OpenResty安全网关开发教学文档<\/h1>

一、前言<\/h2>
本教学文档基于OpenResty开发安全网关的实现过程，主要功能包括：<\/p>
防御Shiro反序列化攻击<\/li>
防御自动化工具请求<\/li>
保护网站前端代码<\/li>
防御多源代理请求<\/li>
防止敏感信息泄漏<\/li> <\/ul>
二、环境搭建<\/h2>

2.1 OpenResty安装<\/h3>
配置yum源：<\/li> <\/ol>
wget https:\/\/openresty.org\/package\/centos\/openresty.repo
<\/span><\/span>sudo mv openresty.repo \/etc\/yum.repos.d\/
<\/span><\/span>sudo yum check-update
<\/span><\/span><\/code><\/pre>
安装OpenResty：<\/li>
<\/ol>
sudo yum install -y openresty
<\/span><\/span>sudo yum install -y openresty-resty
<\/span><\/span><\/code><\/pre>
验证安装：<\/li>
<\/ol>
openresty -V
<\/span><\/span><\/code><\/pre>
文件结构：<\/li>
<\/ol>
\/usr\/local\/openresty\/
├── bin
├── COPYRIGHT
├── luajit
├── lualib
├── nginx
├── openssl111
├── pcre
├── site
└── zlib
<\/code><\/pre>

常用命令：<\/li>
<\/ol>
openresty -t # 检查配置文件<\/span>
<\/span><\/span>openresty -s reload # 重新加载配置<\/span>
<\/span><\/span>openresty -s reopen # 重新打开日志文件<\/span>
<\/span><\/span>openresty -s stop # 快速停止<\/span>
<\/span><\/span>openresty -s quit # 优雅停止<\/span>
<\/span><\/span><\/code><\/pre>2.2 Node.js安装<\/h3>

安装Node.js：<\/li>
<\/ol>
curl -fsSL https:\/\/rpm.nodesource.com\/setup_17.x | bash -
<\/span><\/span>sudo yum install -y nodejs
<\/span><\/span><\/code><\/pre>
安装Babel相关包：<\/li>
<\/ol>
npm -g install @babel\/generator@7.16.8
<\/span><\/span>npm -g install @babel\/parser@7.16.8
<\/span><\/span>npm -g install @babel\/traverse@7.16.8
<\/span><\/span>npm -g install @babel\/types@7.16.8
<\/span><\/span><\/code><\/pre>
设置环境变量：<\/li>
<\/ol>
export NODE_PATH=<\/span>\/usr\/lib\/node_modules
<\/span><\/span><\/code><\/pre>三、功能实现<\/h2>
3.1 防御Shiro反序列化攻击<\/h3>
实现原理<\/h4>

对服务器下发的Cookie进行加密<\/li>
对客户端传来的Cookie进行解密<\/li>
对不认识的Cookie直接丢弃<\/li>
<\/ol>
关键代码<\/h4>

请求处理：<\/li>
<\/ol>
function<\/span> reqCookieParse<\/span>()
<\/span><\/span>    if<\/span> ShiroProtect then<\/span>
<\/span><\/span>        local<\/span> userCookie =<\/span> ngx.var.cookie_x9i7RDYX23
<\/span><\/span>        if<\/span> not<\/span> userCookie then<\/span>
<\/span><\/span>            log('0-cookie 无cookie'<\/span>, ''<\/span>)
<\/span><\/span>        elseif<\/span> #<\/span>userCookie <<\/span> 32<\/span> then<\/span>
<\/span><\/span>            log('1-cookie 不符合要求'<\/span>, userCookie)
<\/span><\/span>            say_html()
<\/span><\/span>        else<\/span>
<\/span><\/span>            local<\/span> result =<\/span> xpcall(dencrypT, errPrint, userCookie)
<\/span><\/span>            if<\/span> not<\/span> result then<\/span>
<\/span><\/span>                log('3-cookie 无法解密'<\/span>, userCookie)
<\/span><\/span>                say_html()
<\/span><\/span>            else<\/span>
<\/span><\/span>                local<\/span> originCookie =<\/span> StrToTable(dencrypT(userCookie))
<\/span><\/span>                ngx.req.set_header('Cookie'<\/span>, transTable(originCookie))
<\/span><\/span>                log('4-cookie 解密成功'<\/span>, userCookie)
<\/span><\/span>            end<\/span>
<\/span><\/span>        end<\/span>
<\/span><\/span>    end<\/span>
<\/span><\/span>end<\/span>
<\/span><\/span><\/code><\/pre>
响应处理：<\/li>
<\/ol>
function<\/span> respCookieEncrypt<\/span>()
<\/span><\/span>    if<\/span> ShiroProtect then<\/span>
<\/span><\/span>        local<\/span> value =<\/span> ngx.resp.get_headers()["Set-Cookie"<\/span>]
<\/span><\/span>        if<\/span> value then<\/span>
<\/span><\/span>            local<\/span> encryptedCookie =<\/span> cookieKey..<\/span>"="<\/span>..<\/span>encrypT(TableToStr(value))
<\/span><\/span>            ngx.header["Set-Cookie"<\/span>] =<\/span> encryptedCookie
<\/span><\/span>            log('5-cookie 加密成功'<\/span>, encryptedCookie)
<\/span><\/span>        end<\/span>
<\/span><\/span>    end<\/span>
<\/span><\/span>end<\/span>
<\/span><\/span><\/code><\/pre>
日志记录：<\/li>
<\/ol>
function<\/span> log<\/span>(data, ruletag)
<\/span><\/span>    if<\/span> Attacklog then<\/span>
<\/span><\/span>        local<\/span> realIp =<\/span> getClientIp()
<\/span><\/span>        local<\/span> method =<\/span> ngx.var.request_method
<\/span><\/span>        local<\/span> ua =<\/span> ngx.var.http_user_agent
<\/span><\/span>        local<\/span> servername =<\/span> ngx.var.server_name
<\/span><\/span>        local<\/span> url =<\/span> ngx.var.request_uri
<\/span><\/span>        local<\/span> time =<\/span> ngx.localtime()
<\/span><\/span>        
<\/span><\/span>        local<\/span> line =<\/span> realIp..<\/span>" ["<\/span>..<\/span>time..<\/span>"] <\/span>\"<\/span>"<\/span>..<\/span>method..<\/span>" "<\/span>..<\/span>servername..<\/span>url..<\/span>"<\/span>\"<\/span> <\/span>\"<\/span>"<\/span>..<\/span>ruletag..<\/span>"<\/span>\"<\/span> <\/span>\"<\/span>"<\/span>..<\/span>ua..<\/span>"<\/span>\"<\/span> <\/span>\"<\/span>"<\/span>..<\/span>data..<\/span>"<\/span>\"\n<\/span>"<\/span>
<\/span><\/span>        local<\/span> filename =<\/span> logpath..<\/span>'\/'<\/span>..<\/span>servername..<\/span>"_"<\/span>..<\/span>ngx.today()..<\/span>"_sec.log"<\/span>
<\/span><\/span>        write(filename, line)
<\/span><\/span>    end<\/span>
<\/span><\/span>end<\/span>
<\/span><\/span><\/code><\/pre>3.2 防御自动化工具请求<\/h3>
实现原理<\/h4>

首次请求无Cookie时返回302跳转至JS生成页面<\/li>
JS代码收集环境数据并生成Cookie<\/li>
后续请求验证Cookie有效性<\/li>
<\/ol>
关键代码<\/h4>

请求处理：<\/li>
<\/ol>
function<\/span> toolsInfoSpider<\/span>()
<\/span><\/span>    if<\/span> ToolsProtect then<\/span>
<\/span><\/span>        local<\/span> clientCookieA =<\/span> ngx.var.cookie_h0yGbdRv
<\/span><\/span>        local<\/span> clientCookieB =<\/span> ngx.var.cookie_kQpFHdoh
<\/span><\/span>        
<\/span><\/span>        if<\/span> not<\/span> (clientCookieA and<\/span> clientCookieB) then<\/span>
<\/span><\/span>            local<\/span> ip =<\/span> 'xxx'<\/span>
<\/span><\/span>            local<\/span> finalPath =<\/span> 'http:\/\/'<\/span>..<\/span>ip..<\/span>'\/'<\/span>..<\/span>jsPath..<\/span>'?origin='<\/span>..<\/span>encodeBase64(ngx.var.request_uri)
<\/span><\/span>            log('1-tools 无cookieA\/B'<\/span>, ''<\/span>)
<\/span><\/span>            ngx.redirect(finalPath, 302<\/span>)
<\/span><\/span>        else<\/span>
<\/span><\/span>            local<\/span> result =<\/span> xpcall(dencrypT, emptyPrint, clientCookieB, clientCookieA)
<\/span><\/span>            if<\/span> not<\/span> result then<\/span>
<\/span><\/span>                log('2-tools 解密失败'<\/span>, clientCookieA..<\/span>', '<\/span>..<\/span>clientCookieB)
<\/span><\/span>                say_html()
<\/span><\/span>            else<\/span>
<\/span><\/span>                local<\/span> result2 =<\/span> dencrypT(clientCookieB, clientCookieA)
<\/span><\/span>                local<\/span> _, e =<\/span> string.find(result2, '0'<\/span>)
<\/span><\/span>                if<\/span> e ~=<\/span> nil<\/span> then<\/span>
<\/span><\/span>                    log('3-tools 工具请求'<\/span>, result2)
<\/span><\/span>                    say_html()
<\/span><\/span>                else<\/span>
<\/span><\/span>                    log('0-tools 工具验证通过'<\/span>, ''<\/span>)
<\/span><\/span>                end<\/span>
<\/span><\/span>            end<\/span>
<\/span><\/span>        end<\/span>
<\/span><\/span>    end<\/span>
<\/span><\/span>end<\/span>
<\/span><\/span><\/code><\/pre>
JS检测代码：<\/li>
<\/ol>
\/\/ webdriver.js
<\/span><\/span><\/span><\/span>function<\/span> get_webdriver<\/span>() {
<\/span><\/span>    try<\/span> {
<\/span><\/span>        return<\/span> !<\/span>0<\/span> ===<\/span> _navigator<\/span>.webdriver<\/span> ?<\/span> 0<\/span> :<\/span> +!<\/span>window.document.documentElement<\/span>.getAttribute<\/span>('webdriver'<\/span>)
<\/span><\/span>    } catch<\/span>(e<\/span>) {
<\/span><\/span>        return<\/span> 1<\/span>
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>function<\/span> get_awvs<\/span>() {
<\/span><\/span>    for<\/span>(var<\/span> e<\/span>=<\/span>['SimpleDOMXSSClass'<\/span>,'MarvinHooks'<\/span>,'MarvinPageExplorer'<\/span>,'HashDOMXSSClass'<\/span>],t<\/span>=<\/span>e<\/span>.length<\/span>,r<\/span>=<\/span>window.$hook$<\/span>,n<\/span>=<\/span>0<\/span>;n<\/span><<\/span>t<\/span>;n<\/span>++<\/span>)
<\/span><\/span>        if<\/span>(window[e<\/span>[n<\/span>]]&&<\/span>r<\/span>) return<\/span> 0<\/span>;
<\/span><\/span>    return<\/span> 1<\/span>
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>function<\/span> get_appscan<\/span>() {
<\/span><\/span>    for<\/span>(var<\/span> e<\/span>=<\/span>['appScanSendReplacement'<\/span>,'appScanOnReadyStateChangeReplacement'<\/span>,'appScanLoadHandler'<\/span>,'appScanSetPageLoaded'<\/span>],t<\/span>=<\/span>e<\/span>.length<\/span>,r<\/span>=<\/span>0<\/span>;r<\/span><<\/span>t<\/span>;r<\/span>++<\/span>)
<\/span><\/span>        if<\/span>(window[e<\/span>[r<\/span>]]) return<\/span> 0<\/span>;
<\/span><\/span>    return<\/span> 1<\/span>
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>function<\/span> get_info<\/span>(arr<\/span>){
<\/span><\/span>    arr<\/span> =<\/span> ''<\/span> +<\/span> get_webdriver<\/span>() +<\/span> get_awvs<\/span>() +<\/span> get_appscan<\/span>();
<\/span><\/span>    return<\/span> arr<\/span>;
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>function<\/span> setCookie<\/span>(cname<\/span>, date<\/span>) {
<\/span><\/span>    var<\/span> d<\/span> =<\/span> new<\/span> Date();
<\/span><\/span>    d<\/span>.setTime<\/span>(d<\/span>.getTime<\/span>() +<\/span> (1<\/span>*<\/span>24<\/span>*<\/span>60<\/span>*<\/span>60<\/span>*<\/span>1000<\/span>));
<\/span><\/span>    var<\/span> expires<\/span> =<\/span> "expires="<\/span> +<\/span> d<\/span>.toGMTString<\/span>();
<\/span><\/span>    document.cookie<\/span> =<\/span> cname<\/span> +<\/span> '='<\/span> +<\/span> date<\/span> +<\/span> '; '<\/span> +<\/span> expires<\/span> +<\/span> '; Path=\/'<\/span>;
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>function<\/span> aesEncrypt<\/span>(word<\/span>, tt<\/span>) {
<\/span><\/span>    let<\/span> key<\/span> =<\/span> CryptoJS<\/span>.enc<\/span>.Utf8<\/span>.parse<\/span>(tt<\/span>);
<\/span><\/span>    const<\/span> iv<\/span> =<\/span> CryptoJS<\/span>.enc<\/span>.Utf8<\/span>.parse<\/span>('ABCDEF1234123412'<\/span>);
<\/span><\/span>    let<\/span> srcs<\/span> =<\/span> CryptoJS<\/span>.enc<\/span>.Utf8<\/span>.parse<\/span>(word<\/span>);
<\/span><\/span>    let<\/span> encrypted<\/span> =<\/span> CryptoJS<\/span>.AES<\/span>.encrypt<\/span>(srcs<\/span>, key<\/span>, {
<\/span><\/span>        iv<\/span>:<\/span> iv<\/span>,
<\/span><\/span>        mode<\/span>:<\/span> CryptoJS<\/span>.mode<\/span>.CBC<\/span>,
<\/span><\/span>        padding<\/span>:<\/span> CryptoJS<\/span>.pad<\/span>.Pkcs7<\/span>
<\/span><\/span>    });
<\/span><\/span>    return<\/span> encrypted<\/span>.ciphertext<\/span>.toString<\/span>().toUpperCase<\/span>();
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>tt<\/span> =<\/span> '000'<\/span> +<\/span> tt<\/span>;
<\/span><\/span>setCookie<\/span>('h0yGbdRv'<\/span>, tt<\/span>);
<\/span><\/span>setCookie<\/span>('kQpFHdoh'<\/span>, aesEncrypt<\/span>(get_info<\/span>(arr<\/span>), tt<\/span>));
<\/span><\/span><\/code><\/pre>3.3 保护网站前端代码<\/h3>
实现原理<\/h4>

检测请求的JS文件<\/li>
使用Babel对JS代码进行混淆<\/li>
返回混淆后的代码<\/li>
<\/ol>
关键代码<\/h4>

检测JS文件：<\/li>
<\/ol>
function<\/span> jsExtDetect<\/span>()
<\/span><\/span>    if<\/span> JsProtect then<\/span>
<\/span><\/span>        local<\/span> ext =<\/span> string.match(ngx.var.uri, ".+%.(%w+)$"<\/span>)
<\/span><\/span>        if<\/span> ext ==<\/span> 'js'<\/span> then<\/span>
<\/span><\/span>            JsConfuse =<\/span> true<\/span>
<\/span><\/span>        end<\/span>
<\/span><\/span>    end<\/span>
<\/span><\/span>end<\/span>
<\/span><\/span><\/code><\/pre>
混淆JS代码：<\/li>
<\/ol>
function<\/span> jsConfuse<\/span>()
<\/span><\/span>    if<\/span> JsConfuse then<\/span>
<\/span><\/span>        local<\/span> originBody =<\/span> ngx.arg[1<\/span>]
<\/span><\/span>        if<\/span> #<\/span>originBody ><\/span> 200<\/span> then<\/span>
<\/span><\/span>            local<\/span> s =<\/span> getRandom(8<\/span>)
<\/span><\/span>            local<\/span> path =<\/span> '\/tmp\/'<\/span>..<\/span>s
<\/span><\/span>            writefile(path, originBody, 'w+'<\/span>)
<\/span><\/span>            local<\/span> t =<\/span> io.popen('export NODE_PATH=\/usr\/lib\/node_modules && node \/gate\/node\/js_confuse.js '<\/span>..<\/span>path)
<\/span><\/span>            local<\/span> a =<\/span> t:read("*all"<\/span>)
<\/span><\/span>            ngx.arg[1<\/span>] =<\/span> a
<\/span><\/span>            os.execute('rm -f '<\/span>..<\/span>path)
<\/span><\/span>        end<\/span>
<\/span><\/span>        JsConfuse =<\/span> false<\/span>
<\/span><\/span>    end<\/span>
<\/span><\/span>end<\/span>
<\/span><\/span><\/code><\/pre>3.4 防御多源代理请求<\/h3>
实现原理<\/h4>

使用fingerprintjs生成浏览器指纹<\/li>
将指纹信息存入Cookie<\/li>
验证请求的指纹一致性<\/li>
<\/ol>
关键代码<\/h4>

指纹生成：<\/li>
<\/ol>
function<\/span> finalCookie<\/span>(){
<\/span><\/span>    arr<\/span>.push<\/span>(get_info<\/span>())
<\/span><\/span>    let<\/span> fp<\/span> =<\/span> new<\/span> Fingerprint<\/span>();
<\/span><\/span>    arr<\/span>.push<\/span>(fp<\/span>.get<\/span>());
<\/span><\/span>    return<\/span> arr<\/span>
<\/span><\/span>}
<\/span><\/span>setCookie<\/span>('kQpFHdoh'<\/span>, aesEncrypt<\/span>(finalCookie<\/span>(), tt<\/span>));
<\/span><\/span><\/code><\/pre>
指纹验证：<\/li>
<\/ol>
function<\/span> toolsInfoSpider<\/span>()
<\/span><\/span>    -- ...<\/span>
<\/span><\/span>    local<\/span> srs =<\/span> split(result2, ','<\/span>)
<\/span><\/span>    local<\/span> _, e =<\/span> string.find(srs[1<\/span>], '0'<\/span>)
<\/span><\/span>    if<\/span> e ~=<\/span> nil<\/span> then<\/span>
<\/span><\/span>        log('4-tools 工具请求'<\/span>, result2)
<\/span><\/span>        say_html()
<\/span><\/span>    else<\/span>
<\/span><\/span>        log('0-tools 工具验证通过, 记录浏览器指纹'<\/span>, ''<\/span>, srs[2<\/span>])
<\/span><\/span>    end<\/span>
<\/span><\/span>    -- ...<\/span>
<\/span><\/span>end<\/span>
<\/span><\/span><\/code><\/pre>3.5 防止敏感信息泄漏<\/h3>
实现原理<\/h4>

在响应体过滤阶段处理<\/li>
使用正则匹配敏感信息<\/li>
替换为星号<\/li>
<\/ol>
关键代码<\/h4>
function<\/span> dateReplace<\/span>()
<\/span><\/span>    if<\/span> SensitiveProtect then<\/span>
<\/span><\/span>        local<\/span> replaceTelephone =<\/span> string.gsub(ngx.arg[1<\/span>], "[1][3,4,5,7,8]%d%d%d%d%d%d%d%d%d"<\/span>, "******"<\/span>)
<\/span><\/span>        ngx.arg[1<\/span>] =<\/span> replaceTelephone
<\/span><\/span>    end<\/span>
<\/span><\/span>end<\/span>
<\/span><\/span><\/code><\/pre>四、项目结构<\/h2>
.
├── 403.lua                 # 403页面
├── aes.lua                # AES加解密
├── b64.lua                # Base64转码
├── config.lua             # 配置文件
├── fileio.lua             # 文件IO相关
├── init.lua               # 处理请求的具体逻辑
├── log.lua                # 日志相关
├── log\/                   # 保存日志的路径
│   ├── error.log
│   └── localhost_2022-02-11_sec.log
├── nginx\/
│   └── nginx.conf         # 示例配置
├── zE48AHvK\/              # 下发cookie相关文件
│   ├── crypto-js.min.js
│   ├── index.html
│   ├── info.html
│   ├── info.js
│   ├── jump.js
│   └── webdriver.js
├── node\/                  # Babel混淆规则
│   └── js_confuse.js
├── randomStr.lua          # 产生随机字符串
├── req.lua                # 处理发来的请求
├── resty\/                 # OpenResty库文件
├── rsp_body.lua           # 处理返回包体内容
├── rsp_header.lua         # 处理返回包头内容
├── tableXstring.lua       # table与string转换
└── whiteList.lua          # 白名单相关
<\/code><\/pre>
五、总结<\/h2>
5.1 功能特点<\/h3>

业务层面防护，降低原始站点设计缺陷风险<\/li>
无需对已上线系统进行二次开发<\/li>
基于Nginx扩展性，灵活处理请求和响应<\/li>
<\/ol>
5.2 注意事项<\/h3>

JS安全是关键点，需要加强混淆强度<\/li>
存在Cookie可被重放使用的问题<\/li>
部分处理逻辑可能返回500状态码<\/li>
<\/ol>
5.3 后续规划<\/h3>

增强JS混淆能力和反逆向能力<\/li>
防御XSS、SQL、XXE等传统Web攻击<\/li>
加入图形化日志分析功能<\/li>
将日志接入Splunk、ELK等数据处理平台<\/li>
<\/ol>
OpenResty安全网关开发教学文档<\/h1>

二、环境搭建<\/h2>

三、功能实现<\/h2>

3.1 防御Shiro反序列化攻击<\/h3>

3.2 防御自动化工具请求<\/h3>

3.3 保护网站前端代码<\/h3>

3.4 防御多源代理请求<\/h3>

3.5 防止敏感信息泄漏<\/h3>

五、总结<\/h2>

5.3 后续规划<\/h3> 增强JS混淆能力和反逆向能力<\/li> 防御XSS、SQL、XXE等传统Web攻击<\/li> 加入图形化日志分析功能<\/li> 将日志接入Splunk、ELK等数据处理平台<\/li> <\/ol>

5.3 后续规划<\/h3>

增强JS混淆能力和反逆向能力<\/li>
防御XSS、SQL、XXE等传统Web攻击<\/li>
加入图形化日志分析功能<\/li>
将日志接入Splunk、ELK等数据处理平台<\/li> <\/ol>
