1.安装依赖
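# Build prerequisites (Debian/Ubuntu package names as given by the author).
apt-get install \
  apache2-dev autoconf automake build-essential bzip2 checkinstall devscripts \
  flex g++ gcc git graphicsmagick-imagemagick-compat \
  graphicsmagick-libmagick-dev-compat libaio-dev libaio1 libass-dev \
  libatomic-ops-dev libavcodec-dev libavdevice-dev libavfilter-dev \
  libavformat-dev libavutil-dev libbz2-dev libcdio-cdda1 libcdio-paranoia1 \
  libcdio13 libcurl4-openssl-dev libfreetype6-dev libgd-dev libgeoip-dev \
  libgeoip1 libgif-dev libgpac-dev libgsm1-dev libjack-jackd2-dev libjpeg-dev \
  libjpeg-progs libjpeg8-dev liblmdb-dev libmp3lame-dev libncurses5-dev \
  libopencore-amrnb-dev libopencore-amrwb-dev libpam0g-dev libpcre3 \
  libpcre3-dev libperl-dev libpng12-dev libpng12-0 libreadline-dev \
  librtmp-dev libsdl1.2-dev libssl-dev libssl1.0.0 libswscale-dev \
  libtheora-dev libtiff5-dev libtool libva-dev libvdpau-dev libvorbis-dev \
  libxml2-dev libxslt1-dev libxslt1.1 libxvidcore-dev libxvidcore4 \
  libyajl-dev make openssl perl pkg-config tar texi2html unzip zip zlib1g-dev

# Later steps refer to /opt/libcidr-1.2.3, /opt/pcre-8.43 and /opt/openssl-1.1.1d,
# so the sources are downloaded and unpacked under /opt.
cd /opt

# Source tarballs. The libcidr archive is fetched over plain HTTP, so nothing
# protects it in transit; the others rely on TLS alone.
wget http://www.over-yonder.net/~fullermd/projects/libcidr/libcidr-1.2.3.tar.xz
wget https://ftp.pcre.org/pub/pcre/pcre-8.43.tar.gz
wget https://www.openssl.org/source/openssl-1.1.1d.tar.gz
wget https://openresty.org/download/openresty-1.15.8.2.tar.gz

# Before unpacking, check every archive against the digest or signature that
# its project publishes, for example:
#   echo "EXPECTED_SHA256_PLACEHOLDER  openssl-1.1.1d.tar.gz" | sha256sum -c -
# These components end up inside an internet-facing WAF, so a tampered tarball
# would compromise the whole gateway.
# NOTE(review): the pinned versions are old; check each project for a
# currently supported release before building for anything but a lab.
tar -xvf libcidr-1.2.3.tar.xz
tar -zxvf pcre-8.43.tar.gz
tar -zxvf openssl-1.1.1d.tar.gz
tar -zxvf openresty-1.15.8.2.tar.gz

# The unpacked trees are what the build uses; drop the archives.
rm -f -- pcre-8.43.tar.gz openssl-1.1.1d.tar.gz openresty-1.15.8.2.tar.gz

# Build and install libcidr (OpenWAF links to libcidr.so in a later step).
cd /opt/libcidr-1.2.3
make && make install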
2.下载ModSecurity
# Fetch libmodsecurity (ModSecurity v3) and build it from the v3/master branch.
# NOTE(review): this builds whatever the branch tip is at clone time. For a
# reproducible install that can be audited later, check out a release tag
# instead (git checkout RELEASE_TAG_PLACEHOLDER) and record the commit id.
git clone https://github.com/SpiderLabs/ModSecurity.git
cd ModSecurity
git checkout -b v3/master origin/v3/master
sh ./build.sh
# Register and fetch the third-party sources tracked as git submodules.
git submodule update --init
# Build with YAJL support (JSON parsing in libmodsecurity).
./configure --with-yajl
make
make install
3.下载ModSecurity-nginx
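# Clone the nginx connector over HTTPS: a plain-http clone URL lets anyone on
# the network path tamper with or redirect the first request, and this code is
# compiled into the web server.
# NOTE(review): the later configure step uses
# --add-dynamic-module=../ModSecurity-nginx, so run this from the directory
# that also holds the OpenResty source tree - confirm your working directory.
git clone --depth 1 https://github.com/SpiderLabs/ModSecurity-nginx.git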
4.下载owasp规则库
# Fetch the OWASP Core Rule Set and activate its example configuration files.
# NOTE(review): the CRS project has since moved to its own organisation;
# confirm this repository is still the maintained source before relying on it.
git clone https://github.com/SpiderLabs/owasp-modsecurity-crs.git
cd owasp-modsecurity-crs
# crs-setup.conf holds the rule set's tunables (paranoia level, thresholds).
cp crs-setup.conf.example crs-setup.conf
cd rules
# The 900/999 files are the places for site-specific rule exclusions; they
# ship as *.example and are not read until copied to *.conf.
for name in REQUEST-900-EXCLUSION-RULES-BEFORE-CRS RESPONSE-999-EXCLUSION-RULES-AFTER-CRS; do
  cp "${name}.conf.example" "${name}.conf"
done
5.搭建openwaf
# Fetch OpenWAF and overlay the files it ships onto the OpenResty source tree.
# NOTE(review): this replaces OpenResty's own configure script and adds files
# to its bundle from the OpenWAF repository, so the build trusts that
# repository as much as the OpenResty tarball; review what gets overlaid.
# NOTE(review): the archive from step 1 unpacks as openresty-1.15.8.2, while
# the paths below expect /opt/openresty - rename or symlink it first (confirm).
waf_root=/opt/OpenWAF
resty_src=/opt/openresty
git clone https://github.com/titansec/OpenWAF.git
cd OpenWAF
mv "$waf_root/lib/openresty/configure" "$resty_src/" # moving is optional; copying works as well
cp -R -P "$waf_root"/lib/openresty/* "$resty_src/bundle/"
make clean
make install
# Expose the libcidr built in step 1 at the path OpenWAF's Lua code loads it from.
ln -s /usr/local/lib/libcidr.so "$waf_root/lib/resty/libcidr.so"
6.openresty集成
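# Configure and build OpenResty with the ModSecurity connector as a dynamic
# module. Run this from the OpenResty source tree (presumably /opt/openresty,
# given the paths used in the OpenWAF step - confirm).
# --with-openssl / --with-pcre compile the given source trees into the nginx
# binary, so OS package updates will NOT patch them: every OpenSSL or PCRE
# security fix means rebuilding and redeploying this binary.
./configure \
  --with-pcre-jit \
  --with-ipv6 \
  --with-http_stub_status_module \
  --with-http_ssl_module \
  --with-http_realip_module \
  --with-http_sub_module \
  --with-http_geoip_module \
  --with-openssl=/opt/openssl-1.1.1d \
  --with-pcre=/opt/pcre-8.43 \
  --add-dynamic-module=../ModSecurity-nginx
make
make install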
7.配置
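# Activate the CRS setup file and the two local exclusion files.
cd owasp-modsecurity-crs/
cp crs-setup.conf.example crs-setup.conf
cd rules
cp REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf
cp RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.example RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf

# Start from ModSecurity's recommended baseline configuration.
# The recommended file ships with "SecRuleEngine DetectionOnly": matches are
# logged but nothing is blocked until that is changed to "SecRuleEngine On".
# Nothing on this page loads the CRS from modsecurity.conf either; add Include
# lines for crs-setup.conf and rules/*.conf using the absolute path of the
# clone (CRS_DIR_PLACEHOLDER), otherwise no CRS rule is evaluated.
cp /opt/ModSecurity/modsecurity.conf-recommended /opt/ModSecurity/modsecurity.conf

# Audit-log directory: writable by the nginx worker account only. A
# world-writable (777) directory would let any local user delete or replace
# WAF audit logs, or plant symlinks for the worker to write through.
# NOTE(review): nginx.conf on this page leaves "user" commented out, so the
# workers presumably run as the build default "nobody"; a dedicated account is
# preferable - substitute it here. Also confirm that SecAuditLog in
# modsecurity.conf actually points into this directory.
mkdir -p /var/log/modsecurity
chown nobody /var/log/modsecurity
chmod 750 /var/log/modsecurity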
8.nginx.conf
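# OpenResty configuration: OpenWAF includes plus the ModSecurity connector in
# front of one proxied application.
# Each directive sits on its own line: in nginx a '#' comments out the rest of
# the physical line, so directives that share a line with a comment are ignored.

#user nobody;
worker_processes 1;
#error_log logs/error.log;
# Load the ModSecurity connector that was built as a dynamic module.
load_module /usr/local/openresty/nginx/modules/ngx_http_modsecurity_module.so;
#error_log logs/error.log notice;
#error_log logs/error.log info;
pid logs/nginx.pid;

events {
    worker_connections 1024;
}

http {
    include /opt/openresty/bundle/nginx-1.15.8/conf/mime.types;
    default_type application/octet-stream;

    include /opt/OpenWAF/conf/twaf_main.conf;
    # NOTE(review): twaf_api.conf presumably defines OpenWAF's management API;
    # confirm that its listener is reachable by administrators only.
    include /opt/OpenWAF/conf/twaf_api.conf;

    #log_format main '$remote_addr - $remote_user [$time_local] "$request" '
    #                '$status $body_bytes_sent "$http_referer" '
    #                '"$http_user_agent" "$http_x_forwarded_for"';

    #access_log logs/access.log main;

    sendfile on;
    #tcp_nopush on;

    #keepalive_timeout 0;
    keepalive_timeout 65;

    #gzip on;

    server {
        # Plain HTTP only. The binary is built with the SSL module; add a TLS
        # listener before this serves anything beyond a lab network.
        listen 80;
        server_name _;
        include /opt/OpenWAF/conf/twaf_server.conf;

        #access_log logs/host.access.log main;

        # Enable ModSecurity for this server.
        # Rules are loaded only inside "location /dvwa/" below, so requests to
        # any other location pass through with the engine on but no rules.
        modsecurity on;

        location /dvwa/ {
            # Path of the ModSecurity configuration file.
            # As copied from modsecurity.conf-recommended it runs in
            # DetectionOnly mode (log, do not block) until SecRuleEngine is set to On.
            modsecurity_rules_file /opt/ModSecurity/modsecurity.conf;
            # The protected application is reached over unencrypted HTTP on the LAN.
            proxy_pass http://192.168.0.138/dvwa/;
            # root html;
            # index index.html index.htm;
        }

        location = /50x.html {
            root html;
        }
    }
}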
9.启动
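# Validate the configuration first (-t parses it and loads the dynamic module
# without serving traffic), then start OpenResty only if the check passes.
# NOTE(review): the prefix /data/geektime is not created anywhere in the
# earlier steps; point -p and -c at the prefix that holds the nginx.conf above.
openresty -t -p /data/geektime -c /data/geektime/conf/nginx.conf &&
  openresty -p /data/geektime -c /data/geektime/conf/nginx.conf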