unixhot / waf
A WAF implemented with Nginx+Lua (version v1.0)
License: Apache License 2.0
I can use the IP blacklist and whitelist normally, but the url check and post check do not take effect. What could be the reason?
I am using openresty-1.11.2.5 to run the WAF. My nginx.conf and config.lua are below for reference.
nginx.conf

```nginx
#user nobody;
worker_processes 1;
#error_log logs/error.log;
#error_log logs/error.log notice;
#error_log logs/error.log info;
#pid logs/nginx.pid;
events {
    worker_connections 1024;
}
http {
    #WAF
    lua_shared_dict limit 50m; # shared dictionary used by the CC check, size 50M
    lua_package_path "/usr/local/openresty/nginx/conf/waf/?.lua";
    init_by_lua_file "/usr/local/openresty/nginx/conf/waf/init.lua";
    access_by_lua_file "/usr/local/openresty/nginx/conf/waf/access.lua";
    include mime.types;
    default_type application/octet-stream;
    #log_format main '$remote_addr - $remote_user [$time_local] "$request" '
    # '$status $body_bytes_sent "$http_referer" '
    # '"$http_user_agent" "$http_x_forwarded_for"';
    #access_log logs/access.log main;
    sendfile on;
    #tcp_nopush on;
    #keepalive_timeout 0;
    keepalive_timeout 65;
    #gzip on;
    server {
        listen 4880;
        server_name localhost;
        #charset koi8-r;
        #access_log logs/host.access.log main;
        location /hi {
            default_type text/html;
            content_by_lua_block {
                ngx.say('hello openrastry')
            }
        }
        location / {
            root html;
            index index.html index.htm;
        }
        #error_page 404 /404.html;
        # redirect server error pages to the static page /50x.html
        #
        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
            root html;
        }
    }
}
```
config.lua

```lua
--WAF config file, enable = "on", disable = "off"
--waf status
config_waf_enable = "on"
--log dir
config_log_dir = "/tmp"
--rule setting
config_rule_dir = "/usr/local/openresty/nginx/conf/waf/rule-config"
--enable/disable white url
config_white_url_check = "on"
--enable/disable white ip
config_white_ip_check = "on"
--enable/disable block ip
config_black_ip_check = "on"
--enable/disable url filtering
config_url_check = "on"
--enable/disable url args filtering
config_url_args_check = "on"
--enable/disable user agent filtering
config_user_agent_check = "on"
--enable/disable cookie deny filtering
config_cookie_check = "on"
--enable/disable cc filtering
config_cc_check = "on"
--cc rate: xxx requests per xxx seconds
config_cc_rate = "10/60"
--enable/disable post filtering
config_post_check = "on"
--config waf output redirect/html
config_waf_output = "html"
--if config_waf_output is redirect, set the url
config_waf_redirect_url = "https://www.unixhot.com"
config_output_html=[[
```
...
Why, after following the documented steps, do I get this error? At init.lua line 170 the argument to pairs is nil.

```
2017/09/11 20:29:28 [debug] 14548#0: *23152 regex "/(attachments|upimg|images|css|uploadfiles|html|uploads|templets|static|template|data|inc|forumdata|upload|includes|cache|avatar)/(\w+).(php|jsp)" not matched on string "/testhello" starting from 0
2017/09/11 20:29:28 [debug] 14548#0: *23152 lua resume returned 2
2017/09/11 20:29:28 [error] 14548#0: *23152 lua entry thread aborted: runtime error: /liyang/openresty-test/conf/waf/init.lua:170: bad argument #1 to 'pairs' (table expected, got nil)
```
Replacing spaces with %0A can bypass the WAF. How can this be fixed?
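A defender-side answer to this, written here as an added example and not code from the unixhot/waf project: decode the request before matching, then fold every run of whitespace and control characters (which is what %0A, %09 and %0D become after decoding) into one space, so a rule written for `union select` also fires on `union%0Aselect`. The function names (`normalize_input`, `hits_rule`, `percent_decode`) and the two sample rules are my own; under OpenResty the decoding step is `ngx.unescape_uri()` and the final match would be `ngx.re.find(normalized, rule, "isjo")` rather than `string.find`.

```lua
-- Added example, not project code. Normalizes an input the way a WAF should
-- before running its rules, so that encoded line breaks cannot split a
-- keyword sequence. Plain Lua 5.1 / LuaJIT, runnable with `lua` outside nginx.

-- Percent-decode "%XX" sequences; ngx.unescape_uri() does the same in OpenResty.
local function percent_decode(s)
    return (s:gsub("%%(%x%x)", function(hex)
        return string.char(tonumber(hex, 16))
    end))
end

-- decode_plus: true for query strings / form bodies, where "+" encodes a space;
-- false for the URI path, where "+" is a literal character.
local function normalize_input(s, decode_plus)
    if s == nil then return "" end
    local out = s
    -- Two rounds of decoding so a double-encoded "%250A" is unfolded as well;
    -- stop early when a round changes nothing.
    for _ = 1, 2 do
        local decoded = percent_decode(out)
        if decoded == out then break end
        out = decoded
    end
    if decode_plus then out = out:gsub("%+", " ") end
    -- Any run of whitespace (\n \r \t \v \f, space) or other control
    -- characters (NUL etc.) becomes one plain space.
    out = out:gsub("[%s%c]+", " ")
    return out:lower()
end

-- Rules here are Lua patterns applied with string.find; in OpenResty the
-- equivalent is ngx.re.find(subject, rule, "isjo") with PCRE rules.
local function hits_rule(subject, rules)
    for _, rule in ipairs(rules) do
        if subject:find(rule) then return true, rule end
    end
    return false, nil
end

-- Constructed demonstration: the same payload with line feeds in place of spaces.
local args_rules = { "union%s+select", "select%s+.+%s+from" }
local encoded = "id=1%0Aunion%0Aselect%0A1"

local raw_hit = hits_rule(encoded:lower(), args_rules)
local norm_hit = hits_rule(normalize_input(encoded, true), args_rules)
print("raw match:", raw_hit, " normalized match:", norm_hit)
print("normalized form:", normalize_input(encoded, true))
```

Matching the raw string misses the payload because `%0A` is three literal characters to the pattern; after normalization the rule sees `id=1 union select 1`. The same normalization should be applied to the URI path, the query string (`ngx.var.args`), cookies and the POST body, each with the right setting for `+`, and the rules themselves should use `\s+` rather than a single space between keywords.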
Surprisingly there is not a single issue here. I have recently been testing ngx_lua_waf, and seeing this I plan to test this one too and see what the difference between the two really is. Right now ngx_lua_waf's log format is not JSON; it took a huge effort to get it split roughly with grok so it can be displayed in ELK.
Right, loading the whitelist was written as write_rule.
Please change it.
赵班长, how do I configure which IPs may access a particular path? Thanks.
Whitelist IP
Whitelist URL
These two should be placed at the front, so that the CC rule does not block the request before the whitelist URL rule is reached.
I changed config_log_dir in config.lua; after reloading nginx it did not take effect, and there are no logs in the original /tmp directory either.
Environment
CentOS Linux release 7.6.1810
nginx-1.18.0
openresty-1.17.8.2
ngx_devel_kit-0.3.0
LuaJIT-2.0.5
lua-nginx-module-0.10.10
As in the title: is there any problem with this scenario?
```lua
require 'init'

-- Each check returns true once it has decided the request (whitelisted or
-- blocked); the elseif chain stops at the first check that fires, so the
-- order of the checks is their order of precedence.
-- Declared local so the per-request chunk does not write a global variable
-- (OpenResty's _G write guard warns about that).
local function waf_main()
    if white_ip_check() then
    elseif black_ip_check() then
    elseif user_agent_attack_check() then
    elseif cc_attack_check() then
    elseif cookie_attack_check() then
    elseif white_url_check() then
    elseif url_attack_check() then
    elseif url_args_attack_check() then
    elseif post_attack_check() then
    else
        return
    end
end

waf_main()
```
Error log
```
2020/01/07 18:15:53 [error] 165#0: *40 lua entry thread aborted: runtime error: /usr/local/openresty/nginx/conf/myconf/waf/init.lua:170: bad argument #1 to 'pairs' (table expected, got nil)
stack traceback:
coroutine 0:
[C]: in function 'pairs'
/usr/local/openresty/nginx/conf/myconf/waf/init.lua:170: in function 'post_attack_check'
/usr/local/openresty/nginx/conf/myconf/waf/access.lua:12: in function 'waf_main'
/usr/local/openresty/nginx/conf/myconf/waf/access.lua:18: in main chunk, client: 10.211.55.2, server: localhost, request: "GET /abcdef/core/notification/count.do HTTP/1.1", host: "10.211.55.9", referrer: "http://10.211.55.9/abcdef/index.do"
```
post_attack_check() is wrong and incomplete; it cannot validate POST parameters.
Hello, how do I configure the logs as JSON and collect them with ELK?
```
[root@localhost nginx]# nginx -V
nginx version: nginx/1.20.1
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-44) (GCC)
built with OpenSSL 1.1.1k 25 Mar 2021
TLS SNI support enabled
configure arguments: --user=www --group=www --prefix=/usr/local/nginx --with-http_stub_status_module --with-http_ssl_module --with-http_v2_module --with-http_gzip_static_module --with-http_sub_module --with-stream --with-stream_ssl_module --with-openssl=/root/lnmp1.8/src/openssl-1.1.1k --with-openssl-opt='enable-weak-ssl-ciphers' --with-ld-opt=-Wl,-rpath,/usr/local/luajit/lib --add-module=/root/src/lua-nginx-module-0.10.14 --add-module=/root/src/ngx_devel_kit-0.3.1 --with-ld-opt='-ljemalloc'
```
As in the title, thanks.
Hello, for the CC limit, say it is configured as config_cc_rate = "10/60": once it triggers, how long does the block on that IP last, and where can that be configured?
Has it been performance tested?
```
1.45.28.97 - - [25/Nov/2020:16:25:30 +0800] "GET /?rAV7w.html HTTP/1.1" 200 1956 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.2)"
1.45.28.97 - - [25/Nov/2020:16:25:30 +0800] "GET /?id=fuiW3 HTTP/1.1" 200 1956 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.2)"
1.45.28.97 - - [25/Nov/2020:16:25:30 +0800] "GET /?5C8RZ28.html HTTP/1.1" 200 1956 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.2)"
1.45.28.97 - - [25/Nov/2020:16:25:30 +0800] "GET /?6n0pJ52.html HTTP/1.1" 200 1956 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.2)"
1.45.28.97 - - [25/Nov/2020:16:25:30 +0800] "GET /?20E46h5.html HTTP/1.1" 200 1956 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.2)"
1.45.28.97 - - [25/Nov/2020:16:25:31 +0800] "GET /?N2ea4/0OVS7.html HTTP/1.1" 200 1956 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.2)"
1.45.28.97 - - [25/Nov/2020:16:25:31 +0800] "GET /?O13tN.html HTTP/1.1" 200 1956 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.2)"
1.45.28.97 - - [25/Nov/2020:16:25:31 +0800] "GET /?28W6634.html HTTP/1.1" 200 1956 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.2)"
1.45.28.97 - - [25/Nov/2020:16:25:31 +0800] "GET /?aZlUA16.html HTTP/1.1" 200 1956 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.2)"
1.45.28.97 - - [25/Nov/2020:16:25:31 +0800] "GET /?550d51N.html HTTP/1.1" 200 1956 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.2)"
1.45.28.97 - - [25/Nov/2020:16:25:31 +0800] "GET /?DRu4Q.html HTTP/1.1" 200 1956 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.2)"
1.45.28.97 - - [25/Nov/2020:16:25:31 +0800] "GET /?29eWj=T9CO0.html HTTP/1.1" 200 1956 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.2)"
1.45.28.97 - - [25/Nov/2020:16:25:31 +0800] "GET /?id=irp69 HTTP/1.1" 200 1956 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.2)"
1.45.28.97 - - [25/Nov/2020:16:25:32 +0800] "GET /?id=3TnGu HTTP/1.1" 200 1956 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.2)"
1.45.28.97 - - [25/Nov/2020:16:25:32 +0800] "GET /?id=CHb16 HTTP/1.1" 200 1956 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.2)"
1.45.28.97 - - [25/Nov/2020:16:25:32 +0800] "GET /?G9n73.html HTTP/1.1" 200 1956 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.2)"
1.45.28.97 - - [25/Nov/2020:16:25:32 +0800] "GET /?V8m7g.html HTTP/1.1" 200 1956 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.2)"
```
Far too brazen, frantic scanning. How do I write a blocking regex for this?
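The query strings in that log are random, so a regex on them will keep missing the next variant; what the log does show reliably is one client fetching many different URLs per second. The added example below (my code, not the project's) parses nginx combined-format lines, groups them by client IP and flags the IPs that exceed a rate of distinct URLs. The first eight log lines are the ones posted above; the two lines from 203.0.113.5 and the thresholds are constructed for the demonstration. The same per-IP counter is what the WAF's CC check keeps online in the `limit` shared dictionary.

```lua
-- Added example, not unixhot/waf code: offline burst detection over access
-- log lines. Plain Lua 5.1 / LuaJIT.

-- Parse one combined-format line; returns nil for lines that do not fit.
local function parse_line(line)
    local ip, ts, method, path, status = line:match(
        '^(%S+) %S+ %S+ %[([^%]]+)%] "(%u+) (%S+) [^"]*" (%d+)')
    if not ip then return nil end
    -- Time of day in seconds; day and zone are ignored (one log, one day).
    local h, m, s = ts:match(":(%d%d):(%d%d):(%d%d) ")
    local secs = tonumber(h) * 3600 + tonumber(m) * 60 + tonumber(s)
    return { ip = ip, secs = secs, method = method, path = path, status = tonumber(status) }
end

-- Group by IP: request count, distinct paths, first and last timestamp.
local function summarize(log_text)
    local by_ip = {}
    for line in log_text:gmatch("[^\n]+") do
        local r = parse_line(line)
        if r then
            local e = by_ip[r.ip]
            if not e then
                e = { count = 0, distinct = 0, paths = {}, first = r.secs, last = r.secs }
                by_ip[r.ip] = e
            end
            e.count = e.count + 1
            if not e.paths[r.path] then
                e.paths[r.path] = true
                e.distinct = e.distinct + 1
            end
            if r.secs < e.first then e.first = r.secs end
            if r.secs > e.last then e.last = r.secs end
        end
    end
    return by_ip
end

-- Assumed thresholds: at least min_distinct different URLs, requested at
-- min_rate or more distinct URLs per second over the span observed.
local function flag_scanners(by_ip, min_distinct, min_rate)
    local flagged = {}
    for ip, e in pairs(by_ip) do
        local span = e.last - e.first + 1
        local rate = e.distinct / span
        if e.distinct >= min_distinct and rate >= min_rate then
            flagged[#flagged + 1] = { ip = ip, distinct = e.distinct, span = span, rate = rate }
        end
    end
    table.sort(flagged, function(a, b) return a.rate > b.rate end)
    return flagged
end

-- Sample input: eight lines from the report above plus two constructed
-- benign lines from another client.
local sample_log = [[
1.45.28.97 - - [25/Nov/2020:16:25:30 +0800] "GET /?rAV7w.html HTTP/1.1" 200 1956 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.2)"
1.45.28.97 - - [25/Nov/2020:16:25:30 +0800] "GET /?id=fuiW3 HTTP/1.1" 200 1956 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.2)"
1.45.28.97 - - [25/Nov/2020:16:25:30 +0800] "GET /?5C8RZ28.html HTTP/1.1" 200 1956 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.2)"
1.45.28.97 - - [25/Nov/2020:16:25:30 +0800] "GET /?6n0pJ52.html HTTP/1.1" 200 1956 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.2)"
203.0.113.5 - - [25/Nov/2020:16:25:30 +0800] "GET /index.html HTTP/1.1" 200 1956 "-" "Mozilla/5.0"
1.45.28.97 - - [25/Nov/2020:16:25:30 +0800] "GET /?20E46h5.html HTTP/1.1" 200 1956 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.2)"
1.45.28.97 - - [25/Nov/2020:16:25:31 +0800] "GET /?N2ea4/0OVS7.html HTTP/1.1" 200 1956 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.2)"
1.45.28.97 - - [25/Nov/2020:16:25:31 +0800] "GET /?O13tN.html HTTP/1.1" 200 1956 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.2)"
1.45.28.97 - - [25/Nov/2020:16:25:31 +0800] "GET /?28W6634.html HTTP/1.1" 200 1956 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.2)"
203.0.113.5 - - [25/Nov/2020:16:25:41 +0800] "GET /about.html HTTP/1.1" 200 812 "-" "Mozilla/5.0"
]]

for _, f in ipairs(flag_scanners(summarize(sample_log), 5, 2)) do
    print(string.format("%s: %d distinct URLs in %d s (%.1f/s)", f.ip, f.distinct, f.span, f.rate))
end
```

Only the scanning client is reported; the two-page visitor stays well under both thresholds. In production the same decision is made per request by the CC check (the `config_cc_rate = "10/60"` setting in config.lua is exactly a count-per-window), so the practical answer for this log is to tune that rate rather than to chase the query strings with a pattern.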
赵班长, could you add some of the latest URL vulnerability rules?
For example, how should I write a single IP, or an IP range, into the IP whitelist?
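One way to support both forms, as an added example and not the project's own code: accept either a plain address or CIDR notation in the whitelist file (one entry per line is assumed to be the file's format) and compare the client address numerically. `ip_to_number`, `parse_cidr`, `load_whitelist` and `ip_in_whitelist` are my names; the client address would come from the project's `get_client_ip()` seen in the traceback further down. Only IPv4 is handled.

```lua
-- Added example, not unixhot/waf code: IPv4 address / CIDR whitelist matching
-- using plain arithmetic (no bit library), so it runs under Lua 5.1 and LuaJIT.

-- "a.b.c.d" -> 32-bit number, or nil when the text is not a valid IPv4 address.
local function ip_to_number(ip)
    local a, b, c, d = ip:match("^(%d+)%.(%d+)%.(%d+)%.(%d+)$")
    if not a then return nil end
    a, b, c, d = tonumber(a), tonumber(b), tonumber(c), tonumber(d)
    if a > 255 or b > 255 or c > 255 or d > 255 then return nil end
    return ((a * 256 + b) * 256 + c) * 256 + d
end

-- "10.0.0.0/8" or "192.168.1.7" -> { net = network prefix as a number,
-- host = 2^(32 - prefix length) }, or nil for input that should be rejected.
local function parse_cidr(entry)
    local ip, bits = entry:match("^([%d%.]+)/(%d+)$")
    if not ip then ip, bits = entry, 32 end
    bits = tonumber(bits)
    local n = ip_to_number(ip)
    if not n or bits < 0 or bits > 32 then return nil end
    local host = 2 ^ (32 - bits)
    return { net = math.floor(n / host), host = host, text = entry }
end

-- Build the whitelist once (at init time); malformed lines are reported and
-- skipped rather than silently whitelisting nothing or everything.
local function load_whitelist(entries)
    local list = {}
    for _, e in ipairs(entries) do
        local c = parse_cidr(e)
        if c then
            list[#list + 1] = c
        else
            io.stderr:write("whitelist: ignoring malformed entry '" .. e .. "'\n")
        end
    end
    return list
end

-- True when the client address falls inside any whitelisted network.
local function ip_in_whitelist(client_ip, list)
    local n = ip_to_number(client_ip)
    if not n then return false end
    for _, c in ipairs(list) do
        if math.floor(n / c.host) == c.net then return true end
    end
    return false
end

-- Constructed demonstration list and clients.
local whitelist = load_whitelist({ "127.0.0.1", "10.0.0.0/8", "192.168.10.0/24", "not-an-ip" })
for _, ip in ipairs({ "10.20.30.40", "192.168.10.200", "192.168.11.1", "8.8.8.8" }) do
    print(ip, ip_in_whitelist(ip, whitelist))
end
```

The first two clients are accepted (inside 10/8 and 192.168.10/24), the last two are not, and the malformed entry is reported at load time instead of failing at request time. Parsing the list in `init_by_lua` and keeping the parsed table, rather than re-reading the file per request, is what keeps this cheap.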
Dear 赵班长, when you have time please finish the POST part. I really like your work, thank you for your effort.
Hello:
I want to only log, without blocking. How do I set that up?
```
nginx: [error] lua_load_resty_core failed to load the resty.core module from https://github.com/openresty/lua-resty-core; ensure you are using an OpenResty release from https://openresty.org/en/download.html (rc: 2, reason: module 'resty.core' not found:
no field package.preload['resty.core']
no file '/usr/local/openresty/nginx/conf/resty/core.lua'
no file '/usr/local/openresty/site/lualib/resty/core.so'
no file '/usr/local/openresty/lualib/resty/core.so'
no file './resty/core.so'
no file '/usr/local/lib/lua/5.1/resty/core.so'
no file '/usr/local/openresty/luajit/lib/lua/5.1/resty/core.so'
no file '/usr/local/lib/lua/5.1/loadall.so'
no file '/usr/local/openresty/site/lualib/resty.so'
no file '/usr/local/openresty/lualib/resty.so'
no file './resty.so'
no file '/usr/local/lib/lua/5.1/resty.so'
no file '/usr/local/openresty/luajit/lib/lua/5.1/resty.so'
no file '/usr/local/lib/lua/5.1/loadall.so')
```
That is, developing directly on top of nginx+modsecurity: can that achieve the same effect as yours, and if so, what would the approach be?
When the server_name line in my conf file lists several domains, waf_logs only records the first domain; the other domains are not recorded. I do not know why.
How does this system perform? Are there any performance figures to refer to?
For example, if mirrored traffic is fed in for traffic scrubbing, roughly how much traffic can it withstand?
I deployed OpenResty 1.15.8.1 and put the waf rules under nginx/conf; starting openresty reports an error.
```
2019/05/28 15:05:23 [error] 8427#0: lua_load_resty_core failed to load the resty.core module from https://github.com/openresty/lua-resty-core; ensure you are using an OpenResty release from https://openresty.org/en/download.html (rc: 2, reason: module 'resty.core' not found:
no field package.preload['resty.core']
no file '/usr/local/openresty/nginx/conf/waf/resty/core.lua'
no file '/usr/local/openresty/site/lualib/resty/core.so'
no file '/usr/local/openresty/lualib/resty/core.so'
no file './resty/core.so'
no file '/usr/local/lib/lua/5.1/resty/core.so'
no file '/usr/local/openresty/luajit/lib/lua/5.1/resty/core.so'
no file '/usr/local/lib/lua/5.1/loadall.so'
no file '/usr/local/openresty/site/lualib/resty.so'
no file '/usr/local/openresty/lualib/resty.so'
no file './resty.so'
no file '/usr/local/lib/lua/5.1/resty.so'
no file '/usr/local/openresty/luajit/lib/lua/5.1/resty.so'
no file '/usr/local/lib/lua/5.1/loadall.so')
```
Maybe too much time has passed; these waf rules need some changes before they can be used.
```
2020/12/16 10:11:23 [warn] 6630#0: *36 [lua] _G write guard:12: __newindex(): writing a global lua variable ('CLIENT_IP') which may lead to race conditions between concurrent requests, so prefer the use of 'local' variables
stack traceback:
/home/openresty/openresty/waf/lib.lua:11: in function 'get_client_ip'
/home/openresty/openresty/waf/init.lua:63: in function 'cc_attack_check'
/home/openresty/openresty/waf/access.lua:7: in function 'waf_main'
/home/openresty/openresty/waf/access.lua:18: in main chunk, client:
```
How do I fix this error?
```
2021/12/25 15:13:44 [warn] 2004#2004: *43 [lua] _G write guard:12: __newindex(): writing a global Lua variable ('waf_main') which may lead to race conditions between concurrent requests, so prefer the use of 'local' variables
stack traceback:
/usr/local/openresty/nginx/conf/waf/access.lua:4: in main chunk, client: 192.168.121.188, server: localhost, request: "GET /hello HTTP/1.1", host: "192.168.123.179"
2021/12/25 15:13:44 [warn] 2004#2004: *43 [lua] _G write guard:12: __newindex(): writing a global Lua variable ('waf_main') which may lead to race conditions between concurrent requests, so prefer the use of 'local' variables
```
The log file is not generated; I am using openresty 1.17.8.2.
The WAF's url_args_attack_check function throws an error; could an expert please help?
The error details are as follows:
```
[C]: in function 'concat'
/usr/local/openresty1.11/nginx/conf/waf/init.lua:130: in function 'url_args_attack_check'
/usr/local/openresty1.11/nginx/conf/waf/access.lua:11: in function 'waf_main'
/usr/local/openresty1.11/nginx/conf/waf/access.lua:18: in function </usr/local/openresty1.11/nginx/conf/waf/access.lua:1>, client: 118.91.92.132, server: g.share.com, request: "GET /gamepage/egg.php?lxt&&cd=0<=d96628e0ads&vs=0 HTTP/1.1", host: "g.share.com"
```
```
2017/08/02 19:29:01 [error] 18148#0: *14 lua entry thread aborted: runtime error: /usr/local/nginx/conf/waf/init.lua:152: bad argument #1 to 'pairs' (table expected, got nil)
stack traceback:
coroutine 0:
[C]: in function 'pairs'
/usr/local/nginx/conf/waf/init.lua:152: in function 'user_agent_attack_check'
/usr/local/nginx/conf/waf/access.lua:6: in function 'waf_main'
/usr/local/nginx/conf/waf/access.lua:18: in function </usr/local/nginx/conf/waf/access.lua:1>, client: 125.39.239.6, server: localhost, request: "GET //index.php/api/index/imgcode HTTP/1.1", host: "gd.lo-x.cc", referrer: "http://www.baidu.com/s?wd=www"
```