This is a machine-translated mirror of the original article.


[Web] ngx_lua_waf is a web application firewall based on lua-nginx-module (OpenResty).

Posted on 12/21/2016 4:51:51 PM

ngx_lua_waf

ngx_lua_waf is an ngx_lua-based web application firewall that I developed when I first joined Fun Travel.

The code is simple; it was designed with simplicity, high performance and light weight in mind.

It is now open source under the MIT license and includes our filtering rules. If you have any suggestions or ideas, please feel free to improve it with me.

Uses:

        Prevent web attacks such as SQL injection, local file inclusion, some overflows, fuzzing, XSS and SSRF
        Prevent leakage of files such as SVN metadata and backups
        Prevent attacks from stress-testing tools such as ApacheBench
        Block common hacking tools and scanners
        Block abnormal network requests
        Block PHP execution in image attachment directories
        Prevent webshell uploads


Recommended Installation:

It is recommended to use LuaJIT 2.1 for Lua support.

If ngx_lua is version 0.9.2 or later, it is recommended to change the regular-expression filter function to ngx.re.find; matching efficiency improves roughly threefold.


Directions for use:

The nginx installation path is assumed to be: /usr/local/nginx/conf/

Download ngx_lua_waf into the conf directory, unzip it and rename the directory to waf.

Add it to the http section of nginx.conf.

Configure the WAF rule directory in config.lua (usually under the waf/conf/ directory):

        RulePath = "/usr/local/nginx/conf/waf/wafconf/"

If the absolute path differs, change it accordingly.

Then restart nginx


Profile Details:

        RulePath = "/usr/local/nginx/conf/waf/wafconf/"
        --rule storage directory
        attacklog = "off"
        --enable attack logging; requires logdir to be configured
        logdir = "/usr/local/nginx/logs/hack/"
        --log storage directory; must be created by the user and writable by the nginx user
        UrlDeny="on"
        --whether to block URL access
        Redirect="on"
        --whether to redirect after interception
        CookieMatch = "on"
        --whether to block cookie attacks
        postMatch = "on"
        --whether to block POST attacks
        whiteModule = "on"
        --whether to enable URL whitelisting
        black_fileExt={"php","jsp"}
        --file extensions that are not allowed to be uploaded
        ipWhitelist={"127.0.0.1"}
        --IP whitelist; separate multiple IPs with commas
        ipBlocklist={"1.0.0.1"}
        --IP blacklist; separate multiple IPs with commas
        CCDeny="on"
        --whether to enable CC attack interception (requires lua_shared_dict limit 10m; in the http section of nginx.conf)
        CCrate = "100/60"
        --CC attack frequency: requests per number of seconds
        --by default the same IP may request the same address only 100 times per minute
        html=[[Please go away~~]]
        --warning content, customizable inside the brackets
        Note: do not alter the double quotation marks; values are case-sensitive

        
Check whether the rules are in effect:

After deployment, you can try the following command:

Note: by default the local machine is whitelisted and not filtered; you can adjust this in config.lua.


The effect is shown in the following screenshot (image not reproduced on this page).


Rule Updates:

Considering regular-expression caching, dynamic rules affect performance, so I don't use things like shared memory dictionaries or Redis for dynamic management.

Rule updates can be hosted on another server: a crontab task downloads the rules periodically, and an nginx reload makes them take effect. This keeps ngx_lua_waf fast.

To only record the filter log without enabling filtering, put a -- comment in front of the check call in the code; to enable filtering, do the reverse.

Some notes:

        The filtering rules are under wafconf and can be adjusted to your needs; each rule goes on its own line, or several rules can be separated with |

                args: rules filtering GET parameters
                url: rules filtering only the request URL in GET requests
                post: rules applied only to POST requests
                whitelist: URL whitelist; URLs matching it are not filtered
                user-agent: rules filtering the User-Agent

        GET and POST filtering are enabled by default; to enable cookie filtering, edit waf.lua and remove the -- comment from the relevant part.

        The log file name format is: <web host name>_sec.log
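Added example (not code from the ngx_lua_waf project) showing how the wafconf rule format described above can be loaded and matched with ngx.re.find, the call the post recommends for ngx_lua 0.9.2 and later. It assumes RulePath is the directory set in config.lua, that read_rules runs once at startup (init_by_lua) and that args_hit runs in the access phase.

```lua
-- Added example, not the project's waf.lua: load a wafconf rule file (one
-- regex per line, or several joined with |) and check GET args with
-- ngx.re.find. Assumes RulePath is the directory configured in config.lua.
local RulePath = "/usr/local/nginx/conf/waf/wafconf/"
-- Read a rule file (args, url, post, whitelist or user-agent) into a
-- table of patterns, dropping blank lines and Windows line endings.
local function read_rules(name)
    local rules = {}
    local f = io.open(RulePath .. name, "r")
    if not f then
        ngx.log(ngx.ERR, "cannot open rule file ", RulePath .. name)
        return rules
    end
    for line in f:lines() do
        line = line:gsub("\r$", "")
        if line ~= "" then rules[#rules + 1] = line end
    end
    f:close()
    return rules
end
-- "isjo": case-insensitive, dot matches newline, PCRE JIT, compile-once
-- regex cache. Returns the first matching rule, or nil.
local function find_match(subject, rules)
    for _, rule in ipairs(rules) do
        local from, _, err = ngx.re.find(subject, rule, "isjo")
        if err then
            ngx.log(ngx.ERR, "bad rule '", rule, "': ", err)
        elseif from then
            return rule
        end
    end
    return nil
end
local argsrules = read_rules("args")
-- Returns the rule hit by a GET argument value, or nil. Repeated keys come
-- as tables; keyless args (?foo) come as true and are skipped; values are
-- decoded once more to catch double-encoded input.
local function args_hit()
    for _, val in pairs(ngx.req.get_uri_args()) do
        local values = type(val) == "table" and val or { val }
        for _, v in ipairs(values) do
            if type(v) == "string" then
                local rule = find_match(ngx.unescape_uri(v), argsrules)
                if rule then return rule end
            end
        end
    end
    return nil
end
```

A malformed rule is logged and skipped rather than aborting the request, so one bad line in wafconf cannot disable the whole rule set.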
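Added example (not the project's own denycc code) of the CC limit described in the configuration section: requests are counted per client IP and URI in the "limit" shared dict that the post says to declare with lua_shared_dict limit 10m; and CCrate keeps the config.lua "requests/seconds" format. It assumes it runs from access_by_lua and that ngx.var.remote_addr is the real client address (behind a proxy all clients would share one counter).

```lua
-- Added example, not the project's denycc(): per-IP, per-URI request
-- counting in the "limit" shared dict (lua_shared_dict limit 10m;).
-- CCrate "100/60" means 100 requests per 60 seconds for one IP+URI pair.
local CCrate = "100/60"
local CCcount = tonumber(string.match(CCrate, "^(%d+)/"))
local CCseconds = tonumber(string.match(CCrate, "/(%d+)$"))
-- Returns true once this client has sent more than CCcount requests to the
-- current URI within a CCseconds window. The first request of a window
-- stores the key with an expiry, so the counter resets by itself.
-- Assumption: ngx.var.remote_addr is the real client, not a proxy.
-- Note: get/set is not atomic across workers, so a burst may be counted
-- slightly low; newer ngx_lua offers incr with init/init_ttl to fix that.
local function cc_exceeded()
    local limit = ngx.shared.limit
    local key = ngx.var.remote_addr .. ngx.var.uri
    local count = limit:get(key)
    if not count then
        limit:set(key, 1, CCseconds)
        return false
    end
    if count >= CCcount then
        return true
    end
    limit:incr(key, 1)
    return false
end
-- Refuse the request with 503 and leave a trace in the error log.
if cc_exceeded() then
    ngx.log(ngx.WARN, "CC limit ", CCrate, " exceeded by ",
            ngx.var.remote_addr, " on ", ngx.var.uri)
    return ngx.exit(ngx.HTTP_SERVICE_UNAVAILABLE)
end
```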






Posted on 11/8/2017 3:23:22 PM
Yes, I learned