利用 Naxsi 在 Nginx 上构建 WAF
2019-12-16
yangqing
环境使用的程序包如下（网盘镜像，仅供参考）: https://share.weiyun.com/5VfnzVo 。出于安全考虑，建议从官方渠道获取源码（Naxsi 的 GitHub release、nginx.org、pcre.org）并在解压前核对官方发布的校验和或签名：网盘中的压缩包无法验证来源，而且 naxsi 0.55.3 与 pcre 8.20 都已是较旧的版本，生产环境应优先选用仍在维护的版本。
1、解压naxsi-0.55.3.tar.gz包到/usr/local/src
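# Extract into /usr/local/src so the --add-module path used by ./configure
# below resolves; without -C the archive is unpacked into the current directory.
$ tar xzvf naxsi-0.55.3.tar.gz -C /usr/local/src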
2、编译nginx
# Run from the unpacked nginx source directory. Points to review before building:
#  - pcre 8.20 is a 2011 release; later 8.x releases fixed security bugs in the
#    regex engine that Naxsi's rules are evaluated with -- prefer a current pcre
#    release (or drop --with-pcre=<dir> and build against the distro package).
#  - NOTE(review): Naxsi's documentation asks for it to be the first
#    --add-module so its access-phase handler runs ahead of other modules;
#    confirm for 0.55.3 and, if so, list it before the sticky module.
#  - Add --with-http_ssl_module if this instance is meant to terminate TLS.
$ ./configure --prefix=/usr/local/nginx --with-http_stub_status_module --add-module=/usr/local/src/nginx-sticky-module-ng --with-pcre=/usr/local/src/pcre-8.20 --add-module=/usr/local/src/naxsi-0.55.3/naxsi_src
$ make && make install
3、拷贝主配置文件【naxsi_core.rules】到项目中
# naxsi_config/ is relative to the unpacked Naxsi source tree
# (/usr/local/src/naxsi-0.55.3). The rule ids are tied to the module version,
# so always copy the file from the same tarball that was compiled in.
$ cp naxsi_config/naxsi_core.rules /usr/local/nginx/conf/
4、将 naxsi_core.rules 引入 nginx.conf 的 http 块（其中的 MainRule 核心规则须放在 http 上下文，不能放在 server/location 中）
$ vim /usr/local/nginx/conf/nginx.conf
http {
...
# Core signature set (MainRule definitions). Naxsi requires these in the http
# context; per-location policy (SecRulesEnabled, CheckRule, BasicRule
# whitelists) goes into the location blocks. Re-copy this file whenever the
# module is upgraded so rule ids and the compiled module stay in sync.
include /usr/local/nginx/conf/naxsi_core.rules;
...
}
5、自定义子规则【naxsi.rules】
$ vim /usr/local/nginx/conf/naxsi.rules
# Enable the Naxsi engine for the location that includes this file.
SecRulesEnabled;
# Learning mode: a request that would be blocked is still served and only the
# triggering rules are written to the nginx error log. While it is enabled the
# WAF blocks nothing, so keep it commented out in production.
#LearningMode;
# Location Naxsi internally redirects a blocked request to; it must exist in
# the server block (in this setup it simply returns 403).
DeniedUrl "/RequestDenied";
# Score thresholds: every matching MainRule adds its score to the named
# counter, and a request whose counter reaches the threshold is blocked (only
# logged in learning mode). Lower a threshold to make that category stricter.
# NOTE(review): 0.55.x also ships libinjection checks (LibInjectionSql; /
# LibInjectionXss; with $LIBINJECTION_SQL / $LIBINJECTION_XSS counters);
# consider enabling them -- confirm the directive names against the 0.55.3 docs.
CheckRule "$SQL >= 10" BLOCK;
CheckRule "$RFI >= 8" BLOCK;
CheckRule "$TRAVERSAL >= 4" BLOCK;
CheckRule "$EVADE >= 4" BLOCK;
CheckRule "$XSS >= 8" BLOCK;
6、将子规则放在location中,同时加上/RequestDenied的策略
$ vim /usr/local/nginx/conf/nginx.conf
server {
location / {
# Naxsi directives are per-location: only requests handled by this location
# are inspected. Every other location that serves application traffic (for
# example a PHP handler) needs the same include, otherwise requests routed
# there bypass the WAF entirely.
include /usr/local/nginx/conf/naxsi.rules;
root html;
index index.html index.htm;
}
# Target of DeniedUrl: Naxsi performs an internal redirect here for a blocked
# request. Returning a bare 403 keeps the denied response from reflecting any
# request content back to the client.
location /RequestDenied {
return 403;
}
}
7、创建白名单文件【wordpress.rules】（上游 Naxsi 源码的 naxsi_config/ 目录提供了该文件；拷贝时注意保留每条 BasicRule 末尾的 mz: 匹配区域，否则白名单不会被限定在预期的请求区域内）
$ vim /usr/local/nginx/conf/wordpress.rules
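# WordPress naxsi rules
### HEADERS
# Whitelist ids 11 (uncommon content-type), 1302/1303 ('<' and '>' XSS
# signatures) and 16 (libinjection XSS), but ONLY in the Cookie header, which
# is where WordPress's own cookies trip them. Without a "mz:" match zone the
# whitelist is not restricted to this header and would suppress the same
# signatures in other zones as well, weakening XSS detection site-wide.
# NOTE(review): the id meanings and the Cookie scope follow the upstream
# naxsi_config/wordpress.rules for 0.55.x -- confirm against that file.
BasicRule wl:11,1302,1303,16 "mz:$HEADERS_VAR:cookie";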
8、配置【wordpress.rules】到项目中
location / {
# Naxsi policy for this location (SecRulesEnabled, DeniedUrl, CheckRule).
include /usr/local/nginx/conf/naxsi.rules;
# Application-specific whitelists (BasicRule wl:...). They are per-location
# as well, so they only relax the rules for requests handled here. Review
# every whitelisted id: a BasicRule without a "mz:" zone is not scoped and
# widens the exemption far beyond the intended header or argument.
include /usr/local/nginx/conf/wordpress.rules;
root html;
index index.html index.htm;
}
注:
如果出现误拦截：在 naxsi.rules 中取消 LearningMode; 的注释，然后执行 nginx -s reload。注意：学习模式下 Naxsi 只记录、不拦截，相当于暂时关闭了 WAF，应只在排查或收集误报期间临时开启；根据 error log 中的 NAXSI_FMT 记录编写针对性的 BasicRule 白名单（0.55 附带的 nxapi/nxtool 可辅助生成）之后，务必再次注释掉 LearningMode; 并 reload。
# Learning mode: the request that would have been blocked is still served and
# only the triggering rules are written to the error log. Use it temporarily to
# gather false positives and build whitelists, then comment it out again --
# while it is on the WAF blocks nothing.
LearningMode;