Preparation


Using CentOS as the example OS, install the build dependencies. The C++ compiler package is gcc-c++ (there is no yum package named c++), and zlib-devel is required by the gzip modules enabled in the configure line below:

yum install make gcc gcc-c++ wget pcre pcre-devel perl openssl openssl-devel zlib zlib-devel

Tengine download page: http://tengine.taobao.org/

cd /root/
wget http://tengine.taobao.org/download/tengine-2.3.3.tar.gz
tar zxvf tengine-2.3.3.tar.gz

LuaJIT download page: http://luajit.org/

cd /root/
wget https://luajit.org/download/LuaJIT-2.0.5.tar.gz
tar zxvf LuaJIT-2.0.5.tar.gz

Compiling


  1. Enter each source directory and build it: LuaJIT first, then Tengine

    Build LuaJIT
    cd /root/LuaJIT-2.0.5
    # PREFIX must be passed to both make and make install; LuaJIT bakes its module search paths in at build time
    make PREFIX=/usr/local/luajit && make install PREFIX=/usr/local/luajit
    Build Tengine and start it
    cd /root/tengine-2.3.3/
    ./configure --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=root --group=root --with-openssl-opt=enable-ec_nistp_64_gcc_128 --with-pcre --with-http_ssl_module --with-http_realip_module --with-http_addition_module --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_random_index_module --with-http_secure_link_module --with-http_stub_status_module --with-http_auth_request_module --with-threads --with-http_slice_module --with-mail --with-mail_ssl_module --with-file-aio --with-http_v2_module --add-module=./modules/ngx_http_upstream_vnswrr_module --add-module=./modules/ngx_http_proxy_connect_module --with-http_lua_module --with-luajit-lib=/usr/local/luajit/lib/ --with-luajit-inc=/usr/local/luajit/include/luajit-2.0/
    make && make install
    # the error-log directory must exist before the first start
    mkdir -p /var/log/nginx
    mkdir -p /etc/nginx/conf
    nginx
    nginx -V

    Three notes on the configure line. --user=root --group=root makes the worker processes run as root, so a bug in any module or in a WAF Lua script executes with full privileges; prefer an unprivileged account (useradd -r -s /sbin/nologin nginx, then --user=nginx --group=nginx, or a "user nginx;" directive in nginx.conf) and give that account write access to the log and cache directories. --with-openssl-opt only takes effect when OpenSSL itself is built from source with --with-openssl=<path>; against the system openssl-devel it is ignored. If nginx refuses to start because libluajit-5.1.so.2 cannot be found, tell the dynamic loader where it lives: echo /usr/local/luajit/lib > /etc/ld.so.conf.d/luajit.conf && ldconfig.
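Once nginx -V prints the build, it is worth checking mechanically that the binary carries the modules the WAF depends on and which user its workers will run as. The script below is an added example, not part of Tengine or nginx: it parses the "configure arguments:" line that nginx -V prints, treats nobody as the worker user when --user is absent (nginx's configure default, unless nginx.conf overrides it with a user directive), and reports the LuaJIT library the binary actually links. The required_flags list and the sample configure line are constructed here for illustration.

```shell
#!/bin/sh
# Added post-build check for the Tengine binary built above; not part of
# Tengine. Reads the configure line reported by `nginx -V`, confirms the
# options the ngx_lua_waf setup relies on are present, and flags a build
# whose worker processes would run as root.

# Flags without which the WAF cannot load (lua) or terminate TLS (ssl).
# Constructed list; extend it with whatever your deployment needs.
required_flags="--with-http_lua_module --with-http_ssl_module"

# check_configure_args "<configure arguments>" -> 0 if every required flag
# is present; otherwise prints the missing flags and returns 1.
check_configure_args() {
    missing=0
    for flag in $required_flags; do
        case " $1 " in
            *" $flag "*) ;;
            *) echo "missing: $flag"; missing=1 ;;
        esac
    done
    return "$missing"
}

# worker_user "<configure arguments>" -> the user workers run as unless
# nginx.conf overrides it. nginx's configure defaults to nobody when no
# --user= is given.
worker_user() {
    case " $1 " in
        *" --user="*) printf '%s\n' "$1" | sed 's/.*--user=\([^ ]*\).*/\1/' ;;
        *) echo nobody ;;
    esac
}

# audit_nginx_build -> runs both checks against the installed binary and
# prints which LuaJIT shared library it links (nginx -V writes to stderr).
audit_nginx_build() {
    command -v nginx >/dev/null || { echo "nginx not on PATH"; return 2; }
    configure_line=$(nginx -V 2>&1 | sed -n 's/^configure arguments: //p')
    check_configure_args "$configure_line" || return 1
    user=$(worker_user "$configure_line")
    if [ "$user" = root ]; then
        echo "WARNING: workers run as root; use --user=nginx --group=nginx or 'user nginx;' in nginx.conf"
    fi
    echo "worker user: $user"
    ldd "$(command -v nginx)" | grep -i luajit || echo "no LuaJIT library linked"
}

# Constructed sample: an abbreviated form of this page's configure line, so
# the checks can be exercised on a host with no Tengine binary.
sample_args='--prefix=/etc/nginx --user=root --group=root --with-http_ssl_module --with-http_lua_module --with-luajit-lib=/usr/local/luajit/lib/'

check_configure_args "$sample_args" && echo "sample: required flags present"
echo "sample worker user: $(worker_user "$sample_args")"
```

Run audit_nginx_build on the build host after make install; the WARNING line is what the configure line on this page produces.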

Download the open-source Lua WAF configuration

  1. GitHub open-source project: https://github.com/loveshell/ngx_lua_waf

    wget https://github.com/loveshell/ngx_lua_waf/archive/refs/tags/v0.7.2.tar.gz
    tar -zxvf v0.7.2.tar.gz
    # the GitHub tag archive unpacks into ngx_lua_waf-0.7.2/, not v0.7.2/, and the target directory must exist before mv
    mkdir -p /etc/nginx/conf/waf
    mv ngx_lua_waf-0.7.2/* /etc/nginx/conf/waf/
    # adjust the target path to your own layout
  2. Edit the rule path and log path in /etc/nginx/conf/waf/config.lua
    Replace the paths the file ships with
    RulePath = "/opt/nginx/conf/waf/wafconf/"
    logdir = "/opt/nginx/logs/waf"
    with the locations you chose
    RulePath = "/etc/nginx/conf/waf/wafconf/"
    logdir = "/var/log/nginx/waf"
    Create the log directory

    mkdir -p /var/log/nginx/waf
    chown root:root /var/log/nginx/waf
    chmod 0750 /var/log/nginx/waf
    # the owner must be the user the worker processes run as (root here, matching --user=root above); a world-writable 0777 is not needed and would let any local user read or tamper with the WAF log
  3. Edit Tengine's nginx.conf so the Lua WAF takes effect

    Add to the http block of nginx.conf
    lua_package_path "/etc/nginx/conf/waf/?.lua;;";
    lua_shared_dict limit 10m;
    init_by_lua_file  /etc/nginx/conf/waf/init.lua;
    access_by_lua_file /etc/nginx/conf/waf/waf.lua;
    # the trailing ";;" keeps ngx_lua's default search path next to the WAF directory; "limit" is the shared dictionary the WAF's request-rate (CC) protection counts in
    # because access_by_lua_file is set at http level, every server block inherits the WAF
  4. Test the configuration and reload nginx

    nginx -t
    # if no errors are reported
    nginx -s reload
    Testing the Lua WAF

    Once the steps above have completed without errors, add a virtual host and run a test.

  5. Edit nginx.conf
    Add one line to the http block
    include /etc/nginx/sites-enabled/*.conf;
    Then create the directory
    mkdir -p /etc/nginx/sites-enabled/
    Write a test vhost

    vi /etc/nginx/sites-enabled/test.conf
    server {
        listen 80;
        listen [::]:80;
        server_name domain.com;
        location /hello {
            default_type 'text/plain';
            content_by_lua 'ngx.say("hello")';
        }
    }
    # test and reload nginx
    nginx -t
    nginx -s reload

    Then request http://IP/hello?id=../etc/passwd, sending a Host: domain.com header (or make this server the default_server) so the request reaches this vhost; the WAF itself runs for every server block because it was added at http level.
    Check that the WAF blocks it: with Redirect left on in config.lua a blocked request returns HTTP 403 with the WAF's HTML block page, and a line is written to a log file under logdir. A plain http://IP/hello must still return "hello". If the attack request is not blocked, check the paths in config.lua and the nginx error log.
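The manual test above checks one request by hand. The script below is an added verification for the deployment described in steps 2 to 5; it is not part of ngx_lua_waf or Tengine. It first confirms that the RulePath and logdir written into config.lua really point at the rule files and at a writable directory (the usual cause of a WAF that silently does nothing), then sends a small set of probes against the test vhost and checks that benign requests pass while attack-shaped ones get the 403 block page. Assumptions: config.lua is at /etc/nginx/conf/waf/config.lua, the rule files are the six that the v0.7.x wafconf directory ships (args, url, post, cookie, user-agent, whiteurl), the vhost answers on the base URL given as the first argument for Host domain.com, Redirect is on, and the probe list with its expected status codes is constructed here from the default rule set.

```shell
#!/bin/sh
# Added verification script for the ngx_lua_waf deployment above; not part
# of ngx_lua_waf or Tengine. Assumes config.lua at the path below, the six
# v0.7.x rule files, the test vhost from step 5 reachable at $1 for Host
# "domain.com", and Redirect on so a blocked request gets the 403 block page.

CONFIG=${WAF_CONFIG:-/etc/nginx/conf/waf/config.lua}
VHOST=${WAF_HOST:-domain.com}

# lua_string FILE NAME -> prints the double-quoted string assigned to NAME
# in a Lua config file (first assignment wins).
lua_string() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$1" | head -n 1
}

# check_waf_paths FILE -> 0 if every rule file exists under RulePath and
# logdir is a directory the current user can write to. Run it as the worker
# user to see what the WAF itself will be able to open.
check_waf_paths() {
    rulepath=$(lua_string "$1" RulePath)
    logdir=$(lua_string "$1" logdir)
    rc=0
    for rule in args url post cookie user-agent whiteurl; do
        [ -s "$rulepath/$rule" ] || { echo "missing rule file: $rulepath/$rule"; rc=1; }
    done
    if [ ! -d "$logdir" ] || [ ! -w "$logdir" ]; then
        echo "logdir is not a writable directory: $logdir"; rc=1
    fi
    return "$rc"
}

# http_status URL -> prints the HTTP status code, or 000 if no response.
http_status() {
    curl -s -o /dev/null -w '%{http_code}' --max-time 5 -H "Host: $VHOST" "$1"
}

# check_status NAME EXPECTED ACTUAL -> prints a PASS/FAIL line, 0 on match.
check_status() {
    if [ "$2" = "$3" ]; then
        printf 'PASS %-12s expected %s got %s\n' "$1" "$2" "$3"
        return 0
    fi
    printf 'FAIL %-12s expected %s got %s\n' "$1" "$2" "$3"
    return 1
}

# run_suite BASE_URL -> sends each constructed probe and returns the number
# of failures. Benign requests must pass (false-positive check); the
# attack-shaped ones must be blocked; expected codes assume the default rules.
run_suite() {
    fails=0
    while IFS='|' read -r name expected path; do
        [ -n "$name" ] || continue
        check_status "$name" "$expected" "$(http_status "$1$path")" || fails=$((fails + 1))
    done <<'EOF'
benign|200|/hello
benign-arg|200|/hello?id=42
traversal|403|/hello?id=../etc/passwd
sqli|403|/hello?id=1%20union%20select%201,2,3
xss|403|/hello?id=%3Cscript%3Ealert(1)%3C/script%3E
EOF
    return "$fails"
}

# Usage: sh waf_check.sh http://127.0.0.1
if [ -n "${1:-}" ]; then
    check_waf_paths "$CONFIG" && run_suite "$1"
fi
```

A non-zero exit from run_suite means at least one probe did not behave as expected; a FAIL on a benign line is a false positive to investigate in the rule files before going live, and a FAIL on an attack line means that rule set is not being applied (check the paths first, then the error log).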