Adding the ModSecurity module to nginx for WAF functionality

Welcome to join the PHP|dba|Js technical discussion group: 14364084

ModSecurity was originally an open-source WAF for Apache that effectively strengthens web security; it now also supports nginx and IIS. Combined with the flexibility and efficiency of nginx, it can be built into a production-grade WAF and is a powerful tool for protecting and auditing web security.

1. Preparation

System: CentOS 6.5 64-bit, Tengine 2.1.0, ModSecurity 2.9.0

tengine : http://tengine.taobao.org/download/tengine-2.1.0.tar.gz
modsecurity for Nginx: https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz
OWASP rule set: https://github.com/SpiderLabs/owasp-modsecurity-crs

Dependencies:
Tengine (nginx) depends on pcre, zlib and openssl; all three packages are available in the CentOS 6.5 system repositories:

yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel

Packages ModSecurity depends on: pcre, httpd-devel, libxml2, apr

yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel

2. Install ModSecurity

[root@slave2 work]# wget 'https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz'
tar -zxvf modsecurity-2.8.0.tar.gz
cd modsecurity-2.8.0
./configure --enable-standalone-module --disable-mlogc
make

If it complains that apxs is missing, run:

[root@slave2 conf]# yum install httpd-devel

3. Install nginx

wget 'http://nginx.org/download/nginx-1.6.1.tar.gz'
tar -zxf nginx-1.6.1.tar.gz
cd nginx-1.6.1
./configure --with-debug --prefix=/opt/nginx --add-module=../modsecurity-2.8.0/nginx/modsecurity/
make -j2 && make install

If it complains that libxml2 (or something similar) is missing, run:

[root@slave2 work]# yum install libxml2-devel

and then run configure again.

4. Configure nginx

The following is the original (English) text:

The ModSecurity configuration file must be linked in nginx.conf file using the following directives defined by nginx’s ModSecurity extension module:

location / {
ModSecurityEnabled on;
ModSecurityConfig modsecurity.conf;
ModSecurityPass @backend;
}

location @backend {
proxy_pass http://localhost:8011;
proxy_read_timeout 180s;
}

This configures ModSecurity as an Nginx request handler. The updated request flow is now: request -> modsecurity handler -> backend. You will need to modify the @backend definition to point to your correct back-end web application that Nginx is proxying to. Starting with ModSecurity 2.7.2 the ModSecurityPass option was removed. So the config file looks like:

location / {
ModSecurityEnabled on;
ModSecurityConfig modsecurity.conf;
proxy_pass http://localhost:8011;
proxy_read_timeout 180s;
}

Note that the configuration differs slightly depending on which version of ModSecurity you downloaded.

Here I use the current latest version, 2.8, so the following should be used:

location / {
ModSecurityEnabled on;
ModSecurityConfig modsecurity.conf;
proxy_pass http://localhost:8011;
proxy_read_timeout 180s;
}

If nginx complains that there is no such directive as ModSecurityPass, you are most likely running a newer version.

5. Add the OWASP ModSecurity CRS

Reference: http://blog.csdn.net/kaelrock/article/details/29840443

In your ModSecurity build directory the file listing looks roughly like this:

[root@slave2 modsecurity-2.8.0]# ll
total 1268
-rw------- 1 119 128 45789 Apr 15 12:44 aclocal.m4
drwx------ 2 119 128 4096 Apr 15 12:44 alp2
drwx------ 5 119 128 4096 Aug 27 02:49 apache2
-rw------- 1 119 128 381 Apr 15 12:44 authors.txt
-rwx------ 1 119 128 371 Apr 15 12:44 autogen.sh
drwx------ 2 119 128 4096 Aug 27 02:49 build
-rw------- 1 119 128 65609 Apr 15 12:44 CHANGES
-rw-r--r-- 1 root root 46341 Aug 27 02:49 config.log
-rwxr-xr-x 1 root root 67812 Aug 27 02:49 config.status
-rwx------ 1 119 128 518496 Apr 15 12:44 configure
-rw------- 1 119 128 20018 Apr 15 12:44 configure.ac
drwx------ 2 119 128 4096 Apr 15 12:44 doc
drwx------ 2 119 128 4096 Apr 15 12:44 ext
drwx------ 4 119 128 4096 Apr 15 12:44 iis
-rwxr-xr-x 1 root root 293135 Aug 27 02:49 libtool
-rw------- 1 119 128 11357 Apr 15 12:44 LICENSE
-rw-r--r-- 1 root root 29445 Aug 27 02:49 Makefile
-rw------- 1 119 128 1209 Apr 15 12:44 Makefile.am
-rw------- 1 119 128 28889 Apr 15 12:44 Makefile.in
drwx------ 2 119 128 4096 Apr 15 12:44 mlogc
-rw------- 1 119 128 8412 Apr 15 12:44 modsecurity.conf-recommended
drwx------ 3 119 128 4096 Apr 15 12:44 nginx
-rw------- 1 119 128 200 Apr 15 12:44 NOTICE
-rw------- 1 119 128 4089 Apr 15 12:44 README.TXT
-rw------- 1 119 128 7741 Apr 15 12:44 README_WINDOWS.TXT
-rw------- 1 119 128 40 Apr 15 12:44 stamp-h1
drwx------ 4 119 128 4096 Aug 27 02:50 standalone
drwx------ 7 119 128 4096 Aug 27 02:49 tests
drwx------ 2 119 128 4096 Aug 27 02:49 tools
-rw------- 1 119 128 53642 Apr 15 12:44 unicode.mapping
[root@slave2 modsecurity-2.8.0]# pwd
/root/work/modsecurity-2.8.0

Copy modsecurity.conf-recommended into the directory containing nginx.conf and rename it to the filename referenced in nginx.conf.

[root@slave2 conf]# cp modsecurity.conf-recommended /opt/nginx/conf/modsecurity.conf
[root@slave2 conf]# cp unicode.mapping /opt/nginx/conf/unicode.mapping

Download the OWASP ModSecurity CRS:

[root@slave2 conf]# wget 'https://github.com/SpiderLabs/owasp-modsecurity-crs/archive/master.zip'
[root@slave2 conf]# cp master.zip /opt/nginx/conf/

[root@slave2 conf]# unzip master.zip

[root@slave2 conf]# ll owasp-modsecurity-crs-master/
total 108
drwxr-xr-x 2 root root 4096 Apr 16 22:24 activated_rules
drwxr-xr-x 2 root root 4096 Aug 27 05:50 base_rules
-rw-r--r-- 1 root root 39431 Apr 16 22:24 CHANGES
drwxr-xr-x 2 root root 4096 Apr 16 22:24 experimental_rules
-rw-r--r-- 1 root root 7485 Apr 16 22:24 INSTALL
-rw-r--r-- 1 root root 11357 Apr 16 22:24 LICENSE
drwxr-xr-x 2 root root 4096 Apr 16 22:24 lua
-rw-r--r-- 1 root root 13813 Apr 16 22:24 modsecurity_crs_10_setup.conf.example
drwxr-xr-x 2 root root 4096 Apr 16 22:24 optional_rules
-rw-r--r-- 1 root root 1485 Apr 16 22:24 README.md
drwxr-xr-x 2 root root 4096 Apr 16 22:24 slr_rules
drwxr-xr-x 8 root root 4096 Apr 16 22:24 util

[root@slave2 conf]# cp owasp-modsecurity-crs-master/modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf

Load the OWASP ModSecurity CRS at the top of modsecurity.conf (include only the specific conf files you need).

Like this:

[root@slave2 conf]# more modsecurity.conf
Include /opt/nginx/conf/modsecurity_crs_10_setup.conf
Include /opt/nginx/conf/owasp-modsecurity-crs-master/base_rules/modsecurity_crs_41_sql_injection_attacks.conf

# -- Rule engine initialization ----------------------------------------------

# Enable ModSecurity, attaching it to every transaction. Use detection
# only to start with, because that minimises the chances of post-installation
# disruption.
#
#SecRuleEngine DetectionOnly
SecRuleEngine On

# -- Request body handling ---------------------------------------------------

# Allo
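The excerpt above switches SecRuleEngine straight to On. Whether you start in DetectionOnly (as the file's own comment recommends) or go directly to On, the next thing you need is a way to see what the CRS rules are actually matching, since every hit is written to the nginx error_log. The script below is an added example, not part of the original post or of the ModSecurity project: it tallies ModSecurity events in error_log text by rule id and by client, and separates blocked requests from logged-only ones. It assumes the nginx module's log line format (a "ModSecurity:" marker followed by Apache-style bracketed fields such as [id "..."] and [msg "..."]); the four sample log lines, the rule ids 999001/999002 and the client addresses are constructed for the example, while the rule file paths are the ones used on this page.

```shell
#!/bin/sh
# Triage helpers for ModSecurity events in the nginx error_log.
# Assumption: the nginx ModSecurity module logs each event on one line with a
# "ModSecurity:" marker followed by bracketed fields like [id "..."] [msg "..."].

# Constructed sample log text (four error_log lines, three of them ModSecurity
# events; rule ids, client addresses and unique_ids are made up for this example).
SAMPLE_LOG='2015/08/27 05:55:12 [error] 1234#0: *1 [client 127.0.0.1] ModSecurity: Warning. Pattern match "..." at ARGS:id. [file "/opt/nginx/conf/owasp-modsecurity-crs-master/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "77"] [id "999001"] [msg "SQL Comment Sequence Detected."] [severity "CRITICAL"] [hostname "localhost"] [uri "/"] [unique_id "EXAMPLE1"], client: 127.0.0.1, server: localhost, request: "GET /?id=1 HTTP/1.1", host: "localhost"
2015/08/27 05:55:13 [error] 1234#0: *2 open() "/opt/nginx/html/favicon.ico" failed (2: No such file or directory), client: 127.0.0.1, server: localhost, request: "GET /favicon.ico HTTP/1.1", host: "localhost"
2015/08/27 05:55:14 [error] 1234#0: *3 [client 127.0.0.1] ModSecurity: Warning. Pattern match "..." at ARGS:q. [file "/opt/nginx/conf/owasp-modsecurity-crs-master/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "77"] [id "999001"] [msg "SQL Comment Sequence Detected."] [severity "CRITICAL"] [hostname "localhost"] [uri "/search"] [unique_id "EXAMPLE2"], client: 127.0.0.1, server: localhost, request: "GET /search?q=abc HTTP/1.1", host: "localhost"
2015/08/27 05:55:15 [error] 1234#0: *4 [client 10.0.0.5] ModSecurity: Access denied with code 403 (phase 2). Pattern match "..." at ARGS:id. [file "/opt/nginx/conf/owasp-modsecurity-crs-master/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "140"] [id "999002"] [msg "Example SQL Injection Attack"] [severity "CRITICAL"] [hostname "localhost"] [uri "/"] [unique_id "EXAMPLE3"], client: 10.0.0.5, server: localhost, request: "GET /?id=2 HTTP/1.1", host: "localhost"'

# Keep only the lines that are ModSecurity events; other nginx errors are dropped.
modsec_events() {
    printf '%s\n' "$1" | grep 'ModSecurity:'
}

# Total number of ModSecurity events in the given log text.
count_modsec_events() {
    modsec_events "$1" | wc -l | tr -d ' '
}

# Number of events that were actually blocked. With SecRuleEngine On a blocked
# request logs "Access denied"; in DetectionOnly mode the same match logs
# "Warning." and the request is passed through to the backend.
count_blocked() {
    modsec_events "$1" | grep -c 'Access denied' || true
}

# Hits per rule, most frequent first, as "<count> <id> <msg>" lines. This is the
# list to review before moving from DetectionOnly to On: rules that fire on
# legitimate traffic are candidates for tuning or exclusion.
hits_by_rule() {
    modsec_events "$1" \
      | sed -n 's/.*\[id "\([0-9]*\)"\].*\[msg "\([^"]*\)"\].*/\1 \2/p' \
      | sort | uniq -c | sort -rn | sed 's/^ *//'
}

# Rule id of the most frequently matched rule.
top_rule_id() {
    hits_by_rule "$1" | head -n 1 | cut -d' ' -f2
}

# Hits per client address, most frequent first, as "<count> <ip>" lines.
hits_by_client() {
    modsec_events "$1" \
      | sed -n 's/.*\[client \([^]]*\)\].*/\1/p' \
      | sort | uniq -c | sort -rn | sed 's/^ *//'
}

# Stand-alone run: summarise a real error_log given as $1, else the sample above.
if [ -n "${1:-}" ]; then LOG_TEXT=$(cat "$1"); else LOG_TEXT=$SAMPLE_LOG; fi
echo "ModSecurity events: $(count_modsec_events "$LOG_TEXT") (blocked: $(count_blocked "$LOG_TEXT"))"
echo "Hits per rule:"
hits_by_rule "$LOG_TEXT"
echo "Hits per client:"
hits_by_client "$LOG_TEXT"
```

Run it as `sh modsec_triage.sh /opt/nginx/logs/error.log` against the error_log of the nginx built above. Because the script only reads the log, it is safe to run repeatedly while the engine is in DetectionOnly mode; once the per-rule list contains only hits you are happy to block, switch SecRuleEngine to On and confirm with count_blocked that denials now appear.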
