[security][modsecurity][nginx] Installing ModSecurity for nginx

Reference documentation:

https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#installation-for-nginx

nginx does not support loading modules dynamically, so it has to be recompiled to integrate ModSecurity into nginx.

1. Software to prepare:

  ModSecurity-2.9.1.zip

  nginx-1.10.1.tar.gz

  As the documentation states, a few dependency packages need to be installed first.

yum install httpd httpd-devel pcre pcre-devel libxml2-devel 

2. Compile and install:

  Starting with 2.6, the way ModSecurity is compiled has changed. See:

  https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#GitHub_Access

[[email protected] ModSecurity-2.9.1]# ./autogen.sh
[[email protected] ModSecurity-2.9.1]# ./configure --enable-standalone-module --disable-mlogc
[[email protected] ModSecurity-2.9.1]# make

  Compile nginx

[[email protected] nginx-1.10.1]# ./configure --prefix=/root/modsecurity/output --add-module=../ModSecurity-2.9.1/nginx/modsecurity/
[[email protected] nginx-1.10.1]# make
[[email protected] nginx-1.10.1]# make install

3. Run nginx

  1.  Edit the configuration file conf/nginx.conf and add the following line:

user root;

  2.  Start/stop nginx with the following commands:

[[email protected] output]# ./sbin/nginx -c conf/nginx.conf
[[email protected] output]# ./sbin/nginx -s stop

4. Configure ModSecurity

Two listening ports, 80 and 81, have already been set up in nginx, each serving a static page.

[[email protected] conf]# cat nginx.conf

user root;
worker_processes  1;

#error_log  logs/error.log;
#error_log  logs/error.log  notice;
#error_log  logs/error.log  info;

#pid        logs/nginx.pid;

events {
    worker_connections  1024;
}

http {
    include       mime.types;
    default_type  application/octet-stream;

    #log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
    #                  '$status $body_bytes_sent "$http_referer" '
    #                  '"$http_user_agent" "$http_x_forwarded_for"';

    #access_log  logs/access.log  main;

    sendfile        on;
    #tcp_nopush     on;

    #keepalive_timeout  0;
    keepalive_timeout  65;

    #gzip  on;

    include custom.conf;
    include mod.conf;

    server {
        listen       80;
        server_name  localhost;

        #charset koi8-r;

        #access_log  logs/host.access.log  main;

        location / {
            root   html;
            index  index.html index.htm;
        }

        #error_page  404              /404.html;

        # redirect server error pages to the static page /50x.html
        #
        error_page   500 502 503 504  /50x.html;
        location = /50x.html {
            root   html;
        }

        # proxy the PHP scripts to Apache listening on 127.0.0.1:80
        #
        #location ~ \.php$ {
        #    proxy_pass   http://127.0.0.1;
        #}

        # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
        #
        #location ~ \.php$ {
        #    root           html;
        #    fastcgi_pass   127.0.0.1:9000;
        #    fastcgi_index  index.php;
        #    fastcgi_param  SCRIPT_FILENAME  /scripts$fastcgi_script_name;
        #    include        fastcgi_params;
        #}

        # deny access to .htaccess files, if Apache's document root
        # concurs with nginx's one
        #
        #location ~ /\.ht {
        #    deny  all;
        #}
    }

    # another virtual host using mix of IP-, name-, and port-based configuration
    #
    #server {
    #    listen       8000;
    #    listen       somename:8080;
    #    server_name  somename  alias  another.alias;

    #    location / {
    #        root   html;
    #        index  index.html index.htm;
    #    }
    #}

    # HTTPS server
    #
    #server {
    #    listen       443 ssl;
    #    server_name  localhost;

    #    ssl_certificate      cert.pem;
    #    ssl_certificate_key  cert.key;

    #    ssl_session_cache    shared:SSL:1m;
    #    ssl_session_timeout  5m;

    #    ssl_ciphers  HIGH:!aNULL:!MD5;
    #    ssl_prefer_server_ciphers  on;

    #    location / {
    #        root   html;
    #        index  index.html index.htm;
    #    }
    #}

}


[[email protected] conf]# cat custom.conf 

    server {
        listen       81;
        server_name  localhost;

        #charset koi8-r;

        #access_log  logs/host.access.log  main;

        location / {
            root   /usr/share/nginx/html;
            index  index.html index.htm;
        }

        #error_page  404              /404.html;

        # redirect server error pages to the static page /50x.html
        #
        error_page   500 502 503 504  /50x.html;
        location = /50x.html {
            root   html;
        }

    }


  Add a configuration file mod.conf that listens on port 82:

[[email protected] conf]# cat mod.conf
    server {
        listen       82;
        server_name  localhost;
        location / {
                ModSecurityEnabled on;
                ModSecurityConfig modsecurity.conf;
                proxy_pass http://127.0.0.1:81;
                proxy_read_timeout 180s;
        }
    }

  Two configuration files are referenced here; their templates are as follows:

  https://raw.githubusercontent.com/SpiderLabs/ModSecurity/master/modsecurity.conf-recommended

  https://raw.githubusercontent.com/SpiderLabs/ModSecurity/master/unicode.mapping

5. Rules / syntax / configuration

  Documentation:

  https://www.feistyduck.com/library/modsecurity-handbook-free/online/

Everything in ModSecurity revolves around two things: configuration and rules. The configuration tells ModSecurity how to process the data it sees; the rules decide what to do with the processed data. 

For example:

SecRule ARGS "<script>" log,deny,status:404

Even without further assistance, you can probably recognize the part in the rule that specifies what we wish to look for in input data (<script>). Similarly, you will easily figure out what will happen if we do find the desired pattern (log,deny,status:404). Things will become more clear if I tell you about the general rule syntax, which is the following:

SecRule VARIABLES OPERATOR ACTIONS

The three parts have the following meanings:

The VARIABLES part tells ModSecurity where to look. The ARGS variable, used in the example, means all request parameters.
The OPERATOR part tells ModSecurity how to look. In the example, we have a regular expression pattern, which will be matched against ARGS.
The ACTIONS part tells ModSecurity what to do on a match. The rule in the example gives three instructions: log problem, deny transaction and use the status 404 for the denial (status:404).
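As an added illustration of the VARIABLES / OPERATOR / ACTIONS breakdown above (example code written for this page, not ModSecurity's own engine or anything from the handbook), this toy Python evaluator parses two constructed SecRule lines and runs them against constructed request parameters. It assumes only the ARGS collection, the @rx and @contains operators and the deny/status/pass actions, and it enforces the `id` action that ModSecurity 2.7 and later require on every rule, which the bare handbook example does not carry.

```python
import re

# Constructed sample rules (not from the page): the handbook's example rule with the
# id and phase actions ModSecurity 2.7+ requires, plus a rule whose action is only pass.
RULES = [
    'SecRule ARGS "<script>" "id:1001,phase:2,log,deny,status:404"',
    'SecRule ARGS:user "@contains admin" "id:1002,phase:2,log,pass"',
]

# SecRule VARIABLES "OPERATOR" ACTIONS; the ACTIONS part may be quoted or bare.
RULE_RE = re.compile(r'^SecRule\s+(\S+)\s+"([^"]*)"\s+"?([^"]*)"?\s*$')
OPERATORS = {  # operators this toy engine knows; a bare pattern means @rx
    "rx": lambda arg, value: re.search(arg, value) is not None,
    "contains": lambda arg, value: arg in value,
}

def parse_rule(line):
    """Split one SecRule line into its VARIABLES, OPERATOR and ACTIONS parts."""
    m = RULE_RE.match(line)
    if not m:
        raise ValueError("not a SecRule line: %r" % line)
    variables = [tuple((v.split(":", 1) + [None])[:2]) for v in m.group(1).split(",")]
    op = m.group(2)
    op_name, op_arg = (op[1:].split(" ", 1) + [""])[:2] if op.startswith("@") else ("rx", op)
    actions = dict(a.partition(":")[::2] for a in m.group(3).split(","))
    if "id" not in actions:  # ModSecurity 2.7+ refuses to load a rule without an id
        raise ValueError("rule has no id: %r" % line)
    return {"variables": variables, "operator": (op_name, op_arg), "actions": actions}

def select_values(variables, args):
    """Resolve VARIABLES: ARGS is every request parameter, ARGS:name one parameter."""
    return [v for coll, name in variables if coll == "ARGS"
            for k, v in args.items() if name is None or name == k]

def evaluate(rule, args):
    """True when the OPERATOR matches at least one value selected by VARIABLES."""
    op_name, op_arg = rule["operator"]
    return any(OPERATORS[op_name](op_arg, v) for v in select_values(rule["variables"], args))

def inspect_request(rules, args):
    """Apply rules in order; the first match carrying 'deny' decides, else allow."""
    for rule in map(parse_rule, rules):
        if evaluate(rule, args) and "deny" in rule["actions"]:
            return ("deny", int(rule["actions"].get("status") or 403), rule["actions"]["id"])
    return ("allow", 200, None)

# Constructed request parameters: a reflected-XSS probe and a clean search.
ATTACK_ARGS = {"q": "<script>alert(1)</script>"}
CLEAN_ARGS = {"q": "nginx modsecurity", "user": "admin"}
```

The clean request matches rule 1002, but `pass` is not a disruptive action, so the request is still allowed; only rule 1001's `deny` turns a match into a blocked transaction with the configured status.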


  Manual:

  https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual

  Third-party rules:

  OWASP: https://www.owasp.org/index.php/Main_Page

   Core Rules: https://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project

  Reading the rule templates together with the manual:

  TODO...

  

Time: 2024-12-29 01:01:01
