Shulou (Shulou.com), SLTechnology News & Howtos, Development. Reported 06/03; updated 2025-02-25.
This article explains how Nginx can use the Lua module to implement a WAF. The method is simple, fast and practical, and the steps below walk through it from background to a working installation.
Contents
1. Background of WAF
2. What is a WAF
3. Working principle
4. WAF function
5. Differences between a WAF and a traditional firewall
6. WAF and DDoS
7. Nginx WAF features
8. Nginx WAF protection process
9. WAF based on Nginx
9.1 Install dependency packages
9.2 Install LuaJIT 2.0
9.3 Install ngx_devel_kit
9.4 Install lua-nginx-module
9.5 Install Nginx
9.6 Install ngx_lua_waf
9.7 Test the effect
1. Background of WAF
Enterprises traditionally relied on a firewall as the first line of defence, and a firewall of that generation could only block packets at layer 3 (the network layer). As web applications multiplied, web servers, with their computing power and the value of the data behind them, became the main target, and attacks moved to layer 7 (the application layer). A traditional firewall cannot stop an attack that exploits a vulnerability in the application itself, and the Web Application Firewall (WAF) emerged to fill that gap.
2. What is a WAF
A Web Application Firewall (WAF) protects web applications against application-layer attacks such as cross-site scripting (XSS), SQL injection and cookie poisoning. Applications are the gateway to valuable data, so attacks against them are a primary route to a breach. A WAF intercepts requests that try to exploit the application in order to leak that data.
3. Working principle
1. The user's browser sends an HTTP request to the web server.
2. The WAF filters the request before it reaches the web server.
3. The WAF compares the parameters of the HTTP request with the rules defined in its configuration files (for example an IP blacklist). If a rule matches, it returns 403 Forbidden; otherwise the request is passed on.
4. The web server handles the request and returns the page to the user.
4. WAF function
A WAF is a product dedicated to protecting web applications by enforcing a set of security policies on HTTP/HTTPS traffic.
5. Differences between a WAF and a traditional firewall
1. A traditional firewall works at the network layer (layer 3) and the transport layer (layer 4).
2. A WAF works at the application layer (layer 7).
3. A traditional firewall mostly filters on IP addresses and ports.
4. A WAF filters HTTP requests on fields such as the URL, the client IP, the User-Agent, cookies and request arguments.
6. WAF and DDoS
DDoS stands for Distributed Denial of Service: a group of machines sends requests to a single target until its resources are exhausted and legitimate requests are refused.
In terms of the OSI model, the three common kinds are layer 3 (network layer), layer 4 (transport layer) and layer 7 (application layer) DDoS.
A WAF mainly addresses layer 7 DDoS, where it is more effective than other defences: because it parses HTTP traffic in detail, it can model normal access patterns and use those models to tell legitimate requests from requests generated by bots or scripts.
7. Nginx WAF features
The ngx_lua_waf module installed below provides the following:
IP whitelist and blacklist; requests from blacklisted IPs are denied outright (the newer cdip feature adds support for IP ranges)
URL whitelist, to define URLs that are not filtered at all
User-Agent filtering against entries in the custom rule file
CC (HTTP flood) protection: a client is blocked when its requests to a single URL within the configured period exceed the configured count (counted per domain name, a later addition)
Cookie filtering against entries in the custom rule file
URL filtering: the request is blocked when the requested URL matches an entry in the custom rule file
URL argument filtering, on the same principle
Logging: every rejected request is written to the log
Caching of blocks (default 600 seconds)
8. Nginx WAF protection process
The decision chain in waf.lua, the access-phase entry point of ngx_lua_waf, is the following if/elseif ladder (the helper functions are defined in init.lua; the first branch that matches decides the request):

    if whiteip() then                           -- client IP on the whitelist: skip every other check
    elseif blockip() then                       -- client IP on the blacklist: reject
    elseif denycc() then                        -- CC (request-rate) limit exceeded: reject
    elseif ngx.var.http_Acunetix_Aspect then    -- Acunetix scanner header present
        ngx.exit(444)                           -- close the connection without a response
    elseif ngx.var.http_X_Scan_Memo then        -- another scanner-identifying header
        ngx.exit(444)
    elseif whiteurl() then                      -- URL on the whitelist: skip the remaining checks
    elseif ua() then                            -- User-Agent matches a rule: reject
    elseif url() then                           -- URL matches a rule: reject
    elseif args() then                          -- a query argument matches a rule: reject
    elseif cookie() then                        -- the Cookie header matches a rule: reject
    elseif PostCheck then                       -- post checks enabled in config.lua: inspect the body
        -- POST body and multipart upload checks (rest of the branch omitted here)
    end

Step by step:
1. Check the IP whitelist; a whitelisted client is not inspected any further.
2. Check the IP blacklist; a blacklisted client is rejected.
3. Check for a CC attack; a client over the rate limit is rejected.
4. Check for the Acunetix-Aspect scanner header; if present, the connection is dropped (444).
5. Check for the X-Scan-Memo scanner header; likewise.
6. Check the URL whitelist; a whitelisted URL skips the remaining checks.
7. Check the User-Agent; a matching User-Agent is rejected.
8. Check the URL against the URL rules.
9. Check the URL arguments against the args rules.
10. Check the cookie against the cookie rules.
11. Check the POST body against the post rules.

The order matters: a client on ipWhitelist bypasses everything, and a URL on the whitelist bypasses the User-Agent, URL, argument, cookie and POST rules (but not the IP blacklist, the CC limit or the scanner-header checks). Keep both lists as narrow as possible.
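To make that order concrete, here is an added, self-contained model of the decision chain in Python (example code written for this article, not ngx_lua_waf's own Lua). It applies constructed rule sets shaped like the wafconf files to constructed requests, keeps the CC counter the way lua_shared_dict limit is used (hits per client IP and URI inside the CCrate window), and shows the two bypasses described above: a whitelisted IP and a whitelisted URL skip the argument, cookie and POST rules. The IP addresses, rules and payloads are assumptions for illustration; CCDeny is switched on so the counter is exercised.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed rule sets shaped like the wafconf/ files (one regex per line); not the shipped rules.
RULES = {
    "user-agent": [r"(sqlmap|nikto|w3af|dirbuster|nmap|havij|netsparker)"],
    "url":        [r"\.(bak|inc|old|sql|swp)$", r"/(phpmyadmin|pma)/", r"\.(svn|git|htaccess)"],
    "args":       [r"select.+(from|limit)", r"union.*select", r"\.\./", r"<(iframe|script|body|img)"],
    "cookie":     [r"\.\./", r"select.+(from|limit)", r"<(iframe|script)"],
    "post":       [r"select.+(from|limit)", r"<(iframe|script)"],
    "whiteurl":   [r"^/health$"],
}
# ngx.re.match(..., "isjo") semantics: case-insensitive, dot also matches newline
COMPILED = {name: [re.compile(r, re.I | re.S) for r in rs] for name, rs in RULES.items()}
# Constructed config.lua values; CCDeny is "on" here so the counter is exercised
CONFIG = {"ipWhitelist": {"127.0.0.1"}, "ipBlocklist": {"192.168.10.1"},
          "CCDeny": "on", "CCrate": "100/60"}  # 100 requests to one URI per client IP per 60 s
SCANNER_HEADERS = ("acunetix-aspect", "x-scan-memo")

def first_match(rule_set, text):
    """Pattern of the first rule in rule_set that matches text, else None."""
    for rx in COMPILED[rule_set]:
        if text and rx.search(text):
            return rx.pattern
    return None

def form_values(encoded):
    # decode query/form data, then unescape each value once more, as waf.lua does
    return [unquote(v) for vs in parse_qs(encoded, keep_blank_values=True).values() for v in vs]

class Waf:
    def __init__(self, config=CONFIG, clock=lambda: 0.0):
        self.config = config
        self.clock = clock   # injectable so the CC window can be driven from a test
        self.limit = {}      # stands in for lua_shared_dict limit: key -> (hits, expires_at)

    def denycc(self, ip, path):
        """Count hits per (ip, path) inside one CCrate window; True once over the limit."""
        if self.config["CCDeny"] != "on":
            return False
        max_hits, window = (int(x) for x in self.config["CCrate"].split("/"))
        key, now = ip + path, self.clock()
        hits, expires = self.limit.get(key, (0, 0.0))
        if now >= expires:               # first hit, or window elapsed: start a new one
            hits, expires = 0, now + window
        hits += 1
        self.limit[key] = (hits, expires)
        return hits > max_hits

    def check(self, req):
        """Apply the checks in waf.lua's order; return (action, status, stage, rule)."""
        ip, parts = req["ip"], urlsplit(req["uri"])
        headers = {k.lower(): v for k, v in req.get("headers", {}).items()}
        if ip in self.config["ipWhitelist"]:
            return ("allow", 200, "whiteip", None)        # nothing else is inspected
        if ip in self.config["ipBlocklist"]:
            return ("deny", 403, "blockip", None)
        if self.denycc(ip, parts.path):
            return ("deny", 403, "denycc", None)
        if any(h in headers for h in SCANNER_HEADERS):
            return ("drop", 444, "scanner-header", None)  # connection closed, no reply
        if first_match("whiteurl", parts.path):
            return ("allow", 200, "whiteurl", None)       # skips ua/url/args/cookie/post
        stages = [
            ("user-agent", [headers.get("user-agent", "")]),
            ("url",        [parts.path]),
            ("args",       form_values(parts.query)),
            ("cookie",     [headers.get("cookie", "")]),
            ("post",       form_values(req.get("body", "")) if req.get("method") == "POST" else []),
        ]
        for stage, candidates in stages:
            for text in candidates:
                rule = first_match(stage, text)
                if rule:
                    return ("deny", 403, stage, rule)
        return ("allow", 200, "pass", None)

def demo():
    # constructed requests, one per decision path; returns {name: verdict}
    waf = Waf()
    base = {"ip": "10.0.0.5", "method": "GET", "headers": {"User-Agent": "Mozilla/5.0"}}
    cases = {
        "normal":   dict(base, uri="/index.php?id=1"),
        "sqli":     dict(base, uri="/index.php?id=1%20union%20select%201,2"),
        "whiteip":  dict(base, ip="127.0.0.1", uri="/index.php?id=1%20union%20select%201,2"),
        "blockip":  dict(base, ip="192.168.10.1", uri="/"),
        "scanner":  dict(base, uri="/", headers={"Acunetix-Aspect": "1"}),
        "ua":       dict(base, uri="/", headers={"User-Agent": "sqlmap/1.5"}),
        "url":      dict(base, uri="/db/backup.sql"),
        "cookie":   dict(base, uri="/", headers={"Cookie": "f=../../etc/passwd"}),
        "post":     dict(base, method="POST", uri="/comment", body="text=%3Cscript%3Ealert(1)"),
        "whiteurl": dict(base, uri="/health?id=1%20union%20select%201"),
    }
    verdicts = {name: waf.check(req) for name, req in cases.items()}
    flood = {"ip": "10.0.0.9", "method": "GET", "uri": "/login", "headers": {}}
    verdicts["flood-101st"] = [waf.check(flood) for _ in range(101)][-1]  # 101st hit in the window
    return verdicts

if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:12} -> {verdict}")
```

The "whiteip" and "whiteurl" cases carry the same SQL injection payload as "sqli" and are still allowed, which is the bypass to keep in mind when filling in ipWhitelist and wafconf/whiteurl. The argument values are URL-decoded a second time before matching, so an attacker who double-encodes a payload still hits the rule.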
9. WAF based on Nginx
9.1 Install dependency packages

    yum -y install gcc gcc-c++ autoconf automake make unzip
    yum -y install zlib zlib-devel openssl openssl-devel pcre pcre-devel

9.2 Install LuaJIT 2.0
LuaJIT is a just-in-time compiler for Lua; put simply, it is a fast Lua virtual machine, and lua-nginx-module is built against it.
    # enter the source directory
    cd /usr/local/src/
    # download LuaJIT 2.0
    wget http://luajit.org/download/LuaJIT-2.0.5.tar.gz
    # extract
    tar xf LuaJIT-2.0.5.tar.gz && cd LuaJIT-2.0.5
    # compile
    make
    # install under /usr/local/lj2
    make install PREFIX=/usr/local/lj2
    # make the shared library visible to the dynamic loader
    ln -s /usr/local/lj2/lib/libluajit-5.1.so.2 /lib64/
    # tell the lua-nginx-module build where LuaJIT lives; these are read by ./configure in 9.5,
    # so run that step in the same shell (or export them again first)
    export LUAJIT_LIB=/usr/local/lj2/lib/
    export LUAJIT_INC=/usr/local/lj2/include/luajit-2.0/

9.3 Install ngx_devel_kit
ngx_devel_kit (NDK) is a module that extends the Nginx core with helpers on which third-party modules can be developed quickly; lua-nginx-module depends on it.
    # enter the source directory
    cd /usr/local/src/
    # download v0.3.0
    wget https://github.com/simplresty/ngx_devel_kit/archive/v0.3.0.tar.gz -O ngx_devel_kit.tar.gz
    # extract (creates ngx_devel_kit-0.3.0)
    tar xf ngx_devel_kit.tar.gz

9.4 Install lua-nginx-module
ngx_lua (lua-nginx-module) is an Nginx HTTP module that embeds a Lua interpreter into Nginx, so that request-handling logic written in Lua runs inside the server.
How the ngx_lua module works
1. Each worker process creates one Lua VM, shared by all the coroutines in that worker.
2. Nginx's I/O primitives are wrapped and injected into the Lua VM, so Lua code can call them directly.
3. Each external request is handled by its own Lua coroutine, and data is isolated between coroutines.
4. When Lua code calls an asynchronous interface such as an I/O operation, the current coroutine is suspended (its context preserved) without blocking the worker.
5. When the asynchronous operation completes, the coroutine's context is restored and it continues running.
Installation

    # enter the source directory
    cd /usr/local/src/
    # download v0.10.9rc7
    wget https://github.com/openresty/lua-nginx-module/archive/v0.10.9rc7.tar.gz
    # extract (creates lua-nginx-module-0.10.9rc7)
    tar -xzvf v0.10.9rc7.tar.gz

9.5 Install Nginx

    # enter the source directory
    cd /usr/local/src/
    # download
    wget http://nginx.org/download/nginx-1.21.0.tar.gz
    # extract
    tar xf nginx-1.21.0.tar.gz
    # enter the nginx directory
    cd nginx-1.21.0
    # configure, adding the two modules statically
    ./configure --prefix=/usr/local/nginx --with-http_ssl_module --with-http_flv_module --with-http_stub_status_module --with-http_gzip_static_module --with-http_realip_module --with-pcre --add-module=/usr/local/src/lua-nginx-module-0.10.9rc7 --add-module=/usr/local/src/ngx_devel_kit-0.3.0 --with-stream
    # build and install
    make && make install

Note that lua-nginx-module 0.10.9rc7 is several years older than nginx 1.21.0. If ./configure or make fails on that combination, use a module release whose README lists your nginx version as supported, or use the OpenResty bundle, which ships matching versions of nginx, ngx_lua, NDK and LuaJIT.

Add a test location to the server block of the nginx configuration:

    [root@localhost_test_192.168.10.132 11:04:48 ~]# vim /usr/local/nginx/conf/nginx.conf
    location /lua {
        default_type 'text/plain';
        content_by_lua 'ngx.say("hello, lua")';
    }

Check the syntax:

    [root@localhost_test_192.168.10.132 09:59:33 /usr/local/src]# nginx -t
    nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
    nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful

Start Nginx and test; the response should be "hello, lua":

    [root@localhost_test_192.168.10.132 11:08:35 ~]# nginx
    curl 127.0.0.1:80/lua

9.6 Install ngx_lua_waf

    # enter the source directory
    cd /usr/local/src/
    # download ngx_lua_waf
    wget https://github.com/loveshell/ngx_lua_waf/archive/master.zip
    # extract it into the conf directory
    unzip master.zip -d /usr/local/nginx/conf/
    # rename the directory to waf
    mv /usr/local/nginx/conf/ngx_lua_waf-master /usr/local/nginx/conf/waf

Add the following to the http section of nginx.conf. lua_package_path lets the WAF scripts find each other, lua_shared_dict limit is the shared counter store used for CC protection, init_by_lua_file loads config.lua and the rule files once at startup, and access_by_lua_file runs waf.lua on every request; without the last two directives nothing is checked.

    lua_package_path "/usr/local/nginx/conf/waf/?.lua";
    lua_shared_dict limit 10m;
    init_by_lua_file /usr/local/nginx/conf/waf/init.lua;
    access_by_lua_file /usr/local/nginx/conf/waf/waf.lua;

At the outermost level of nginx.conf set the user the worker processes run as (user www;), then create the attack log directory and make it writable by that user:

    mkdir /usr/local/nginx/logs/hack
    chown www /usr/local/nginx/logs/hack

ngx_lua_waf configuration:
    [root@localhost_test_192.168.10.132 11:33:53 /usr/local/nginx/conf/waf]# cat config.lua
    -- rule storage path
    RulePath = "/usr/local/nginx/conf/waf/wafconf/"
    -- whether to record attack information (requires logdir)
    attacklog = "on"
    -- log directory; create it yourself and make it writable by the nginx user
    logdir = "/usr/local/nginx/logs/hack/"
    -- whether to deny access based on the URL rules
    UrlDeny="on"
    -- whether to redirect to the alarm page (html below) after a block
    Redirect="on"
    -- whether to intercept cookie attacks
    CookieMatch="on"
    -- whether to intercept POST attacks
    postMatch="on"
    -- whether to enable the URL whitelist
    whiteModule="on"
    -- file extensions that may not be uploaded
    black_fileExt={"php","jsp"}
    -- IP whitelist; separate multiple IPs with commas
    ipWhitelist={"127.0.0.1"}
    -- IP blacklist; separate multiple IPs with commas
    ipBlocklist={"192.168.10.1"}
    -- whether to block CC attacks (requires lua_shared_dict limit 10m in the http section of nginx.conf)
    CCDeny="off"
    -- CC rate as count/seconds; by default the same IP may request the same address at most 100 times in 60 seconds
    CCrate="100/60"
    -- alarm page returned on a block (HTML body not reproduced here)
    html=[[ ]]

The rule files live under wafconf/, one regular expression per line:

    [root@localhost_test_192.168.10.132 11:42:12 /usr/local/nginx/conf/waf]# ll wafconf/
    total 24
    -rw-r--r-- 1 root root   749 Apr  6  2016 args
    -rw-r--r-- 1 root root   652 Apr  6  2016 cookie
    -rw-r--r-- 1 root root   733 Apr  6  2016 post
    -rw-r--r-- 1 root root   335 Apr  6  2016 url
    -rw-r--r-- 1 root root 17777 Apr  6  2016 user-agent
    -rw-r--r-- 1 root root     8 Apr  6  2016 whiteurl

args: rules applied to the arguments of GET requests
cookie: rules applied to the Cookie header
url: rules applied to the URL, on GET requests only
post: rules applied to the request body, on POST requests only
whiteurl: the URL whitelist; a URL that matches is not filtered
user-agent: rules applied to the User-Agent header

Reload Nginx to activate the WAF:

    [root@localhost_test_192.168.10.132 11:32:41 ~]# nginx -s reload

9.7 Test the effect
Request a URL whose query parameter carries a test payload, for example:
http://192.168.10.132/?id=
A request that matches a rule is answered with 403 and the alarm page from config.lua, and the rejected request is written to the log directory /usr/local/nginx/logs/hack/.
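For the test step, here is an added Python smoke-test script (not part of the page or of ngx_lua_waf) that sends one request per rule category to the WAF host and reports what the client observes. The host 192.168.10.132 is the one used in this setup and the payloads and expected outcomes are assumptions that depend on the regexes in your wafconf files, so adjust them to your rules. The point it makes is in classify(): a rule hit comes back as 403 with the alarm page (Redirect="on"), whereas the scanner-header checks end in ngx.exit(444), which the client sees as the connection being closed with no HTTP response at all, so a test that only looks at status codes would miss it.

```python
import http.client
import sys

TARGET = "192.168.10.132"   # the WAF host used in this setup; adjust to yours
TIMEOUT = 5

# (name, method, path, extra headers, body, expected outcome). Payloads and expectations
# are constructed for this example and depend on the regexes in your wafconf files.
CASES = [
    ("baseline",    "GET",  "/?id=1", {}, None, "pass"),
    ("args-sqli",   "GET",  "/?id=1%20union%20select%201,2", {}, None, 403),
    ("args-xss",    "GET",  "/?q=%3Cscript%3Ealert(1)%3C/script%3E", {}, None, 403),
    ("url-backup",  "GET",  "/index.bak", {}, None, 403),
    ("ua-scanner",  "GET",  "/", {"User-Agent": "sqlmap/1.5"}, None, 403),
    ("cookie",      "GET",  "/", {"Cookie": "f=../../etc/passwd"}, None, 403),
    ("post-xss",    "POST", "/", {"Content-Type": "application/x-www-form-urlencoded"},
                    "c=%3Cscript%3Ealert(1)%3C/script%3E", 403),
    ("scanner-hdr", "GET",  "/", {"Acunetix-Aspect": "1"}, None, 444),
]


def classify(status, exc):
    """Translate what the client saw into the WAF's verdict."""
    if exc is not None:      # ngx.exit(444): socket closed, no status line ever arrives
        return 444
    if status == 403:        # say_html(): 403 plus the alarm page from config.lua
        return 403
    return "pass"            # any other status means the WAF let the request reach the server


def send(case, host, port):
    """Send one case over a fresh connection and classify the outcome."""
    _, method, path, extra, body, _ = case
    headers = {"User-Agent": "waf-smoke-test/1.0", **extra}   # a case may override the UA
    conn = http.client.HTTPConnection(host, port, timeout=TIMEOUT)
    try:
        conn.request(method, path, body=body, headers=headers)
        resp = conn.getresponse()
        resp.read()
        return classify(resp.status, None)
    except (http.client.HTTPException, OSError) as exc:
        return classify(None, exc)
    finally:
        conn.close()


def run(host=TARGET, port=80, sender=send):
    """Return {name: (expected, observed)}; sender is injectable for offline testing."""
    return {case[0]: (case[5], sender(case, host, port)) for case in CASES}


def mismatches(results):
    """Names of the cases whose observed verdict differs from the expected one."""
    return [name for name, (want, got) in results.items() if want != got]


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else TARGET
    results = run(host)
    for name, (want, got) in results.items():
        print(f"{'ok ' if want == got else 'BAD'} {name:12} expected={want} observed={got}")
    sys.exit(1 if mismatches(results) else 0)
```

Run it as python3 waf_smoke.py 192.168.10.132 after the reload in 9.6; a BAD line on "baseline" means a rule is too broad and is blocking ordinary traffic, and a BAD line on "scanner-hdr" with observed=403 or observed=pass means the scanner-header branch is not being reached. Each case in the log directory /usr/local/nginx/logs/hack/ should also appear as a logged rejection.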