/wangxiaoyong/1774324