版本比较

标识

  • 该行被添加。
  • 该行被删除。
  • 格式已经改变。

一、说明

操作系统:CentOS 7 (最小化安装)

Kong版本:1.4.2

二、系统配置

1、按系统标准完成操作系统初始化配置。

2、注意关闭 Selinux 配置

3、配置阿里云 更新源(含EPEL),增加 npm 国内配置源

4、配置 pgsql 安装源和 kong 安装源

三、编译升级

下载 Openresty 的源码包,需要注意 Kong 会严格验证 nginx 的版本,如果出现版本不一致的情况将无法正常启动。如果使用高版本的 nginx 编译需求调整源文件的版本号。

代码块
languagebash
yum install libtool perl-core gcc gcc-c++ tree git elfutils-devel -y
npm config set registry https://registry.npm.taobao.org
wget https://bintray.com/kong/kong-rpm/rpm -O bintray-kong-kong-rpm.repo
  baseurl=https://kong.bintray.com/kong-rpm/centos/7
yum install kong-1.4.2
wget https://openresty.org/download/openresty-1.15.8.2.tar.gz
wget http://mirrors.sohu.com/nginx/nginx-1.17.4.tar.gz
git clone https://github.com/openresty/openresty
cp /tmp/openresty/patches/nginx-1.17.4*  /root/openresty-1.15.8.2/patches/
/root/openresty-1.15.8.2/bundle/openssl-1.1.1c/Configure linux-x86_64
make && make install
/root/openresty-1.15.8.2/bundle/pcre-8.42/configure
make && make install
/root/openresty-1.15.8.2/bundle/zlib-1.2.11/configure
make && make install
cd LuaJIT-2.1-20190507/
make clean
make&&make install
export LUAJIT_INC=/usr/local/include/luajit-2.1
export LUAJIT_LIB=/usr/local/lib
wget https://openresty.org/download/openresty-1.15.8.2.tar.gz
tar zxvf openresty-1.15.8.2.tar.gz
wget https://github.com/Kong/openresty-patches/archive/master.tar.gz
tar zxvf master.tar.gz
cd openresty-1.15.8.2/bundle
for i in ../../openresty-patches-master/patches/1.15.8.2/*.patch; do patch -p1 < $i; done
/root/openresty-1.15.8.2/configure
vim /root/openresty-1.15.8.2/bundle/nginx-1.17.4/src/core/nginx.h


信息
titlenginx.h

#define nginx_version 1015008
#define NGINX_VERSION "1.15.8"
#define NGINX_VER "openresty/" NGINX_VERSION ".2"


代码块
languagebash
./configure --prefix=/usr/local/openresty/nginx \
--with-cc-opt='-O2 -DNGX_LUA_ABORT_AT_PANIC -I/usr/local/openresty/zlib/include -I/usr/local/openresty/pcre/include -I/usr/local/openresty/openssl/include' \
--add-module=../ngx_devel_kit-0.3.1rc1 --add-module=../echo-nginx-module-0.61 --add-module=../xss-nginx-module-0.06 --add-module=../ngx_coolkit-0.2 \
--add-module=../set-misc-nginx-module-0.32 --add-module=../form-input-nginx-module-0.12 --add-module=../encrypted-session-nginx-module-0.08 \
--add-module=../srcache-nginx-module-0.31 --add-module=../ngx_lua-0.10.15 --add-module=../ngx_lua_upstream-0.07 \
--add-module=../headers-more-nginx-module-0.33 --add-module=../array-var-nginx-module-0.05 --add-module=../rds-json-nginx-module \
--add-module=../memc-nginx-module-0.19 --add-module=../redis2-nginx-module-0.15 --add-module=../redis-nginx-module-0.3.7 \
--add-module=../ngx_stream_lua-0.0.7 --add-module=../nginx-upload-module --add-module=../rds-csv-nginx-module-0.09 \
--add-module=../lua-kong-nginx-module --add-module=../naxsi-0.56/naxsi_src \
--with-ld-opt='-Wl,-rpath,/usr/local/openresty/luajit/lib -L/usr/local/openresty/zlib/lib -L/usr/local/openresty/pcre/lib -L/usr/local/openresty/openssl/lib -Wl,-rpath,/usr/local/openresty/zlib/lib:/usr/local/openresty/pcre/lib:/usr/local/openresty/openssl/lib' \
--with-cc='ccache gcc -fdiagnostics-color=always' --with-pcre --with-openssl=../openssl-1.1.1c --with-pcre-jit --with-debug \
--with-stream --with-stream_ssl_module --with-stream_ssl_preread_module --with-http_v2_module --without-mail_pop3_module \
--without-mail_imap_module --without-mail_smtp_module --with-http_stub_status_module --with-http_realip_module \
--with-http_addition_module --with-http_auth_request_module --with-http_secure_link_module --with-http_random_index_module \
--with-http_gzip_static_module --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module \
--with-http_gunzip_module --with-threads --with-stream --with-stream_ssl_preread_module --with-http_ssl_module
make
cp /root/openresty-1.15.8.2/bundle/nginx-1.17.4/objs/nginx /usr/local/openresty/nginx/sbin
kong start -vv

四、加入 Modsecurity 策略支持

REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example  和 RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.example 是自定义白名单文件。

代码块
languagebash
yum install gcc-c++ flex bison yajl yajl-devel curl-devel curl GeoIP-devel doxygen lmdb-devel ssdeep-devel
git clone https://github.com/SpiderLabs/ModSecurity
cd ModSecurity
git checkout -b v3/master origin/v3/master
sh build.sh
git submodule init
git submodule update
./configure
make
make install

export MODSECURITY_INC="/root/openresty-1.15.8.2/bundle/ModSecurity/headers/"
export MODSECURITY_LIB="/root/openresty-1.15.8.2/bundle/ModSecurity/src/.libs/"
git clone https://github.com/SpiderLabs/ModSecurity-nginx
git clone https://bitbucket.org/lazy_dogtown/doxi-rules.git
./configure --prefix=/usr/local/openresty/nginx \
--with-cc-opt='-O2 -DNGX_LUA_ABORT_AT_PANIC -I/usr/local/openresty/zlib/include -I/usr/local/openresty/pcre/include -I/usr/local/openresty/openssl/include' \
--add-module=../ngx_devel_kit-0.3.1rc1 --add-module=../echo-nginx-module-0.61 --add-module=../xss-nginx-module-0.06 \
--add-module=../ngx_coolkit-0.2 --add-module=../set-misc-nginx-module-0.32 --add-module=../form-input-nginx-module-0.12 \
--add-module=../encrypted-session-nginx-module-0.08 --add-module=../srcache-nginx-module-0.31 --add-module=../ngx_lua-0.10.15 \
--add-module=../ngx_lua_upstream-0.07 --add-module=../headers-more-nginx-module-0.33 --add-module=../array-var-nginx-module-0.05 \
--add-module=../rds-json-nginx-module --add-module=../memc-nginx-module-0.19 --add-module=../redis2-nginx-module-0.15 \
--add-module=../redis-nginx-module-0.3.7 --add-module=../ngx_stream_lua-0.0.7 --add-module=../nginx-upload-module --add-module=../rds-csv-nginx-module-0.09 \
--add-module=../lua-kong-nginx-module --add-module=../ModSecurity-nginx \
--with-ld-opt='-Wl,-rpath,/usr/local/openresty/luajit/lib -L/usr/local/openresty/zlib/lib -L/usr/local/openresty/pcre/lib -L/usr/local/openresty/openssl/lib -Wl,-rpath,/usr/local/openresty/zlib/lib:/usr/local/openresty/pcre/lib:/usr/local/openresty/openssl/lib' \
--with-cc='ccache gcc -fdiagnostics-color=always' --with-pcre --with-openssl=../openssl-1.1.1c --with-pcre-jit --with-debug --with-stream \
--with-stream_ssl_module --with-stream_ssl_preread_module --with-http_v2_module --without-mail_pop3_module --without-mail_imap_module \
--without-mail_smtp_module --with-http_stub_status_module --with-http_realip_module --with-http_addition_module --with-http_auth_request_module \
--with-http_secure_link_module --with-http_random_index_module --with-http_gzip_static_module --with-http_sub_module --with-http_dav_module \
--with-http_flv_module --with-http_mp4_module --with-http_gunzip_module --with-threads --with-stream --with-stream_ssl_preread_module \
--with-http_ssl_module
make
git clone https://github.com/SpiderLabs/owasp-modsecurity-crs.git
cp ../ModSecurity/modsecurity.conf-recommended /usr/local/kong/modsec/modsecurity.conf
cp ../ModSecurity/unicode.mapping /usr/local/kong/modsec/
cp  /root/openresty-1.15.8.2/bundle/owasp-modsecurity-crs/crs-setup.conf.example  /usr/local/kong/modsec/crs-setup.conf
cp -R /root/openresty-1.15.8.2/bundle/owasp-modsecurity-crs/rules/ /usr/local/kong/modsec/
sed -i "s/SecRuleEngine DetectionOnly/SecRuleEngine On/" /usr/local/kong/modsec/modsecurity.conf
sed -i "s/SecAuditLogType Serial/SecAuditLogType Concurrent/" /usr/local/kong/modsec/modsecurity.conf
sed -i "s|SecAuditLog /var/log/modsec_audit.log|SecAuditLog /usr/local/kong/logs/modsec.log|" /usr/local/kong/modsec/modsecurity.conf

4.1 修改模版文件,加入安全策略

代码块
languagebash
vim /usr/lib/systemd/system/kong.servic


代码块
languagetext
[Unit]
Description=Kong
After=rsyslog.target network.target postgresql-11.service

[Service]
User=root
Group=root
Type=forking
ExecStart=/usr/local/bin/kong start
ExecReload=/usr/local/bin/kong reload
ExecStop=/usr/local/bin/kong stop

LimitAS=infinity
LimitRSS=infinity
LimitCORE=infinity
LimitNOFILE=4096

[Install]
WantedBy=multi-user.target

4.2 修改配置文件,加入策略

4.3 Naxsi 配置

代码块
languagebash
git clone https://bitbucket.org/lazy_dogtown/doxi-rules.git
mkdir -p /usr/local/kong/naxsi
cp /root/openresty-1.15.8.2/bundle/naxsi-0.56/naxsi_config/naxsi_core.rules /usr/local/kong/naxsi/
cp /root/openresty-1.15.8.2/bundle/doxi-rules/*.rules /usr/local/kong/naxsi/

4.4 fail2ban 配置

代码块
languagebash
vim /etc/fail2ban/jail.conf

[kong-naxsi]
enabled = true
port = http,https
filter = kong-naxsi
logpath = /usr/local/kong/logs/naxsi.log
maxretry = 3

vim /etc/fail2ban/filter.d/kong-naxsi.conf

[INCLUDES]
before = common.conf
[Definition]
failregex = NAXSI_FMT: ip=<HOST>&server=.*&uri=.*&learning=0
NAXSI_FMT: ip=<HOST>.*&config=block
ignoreregex = NAXSI_FMT: ip=<HOST>.*&config=learning

五、编译故障处理

1、nginx 启动时提示”no file '/usr/local/lib/lua/5.1/rex_pcre.so'“

原因:

加载 lua-resty-waf 插件后提示没有 pcre 动态库文件

解决方法:


代码块
languagebash
luarocks install lrexlib-pcre
cp /usr/lib64/lua/5.1/rex_pcre.so /usr/local/openresty/lualib/



2、编译提示”WARNING: 'aclocal-1.15' is missing on your system.
You should only need it if you modified 'acinclude.m4' or
'configure.ac' or m4 files included by 'configure.ac'.
The 'aclocal' program is part of the GNU Automake package:
<http://www.gnu.org/software/automake>“

原因:

缺乏 aclocal 指令

解决办法:

代码块
languagebash
yum install automake

然后到出错的文件夹执行  autoreconf


g++ ac_lua.cxx -c -fvisibility=hidden -Wall -msse2 -msse3 -msse4.1 -O3 -fPIC -I/usr/include/lua5.1 -MMD -o build_so/ac_lua.o
ac_lua.cxx:11:14: fatal error: lua.h: No such file or directory
#include <lua.h>
^~~~~~~


lua-resty-waf

代码块
languagebash
git clone git://github.com/vozlt/nginx-module-vts.git
wget ftp://ftp.csx.cam.ac.uk/pub/software/programming/pcre/pcre-8.36.tar.bz2
wget https://mirrors.yangxingzhen.com/pcre/pcre-8.39.tar.gz
wget https://www.openssl.org/source/old/1.1.0/openssl-1.1.0j.tar.gz
wget https://www.zlib.net/zlib-1.2.11.tar.gz
wget https://openresty.org/package/centos/openresty.repo
yum install openresty-pcre-devel openresty-openssl-devel openresty-zlib-devel openresty-debug
./configure --prefix=/usr/local/openresty/nginx --with-cc-opt='-O2 -DNGX_LUA_ABORT_AT_PANIC -I/usr/local/openresty/zlib/include -I/usr/local/openresty/pcre/include -I/usr/local/openresty/openssl/include' \
--add-module=../ngx_devel_kit-0.3.1rc1 --add-module=../echo-nginx-module-0.61 --add-module=../xss-nginx-module-0.06 --add-module=../ngx_coolkit-0.2 \
--add-module=../nginx-module-vts --add-module=../set-misc-nginx-module-0.32 --add-module=../form-input-nginx-module-0.12 --add-module=../encrypted-session-nginx-module-0.08 \
--add-module=../srcache-nginx-module-0.31 --add-module=../ngx_lua-0.10.15 --add-module=../ngx_lua_upstream-0.07 --add-module=../headers-more-nginx-module-0.33 --add-module=../array-var-nginx-module-0.05 \
--add-module=../memc-nginx-module-0.19 --add-module=../redis2-nginx-module-0.15 --add-module=../redis-nginx-module-0.3.7 --add-module=../ngx_stream_lua-0.0.7 \
--with-ld-opt='-Wl,-rpath,/usr/local/openresty/luajit/lib -L/usr/local/openresty/zlib/lib -L/usr/local/openresty/pcre/lib -L/usr/local/openresty/openssl/lib \
-Wl,-rpath,/usr/local/openresty/zlib/lib:/usr/local/openresty/pcre/lib:/usr/local/openresty/openssl/lib' --with-cc='ccache gcc -fdiagnostics-color=always' --with-pcre=../pcre-8.42 \
--with-pcre-jit --with-debug --with-stream --with-stream_ssl_module --with-stream_ssl_preread_module --with-http_v2_module --without-mail_pop3_module --without-mail_imap_module \
--without-mail_smtp_module --with-http_stub_status_module --with-http_realip_module --with-http_addition_module --with-http_auth_request_module --with-http_secure_link_module \
--with-http_random_index_module --with-http_gzip_static_module --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module \
--with-threads --with-stream --with-stream_ssl_preread_module --with-http_ssl_module
yum install luarocks ccache automake 
luarocks install lua-resty-waf lrexlib-pcre
yum install perl-JSON perl-Clone perl-List perl-List-MoreUtils perl-Try-Tiny perl-Exporter-Declare
echo "SecRule REQUEST_URI /XinXiBu/WebResource.axd \"id:11008, phase:1,log,allow,msg:'WhiteList-Different URL Accessed'\"" \
| ./luarocks_lua-resty-waf-0.11.1-1-8143/lua-resty-waf/tools/modsec2lua-resty-waf.pl

nginx.conf 的 http 配置区域增加以下内容

代码块
languagetext
lua_package_path '/usr/local/openresty/site/lualib/?.lua;/usr/local/openresty/lualib/?.lua;;';
lua_package_cpath '/usr/local/openresty/site/lualib/?.so;/usr/local/openresty/lualib/?.so;;';

init_by_lua_block {
    local lua_resty_waf = require "resty.waf"
    local ok, errs = pcall(function()
    lua_resty_waf.load_secrules("/usr/local/openresty/site/lualib/rules/21000_http_anomaly.json")
    lua_resty_waf.load_secrules("/usr/local/openresty/site/lualib/rules/35000_user_agent.json")
    lua_resty_waf.load_secrules("/usr/local/openresty/site/lualib/rules/40000_generic_attack.json")
    lua_resty_waf.load_secrules("/usr/local/openresty/site/lualib/rules/41000_sqli.json")
    end)
    if errs then
        for i = 1, #errs do
        ngx.log(ngx.ERR, errs[i])
    end
end
}

include vhost/*.conf;

具体配置文件增加以下内容

代码块
languagetext
location / {

    access_by_lua_block {
    local lua_resty_waf = require "resty.waf"
    local waf = lua_resty_waf:new()
    waf:set_option("event_log_request_body", true)
    waf:set_option("event_log_request_headers", true)
    waf:set_option("debug", true)
    waf:set_option("mode", "ACTIVE")
    waf:set_option("debug_log_level", ngx.DEBUG)
    waf:set_option("info", "true")
    waf:set_option("event_log_request_arguments", true)
    waf:set_option("event_log_target", "file")
    waf:set_option("event_log_target_path", "/var/log/waf/" .. ngx.var.http_host .. "_" .. ngx.today() .. ".log")
    waf:set_option("process_multipart_body", true)
    waf:set_option("res_body_max_size", 1024 * 1024 * 2)

###############################################
# lua resty waf usage
###############################################

header_filter_by_lua_block {
    local lua_resty_waf = require "resty.waf"
    local waf = lua_resty_waf:new()
    waf:exec()
}

body_filter_by_lua_block {
    local lua_resty_waf = require "resty.waf"
    local waf = lua_resty_waf:new()
    waf:exec()
}

log_by_lua_block {
    local lua_resty_waf = require "resty.waf"
    local waf = lua_resty_waf:new()
    waf:exec()
    waf:write_log_events()
}

root html;
index index.html index.htm;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_pass http://caiyang-cn;
proxy_connect_timeout 600;
proxy_read_timeout 600;
proxy_send_timeout 600;
proxy_buffering on;
proxy_buffer_size 8k;
proxy_buffers 8 32k;
proxy_busy_buffers_size 128k;
proxy_temp_file_write_size 128k;
proxy_http_version 1.1;
proxy_set_header Connection "";

}

拦截情况

代码块
languagetext
{"timestamp":1575525013,"request_headers":{"host":"www.caiyang.com.cn","connection":"keep-alive","sec-fetch-site":"none","upgrade-insecure-requests":"1","sec-fetch-mode":"navigate","accept-encoding":"gzip, deflate, br","user-agent":"Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/78.0.3904.108 Safari\/537.36","cookie":"_csrf_token=6eb2dc40f3acb235633184c2dde6bb236c756760; session=eyJfY3NyZl90b2tlbiI6IjZlYjJkYzQwZjNhY2IyMzU2MzMxODRjMmRkZTZiYjIzNmM3NTY3NjAiLCJfZnJlc2giOmZhbHNlLCJfcGVybWFuZW50Ijp0cnVlfQ.Xeiaiw.YO6EAoO4R3CkrKBi5YCmX7Ua1kc","accept-language":"en-US,en;q=0.9,zh-CN;q=0.8,zh;q=0.7","accept":"text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/webp,image\/apng,*\/*;q=0.8,application\/signed-exchange;v=b3","sec-fetch-user":"?1"},"id":"f721035c7cd42b38d9bd","method":"GET","uri":"\/login","client":"192.168.13.43","uri_args":{"..\/..\/.svn":true},"alerts":[{"msg":"Repetitive non-word characters anomaly detected","id":40002,"match":1},{"msg":"Directory traversal (volatile match)","id":40022,"match":3},{"logdata":8,"msg":"Request score greater than score threshold","id":99001,"match":8}]}
{"timestamp":1575525013,"request_headers":{"host":"www.caiyang.com.cn","connection":"keep-alive","sec-fetch-site":"none","upgrade-insecure-requests":"1","sec-fetch-mode":"navigate","accept-encoding":"gzip, deflate, br","user-agent":"Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/78.0.3904.108 Safari\/537.36","cookie":"_csrf_token=6eb2dc40f3acb235633184c2dde6bb236c756760; session=eyJfY3NyZl90b2tlbiI6IjZlYjJkYzQwZjNhY2IyMzU2MzMxODRjMmRkZTZiYjIzNmM3NTY3NjAiLCJfZnJlc2giOmZhbHNlLCJfcGVybWFuZW50Ijp0cnVlfQ.Xeiaiw.YO6EAoO4R3CkrKBi5YCmX7Ua1kc","accept-language":"en-US,en;q=0.9,zh-CN;q=0.8,zh;q=0.7","accept":"text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/webp,image\/apng,*\/*;q=0.8,application\/signed-exchange;v=b3","sec-fetch-user":"?1"},"id":"f721035c7cd42b38d9bd","method":"GET","uri":"\/login","client":"192.168.13.43","uri_args":{"..\/..\/.svn":true},"alerts":[{"msg":"Repetitive non-word characters anomaly detected","id":40002,"match":1},{"msg":"Directory traversal (volatile match)","id":40022,"match":3},{"logdata":8,"msg":"Request score greater than score threshold","id":99001,"match":8}]}


目录