
安装OpenWAF依赖

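    # Install the build toolchain and fetch the sources that OpenWAF and OpenResty
    # are built from. Everything below writes to /opt or installs system-wide.
    # Stop if /opt is unavailable, so the downloads and the rm below never run
    # in whatever directory the shell happened to be in.
    cd /opt || exit 1
    yum install   gcc gcc-c++ wget GeoIP-devel git swig make perl perl-ExtUtils-Embed readline-devel zlib-devel -y
    #apt-get install   gcc wget git swig make perl build-essential zlib1g-dev libgeoip-dev libncurses5-dev libreadline-dev -y
    # NOTE(review): the libcidr URL is plain HTTP and none of the four tarballs is
    # verified after download, yet all of them are compiled and installed as root.
    # Compare each file with the checksum or signature its upstream publishes
    # before extracting, e.g.  sha256sum -c <checksums-file>   (placeholder).
    # NOTE(review): openssl-1.1.1d and openresty-1.15.8.2 are old releases, and
    # ftp.pcre.org may no longer be served; check upstream for the currently
    # supported versions and download locations before deploying.
    wget http://www.over-yonder.net/~fullermd/projects/libcidr/libcidr-1.2.3.tar.xz
    wget https://ftp.pcre.org/pub/pcre/pcre-8.43.tar.gz
    wget https://www.openssl.org/source/openssl-1.1.1d.tar.gz
    wget https://openresty.org/download/openresty-1.15.8.2.tar.gz
    tar -xvf libcidr-1.2.3.tar.xz
    tar -zxvf pcre-8.43.tar.gz
    tar -zxvf openssl-1.1.1d.tar.gz
    tar -zxvf openresty-1.15.8.2.tar.gz
    rm -rf pcre-8.43.tar.gz \
           openssl-1.1.1d.tar.gz \
           openresty-1.15.8.2.tar.gz
    cd /opt/libcidr-1.2.3 || exit 1
    # A bare `make -j` places no limit on parallel jobs; cap it at the CPU count.
    make -j"$(nproc)" && make install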

安装 OpenWAF

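    # Fetch OpenWAF, overlay its OpenResty files onto the OpenResty source tree,
    # then build and install OpenWAF itself.
    cd /opt || exit 1
    # NOTE(review): this clones whatever the default branch points to at install
    # time; no tag or commit is pinned. For a reproducible, reviewable install,
    # check out a commit you have inspected:
    #   git -C /opt/OpenWAF checkout <reviewed-commit>   (placeholder)
    git clone https://github.com/titansec/OpenWAF.git
    mv /opt/OpenWAF/lib/openresty/ngx_openwaf.conf /etc
    # Replaces the configure script in the OpenResty tree with the one shipped
    # in the OpenWAF checkout.
    mv /opt/OpenWAF/lib/openresty/configure /opt/openresty-1.15.8.2
    cp -RP /opt/OpenWAF/lib/openresty/* /opt/openresty-1.15.8.2/bundle/
    # Stop if the checkout is missing, so make never runs in the wrong directory.
    cd /opt/OpenWAF || exit 1
    make clean
    # Install only when the build succeeded.
    make -j 8 && make install
    ln -s /usr/local/lib/libcidr.so /opt/OpenWAF/lib/resty/libcidr.so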

编译 openresty

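# Configure, build and install OpenResty from /opt/openresty-1.15.8.2.
# Stop if the source tree is missing, so nothing is built in the wrong directory.
cd /opt/openresty-1.15.8.2/ || exit 1
# Kept as a separate step: its result does not gate the build below.
make clean
# --with-openssl / --with-pcre point at source trees, so OpenSSL and PCRE are
# compiled into this nginx build. Distribution package updates will not patch
# them; a security fix in either library means rebuilding OpenResty.
# Build and install only when the previous step succeeded.
./configure --with-pcre-jit --with-ipv6 --with-http_stub_status_module --with-http_ssl_module \
  --with-http_realip_module --with-http_sub_module --with-http_geoip_module \
  --with-openssl=/opt/openssl-1.1.1d --with-pcre=/opt/pcre-8.43 &&
  gmake -j 8 &&
  gmake install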

使用

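    #nginx.conf
    # Directives below go in the http {} context. Each server {} runs the
    # OpenWAF Lua handlers in every request phase (rewrite, access, header
    # filter, body filter, log) before and after proxying.
    lua_package_path '/twaf/?.lua;;';

    init_by_lua_file /twaf/app/twaf_init.lua;

    lua_shared_dict twaf_shm 50m;

    upstream test {
        server 0.0.0.1; #just an invalid address as a place holder
        balancer_by_lua_file twaf_balancer.lua;
    }

    server {
        listen 443 ssl;
        server_name _;

        ssl_certificate_by_lua_file  twaf_ssl_cert.lua;
        rewrite_by_lua_file          /twaf/app/twaf_rewrite.lua;
        access_by_lua_file           /twaf/app/twaf_access.lua;
        header_filter_by_lua_file    /twaf/app/twaf_header_filter.lua;
        # The terminating ';' is required; without it nginx refuses to load
        # the configuration and the WAF never starts.
        body_filter_by_lua_file      /twaf/app/twaf_body_filter.lua;
        log_by_lua_file              /twaf/app/twaf_log.lua;

        set $twaf_https 1;
        # Starts empty; presumably filled in per request by the OpenWAF Lua
        # code before proxy_pass uses it (confirm against the OpenWAF docs).
        set $twaf_upstream_server "";

        # Keep the private key readable only by the account that starts nginx.
        ssl_certificate nginx.crt;
        ssl_certificate_key nginx.key;

        location / {
            # Forces the request body to be read before the access-phase
            # handlers run, so they can inspect it.
            lua_need_request_body on;
            proxy_pass $twaf_upstream_server;
        }
    }

    server {
        listen      80;
        server_name  _;

        rewrite_by_lua_file       /twaf/app/twaf_rewrite.lua;
        access_by_lua_file        /twaf/app/twaf_access.lua;
        header_filter_by_lua_file /twaf/app/twaf_header_filter.lua;
        # The terminating ';' is required here as well.
        body_filter_by_lua_file   /twaf/app/twaf_body_filter.lua;
        log_by_lua_file           /twaf/app/twaf_log.lua;

        set $twaf_upstream_server "";

        location / {
            lua_need_request_body on;
            proxy_pass $twaf_upstream_server;
        }
    }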
