OpenResty实战案例_WAF防火墙实现-【官方】百战程序员_IT在线教育培训机构


xxxxxxxxxx
# 下载waf
git clone https://github.com/unixhot/waf.git
# 拷贝waf
cp -r ./waf/waf /usr/local/openresty/nginx/conf/
# 创建openresty包软连接
ln -s /usr/local/openresty/lualib/resty/ /usr/local/openresty/nginx/conf/waf/resty

waf部署


xxxxxxxxxx
lua_shared_dict limit 50m;
lua_package_path "/usr/local/openresty/nginx/conf/waf/?.lua";
init_by_lua_file "/usr/local/openresty/nginx/conf/waf/init.lua";
access_by_lua_file "/usr/local/openresty/nginx/conf/waf/access.lua";

waf的模块


xxxxxxxxxx
[root@linux-node1 waf]# pwd
/usr/local/openresty/nginx/conf/waf
[root@linux-node2 waf]# cat config.lua
 --WAF config file,enable = "on",disable = "off" 
 --waf status    
 config_waf_enable = "on"   #是否开启配置
 --log dir 
 config_log_dir = "/tmp/waf_logs"    #日志记录地址
 --rule setting 
     config_rule_dir = "/usr/local/nginx/conf/waf/rule-config"        
                              #匹配规则缩放地址
     --enable/disable white url 
     config_white_url_check = "on"  #是否开启url检测
     --enable/disable white ip 
     config_white_ip_check = "on"   #是否开启IP白名单检测
     --enable/disable block ip 
     config_black_ip_check = "on"   #是否开启ip黑名单检测
     --enable/disable url filtering 
     config_url_check = "on"      #是否开启url过滤
     --enalbe/disable url args filtering 
     config_url_args_check = "on"   #是否开启参数检测
     --enable/disable user agent filtering 
     config_user_agent_check = "on"  #是否开启ua检测
     --enable/disable cookie deny filtering 
     config_cookie_check = "on"    #是否开启cookie检测
     --enable/disable cc filtering 
     config_cc_check = "on"   #是否开启防cc攻击
     --cc rate the xxx of xxx seconds 
     config_cc_rate = "10/60"   #允许一个ip60秒内只能访问10次
     --enable/disable post filtering 
     config_post_check = "on"   #是否开启post检测
     --config waf output redirect/html 
     config_waf_output = "html"         #action一个html页面，也可以选择跳转
     --if config_waf_output ,setting url 
     config_waf_redirect_url = "http://www.baidu.com" 
     config_output_html=[[        #下面是html的内容
     <html> 
     <head> 
     <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> 
     <meta http-equiv="Content-Language" content="zh-cn" /> 
     <title>网站防火墙</title> 
     </head> 
     <body> 
     <h1 align="center"> 请安全上网，注意操作规范。 
     </body> 
     </html> 
     ]]

检测顺序：先检查白名单，通过即不检测；再检查黑名单，不通过即拒绝，检查UA，UA不通过即拒绝；检查cookie；URL检查;URL参数检查，post检查；

2.4.1 模拟sql注入即url攻击


xxxxxxxxxx
http://192.168.66.50/hello/a.sql

日志显示如下,记录了UA，匹配规则，URL，客户端类型，攻击的类型，请求的数据

2.4.2 模拟URL参数检测

2.4.3 cc攻击


xxxxxxxxxx
安装ab压测工具
yum -y install httpd-tools
ab -c 100 -n 100 http://127.0.0.1/hello

2.4.4 模拟ip白名单


xxxxxxxxxx
将请求ip放入ip白名单中
[root@linux-node1 rule-config]# echo “192.168.66.10” >>/usr/local/openresty/nginx/conf/waf/rule-config/whiteip.rule

2.4.4 模拟ip黑名单


xxxxxxxxxx
将请求ip放入ip黑名单中
[root@linux-node1 rule-config]# echo “192.168.66.10” >>/usr/local/openresty/nginx/conf/waf/rule-config/blackip.rule

OpenResty实战案例_WAF防火墙概述 OpenRestyz实战案例_微服务网关概述

北京市昌平区回龙观镇南店村综合商业楼2楼226室