modsecurity+openwaf集成

it2025-03-19  28

1.安装依赖

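# Step 1: install the build dependencies, then fetch and unpack the source
# tarballs that later steps reference by absolute path under /opt.
apt-get install \
  apache2-dev autoconf automake build-essential bzip2 checkinstall \
  devscripts flex g++ gcc git graphicsmagick-imagemagick-compat \
  graphicsmagick-libmagick-dev-compat libaio-dev libaio1 libass-dev \
  libatomic-ops-dev libavcodec-dev libavdevice-dev libavfilter-dev \
  libavformat-dev libavutil-dev libbz2-dev libcdio-cdda1 \
  libcdio-paranoia1 libcdio13 libcurl4-openssl-dev libfreetype6-dev \
  libgd-dev libgeoip-dev libgeoip1 libgif-dev libgpac-dev libgsm1-dev \
  libjack-jackd2-dev libjpeg-dev libjpeg-progs libjpeg8-dev liblmdb-dev \
  libmp3lame-dev libncurses5-dev libopencore-amrnb-dev \
  libopencore-amrwb-dev libpam0g-dev libpcre3 libpcre3-dev libperl-dev \
  libpng12-0 libpng12-dev libreadline-dev librtmp-dev libsdl1.2-dev \
  libssl-dev libssl1.0.0 libswscale-dev libtheora-dev libtiff5-dev \
  libtool libva-dev libvdpau-dev libvorbis-dev libxml2-dev libxslt1-dev \
  libxslt1.1 libxvidcore-dev libxvidcore4 libyajl-dev make openssl perl \
  pkg-config tar texi2html unzip zip zlib1g-dev

# Later steps use /opt/libcidr-1.2.3, /opt/pcre-8.43 and /opt/openssl-1.1.1d,
# so download and unpack in /opt.
cd /opt || exit 1

# NOTE(review): the libcidr tarball is fetched over plaintext HTTP, and none of
# the four downloads is checked for integrity. All of this code is compiled and
# installed as root, so verify each archive against the publisher's checksum or
# signature before extracting, e.g.
#   echo "<EXPECTED_SHA256>  libcidr-1.2.3.tar.xz" | sha256sum -c -
wget http://www.over-yonder.net/~fullermd/projects/libcidr/libcidr-1.2.3.tar.xz
wget https://ftp.pcre.org/pub/pcre/pcre-8.43.tar.gz
# NOTE(review): OpenSSL 1.1.1d is an old release of a branch that upstream no
# longer supports; step 6 links it into the proxy, so prefer a maintained
# release when adapting these steps.
wget https://www.openssl.org/source/openssl-1.1.1d.tar.gz
wget https://openresty.org/download/openresty-1.15.8.2.tar.gz

tar -xvf libcidr-1.2.3.tar.xz
tar -zxvf pcre-8.43.tar.gz
tar -zxvf openssl-1.1.1d.tar.gz
tar -zxvf openresty-1.15.8.2.tar.gz

# The archives are plain files, so no recursive delete is needed.
rm -f -- pcre-8.43.tar.gz \
  openssl-1.1.1d.tar.gz \
  openresty-1.15.8.2.tar.gz

# Build and install libcidr (OpenWAF links against libcidr.so in step 5).
cd /opt/libcidr-1.2.3
make && make install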

2.下载ModSecurity

# Step 2: build and install libmodsecurity (ModSecurity v3) from source.
# NOTE(review): this builds whatever commit origin/v3/master points to at clone
# time. For a reproducible build, check out a specific release tag instead
# (e.g. `git checkout <RELEASE_TAG>`) and record the resulting commit hash.
git clone https://github.com/SpiderLabs/ModSecurity.git
cd ModSecurity/
git checkout -b v3/master origin/v3/master
sh build.sh
# The submodules pull further third-party code into the build.
git submodule init
git submodule update
# Build with YAJL so that JSON request-body parsing and JSON audit logging are available.
./configure --with-yajl=yes
make
make install

3.下载ModSecurity-nginx

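# Step 3: fetch the nginx connector module for libmodsecurity (shallow clone).
# Clone over HTTPS rather than plaintext HTTP, so that the server is
# authenticated and the source that gets compiled into the proxy cannot be
# swapped in transit.
# NOTE(review): this takes the default branch unpinned; consider checking out a
# release tag (`git checkout <RELEASE_TAG>`).
git clone --depth 1 https://github.com/SpiderLabs/ModSecurity-nginx.git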

4.下载owasp规则库

# Step 4: fetch the OWASP Core Rule Set and activate its example configuration.
# NOTE(review): the default branch is cloned unpinned; check out a specific CRS
# release tag (`git checkout <CRS_RELEASE_TAG>`) so that the rule set you run
# is a known, reviewable version.
git clone https://github.com/SpiderLabs/owasp-modsecurity-crs.git
cd owasp-modsecurity-crs/
# crs-setup.conf holds the CRS tuning options; review it before enabling blocking.
cp crs-setup.conf.example crs-setup.conf
cd rules
# The two exclusion files are presumably where site-specific rule exclusions go
# (before and after the CRS rules respectively) — confirm against the CRS docs.
cp REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf
cp RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.example RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf

5.搭建openwaf

git clone https://github.com/titansec/OpenWAF.git cd OpenWAF/ mv /opt/OpenWAF/lib/openresty/configure /opt/openresty/ #可以不剪切 cp -RP /opt/OpenWAF/lib/openresty/* /opt/openresty/bundle/ make clean make install ln -s /usr/local/lib/libcidr.so /opt/OpenWAF/lib/resty/libcidr.so

6.openresty集成

# Step 6: configure and build OpenResty with the ModSecurity connector as a
# dynamic module.
# Presumably run from the OpenResty source directory, with ModSecurity-nginx
# cloned as a sibling directory (the module path is relative) — confirm.
# OpenSSL and PCRE are compiled from the source trees unpacked in step 1, so
# the proxy's TLS and regex code is fixed at those versions and will not pick
# up distribution security updates; rebuild when either needs patching.
# NOTE(review): --with-ipv6 is reported as deprecated by newer nginx cores;
# verify for this version.
./configure --with-pcre-jit --with-ipv6 --with-http_stub_status_module --with-http_ssl_module --with-http_realip_module --with-http_sub_module --with-http_geoip_module --with-openssl=/opt/openssl-1.1.1d --with-pcre=/opt/pcre-8.43 --add-dynamic-module=../ModSecurity-nginx
make
make install

7.配置

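# Step 7: put the CRS and ModSecurity configuration files in place and prepare
# the log directory.
# The CRS copies below repeat the ones from step 4; re-running them only
# overwrites the same files.
cd owasp-modsecurity-crs/
cp crs-setup.conf.example crs-setup.conf
cd rules
cp REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf
cp RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.example RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf

# NOTE(review): modsecurity.conf-recommended ships with
# `SecRuleEngine DetectionOnly`, so requests are logged but not blocked until
# that is changed to `On`. Nothing on this page adds `Include` lines for
# crs-setup.conf and rules/*.conf to modsecurity.conf, so as written the CRS
# rules copied above are not loaded — add them once the paths are confirmed.
cp /opt/ModSecurity/modsecurity.conf-recommended /opt/ModSecurity/modsecurity.conf

# Audit logs record attack payloads and request data, so the directory must not
# be world-writable or world-readable (mode 777 lets any local user read,
# tamper with or delete the logs). Give it to the account that writes the logs.
# NOTE(review): assumes the nginx workers run as `nobody` (the `user` directive
# is commented out in the nginx.conf on this page) — confirm and adjust the
# owner if a different worker user is configured.
mkdir -p /var/log/modsecurity
chown nobody /var/log/modsecurity
chmod 750 /var/log/modsecurity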

 

 8.nginx.conf

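# OpenResty configuration: OpenWAF includes plus the ModSecurity dynamic
# module, reverse-proxying /dvwa/ to a backend host.
# With `user` left commented out, the worker processes run as the build-time
# default account; set it explicitly if the log directory ownership depends on it.
#user  nobody;
worker_processes  1;

#error_log  logs/error.log;
# Load the ModSecurity dynamic module built in the OpenResty configure step.
load_module /usr/local/openresty/nginx/modules/ngx_http_modsecurity_module.so;
#error_log  logs/error.log  notice;
#error_log  logs/error.log  info;

pid        logs/nginx.pid;

events {
    worker_connections  1024;
}

http {
    include       /opt/openresty/bundle/nginx-1.15.8/conf/mime.types;
    default_type  application/octet-stream;
    include       /opt/OpenWAF/conf/twaf_main.conf;
    # NOTE(review): twaf_api.conf presumably defines OpenWAF's management API
    # listener — confirm that it is not reachable from untrusted networks.
    include       /opt/OpenWAF/conf/twaf_api.conf;

    #log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
    #                  '$status $body_bytes_sent "$http_referer" '
    #                  '"$http_user_agent" "$http_x_forwarded_for"';

    #access_log  logs/access.log  main;

    sendfile        on;
    #tcp_nopush     on;

    #keepalive_timeout  0;
    keepalive_timeout  65;

    #gzip  on;

    server {
        # Plain HTTP listener and plain HTTP upstream: acceptable only on an
        # isolated lab network. DVWA is an intentionally vulnerable training
        # application and must not be exposed beyond that network.
        listen       80;
        server_name  _;
        include      /opt/OpenWAF/conf/twaf_server.conf;

        #access_log  logs/host.access.log  main;

        # Enable ModSecurity for this server.
        modsecurity on;

        location /dvwa/ {
            # Path to the ModSecurity configuration file. The rules file is set
            # only in this location, so other locations in this server have the
            # engine enabled but no rules loaded.
            modsecurity_rules_file /opt/ModSecurity/modsecurity.conf;
            proxy_pass http://192.168.0.138/dvwa/;
            #    root   html;
            #    index  index.html index.htm;
        }

        location = /50x.html {
            root   html;
        }
    }
}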

 

9.启动

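# Step 9: start OpenResty with the configuration above.
# Validate the configuration first (-t parses nginx.conf and everything it
# includes) so that a broken WAF configuration is caught before the proxy is
# started; start only if the check passes.
# NOTE(review): the /data/geektime prefix does not appear in the earlier steps;
# relative paths in nginx.conf (e.g. logs/nginx.pid) resolve under this prefix —
# confirm it matches where the configuration was actually written.
openresty -p /data/geektime -c /data/geektime/conf/nginx.conf -t &&
  openresty -p /data/geektime -c /data/geektime/conf/nginx.conf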

 

 

 
