安装OpenWAF依赖
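# Install the build prerequisites, then fetch and unpack the sources under /opt.
# The commands install system packages and write to /opt and /usr/local, so they
# need a privileged shell.
cd /opt
yum install gcc gcc-c++ wget GeoIP-devel git swig make perl perl-ExtUtils-Embed readline-devel zlib-devel -y
# Debian/Ubuntu equivalent of the yum line above:
#apt-get install gcc wget git swig make perl build-essential zlib1g-dev libgeoip-dev libncurses5-dev libreadline-dev -y

# NOTE(review): the tarballs below are used without any integrity check, and the
# libcidr URL is plain HTTP, so a tampered download would be compiled and
# installed with the privileges of this shell. Verify each archive against a
# digest or signature published by its project before extracting, for example:
#   echo "<EXPECTED_SHA256>  openssl-1.1.1d.tar.gz" | sha256sum -c -
# NOTE(review): openssl-1.1.1d and pcre-8.43 are old releases; check upstream for
# later security fixes before deploying a WAF built on them.
wget http://www.over-yonder.net/~fullermd/projects/libcidr/libcidr-1.2.3.tar.xz
wget https://ftp.pcre.org/pub/pcre/pcre-8.43.tar.gz
wget https://www.openssl.org/source/openssl-1.1.1d.tar.gz
wget https://openresty.org/download/openresty-1.15.8.2.tar.gz

tar -xvf libcidr-1.2.3.tar.xz
tar -zxvf pcre-8.43.tar.gz
tar -zxvf openssl-1.1.1d.tar.gz
tar -zxvf openresty-1.15.8.2.tar.gz

# These are plain files, so -r is not needed; "--" ends option parsing.
rm -f -- pcre-8.43.tar.gz \
  openssl-1.1.1d.tar.gz \
  openresty-1.15.8.2.tar.gz

# Build libcidr only if the source directory exists, and install only if the
# build succeeded. The job count is capped (matching the later build steps):
# a bare "make -j" places no limit on the number of parallel jobs.
cd /opt/libcidr-1.2.3 && make -j 8 && make install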
安装 OpenWAF
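# Fetch OpenWAF and overlay its build files onto the unpacked OpenResty tree.
cd /opt
# NOTE(review): this clones whatever the default branch holds at that moment, and
# the repository's "configure" then replaces the one from the OpenResty tarball,
# so the later build runs code taken straight from the repository. Pin the
# checkout to a commit you have reviewed, for example:
#   git -C /opt/OpenWAF checkout <REVIEWED_COMMIT>
git clone https://github.com/titansec/OpenWAF.git
mv /opt/OpenWAF/lib/openresty/ngx_openwaf.conf /etc
mv /opt/OpenWAF/lib/openresty/configure /opt/openresty-1.15.8.2
cp -RP /opt/OpenWAF/lib/openresty/* /opt/openresty-1.15.8.2/bundle/

# Build and install OpenWAF. Nothing runs if the directory is missing, and
# "make install" is skipped when the build fails.
cd /opt/OpenWAF && {
  make clean
  make -j 8 && make install
}

# Expose the libcidr shared object where OpenWAF's resty code looks for it.
# -f lets this step be re-run without failing on an existing link.
ln -sf /usr/local/lib/libcidr.so /opt/OpenWAF/lib/resty/libcidr.so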
编译 openresty
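# Configure, build and install OpenResty against the PCRE and OpenSSL sources
# unpacked in /opt.
# NOTE(review): --with-openssl=DIR and --with-pcre=DIR compile those libraries
# from source into the nginx binary, so distribution security updates for
# OpenSSL and PCRE do not reach it. Patching either library means rebuilding
# with newer sources.
cd /opt/openresty-1.15.8.2/ && {
  make clean # presumably a no-op on a tree that has not been built yet
  # Install only when configure and the build both succeed.
  ./configure --with-pcre-jit --with-ipv6 --with-http_stub_status_module --with-http_ssl_module \
    --with-http_realip_module --with-http_sub_module --with-http_geoip_module --with-openssl=/opt/openssl-1.1.1d --with-pcre=/opt/pcre-8.43 \
    && gmake -j 8 \
    && gmake install
}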
使用
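#nginx.conf
# Example wiring of OpenWAF into nginx. Everything below belongs inside the
# http {} context.
# NOTE(review): the paths assume OpenWAF is reachable at /twaf, while the
# install steps on this page clone it to /opt/OpenWAF -- adjust the paths or
# provide /twaf before using this as-is.
lua_package_path '/twaf/?.lua;;';
init_by_lua_file /twaf/app/twaf_init.lua;
lua_shared_dict twaf_shm 50m;

upstream test {
    server 0.0.0.1; #just an invalid address as a place holder
    # The real backend is chosen per request by the balancer script.
    balancer_by_lua_file twaf_balancer.lua;
}

# HTTPS listener: every request phase is handed to the matching OpenWAF script.
server {
    listen 443 ssl;
    server_name _;

    ssl_certificate_by_lua_file twaf_ssl_cert.lua;
    rewrite_by_lua_file /twaf/app/twaf_rewrite.lua;
    access_by_lua_file /twaf/app/twaf_access.lua;
    header_filter_by_lua_file /twaf/app/twaf_header_filter.lua;
    # The terminating ';' was missing here; without it nginx rejects the config.
    body_filter_by_lua_file /twaf/app/twaf_body_filter.lua;
    log_by_lua_file /twaf/app/twaf_log.lua;

    set $twaf_https 1;
    # Starts empty; presumably filled in by the Lua phases before proxy_pass
    # runs -- confirm against the OpenWAF scripts.
    set $twaf_upstream_server "";

    # NOTE(review): no ssl_protocols / ssl_ciphers are set, so the build's
    # defaults apply; set them explicitly to match your TLS policy. Keep
    # nginx.key readable only by the account that starts nginx.
    ssl_certificate nginx.crt;
    ssl_certificate_key nginx.key;

    location / {
        # Read the request body up front so the Lua phases can see it.
        lua_need_request_body on;
        proxy_pass $twaf_upstream_server;
    }
}

# Plain-HTTP listener with the same OpenWAF phases; traffic on this port is
# not encrypted.
server {
    listen 80;
    server_name _;

    rewrite_by_lua_file /twaf/app/twaf_rewrite.lua;
    access_by_lua_file /twaf/app/twaf_access.lua;
    header_filter_by_lua_file /twaf/app/twaf_header_filter.lua;
    # The terminating ';' was missing here as well.
    body_filter_by_lua_file /twaf/app/twaf_body_filter.lua;
    log_by_lua_file /twaf/app/twaf_log.lua;

    set $twaf_upstream_server "";

    location / {
        lua_need_request_body on;
        proxy_pass $twaf_upstream_server;
    }
}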