OpenResty+Lua实现WAF应用防火墙

一、OpenResty概览

OpenResty是一个基于Lua扩展Nginx实现的可伸缩Web平台，其内部集成了大量精良的Lua库、第三方模块以及大多数依赖项。用于方便的部署能够处理超高并发、扩展性极高的动态Web应用。

OpenResty的目标是让你的Web服务直接跑在Nginx服务内部，充分利用Nginx的非阻塞I/O模型，不仅仅对HTTP客户端请求，甚至于对后端诸如MySQL、PostgreSQL、Memcache以及Redis等都进行一致的高性能响应。

二、安装依赖库

• 安装pcre依赖库

  wget https://ftp.pcre.org/pub/pcre/pcre-8.43.tar.gz
  tar -zxf pcre-8.43.tar.gz
  cd pcre-8.43
  ./configure && make && make install

• 安装zlib依赖库

  yum install -y zlib zlib-devel

• 安装ssl依赖库

  yum install -y openssl openssl-devel

• 安装Lua组件 [ 想使用Lua实现WAF功能 ]

  #下载最新LuaJIT
  wget http://luajit.org/download/LuaJIT-2.0.5.tar.gz
  tar -zxf LuaJIT-2.0.5.tar.gz
  cd LuaJIT-2.0.5
  make && make install
  export LUAJIT_LIB=/usr/local/lib
  export LUAJIT_INC=/usr/local/include/luajit-2.0
  ln -s /usr/local/lib/libluajit-5.1.so.2 /lib64/libluajit-5.1.so.2
  ldconfig

  三、编译安装OpenResty

官方各版本：下载地址

wget https://openresty.org/download/openresty-1.11.2.5.tar.gz
tar -zxf openresty-1.11.2.5.tar.gz
cd openresty-1.11.2.5

#创建www用户
useradd -s /sbin/nologin -M www

#编译openresty
./configure --prefix=/usr/local/openresty \
--user=www \
--group=www \
--with-luajit \
--with-http_v2_module \
--with-http_stub_status_module \
--with-http_ssl_module \
--with-http_gzip_static_module \
--with-ipv6 --with-http_sub_module \
--with-pcre \
--with-pcre-jit \
--with-file-aio \
--with-http_dav_module

#安装
gmake  && gmake install

测试openresty

#创建nginx配置文件存放目录
mkdir -p /usr/local/openresty/nginx/conf/conf.d

# vim /usr/local/openresty/nginx/conf/nginx.conf
http {
    ......
    include /usr/local/openresty/nginx/conf/conf.d/*.conf;
}

vim /usr/local/openresty/nginx/conf/conf.d/hello.conf

server {
    location /hello {
            default_type text/html;
            content_by_lua_block {
                ngx.say("HelloWorld")
            }
        }
}

启动Nginx

/usr/local/openresty/nginx/sbin/nginx -t
/usr/local/openresty/nginx/sbin/nginx

web访问测试

curl -XGET http://192.168.1.186/hello
HelloWorld

Systemd管理Nginx启动

ln -sv /usr/local/openresty/nginx/sbin/nginx /usr/sbin/

vim /etc/systemd/system/nginx.service

[Unit]
Description=The NGINX HTTP and reverse proxy server
After=syslog.target network.target remote-fs.target nss-lookup.target

[Service]
Type=forking
PIDFile=/usr/local/openresty/nginx/logs/nginx.pid
ExecStartPre=/usr/sbin/nginx -t
ExecStart=/usr/sbin/nginx
ExecReload=/usr/sbin/nginx -s reload
ExecStop=/bin/kill -s QUIT $MAINPID
PrivateTmp=true

[Install]
WantedBy=multi-user.target

systemctl enable nginx
systemctl start nginx

四、部署WAF

功能参考：赵班长的 https://github.com/unixhot/waf

git clone https://github.com/unixhot/waf.git
cp -a ./waf/waf /usr/local/openresty/nginx/conf/

[root@local waf]# ls -lh /usr/local/openresty/nginx/conf/waf/
total 20K
-rw-r--r--. 1 root root  408 Sep 24 23:17 access.lua
-rw-r--r--. 1 root root 1.3K Sep 24 23:17 config.lua
-rw-r--r--. 1 root root 5.4K Sep 24 23:17 init.lua
-rw-r--r--. 1 root root 2.3K Sep 24 23:17 lib.lua
drwxr-xr-x. 2 root root  158 Sep 24 23:17 rule-config

把WAF整合到Nginx中

cat  /usr/local/openresty/nginx/conf/nginx.conf   
#放到http区段，注意路径

http {
    ......
    #WAF
    lua_shared_dict limit 50m;
    lua_package_path "/usr/local/openresty/nginx/conf/waf/?.lua";
    init_by_lua_file "/usr/local/openresty/nginx/conf/waf/init.lua";
    access_by_lua_file "/usr/local/openresty/nginx/conf/waf/access.lua";
    ......
    include /usr/local/openresty/nginx/conf/conf.d/*.conf;
}

nginx -t
nginx -s reload

五、WAF模块

waf安装好以后，不要直接上生产，而是先记录日志，不做任何动作。确定WAF不产生误杀。

• config.lua配置模块

  #pwd
  /usr/local/openresty/nginx/conf/waf
  
  #创建waf日志目录
  mkdir /tmp/waf_logs
  chown -R www:www /tmp/waf_logs

  config.lua 配置文件说明

  --WAF config file,enable = "on",disable = "off"
  
  --是否开启配置WAF
  config_waf_enable = "on"     
  
  --waf log dir
  config_log_dir = "/tmp/waf_logs"   
  
  --rule setting
  config_rule_dir = "/usr/local/openresty/nginx/conf/waf/rule-config"
  
  --enable/disable white url 是否开启URL检测
  config_white_url_check = "on"
  
  --enable/disable white ip  是否开启IP白名单检测
  config_white_ip_check = "on"
  
  --enable/disable block ip  是否开启IP黑名单检测
  config_black_ip_check = "on"
  
  --enable/disable url filtering 是否开启URL过滤
  config_url_check = "on"
  
  --enalbe/disable url args filtering 是否开启参数检测
  config_url_args_check = "on"
  
  --enable/disable user agent filtering 是否开启UA检测
  config_user_agent_check = "on"
  
  --enable/disable cookie deny filtering 是否开启cookie检测
  config_cookie_check = "on"
  
  --enable/disable cc filtering 是否开启防cc攻击
  config_cc_check = "on"
  
  --cc rate the xxx of xxx seconds 允许一个IP 60秒内只能访问10次
  config_cc_rate = "10/60"
  
  --enable/disable post filtering 是否开启post检测
  config_post_check = "on"
  
  --config waf output redirect/html action一个html页面，也可以选择跳转
  config_waf_output = "html"
  
  --if config_waf_output ,setting url
  config_waf_redirect_url = "https://globtc.io"
  config_output_html=[[
  <html>
  <head>
  <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
  <meta http-equiv="Content-Language" content="zh-cn" />
  <title>FBI</title>
  </head>
  <body>
  <h1 align="center">异常操作已被捕捉，请规范上网行为
  </body>
  </html>
  ]]

• access.lua 规则模块

  [root@local waf]# pwd
  /usr/local/openresty/nginx/conf/waf

  [root@local waf]# cat access.lua 
  require 'init'
  
  function waf_main()
      if white_ip_check() then
      elseif black_ip_check() then
      elseif user_agent_attack_check() then
      elseif cc_attack_check() then
      elseif cookie_attack_check() then
      elseif white_url_check() then
      elseif url_attack_check() then
      elseif url_args_attack_check() then
      --elseif post_attack_check() then
      else
          return
      end
  end
  
  waf_main()

  检测顺序：
  -- 先检查白名单，通过即不检测；再检查黑名单，不通过即拒绝;
  -- 检查UA，UA不通过即拒绝；
  -- 检查cookie；
  -- URL检查;
  -- URL参数检查;
  -- post检查；

  六、WAF功能验证

① 模拟SQL注入

[root@localhost conf]# curl http://192.168.1.186/a.sql
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta http-equiv="Content-Language" content="zh-cn" />
<title>FBI</title>
</head>
<body>
<h1 align="center">异常操作已被捕捉，请规范上网行为
</body>
</html>

②使用ab压测工具模拟防cc攻击[未测试]

yum install -y httpd-tools
ab -c 500 -n 10000 http://192.168.1.186/index.php

③模拟IP黑名单

echo "192.168.1.8" >>/usr/local/openresty/nginx/conf/waf/rule-config/blackip.rule

[root@localhost ~]# curl http://192.168.1.186/a.sql
<html>
<head><title>403 Forbidden</title></head>
<body bgcolor="white">
<center><h1>403 Forbidden</h1></center>
<hr><center>openresty/1.11.2.5</center>
</body>
</html>

④模拟IP白名单

#白名单即允许某个IP无限制访问，由于a.sql本身不存在，故访问时正常情况下返回404
echo "192.168.1.8" >>/usr/local/openresty/nginx/conf/waf/rule-config/whiteip.rule

[root@localhost ~]# curl http://192.168.1.186/a.sql
<html>
<head><title>404 Not Found</title></head>
<body bgcolor="white">
<center><h1>404 Not Found</h1></center>
<hr><center>openresty/1.11.2.5</center>
</body>
</html>

⑤模拟URL参数检测

curl http://192.168.1.186/?a=select * from table
或
curl http://192.168.1.186/?a=select%20*%20from%20table

<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta http-equiv="Content-Language" content="zh-cn" />
<title>FBI</title>
</head>
<body>
<h1 align="center">异常操作已被捕捉，请规范上网行为
</body>
</html>

注：URL请求规范 args.rule已有规范

cat /usr/local/openresty/nginx/conf/waf/rule-config/args.rule

\.\./
\:\$
\$\{
select.+(from|limit)
(?:(union(.*?)select))
having|rongjitest
sleep\((\s*)(\d*)(\s*)\)
benchmark\((.*)\,(.*)\)
base64_decode\(
(?:from\W+information_schema\W)
(?:(?:current_)user|database|schema|connection_id)\s*\(
(?:etc\/\W*passwd)
into(\s+)+(?:dump|out)file\s*
group\s+by.+\(
xwork.MethodAccessor
(?:define|eval|file_get_contents|include|require|require_once|shell_exec|phpinfo|system|passthru|preg_\w+|execute|echo|print|print_r|var_dump|(fp)open|alert|showmodaldialog)\(
xwork\.MethodAccessor
(gopher|doc|php|glob|file|phar|zlib|ftp|ldap|dict|ogg|data)\:\/
java\.lang
\$_(GET|post|cookie|files|session|env|phplib|GLOBALS|SERVER)\[
\<(iframe|script|body|img|layer|div|meta|style|base|object|input)
(onmouseover|onerror|onload)\=

• 本文作者： GaryWu
• 本文链接： https://garywu520.github.io/2019/10/12/OpenResty-Lua实现WAF应用防火墙/
• 版权声明： 本博客所有文章除特别声明外，均采用 MIT 许可协议。转载请注明出处！