How to construct s3cmd Security system based on WAF

2025-01-31 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)05/31 Report--

This article explains how to build a WAF-based s3cmd security system. The content is short and easy to follow; work through it with the editor to learn how to build an s3cmd security system based on a WAF.

Requirement description

The project needs whitelist-based access control for RGW buckets: only IPs on the whitelist may access the specified buckets. What follows is a simple demo. The basic idea is to write a WAF module in OpenResty that enforces a bucket whitelist together with an IP whitelist.

Basic principles

OpenResty processes a request through a sequence of phases; the original article's figure shows this flow, starting from "Request start".

A brief introduction to the key phases follows.

set_by_lua*: flow-branch handling; determines variable initialization

rewrite_by_lua*: forwarding, redirection, caching and similar functions (for example, proxying specific requests to the public network)

access_by_lua*: centralized access control such as IP admission and interface permissions (for example, implementing a simple firewall of the kind iptables provides)

content_by_lua*: content generation

header_filter_by_lua*: response header filtering (such as adding header fields)

body_filter_by_lua*: response body filtering (for example, converting the reply to uppercase)

log_by_lua*: logging, completed asynchronously after the session ends (logs can be recorded locally or synchronized to other machines)

The principle of this article is very simple: a bucket whitelist and an IP whitelist are configured, and in the access_by_lua phase the host and uri fields of the request are matched against these rules before deciding whether to let the request through.

Nginx configuration

Configuration file path: /etc/nginx/conf.d/default.conf

upstream zone_write {
    server 10.63.48.18:7480 weight=13;    # corresponds to the backend RGW civetweb node
    keepalive 30;
}

server {
    listen 80;
    server_name s3.ceph.work *.s3.ceph.work;    # domain name corresponding to the endpoint

    location / {
        proxy_ignore_client_abort on;
        proxy_http_version 1.1;    # pin the HTTP version to reduce the risks of older versions
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $remote_addr;
        access_by_lua_file /etc/nginx/conf.d/access.lua;    # WAF script
        proxy_pass http://zone_write;
    }
}

WAF script

Script path: /etc/nginx/conf.d/access.lua

local uri = ngx.var.uri
local client_ip = ngx.var.remote_addr
local host = ngx.var.host
local endpoint = 's3.ceph.work'                                -- endpoint address
local white_ip_list = {["127.0.0.1"] = true}                   -- IP whitelist
local bucket_list = {["bucket1"] = true, ["bucket2"] = true}   -- bucket whitelist

-- Derive the bucket name from a virtual-hosted-style host (bucket.endpoint)
-- or from a path-style URI (/bucket/...); returns nil when no bucket is addressed.
function get_bucketname(host, uri, endpoint)
    -- escape the dots of the endpoint so they match literally in the patterns
    local escaped = string.gsub(tostring(endpoint), '%.', '%%.')
    local bucket_name = string.match(host, '^[%w%-]+%.' .. escaped .. '$')
    if string.match(host, '^' .. escaped .. '$') then
        if string.match(uri, '^/$') then
            return
        end
        -- path-style: the first path segment, with or without a trailing slash
        local bucket_name = string.match(uri, '^/([%w%-]+)/?')
        return bucket_name
    elseif bucket_name then
        -- virtual-hosted style: strip ".endpoint" from the end of the host
        return string.sub(bucket_name, 1, string.len(bucket_name) - string.len(endpoint) - 1)
    else
        return
    end
end

-- Only whitelisted buckets are restricted; for those, the client IP must be on the whitelist.
if true == bucket_list[get_bucketname(host, uri, endpoint)] then
    if true ~= white_ip_list[client_ip] then
        ngx.log(ngx.ERR, "Forbidden:", client_ip)
        ngx.exit(ngx.HTTP_FORBIDDEN)
    end
end

Function verification
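The following is an added example, not the article's script: a stand-alone version of the same access rule (bucket name taken from the host or the path, then the client IP checked against the whitelist) that goes a little beyond the article by also handling a path-style URI without a trailing slash, a host that carries a port, dots in bucket names, and CIDR entries in the whitelist. The endpoint and the whitelist entries (10.63.48.0/24, bucket1, bucket2) are constructed for the example. It assumes nginx sees the client's real address in remote_addr, i.e. no proxy sits in front of it; behind a load balancer the source address would have to come from a trusted forwarded header instead. Under OpenResty the file runs as access_by_lua_file; under plain lua or luajit (where there is no ngx global) it runs its built-in checks with constructed requests.

```lua
-- Added example (not the article's own script): stand-alone bucket/IP whitelist rule.
-- Runs under OpenResty (ngx present) or plain lua/luajit (ngx absent: self-check mode).

local endpoint = "s3.ceph.work"              -- assumed endpoint, as in the article
local white_ip_list = {                      -- constructed whitelist: exact IPs and CIDR ranges
    ["127.0.0.1"] = true,
    ["10.63.48.0/24"] = true,
}
local bucket_list = { bucket1 = true, bucket2 = true }   -- constructed bucket whitelist

-- Convert a dotted IPv4 string to a number in [0, 2^32); nil if malformed.
local function ip_to_number(ip)
    if type(ip) ~= "string" then return nil end
    local a, b, c, d = ip:match("^(%d+)%.(%d+)%.(%d+)%.(%d+)$")
    if not a then return nil end
    a, b, c, d = tonumber(a), tonumber(b), tonumber(c), tonumber(d)
    if a > 255 or b > 255 or c > 255 or d > 255 then return nil end
    return ((a * 256 + b) * 256 + c) * 256 + d
end

-- True if client_ip matches a whitelist entry, either exactly or by CIDR prefix.
local function ip_allowed(client_ip, list)
    if list[client_ip] then return true end
    local n = ip_to_number(client_ip)
    if not n then return false end
    for entry in pairs(list) do
        local net, bits = entry:match("^([%d%.]+)/(%d+)$")
        if net then
            local base = ip_to_number(net)
            bits = tonumber(bits)
            if base and bits >= 0 and bits <= 32 then
                -- compare the top `bits` bits via integer division (no bit library needed)
                local shift = 2 ^ (32 - bits)
                if math.floor(n / shift) == math.floor(base / shift) then
                    return true
                end
            end
        end
    end
    return false
end

-- Bucket name from a virtual-hosted-style host (bucket1.s3.ceph.work) or a
-- path-style URI (/bucket2/key); nil when the request addresses no bucket.
local function get_bucketname(host, uri, endpoint)
    host = (host or ""):lower()
    host = host:gsub(":%d+$", "")                  -- drop an optional :port
    local escaped = endpoint:gsub("%.", "%%.")     -- make the endpoint's dots literal
    if host == endpoint then
        -- path-style: first path segment, with or without a trailing slash
        return (uri or ""):match("^/([%w%-%.]+)/?")
    end
    return host:match("^([%w%-%.]+)%." .. escaped .. "$")
end

-- Returns "allow" or "deny" plus the matched bucket (nil if none). As in the
-- article, only whitelisted buckets are restricted; other traffic passes.
local function decide(host, uri, client_ip)
    local bucket = get_bucketname(host, uri, endpoint)
    if bucket and bucket_list[bucket] and not ip_allowed(client_ip, white_ip_list) then
        return "deny", bucket
    end
    return "allow", bucket
end

if ngx then
    -- Inside OpenResty (access_by_lua_file): enforce the decision.
    local verdict, bucket = decide(ngx.var.host, ngx.var.uri, ngx.var.remote_addr)
    if verdict == "deny" then
        ngx.log(ngx.ERR, "Forbidden: ", ngx.var.remote_addr, " bucket=", bucket)
        return ngx.exit(ngx.HTTP_FORBIDDEN)
    end
else
    -- Plain lua/luajit: self-check with constructed requests.
    assert(decide("bucket1.s3.ceph.work", "/asdasd", "10.1.1.1") == "deny")
    assert(decide("s3.ceph.work", "/bucket2/1233", "10.1.1.1") == "deny")
    assert(decide("s3.ceph.work", "/bucket2", "10.1.1.1") == "deny")              -- no trailing slash
    assert(decide("s3.ceph.work", "/", "10.1.1.1") == "allow")                    -- bare endpoint
    assert(decide("s3.ceph.work", "/bucket3/x", "10.1.1.1") == "allow")           -- bucket not listed
    assert(decide("bucket1.s3.ceph.work", "/asdasd", "10.63.48.77") == "allow")   -- inside the CIDR
    assert(decide("bucket1.s3.ceph.work:80", "/asdasd", "127.0.0.1") == "allow")  -- host with port
    assert(decide("bucket1.s3.ceph.work", "/asdasd", "not-an-ip") == "deny")      -- malformed address
    print("all checks passed")
end
```

The decision is kept in a pure function, separate from the ngx calls, so the rule can be exercised with `lua access.lua` before it is deployed; a request that addresses no whitelisted bucket is passed through unchanged, which is the article's behaviour, so anything the rule cannot parse is not silently blocked but also not protected.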

Access from a machine that is not on the IP whitelist

curl bucket1.s3.ceph.work/asdasd      # virtual-hosted-style mode
403 Forbidden
403 Forbidden
nginx

curl s3.ceph.work/bucket2/1233        # path-style mode
403 Forbidden
403 Forbidden
nginx

(Both responses are nginx's default 403 page with the HTML tags stripped.)

Corresponding nginx log

2017-09-21 14:05:42 [error] 30725#0: *28 [lua] access.lua:29: forbidden:10.xx.xx.xx, client: 10.xx.xx.xx, server: s3.ceph.work, request: "GET /asdasd HTTP/1.1", host: "bucket1.s3.ceph.work"

2017-09-21 14:02:47 [error] 30725#0: *22 [lua] access.lua:29: forbidden:10.xx.xx.xx, client: 10.xx.xx.xx, server: s3.ceph.work, request: "GET /bucket2/1233 HTTP/1.1", host: "s3.ceph.work"

Thank you for reading. The above is the content of "how to build an s3cmd security system based on a WAF". After studying this article you should have a deeper understanding of the topic; the specific usage still needs to be verified in practice. The editor will push more related articles for you; welcome to follow!
