

Protection function of WAF website realized by using Nginx+Lua

2025-01-19 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/02 Report--

I. OpenResty installation and testing

Official website: https://openresty.org/cn/

OpenResty ®

OpenResty® is a high-performance web platform based on Nginx and Lua. It bundles a large number of well-written Lua libraries, third-party Nginx modules and most of their dependencies, so that dynamic web applications, web services and dynamic gateways that must handle very high concurrency and scale well can be built conveniently.

OpenResty® effectively turns Nginx into a powerful general-purpose web application platform by bringing together a variety of well-designed Nginx modules (mainly developed by the OpenResty team). Web developers and system engineers can use the Lua scripting language to drive the C and Lua modules Nginx supports and quickly build a high-performance web application that handles 10K, or even more than 1000K, concurrent connections on a single machine.

The goal of OpenResty® is to have your web service run directly inside the Nginx server, taking full advantage of Nginx's non-blocking I/O model to provide consistent, high-performance responses not only to HTTP clients but also when talking to remote backends such as MySQL, PostgreSQL, Memcached and Redis.

Lua learning resource: http://blog.jobbole.com/70480/

1. Install OpenResty:

# yum install -y readline-devel pcre-devel openssl-devel

# cd /usr/local/src

Download, compile and install OpenResty (the --prefix below matches the symlink target and the configure output in the error example that follows):

# wget https://openresty.org/download/ngx_openresty-1.9.3.2.tar.gz

# tar zxf ngx_openresty-1.9.3.2.tar.gz

# cd ngx_openresty-1.9.3.2

# ./configure --prefix=/usr/local/openresty-1.9.3.2 \
--with-luajit --with-http_stub_status_module \
--with-pcre --with-pcre-jit

# gmake && gmake install

# ln -s /usr/local/openresty-1.9.3.2/ /usr/local/openresty

# Error reminders:

Error in ./configure:

/usr/bin/env: perl: No such file or directory

This error is caused by perl not being installed; resolve it with yum install -y perl.

A second error, when no C compiler is present:

[root@localhost ngx_openresty-1.9.3.2]# ./configure --prefix=/usr/local/openresty-1.9.3.2 \--with-luajit --with-http_stub_status_module \--with-pcre --with-pcre-jit
platform: linux (linux)
cp -rp bundle/ build
cd build
cd LuaJIT-2.1-20151028
Can't exec "cc": No such file or directory at ./configure line 588.
gmake TARGET_STRIP=@: CCDEBUG=-g CC=cc PREFIX=/usr/local/openresty-1.9.3.2/luajit
==== Building LuaJIT 2.1.0-beta1 ====
gmake -C src
gmake[1]: cc: Command not found
gmake[1]: Entering directory `/usr/local/ngx_openresty-1.9.3.2/build/LuaJIT-2.1-20151028/src'
gmake[1]: cc: Command not found
gmake[1]: cc: Command not found
Makefile:237: *** Unsupported target architecture. Stop.
gmake[1]: Leaving directory `/usr/local/ngx_openresty-1.9.3.2/build/LuaJIT-2.1-20151028/src'
gmake: *** [default] Error 2
ERROR: failed to run command: gmake TARGET_STRIP=@: CCDEBUG=-g CC=cc PREFIX=/usr/local/openresty-1.9.3.2/luajit

Resolve:

# yum install -y gcc*

2. Test the OpenResty installation:

# vim /usr/local/openresty/nginx/conf/nginx.conf

server {
    listen 80;
    server_name localhost;
    location / {
        root html;
        index index.html index.htm;
    }
    ... omitted here
}

Add the following location where the config is omitted above (note the closing brace for the location block, which must balance the one opening content_by_lua_block):

location /hello {
    default_type text/html;
    content_by_lua_block {
        ngx.say("HelloWorld")
    }
}

3. Start OpenResty and test:

# /usr/local/openresty/nginx/sbin/nginx -t

# /usr/local/openresty/nginx/sbin/nginx

[root@localhost ~]# curl http://10.0.0.50/hello
HelloWorld

4. Performance testing

-- 1. Install the stress-testing tool

[root@localhost ~]# yum install -y httpd-tools

-- 2. Test

[root@localhost ~]# ab -c 10 -n 5000 http://10.0.0.50/hello
This is ApacheBench, Version 2.3
Copyright 1996 Adam Twiss, Zeus Technology Ltd, http://www.zeustech.net/
Licensed to The Apache Software Foundation, http://www.apache.org/

Benchmarking 10.0.0.50 (be patient)
Completed 500 requests
Completed 1000 requests
Completed 1500 requests
Completed 2000 requests
Completed 2500 requests
Completed 3000 requests
Completed 3500 requests
Completed 4000 requests
Completed 4500 requests
Completed 5000 requests
Finished 5000 requests

Server Software:        openresty/1.9.3.2
Server Hostname:        10.0.0.50
Server Port:            80

Document Path:          /hello
Document Length:        11 bytes

Concurrency Level:      10
Time taken for tests:   0.505 seconds
Complete requests:      5000
Failed requests:        0
Write errors:           0
Total transferred:      790000 bytes
HTML transferred:       55000 bytes
Requests per second:    9901.83 [#/sec] (mean)
Time per request:       1.010 [ms] (mean)
Time per request:       0.101 [ms] (mean, across all concurrent requests)
Transfer rate:          1527.82 [Kbytes/sec] received

Connection Times (ms)
              min  mean[+/-sd] median   max
Connect:        0    0   0.2      0       1
Processing:     0    1   0.3      1       2
Waiting:        0    0   0.2      0       2
Total:          1    1   0.3      1       3

Percentage of the requests served within a certain time (ms)
  50%      1
  66%      1
  75%      1
  80%      1
  90%      1
  95%      2
  98%      2
  99%      2
 100%      3 (longest request)

...

Because the security protection built into stock Nginx is limited, I looked into whether I could write a WAF myself. Referring to (copying) the ngx_lua_waf of the guru Kindle, I tried to write one of my own, spending two days learning Lua while writing it. But I am not a security professional, so it only implements some relatively simple functions:

# Feature list:

Supports IP whitelists and blacklists; requests from blacklisted IPs are denied outright.

Supports a URL whitelist, defining URLs that do not need to be filtered.

Supports User-Agent filtering: a User-Agent that matches an entry in the custom rules is handled (403 returned).

Supports CC attack (HTTP flood) protection: if the number of requests to a single URL within the configured time window exceeds the set value, 403 is returned directly.

Supports Cookie filtering: a Cookie that matches an entry in the custom rules is handled (403 returned).

Supports URL filtering: if the URL requested by the user contains a pattern from the custom rules, 403 is returned.

Supports URL parameter filtering on the same principle.

Supports logging: every rejected request is recorded in the log.

Log records are in JSON format to make log analysis easy, for example collection, storage, search and display with the ELK stack.

# A WAF in one sentence: parse the HTTP request (protocol parsing module), check it against rules (rule module), take the corresponding defensive action (action module), and record the defence (log module). Accordingly, the WAF implemented in this article consists of five modules: a configuration module, a protocol parsing module, a rule module, an action module and an error handling module.
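To make the feature list and the module layout above concrete, here is an access-phase WAF skeleton written for this article. It is an added example, not the author's code and not the ngx_lua_waf it is modelled on. It assumes a `lua_shared_dict waf_limit` in the http block and is loaded with `access_by_lua_file`; the IPs, rule patterns, CC thresholds and log path are constructed sample values, and the whole thing uses only the standard ngx_lua API (ngx.var, ngx.req.*, ngx.re.find, ngx.shared.DICT, ngx.exit) plus the bundled cjson library.

```lua
-- waf.lua: access-phase WAF for OpenResty (added example; not the article's or ngx_lua_waf's code).
-- Assumed wiring in nginx.conf (hypothetical):
--   http { lua_shared_dict waf_limit 10m;                      # CC counters shared by all workers
--          server { access_by_lua_file conf/waf/waf.lua; ... } }
local cjson = require "cjson.safe"

-- 1. Configuration module. Constructed sample rules; a deployment loads these from files.
local config = {
    ip_whitelist  = { ["10.0.0.1"] = true },
    ip_blacklist  = { ["10.0.0.99"] = true },
    url_whitelist = { [[^/hello$]], [[^/static/]] },               -- never filtered
    ua_rules      = { [[sqlmap]], [[nikto]], [[\bnmap\b]] },
    cookie_rules  = { [[\.\./]], [[\bunion\b.+\bselect\b]] },
    url_rules     = { [[\.\./]], [[/etc/passwd]], [[\.(bak|git|svn)\b]] },
    args_rules    = { [[\bunion\b.+\bselect\b]], [[<script\b]], [[\bsleep\s*\(]] },
    cc            = { count = 100, seconds = 60 },                 -- per client IP + URI
    log_file      = "/usr/local/openresty/nginx/logs/waf.log",     -- hypothetical path
}

-- A repeated header arrives as a table; flatten it so the regexes see one string.
local function flat(v)
    if type(v) == "table" then return table.concat(v, "; ") end
    return v or ""
end

-- 2. Protocol parsing module: everything the rules look at, pulled out once.
local function parse_request()
    local h = ngx.req.get_headers()
    return {
        ip = ngx.var.remote_addr, host = ngx.var.host, method = ngx.req.get_method(),
        uri = ngx.var.uri,                                   -- normalised, percent-decoded path
        request_uri = ngx.var.request_uri,                   -- raw path + query as sent
        decoded_uri = ngx.unescape_uri(ngx.var.request_uri), -- so %2e%2e/ still hits "\.\./"
        args = ngx.req.get_uri_args(),                       -- decoded query parameters
        ua = flat(h["user-agent"]), cookie = flat(h["cookie"]),
    }
end

-- 3. Rule module: returns the first pattern in `rules` that matches `subject`, else nil.
-- "ijo": case-insensitive, PCRE JIT, compile-once regex cache.
local function match_any(subject, rules)
    for _, re in ipairs(rules) do
        local from, _, err = ngx.re.find(subject, re, "ijo")
        if from then return re end
        if err then ngx.log(ngx.ERR, "waf: bad rule ", re, ": ", err) end
    end
end

-- CC protection: a per-IP+URI counter in the shared dict that expires with the window.
local function cc_exceeded(req)
    local dict = ngx.shared.waf_limit
    local key = req.ip .. "|" .. req.uri
    local n = dict:incr(key, 1)
    if not n then                                   -- first hit in this window
        if dict:add(key, 1, config.cc.seconds) then return false end
        n = dict:incr(key, 1) or 1                  -- another worker added it first
    end
    return n > config.cc.count
end

-- Returns nil to allow, or a verdict table to deny. Whitelists first, then cheap checks.
local function check(req)
    if config.ip_whitelist[req.ip] then return nil end
    if config.ip_blacklist[req.ip] then return { type = "ip_blacklist", rule = req.ip, detail = req.ip } end
    if match_any(req.uri, config.url_whitelist) then return nil end
    local hit = match_any(req.ua, config.ua_rules)
    if hit then return { type = "user_agent", rule = hit, detail = req.ua } end
    if cc_exceeded(req) then
        return { type = "cc", rule = config.cc.count .. "/" .. config.cc.seconds .. "s", detail = req.uri }
    end
    hit = match_any(req.cookie, config.cookie_rules)
    if hit then return { type = "cookie", rule = hit, detail = req.cookie } end
    hit = match_any(req.decoded_uri, config.url_rules)
    if hit then return { type = "url", rule = hit, detail = req.request_uri } end
    for name, v in pairs(req.args) do
        for _, val in ipairs(type(v) == "table" and v or { v }) do   -- ?a=1&a=2 gives a table
            if type(val) == "string" then                           -- bare "?flag" is boolean
                hit = match_any(val, config.args_rules)
                if hit then return { type = "args", rule = hit, detail = name .. "=" .. val } end
            end
        end
    end
end

-- 4. Log module: one JSON object per line, ready for Filebeat/Logstash ingestion.
local function log_event(req, verdict)
    local line = cjson.encode({
        time = ngx.localtime(), client_ip = req.ip, host = req.host, method = req.method,
        request_uri = req.request_uri, user_agent = req.ua, action = "deny",
        rule_type = verdict.type, rule = verdict.rule, matched = verdict.detail,
    })
    local f = io.open(config.log_file, "a")   -- blocking write; acceptable at deny-only volume
    if f then f:write(line, "\n"); f:close() else ngx.log(ngx.WARN, "waf: ", line) end
end

-- 5. Error handling + action module. A bug in the WAF must not take the site down, so
-- parsing and matching run under pcall; on an internal error the request is logged and
-- allowed through (fail open). Replace that `return` with ngx.exit(500) to fail closed.
local ok, req, verdict = pcall(function()
    local r = parse_request()
    return r, check(r)
end)
if not ok then
    ngx.log(ngx.ERR, "waf: internal error, request allowed: ", req)
    return
end
if verdict then
    log_event(req, verdict)
    return ngx.exit(ngx.HTTP_FORBIDDEN)   -- action: plain 403, request never reaches the content phase
end
```

Two caveats worth knowing before copying this into production. The CC counter is a fixed window keyed on client IP and URI, so a client can squeeze nearly twice `count` requests across a window boundary, and any client behind a shared NAT is counted together; note that the ab run above (5000 requests to /hello in half a second) would be blocked by it unless /hello stays on the URL whitelist, as it does here. Second, `ngx.unescape_uri` decodes once, so a double-encoded payload (`%252e%252e/`) still needs a second decoding pass or a rule that matches the encoded form; the argument values from `ngx.req.get_uri_args` are already decoded, which is why the args rules look at them rather than at the raw query string.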
