本文适用范围

环境:CentOS7,当前yum源中Nginx最新版本1.12.2。ModSecurity为3.x.本文适用于nginx反代Tomcat,或者nginx和php的环境,一切nginx可以反向代理的环境理论上都适合。

适用范围:与我一样产品被安全问题所困惑,希望加一道WAF来进行WEB应用防御。ModSecurity为动态链接库加载,nginx 1.10.2开始支持的,低于这个版本可以不用看了。之所以是动态链接库模式,是因为博主喜欢yum update,通过源来定时更新,方便,如果是编译到nginx里面,会造成更新后又得编译。当然,自编译的nginx和各种一键包理论上也支持,请自行研究。本文仅供参考。

1. 简单介绍

ModSecurity是开源界最有名的WAF防御软件,本来是Apache使用的,后来被修改也可以用于nginx,IIS等。现在有2.x和3.x,2.x代码对apache有依赖,3.x重构了,去掉了依赖,效率更高,bug也更少。

2. 准备编译环境

更新nginx到最新版本

yum update nginx

yum info nginx

安装编译环境

yum groupinstall ‘Development tools’

安装依赖库

yum install autoconf automake bzip2 flex gcc git httpd-devel libaio-devel libass-devel libjpeg-turbo-devel libpng12-devel libtheora-devel libtool libva-devel libvdpau-devel libvorbis-devel libxml2-devel libxslt-devel perl texi2html unzip zip openssl openssl-devel geoip geoip-devel

3. 编译libModSecurity

下载并且编译出来so动态库文件,备用

mkdir nginx_waf

cd nginx_waf

git clone https://github.com/SpiderLabs/ModSecurity

cd ModSecurity

git checkout -b v3/master origin/v3/master

sh build.sh

git submodule init

git submodule update

./configure

make && make install

安装完成后路径在

/usr/local/modsecurity/lib

4. 下载并编译ModSecurity-Nginx

cd nginx_waf

git clone https://github.com/SpiderLabs/ModSecurity-nginx.git

这个模块的编译还需要nginx的源码,继续下载nginx的源码

wget http://nginx.org/download/nginx-1.12.2.tar.gz

解压缩源码

tar zxvf nginx-1.12.2.tar.gz

查看当前nginx的编译参数

nginx -V

CentOS7源中nginx的输出为,复制configure arguments后面的参数备用,下一步要用到

nginx version: nginx/1.12.2
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-16) (GCC)
built with OpenSSL 1.0.2k-fips 26 Jan 2017
TLS SNI support enabled
configure arguments: –prefix=/usr/share/nginx –sbin-path=/usr/sbin/nginx –modules-path=/usr/lib64/nginx/modules –conf-path=/etc/nginx/nginx.conf –error-log-path=/var/log/nginx/error.log –http-log-path=/var/log/nginx/access.log –http-client-body-temp-path=/var/lib/nginx/tmp/client_body –http-proxy-temp-path=/var/lib/nginx/tmp/proxy –http-fastcgi-temp-path=/var/lib/nginx/tmp/fastcgi –http-uwsgi-temp-path=/var/lib/nginx/tmp/uwsgi –http-scgi-temp-path=/var/lib/nginx/tmp/scgi –pid-path=/run/nginx.pid –lock-path=/run/lock/subsys/nginx –user=nginx –group=nginx –with-file-aio –with-ipv6 –with-http_auth_request_module –with-http_ssl_module –with-http_v2_module –with-http_realip_module –with-http_addition_module –with-http_xslt_module=dynamic –with-http_image_filter_module=dynamic –with-http_geoip_module=dynamic –with-http_sub_module –with-http_dav_module –with-http_flv_module –with-http_mp4_module –with-http_gunzip_module –with-http_gzip_static_module –with-http_random_index_module –with-http_secure_link_module –with-http_degradation_module –with-http_slice_module –with-http_stub_status_module –with-http_perl_module=dynamic –with-mail=dynamic –with-mail_ssl_module –with-pcre –with-pcre-jit –with-stream=dynamic –with-stream_ssl_module –with-google_perftools_module –with-debug –with-cc-opt=’-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong –param=ssp-buffer-size=4 -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -m64 -mtune=generic’ –with-ld-opt=’-Wl,-z,relro -specs=/usr/lib/rpm/redhat/redhat-hardened-ld -Wl,-E’

开始编译,注意add-dynamic-module前面是两个横线,不知道博客为什么复制出来只有一个

cd nginx-1.12.2

./configure –prefix=/usr/share/nginx –sbin-path=/usr/sbin/nginx –modules-path=/usr/lib64/nginx/modules –conf-path=/etc/nginx/nginx.conf –error-log-path=/var/log/nginx/error.log –http-log-path=/var/log/nginx/access.log –http-client-body-temp-path=/var/lib/nginx/tmp/client_body –http-proxy-temp-path=/var/lib/nginx/tmp/proxy –http-fastcgi-temp-path=/var/lib/nginx/tmp/fastcgi –http-uwsgi-temp-path=/var/lib/nginx/tmp/uwsgi –http-scgi-temp-path=/var/lib/nginx/tmp/scgi –pid-path=/run/nginx.pid –lock-path=/run/lock/subsys/nginx –user=nginx –group=nginx –with-file-aio –with-ipv6 –with-http_auth_request_module –with-http_ssl_module –with-http_v2_module –with-http_realip_module –with-http_addition_module –with-http_xslt_module=dynamic –with-http_image_filter_module=dynamic –with-http_geoip_module=dynamic –with-http_sub_module –with-http_dav_module –with-http_flv_module –with-http_mp4_module –with-http_gunzip_module –with-http_gzip_static_module –with-http_random_index_module –with-http_secure_link_module –with-http_degradation_module –with-http_slice_module –with-http_stub_status_module –with-http_perl_module=dynamic –with-mail=dynamic –with-mail_ssl_module –with-pcre –with-pcre-jit –with-stream=dynamic –with-stream_ssl_module –with-google_perftools_module –with-debug –with-cc-opt=’-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong –param=ssp-buffer-size=4 -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -m64 -mtune=generic’ –with-ld-opt=’-Wl,-z,relro -specs=/usr/lib/rpm/redhat/redhat-hardened-ld -Wl,-E’ –add-dynamic-module=../ModSecurity-nginx

make modules

编译完成的so文件在

./objs/ngx_http_modsecurity_module.so

5. 下载默认的配置文件

下载ModSecurity配置文件

mkdir modsec

cd modsec

wget https://raw.githubusercontent.com/SpiderLabs/ModSecurity/v3/master/modsecurity.conf-recommended

mv modsecurity.conf-recommended /etc/nginx/modsecurity.conf

打开此文件,设置启用waf设置,修改

SecRuleEngine DetectionOnly

SecRuleEngine On

6. 配置WAF核心规则

WAF进行web应用防护全靠规则的配置,我们下载热心网友维护的核心规则库

cd nginx_waf

git clone https://github.com/SpiderLabs/owasp-modsecurity-crs.git

cd owasp-modsecurity-crs/

cp -R rules/ /etc/nginx/conf/

cp crs-setup.conf.example /etc/nginx/crs-setup.conf

设置启用这些规则

vim /etc/nginx/modsecurity.conf

增加以下几行

#加载规则配置文件
Include crs-setup.conf
#加载所有规则
Include rules/*.conf
#禁用某个规则方法
#SecRuleRemoveById 911250

7. 配置nginx启用so链接库

复制链接库

cp ./nginx-1.12.2/objs/ngx_http_modsecurity_module.so /usr/share/nginx/modules/

修改配置文件

vim /etc/nginx/nginx.conf

增加下面一行

load_module /usr/share/nginx/modules/ngx_http_modsecurity_module.so

修改主机定义,或者虚拟主机定义文件

load_module /usr/share/nginx/modules/ngx_http_modsecurity_module.so;
http {
server {
#针对全局启用
         modsecurity on;
modsecurity_rules_file /etc/nginx/modsecurity.conf;

location / {
#如果需要针对单个应用启用,编辑这里
}
}
}

8. 重启nginx

service nginx restart

9. 日志位置

tailf /var/log/modsec_audit.log

然后可以进行注入等等的操作,来检测一下。有日志输出即代表正常。或者通过专业工具来检测。

4 对 “CentOS7下Nginx使用ModSecurity进行WAF防护”的想法;

  1. 修改你的一个错误;
    “`
    #加载规则配置文件
    Include crs-setup.conf
    #加载所有规则
    Include rules/*.conf
    #禁用某个规则方法
    #SecRuleRemoveById 911250
    “`

    其中的这个行 `Include rules/*.conf` 更改为 `Include rules/*.conf`

    或者修改
    第6步骤中
    `cp -R rules/ /etc/nginx/conf/`
    更改为 `cp -R rules/ /etc/nginx/`

发表评论

电子邮件地址不会被公开。 必填项已用*标注