Installing X-WAF on CentOS 7.7 and configuring its policies
Server operating system: CentOS 7.7 64-bit
1. Official GitHub repositories
https://github.com/xsec-lab/x-waf
https://github.com/xsec-lab/x-waf-admin
2. Compile and install OpenResty
yum -y install gcc gcc-c++ autoconf pcre pcre-devel make automake wget httpd-tools vim openssl-devel curl
wget https://openresty.org/download/openresty-1.15.8.1.tar.gz
tar -zxvf openresty-1.15.8.1.tar.gz
cd openresty-1.15.8.1
./configure
gmake && gmake install
Installed this way, OpenResty lands under /usr/local/ by default.
Add OpenResty to PATH so it can be invoked simply as openresty. /usr/local/openresty/bin/openresty is actually a symlink to /usr/local/openresty/nginx/sbin/nginx, but pointing PATH at the openresty binary keeps it distinct from any nginx already installed on the system.
Export it into the shell environment; the following is temporary (current session only):
export PATH=/usr/local/openresty/bin:$PATH
To make it permanent, write the variable into the user's shell profile:
vi ~/.bash_profile
3. Start OpenResty
Start: openresty
Stop: openresty -s stop
Restart (graceful reload): openresty -s reload
Check the configuration: openresty -t
By default, if no user is specified in the OpenResty configuration, OpenResty starts its worker processes as the nobody user.
Create a dedicated nginx user to run OpenResty:
useradd -s /sbin/nologin -M nginx
4. Download x-waf and set up the configuration files and rule package
Change into the OpenResty configuration directory:
cd /usr/local/openresty/nginx/conf/
Download x-waf:
git clone https://github.com/xsec-lab/x-waf.git
This creates an x-waf folder. Its nginx_conf/nginx.conf is a template already configured with the Lua and x-waf rule directories; copy it over /usr/local/openresty/nginx/conf/nginx.conf to replace OpenResty's original configuration file:
cp /usr/local/openresty/nginx/conf/x-waf/nginx_conf/nginx.conf /usr/local/openresty/nginx/conf/nginx.conf
The author's code has a bug in the URL whitelist section that must be fixed; otherwise the URL whitelist file is not found and the whitelist silently has no effect:
vim /usr/local/openresty/nginx/conf/x-waf/waf.lua
Find writeurl.rule and replace it with whiteUrl.rule.
Create the virtual host configuration directory:
mkdir -p /usr/local/openresty/nginx/conf/vhosts
Edit the configuration file:
vim /usr/local/openresty/nginx/conf/x-waf/config.lua
--[[
Copyright (c) 2016 xsec.io
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in
all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
THE SOFTWARE.
]]
-- WAF config file, enable = "on", disable = "off"
local _M = {
    -- waf status
    config_waf_enable = "on",
    -- log dir
    config_log_dir = "/tmp/",
    -- rule setting
    config_rule_dir = "/usr/local/openresty/nginx/conf/x-waf/rules",
    -- enable/disable white url
    config_white_url_check = "on",
    -- enable/disable white ip
    config_white_ip_check = "on",
    -- enable/disable block ip
    config_black_ip_check = "on",
    -- enable/disable url filtering
    config_url_check = "on",
    -- enable/disable url args filtering
    config_url_args_check = "on",
    -- enable/disable user agent filtering
    config_user_agent_check = "on",
    -- enable/disable cookie deny filtering
    config_cookie_check = "on",
    -- enable/disable cc filtering
    config_cc_check = "on",
    -- cc rate: at most xxx requests per xxx seconds
    config_cc_rate = "10/60",
    -- enable/disable post filtering
    config_post_check = "on",
    -- config waf output: redirect/html/jinghuashuiyue
    config_waf_model = "html",
    -- redirect url, used when the output model is redirect
    config_waf_redirect_url = "http://xsec.io",
    config_expire_time = 600,
    config_output_html = [[
<html>
<head>
    <meta charset="UTF-8">
    <title>MIDUN WAF</title>
</head>
<body>
    <div>
        <div class="table">
            <div>
                <div class="cell">
                    您的IP为: %s
                </div>
                <div class="cell">
                    欢迎在遵守白帽子道德准则的情况下进行安全测试。
                </div>
                <div class="cell">
                    联系方式:http://xsec.io
                </div>
            </div>
        </div>
    </div>
</body>
</html>
]],
}
return _M
All checks are enabled by default, so nothing needs to be changed here.
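The three edits above (running workers as the dedicated nginx user, the writeurl.rule/whiteUrl.rule fix, and the rule directory in config.lua) are easy to get half-right and the WAF gives no error when a rule file is missing; it just runs that check with an empty rule set. The script below is an added example, not code from the x-waf project. It applies the user directive idempotently, applies the post's whiteUrl.rule fix, and generalises it by checking that every .rule name referenced from waf.lua actually exists in the rule directory. It runs against a constructed demo tree so it works without an OpenResty install; on the real host point the paths at /usr/local/openresty/nginx/conf and finish with openresty -t. The rule names in the demo waf.lua are constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the x-waf project: post-install checks for
# the steps above. Paths in the demo are constructed; the real ones are
# under /usr/local/openresty/nginx/conf as used in this post.
set -e

# Make nginx.conf run worker processes as the dedicated 'nginx' user
# instead of the default 'nobody'. Idempotent: rewrites an existing
# (possibly commented-out) 'user' directive, or prepends one if absent.
set_worker_user() {
    conf="$1"; user="$2"
    if grep -qE '^[[:space:]]*#?[[:space:]]*user[[:space:]]' "$conf"; then
        sed -i -E "s|^[[:space:]]*#?[[:space:]]*user[[:space:]].*|user ${user};|" "$conf"
    else
        { printf 'user %s;\n' "$user"; cat "$conf"; } > "$conf.tmp" && mv "$conf.tmp" "$conf"
    fi
}

# The fix described in the post: waf.lua refers to writeurl.rule, but the
# file shipped under rules/ is whiteUrl.rule, so the URL whitelist never loads.
fix_whiteurl_rule() {
    sed -i 's/writeurl\.rule/whiteUrl.rule/g' "$1"
}

# Generalisation of that bug: every *.rule name referenced from waf.lua must
# exist in the rule directory, otherwise that check silently runs with an
# empty rule set. Prints each missing file; returns 1 if any is missing.
check_rule_files() {
    waf_lua="$1"; rule_dir="$2"; missing=0
    for name in $(grep -oE '[A-Za-z_-]+\.rule' "$waf_lua" | sort -u); do
        if [ ! -f "$rule_dir/$name" ]; then
            echo "missing rule file: $rule_dir/$name"
            missing=1
        fi
    done
    return $missing
}

# Constructed demo tree so the script runs without a real OpenResty install.
demo=$(mktemp -d); trap 'rm -rf "$demo"' EXIT
mkdir -p "$demo/x-waf/rules"
printf 'worker_processes 1;\nevents { }\n' > "$demo/nginx.conf"
printf 'local white_url = rule_dir .. "/writeurl.rule"\nlocal deny_url = rule_dir .. "/url.rule"\n' \
    > "$demo/x-waf/waf.lua"
touch "$demo/x-waf/rules/whiteUrl.rule" "$demo/x-waf/rules/url.rule"

set_worker_user "$demo/nginx.conf" nginx
set_worker_user "$demo/nginx.conf" nginx   # second run must not add a second line
check_rule_files "$demo/x-waf/waf.lua" "$demo/x-waf/rules" || echo "rule check failed before the fix (expected)"
fix_whiteurl_rule "$demo/x-waf/waf.lua"
check_rule_files "$demo/x-waf/waf.lua" "$demo/x-waf/rules" && echo "rule check passed after the fix"
# On the real host, finish with: openresty -t
```

The rule-file check is the part worth keeping around: x-waf reads each rule file by name at startup, so a renamed or missing file does not fail loudly, and a whitelist or blacklist that is empty looks exactly like one that was never configured.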
5. Install the admin backend. The admin backend is written in Go; the author provides a precompiled binary that can be downloaded and used directly:
wget https://github.com/xsec-lab/x-waf-admin/releases/download/x-waf-admin0.1/x-waf-admin0.1-linux-amd64.tar.gz
Extract it:
tar -zxvf x-waf-admin0.1-linux-amd64.tar.gz
Enter the directory:
cd x-waf-admin
Edit the configuration file:
vim conf/app.ini
Change it to the following:
RUN_MODE = dev
;RUN_MODE = prod
[server]
HTTP_PORT = 5000
API_KEY = xsec.io||secdevops.cn
NGINX_BIN = /usr/local/openresty/nginx/sbin/nginx
NGINX_VHOSTS = /usr/local/openresty/nginx/conf/vhosts/
API_SERVERS = 127.0.0.1, 172.16.0.5
[database]
USER = root
PASSWD = m9shituSFL7duAVXfeAwGUSG
HOST = 127.0.0.1:3306
NAME = waf
[waf]
RULE_PATH = /usr/local/openresty/nginx/conf/x-waf/rules/
Note: you must create the database yourself and start the database service, with the account and password configured. Only the database named waf needs to be created; after that, log in with the default account and password. If something goes wrong while testing, stop the service, restart it, and log in again.
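Most of the "stop the service and restart it" loop comes from a wrong path in app.ini, and ./server only reports that in x-waf.log after it has started. The script below is an added example, not part of x-waf-admin: a pre-flight check that reads the [server] and [waf] keys shown above (NGINX_BIN, NGINX_VHOSTS, RULE_PATH, HTTP_PORT) with a small section-aware INI reader and verifies that each path exists before the backend is started. It assumes only the key names that appear in this post's app.ini; the demo writes a constructed app.ini with a fake nginx binary and a deliberately wrong RULE_PATH.

```shell
#!/bin/sh
# Added example, not part of x-waf-admin: a pre-flight check of conf/app.ini
# to run before ./server, so wrong paths show up here rather than in x-waf.log.
# Assumes only the key names that appear in the post's app.ini.
set -e

# Print KEY from [SECTION] of an INI file. Keys that precede the first
# section header (RUN_MODE here) live in the section named "".
ini_get() {
    file="$1"; section="$2"; key="$3"
    awk -v s="$section" -v k="$key" '
        /^[[:space:]]*[;#]/ { next }                     # comment line
        /^[[:space:]]*\[.*][[:space:]]*$/ {               # [section] header
            cur = $0; gsub(/^[[:space:]]*\[|][[:space:]]*$/, "", cur); next
        }
        index($0, "=") == 0 { next }                     # not a key = value line
        {
            name = substr($0, 1, index($0, "=") - 1)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", name)
            if (cur == s && name == k) {
                val = substr($0, index($0, "=") + 1)
                gsub(/^[[:space:]]+|[[:space:]]+$/, "", val)
                print val; exit
            }
        }' "$file"
}

# Check that every path the backend will use exists and that the port is a
# number. Prints one line per problem and returns 1 if any were found.
preflight() {
    ini="$1"; rc=0
    bin=$(ini_get "$ini" server NGINX_BIN)
    vhosts=$(ini_get "$ini" server NGINX_VHOSTS)
    rules=$(ini_get "$ini" waf RULE_PATH)
    port=$(ini_get "$ini" server HTTP_PORT)
    [ -x "$bin" ]    || { echo "NGINX_BIN is not executable: $bin"; rc=1; }
    [ -d "$vhosts" ] || { echo "NGINX_VHOSTS directory missing: $vhosts"; rc=1; }
    [ -d "$rules" ]  || { echo "RULE_PATH directory missing: $rules"; rc=1; }
    case "$port" in ''|*[!0-9]*) echo "HTTP_PORT is not a number: $port"; rc=1;; esac
    return $rc
}

# Constructed demo: a fake nginx binary and a deliberately wrong RULE_PATH.
demo=$(mktemp -d); trap 'rm -rf "$demo"' EXIT
mkdir -p "$demo/vhosts" "$demo/rules"
printf '#!/bin/sh\n' > "$demo/nginx" && chmod +x "$demo/nginx"
cat > "$demo/app.ini" <<EOF
RUN_MODE = dev
;RUN_MODE = prod
[server]
HTTP_PORT = 5000
NGINX_BIN = $demo/nginx
NGINX_VHOSTS = $demo/vhosts/
[waf]
RULE_PATH = $demo/missing-rules/
EOF
preflight "$demo/app.ini" || echo "preflight failed (expected: RULE_PATH is wrong)"
```

Run it as sh preflight.sh with the real conf/app.ini path substituted for the demo file; a clean exit means the backend will at least find nginx, the vhosts directory and the rule directory it is going to write to.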
Set up the database:
yum install mariadb mariadb-server -y
systemctl start mariadb.service
By default, log in as the root account; the password is empty.
Change the database root password (the user table lives in the mysql system database, and the change only takes effect once privileges are flushed):
use mysql;
update user set password=password("m9shituSFL7duAVXfeAwGUSG") where user="root";
flush privileges;
Create the database:
create database waf;
Those two steps are all that is needed on the database side; then start the service and log in.
Start the x-waf admin backend:
nohup ./server >> x-waf.log 2>&1 &
Watch the running log:
tail -f x-waf.log
The default account and password are admin/x@xsec.io
Admin console after logging in: [screenshot]
Testing the blocking effect: [screenshot]