Adding the Lua module to nginx
Installing and starting nginx
- yum install -y nginx
- systemctl daemon-reload
- systemctl enable nginx
- # For convenience this lab installs nginx straight from yum and enables it at boot
Note: if this error appears
- [root@host ~]# useradd nginx -M -s /sbin/nologin
- useradd: cannot open /etc/shadow
/etc/shadow was locked at some point (typically chattr +i, a common hardening step); the package's post-install script cannot create the nginx user until the file is unlocked with chattr -i.
- # Add nginx to system startup:
- vim /usr/lib/systemd/system/nginx.service
Add the following:
- #----------------------------------------------------------
- [Unit]
- Description=nginx - high performance Web server
- Documentation=http://nginx.org/en/docs/
- After=network.target remote-fs.target nss-lookup.target
- [Service]
- Type=forking
- PIDFile=/run/nginx.pid
- ExecStartPre=/usr/sbin/nginx -t -c /etc/nginx/nginx.conf
- ExecStart=/usr/sbin/nginx -c /etc/nginx/nginx.conf
- ExecReload=/bin/kill -s HUP $MAINPID
- ExecStop=/bin/kill -s QUIT $MAINPID
- PrivateTmp=true
- [Install]
- WantedBy=multi-user.target
- #----------------------------------------------------------
- # Start nginx
- [root@host ~]# systemctl daemon-reload
- [root@host ~]# systemctl start nginx
- # Check the status
- [root@host ~]# systemctl status nginx
- # Stop
- [root@host ~]# systemctl stop nginx
- # Record the build parameters of the packaged binary; they are reused later when the lua module is added (nginx -V writes to stderr, so add 2>&1 when piping the output)
- [root@host ~]# nginx -V
- nginx version: nginx/1.16.1
- built by gcc 4.8.5 20150623 (Red Hat 4.8.5-39) (GCC)
- built with OpenSSL 1.0.2k-fips 26 Jan 2017
- TLS SNI support enabled
- configure arguments: --prefix=/usr/share/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib64/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --http-client-body-temp-path=/var/lib/nginx/tmp/client_body --http-proxy-temp-path=/var/lib/nginx/tmp/proxy --http-fastcgi-temp-path=/var/lib/nginx/tmp/fastcgi --http-uwsgi-temp-path=/var/lib/nginx/tmp/uwsgi --http-scgi-temp-path=/var/lib/nginx/tmp/scgi --pid-path=/run/nginx.pid --lock-path=/run/lock/subsys/nginx --user=nginx --group=nginx --with-file-aio --with-ipv6 --with-http_ssl_module --with-http_v2_module --with-http_realip_module --with-stream_ssl_preread_module --with-http_addition_module --with-http_xslt_module=dynamic --with-http_image_filter_module=dynamic --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_random_index_module --with-http_secure_link_module --with-http_degradation_module --with-http_slice_module --with-http_stub_status_module --with-http_perl_module=dynamic --with-http_auth_request_module --with-mail=dynamic --with-mail_ssl_module --with-pcre --with-pcre-jit --with-stream=dynamic --with-stream_ssl_module --with-google_perftools_module --with-debug --with-cc-opt='-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -m64 -mtune=generic' --with-ld-opt='-Wl,-z,relro -specs=/usr/lib/rpm/redhat/redhat-hardened-ld -Wl,-E'
Building the lua module
- # Put the LuaJIT paths in every login shell; /etc/profile is not re-read by the shell you are already in, so source it (or export the two variables directly) before running ./configure
- echo "export LUAJIT_LIB=/usr/local/luajit/lib
- export LUAJIT_INC=/usr/local/luajit/include/luajit-2.0 ">>/etc/profile
- # Download and unpack ngx_devel_kit
- mkdir /leilei
- cd /leilei
- wget https://github.com/simpl/ngx_devel_kit/archive/v0.3.0.tar.gz
- tar -xf v0.3.0.tar.gz
- # Download and unpack lua-nginx-module (v0.10.8 here; the final build further down uses v0.10.11)
- wget https://github.com/openresty/lua-nginx-module/archive/v0.10.8.tar.gz
- tar xf v0.10.8.tar.gz
- # Install LuaJIT
- wget http://luajit.org/download/LuaJIT-2.0.5.tar.gz
- tar zxf LuaJIT-2.0.5.tar.gz
- cd LuaJIT-2.0.5
- make
- make install
- # Environment variables. Without PREFIX, make install puts LuaJIT under /usr/local, so these two values differ from the /usr/local/luajit ones appended to /etc/profile above; whichever prefix you settle on (the rest of this post uses PREFIX=/usr/local/luajit), LUAJIT_LIB and LUAJIT_INC must point at it or ./configure cannot find the library
- export LUAJIT_LIB=/usr/local/lib
- export LUAJIT_INC=/usr/local/include/luajit-2.0
- #---------------- The modules are in place; next they have to be compiled into nginx ------------------------#
- # Error you may hit when compiling the module:
- [root@host LuaJIT-2.0.5]# make PREFIX=/usr/local/luajit
- ==== Building LuaJIT 2.0.5 ====
- make -C src
- make[1]: gcc: Command not found
- make[1]: Entering directory `/usr/local/src/LuaJIT-2.0.4/src'
- make[1]: gcc: Command not found
- make[1]: gcc: Command not found
- make[1]: gcc: Command not found
- make[1]: gcc: Command not found
- make[1]: gcc: Command not found
- Makefile:233: *** Unsupported target architecture. Stop.
- make[1]: Leaving directory `/usr/local/src/LuaJIT-2.0.4/src'
- make: *** [default] Error 2
Fix: yum install -y gcc (the "Unsupported target architecture" line is a consequence of the missing compiler, which the LuaJIT Makefile runs to detect the target, not a real architecture problem)
- # Build and install the lua runtime (LuaJIT) under its own prefix:
- tar xf LuaJIT-2.0.5.tar.gz
- cd LuaJIT-2.0.5
- make PREFIX=/usr/local/luajit
- make install PREFIX=/usr/local/luajit
- # /usr/local/luajit/lib is not on the dynamic linker's default search path. Either add it to /etc/ld.so.conf.d/ and run ldconfig, or pass -Wl,-rpath,/usr/local/luajit/lib in --with-ld-opt when configuring nginx; otherwise the rebuilt nginx compiles fine but refuses to start with "libluajit-5.1.so.2: cannot open shared object file"
Download the extension modules (the working directory is /server/tools/leilei from here on; the --add-module paths below refer to it):
- cd /server/tools/leilei
- wget https://github.com/simpl/ngx_devel_kit/archive/v0.3.0.tar.gz
- tar -xf v0.3.0.tar.gz
- wget https://github.com/openresty/lua-nginx-module/archive/v0.10.11.tar.gz
- tar xf v0.10.11.tar.gz
- [root@host leilei]# ll
- total 680
- drwxrwxr-x 10 root root 4096 Nov 4 2017 lua-nginx-module-0.10.11
- drwxrwxr-x 9 root root 4096 May 10 2016 ngx_devel_kit-0.3.0
- -rw-r--r-- 1 root root 616653 Jan 5 04:32 v0.10.11.tar.gz
- -rw-r--r-- 1 root root 66455 Jan 5 04:32 v0.3.0.tar.gz
Adding the extension modules to nginx
- # Get the original build parameters again (same nginx -V output as captured above)
- [root@host tools]# nginx -V
- nginx version: nginx/1.16.1
- built by gcc 4.8.5 20150623 (Red Hat 4.8.5-39) (GCC)
- built with OpenSSL 1.0.2k-fips 26 Jan 2017
- TLS SNI support enabled
- configure arguments: (identical to the list shown above)
- # Download the nginx 1.16.1 source, the same version as the installed package:
- cd /server/tools/leilei
- wget http://nginx.org/download/nginx-1.16.1.tar.gz
- tar xf nginx-1.16.1.tar.gz
- cd nginx-1.16.1/
- # Reconfigure nginx with the original arguments plus the two --add-module options. --with-ipv6 from the packaged build is left out (nginx builds IPv6 in unconditionally since 1.11.5 and only warns about the option). LUAJIT_LIB and LUAJIT_INC must be exported in the shell that runs this command.
- ./configure --prefix=/usr/share/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib64/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --http-client-body-temp-path=/var/lib/nginx/tmp/client_body --http-proxy-temp-path=/var/lib/nginx/tmp/proxy --http-fastcgi-temp-path=/var/lib/nginx/tmp/fastcgi --http-uwsgi-temp-path=/var/lib/nginx/tmp/uwsgi --http-scgi-temp-path=/var/lib/nginx/tmp/scgi --pid-path=/run/nginx.pid --lock-path=/run/lock/subsys/nginx --user=nginx --group=nginx --with-file-aio --with-http_ssl_module --with-http_v2_module --with-http_realip_module --with-stream_ssl_preread_module --with-http_addition_module --with-http_xslt_module=dynamic --with-http_image_filter_module=dynamic --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_random_index_module --with-http_secure_link_module --with-http_degradation_module --with-http_slice_module --with-http_stub_status_module --with-http_perl_module=dynamic --with-http_auth_request_module --with-mail=dynamic --with-mail_ssl_module --with-pcre --with-pcre-jit --with-stream=dynamic --with-stream_ssl_module --with-google_perftools_module --with-debug --with-cc-opt='-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -m64 -mtune=generic' --with-ld-opt='-Wl,-z,relro -specs=/usr/lib/rpm/redhat/redhat-hardened-ld -Wl,-E' --add-module=/server/tools/leilei/ngx_devel_kit-0.3.0 --add-module=/server/tools/leilei/lua-nginx-module-0.10.11
- # Only the two options appended at the end are new compared with the packaged build:
- --add-module=/server/tools/leilei/ngx_devel_kit-0.3.0 --add-module=/server/tools/leilei/lua-nginx-module-0.10.11
configure may also fail with: ./configure: error: the invalid value in --with-ld-opt="-Wl,-z,relro -specs=/usr/lib/rpm/redhat/redhat-hardened-ld -Wl,-E"
Fix (the spec files referenced by -specs come from this package; the package name is lower-case):
yum -y install redhat-rpm-config
configure error: ./configure: error: ngx_http_lua_module requires the Lua library.
Fix as applied:
yum install lua-devel -y
Caveat: this error usually means LUAJIT_LIB/LUAJIT_INC are not exported in the shell running configure. Installing lua-devel makes the error go away by letting configure fall back to the system Lua 5.1 interpreter, so the binary ends up linked against liblua rather than LuaJIT. After make, check with ldd objs/nginx; if libluajit-5.1 is not listed, export the two variables and run configure again.
configure error: ./configure: error: the HTTP XSLT module requires the libxml2/libxslt
Fix:
yum install libxslt-devel -y
configure error: ./configure: error: the HTTP image filter module requires the GD library.
Fix:
yum install gd gd-devel -y
configure error: ./configure: error: perl module ExtUtils::Embed is required
Fix:
yum install perl-ExtUtils-Embed -y
configure error: ./configure: error: the Google perftools module requires the Google perftools
Fix:
yum install gperftools -y
configure finishes with a summary like this:
- Configuration summary
- + using system PCRE library
- + using system OpenSSL library
- + using system zlib library
- nginx path prefix: "/usr/share/nginx"
- nginx binary file: "/usr/sbin/nginx"
- nginx modules path: "/usr/lib64/nginx/modules"
- nginx configuration prefix: "/etc/nginx"
- nginx configuration file: "/etc/nginx/nginx.conf"
- nginx pid file: "/run/nginx.pid"
- nginx error log file: "/var/log/nginx/error.log"
- nginx http access log file: "/var/log/nginx/access.log"
- nginx http client request body temporary files: "/var/lib/nginx/tmp/client_body"
- nginx http proxy temporary files: "/var/lib/nginx/tmp/proxy"
- nginx http fastcgi temporary files: "/var/lib/nginx/tmp/fastcgi"
- nginx http uwsgi temporary files: "/var/lib/nginx/tmp/uwsgi"
- nginx http scgi temporary files: "/var/lib/nginx/tmp/scgi"
- ## Compile nginx
- make
- ## Hot-swap the binary (no downtime):
- # keep a copy of the running binary for rollback
- \cp -af /usr/sbin/nginx ~
- [root@host nginx-1.16.1]# cp -af objs/nginx /usr/sbin/
- cp: overwrite '/usr/sbin/nginx'? y
- # USR2 makes the old master start a second master from the new binary; the old master renames its pid file to /run/nginx.pid.oldbin and the new master writes /run/nginx.pid
- [root@host nginx-1.16.1]# kill -USR2 `cat /run/nginx.pid`
- [root@host nginx-1.16.1]# ps -ef|grep nginx
- root 21305 23677 0 01:31 ? 00:00:00 nginx: master process /usr/sbin/nginx
- nginx 21306 21305 0 01:31 ? 00:00:00 nginx: worker process
- root 21311 1443 0 01:31 pts/2 00:00:00 grep --color=auto nginx
- root 23677 1 0 Jan04 ? 00:00:00 nginx: master process /usr/sbin/nginx
- nginx 23678 23677 0 Jan04 ? 00:00:00 nginx: worker process
- # Send the quit signal
- [root@host nginx-1.16.1]# kill -QUIT `cat /run/nginx.pid`
- [root@host nginx-1.16.1]# ps -ef|grep nginx
- root 21368 1443 0 01:32 pts/2 00:00:00 grep --color=auto nginx
- root 23677 1 0 Jan04 ? 00:00:00 nginx: master process /usr/sbin/nginx
- nginx 23678 23677 0 Jan04 ? 00:00:00 nginx: worker process
Read the second ps listing carefully: the survivor is master 23677 from Jan04, i.e. the old binary, and the new pair 21305/21306 is gone. /run/nginx.pid already belonged to the new master when QUIT was sent, so the command as typed is nginx's documented rollback, not the end of the upgrade. The old master's pid is in /run/nginx.pid.oldbin; sending QUIT there retires the old master and its workers and leaves the new binary serving. Confirm with nginx -V (both --add-module entries must be listed) and ps before treating the upgrade as complete.
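The script below is an added example; it is not part of the original post or of nginx. It packages the steps above: derive the ./configure command from the running binary's own -V output (dropping --with-ipv6 and appending the two --add-module options), check the new objs/nginx before it replaces /usr/sbin/nginx, and do the USR2/QUIT hand-over with QUIT aimed at the old master through /run/nginx.pid.oldbin. The sample -V text is a constructed, shortened copy of the output shown earlier; the paths in the hot-swap helper are the CentOS ones used in this post and are assumptions for any other layout.

```shell
#!/bin/sh
# Added example (not from the original post): reuse the running binary's
# configure arguments, add the two Lua-related modules, verify the result and
# hand over to the new binary without dropping connections.
# Assumptions: CentOS paths from the post (/usr/sbin/nginx, /etc/nginx/nginx.conf,
# /run/nginx.pid); adjust for other layouts.

# Constructed sample of `nginx -V 2>&1`, shortened from the output in the post,
# so the text helpers can be exercised without an nginx binary present.
SAMPLE_V="nginx version: nginx/1.16.1
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-39) (GCC)
configure arguments: --prefix=/usr/share/nginx --sbin-path=/usr/sbin/nginx --with-ipv6 --with-http_ssl_module --with-cc-opt='-O2 -g' --with-ld-opt='-Wl,-z,relro'"

# Print the configure arguments of a `nginx -V 2>&1` capture (-V writes to
# stderr).  --with-ipv6 is dropped: nginx >= 1.11.5 always builds IPv6 in.
nginx_configure_args() {
    printf '%s\n' "$1" | sed -n 's/^configure arguments: //p' \
        | sed -e 's/ --with-ipv6 / /' -e 's/ --with-ipv6$//'
}

# Full ./configure command line: original args plus one --add-module per
# source directory given after the -V text.
configure_cmd() {
    _v=$1; shift
    _args=$(nginx_configure_args "$_v")
    for _d in "$@"; do
        _args="$_args --add-module=$_d"
    done
    printf '%s\n' "./configure $_args"
}

# True if a configure line (or -V capture) contains the lua module.
has_lua_module() {
    printf '%s\n' "$1" | grep -q -- '--add-module=[^ ]*lua-nginx-module'
}

# Pre-flight checks on the freshly built objs/nginx before touching /usr/sbin.
check_new_binary() {
    _bin=$1
    if ! has_lua_module "$("$_bin" -V 2>&1)"; then
        echo "lua module missing from $_bin"; return 1
    fi
    # LuaJIT under a private prefix must be resolvable at run time
    # (ld.so.conf.d entry + ldconfig, or -Wl,-rpath in --with-ld-opt).
    if ldd "$_bin" | grep -q 'not found'; then
        echo "unresolved shared library:"; ldd "$_bin" | grep 'not found'; return 1
    fi
    "$_bin" -t -c /etc/nginx/nginx.conf    # new binary must accept the live config
}

# Binary hot swap, the sequence the post performs, with QUIT aimed at the old
# master.  After USR2 the old master renames its pid file to nginx.pid.oldbin
# and the new master owns nginx.pid, so `cat /run/nginx.pid` is the NEW master.
nginx_hot_swap() {
    _new=$1; _pidfile=${2:-/run/nginx.pid}
    check_new_binary "$_new" || return 1
    cp -af /usr/sbin/nginx /usr/sbin/nginx.old      # rollback copy
    cp -af "$_new" /usr/sbin/nginx
    _old=$(cat "$_pidfile")
    kill -USR2 "$_old"
    _i=0
    while [ ! -s "$_pidfile.oldbin" ] && [ "$_i" -lt 10 ]; do sleep 1; _i=$((_i + 1)); done
    if [ ! -s "$_pidfile.oldbin" ]; then
        echo "new master did not start; see /var/log/nginx/error.log, old binary still serving"
        return 1
    fi
    kill -WINCH "$_old"                      # old workers finish in-flight requests and exit
    # To roll back at this point instead: kill -HUP "$_old"; kill -QUIT "$(cat "$_pidfile")"
    kill -QUIT "$(cat "$_pidfile.oldbin")"   # retire the OLD master, not the new one
}
```

To use it for real: export LUAJIT_LIB and LUAJIT_INC, cd into the nginx-1.16.1 source and run eval "$(configure_cmd "$(nginx -V 2>&1)" /server/tools/leilei/ngx_devel_kit-0.3.0 /server/tools/leilei/lua-nginx-module-0.10.11)" (eval is needed because --with-cc-opt and --with-ld-opt carry quoted values), then make and nginx_hot_swap objs/nginx. Between USR2 and the final QUIT both masters are alive; that is the moment to request the site through the new workers and, if anything is wrong, send HUP to the old master and QUIT to the new one instead.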
Lua module: consolidated steps
(LUAJIT_LIB and LUAJIT_INC must point at the PREFIX LuaJIT was installed under; the same prefix is used throughout.)
- wget http://luajit.org/download/LuaJIT-2.0.5.tar.gz
- tar xf LuaJIT-2.0.5.tar.gz
- cd LuaJIT-2.0.5
- make PREFIX=/usr/local/luajit
- make install PREFIX=/usr/local/luajit
- wget https://github.com/simplresty/ngx_devel_kit/archive/v0.3.0.tar.gz
- tar xf v0.3.0.tar.gz
- wget https://github.com/openresty/lua-nginx-module/archive/v0.10.11.tar.gz
- tar xf v0.10.11.tar.gz
- export LUAJIT_LIB=/usr/local/luajit/lib
- export LUAJIT_INC=/usr/local/luajit/include/luajit-2.0
Configuration:
- # Add the following inside the http block of nginx.conf:
- #----------waf firewall -----------------------------#
- lua_package_path "/etc/nginx/conf.d/waf/?.lua";
- lua_shared_dict limit 10m;
- init_by_lua_file /etc/nginx/conf.d/waf/init.lua;
- access_by_lua_file /etc/nginx/conf.d/waf/waf.lua;
- #----------waf firewall -----------------------------#
- # Fetch the lua WAF into the nginx configuration directory. The files must end up directly in /etc/nginx/conf.d/waf/, the path the directives above name; cloning while already inside that directory and then renaming leaves them one level too deep (/etc/nginx/conf.d/waf/waf/) and nginx -t cannot find init.lua. git clone creates the directory, so no mkdir is needed:
- cd /etc/nginx/conf.d/
- git clone https://github.com/loveshell/ngx_lua_waf.git
- mv ngx_lua_waf waf
- cd waf/
- [root@host waf]# ll
- total 32
- -rw-r--r-- 1 root root 2377 Jan 5 04:50 config.lua
- -rw-r--r-- 1 root root 6405 Jan 5 04:50 init.lua
- -rw-r--r-- 1 root root 1587 Jan 5 04:50 install.sh
- -rw-r--r-- 1 root root 4612 Jan 5 04:50 README.md
- drwxr-xr-x 2 root root 4096 Jan 5 04:50 wafconf
- -rw-r--r-- 1 root root 2295 Jan 5 04:50 waf.lua
- # Add it to the nginx configuration file
- vim /etc/nginx/nginx.conf
- http {
- ...
- ...
- #----------waf firewall -----------------------------#
- lua_load_resty_core off;
- lua_shared_dict limit 30m;
- lua_package_path "/etc/nginx/conf.d/waf/?.lua";
- init_by_lua_file /etc/nginx/conf.d/waf/init.lua;
- access_by_lua_file /etc/nginx/conf.d/waf/waf.lua;
- #----------waf firewall -----------------------------#
- ...
- ...
- }
Two points about this block. lua_load_resty_core is only understood by lua-nginx-module 0.10.15 and later; the 0.10.11 build above rejects it at nginx -t with "unknown directive", so leave that line out there. lua_shared_dict limit is the shared-memory zone the CC limiter counts requests in and must exist whenever CCDeny is on. Because the directives sit in the http block, every server{} in this nginx passes through the WAF; append ";;" to lua_package_path if other Lua libraries from the default search path are needed as well.
- # Edit /etc/nginx/conf.d/waf/config.lua and point the rule path at /etc/nginx/conf.d/waf/
- RulePath = "/etc/nginx/conf.d/waf/wafconf/"
- attacklog = "on"
- logdir = "/etc/nginx/logs/hack/"
- # Create the directories if they do not exist (the log directory must be writable by the nginx worker user, otherwise the attack log cannot be written)
- mkdir -p /etc/nginx/conf.d/waf/wafconf/
- mkdir -p /etc/nginx/logs/hack/
The configuration above does not make the WAF effective on its own; the checks still have to be switched on in config.lua.
Adding the configuration in nginx:
Enable the waf firewall:
vim /etc/nginx/conf.d/waf/config.lua and set config_waf_enable = "on"
In newer versions of ngx_lua_waf this switch no longer exists: the WAF is active as soon as the lua directives are loaded, and the way to turn it off is to comment the lua lines out of nginx.conf and reload.
waf firewall rule configuration:
File: /etc/nginx/conf.d/waf/config.lua
vim /etc/nginx/conf.d/waf/config.lua  # the values below are the shipped defaults, before any edits
RulePath = "/usr/local/nginx/conf/waf/wafconf/"
-- directory holding the rule files
attacklog = "on"
-- whether to log attack details; requires logdir
logdir = "/usr/local/nginx/logs/hack/"
-- log directory; create it yourself and make it writable by the nginx user
UrlDeny="on"
-- whether to block requests by the URL rules
Redirect="on"
-- whether to serve the block page after a hit
CookieMatch = "on"
-- whether to block cookie attacks
postMatch = "on"
-- whether to block attacks in POST bodies
whiteModule = "on"
-- whether to enable the URL whitelist
black_fileExt={"php","jsp"}
-- file extensions that must not be uploaded
ipWhitelist={"127.0.0.1"}
-- IP whitelist, comma-separated for several addresses
ipBlocklist={"1.0.0.1"}
-- IP blacklist, comma-separated for several addresses
CCDeny="on"
-- whether to block CC (request flood) attacks; needs lua_shared_dict limit 10m; in the http block of nginx.conf
CCrate = "100/60"
-- CC threshold as requests/seconds
-- default: one IP may request the same URL at most 100 times per minute
html=[[Please go away~~]]
-- block page body returned on a hit; edit the text inside the double brackets
Note: keep the double quotes as they are; the names are Lua variables and case-sensitive, so html, RulePath, CCrate etc. must be spelled exactly. Whitelisted addresses skip every other check, including the blacklist and the CC limit, so with 127.0.0.1 in ipWhitelist a test run from the server itself never triggers the WAF.
Access test:
http://115.159.79.190/index.php?id=../etc/passwd
Request something that looks like access to a sensitive file and check that it is blocked.
If the block message appears, the waf firewall is working.
The blocked-request page may also look like this:
Testing IP blocking:
# blacklist: add our own address 117.186.242.158, comma-separated
ipBlocklist={ "1.0.0.1","117.186.242.158" }
# whitelist: the same address would go here to exempt it instead
ipWhitelist={ "127.0.0.1" }
Actual blacklist result:
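Below is an added example, not code from ngx_lua_waf or the original post: a small smoke test to run after every rule or config.lua change, so that an edit that silently disables the WAF, or one that starts blocking legitimate traffic, is caught immediately instead of by hand in a browser. It assumes a rule hit returns 403 with the html body (Redirect="on"), that the CC limiter answers 503, and that the client running it is not in ipWhitelist; the host name example.test used offline is constructed.

```shell
#!/bin/sh
# Added example, not part of ngx_lua_waf or the original post: smoke-test the
# WAF with requests whose verdict is known, so rule/config changes are checked.
# Assumptions: rule hits answer 403 (Redirect="on" serves the html body), the
# CC limiter answers 503, and the client is NOT in ipWhitelist (whitelisted
# addresses skip every check, so every expectation below would fail).

# Command that prints the HTTP status for a URL; override WAF_FETCH to run offline.
WAF_FETCH=${WAF_FETCH:-curl_status}
curl_status() {
    # -s quiet, -o discard body, -w print only the code, -m give up after 5 s
    curl -s -o /dev/null -m 5 -w '%{http_code}' "$1"
}

# One request with an expected status; returns 0 on match, 1 on mismatch.
waf_case() {
    _url=$1; _want=$2
    _got=$("$WAF_FETCH" "$_url")
    if [ "$_got" = "$_want" ]; then
        echo "ok   $_want $_url"
    else
        echo "FAIL want $_want got $_got $_url"
        return 1
    fi
}

# CC check: the limiter counts per client IP and URI inside the CCrate window
# ("100/60" = 100 requests per 60 s), so hit one URI until it answers 503 or
# the budget (limit + 2 requests) is used up.
waf_cc_case() {
    _url=$1; _limit=$2; _n=0
    while [ "$_n" -le $((_limit + 1)) ]; do
        _got=$("$WAF_FETCH" "$_url")
        _n=$((_n + 1))
        if [ "$_got" = 503 ]; then
            echo "ok   503 after $_n requests $_url"
            return 0
        fi
    done
    echo "FAIL no 503 after $_n requests $_url"
    return 1
}

# The suite; the exit status is the number of failed cases.
waf_smoke_test() {
    _base=$1; _fail=0
    # a benign request must pass: catches a rule set that blocks everything
    waf_case "$_base/index.php?id=1" 200 || _fail=$((_fail + 1))
    # the traversal probe from the post, matched by the \.\./ entry in wafconf/args
    waf_case "$_base/index.php?id=../etc/passwd" 403 || _fail=$((_fail + 1))
    # SQL injection probe, also covered by the default args rules
    waf_case "$_base/index.php?id=1%20union%20select%201" 403 || _fail=$((_fail + 1))
    # request flood against one URI; CCrate="100/60" in config.lua
    waf_cc_case "$_base/" 100 || _fail=$((_fail + 1))
    return $_fail
}
```

Run it from a machine other than the server, or remove 127.0.0.1 from ipWhitelist first: waf_smoke_test http://115.159.79.190. After adding your own address to ipBlocklist, every case including the benign one should come back 403, which is the blacklist check the post performs by hand. WAF_FETCH can be pointed at any command that prints a status code, which also lets the logic be exercised without a live server.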
Custom block page:
Create 50x.html in the site root with the content below. nginx's default server block maps 500/502/503/504 to /50x.html through error_page, so this is the page a client sees when the CC limiter trips; rule hits return the html string from config.lua instead.
cat /usr/share/nginx/html/50x.html
#-------------------------------------------------------
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<title>Website Firewall</title>
<style>
p { line-height:20px; }
ul{ list-style-type:none;}
li{ list-style-type:none;}
</style>
</head>
<body style="padding:0; margin:0; font:14px/1.5 Microsoft Yahei, 宋体, sans-serif; color:#555;">
<div style="margin: 0 auto; width:1000px; padding-top:70px; overflow:hidden;">
<div style="width:600px; float:left;">
<div style="height:40px; line-height:40px; color:#fff; font-size:16px; overflow:hidden; background:#6bb3f6; padding-left:20px;">Website Firewall</div>
<div style="border:1px dashed #cdcece; border-top:none; font-size:14px; background:#fff; color:#555; line-height:24px; height:220px; padding:20px 20px 0 20px; overflow-y:auto;background:#f3f7f9;">
<p style="margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px;"><span style="font-weight:600; color:#fc4f03;">Your request carries illegal parameters and has been blocked by the site administrator!</span></p>
<p style="margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px;">Possible cause: the content you submitted contains a dangerous attack request</p>
<p style="margin-top:12px; margin-bottom:12px; margin-left:0px; margin-right:0px; -qt-block-indent:1; text-indent:0px;">How to resolve:</p>
<ul style="margin-top: 0px; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; -qt-list-indent: 1;">
<li style="margin-top:12px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px;">1) Check the submitted content;</li>
<li style="margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px;">2) If the site is hosted, contact the hosting provider;</li>
<li style="margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px;">3) Ordinary visitors, please contact the site administrator by phone: 18816997176</li>
</ul>
</div>
</div>
</div>
</body>
</html>
#-------------------------------------------------------
Result:
Source: http://www.bubuko.com/infodetail-3526302.html