jxwaf in openresty

Feb 14, 2019 00:00 · 721 words · 2 minute read jxwaf openresty

0x00 安装

$ cd /tmp

$ git clone https://github.com/jx-sec/jxwaf.git

$ cd jxwaf

$ sh install_waf.sh

运行后显示如下信息即安装成功:

nginx: the configuration file /opt/jxwaf/nginx/conf/nginx.conf syntax is ok

nginx: configuration file /opt/jxwaf/nginx/conf/nginx.conf test is successful

远程规则:

访问 http://www.jxwaf.com 并注册账号,在 WAF规则管理->查看官方规则组 页面按照自身需求加载规则,之后在 WAF规则配置->WAF全局配置 页面获取 “WAF_API_KEY”

修改 /opt/jxwaf/nginx/conf/jxwaf/jxwaf_config.json 中的 "waf_api_key" 为你自己账号的 "WAF_API_KEY"(该值相当于账号凭据,建议限制这个配置文件的读取权限)

$ /opt/jxwaf/nginx/sbin/nginx 启动openresty,openresty会在启动或者reload的时候自动到jxwaf管理中心拉取用户配置的最新规则

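本地规则:

注意:下面两条 curl 命令通过明文 HTTP 请求规则,api_key 和返回的规则在传输过程中既没有加密也没有完整性校验;另外输出被直接重定向到配置文件,请求失败时文件会被空内容或错误页覆盖。下载后请先确认文件是合法的 JSON 规则,再启动或 reload。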

$ curl "http://update.jxwaf.com/waf/update_global_rule" -d 'api_key=3d96848e-bab2-40b7-8c0b-abac3b613585' > /opt/jxwaf/nginx/conf/jxwaf/jxwaf_local_config.json

$ curl "http://update.jxwaf.com/waf/update_rule" -d 'api_key=3d96848e-bab2-40b7-8c0b-abac3b613585' > /opt/jxwaf/nginx/conf/jxwaf/jxwaf_local_base_config.json

修改 /opt/jxwaf/nginx/conf/jxwaf/jxwaf_config.json 中的 "waf_local" 为 "true"

$ /opt/jxwaf/nginx/sbin/nginx 启动

$ /opt/jxwaf/nginx/sbin/nginx -s stop 停止

$ /opt/jxwaf/nginx/sbin/nginx -s reload 重启

$ /opt/jxwaf/nginx/sbin/nginx -t 检测

0x01 配置反代

vi /opt/jxwaf/nginx/conf/nginx.conf

# Process-level settings for the OpenResty instance that hosts jxwaf.
# The user directive is commented out, so worker processes run under nginx's
# built-in default account (nobody, per the nginx docs) when the master is
# started as root.
#user  nobody;
# One worker process per available CPU core.
worker_processes  auto;

# No error_log is set here, so the built-in default applies: logs/error.log
# under the install prefix, at level "error".
#error_log  logs/error.log;
#error_log  logs/error.log  notice;
#error_log  logs/error.log  info;

#pid        logs/nginx.pid;


events {
    # Upper bound on simultaneous connections per worker; this count includes
    # the connections nginx opens to the proxied backend.
    worker_connections  1024;
}


# HTTP context: loads the jxwaf Lua hooks and reverse-proxies port 80 to one
# backend through the upstream group defined below.
http {
    include       mime.types;
    default_type  application/octet-stream;

    #log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
    #                  '$status $body_bytes_sent "$http_referer" '
    #                  '"$http_user_agent" "$http_x_forwarded_for"';

    # Access logging is not configured explicitly; nginx's default access log applies.
    #access_log  logs/access.log  main;

    sendfile        on;
    #tcp_nopush     on;
    # DNS server used for run-time hostname lookups. 114.114.114.114 is a public
    # resolver queried over plain DNS, so its answers are unauthenticated.
    # NOTE(review): jxwaf presumably needs this to reach its rule server by
    # hostname; a resolver you operate yourself is the safer choice - confirm.
	resolver  114.114.114.114;
    #keepalive_timeout  0;
    keepalive_timeout  65;
# Two 100 MB shared-memory zones, visible to all worker processes.
# NOTE(review): the names suggest request-rate counters for the WAF; confirm
# against the jxwaf Lua code.
lua_shared_dict limit_req 100m;
lua_shared_dict limit_req_count 100m;
# jxwaf entry points, one Lua file per phase. init and init_worker run at
# startup; the other five are per-request phase handlers. They are declared at
# http level, so every server/location below inherits them unless it defines
# its own handler for the same phase. Traffic is only inspected through these
# hooks, so removing or overriding one takes that phase out of the WAF.
init_by_lua_file /opt/jxwaf/lualib/resty/jxwaf/init.lua;
init_worker_by_lua_file /opt/jxwaf/lualib/resty/jxwaf/init_worker.lua;
rewrite_by_lua_file /opt/jxwaf/lualib/resty/jxwaf/rewrite.lua;
access_by_lua_file /opt/jxwaf/lualib/resty/jxwaf/access.lua;
header_filter_by_lua_file /opt/jxwaf/lualib/resty/jxwaf/header_filter.lua;
body_filter_by_lua_file /opt/jxwaf/lualib/resty/jxwaf/body_filter.lua;
log_by_lua_file /opt/jxwaf/lualib/resty/jxwaf/log.lua;
    #gzip  on;
    # Backend pool. The group is named like a hostname; the proxy_pass below
    # refers to this group, not to a DNS lookup of www.jxwaf.com. The single
    # active member is a private (RFC 1918) address reached on the default
    # port 80 over plain HTTP.
	upstream www.jxwaf.com {
#	server 192.168.50.201;
	server 192.168.50.233;
}
# Keep compiled Lua code cached between requests (this is also the default).
# Turning it off reloads the Lua code on every request and is meant for
# development only.
lua_code_cache on;
    server {
        # Plain-HTTP listener only; the sample TLS server further down is still
        # commented out, so client-to-WAF traffic is unencrypted.
        listen       80;
        # This is the only server block, so it is also the default server and
        # answers requests for any Host header arriving on port 80.
        server_name  localhost;

        #charset koi8-r;

        #access_log  logs/host.access.log  main;

        location / {
            #root   html;
           # index  index.html index.htm;
           # Forward every request to the upstream group above. No
           # proxy_set_header is configured, so nginx's defaults apply: the
           # backend receives "Host: www.jxwaf.com" (the upstream name) and sees
           # the WAF host as the connecting peer. Add X-Real-IP /
           # X-Forwarded-For here if the backend needs the client address for
           # logging or access control.
           proxy_pass http://www.jxwaf.com;
        }

        #error_page  404              /404.html;

        # redirect server error pages to the static page /50x.html
        #
        error_page   500 502 503 504  /50x.html;
        location = /50x.html {
            # Served from the local html directory rather than proxied.
            root   html;
	 #proxy_pass http://www.jxwaf.com;
        }

        # proxy the PHP scripts to Apache listening on 127.0.0.1:80
        #
        #location ~ \.php$ {
        #    proxy_pass   http://127.0.0.1;
        #}

        # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
        #
        #location ~ \.php$ {
        #    root           html;
        #    fastcgi_pass   127.0.0.1:9000;
        #    fastcgi_index  index.php;
        #    fastcgi_param  SCRIPT_FILENAME  /scripts$fastcgi_script_name;
        #    include        fastcgi_params;
        #}

        # deny access to .htaccess files, if Apache's document root
        # concurs with nginx's one
        #
        #location ~ /\.ht {
        #    deny  all;
        #}
    }


    # another virtual host using mix of IP-, name-, and port-based configuration
    #
    #server {
    #    listen       8000;
    #    listen       somename:8080;
    #    server_name  somename  alias  another.alias;

    #    location / {
    #        root   html;
    #        index  index.html index.htm;
    #    }
    #}


    # HTTPS server
    #
    # Stock nginx TLS sample, left disabled. As written it serves static files
    # from html; to front the backend over TLS it would need its own proxy_pass.
    # It sets no ssl_protocols, so the build's default protocol list would apply.
    #server {
    #    listen       443 ssl;
    #    server_name  localhost;

    #    ssl_certificate      cert.pem;
    #    ssl_certificate_key  cert.key;

    #    ssl_session_cache    shared:SSL:1m;
    #    ssl_session_timeout  5m;

    #    ssl_ciphers  HIGH:!aNULL:!MD5;
    #    ssl_prefer_server_ciphers  on;

    #    location / {
    #        root   html;
    #        index  index.html index.htm;
    #    }
    #}

}

log

find / -name error.log

/opt/jxwaf/nginx/logs/error.log

还可以直接远程日志打到splunk,作者超细节