用ModSecurity启动WAF的一次小试
字数 992 2025-08-18 11:39:19
ModSecurity与NGINX集成部署指南
1. 概述
本指南详细介绍了如何在CentOS 8系统上将ModSecurity Web应用防火墙(WAF)与NGINX集成部署的过程,包括OWASP核心规则集(CRS)的配置。ModSecurity是一个开源的、跨平台的Web应用防火墙引擎,可以保护Web应用免受各种攻击。
2. 系统准备
2.1 启用PowerTools存储库
dnf config-manager --set-enabled PowerTools
2.2 安装必要的开发工具
dnf -y install \
autoconf \
automake \
GeoIP-devel \
bison \
bison-devel \
curl \
curl-devel \
doxygen \
flex \
gcc \
gcc-c++ \
git \
libcurl-devel \
libxml2-devel \
lmdb-devel \
lua-devel \
openssl-devel \
ssdeep-devel \
yajl \
yajl-devel \
zlib-devel
3. 下载所需资源
创建工作目录并下载所有必要的资源:
mkdir owasp
cd owasp
wget https://nginx.org/download/nginx-1.17.8.tar.gz
wget https://github.com/SpiderLabs/ModSecurity/releases/download/v3.0.4/modsecurity-v3.0.4.tar.gz
wget https://github.com/SpiderLabs/owasp-modsecurity-crs/archive/v3.2.0.tar.gz -O CRS_v3.2.0.tar.gz
git clone --recursive https://github.com/maxmind/libmaxminddb
git clone https://github.com/SpiderLabs/ModSecurity
git clone https://github.com/SpiderLabs/ModSecurity-nginx
git clone https://github.com/leev/ngx_http_geoip2_module
4. 编译安装MaxMind库
cd libmaxminddb
./bootstrap
./configure
make
make check
make install
cd ..
5. 编译安装ModSecurity库
tar -xvf modsecurity-v3.0.4.tar.gz
cd modsecurity-v3.0.4
./configure --with-lmdb --with-maxmind=/usr/local
make
make install
cd ..
6. 编译安装ModSecurity模块
cd ModSecurity
sh build.sh
git submodule init
git submodule update
./configure --with-lmdb --with-maxmind=/usr/local
make
make install
cd ..
7. 编译安装NGINX
7.1 解压NGINX源码
tar -xvf nginx-1.17.8.tar.gz
cd nginx-1.17.8
7.2 配置编译选项
./configure \
--prefix=/usr/local/nginx \
--sbin-path=/usr/local/nginx/sbin/nginx \
--modules-path=/usr/local/nginx/modules \
--conf-path=/usr/local/nginx/etc/nginx.conf \
--error-log-path=/var/log/nginx/error.log \
--http-log-path=/var/log/nginx/access.log \
--pid-path=/var/run/nginx.pid \
--lock-path=/var/run/nginx.lock \
--http-client-body-temp-path=/var/cache/nginx/client_temp \
--http-proxy-temp-path=/var/cache/nginx/proxy_temp \
--http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp \
--http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp \
--http-scgi-temp-path=/var/cache/nginx/scgi_temp \
--user=nginx \
--group=nginx \
--with-file-aio \
--with-threads \
--with-http_addition_module \
--with-http_auth_request_module \
--with-http_dav_module \
--with-http_flv_module \
--with-http_gunzip_module \
--with-http_gzip_static_module \
--with-http_mp4_module \
--with-http_random_index_module \
--with-http_realip_module \
--with-http_secure_link_module \
--with-http_slice_module \
--with-http_ssl_module \
--with-http_stub_status_module \
--with-http_sub_module \
--with-mail \
--with-mail_ssl_module \
--with-stream \
--with-stream_ssl_module \
--with-compat \
--with-cc-opt='-g -O2 -fstack-protector-strong -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -DNGX_HTTP_HEADERS' \
--with-ld-opt='-Wl,-Bsymbolic-functions -Wl,-z,relro -Wl,-z,now -Wl,--as-needed' \
--add-dynamic-module=../ModSecurity-nginx \
--add-dynamic-module=../ngx_http_geoip2_module
7.3 编译并安装
make
make install
cd ..
7.4 创建NGINX用户和缓存目录
useradd -m -c 'nginx' nginx
mkdir -p /var/cache/nginx/client_temp
chown nginx:nginx /var/cache/nginx/client_temp
8. 配置ModSecurity
8.1 创建配置目录
mkdir -p /usr/local/nginx/etc/modsec
8.2 下载默认配置文件
wget https://raw.githubusercontent.com/SpiderLabs/ModSecurity/v3/master/modsecurity.conf-recommended \
-O /usr/local/nginx/etc/modsec/modsecurity.conf
cp -p /root/owasp/modsecurity-v3.0.4/unicode.mapping /usr/local/nginx/etc/modsec/unicode.mapping
8.3 启用规则引擎
sed -i 's/^SecRuleEngine.*/SecRuleEngine On/' /usr/local/nginx/etc/modsec/modsecurity.conf
8.4 创建主配置文件
cat <<- '@EOF' > /usr/local/nginx/etc/modsec/main.conf
Include "/usr/local/nginx/etc/modsec/modsecurity.conf"
# Basic test rule
SecRule ARGS:blogtest "@contains test" "id:1111,deny,status:403"
SecRule REQUEST_URI "@beginsWith /admin" "phase:2,t:lowercase,id:2222,deny,msg:'block admin'"
@EOF
9. 配置NGINX使用ModSecurity
编辑/usr/local/nginx/etc/nginx.conf文件:
worker_processes 1;
load_module modules/ngx_http_modsecurity_module.so;
load_module modules/ngx_http_geoip2_module.so;
load_module modules/ngx_stream_geoip2_module.so;
events {
worker_connections 1024;
}
http {
include mime.types;
default_type application/octet-stream;
sendfile on;
keepalive_timeout 65;
server {
listen 80;
server_name localhost;
modsecurity on;
modsecurity_rules_file /usr/local/nginx/etc/modsec/main.conf;
location / {
root html;
index index.html index.htm;
}
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root html;
}
}
}
10. 验证配置
/usr/local/nginx/sbin/nginx -t
11. 测试基本规则
测试/admin路径是否被拦截:
curl http://localhost/adminaccess
预期输出:
<html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center><hr><center>nginx/1.17.8</center></body></html>
检查错误日志:
cat /var/log/nginx/error.log
12. 配置OWASP核心规则集(CRS)
12.1 解压CRS
cd /usr/local/nginx/etc
tar -xvf ~/owasp/CRS_v3.2.0.tar.gz
ln -s owasp-modsecurity-crs-3.2.0 owasp-crs
cp -p /usr/local/nginx/etc/owasp-crs/crs-setup.conf.example /usr/local/nginx/etc/owasp-crs/crs-setup.conf
12.2 修改主配置文件
编辑/usr/local/nginx/etc/modsec/main.conf,添加以下内容:
Include "/usr/local/nginx/etc/owasp-crs/crs-setup.conf"
Include "/usr/local/nginx/etc/owasp-crs/rules/*.conf"
12.3 配置默认动作
编辑/usr/local/nginx/etc/owasp-crs/crs-setup.conf,确保包含以下行:
SecDefaultAction "phase:1,log,auditlog,deny,status:403"
SecDefaultAction "phase:2,log,auditlog,deny,status:403"
13. 测试CRS规则
测试普通请求:
curl http://localhost/trololo_singer.html
测试受保护文件请求:
curl http://localhost/.htaccess
检查错误日志确认拦截情况。
14. 启动NGINX
/usr/local/nginx/sbin/nginx
15. 总结
通过以上步骤,我们成功在CentOS 8系统上将ModSecurity WAF与NGINX集成,并配置了OWASP核心规则集。现在您的Web应用将受到以下保护:
- SQL注入攻击防护
- 跨站脚本(XSS)攻击防护
- 本地文件包含(LFI)攻击防护
- 远程文件包含(RFI)攻击防护
- PHP代码注入防护
- HTTP协议违规防护
- HTTP请求走私防护
- HTTP响应拆分防护
- 恶意机器人防护
- 扫描器防护
您可以根据需要调整规则集,或添加自定义规则以满足特定安全需求。