Preparation
The OS used in this walkthrough is CentOS. Install the build dependencies first. The original list had `c++`, which is not a yum package (the C++ compiler package is `gcc-c++`), and zlib is required because nginx's gzip module is built by default and `--with-http_gzip_static_module` / `--with-http_gunzip_module` are enabled below:

```bash
yum install make gcc gcc-c++ wget pcre pcre-devel zlib zlib-devel perl openssl openssl-devel
```

Tengine download page: http://tengine.taobao.org/

```bash
cd /root/
wget http://tengine.taobao.org/download/tengine-2.3.3.tar.gz
tar zxvf tengine-2.3.3.tar.gz
```

LuaJIT download page: http://luajit.org/

```bash
cd /root/
wget https://luajit.org/download/LuaJIT-2.0.5.tar.gz
tar zxvf LuaJIT-2.0.5.tar.gz
```
Building
Enter each source directory and build. Build LuaJIT first, then Tengine, because Tengine's configure step needs the installed LuaJIT headers and library.

Build LuaJIT

LuaJIT compiles PREFIX into the binary (it derives the default module search path from it), so pass the same PREFIX to both `make` and `make install`, not only to the install step:

```bash
cd /root/LuaJIT-2.0.5
make PREFIX=/usr/local/luajit && make install PREFIX=/usr/local/luajit
```

Build Tengine and start it

```bash
cd /root/tengine-2.3.3/
./configure --prefix=/etc/nginx \
  --sbin-path=/usr/sbin/nginx \
  --conf-path=/etc/nginx/nginx.conf \
  --error-log-path=/var/log/nginx/error.log \
  --http-log-path=/var/log/nginx/access.log \
  --pid-path=/var/run/nginx.pid \
  --lock-path=/var/run/nginx.lock \
  --http-client-body-temp-path=/var/cache/nginx/client_temp \
  --http-proxy-temp-path=/var/cache/nginx/proxy_temp \
  --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp \
  --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp \
  --http-scgi-temp-path=/var/cache/nginx/scgi_temp \
  --user=root --group=root \
  --with-openssl-opt=enable-ec_nistp_64_gcc_128 \
  --with-pcre \
  --with-http_ssl_module \
  --with-http_realip_module \
  --with-http_addition_module \
  --with-http_sub_module \
  --with-http_dav_module \
  --with-http_flv_module \
  --with-http_mp4_module \
  --with-http_gunzip_module \
  --with-http_gzip_static_module \
  --with-http_random_index_module \
  --with-http_secure_link_module \
  --with-http_stub_status_module \
  --with-http_auth_request_module \
  --with-threads \
  --with-http_slice_module \
  --with-mail \
  --with-mail_ssl_module \
  --with-file-aio \
  --with-http_v2_module \
  --add-module=./modules/ngx_http_upstream_vnswrr_module \
  --add-module=./modules/ngx_http_proxy_connect_module \
  --with-http_lua_module \
  --with-luajit-lib=/usr/local/luajit/lib/ \
  --with-luajit-inc=/usr/local/luajit/include/luajit-2.0/
make && make install
mkdir -p /var/log/nginx /var/cache/nginx /etc/nginx/conf
nginx
nginx -V
```

Notes on these options:

- `--user=root --group=root` makes the worker processes (the ones that parse requests and run the WAF's Lua code) run as root, so any bug in a module or rule runs with full privileges. Prefer a dedicated unprivileged account: create it with `useradd -r -s /sbin/nologin nginx`, configure with `--user=nginx --group=nginx`, and give that user ownership of the log and cache directories. The master process still starts as root so it can bind port 80.
- `--with-openssl-opt=...` is only honoured when nginx builds OpenSSL itself from a source tree given with `--with-openssl=<path>`. With the system `openssl-devel` as here it has no effect.
- `--with-luajit-inc` must match the LuaJIT version installed: `include/luajit-2.0/` for LuaJIT 2.0.x.
- `--with-http_dav_module` and `--add-module=./modules/ngx_http_proxy_connect_module` only compile the code in; WebDAV methods and CONNECT proxying stay off until enabled in a server block. Leave them out if you do not need them.
- nginx creates the temp directories (`/var/cache/nginx/client_temp` and so on) at start-up but not their parent, so `mkdir -p /var/cache/nginx` avoids a `mkdir() "/var/cache/nginx/client_temp" failed (2: No such file or directory)` error on the first start.
- `nginx` with no arguments starts the server; `nginx -V` prints the version and the configure arguments, which is how you confirm that `--with-http_lua_module` and the LuaJIT paths made it into the binary. If the binary instead fails with `error while loading shared libraries: libluajit-5.1.so.2`, the runtime loader cannot find the LuaJIT library under the custom prefix; register it once with `echo /usr/local/luajit/lib > /etc/ld.so.conf.d/luajit.conf && ldconfig`.
Download the open-source Lua WAF configuration
GitHub project: https://github.com/loveshell/ngx_lua_waf

A GitHub tag tarball unpacks into `<repo>-<version>`, i.e. `ngx_lua_waf-0.7.2`, not `v0.7.2`, and the target directory has to exist before the move:

```bash
cd /root/
wget https://github.com/loveshell/ngx_lua_waf/archive/refs/tags/v0.7.2.tar.gz
tar -zxvf v0.7.2.tar.gz
mkdir -p /etc/nginx/conf/waf
mv ngx_lua_waf-0.7.2/* /etc/nginx/conf/waf/   # adjust the target path to your own layout
```

Edit the rule path and log path in /etc/nginx/conf/waf/config.lua. The shipped defaults are:

```lua
RulePath = "/opt/nginx/conf/waf/wafconf/"
logdir = "/opt/nginx/logs/waf"
```

Change them to the locations used here:

```lua
RulePath = "/etc/nginx/conf/waf/wafconf/"
logdir = "/var/log/nginx/waf"
```

Create the log directory. The attack log is written by the worker processes, so the directory's owner must match the user the workers run as (root:root in the build above; if you built with `--user=nginx`, chown it to nginx instead). World-writable `0777` is not needed and lets any local user tamper with the attack log; `0750` is enough:

```bash
mkdir -p /var/log/nginx/waf
chown root:root /var/log/nginx/waf   # owner must match the nginx worker user
chmod 0750 /var/log/nginx/waf
```
Edit Tengine's nginx.conf to enable the Lua WAF
Add the following inside the http block of nginx.conf:

```nginx
lua_package_path "/etc/nginx/conf/waf/?.lua";
lua_shared_dict limit 10m;
init_by_lua_file /etc/nginx/conf/waf/init.lua;
access_by_lua_file /etc/nginx/conf/waf/waf.lua;
```

`lua_package_path` lets init.lua `require` config.lua from the WAF directory (append `;;` to the value if other Lua code on this server relies on the default search path). `lua_shared_dict limit 10m` is the shared memory zone the WAF's request-rate (CC) check counts in, and because `access_by_lua_file` is set at http level it runs in the access phase of every location in every server block, before any content handler.

Test the configuration and reload nginx:

```bash
nginx -t            # reload only if this reports no errors
nginx -s reload
```
Testing the Lua WAF
Once the steps above have completed without errors, add a virtual host and start testing.

Edit nginx.conf: add the line `include /etc/nginx/sites-enabled/*.conf;` in the http block, then create the directory:

```bash
mkdir -p /etc/nginx/sites-enabled/
```

Write a test file with vi /etc/nginx/sites-enabled/test.conf:

```nginx
server {
    listen 80;
    listen [::]:80;
    server_name domain.com;

    location /hello {
        default_type 'text/plain';
        content_by_lua 'ngx.say("hello")';
    }
}
```

Test and reload nginx:

```bash
nginx -t
nginx -s reload
```

Then request http://IP/hello?id=../etc/passwd and check whether the WAF blocks it. With the default `config_waf_output = "html"` in config.lua, a blocked request gets HTTP 403 and the HTML page configured there. If it is blocked, the setup works; otherwise check the WAF config file and the log files under /var/log/nginx/waf.

One thing to keep in mind when testing by bare IP: `server_name domain.com` only matches requests whose Host header is domain.com, so a request by IP lands on the default server for port 80 (the first one defined unless a block carries `default_server`). The WAF still inspects it, because the directives live in the http block, but `/hello` itself may answer 404 there. Set the Host header explicitly to exercise this vhost, and compare a benign request with the attack:

```bash
curl -i -H 'Host: domain.com' 'http://IP/hello?id=1'                # expect 200 and "hello"
curl -i -H 'Host: domain.com' 'http://IP/hello?id=../etc/passwd'    # expect 403 from the WAF
```
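To check the finished deployment end to end rather than by hand, here is an added example script; it is not part of the original page, of Tengine or of ngx_lua_waf. It assumes `nginx` and `curl` are on PATH, that the caller supplies `WAF_BASE` (scheme and host of the server) and `WAF_HOST` (the vhost's `server_name`) for the live checks, that ngx_lua_waf answers a blocked request with 403 (its default `config_waf_output = "html"` behaviour), and that the attack-log file name and line layout follow the `log()` function in ngx_lua_waf's init.lua. The log lines it summarises when run without a server are constructed samples, not captured traffic.

```bash
#!/bin/sh
# waf_check.sh: post-install checks for the Tengine + ngx_lua_waf setup above.
# Added example, not part of Tengine or ngx_lua_waf. Assumptions: `nginx` and
# `curl` are on PATH; WAF_BASE (e.g. http://127.0.0.1) and WAF_HOST (the vhost's
# server_name) are set by the caller for the live checks; the attack-log line
# layout follows the log() function in ngx_lua_waf's init.lua:
#   <client ip> [<time>] "<method> <server><uri>" "<args>"  "<user-agent>" "<rule>"

# --- 1. build check: does the binary carry the options the WAF needs? --------
# has_flag "<nginx -V output>" "<configure flag>"  -> exit 0 if present
has_flag() {
    printf '%s\n' "$1" | grep -q -- "$2"
}

check_build() {
    v="$(nginx -V 2>&1)"      # nginx -V prints on stderr
    for flag in --with-http_lua_module --with-luajit-lib --with-luajit-inc; do
        has_flag "$v" "$flag" || { echo "FAIL build: $flag not in nginx -V"; return 1; }
    done
    echo "PASS build"
}

# --- 2. HTTP probes: benign request passes, traversal attempts are blocked ----
# http_code <url> -> prints the status code ("000" if the server is unreachable)
http_code() {
    curl -s -o /dev/null -w '%{http_code}' -H "Host: $WAF_HOST" "$1"
}

# expect_code <label> <wanted code> <actual code> -> exit 0 on match
expect_code() {
    if [ "$2" = "$3" ]; then
        echo "PASS $1 ($3)"
    else
        echo "FAIL $1: want $2, got $3"
        return 1
    fi
}

check_http() {
    # 403 is what ngx_lua_waf returns for a blocked request with config_waf_output = "html".
    # The percent-encoded variant must be caught too: nginx decodes query arguments
    # before the WAF's args check sees them.
    expect_code "benign request"          200 "$(http_code "$WAF_BASE/hello?id=1")"
    expect_code "path traversal"          403 "$(http_code "$WAF_BASE/hello?id=../etc/passwd")"
    expect_code "encoded path traversal"  403 "$(http_code "$WAF_BASE/hello?id=..%2fetc%2fpasswd")"
}

# --- 3. attack-log summary: which client tripped which rule, busiest first ----
# waf_log_summary <logfile> -> lines of "<hits> <client ip> <rule>"
waf_log_summary() {
    awk '{
        n = split($0, q, "\"")            # quoted fields; the rule is the last one
        hits[$1 " " q[n-1]]++
    }
    END { for (k in hits) print hits[k], k }' "$1" | sort -rn
}

# Constructed sample log (not real traffic) so the summary can be exercised offline.
sample_waf_log() {
    f="$(mktemp)"
    cat > "$f" <<'EOF'
203.0.113.7 [2024-05-01 10:00:01] "GET domain.com/hello?id=../etc/passwd" "id=../etc/passwd"  "curl/7.76.1" "\.\./"
203.0.113.7 [2024-05-01 10:00:05] "GET domain.com/hello?id=..%2fetc%2fshadow" "id=../etc/shadow"  "curl/7.76.1" "\.\./"
198.51.100.9 [2024-05-01 10:01:00] "GET domain.com/hello?id=1 union select 1 from users" "id=1 union select 1 from users"  "Mozilla/5.0" "select.+(from|limit)"
EOF
    echo "$f"
}

run_live_checks() {
    nginx -t
    check_build
    check_http
    # init.lua names the log <server_name>_<YYYY-MM-DD>_sec.log under logdir
    for f in "${WAF_LOGDIR:-/var/log/nginx/waf}"/*_sec.log; do
        [ -f "$f" ] && { echo "== $f"; waf_log_summary "$f"; }
    done
}

# Live checks only when the caller points at a server, e.g.
#   WAF_BASE=http://127.0.0.1 WAF_HOST=domain.com sh waf_check.sh
# Otherwise run the log summary on the constructed sample.
if [ -n "${WAF_BASE:-}" ]; then
    run_live_checks
else
    waf_log_summary "$(sample_waf_log)"
fi
```

The summary step is the one to reach for when the page's last sentence applies: if the test request was not blocked, an empty or missing `*_sec.log` means the access phase never ran the WAF (directive placement or `lua_package_path`), while a log line with the traversal rule means it did run and the response you saw came from somewhere else, for example a different server block than the one you meant to hit.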