Of Stack

Install the waf module for nginx under Linux

  • 2020-05-10 23:31:08
  • OfStack

Recently, when building nginx for a new project, I decided to install the waf module to ensure security. The following are the specific steps. First, download the required installation package and install each one: 


wget http://luajit.org/download/LuaJIT-2.0.3.tar.gz
tar -zxvf LuaJIT-2.0.3.tar.gz
cd LuaJIT-2.0.3
make
make install

And then download nginx, 


wget http://nginx.org/download/nginx-1.7.6.tar.gz
tar -zxvf nginx-1.7.6.tar.gz

Download ngx_devel_kit, 


wget https://github.com/simpl/ngx_devel_kit/archive/v0.2.19.tar.gz  � no-check-certificate
tar -zxvf v0.2.19.tar.gz

Download nginx_lua_module 


wget https://github.com/openresty/lua-nginx-module/archive/v0.9.13rc1.tar.gz  � no-check-certificate
tar -zxvf v0.9.13rc1.tar.gz
cd nginx-1.7.6

Install pcre, 


tar -zxvf pcre-8.30.tar.gz
cd pcre-8.30
./configure
make
make install

Install openssl,

tar -zxvf openssl-1.0.0.tar.gz

Install the ngx_cache_purge module:

tar   -zxvf  ngx_cache_purge-1.3.tar.gz

Install zlib,       yum install zlib zlib-devel

Set the environment variables, compile, 


export LUAJIT_LIB=/usr/local/lib

export LUAJIT_INC=/usr/local/include/luajit-2.0

./configure  � prefix=/usr/local/nginx  � with-http_stub_status_module  � with-http_ssl_module  � add-module=/root/ngx_devel_kit-0.2.19  � add-module=/root/lua-nginx-
module-0.9.13rc1  � with-http_ssl_module  � with-openssl=/root/openssl-1.0.0  � add-module=/root/ngx_cache_purge-1.3  � with-pcre=/root/pcre-8.30  � with-ld-opt= " -Wl,-rpat
h,$LUAJIT_LIB " 

make -j2

make install

Create a directory to store attack logs: 


mkdir -p /data/logs/hack/
chown -R nobody:nobody /data/logs/hack/
chmod -R 755 /data/logs/hack/

Download waf, 


wget https://github.com/loveshell/ngx_lua_waf/archive/master.zip  � no-check-certificate
unzip master.zip
cd ngx_lua_waf-master/
mkdir /usr/local/nginx/conf/waf
mv * /usr/local/nginx/conf/waf/
cd /usr/local/nginx/conf/
vi nginx.conf

Add in the http segment:

lua_package_path "/ usr/local/nginx/conf/waf / & # 63; . lua ";
lua_shared_dict limit 10m;
init_by_lua_file   /usr/local/nginx/conf/waf/init.lua;
access_by_lua_file /usr/local/nginx/conf/waf/waf.lua;

Before the start of operation: ln - s usr/local/lib/libluajit - 5.1 so. 2 / lib64 libluajit - 5.1 so. 2   otherwise you will find this module error.

The filtering rules can be adjusted according to the requirements under wafconf, and each rule needs to be wrapped or split with |
global is a global filter file, where rules are filtered for both post and get
get is a rule that only requests filtering in get
post is a rule that requests filtering only in post
whitelist is a whitelist, where url matches without filtering
user-agent is a filtering rule for user-agent

Related articles: