nginx配合modsecurity实现WAF功能

系统：centos6.564位、ngx_openresty-1.7.10.1，modsecurity2.9.0

openresty:‍‍http://openresty.org/download/ngx_openresty-1.7.10.1.tar.gz‍‍

modsecurityfornginx:https://www.modsecurity.org/tarball/2.9.0/modsecurity-2.9.0.tar.gz

owasp规则集：https://github.com/spiderlabs/owasp-modsecurity-crs

依赖关系：

modsecurty依赖的包：pcrehttpd-devellibxml2apr

yuminstallhttpd-develaprapr-util-develapr-develpcrepcre-devellibxml2libxml2-devel

openresty依赖的包：pcre、zlib、openssl

yuminstallzlibzlib-developensslopenssl-develpcrepcre-devel二.启用standalone模块并编译

下载modsecurityfornginx解压，进入解压后目录执行：

./autogen.sh./configure--enable-standalone-module--disable-mlogcmake

在编译standalone后，openresty编译时可以通过"--add-module"添加modsecurity模块：

./configure--prefix=/opt/openresty--with-pcre-jit--with-ipv6--without-http_redis2_module--with-http_iconv_module-j2--add-module=../modsecurity-2.9.0/nginx/modsecurity/make&&makeinstall四.添加规则

modsecurity倾向于过滤和阻止web危险，之所以强大就在于规则，owasp提供的规则是于社区志愿者维护的，被称为核心规则crs（corerules）,规则可靠强大，当然也可以自定义规则来满足各种需求。

gitclonehttps://github.com/spiderlabs/owasp-modsecurity-crsmvowasp-modsecurity-crs/opt/openresty/nginx/conf/cd/opt/openresty/nginx/conf/owasp-modsecurity-crs/&&mvmodsecurity_crs_10_setup.conf.examplemodsecurity_crs_10_setup.conf

复制modsecurity源码目录下的modsecurity.conf-recommended和unicode.mapping到nginx的conf目录下，并将modsecurity.conf-recommended重新命名为modsecurity.conf。

mvmodsecurity.conf-recommended/opt/openresty/nginx/conf/modsecurity.confcpunicode.mapping/opt/openresty/nginx/conf/

编辑modsecurity.conf文件，将secruleengine设置为on

sed-i's/^secruleengine.*/secruleengineon/'/opt/openresty/nginx/conf/modsecurity.conf

owasp-modsecurity-crs下有很多存放规则的文件夹，例如base_rules、experimental_rules、optional_rules、slr_rules，里面的规则按需要启用。

需要启用的规则使用include到modsecurity.conf即可。

includeowasp-modsecurity-crs/modsecurity_crs_10_setup.confincludeowasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.confincludeowasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.confincludeowasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.confincludeowasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_dos_protection.confincludeowasp-modsecurity-crs/experimental_rules/modsecurity_crs_11_brute_force.confincludeowasp-modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf

在需要启用modsecurity的主机的location下面加入下面两行即可：

modsecurityenabledon;modsecurityconfigmodsecurity.conf;

下面是几个示例配置，php虚拟主机：

server{listen80;server_nametest.netwww.test.net;location~.php${modsecurityenabledon;modsecurityconfigmodsecurity.conf;root/web/wordpress;indexindex.phpindex.htmlindex.htm;fastcgi_pass127.0.0.1:9000;fastcgi_indexindex.php;fastcgi_paramscript_filename$document_root$fastcgi_script_name;includefastcgi_params;}}

upstream负载均衡：

upstreamonline{server192.168.1.100:8080;server192.168.1.101:8080backup;}server{listen80;server_nametest.netwww.test.net;location/{modsecurityenabledon;modsecurityconfigmodsecurity.conf;proxy_passhttp://online;proxy_redirectoff;proxy_set_headerhost$host;proxy_set_headerx-real-ip$remote_addr;proxy_set_headerx-forwarded-for$proxy_add_x_forwarded_for;}}

泛域名解析，反向代理方式：

upstreamreal_webserver{server192.168.0.12;server192.168.0.13;}server{listen80;server_name_;location{modsecurityenabledon;modsecurityconfigmodsecurity.conf;proxy_set_headerhost$host;proxy_set_headerx-real-ip$remote_addr;proxy_set_headerx-forwarded-for$proxy_add_x_forwarded_for;proxy_passhttp://real_webserver;}}

我们启用了xss和sql注入的过滤，不正常的请求会直接返回403。以php环境为例，新建一个phpinfo.php内容为：

在浏览器中访问：

http://www.52os.net/phpinfo.php?id=1正常显示。http://www.52os.net/phpinfo.php?id=1and1=1返回403。http://www.52os.net/phpinfo.php?search=alert('xss');返回403。

说明sql注入和xss已经被过滤了