
编译 Nginx

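# pcre regex library
# NOTE(review): cleartext FTP download and no integrity check anywhere in this
# block. Compare the tarball against the hash/signature the project publishes
# (placeholder: <PCRE_TARBALL_SHA256>) before building, and prefer an https
# mirror where one is offered.
$ wget ftp://ftp.csx.cam.ac.uk/pub/software/programming/pcre/pcre-8.41.tar.gz
$ tar -zxf pcre-*.tar.gz
$ cd pcre-*
$ ./configure
$ make && sudo make install

# zlib gzip library
# Fetched over https (was http) so the archive cannot be altered in transit;
# still compare it against a published hash (placeholder: <ZLIB_TARBALL_SHA256>).
$ wget https://zlib.net/zlib-1.2.11.tar.gz
$ tar -zxf zlib-1.2.11.tar.gz
$ cd zlib-1.2.11
$ ./configure
$ make && sudo make install

# openssl (https support). Note: the upstream instructions are for a macOS build;
# if this step fails, search for "openssl compile" instructions for your platform.
# NOTE(review): the 1.0.2 line is no longer maintained upstream; pick a currently
# supported release. Also, the nginx ./configure below has no --with-openssl=...
# option, so this build in /usr/local/openssl is not what nginx links against;
# nginx picks up whatever OpenSSL its build environment finds.

$ wget https://www.openssl.org/source/openssl-1.0.2l.tar.gz
$ tar -zxf openssl-*.tar.gz
$ cd openssl-*
$ ./config --prefix=/usr/local/openssl/
$ make && sudo make install


# pick ONE of mainline or stable
# mainline release (https instead of http; verify the hash as above,
# placeholder: <NGINX_TARBALL_SHA256>)
$ wget https://nginx.org/download/nginx-1.13.3.tar.gz

# stable release
$ wget https://nginx.org/download/nginx-1.12.1.tar.gz

$ tar zxf nginx-*.tar.gz

$ cd nginx-*

# The option list must be one continuous backslash-continued command. The blank
# lines that used to separate the option groups ended the command early, so
# nothing after --lock-path reached ./configure and each following "--with-..."
# line was executed as a command of its own. Keep no blank or comment lines
# inside the list.
# --with-pcre/--with-zlib point at the source trees unpacked above, so nginx
# compiles those libraries in itself; the system-wide installs above are not
# what this build uses.
$ ./configure --prefix=/etc/nginx \
--sbin-path=/usr/sbin/nginx \
--modules-path=/usr/lib/nginx/modules \
--conf-path=/etc/nginx/nginx.conf \
--error-log-path=/var/log/nginx/error.log \
--http-log-path=/var/log/nginx/access.log \
--pid-path=/var/run/nginx.pid \
--lock-path=/var/run/nginx.lock \
--with-http_gunzip_module \
--with-http_gzip_static_module \
--with-http_addition_module \
--with-http_auth_request_module \
--with-http_realip_module \
--with-http_slice_module \
--with-http_stub_status_module \
--with-http_sub_module \
--with-compat \
--with-file-aio \
--with-threads \
--with-stream \
--with-stream_realip_module \
--with-stream_ssl_module \
--with-stream_ssl_preread_module \
--with-http_v2_module \
--with-http_ssl_module \
--with-pcre=../pcre-8.41 \
--with-zlib=../zlib-1.2.11 \
--without-http_autoindex_module \
--without-http_fastcgi_module \
--without-http_uwsgi_module \
--without-http_scgi_module \
--without-http_memcached_module \
--without-http_empty_gif_module

$ make && sudo make install

# Starting from the official standard option set, unused modules are removed
# and the pcre and zlib source modules are added.
# temp-file related
#--http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp \
#--http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp \
#--http-scgi-temp-path=/var/cache/nginx/scgi_temp \
#--http-client-body-temp-path=/var/cache/nginx/client_temp \
#--http-proxy-temp-path=/var/cache/nginx/proxy_temp \

# dav, media related
#--with-http_dav_module \
#--with-http_flv_module \
#--with-http_mp4_module \

# random index page, secure link related
#--with-http_random_index_module \
#--with-http_secure_link_module \

# email related
#--with-mail \
#--with-mail_ssl_module \

# gcc related
# NOTE(review): these are compiler/linker hardening flags (stack protector,
# FORTIFY_SOURCE, RELRO, immediate binding, PIE) of the kind distribution
# packages commonly build with. They are left disabled here; enabling them is
# recommended for an internet-facing build.
#--with-cc-opt='-g -O2 -fstack-protector-strong -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fPIC' \
#--with-ld-opt='-Wl,-Bsymbolic-functions -Wl,-z,relro -Wl,-z,now -Wl,--as-needed -pie'

# group / user related
#--user=nginx 
#--group=nginx 
# If --user and --group are given, create the account with this command:
# a system account with no home directory and no login shell, so the worker
# account cannot be used for an interactive login.
#$ sudo adduser --system --no-create-home --shell /bin/false --group --disabled-login nginx

# If https is not needed, the ssl and http2 modules can be disabled as well

# Disable unused modules to reduce attack surface
#--without-http_autoindex_module \
#--without-http_fastcgi_module \
#--without-http_uwsgi_module \
#--without-http_scgi_module \
#--without-http_memcached_module \
#--without-http_empty_gif_module
# Test the configuration, then start. With the paths chosen above (/var/run,
# /var/log/nginx) this presumably needs root, i.e. sudo — TODO confirm.
$ nginx -t && nginx

nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful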

openresty 编译参数

# OpenResty build (nginx bundled with LuaJIT and the lua-nginx modules).
# Build dependencies.
$ sudo apt-get install -y libreadline-dev libncurses5-dev libpcre3-dev libssl-dev perl make build-essential dos2unix mercurial
# NOTE(review): the tarball is fetched over https but never verified; compare it
# against the hash OpenResty publishes (placeholder: <OPENRESTY_TARBALL_SHA256>).
$ wget https://openresty.org/download/openresty-1.11.2.4.tar.gz
$ tar zxf openresty-1.11.2.4.tar.gz

# Alternatively clone from GitHub and build from source yourself
# git clone https://github.com/openresty/openresty 
# cd openresty 
# make -j4

$ cd openresty-*

# list all configure options
$ ./configure --help

# configure the build
# --prefix=/etc/openresty places the nginx binary under /etc/openresty/nginx/sbin/,
#   whereas the commands further down use /opt/openresty/nginx/nginx/sbin/nginx;
#   one of the two paths presumably needs adjusting — confirm before running.
# --user/--group=nginx: the account the worker processes run as; it must exist
#   (the nginx section above shows an adduser command for it).
# --with-cc-opt / --with-ld-opt reference /usr/local/openresty/{zlib,pcre,openssl,luajit};
#   no step on this page creates those directories — confirm they exist or drop
#   the flags. Only -O2 and include paths are passed: none of the hardening
#   flags listed in the nginx section (-fstack-protector-strong,
#   -D_FORTIFY_SOURCE=2, -Wl,-z,relro -Wl,-z,now) are applied to this build.
# --with-pcre-opt=-g presumably passes -g (debug info) to the PCRE build.
# -j4: parallel build jobs.
# Do not insert blank or comment lines inside the backslash-continued option
# list below; the command would end early.
./configure --prefix=/etc/openresty \
--user=nginx \
--group=nginx \
--with-cc-opt='-O2 -I/usr/local/openresty/zlib/include -I/usr/local/openresty/pcre/include -I/usr/local/openresty/openssl/include' \
--with-ld-opt='-Wl,-rpath,/usr/local/openresty/luajit/lib -L/usr/local/openresty/zlib/lib -L/usr/local/openresty/pcre/lib -L/usr/local/openresty/openssl/lib -Wl,-rpath,/usr/local/openresty/zlib/lib:/usr/local/openresty/pcre/lib:/usr/local/openresty/openssl/lib' \
--with-pcre-jit \
--with-dtrace-probes \
--with-pcre-opt=-g \
--with-stream \
--with-stream_ssl_module \
--with-http_v2_module \
--with-http_stub_status_module \
--with-http_realip_module \
--with-http_gzip_static_module \
--with-http_sub_module \
--with-http_gunzip_module \
--with-threads \
--with-file-aio \
--with-http_ssl_module \
--with-http_auth_request_module \
--without-mail_pop3_module \
--without-mail_imap_module \
--without-mail_smtp_module \
--without-http_fastcgi_module \
--without-http_uwsgi_module \
--without-http_scgi_module \
--without-http_autoindex_module \
--without-http_memcached_module \
--without-http_empty_gif_module \
--without-http_ssi_module \
--without-http_userid_module \
--without-http_browser_module \
--without-http_rds_json_module \
--without-http_rds_csv_module \
--without-http_memc_module \
--without-http_redis2_module \
--without-lua_resty_memcached \
--without-lua_resty_mysql \
-j4

# Reference list of the --without options used above, grouped by purpose.
# disable the memcached module
#--without-http_memc_module \
# disable the redis module (the redis2 module is kept)
#--without-http_redis_module \
# disable email-related modules
#--without-mail_pop3_module \
#--without-mail_imap_module \
#--without-mail_smtp_module \
# disable rds modules
#--without-http_rds_json_module \
#--without-http_rds_csv_module \
# disable cgi
#--without-http_fastcgi_module \
#--without-http_uwsgi_module \
#--without-http_scgi_module \
#--without-http_autoindex_module \
#--without-http_memcached_module \
#--without-http_empty_gif_module \
$ make -j4 && sudo make install

# make sure port 80 is not already in use
$ lsof -i:80

# test the configuration, then start (see the prefix note above about the path)
$ /opt/openresty/nginx/nginx/sbin/nginx -t && /opt/openresty/nginx/nginx/sbin/nginx

# smoke test
$ curl localhost

ModSecurity 配置

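# ModSecurity v3 (libmodsecurity), built from the v3/master branch.
# NOTE(review): a --depth=1 clone of a moving branch is not a pinned build;
# record the commit you built (placeholder: <MODSECURITY_COMMIT>) so the WAF
# can be rebuilt reproducibly and audited.
$ git clone -b v3/master --single-branch https://github.com/SpiderLabs/ModSecurity.git --depth=1
$ cd ModSecurity/
# The clone above already created and checked out the local branch v3/master,
# so the original `git checkout -b v3/master origin/v3/master` step failed with
# "branch already exists"; it has been dropped.
$ sh build.sh
$ git submodule init
$ git submodule update #[for bindings/python, others/libinjection, test/test-cases/secrules-language-tests]
$ ./configure
$ make
$ sudo make install

# Use the ModSecurity-nginx connector rather than the standalone version that
# circulates online; see https://github.com/SpiderLabs/ModSecurity-nginx

# These point at the checkout made above; adjust to wherever the ModSecurity
# source tree lives on your machine. The connector still has to be compiled
# into openresty (its --add-module=... configure step) and enabled per
# server/location with the `modsecurity on;` / `modsecurity_rules_file` directives;
# neither is shown on this page.
$ export MODSECURITY_INC="/home/anjia/openresty/ModSecurity/headers"
$ export MODSECURITY_LIB="/home/anjia/openresty/ModSecurity/src/.libs"
$ git clone https://github.com/SpiderLabs/ModSecurity-nginx --depth=1
$ git clone https://github.com/SpiderLabs/owasp-modsecurity-crs.git --depth=1
$ sudo cp -R owasp-modsecurity-crs/rules /opt/openresty/nginx/nginx/conf 
# sudo added: the conf directory under /opt is root-owned after `make install`
# (the neighbouring cp uses sudo too), so an unprivileged cp fails here.
$ sudo cp owasp-modsecurity-crs/crs-setup.conf.example /opt/openresty/nginx/nginx/conf/crs-setup.conf
# Both URLs on one line (the original was wrapped in the middle of the second
# URL). They fetch from the unpinned master branch; review the downloaded files
# before enabling them.
$ sudo wget -P /opt/openresty/nginx/nginx/conf https://raw.githubusercontent.com/SpiderLabs/ModSecurity/master/modsecurity.conf-recommended https://raw.githubusercontent.com/SpiderLabs/ModSecurity/master/unicode.mapping
$ sudo mv /opt/openresty/nginx/nginx/conf/modsecurity.conf-recommended /opt/openresty/nginx/nginx/conf/modsecurity.conf
$ sudo mkdir /opt/openresty/nginx/nginx/conf/sites-enabled
# run the workers as www-data
# NOTE(review): the openresty build earlier on this page passed --user=nginx
# --group=nginx; the `user` directive inserted here overrides that at runtime,
# so make sure file ownership and permissions match the account actually used.
$ sudo sed -i '1s/^/user www-data;\n/' /opt/openresty/nginx/nginx/conf/nginx.conf
$ sudo vim /opt/openresty/nginx/nginx/conf/nginx.conf
# Delete lines 36-116, i.e. the server{} block: in vim (with an English input
# method active) type :36,166d and then :wq
# NOTE(review): the three line ranges given here (36-116, :36,166d, 35,116d) do
# not agree; check the actual line numbers of the server{} block in your
# nginx.conf before deleting, since a wrong range silently drops other directives.
# If you have confirmed the line numbers, you can also use: sudo sed '35,116d' -i /opt/openresty/nginx/nginx/conf/nginx.conf
$ sudo sed '$i include /opt/openresty/nginx/nginx/conf/sites-enabled/*; ' -i /opt/openresty/nginx/nginx/conf/nginx.conf
# If that is too much effort, the following nginx.conf can be used directly
user www-data;
worker_processes 1;
events {
worker_connections 1024;
}
http {
include mime.types;
default_type application/octet-stream;
sendfile on;
keepalive_timeout 65;
include /opt/openresty/nginx/nginx/conf/sites-enabled/*;
}

# Append the CRS includes to modsecurity.conf
$ vi /opt/openresty/nginx/nginx/conf/modsecurity.conf

#Load OWASP Config 
Include crs-setup.conf 
#Load all other Rules 
Include rules/*.conf 
#Disable rule by ID from error message 
#SecRuleRemoveById 920350

# Switch the engine from DetectionOnly to blocking mode.
# NOTE(review): run in DetectionOnly first and review the audit/error logs for
# false positives on real traffic before switching to On, otherwise legitimate
# requests start receiving 403s.
$ sudo sed s/"SecRuleEngine DetectionOnly"/"SecRuleEngine On"/g -i /opt/openresty/nginx/nginx/conf/modsecurity.conf
$ sudo /opt/openresty/nginx/nginx/sbin/nginx -t && sudo /opt/openresty/nginx/nginx/sbin/nginx -s reload
# Smoke test: a request carrying a script tag should be rejected by the CRS
# once the connector is loaded and the rules are enabled.
$ curl "http://localhost/wp-admin/admin.php?where1=%3Cscript%3Ealert(String.fromCharCode(88,+83,+83))%3C/script%3E&searchsubmit=Buscar&page=nsp_search"
# expected response: 403 Forbidden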

服务文件

# Service file: make the init script executable so the service manager can run
# it. The script's contents are not shown on this page — review it before
# enabling it, since init scripts are presumably run with root privileges at
# boot (assumes /etc/init.d/openresty already exists — TODO confirm).
$ chmod +x /etc/init.d/openresty
# mask prevents the unit from being started at all; unmask reverses that
# (kept here for reference)
#$ systemctl mask openresty
#$ systemctl unmask openresty

