2025-01-19 Update From: SLTechnology News&Howtos, Network Security
Shulou(Shulou.com)06/01 Report--
ngx_lua_waf is a web application firewall based on lua-nginx-module (OpenResty). It is the first choice for small and medium-sized enterprises, or any organization that does not want to buy a hardware firewall, and it effectively protects a website.
Source code: https://github.com/loveshell/ngx_lua_waf
0x1 Installation and deployment
System version: CentOS 7 x86_64
Install the dependency packages:
yum install -y readline-devel pcre-devel openssl-devel
1. Install and configure OpenResty
cd /usr/local/src
wget https://openresty.org/download/openresty-1.9.15.1.tar.gz
tar -zxvf openresty-1.9.15.1.tar.gz
cd openresty-1.9.15.1
./configure --prefix=/usr/local/openresty-1.9.15.1 --with-luajit --with-http_stub_status_module --with-pcre --with-pcre-jit
gmake && gmake install
ln -s /usr/local/openresty-1.9.15.1/ /usr/local/openresty
Test the nginx configuration:
/usr/local/openresty/nginx/sbin/nginx -t
A successful configuration test prints the following:
nginx: the configuration file /usr/local/openresty-1.9.15.1/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/openresty-1.9.15.1/nginx/conf/nginx.conf test is successful
Start nginx:
/usr/local/openresty/nginx/sbin/nginx
2. Configure ngx_lua_waf
git clone https://github.com/loveshell/ngx_lua_waf.git
Copy the cloned ngx_lua_waf directory into the conf directory of nginx.
Add the following to the http section of nginx.conf:
lua_package_path "/usr/local/openresty/nginx/conf/ngx_lua_waf/?.lua";
lua_shared_dict limit 10m;
init_by_lua_file /usr/local/openresty/nginx/conf/ngx_lua_waf/init.lua;
access_by_lua_file /usr/local/openresty/nginx/conf/ngx_lua_waf/waf.lua;
Configure the WAF rule directory in config.lua (the rule files normally live under ngx_lua_waf/wafconf/):
RulePath = "/usr/local/openresty/nginx/conf/ngx_lua_waf/wafconf"
attacklog = "on"
logdir = "/usr/local/nginx/logs/waf"
3. WAF log configuration
Remove the "#" from the "#user nobody;" line at the top of nginx.conf (so that it reads "user nobody;") and restart the nginx service. Then change the owner and group of the protection log directory to nobody. The directory permission can be set to 700 or simply made writable; you can also keep the default.
cd /usr/local/nginx/conf
chown -R nobody:nobody waf
chmod 700 waf
Because nginx, the PHP modules and so on are installed separately, the corresponding services have to be restarted each time the server is restarted.
Start nginx:
cd /usr/local/openresty/nginx/sbin
./nginx (to reload the configuration file without stopping nginx, use ./nginx -s reload; ./nginx -t only checks the configuration)
0x2 ngx_lua_waf test
Start PHP:
Run /usr/sbin/php-fpm directly.
Test SQL injection blocking
Test result
Test arbitrary file reading
Conduct a CC attack test
By viewing the WAF logs, you can see every attack operation intercepted by the WAF.
The WAF logs show that SQL injection, arbitrary file reading and the CC attack were all intercepted successfully, so the WAF deployment is working and reliable!
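Reading the interception log by eye works for a handful of test requests, but once the WAF is in production you want a quick summary of which rules fire and which source addresses are responsible. The script below is an added example and is not part of the original article or of the ngx_lua_waf project. It assumes the one-line-per-hit layout written by the log() function in the project's waf.lua (client IP, bracketed local time, quoted "METHOD server_name+uri", quoted request data, quoted User-Agent or a bare "-" when the header is missing, and the quoted rule that matched); the sample lines are constructed for the demonstration, and the 10.0.0.x addresses and www.example.test name are placeholders.

```python
import re
from collections import Counter

# Expected line layout (assumption based on log() in ngx_lua_waf's waf.lua,
# not something the article states):
#   <ip> [<yyyy-mm-dd hh:mm:ss>] "<METHOD> <server_name><uri>" "<data>" "<ua>" "<rule>"
# When the request carries no User-Agent, the <ua> field is a bare "-".
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<request>[^"]*)" '
    r'"(?P<data>[^"]*)"\s+'
    r'(?:"(?P<ua>[^"]*)"|-) '
    r'"(?P<rule>[^"]*)"$'
)

# Constructed sample log content (not captured traffic). The last line is
# deliberately malformed so the parser's error handling is exercised.
SAMPLE_LOG = """\
10.0.0.5 [2025-01-19 10:01:02] "GET www.example.test/index.php?id=1" "-"  "curl/7.76.1" "\\.\\./"
10.0.0.5 [2025-01-19 10:01:03] "GET www.example.test/index.php?id=1" "-" - "select.+(from|limit)"
10.0.0.9 [2025-01-19 10:02:10] "POST www.example.test/login.php" "user=admin" "Mozilla/5.0" "union.+select"
this line is not in the expected format
"""


def parse_line(line):
    """Return the fields of one WAF log line as a dict, or None if it does not match."""
    match = LINE_RE.match(line.rstrip("\n"))
    if not match:
        return None
    entry = match.groupdict()
    entry["ua"] = entry["ua"] or "-"   # normalise the missing-UA case
    return entry


def summarize(log_text):
    """Count intercepts per matched rule and per client IP; keep a tally of unparsable lines."""
    by_rule, by_ip, unparsed = Counter(), Counter(), 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        entry = parse_line(line)
        if entry is None:
            unparsed += 1          # never silently drop lines you could not read
            continue
        by_rule[entry["rule"]] += 1
        by_ip[entry["ip"]] += 1
    return {"by_rule": by_rule, "by_ip": by_ip, "unparsed": unparsed}


def noisy_sources(summary, threshold):
    """IPs with at least `threshold` intercepts, busiest first: candidates for a CC-style flood."""
    return [ip for ip, n in summary["by_ip"].most_common() if n >= threshold]


if __name__ == "__main__":
    result = summarize(SAMPLE_LOG)
    print("hits per rule:", dict(result["by_rule"]))
    print("hits per client:", dict(result["by_ip"]))
    print("unparsed lines:", result["unparsed"])
    print("sources at or above 2 hits:", noisy_sources(result, 2))
```

To run it against a real file, read the day's log (waf.lua names it after the server name and date inside the logdir you configured above) and pass its contents to summarize(). The unparsed counter matters: if it climbs after a WAF upgrade, the log layout changed and the regular expression needs to be adjusted rather than trusted.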