一、说明

操作系统:CentOS 7 (最小化安装)

Kong版本:1.4.2

二、系统配置

1、按系统标准完成操作系统初始化配置。

2、注意关闭 Selinux 配置

3、配置阿里云 更新源(含EPEL),增加 npm 国内配置源

4、配置 pgsql 安装源和 kong 安装源

三、编译升级

下载 OpenResty 的源码包。需要注意 Kong 会严格验证 nginx 的版本,如果出现版本不一致的情况将无法正常启动;如果使用高版本的 nginx 编译,需要调整源文件中的版本号。

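# Build-host preparation and source fetch for the Kong 1.4.2 / OpenResty 1.15.8.2 rebuild.
# These are the commands as typed on the build host (cd/export at top level), not a standalone
# script: each step is meant to be checked by hand before the next one is run.
yum install libtool perl-core gcc gcc-c++ tree git elfutils-devel -y
npm config set registry https://registry.npm.taobao.org
# Kong yum repository definition. The indented baseurl line below appears to be the entry that
# ends up in the downloaded .repo file, shown here for reference rather than run as a command.
wget https://bintray.com/kong/kong-rpm/rpm -O bintray-kong-kong-rpm.repo
  baseurl=https://kong.bintray.com/kong-rpm/centos/7
yum install kong-1.4.2
# Sources: the OpenResty bundle, a newer nginx, and the openresty git tree (for its nginx-1.17.4 patches).
wget https://openresty.org/download/openresty-1.15.8.2.tar.gz
# NOTE(review): plain-HTTP download from a mirror with no checksum or signature check; compare the
# tarball's hash with the value nginx.org publishes before building from it.
wget http://mirrors.sohu.com/nginx/nginx-1.17.4.tar.gz
git clone https://github.com/openresty/openresty
cp /tmp/openresty/patches/nginx-1.17.4*  /root/openresty-1.15.8.2/patches/
# Bundled OpenSSL / PCRE / zlib, configured without a --prefix, so each installs into its tool's
# default prefix rather than the /usr/local/openresty/* paths the configure line further down expects.
/root/openresty-1.15.8.2/bundle/openssl-1.1.1c/Configure linux-x86_64
make && make install
/root/openresty-1.15.8.2/bundle/pcre-8.42/configure
make && make install
/root/openresty-1.15.8.2/bundle/zlib-1.2.11/configure
make && make install
# LuaJIT from the bundle; LUAJIT_INC / LUAJIT_LIB tell OpenResty's configure where it was installed.
cd LuaJIT-2.1-20190507/
make clean
make && make install
export LUAJIT_INC=/usr/local/include/luajit-2.1
export LUAJIT_LIB=/usr/local/lib
# A second copy of the bundle (the first was extracted under /root) plus Kong's OpenResty patches.
# NOTE(review): the patches are taken from the moving master branch, so the build is not reproducible;
# pin a tagged archive for an auditable build.
wget https://openresty.org/download/openresty-1.15.8.2.tar.gz
tar zxvf openresty-1.15.8.2.tar.gz
wget https://github.com/Kong/openresty-patches/archive/master.tar.gz
tar zxvf master.tar.gz
cd openresty-1.15.8.2/bundle
# Apply every Kong patch. The path is quoted, the glob is checked before use (an unmatched glob
# would otherwise be handed to patch literally), and the loop stops at the first failing patch
# instead of continuing with a half-patched tree. `break` rather than `exit`: these lines are
# run in an interactive shell, and exit would end the session.
for i in ../../openresty-patches-master/patches/1.15.8.2/*.patch; do
  if [ ! -e "$i" ]; then
    printf 'no patches matched %s\n' "$i" >&2
    break
  fi
  patch -p1 < "$i" || { printf 'patch failed: %s\n' "$i" >&2; break; }
done
/root/openresty-1.15.8.2/configure
# Pin the version strings nginx reports to what Kong expects (see the nginx.h defines below).
vim /root/openresty-1.15.8.2/bundle/nginx-1.17.4/src/core/nginx.h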


nginx.h

/* Version strings reported by the rebuilt nginx binary.  The sources are nginx 1.17.4, but Kong
 * 1.4.2 refuses to start unless the binary identifies itself as OpenResty 1.15.8.2 (see the note
 * at the top of this page), so the values are pinned to that release.
 * Consequence for defenders: `nginx -v`, the Server header (when server_tokens is on) and any
 * scanner or inventory tool that keys on the version string will report 1.15.8, not the code that
 * is actually running.  Track the real nginx/OpenResty versions and their advisories separately. */
#define nginx_version 1015008
#define NGINX_VERSION "1.15.8"
#define NGINX_VER "openresty/" NGINX_VERSION ".2"

# Configure nginx 1.17.4 (inside the patched OpenResty bundle) with the module set OpenResty ships
# plus lua-kong-nginx-module and naxsi.  Things to know before running it:
#  - --with-cc='ccache gcc ...' needs ccache on PATH; on this page it is only installed later
#    (`yum install luarocks ccache automake`), so install it first or drop it from --with-cc.
#  - --with-debug builds the debug variant: slower, and much noisier in the error log.
#  - --with-stream and --with-stream_ssl_preread_module are passed twice; harmless but redundant.
#  - The -I/-L paths point at /usr/local/openresty/{zlib,pcre,openssl}; the bundled libraries above
#    were built without a --prefix, so those directories must come from somewhere else (the
#    `yum install openresty-pcre-devel ...` line later on this page appears to be what provides them).
./configure --prefix=/usr/local/openresty/nginx \
--with-cc-opt='-O2 -DNGX_LUA_ABORT_AT_PANIC -I/usr/local/openresty/zlib/include -I/usr/local/openresty/pcre/include -I/usr/local/openresty/openssl/include' \
--add-module=../ngx_devel_kit-0.3.1rc1 --add-module=../echo-nginx-module-0.61 --add-module=../xss-nginx-module-0.06 --add-module=../ngx_coolkit-0.2 \
--add-module=../set-misc-nginx-module-0.32 --add-module=../form-input-nginx-module-0.12 --add-module=../encrypted-session-nginx-module-0.08 \
--add-module=../srcache-nginx-module-0.31 --add-module=../ngx_lua-0.10.15 --add-module=../ngx_lua_upstream-0.07 \
--add-module=../headers-more-nginx-module-0.33 --add-module=../array-var-nginx-module-0.05 --add-module=../rds-json-nginx-module \
--add-module=../memc-nginx-module-0.19 --add-module=../redis2-nginx-module-0.15 --add-module=../redis-nginx-module-0.3.7 \
--add-module=../ngx_stream_lua-0.0.7 --add-module=../nginx-upload-module --add-module=../rds-csv-nginx-module-0.09 \
--add-module=../lua-kong-nginx-module --add-module=../naxsi-0.56/naxsi_src \
--with-ld-opt='-Wl,-rpath,/usr/local/openresty/luajit/lib -L/usr/local/openresty/zlib/lib -L/usr/local/openresty/pcre/lib -L/usr/local/openresty/openssl/lib -Wl,-rpath,/usr/local/openresty/zlib/lib:/usr/local/openresty/pcre/lib:/usr/local/openresty/openssl/lib' \
--with-cc='ccache gcc -fdiagnostics-color=always' --with-pcre --with-openssl=../openssl-1.1.1c --with-pcre-jit --with-debug \
--with-stream --with-stream_ssl_module --with-stream_ssl_preread_module --with-http_v2_module --without-mail_pop3_module \
--without-mail_imap_module --without-mail_smtp_module --with-http_stub_status_module --with-http_realip_module \
--with-http_addition_module --with-http_auth_request_module --with-http_secure_link_module --with-http_random_index_module \
--with-http_gzip_static_module --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module \
--with-http_gunzip_module --with-threads --with-stream --with-stream_ssl_preread_module --with-http_ssl_module
make
# Overwrites the nginx binary installed by the Kong RPM.  Keep a copy of the old binary
# (e.g. .../sbin/nginx.rpm) before this step so a failed start can be rolled back.
cp /root/openresty-1.15.8.2/bundle/nginx-1.17.4/objs/nginx /usr/local/openresty/nginx/sbin
# -vv: verbose start.  Kong's nginx version check fails here if nginx.h was not edited as shown above.
kong start -vv

四、加入 Modsecurity 策略支持

REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example  和 RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.example 是自定义白名单文件。

# Build libmodsecurity (ModSecurity v3) from source.  Run from /root/openresty-1.15.8.2/bundle:
# the MODSECURITY_INC / MODSECURITY_LIB exports further down expect the clone there.
# Dependencies first (no -y, so yum prompts).
yum install gcc-c++ flex bison yajl yajl-devel curl-devel curl GeoIP-devel doxygen lmdb-devel ssdeep-devel
git clone https://github.com/SpiderLabs/ModSecurity
cd ModSecurity
# NOTE(review): this tracks the moving head of the v3/master branch, so builds done on different
# days can differ.  For a reproducible, auditable build check out a tagged v3 release instead.
git checkout -b v3/master origin/v3/master
# build.sh generates the autotools files; the git submodules must be fetched before ./configure.
sh build.sh
git submodule init
git submodule update
./configure
make
make install

# Tell the ModSecurity-nginx connector's config script where libmodsecurity's headers and the
# freshly built shared library are (the in-tree build locations, not the installed copy).
export MODSECURITY_INC="/root/openresty-1.15.8.2/bundle/ModSecurity/headers/"
export MODSECURITY_LIB="/root/openresty-1.15.8.2/bundle/ModSecurity/src/.libs/"
# The nginx connector module, and the doxi naxsi rule set (used again in section 4.3).
git clone https://github.com/SpiderLabs/ModSecurity-nginx
git clone https://bitbucket.org/lazy_dogtown/doxi-rules.git
# Same configure as in section 3 with naxsi replaced by ../ModSecurity-nginx; the notes there
# (ccache prerequisite, --with-debug, duplicated --with-stream flags) apply here too.  The ../
# module paths assume this is run from the nginx-1.17.4 source directory inside the bundle.
./configure --prefix=/usr/local/openresty/nginx \
--with-cc-opt='-O2 -DNGX_LUA_ABORT_AT_PANIC -I/usr/local/openresty/zlib/include -I/usr/local/openresty/pcre/include -I/usr/local/openresty/openssl/include' \
--add-module=../ngx_devel_kit-0.3.1rc1 --add-module=../echo-nginx-module-0.61 --add-module=../xss-nginx-module-0.06 \
--add-module=../ngx_coolkit-0.2 --add-module=../set-misc-nginx-module-0.32 --add-module=../form-input-nginx-module-0.12 \
--add-module=../encrypted-session-nginx-module-0.08 --add-module=../srcache-nginx-module-0.31 --add-module=../ngx_lua-0.10.15 \
--add-module=../ngx_lua_upstream-0.07 --add-module=../headers-more-nginx-module-0.33 --add-module=../array-var-nginx-module-0.05 \
--add-module=../rds-json-nginx-module --add-module=../memc-nginx-module-0.19 --add-module=../redis2-nginx-module-0.15 \
--add-module=../redis-nginx-module-0.3.7 --add-module=../ngx_stream_lua-0.0.7 --add-module=../nginx-upload-module --add-module=../rds-csv-nginx-module-0.09 \
--add-module=../lua-kong-nginx-module --add-module=../ModSecurity-nginx \
--with-ld-opt='-Wl,-rpath,/usr/local/openresty/luajit/lib -L/usr/local/openresty/zlib/lib -L/usr/local/openresty/pcre/lib -L/usr/local/openresty/openssl/lib -Wl,-rpath,/usr/local/openresty/zlib/lib:/usr/local/openresty/pcre/lib:/usr/local/openresty/openssl/lib' \
--with-cc='ccache gcc -fdiagnostics-color=always' --with-pcre --with-openssl=../openssl-1.1.1c --with-pcre-jit --with-debug --with-stream \
--with-stream_ssl_module --with-stream_ssl_preread_module --with-http_v2_module --without-mail_pop3_module --without-mail_imap_module \
--without-mail_smtp_module --with-http_stub_status_module --with-http_realip_module --with-http_addition_module --with-http_auth_request_module \
--with-http_secure_link_module --with-http_random_index_module --with-http_gzip_static_module --with-http_sub_module --with-http_dav_module \
--with-http_flv_module --with-http_mp4_module --with-http_gunzip_module --with-threads --with-stream --with-stream_ssl_preread_module \
--with-http_ssl_module
make
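# OWASP Core Rule Set plus the ModSecurity base configuration, laid out under /usr/local/kong/modsec.
# NOTE(review): the CRS is cloned from its default branch, unpinned; check out a release tag so the
# rule set in production is a known version.
git clone https://github.com/SpiderLabs/owasp-modsecurity-crs.git
# Nothing earlier on this page creates the target directory, and cp into a missing directory fails.
mkdir -p /usr/local/kong/modsec
cp ../ModSecurity/modsecurity.conf-recommended /usr/local/kong/modsec/modsecurity.conf
cp ../ModSecurity/unicode.mapping /usr/local/kong/modsec/
cp /root/openresty-1.15.8.2/bundle/owasp-modsecurity-crs/crs-setup.conf.example /usr/local/kong/modsec/crs-setup.conf
cp -R /root/openresty-1.15.8.2/bundle/owasp-modsecurity-crs/rules/ /usr/local/kong/modsec/
# Switch the engine from detection to blocking.  Running in DetectionOnly for a tuning period and
# reviewing the audit log for false positives first avoids blocking legitimate traffic on day one.
sed -i "s/SecRuleEngine DetectionOnly/SecRuleEngine On/" /usr/local/kong/modsec/modsecurity.conf
# Concurrent audit logging writes one file per transaction under SecAuditLogStorageDir and uses
# SecAuditLog as the index — confirm that directory is set and writable by the worker user.
sed -i "s/SecAuditLogType Serial/SecAuditLogType Concurrent/" /usr/local/kong/modsec/modsecurity.conf
# Move the audit log next to Kong's own logs.
sed -i "s|SecAuditLog /var/log/modsec_audit.log|SecAuditLog /usr/local/kong/logs/modsec.log|" /usr/local/kong/modsec/modsecurity.conf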

4.1 修改模版文件,加入安全策略

vim /usr/lib/systemd/system/kong.service
# systemd unit for Kong.  A file under /usr/lib/systemd/system is replaced on package upgrade;
# local edits belong in /etc/systemd/system/kong.service or a drop-in under kong.service.d/.
[Unit]
Description=Kong
# Start after syslog, networking and the local PostgreSQL 11 instance Kong's datastore uses.
After=rsyslog.target network.target postgresql-11.service

[Service]
# NOTE(review): the whole Kong process tree starts as root here.  Root is only needed to bind
# privileged ports; confirm nginx_user in kong.conf drops the workers to an unprivileged account,
# or run the service as a dedicated user with CAP_NET_BIND_SERVICE instead.
User=root
Group=root
# `kong start` daemonises nginx, hence forking.
Type=forking
ExecStart=/usr/local/bin/kong start
ExecReload=/usr/local/bin/kong reload
ExecStop=/usr/local/bin/kong stop

LimitAS=infinity
LimitRSS=infinity
LimitCORE=infinity
# 4096 open files is low for a proxy under load (every client and upstream connection costs one);
# raise it together with worker_connections when tuning.
LimitNOFILE=4096

[Install]
WantedBy=multi-user.target

4.2 修改配置文件,加入策略

4.3 Naxsi 配置

# naxsi rules: the core rule file from the bundled naxsi 0.56 source plus the doxi-rules community
# set.  The same clone already appears in section 4; whichever copy is in the bundle dir is used below.
git clone https://bitbucket.org/lazy_dogtown/doxi-rules.git
mkdir -p /usr/local/kong/naxsi
cp /root/openresty-1.15.8.2/bundle/naxsi-0.56/naxsi_config/naxsi_core.rules /usr/local/kong/naxsi/
# NOTE(review): doxi-rules is an unpinned third-party rule set; review the .rules files before
# loading them, and pin the revision so the rules in production are a known version.
cp /root/openresty-1.15.8.2/bundle/doxi-rules/*.rules /usr/local/kong/naxsi/

4.4 fail2ban 配置

vim /etc/fail2ban/jail.conf

# fail2ban jail for naxsi block events.  Added to jail.conf here; package updates replace that
# file, so jail.local (or a file under jail.d/) is where this belongs long term.
[kong-naxsi]
enabled = true
# NOTE(review): the ban action only covers these ports.  If Kong listens on its own ports rather
# than 80/443, list the ports Kong actually serves on, or the ban has no effect.
port = http,https
# Matches /etc/fail2ban/filter.d/kong-naxsi.conf.
filter = kong-naxsi
logpath = /usr/local/kong/logs/naxsi.log
# Three matching events from one address within findtime trigger a ban.
maxretry = 3

vim /etc/fail2ban/filter.d/kong-naxsi.conf

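# Filter used by the [kong-naxsi] jail: extracts the client address from naxsi's NAXSI_FMT log lines.
[INCLUDES]
before = common.conf
[Definition]
# Each additional pattern must be an indented continuation line; an unindented line is parsed as a
# separate option, and the jail then matches only the first pattern.
# NOTE(review): <HOST> is whatever naxsi logged as ip=.  If Kong sits behind another proxy that is
# the proxy's address and the jail would ban the proxy — confirm naxsi sees the real client IP.
failregex = NAXSI_FMT: ip=<HOST>&server=.*&uri=.*&learning=0
            NAXSI_FMT: ip=<HOST>.*&config=block
# Learning-mode events are informational and must not count toward a ban.
ignoreregex = NAXSI_FMT: ip=<HOST>.*&config=learning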

五、编译故障处理

1、nginx 启动时提示“no file '/usr/local/lib/lua/5.1/rex_pcre.so'”

原因:

加载 lua-resty-waf 插件后提示没有 pcre 动态库文件

解决方法:


# lrexlib-pcre provides rex_pcre.so.  luarocks installs it under /usr/lib64/lua/5.1, which is not
# on the lua_package_cpath used later on this page, so the module is copied into OpenResty's lualib.
luarocks install lrexlib-pcre
cp /usr/lib64/lua/5.1/rex_pcre.so /usr/local/openresty/lualib/



2、编译提示“WARNING: 'aclocal-1.15' is missing on your system.
You should only need it if you modified 'acinclude.m4' or
'configure.ac' or m4 files included by 'configure.ac'.
The 'aclocal' program is part of the GNU Automake package:
<http://www.gnu.org/software/automake>”

原因:

缺乏 aclocal 指令

解决办法:

# Provides aclocal (part of GNU Automake); afterwards re-run autoreconf in the directory that failed.
yum install automake

然后到出错的文件夹执行  autoreconf


g++ ac_lua.cxx -c -fvisibility=hidden -Wall -msse2 -msse3 -msse4.1 -O3 -fPIC -I/usr/include/lua5.1 -MMD -o build_so/ac_lua.o
ac_lua.cxx:11:14: fatal error: lua.h: No such file or directory
#include <lua.h>
^~~~~~~


lua-resty-waf

# Extra inputs for the lua-resty-waf variant of the build: nginx-module-vts, alternative
# pcre/openssl/zlib tarballs and the official OpenResty yum repository.
# NOTE(review): git:// and ftp:// are unauthenticated transports (and GitHub no longer serves
# git://); clone over https:// and check each tarball against the hash its upstream publishes.
git clone git://github.com/vozlt/nginx-module-vts.git
wget ftp://ftp.csx.cam.ac.uk/pub/software/programming/pcre/pcre-8.36.tar.bz2
wget https://mirrors.yangxingzhen.com/pcre/pcre-8.39.tar.gz
# NOTE(review): the OpenSSL 1.1.0 series is past end-of-life; the bundle's openssl-1.1.1c used in
# section 3 is the supported line.
wget https://www.openssl.org/source/old/1.1.0/openssl-1.1.0j.tar.gz
wget https://www.zlib.net/zlib-1.2.11.tar.gz
wget https://openresty.org/package/centos/openresty.repo
# OpenResty's packaged pcre/openssl/zlib, which supply the /usr/local/openresty/{pcre,openssl,zlib}
# include and library paths used by --with-cc-opt / --with-ld-opt below.
yum install openresty-pcre-devel openresty-openssl-devel openresty-zlib-devel openresty-debug
# Third configure on this page: adds nginx-module-vts and builds PCRE from the bundle's 8.42 copy
# (not the 8.36/8.39 tarballs fetched above).  naxsi, ModSecurity-nginx, the rds/upload modules and
# lua-kong-nginx-module are absent here — verify Kong 1.4.2 starts without lua-kong-nginx-module.
./configure --prefix=/usr/local/openresty/nginx --with-cc-opt='-O2 -DNGX_LUA_ABORT_AT_PANIC -I/usr/local/openresty/zlib/include -I/usr/local/openresty/pcre/include -I/usr/local/openresty/openssl/include' \
--add-module=../ngx_devel_kit-0.3.1rc1 --add-module=../echo-nginx-module-0.61 --add-module=../xss-nginx-module-0.06 --add-module=../ngx_coolkit-0.2 \
--add-module=../nginx-module-vts --add-module=../set-misc-nginx-module-0.32 --add-module=../form-input-nginx-module-0.12 --add-module=../encrypted-session-nginx-module-0.08 \
--add-module=../srcache-nginx-module-0.31 --add-module=../ngx_lua-0.10.15 --add-module=../ngx_lua_upstream-0.07 --add-module=../headers-more-nginx-module-0.33 --add-module=../array-var-nginx-module-0.05 \
--add-module=../memc-nginx-module-0.19 --add-module=../redis2-nginx-module-0.15 --add-module=../redis-nginx-module-0.3.7 --add-module=../ngx_stream_lua-0.0.7 \
--with-ld-opt='-Wl,-rpath,/usr/local/openresty/luajit/lib -L/usr/local/openresty/zlib/lib -L/usr/local/openresty/pcre/lib -L/usr/local/openresty/openssl/lib \
-Wl,-rpath,/usr/local/openresty/zlib/lib:/usr/local/openresty/pcre/lib:/usr/local/openresty/openssl/lib' --with-cc='ccache gcc -fdiagnostics-color=always' --with-pcre=../pcre-8.42 \
--with-pcre-jit --with-debug --with-stream --with-stream_ssl_module --with-stream_ssl_preread_module --with-http_v2_module --without-mail_pop3_module --without-mail_imap_module \
--without-mail_smtp_module --with-http_stub_status_module --with-http_realip_module --with-http_addition_module --with-http_auth_request_module --with-http_secure_link_module \
--with-http_random_index_module --with-http_gzip_static_module --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module \
--with-threads --with-stream --with-stream_ssl_preread_module --with-http_ssl_module
# ccache is a prerequisite of every --with-cc='ccache gcc ...' configure line on this page; it
# needs to be installed before those are run.
yum install luarocks ccache automake 
luarocks install lua-resty-waf lrexlib-pcre
# Perl modules, presumably for the modsec2lua-resty-waf.pl converter used next.
yum install perl-JSON perl-Clone perl-List perl-List-MoreUtils perl-Try-Tiny perl-Exporter-Declare
# Convert one ModSecurity rule into lua-resty-waf's JSON rule format.  This rule is an allow-list
# entry: ModSecurity's `allow` action stops further rule processing for the matching URI, so keep
# such rules as narrow as possible.
echo "SecRule REQUEST_URI /XinXiBu/WebResource.axd \"id:11008, phase:1,log,allow,msg:'WhiteList-Different URL Accessed'\"" \
| ./luarocks_lua-resty-waf-0.11.1-1-8143/lua-resty-waf/tools/modsec2lua-resty-waf.pl

nginx.conf 的 http 配置区域增加以下内容

# Lua search paths: OpenResty's site lualib (where luarocks put lua-resty-waf and its rule JSON)
# first, then the core lualib (where rex_pcre.so was copied in section 5).
lua_package_path '/usr/local/openresty/site/lualib/?.lua;/usr/local/openresty/lualib/?.lua;;';
lua_package_cpath '/usr/local/openresty/site/lualib/?.so;/usr/local/openresty/lualib/?.so;;';

# Load the lua-resty-waf rule sets once at configuration load, in the master process, so every
# worker inherits the parsed rules instead of re-reading the JSON files.
init_by_lua_block {
    local lua_resty_waf = require "resty.waf"
    -- The four rule sets used by this deployment; a load failure is caught by pcall and logged
    -- rather than aborting nginx startup.
    local ok, errs = pcall(function()
    lua_resty_waf.load_secrules("/usr/local/openresty/site/lualib/rules/21000_http_anomaly.json")
    lua_resty_waf.load_secrules("/usr/local/openresty/site/lualib/rules/35000_user_agent.json")
    lua_resty_waf.load_secrules("/usr/local/openresty/site/lualib/rules/40000_generic_attack.json")
    lua_resty_waf.load_secrules("/usr/local/openresty/site/lualib/rules/41000_sqli.json")
    end)
    -- NOTE(review): errs is whatever load_secrules raised; this loop treats it as a list of messages.
    -- If the library raises a plain string instead, errs[i] is nil and only "nil" gets logged —
    -- confirm against the lua-resty-waf version in use.
    if errs then
        for i = 1, #errs do
        ngx.log(ngx.ERR, errs[i])
    end
end
}

include vhost/*.conf;

具体配置文件增加以下内容

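# WAF-protected location.  lua-resty-waf needs four phase handlers: the access phase evaluates the
# request rules (this is where a request gets blocked), the header and body filter phases inspect
# the response, and the log phase flushes the event log.  The directives at the end are the normal
# reverse-proxy settings for the caiyang-cn upstream (defined elsewhere).
location / {

    access_by_lua_block {
        local lua_resty_waf = require "resty.waf"
        local waf = lua_resty_waf:new()
        waf:set_option("event_log_request_body", true)
        waf:set_option("event_log_request_headers", true)
        -- debug / debug_log_level make the error log very verbose and copy request data into it;
        -- turn them off once the rule set is tuned.
        waf:set_option("debug", true)
        -- ACTIVE: matching requests are blocked, not only logged.
        waf:set_option("mode", "ACTIVE")
        waf:set_option("debug_log_level", ngx.DEBUG)
        waf:set_option("info", "true")
        waf:set_option("event_log_request_arguments", true)
        waf:set_option("event_log_target", "file")
        -- One event log per virtual host and day.  The name is built from $server_name (the configured
        -- name of this server block) rather than the client-supplied Host header, so a request cannot
        -- pick the file name or create an unbounded number of files under /var/log/waf.  If this server
        -- block uses a wildcard server_name, substitute a fixed name here instead.
        waf:set_option("event_log_target_path", "/var/log/waf/" .. ngx.var.server_name .. "_" .. ngx.today() .. ".log")
        waf:set_option("process_multipart_body", true)
        waf:set_option("res_body_max_size", 1024 * 1024 * 2)
        -- Without exec() the options above are set but no rule is evaluated in the access phase,
        -- and nothing is ever blocked.
        waf:exec()
    }

###############################################
# lua resty waf usage
###############################################

    header_filter_by_lua_block {
        local lua_resty_waf = require "resty.waf"
        local waf = lua_resty_waf:new()
        waf:exec()
    }

    body_filter_by_lua_block {
        local lua_resty_waf = require "resty.waf"
        local waf = lua_resty_waf:new()
        waf:exec()
    }

    log_by_lua_block {
        local lua_resty_waf = require "resty.waf"
        local waf = lua_resty_waf:new()
        waf:exec()
        -- Flush the events collected during this request to event_log_target_path.
        waf:write_log_events()
    }

    # Static-content defaults; every request in this location is proxied below, so these appear to be
    # left over and only matter if proxy_pass is removed.
    root html;
    index index.html index.htm;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    # $proxy_add_x_forwarded_for appends the client address to any X-Forwarded-For the client sent;
    # the upstream must trust only the last (right-most) entry, the rest is client-controlled.
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_pass http://caiyang-cn;
    # Ten-minute timeouts in every direction; long-lived slow requests hold a worker connection that long.
    proxy_connect_timeout 600;
    proxy_read_timeout 600;
    proxy_send_timeout 600;
    proxy_buffering on;
    proxy_buffer_size 8k;
    proxy_buffers 8 32k;
    proxy_busy_buffers_size 128k;
    proxy_temp_file_write_size 128k;
    # HTTP/1.1 with an empty Connection header enables upstream keepalive (when the upstream block
    # declares keepalive connections).
    proxy_http_version 1.1;
    proxy_set_header Connection "";

}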

拦截情况

{"timestamp":1575525013,"request_headers":{"host":"www.caiyang.com.cn","connection":"keep-alive","sec-fetch-site":"none","upgrade-insecure-requests":"1","sec-fetch-mode":"navigate","accept-encoding":"gzip, deflate, br","user-agent":"Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/78.0.3904.108 Safari\/537.36","cookie":"_csrf_token=6eb2dc40f3acb235633184c2dde6bb236c756760; session=eyJfY3NyZl90b2tlbiI6IjZlYjJkYzQwZjNhY2IyMzU2MzMxODRjMmRkZTZiYjIzNmM3NTY3NjAiLCJfZnJlc2giOmZhbHNlLCJfcGVybWFuZW50Ijp0cnVlfQ.Xeiaiw.YO6EAoO4R3CkrKBi5YCmX7Ua1kc","accept-language":"en-US,en;q=0.9,zh-CN;q=0.8,zh;q=0.7","accept":"text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/webp,image\/apng,*\/*;q=0.8,application\/signed-exchange;v=b3","sec-fetch-user":"?1"},"id":"f721035c7cd42b38d9bd","method":"GET","uri":"\/login","client":"192.168.13.43","uri_args":{"..\/..\/.svn":true},"alerts":[{"msg":"Repetitive non-word characters anomaly detected","id":40002,"match":1},{"msg":"Directory traversal (volatile match)","id":40022,"match":3},{"logdata":8,"msg":"Request score greater than score threshold","id":99001,"match":8}]}
{"timestamp":1575525013,"request_headers":{"host":"www.caiyang.com.cn","connection":"keep-alive","sec-fetch-site":"none","upgrade-insecure-requests":"1","sec-fetch-mode":"navigate","accept-encoding":"gzip, deflate, br","user-agent":"Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/78.0.3904.108 Safari\/537.36","cookie":"_csrf_token=6eb2dc40f3acb235633184c2dde6bb236c756760; session=eyJfY3NyZl90b2tlbiI6IjZlYjJkYzQwZjNhY2IyMzU2MzMxODRjMmRkZTZiYjIzNmM3NTY3NjAiLCJfZnJlc2giOmZhbHNlLCJfcGVybWFuZW50Ijp0cnVlfQ.Xeiaiw.YO6EAoO4R3CkrKBi5YCmX7Ua1kc","accept-language":"en-US,en;q=0.9,zh-CN;q=0.8,zh;q=0.7","accept":"text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/webp,image\/apng,*\/*;q=0.8,application\/signed-exchange;v=b3","sec-fetch-user":"?1"},"id":"f721035c7cd42b38d9bd","method":"GET","uri":"\/login","client":"192.168.13.43","uri_args":{"..\/..\/.svn":true},"alerts":[{"msg":"Repetitive non-word characters anomaly detected","id":40002,"match":1},{"msg":"Directory traversal (volatile match)","id":40022,"match":3},{"logdata":8,"msg":"Request score greater than score threshold","id":99001,"match":8}]}
