编译 Nginx
#######################################
# Build nginx from source with pcre, zlib and openssl (transcript: lines
# starting with "$ " are commands, unprefixed lines are their output).
#######################################
# NOTE(review): every tarball below is fetched over ftp:// or http:// and
# installed with sudo without any checksum or signature check; verify the
# archives against the upstream-published digests/signatures first.
# NOTE(review): the pinned versions (pcre 8.41, zlib 1.2.11, openssl 1.0.2l,
# nginx 1.13.3 / 1.12.1) are those current when the post was written; use
# supported releases when reproducing this.
# NOTE(review): each source tree is assumed to be unpacked into the same
# parent directory (the nginx configure below uses ../pcre-8.41); the
# "cd .." between the individual builds is not shown in the transcript.
# pcre regex library
$ wget ftp://ftp.csx.cam.ac.uk/pub/software/programming/pcre/pcre-8.41.tar.gz
$ tar -zxf pcre-*.tar.gz
$ cd pcre-*
$ ./configure
$ make && sudo make install
# zlib gzip library
$ wget http://zlib.net/zlib-1.2.11.tar.gz
$ tar -zxf zlib-1.2.11.tar.gz
$ cd zlib-1.2.11
$ ./configure
$ make && sudo make install
# openssl (https library). Note: the upstream example was built on macOS;
# if this step fails, look up OpenSSL build instructions for your platform.
# NOTE(review): the 1.0.2 series is end-of-life; build a supported branch.
$ wget https://www.openssl.org/source/openssl-1.0.2l.tar.gz
$ tar -zxf openssl-*.tar.gz
$ cd openssl-*
$ ./config --prefix=/usr/local/openssl/
$ make && sudo make install
# NOTE(review): the nginx configure below passes --with-pcre and --with-zlib
# (nginx then compiles those trees itself) but no --with-openssl, so it
# appears to link against the system OpenSSL rather than the copy just
# installed under /usr/local/openssl/ — confirm which one you intend.
# Pick one: mainline or stable
# mainline
$ wget http://nginx.org/download/nginx-1.13.3.tar.gz
# stable
$ wget http://nginx.org/download/nginx-1.12.1.tar.gz
$ tar zxf nginx-*.tar.gz
$ cd nginx-*
$ ./configure --prefix=/etc/nginx \
  --sbin-path=/usr/sbin/nginx \
  --modules-path=/usr/lib/nginx/modules \
  --conf-path=/etc/nginx/nginx.conf \
  --error-log-path=/var/log/nginx/error.log \
  --http-log-path=/var/log/nginx/access.log \
  --pid-path=/var/run/nginx.pid \
  --lock-path=/var/run/nginx.lock \
  --with-http_gunzip_module \
  --with-http_gzip_static_module \
  --with-http_addition_module \
  --with-http_auth_request_module \
  --with-http_realip_module \
  --with-http_slice_module \
  --with-http_stub_status_module \
  --with-http_sub_module \
  --with-compat \
  --with-file-aio \
  --with-threads \
  --with-stream \
  --with-stream_realip_module \
  --with-stream_ssl_module \
  --with-stream_ssl_preread_module \
  --with-http_v2_module \
  --with-http_ssl_module \
  --with-pcre=../pcre-8.41 \
  --with-zlib=../zlib-1.2.11 \
  --without-http_autoindex_module \
  --without-http_fastcgi_module \
  --without-http_uwsgi_module \
  --without-http_scgi_module \
  --without-http_memcached_module \
  --without-http_empty_gif_module
$ make && sudo make install
# Starting from the official standard configure arguments, unused modules
# were removed and pcre/zlib were added.
# temp file paths
#--http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp \
#--http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp \
#--http-scgi-temp-path=/var/cache/nginx/scgi_temp \
#--http-client-body-temp-path=/var/cache/nginx/client_temp \
#--http-proxy-temp-path=/var/cache/nginx/proxy_temp \
# dav / media
#--with-http_dav_module \
#--with-http_flv_module \
#--with-http_mp4_module \
# random index, secure link
#--with-http_random_index_module \
#--with-http_secure_link_module \
# mail
#--with-mail \
#--with-mail_ssl_module \
# gcc flags
# NOTE(review): these are the usual compiler/linker hardening flags (stack
# protector, FORTIFY_SOURCE, format-security, RELRO + BIND_NOW, PIE). The
# configure above leaves them out, which drops standard exploit mitigations
# on an internet-facing daemon — enable them unless there is a reason not to.
#--with-cc-opt='-g -O2 -fstack-protector-strong -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fPIC' \
#--with-ld-opt='-Wl,-Bsymbolic-functions -Wl,-z,relro -Wl,-z,now -Wl,--as-needed -pie'
# user / group
# NOTE(review): also left out of the configure above; without them the
# workers run as nginx's built-in default account — a dedicated
# unprivileged user is preferable.
#--user=nginx
#--group=nginx
# if --user/--group are set, create the account with:
#$ sudo adduser --system --no-create-home --shell /bin/false --group --disabled-login nginx
# if https is not needed, the ssl and http2 modules can be disabled too
# disable unused modules to reduce attack surface
#--without-http_autoindex_module \
#--without-http_fastcgi_module \
#--without-http_uwsgi_module \
#--without-http_scgi_module \
#--without-http_memcached_module \
#--without-http_empty_gif_module
$ nginx -t && nginx
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
openresty 编译参数
#######################################
# Build OpenResty from source (transcript: lines starting with "$ " are
# commands).
#######################################
$ sudo apt-get install -y libreadline-dev libncurses5-dev libpcre3-dev libssl-dev perl make build-essential dos2unix mercurial
# NOTE(review): the tarball is fetched and unpacked without a checksum or
# signature check; verify it against the upstream-published digest first.
$ wget https://openresty.org/download/openresty-1.11.2.4.tar.gz
$ tar zxf openresty-1.11.2.4.tar.gz
# or clone from github and build yourself
# git clone https://github.com/openresty/openresty
# cd openresty
# make -j4
$ cd openresty-*
# list all configure options
$ ./configure --help
# configure
# NOTE(review): the -I/-L paths under /usr/local/openresty/{zlib,pcre,openssl}
# are not created by any step on this page (apt installs the system copies
# above); presumably they come from an earlier manual build — confirm, or
# drop them and build against the system libraries.
# NOTE(review): --with-cc-opt/--with-ld-opt carry optimisation and search
# paths only, no hardening flags; consider adding -fstack-protector-strong,
# -Wp,-D_FORTIFY_SOURCE=2, -Wl,-z,relro -Wl,-z,now (the same set the nginx
# section of this post lists but leaves commented out).
# NOTE(review): --user/--group=nginx require the account to exist before the
# server starts; the adduser command appears only as a comment in the nginx
# section above.
./configure --prefix=/etc/openresty \
  --user=nginx \
  --group=nginx \
  --with-cc-opt='-O2 -I/usr/local/openresty/zlib/include -I/usr/local/openresty/pcre/include -I/usr/local/openresty/openssl/include' \
  --with-ld-opt='-Wl,-rpath,/usr/local/openresty/luajit/lib -L/usr/local/openresty/zlib/lib -L/usr/local/openresty/pcre/lib -L/usr/local/openresty/openssl/lib -Wl,-rpath,/usr/local/openresty/zlib/lib:/usr/local/openresty/pcre/lib:/usr/local/openresty/openssl/lib' \
  --with-pcre-jit \
  --with-dtrace-probes \
  --with-pcre-opt=-g \
  --with-stream \
  --with-stream_ssl_module \
  --with-http_v2_module \
  --with-http_stub_status_module \
  --with-http_realip_module \
  --with-http_gzip_static_module \
  --with-http_sub_module \
  --with-http_gunzip_module \
  --with-threads \
  --with-file-aio \
  --with-http_ssl_module \
  --with-http_auth_request_module \
  --without-mail_pop3_module \
  --without-mail_imap_module \
  --without-mail_smtp_module \
  --without-http_fastcgi_module \
  --without-http_uwsgi_module \
  --without-http_scgi_module \
  --without-http_autoindex_module \
  --without-http_memcached_module \
  --without-http_empty_gif_module \
  --without-http_ssi_module \
  --without-http_userid_module \
  --without-http_browser_module \
  --without-http_rds_json_module \
  --without-http_rds_csv_module \
  --without-http_memc_module \
  --without-http_redis2_module \
  --without-lua_resty_memcached \
  --without-lua_resty_mysql \
  -j4
# disable memcached module
#--without-http_memc_module \
# disable redis module (keep redis2)
#--without-http_redis_module \
# disable mail modules
#--without-mail_pop3_module \
#--without-mail_imap_module \
#--without-mail_smtp_module \
# disable rds modules
#--without-http_rds_json_module \
#--without-http_rds_csv_module \
# disable cgi
#--without-http_fastcgi_module \
#--without-http_uwsgi_module \
#--without-http_scgi_module \
#--without-http_autoindex_module \
#--without-http_memcached_module \
#--without-http_empty_gif_module \
$ make -j4 && sudo make install
# make sure port 80 is free
$ lsof -i:80
# NOTE(review): the binary path below (/opt/openresty/nginx/nginx/sbin/nginx)
# does not match --prefix=/etc/openresty above; one of the two is presumably
# from a different run — confirm the installed path before starting.
$ /opt/openresty/nginx/nginx/sbin/nginx -t && /opt/openresty/nginx/nginx/sbin/nginx
$ curl localhost
Modsecurity 配置
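#######################################
# Build libmodsecurity (v3) and wire the OWASP CRS into the OpenResty build
# from the previous section (transcript: lines starting with "$ " are
# commands; indented blocks under "file content" are files to edit).
#######################################
# NOTE(review): ModSecurity, ModSecurity-nginx and the CRS are all cloned
# from a moving branch (v3/master, master) with no pinned tag or commit, so
# the build is not reproducible and picks up whatever is at HEAD; pin a
# release tag and verify it when reproducing this.
$ git clone -b v3/master --single-branch https://github.com/SpiderLabs/ModSecurity.git --depth=1
$ cd ModSecurity/
$ git checkout -b v3/master origin/v3/master
$ sh build.sh
$ git submodule init
$ git submodule update
#[for bindings/python, others/libinjection, test/test-cases/secrules-language-tests]
$ ./configure
$ make
$ sudo make install
# Use the ModSecurity-nginx connector rather than the standalone build that
# circulates online; see https://github.com/SpiderLabs/ModSecurity-nginx
# NOTE(review): these two paths are specific to the author's checkout
# (/home/anjia/...); point them at your own ModSecurity source tree.
$ export MODSECURITY_INC="/home/anjia/openresty/ModSecurity/headers"
$ export MODSECURITY_LIB="/home/anjia/openresty/ModSecurity/src/.libs"
$ git clone https://github.com/SpiderLabs/ModSecurity-nginx --depth=1
# NOTE(review): the step that compiles the connector into OpenResty
# (re-running its ./configure with --add-module pointing at the
# ModSecurity-nginx checkout, then make / make install) is not shown on this
# page, nor are the modsecurity on / modsecurity_rules_file directives for
# the server block; the 403 self-test at the end presumes both were done.
$ git clone https://github.com/SpiderLabs/owasp-modsecurity-crs.git --depth=1
$ sudo cp -R owasp-modsecurity-crs/rules /opt/openresty/nginx/nginx/conf
# FIX: the conf dir is written with sudo on the surrounding lines; the
# original omitted it here and the copy would fail with permission denied.
$ sudo cp owasp-modsecurity-crs/crs-setup.conf.example /opt/openresty/nginx/nginx/conf/crs-setup.conf
# FIX: the second URL was broken in the original ("h ttps://").
$ sudo wget -P /opt/openresty/nginx/nginx/conf https://raw.githubusercontent.com/SpiderLabs/ModSecurity/master/modsecurity.conf-recommended https://raw.githubusercontent.com/SpiderLabs/ModSecurity/master/unicode.mapping
$ sudo mv /opt/openresty/nginx/nginx/conf/modsecurity.conf-recommended /opt/openresty/nginx/nginx/conf/modsecurity.conf
$ sudo mkdir /opt/openresty/nginx/nginx/conf/sites-enabled
# run the workers as www-data
$ sudo sed -i '1s/^/user www-data;\n/' /opt/openresty/nginx/nginx/conf/nginx.conf
$ sudo vim /opt/openresty/nginx/nginx/conf/nginx.conf
# Delete lines 36-116, i.e. the server{} block: with an English input method
# type :36,166d and then :wq. (The post gives 116 in one place and 166 in the
# other, and 35 in the sed below — check the range against your own file
# before deleting.)
# If the line numbers are confirmed, this works too:
#   sudo sed '35,116d' -i /opt/openresty/nginx/nginx/conf/nginx.conf
$ sudo sed '$i include /opt/openresty/nginx/nginx/conf/sites-enabled/*; ' -i /opt/openresty/nginx/nginx/conf/nginx.conf
# To save the effort, this minimal nginx.conf can be used instead
# (file content, not shell):
#   user www-data;
#   worker_processes 1;
#   events {
#       worker_connections 1024;
#   }
#   http {
#       include mime.types;
#       default_type application/octet-stream;
#       sendfile on;
#       keepalive_timeout 65;
#       include /opt/openresty/nginx/nginx/conf/sites-enabled/*;
#   }
# FIX: the file was fetched with sudo above, so editing it needs sudo too.
$ sudo vi /opt/openresty/nginx/nginx/conf/modsecurity.conf
# Append to modsecurity.conf (file content, not shell):
#   #Load OWASP Config
#   Include crs-setup.conf
#   #Load all other Rules
#   Include rules/*.conf
#   #Disable rule by ID from error message
#   #SecRuleRemoveById 920350
# NOTE(review): this flips the engine straight from DetectionOnly to
# blocking; run in DetectionOnly against real traffic first and review the
# audit log for false positives before switching to On.
$ sudo sed s/"SecRuleEngine DetectionOnly"/"SecRuleEngine On"/g -i /opt/openresty/nginx/nginx/conf/modsecurity.conf
$ sudo /opt/openresty/nginx/nginx/sbin/nginx -t && sudo /opt/openresty/nginx/nginx/sbin/nginx -s reload
# Self-test against localhost: the CRS should block the probe below.
$ curl "http://localhost/wp-admin/admin.php?where1=%3Cscript%3Ealert(String.fromCharCode(88,+83,+83))%3C/script%3E&searchsubmit=Buscar&page=nsp_search"
# returns 403 Forbidden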
服务文件
#######################################
# Service file (transcript: lines starting with "$ " are commands).
# NOTE(review): the /etc/init.d/openresty script itself is not shown on this
# page; only the permission change and the optional mask/unmask are.
#######################################
# NOTE(review): /etc/init.d is normally root-owned, so this chmod likely
# needs sudo like the other system-path commands in this post — confirm.
$ chmod +x /etc/init.d/openresty
# mask the unit to keep it from being started; unmask to undo
#$ systemctl mask openresty
#$ systemctl unmask openresty