搜索到
2
篇与
的结果
-
tengine编译安装结合lua实现WAF防火墙 事前准备操作系统以Centos为例,安装依赖软件包yum install make gcc c++ wget pcre pcre-devel perl openssl openssl-devel tengine下载地址 http://tengine.taobao.org/cd /root/ wget http://tengine.taobao.org/download/tengine-2.3.3.tar.gz tar zxvf tengine-2.3.3.tar.gzLuaJIT下载地址 http://luajit.org/cd /root/ wget https://luajit.org/download/LuaJIT-2.0.5.tar.gz tar zxvf LuaJIT-2.0.5.tar.gz开始编译进入各自的目录,进行编译,先编译luajit,再编译tengine编译luajitcd /root/LuaJIT-2.0.5 make && make install PREFIX=/usr/local/luajit编译tengine并启动cd /root/tengine-2.3.3/ ./configure --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=root --group=root --with-openssl-opt=enable-ec_nistp_64_gcc_128 --with-pcre --with-http_ssl_module --with-http_realip_module --with-http_addition_module --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_random_index_module --with-http_secure_link_module --with-http_stub_status_module --with-http_auth_request_module --with-threads --with-http_slice_module --with-mail --with-mail_ssl_module --with-file-aio --with-http_v2_module --add-module=./modules/ngx_http_upstream_vnswrr_module --add-module=./modules/ngx_http_proxy_connect_module --with-http_lua_module --with-luajit-lib=/usr/local/luajit/lib/ --with-luajit-inc=/usr/local/luajit/include/luajit-2.0/ make && make install mkdir /var/log/nginx mkdir /etc/nginx/conf nginx nginx -V下载开源WAF-lua配置github开源项目 https://github.com/loveshell/ngx_lua_wafwget https://github.com/loveshell/ngx_lua_waf/archive/refs/tags/v0.7.2.tar.gz tar -zxvf v0.7.2.tar.gz mv v0.7.2/* /etc/nginx/conf/waf/ #具体文件路径视个人情况变动修改/etc/nginx/conf/waf/config.lua 配置文件中的路径,规则路径和log路径**RulePath = "/opt/nginx/conf/waf/wafconf/"logdir = "/opt/nginx/logs/waf"**修改为自己需要的位置**RulePath = "/etc/nginx/conf/waf/wafconf/"logdir = "/var/log/nginx/waf"**创建一个log目录mkdir /var/log/nginx/waf chmod 0777 /var/log/nginx/waf chowm root /var/log/nginx/waf chgrp root /var/log/nginx/waf #文件夹所有者权限与nginx权限相同修改 tengine 的nginx.conf使luawaf生效在 nginx.conf 的 http 段添加lua_package_path "/etc/nginx/conf/waf/?.lua"; lua_shared_dict limit 10m; init_by_lua_file /etc/nginx/conf/waf/init.lua; access_by_lua_file /etc/nginx/conf/waf/waf.lua;测试配置和重载nginxnginx -t #如果无报错 nginx -s reloadLUAWAF测试当你上面操作都顺利完成,我们接下来可以添加虚拟主机,启动测试。修改nginx.conf文件 在http段添加一句include /etc/nginx/sites-enabled/*.conf;然后创建这个目录mkdir /etc/nginx/sites-enabled/编写测试文件vi /etc/nginx/sites-enabled/test.conf server { listen 80 ; listen [::]:80 ; server_name domain.com; location /hello { default_type 'text/plain'; content_by_lua 'ngx.say("hello")'; } } #测试并重载nginx nginx -t nginx -s reload然后 访问http://IP/hello?id=../etc/passwd查看是否被waf正常拦截,拦截则成功,否则查看waf配置文件或者日志信息。完 -
nginx-tengine 编译http2 tls1.3 nginx-tengine 编译http2 tls1.3在开始编译之前,需要确保已经安装好编译工具debian系需要安装apt-get install libtool gcc g++ apt-get install build-essential zlib1g-dev libpcre3 libpcre3-dev unzip uuid-devredhat系需要安装yum -y install gcc-c++随后编译并安装 pcre,用于支持 rewriteredhat系需要安装yum -y install pcre-devel openssl openssl-devel或手动编译pcrecd /usr/local/src wget https://ftp.pcre.org/pub/pcre/pcre-8.44.zip unzip pcre-8.44.zip cd pcre-8.44 ./configure make && make install编译并安装 zlib,用于支持 gzipcd /usr/local/src wget http://zlib.net/zlib-1.2.11.tar.gz tar -zxvf zlib-1.2.11.tar.gz cd zlib-1.2.11 ./configure make && make install然后我们下载 openssl 源码为编译 Nginx 做准备,打开这个链接后点击当前最新的版本 “OpenSSL_1_1_1” 下面的 hash 值,在页面中复制完整的 hash ,稍后需要用到。在最后一步中,填入你所复制的 hash。这里我们不需要编译 openssl ,随后在编译 Nginx 时会顺带处理cd /usr/local/src git clone https://github.com/openssl/openssl.git cd openssl git checkout 1d864f0f534fe38541c7adba5777935a0f2a2eb9编译nginxcd /usr/local/src wget http://tengine.taobao.org/download/tengine-2.3.2.tar.gz tar -zxvf tengine-2.3.2.tar.gz cd tengine-2.3.2 ./configure --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=www-data --group=www-data --with-openssl-opt=enable-ec_nistp_64_gcc_128 --with-pcre --with-http_ssl_module --with-http_realip_module --with-http_addition_module --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_random_index_module --with-http_secure_link_module --with-http_stub_status_module --with-http_auth_request_module --with-threads --with-http_slice_module --with-mail --with-mail_ssl_module --with-file-aio --with-http_v2_module make && make install mkdir /var/cache/nginx然后配置nginx文件cd /etc/nginx include /etc/nginx/sites-enabled/*; mkdir sites-enabled创建配置文件cd /etc/nginx/sites-enabled vi mysite.conf输入命令nginx -t检查配置文件输入命令nginx启动开机自动启动设置:在/etc/rc.local 添加nginx完
