源码安装openresty
安装依赖库
- centos
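# Build dependencies for CentOS. zlib-devel is added because nginx's gzip
# support (gzip_static is enabled in ./configure below) needs the zlib headers,
# matching zlib1g-dev in the Debian list; postgresql-devel is kept as listed.
yum install -y pcre-devel openssl-devel zlib-devel gcc postgresql-devel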
- debian
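# The package list must stay on one logical command line: without a trailing
# backslash after "apt install", the names below would run as a separate
# command ("libpcre3: command not found") and nothing would be installed.
# -y keeps the step non-interactive, matching the yum line above.
apt install -y \
  libpcre3 \
  libpcre3-dev \
  zlib1g-dev \
  openssl \
  libssl-dev \
  libxml2-dev \
  libxslt-dev \
  libgd-dev \
  libgeoip-dev \
  build-essential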
下载源码包并且安装
从下载页 Download http://openresty.org/cn/download.html 下载最新的 OpenResty® 源码包,并且像下面的示例一样将其解压:
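# Pin the release once so the download, extract and cd steps cannot drift apart.
OPENRESTY_VERSION=1.19.9.1
wget "https://openresty.org/download/openresty-${OPENRESTY_VERSION}.tar.gz"
# Verify the tarball against the PGP signature (.asc) published next to it on
# the download page before unpacking: a TLS download alone does not prove the
# archive is the one the project released.
tar -zxvf "openresty-${OPENRESTY_VERSION}.tar.gz"
# Stop here if extraction failed; otherwise ./configure runs in the wrong dir.
cd "openresty-${OPENRESTY_VERSION}/" || exit 1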
# Build options for OpenResty, kept in an array so the list is easy to audit
# and extend. --user/--group name the account the worker processes run as;
# nothing on this page creates that "nginx" account, and nginx will not start
# with a missing worker user, so add it (e.g. with useradd) before starting.
configure_opts=(
  --prefix=/usr/local/openresty
  --sbin-path=/usr/local/openresty/nginx/sbin/nginx
  --conf-path=/usr/local/openresty/nginx/conf/nginx.conf
  --pid-path=/usr/local/openresty/nginx/run/nginx.pid
  --error-log-path=/usr/local/openresty/nginx/logs/error.log
  --http-log-path=/usr/local/openresty/nginx/logs/access.log
  --user=nginx
  --group=nginx
  --with-pcre
  --with-stream
  --with-threads
  --with-file-aio
  --with-http_v2_module
  --with-http_ssl_module
  --with-http_realip_module
  --with-http_gzip_static_module
  --with-http_stub_status_module
)
./configure "${configure_opts[@]}"
# Compile, then install into the prefix only if the build succeeded.
make && make install
配置环境变量
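# Append the OpenResty environment to /etc/profile (needs root). The original
# line `export PATH={OPENRESTY_HOME}/bin:PATH` was missing both `$` signs, so
# after sourcing, PATH became a literal string and every standard command
# disappeared from login shells. The guard keeps re-runs of the tutorial from
# appending duplicate lines; the trailing slash is dropped from OPENRESTY_HOME
# so the bin path does not come out as "//bin".
if ! grep -q 'OPENRESTY_HOME' /etc/profile; then
  cat >> /etc/profile <<'EOF'
# 配置OpenResty环境变量
export OPENRESTY_HOME=/usr/local/openresty
export PATH=${OPENRESTY_HOME}/bin:$PATH
PATH=/usr/local/openresty/nginx/sbin:$PATH
export PATH
EOF
fi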
立即生效
# Load the new variables into the current shell (POSIX spelling of "source").
. /etc/profile
安装WAF
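# Upstream WAF project. This clone lands in the current directory and is not
# used by the steps below, which deploy the gitee mirror instead.
git clone https://github.com/unixhot/waf.git
cd /usr/local/openresty/nginx/conf/ || exit 1
# The Lua fetched here runs inside every nginx worker with the worker's
# privileges. Pin the clone to a reviewed tag or commit
# (git clone --branch <reviewed-tag> ...) and read the rules before deploying,
# rather than tracking the mirror's branch head on each install.
git clone https://gitee.com/funet8/waf.git waf-git
cp -a ./waf-git/waf /usr/local/openresty/nginx/conf/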
配置详解
# Print the WAF's main configuration file; each setting is explained below.
cat -- /usr/local/openresty/nginx/conf/waf/config.lua
config_waf_enable = "on" -- master switch for the WAF module: "on" or "off"
config_log_dir = "/tmp" -- WAF log directory (JSON format by default). NOTE(review): /tmp is world-writable, so any local user can pre-create or tamper with these logs; point this at a directory owned by the nginx user
config_rule_dir = "/usr/local/openresty/nginx/conf/waf/rule-config" -- rule directory; adjust if the rules were installed elsewhere
config_white_url_check = "on" -- URL check (whitelist, going by the setting name)
config_white_ip_check = "on" -- IP whitelist check
config_black_ip_check = "on" -- IP blacklist check
config_url_check = "on" -- URL filtering
config_url_args_check = "on" -- GET parameter filtering
config_user_agent_check = "on" -- User-Agent client filtering
config_cookie_check = "on" -- cookie filtering
config_cc_check = "on" -- CC (request-flood) attack filtering
config_cc_rate = "10/60" -- CC threshold as requests/seconds. With this default, one IP requesting the same page more than 10 times within 60 seconds is treated as a CC attack and blocked from that page for 60 seconds, then unblocked (while blocked it can still reach other pages; exceeding 10 requests on any other page blocks that page as well)
config_post_check = "on" -- POST body check
config_waf_output = "html" -- response to a blocked request: "html" renders the page in config_output_html, "redirect" sends the client to config_waf_redirect_url
config_waf_redirect_url = "https://www.unixhot.com" -- redirect target used when config_waf_output is "redirect". NOTE(review): this default sends blocked visitors to the upstream project's site; replace it with a page you control
指定违反规则后跳转的自定义html页面
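-- Page returned to a blocked request when config_waf_output is "html".
-- The heading was missing its closing </h1>; it is added so the markup is
-- well-formed. Spacing around "=" matches the other settings in this file.
config_output_html = [[
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta http-equiv="Content-Language" content="zh-cn" />
<title>网站防火墙</title>
</head>
<body>
<h1 align="center"> 防火墙拦截</h1>
</body>
</html>
]]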
防火墙我自己稍微优化调整了下,文件放在下面了
- 1739612722-waf