首页 > 代码库 > [security][modsecurity][nginx] nginx安装modsecurity
[security][modsecurity][nginx] nginx安装modsecurity
参考文档:
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#installation-for-nginx
nginx不支持动态加载模块,所以需要重新编译,将modsecurity和nginx整合。
一: 软件准备:
ModSecurity-2.9.1.zip
nginx-1.10.1.tar.gz
根据文档所述,有一些依赖包需要安装。
yum install httpd httpd-devel pcre pcre-devel libxml2-devel
二, 编译安装:
从 2.6开始,modsecurity的编译方式发生了调整。参考:
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#GitHub_Access
[root@dpdk ModSecurity-2.9.1]# ./autogen.sh [root@dpdk ModSecurity-2.9.1]# ./configure --enable-standalone-module --disable-mlogc [root@dpdk ModSecurity-2.9.1]# make
编译nginx
[root@dpdk nginx-1.10.1]# ./configure --prefix=/root/modsecurity/output --add-module=../ModSecurity-2.9.1/nginx/modsecurity/
[root@dpdk nginx-1.10.1]# make
[root@dpdk nginx-1.10.1]# make install
三, 运行nginx
1. 修改配置文件,conf/nginx.conf, 增加如下行:
user root;
2. 使用如下命令启动/停止:
[root@dpdk output]# ./sbin/nginx -c conf/nginx.conf
[root@dpdk output]# ./sbin/nginx -s stop
四,配置modsecurity
已经在nginx中设置了两个监听端口80,81,分别对应于两个静态页。
[root@dpdk conf]# cat nginx.conf user root; worker_processes 1; #error_log logs/error.log; #error_log logs/error.log notice; #error_log logs/error.log info; #pid logs/nginx.pid; events { worker_connections 1024; } http { include mime.types; default_type application/octet-stream; #log_format main ‘$remote_addr - $remote_user [$time_local] "$request" ‘ # ‘$status $body_bytes_sent "$http_referer" ‘ # ‘"$http_user_agent" "$http_x_forwarded_for"‘; #access_log logs/access.log main; sendfile on; #tcp_nopush on; #keepalive_timeout 0; keepalive_timeout 65; #gzip on; include custom.conf; include mod.conf; server { listen 80; server_name localhost; #charset koi8-r; #access_log logs/host.access.log main; location / { root html; index index.html index.htm; } #error_page 404 /404.html; # redirect server error pages to the static page /50x.html # error_page 500 502 503 504 /50x.html; location = /50x.html { root html; } # proxy the PHP scripts to Apache listening on 127.0.0.1:80 # #location ~ \.php$ { # proxy_pass http://127.0.0.1; #} # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000 # #location ~ \.php$ { # root html; # fastcgi_pass 127.0.0.1:9000; # fastcgi_index index.php; # fastcgi_param SCRIPT_FILENAME /scripts$fastcgi_script_name; # include fastcgi_params; #} # deny access to .htaccess files, if Apache‘s document root # concurs with nginx‘s one # #location ~ /\.ht { # deny all; #} } # another virtual host using mix of IP-, name-, and port-based configuration # #server { # listen 8000; # listen somename:8080; # server_name somename alias another.alias; # location / { # root html; # index index.html index.htm; # } #} # HTTPS server # #server { # listen 443 ssl; # server_name localhost; # ssl_certificate cert.pem; # ssl_certificate_key cert.key; # ssl_session_cache shared:SSL:1m; # ssl_session_timeout 5m; # ssl_ciphers HIGH:!aNULL:!MD5; # ssl_prefer_server_ciphers on; # location / { # root html; # index index.html index.htm; # } #} }
[root@dpdk conf]# cat custom.conf server { listen 81; server_name localhost; #charset koi8-r; #access_log logs/host.access.log main; location / { root /usr/share/nginx/html; index index.html index.htm; } #error_page 404 /404.html; # redirect server error pages to the static page /50x.html # error_page 500 502 503 504 /50x.html; location = /50x.html { root html; } }
增加配置文件 mod.conf 监听于端口82
[root@dpdk conf]# cat mod.conf server { listen 82; server_name localhost; location / { ModSecurityEnabled on; ModSecurityConfig modsecurity.conf; proxy_pass http://127.0.0.1:81; proxy_read_timeout 180s; } } [root@dpdk conf]#
其中引用了两个配置文件,模板如下:
https://raw.githubusercontent.com/SpiderLabs/ModSecurity/master/modsecurity.conf-recommended
https://raw.githubusercontent.com/SpiderLabs/ModSecurity/master/unicode.mapping
五: 规则/语法/配置
文档:
https://www.feistyduck.com/library/modsecurity-handbook-free/online/
Everything in ModSecurity revolves around two things: configuration and rules.
The configuration tells ModSecurity how to process the data it sees;
the rules decide what to do with the processed data.
For example: SecRule ARGS "<script>" log,deny,status:404 Even without further assistance, you can probably recognize the part in the rule that specifies what we wish to look for in input data (<script>). Similarly, you will easily figure out what will happen if we do find the desired pattern (log,deny,status:404). Things will become more clear if I tell you about the general rule syntax, which is the following: SecRule VARIABLES OPERATOR ACTIONS The three parts have the following meanings: The VARIABLES part tells ModSecurity where to look. The ARGS variable, used in the example, means all request parameters. The OPERATOR part tells ModSecurity how to look. In the example, we have a regular expression pattern, which will be matched against ARGS. The ACTIONS part tells ModSecurity what to do on a match. The rule in the example gives three instructions: log problem, deny transaction and use the status 404 for the denial (status:404).
手册:
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual
第三方规则:
OWASP: https://www.owasp.org/index.php/Main_Page
Core Rules: https://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project
结合手册读规则模板:
TODO。。。
[security][modsecurity][nginx] nginx安装modsecurity
声明:以上内容来自用户投稿及互联网公开渠道收集整理发布,本网站不拥有所有权,未作人工编辑处理,也不承担相关法律责任,若内容有误或涉及侵权可进行投诉: 投诉/举报 工作人员会在5个工作日内联系你,一经查实,本站将立刻删除涉嫌侵权内容。