Nginx+Naxsi部署专业级Web应用防火墙
Naxsi简介:
Naxsi是一个开放源代码、高效、低维护规则的Nginx web应用防火墙模块。Naxsi的主要目标是帮助人们加固他们的web应用程序,以抵御SQL注入、跨站脚本、跨域伪造请求、本地和远程文件包含漏洞。
安装配置naxsi模块步骤如下:
一.首先要搭建lnmp环境并添加lua模块:
添加lua模块步骤如下:
1.下载并安装lua模块:
wget http://luajit.org/download/LuaJIT-2.0.1.tar.gz
tar zxvfLuaJIT-2.0.1.tar.gz
cd LuaJIT-2.0.1
make && make install
2.下载ngx_devel_kit 和nginx_lua_module并解压
tar zxvfngx_devel_kit-0.2.19.tar.gz
tar zxvflua-nginx-module-0.9.2.tar.gz
3.进入nginx源码文件夹,编译安装nginx
a.导入环境变量
export LUAJIT_LIB=/usr/local/lib
export LUAJIT_INC=/usr/local/include/luajit-2.0
b.查看nginx的先前的configure配置
/usr/local/webserver/nginx/sbin/nginx -V
nginxversion: nginx/1.2.9
configurearguments: --user=www --group=www --prefix=/usr/local/webserver/nginx --with- http_stub_status_module --with-http_ssl_module
c.重新编译安装nginx:
cd /tools/nginx-1.2.9
./configure --user=www --group=www --prefix=/usr/local/webserver/nginx --with-http_stub_status_module --with-http_ssl_module --add-module=/tools/ngx_devel_kit-0.2.19 --add-module=/tools/lua-nginx-module-0.9.2
make -j2
make install
此时检查nginx配置文件语法会出现错误:
/usr/local/webserver/nginx/sbin/nginx -t
/usr/local/webserver/nginx/sbin/nginx:error while loading shared libraries:
libluajit-5.1.so.2: cannot open sharedobject file: No such file or directory
原因是找不到libluajit-5.1.so.2
解决方法:
find / -name "libluajit-5.1.so.2"
/usr/local/lib/libluajit-5.1.so.2
echo "/usr/local/lib" >>/etc/ld.so.conf
ldconfig
/usr/local/webserver/nginx/sbin/nginx -t
nginx:the configuration file /usr/local/webserver/nginx/conf/nginx.conf syntax is ok
nginx:configuration file /usr/local/webserver/nginx/conf/nginx.conf test issuccessful
配置OK。
二.下载naxsi模块:
wget http://naxsi.googlecode.com/files/naxsi-core-0.50.tgz
tar zxvf naxsi-core-0.50.tgz
三.关联naxsi模块:
先查看nginx的原有./configure配置,然后复制后并添加naxsi模块的路径:
cd /tools/nginx-1.2.9
./configure --user=www --group=www --prefix=/usr/local/webserver/nginx --with-http_stub_status_module --with-http_ssl_module --add-module=/tools/ngx_devel_kit-0.2.19 --add-module=/tools/lua-nginx-module-0.9.2 --add-module=/tools/naxsi-core-0.50/naxsi_src/
make && make install
四.配置naxsi模块:
官网说明见:
http://code.google.com/p/naxsi/wiki/Howto#Installing_nginx_+_naxsi
1.将naxsi_config目录下核心配置naxsi_core.rules拷贝到nginx/conf/目录下:
cp /tools/naxsi-core-0.50/naxsi_config/naxsi_core.rules /usr/local/webserver/nginx/conf/
2.在nginx/conf/目录下新建naxsi_nbs.rules文件,用以配置使用;
touch naxsi_nbs.rules
3.配置nginx.conf文件:
user www;
worker_processes 1;
events {
worker_connections 1024;
}
http {
include mime.types;
include/usr/local/webserver/nginx/conf/naxsi_core.rules;
default_type application/octet-stream;
sendfile on;
keepalive_timeout 65;
server {
listen 80;
server_name localhost;
location / {
root html;
index index.html index.htm;
}
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root html;
}
location /xss {
include naxsi_nbs.rules;
include naxsi_BasicRule.conf;
default_type 'test/plain';
content_by_lua '
ngx.say("({\'Test xss ,come inplease!!!\'})");
';
root html;
}
location /RequestDenied {
return 403;
}
error_page 403 /403.html;
}
}
4.配置规则文件naxsi_nbs.rules
#LearningMode; #Enables learningmode
SecRulesEnabled;
#SecRulesDisabled;
DeniedUrl "/RequestDenied";
## check rules
CheckRule "$SQL >= 8"BLOCK;
CheckRule "$RFI >= 8"BLOCK;
CheckRule "$TRAVERSAL >=4"
BLOCK; CheckRule "$EVADE >=4" BLOCK;
CheckRule "$XSS >= 8"BLOCK;
5.配置白名单文件naxsi_BasicRule.conf
12 BasicRule wl:0"mz:$ARGS_VAR:script";
BasicRule wl:0"mz:$ARGS_VAR:id";
这表示xss攻击正常是被拦截的,若被添加白名单,则不被拦截:此处是Get 参数名若为id 或者script,则不被拦截;
BasicRule的规则说明,具体参见:http://code.google.com/p/naxsi/wiki/BasicRule
五.测试naxsi模块
1.检查语法并重启nginx服务:
12 /usr/local/webserver/nginx/sbin/nginx -t
/usr/local/webserver/nginx/sbin/nginx -s reload
2.测试连接:
http://192.168.1.11/xss/xss/
http://192.168.1.11/xss/xss/?id=40/**/and/**/1=1
http://192.168.1.11/xss/xss/?name=40/**/and/**/1=1
http://192.168.1.11/xss/xss/?name=%28%29
http://192.168.1.11/xss/xss/?term=%3Cscript%3Ewindow.open%28%22
http://192.168.1.11/xss/xss/?title=meta%20http-equiv=%22refresh%22%20content=%220;%22
测试结果:
1通过
2通过,因为配置到白名单
3不通过,含有条件注入
4不通过,特殊字符
5不通过,参数内容含脚本注入
6不通过
转载声明:本文为红盾科技技术分享平台的原创文章,转载请注明原文地址,谢谢合作
发表评论: