基于Nginx的敏感信息泄露检测系统构建指南<\/h1>

一、系统概述<\/h2>
本系统利用OpenResty（集成了Nginx和Lua模块）构建一个实时检测和记录Web应用中敏感信息泄露的解决方案，特别针对数据库错误信息等敏感数据泄露场景。<\/p>

二、环境准备<\/h2>

1. 基础环境<\/h3>

操作系统<\/strong>: CentOS 7 Minimal<\/li>

核心组件<\/strong>:

OpenResty (Nginx + Lua模块)<\/li>
Splunk Free版 (用于日志收集和分析)<\/li> <\/ul> <\/li> <\/ul>
2. 软件安装<\/h3>

Splunk下载<\/strong>:
https:\/\/download.splunk.com\/products\/splunk\/releases\/7.1.2\/linux\/splunk-7.1.2-a0c72a66db66-linux-2.6-x86_64.rpm <\/code><\/pre> <\/li> <\/ul> 三、系统架构与原理<\/h2> 1. Nginx Lua模块执行阶段<\/h3> 系统主要利用两个关键阶段：<\/p> body_filter阶段<\/strong>: 处理服务器响应体，检测敏感信息<\/li> log阶段<\/strong>: 记录检测到的敏感信息并发送到Splunk<\/li> <\/ul> 2. 数据处理流程<\/h3> body_filter阶段匹配响应体中的敏感内容<\/li> 通过ngx.ctx跨阶段传递日志到log阶段<\/li> log阶段向Splunk发送结构化日志<\/li> Splunk进行统计、告警和分析<\/li> <\/ol> 四、核心代码实现<\/h2> 1. body_filter阶段 (body_filter.lua)<\/h3> local<\/span> resp_body =<\/span> ngx.arg[1<\/span>] -- 获取响应体<\/span> <\/span><\/span>local<\/span> eof =<\/span> ngx.arg[2<\/span>] <\/span><\/span>local<\/span> ctx_log =<\/span> {} -- 日志table<\/span> <\/span><\/span>local<\/span> regex =<\/span> [[You have an error in your SQL syntax]]<\/span> -- 匹配的敏感内容正则<\/span> <\/span><\/span> <\/span><\/span>-- 对响应体做正则匹配<\/span> <\/span><\/span>local<\/span> m =<\/span> ngx.re.match(resp_body, regex, 'jio'<\/span>) <\/span><\/span> <\/span><\/span>if<\/span> m then<\/span> -- 如果匹配到敏感信息<\/span> <\/span><\/span> ctx_log.rule_match =<\/span> m[0<\/span>] -- 将匹配内容写入日志<\/span> <\/span><\/span> ctx_log.Request_line =<\/span> ngx.var.request -- 记录请求URL(含GET参数)<\/span> <\/span><\/span> ctx_log.Request_headers =<\/span> ngx.req.get_headers() -- 记录请求头部<\/span> <\/span><\/span> ngx.ctx.log =<\/span> ctx_log -- 日志赋值给跨阶段的ngx.ctx.log<\/span> <\/span><\/span>end<\/span> <\/span><\/span><\/code><\/pre>2. log阶段 (log.lua)<\/h3> local<\/span> logger =<\/span> require "socket"<\/span> -- 加载logger socket库<\/span> <\/span><\/span>local<\/span> cjson =<\/span> require "cjson.safe"<\/span> -- 加载cjson库<\/span> <\/span><\/span> <\/span><\/span>-- 初始化logger<\/span> <\/span><\/span>if<\/span> not<\/span> logger.initted() then<\/span> <\/span><\/span> local<\/span> ok,err =<\/span> logger.init{ <\/span><\/span> host =<\/span> "127.0.0.1"<\/span>, -- splunk IP<\/span> <\/span><\/span> port =<\/span> 8888<\/span>, -- splunk端口<\/span> <\/span><\/span> sock_type =<\/span> "tcp"<\/span>, -- 日志socket类型<\/span> <\/span><\/span> flush_limit =<\/span> 1<\/span>, -- 刷新限制<\/span> <\/span><\/span> } <\/span><\/span> <\/span><\/span> if<\/span> not<\/span> ok then<\/span> -- 初始化失败处理<\/span> <\/span><\/span> ngx.log(ngx.ERR,"failed to initialize the logger: "<\/span>,err) <\/span><\/span> return<\/span> <\/span><\/span> end<\/span> <\/span><\/span>end<\/span> <\/span><\/span> <\/span><\/span>-- 接收跨阶段传过来的日志信息<\/span> <\/span><\/span>local<\/span> log =<\/span> ngx.ctx.log <\/span><\/span> <\/span><\/span>-- 判断日志不为空则记录<\/span> <\/span><\/span>if<\/span> type(log) ==<\/span> "table"<\/span> then<\/span> <\/span><\/span> local<\/span> bytes, err =<\/span> logger.log(cjson.encode(log) ..<\/span> "<\/span>\r\n<\/span>"<\/span>) <\/span><\/span> if<\/span> err then<\/span> <\/span><\/span> ngx.log(ngx.ERR, "failed to log message: "<\/span>, err) <\/span><\/span> end<\/span> <\/span><\/span>end<\/span> <\/span><\/span><\/code><\/pre>3. Nginx配置文件 (test.conf)<\/h3> lua_package_path '\/data\/code\/?.lua;;'; body_filter_by_lua_file \/data\/code\/body_filter.lua; log_by_lua_file \/data\/code\/log.lua; lua_code_cache on; <\/code><\/pre> 五、Splunk配置<\/h2> 1. 关键配置修改<\/h3> 编辑\/opt\/splunk\/etc\/system\/local\/props.conf<\/code>，添加以下内容：<\/p> [_json] # 指定sourcetype SHOULD_LINEMERGE = false # 禁止Splunk自动合并多行JSON日志 <\/code><\/pre> 六、系统部署<\/h2> 将所有代码文件放置在\/data\/code<\/code>目录下<\/li> 在Nginx的http配置块中include test.conf<\/li> 启动Splunk服务并确保监听指定端口(8888)<\/li> <\/ol> 七、测试与验证<\/h2> 1. 测试架构<\/h3> Nginx(反向代理) → httpd + php(DVWA)<\/li> <\/ul> 2. 测试方法<\/h3> 在DVWA的SQL注入部分输入单引号触发MySQL错误<\/li> 检查Splunk中是否记录以下信息：客户端请求头部(Request_headers)<\/li> 请求URL(Request_line)<\/li> 服务器响应体匹配数据(rule_match)<\/li> <\/ul> <\/li> <\/ol> 八、扩展与优化<\/h2> POST请求处理<\/strong>: 需要在access阶段额外处理POST请求体<\/li> 正则表达式优化<\/strong>: 可根据实际需求扩展敏感信息匹配规则<\/li> 性能调优<\/strong>: 根据流量调整lua_code_cache和flush_limit参数<\/li> <\/ol> 九、参考资源<\/h2> OpenResty官方文档<\/li> OpenResty最佳实践: https:\/\/moonbingbing.gitbooks.io\/openresty-best-practices\/lua\/main.html<\/a><\/li> <\/ol> 注：本文实现方案适用于检测数据库错误信息泄露，可根据实际需求扩展其他敏感信息检测规则。<\/em><\/p>

基于Nginx的敏感信息泄露检测系统构建指南<\/h1>

一、系统概述<\/h2> 本系统利用OpenResty（集成了Nginx和Lua模块）构建一个实时检测和记录Web应用中敏感信息泄露的解决方案，特别针对数据库错误信息等敏感数据泄露场景。<\/p>

二、环境准备<\/h2>

三、系统架构与原理<\/h2>

四、核心代码实现<\/h2>

五、Splunk配置<\/h2>

七、测试与验证<\/h2>

一、系统概述<\/h2>
本系统利用OpenResty（集成了Nginx和Lua模块）构建一个实时检测和记录Web应用中敏感信息泄露的解决方案，特别针对数据库错误信息等敏感数据泄露场景。<\/p>