Implementing a WAF with nginx and ModSecurity

I. Preparation

System: CentOS 6.5 64-bit, ngx_openresty-1.7.10.1, ModSecurity 2.9.0

openresty: http://openresty.org/download/ngx_openresty-1.7.10.1.tar.gz

ModSecurity for nginx: https://www.modsecurity.org/tarball/2.9.0/modsecurity-2.9.0.tar.gz

OWASP rule set: https://github.com/SpiderLabs/owasp-modsecurity-crs

Dependencies:

Packages ModSecurity depends on: pcre, httpd-devel, libxml2, apr

yum install httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel

Packages openresty depends on: pcre, zlib, openssl

yum install zlib zlib-devel openssl openssl-devel pcre pcre-devel

II. Enable the standalone module and compile

Download ModSecurity for nginx, unpack it, change into the unpacked directory and run:

./autogen.sh
./configure --enable-standalone-module --disable-mlogc
make


III. Add the ModSecurity module to openresty

Once the standalone module has been built, it can be added to openresty at configure time with "--add-module":

./configure --prefix=/opt/openresty --with-pcre-jit --with-ipv6 --without-http_redis2_module --with-http_iconv_module -j2 --add-module=../modsecurity-2.9.0/nginx/modsecurity/
make && make install

IV. Add rules

ModSecurity is designed to filter and block web attacks, and its strength lies in its rules. The rules published by OWASP are maintained by community volunteers and are known as the Core Rule Set (CRS); they are reliable and comprehensive, and you can of course write custom rules to cover any other needs.

1. Download the OWASP rules:

git clone https://github.com/SpiderLabs/owasp-modsecurity-crs
mv owasp-modsecurity-crs /opt/openresty/nginx/conf/
cd /opt/openresty/nginx/conf/owasp-modsecurity-crs/ && mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf


2. Enable the OWASP rules:

Copy modsecurity.conf-recommended and unicode.mapping from the ModSecurity source directory into nginx's conf directory, renaming modsecurity.conf-recommended to modsecurity.conf:

mv modsecurity.conf-recommended /opt/openresty/nginx/conf/modsecurity.conf
cp unicode.mapping /opt/openresty/nginx/conf/

Edit modsecurity.conf and set SecRuleEngine to On (the recommended file ships with DetectionOnly, which only logs):

sed -i 's/^SecRuleEngine.*/SecRuleEngine On/' /opt/openresty/nginx/conf/modsecurity.conf

owasp-modsecurity-crs contains several folders of rules, such as base_rules, experimental_rules, optional_rules and slr_rules; enable the rules in them as needed.

To enable a rule file, Include it from modsecurity.conf (paths are relative to the nginx conf directory):

Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.conf
Include owasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.conf
Include owasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
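A pre-reload sanity check for the modsecurity.conf built above, added here as an example and not part of the original post: it verifies that SecRuleEngine is really On (a leftover DetectionOnly means nothing is ever blocked) and that every Include resolves to an existing file relative to the conf directory, so a mistyped rule path is caught before nginx is reloaded. The function names check_modsec_conf and make_sample_conf are assumed, and the sample directory layout is constructed in a temporary directory to mirror /opt/openresty/nginx/conf.

```shell
#!/bin/sh
# Added example, not from the original post. Checks a modsecurity.conf for two
# silent failure modes: SecRuleEngine left at DetectionOnly/Off, and Include
# lines whose target file does not exist (that rule set is simply never loaded).

# check_modsec_conf <path>: prints each problem found, returns 0 only when clean
check_modsec_conf() {
    conf="$1"
    dir=$(dirname "$conf")
    status=0
    # last SecRuleEngine directive wins, as in ModSecurity itself
    engine=$(sed -n 's/^[[:space:]]*SecRuleEngine[[:space:]]*\([A-Za-z]*\).*/\1/p' "$conf" | tail -n 1)
    if [ "$engine" != "On" ]; then
        echo "SecRuleEngine is '${engine:-unset}', expected On"
        status=1
    fi
    for inc in $(sed -n 's/^[[:space:]]*Include[[:space:]]*//p' "$conf"); do
        case "$inc" in
            /*) path="$inc" ;;         # absolute path used as-is
            *)  path="$dir/$inc" ;;    # relative to the nginx conf directory
        esac
        [ -f "$path" ] || { echo "Include target missing: $inc"; status=1; }
    done
    return $status
}

# make_sample_conf: constructed stand-in for the conf directory layout the post
# creates (CRS checkout beside modsecurity.conf), built under mktemp; prints path
make_sample_conf() {
    d=$(mktemp -d)
    mkdir -p "$d/owasp-modsecurity-crs/base_rules"
    echo '# constructed placeholder' > "$d/owasp-modsecurity-crs/modsecurity_crs_10_setup.conf"
    echo '# constructed placeholder' > "$d/owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"
    cat > "$d/modsecurity.conf" <<'EOF'
SecRuleEngine On
Include owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
EOF
    echo "$d"
}

# With no argument, run the check against the constructed sample; otherwise
# check the file given, e.g. /opt/openresty/nginx/conf/modsecurity.conf
if [ $# -eq 0 ]; then
    d=$(make_sample_conf)
    check_modsec_conf "$d/modsecurity.conf" && echo "sample config OK"
    rm -rf "$d"
else
    check_modsec_conf "$1"
fi
```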


V. Configure nginx

Add the following two lines to the location block of every virtual host that should have ModSecurity enabled:

ModSecurityEnabled on;
ModSecurityConfig modsecurity.conf;


Below are a few example configurations. A PHP virtual host:

server {
    listen 80;
    server_name test.net www.test.net;
    location ~ \.php$ {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;
        root /web/wordpress;
        index index.php index.html index.htm;
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}


Upstream load balancing:

upstream online {
    server 192.168.1.100:8080;
    server 192.168.1.101:8080 backup;
}
server {
    listen 80;
    server_name test.net www.test.net;
    location / {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;
        proxy_pass http://online;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}

Wildcard domain, reverse-proxy mode:

upstream real_webserver {
    server 192.168.0.12;
    server 192.168.0.13;
}
server {
    listen 80;
    server_name _;
    location / {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass http://real_webserver;
    }
}


VI. Testing

We enabled the XSS and SQL injection rule files, so abnormal requests are answered directly with a 403. Taking a PHP environment as an example, create a phpinfo.php containing:

<?php phpinfo(); ?>


Then open the following in a browser:

http://www.52os.net/phpinfo.php?id=1 displays normally.
http://www.52os.net/phpinfo.php?id=1 and 1=1 returns 403.
http://www.52os.net/phpinfo.php?search=<script>alert('xss');</script> returns 403.


This shows that SQL injection and XSS attempts are being filtered.
