当前位置: 首页 > news >正文

openresty整合modsecurity

news 2025/7/12 19:20:59

安装依赖包

安装依赖

yum -y install gcc-c++ flex bison yajl yajl-devel curl-devel curl GeoIP-devel doxygen zlib-devel libtool libxml2-devel libxslt-devel

安装依赖包

ftp://ftp.icm.edu.pl/vol/rzm7/linux-centos-vault/7.8.2003/sclo/x86_64/rh/Packages/d/devtoolset-9-libstdc++-devel-9.3.1-2.el7.x86_64.rpm
ftp://ftp.icm.edu.pl/vol/rzm7/linux-centos-vault/7.8.2003/sclo/x86_64/rh/Packages/d/devtoolset-9-gcc-c++-9.3.1-2.el7.x86_64.rpm
ftp://ftp.icm.edu.pl/vol/rzm7/linux-centos-vault/7.8.2003/sclo/x86_64/rh/Packages/d/devtoolset-9-gcc-9.3.1-2.el7.x86_64.rpm
ftp://ftp.icm.edu.pl/vol/rzm7/linux-centos-vault/7.8.2003/sclo/x86_64/rh/Packages/d/devtoolset-9-libquadmath-devel-9.3.1-2.el7.x86_64.rpm
ftp://ftp.icm.edu.pl/vol/rzm7/linux-centos-vault/7.8.2003/sclo/x86_64/rh/Packages/d/devtoolset-9-gcc-gfortran-9.3.1-2.el7.x86_64.rpm
ftp://ftp.icm.edu.pl/vol/rzm7/linux-centos-vault/7.9.2009/sclo/x86_64/rh/Packages/d/devtoolset-9-binutils-2.32-16.el7.x86_64.rpm
ftp://ftp.icm.edu.pl/vol/rzm7/linux-centos-vault/7.8.2003/sclo/x86_64/rh/Packages/d/devtoolset-9-runtime-9.1-0.el7.x86_64.rpm# 一个一个安装,下面是示例
yum localinstall -y devtoolset-9-*.rpmscl enable devtoolset-9 bash

下载modsecurity源码

git clone https://github.com/SpiderLabs/ModSecurity
cd ModSecurity
git checkout v3/master
git submodule init
git submodule update./build.sh
./configure
make
make install

安装ModSecurity-nginx Connector

git clone https://github.com/SpiderLabs/ModSecurity-nginx
cd /app/openresty/
# 和openresty一起编译或者用nginx编译后的二进制拷贝进去

./configure --prefix=/app/openresty --with-http_ssl_module
–with-http_ssl_module
–with-http_v2_module
–with-http_gzip_static_module
–with-http_sub_module
–with-http_realip_module
–with-http_stub_status_module
–with-http_auth_request_module
–with-luajit
–with-compat
–with-http_geoip_module
–with-stream
–with-stream_ssl_module
–with-mail
–with-mail_ssl_module
–with-threads
–with-file-aio
–with-http_dav_module
–with-http_xslt_module
–with-http_addition_module
–add-dynamic-module=/usr/MyWorkSpace/ModSecurity-nginx-master

gmake && gmake install

拷贝配置文件到nginx

配置文件在ModSecurity的源码目录中

cp modsecurity.conf-recommended /path/to/modsecurity.conf
cp unicode.mapping /path/to/
mkdir -p /app/openresty/nginx/logs/
mkdir -p /app/openresty/nginx/sec_temp
mkdir -p /app/openresty/nginx/sec_data# 修改modsecurity.conf的日志路径以方便查询问题SecRuleEngine on 
SecDebugLog /app/openresty/nginx/logs/modsec_debug.log
SecDebugLogLevel 9 # 生产环境调为1
SecAuditLog /app/openresty/nginx/logs/modsec_audit.log

修改SecTmpDir选项

指定自己的目录

SecTmpDir /app/openresty/nginx/sec_temp
SecDataDir /app/openresty/nginx/sec_data

参数配置

编辑 Nginx 配置文件(如 nginx.conf),加载并启用 ModSecurity 模块:

load_module modules/ngx_http_modsecurity_module.so;
#user  nobody;
worker_processes  4;#error_log  logs/error.log;
#error_log  logs/error.log  notice;
#error_log  logs/error.log  info;#pid        logs/nginx.pid;events {worker_connections  1024;
}http {include       mime.types;default_type  application/octet-stream;#log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '#                  '$status $body_bytes_sent "$http_referer" '#                  '"$http_user_agent" "$http_x_forwarded_for"';#access_log  logs/access.log  main;sendfile        on;#tcp_nopush     on;#keepalive_timeout  0;keepalive_timeout  65;gzip on;  # 启用 Gzip 压缩gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;gzip_vary on;  # 向响应头添加 `Vary: Accept-Encoding`,以确保代理缓存的正确性gzip_min_length 1024;  # 设置压缩的最小文件大小,较小的文件可能不压缩gzip_proxied any;  # 启用代理后端的压缩响应gzip_comp_level 5;  # 设置压缩级别,范围是1-9,数值越大压缩比越高,但CPU消耗也更大server {listen       8080;server_name  0.0.0.0;charset utf-8;# 在特定位置启用 ModSecuritymodsecurity on;modsecurity_rules_file /app/openresty/nginx/conf/modsecurity.conf;#access_log  logs/host.access.log  main;location / {proxy_pass http://127.0.0.1:9080;proxy_set_header Host $host:$server_port;proxy_set_header X-Real-IP $remote_addr;proxy_set_header X-Forwarded-Host $host;proxy_set_header X-Forwarded-Port $server_port;proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;proxy_set_header X-Forwarded-Proto $scheme;# 关键部分:重写后端服务器的重定向URLproxy_redirect default;}}}

下载 OWASP CRS

git clone https://github.com/coreruleset/coreruleset.git
mkdir -p /app/openresty/nginx/modsec/crs
cp -r coreruleset/* /app/openresty/nginx/modsec/crs
cd /app/openresty/nginx/modsec/crs
cp crs-setup.conf.example crs-setup.conf

编辑/app/openresty/nginx/conf/modsecurity.conf

Include /app/openresty/nginx/modsec/crs/crs-setup.conf
Include /app/openresty/nginx/modsec/crs/rules/*.conf

添加测试规则

编辑crs-setup.conf

SecRule ARGS:testparam "@contains test" "id:10001,phase:1,log,deny,status:403,msg:'Testing rule'"

当url参数包含testparam=test会返回403

启动openresty

/app/openresty/nginx/sbin/nginx -c /app/openresty/nginx/conf/nginx.conf/app/openresty/nginx/sbin/nginx -s reload
http://www.lryc.cn/news/423852.html

相关文章:

  • 结构体structure、共用体union
  • Spring自动注册-<bean>标签和属性解析
  • 【仿RabbitMQ消息队列】基于C++11中packaged_tack异步线程池
  • 免费下载专利
  • CentOS7安装流程步骤详细教程
  • 【大模型从入门到精通17】openAI API 构建和评估大型语言模型(LLM)应用5
  • 苹果手机无iCloud备份下“最近删除”照片的恢复策略
  • Docker搭建Minio容器
  • 【C++】多源BFS问题和拓扑排序
  • CentOS 7 安装详细教程
  • mybatis-plus + springboot 多对多实例
  • SpringBoot日志整合
  • 信创教育:培养未来科技创新的生力军
  • slowfast
  • 怎么调试python脚本
  • Flask获取请求信息
  • Overleaf中放置高分辨率图片的方法
  • 【C语言】动态内存管理(malloc,free,calloc,realloc详解 )
  • 如何寻找数值仿真参数最优解?CFD参数优化详解3来袭
  • 虚拟机macos中构建llvm、clang并配置Xcode
  • Java 中的 @SneakyThrows 注解详解:简化异常处理的利与弊
  • 系统编程 day11 进程(线程)3
  • [ Python 原理分析 ]如何实现用户实现博客文章点赞-物联网Python
  • 【47 Pandas+Pyecharts | 杭州二手房数据分析可视化】
  • C++入门基础知识13
  • IP地址证如何实现HTTPS访问?(内网IP、公网IP)
  • 东土科技车规级网络芯片获批量应用
  • nvidia系列教程-AGX-Orin pcie扩展M.2磁盘调试笔记
  • haproxy七层代理知识点以及各种配置
  • uniapp自定义浮动图标、列表布局