nginx deploy modsecurity

Jan 17, 2019 00:00 · 1007 words · 3 minute read modsecurity

0x01 Environment setup

CentOS 7 minimal

yum -y update

Disable SELinux and the firewall.

yum -y install gcc gcc-c++ httpd-devel apr apr-util-devel apr-devel pcre pcre-devel libxml2 libxml2-devel zlib zlib-devel openssl openssl-devel libtool git wget

1 Download tengine, nginx or openresty
wget  http://tengine.taobao.org/download/tengine-2.2.1.tar.gz
wget https://openresty.org/download/openresty-1.11.2.5.tar.gz

2 Download the ModSecurity-nginx connector module
git clone https://github.com/SpiderLabs/ModSecurity-nginx.git

3 Download ModSecurity (libmodsecurity v3)
git clone --depth 1 -b v3/master --single-branch https://github.com/SpiderLabs/ModSecurity

ModSecurity part
cd ModSecurity
git submodule init
git submodule update

./build.sh
The following error appears during build.sh and can be ignored:
fatal: No names found, cannot describe anything.
./configure
make && make install

nginx part
cd openresty-1.11.2.5/
./configure --prefix=/usr/local/nginx --sbin-path=/usr/sbin/nginx --conf-path=/usr/local/nginx/nginx.conf --pid-path=/var/run/nginx.pid --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --lock-path=/var/lock/nginx.lock --add-module=/root/ModSecurity-nginx/   ## --add-module links the connector statically; to disable it later you have to recompile (--add-dynamic-module builds a loadable module instead)
make && make install
nginx -V

0x02 Configuring the rules

cd /usr/local/nginx/
git clone https://github.com/SpiderLabs/owasp-modsecurity-crs
1 Copy modsecurity.conf into /usr/local/nginx/ (the ModSecurity source tree ships it as modsecurity.conf-recommended, next to the unicode.mapping file it refers to).

2 cd owasp-modsecurity-crs && cp crs-setup.conf.example crs-setup.conf

3 vi modsecurity.conf and change it as follows:
SecRuleEngine On
Include owasp-modsecurity-crs/crs-setup.conf
Include owasp-modsecurity-crs/rules/*.conf

SecRuleEngine decides whether the rule engine acts on the rules pulled in from the ModSecurity-CRS directory, so it is set according to need. The possible values:
SecRuleEngine On: activates the ModSecurity firewall on this server; it detects and blocks malicious attacks against the server.
SecRuleEngine DetectionOnly: every attack is still detected and logged as an error, but nothing is blocked on the server.
SecRuleEngine Off: deactivates the ModSecurity firewall on this server.

4 vi owasp-modsecurity-crs/crs-setup.conf
SecDefaultAction "phase:1,log,auditlog,pass"
SecDefaultAction "phase:2,log,auditlog,pass"

Uncomment id:900000 and set the paranoia level; level 4 is the strictest.
Uncomment id:900100, the anomaly score that each severity (critical, error, warning, notice) adds to a request.
Uncomment id:900110 and set the inbound (request) threshold, e.g. 30; leave the outbound (response) threshold at its default.
Note that with pass in SecDefaultAction the individual rules only log and add to the score; the request is blocked by the CRS blocking-evaluation rules once the accumulated score reaches the inbound threshold. The CRS default threshold of 5 blocks on the first critical (5-point) hit, whereas a threshold of 30 needs several hits before anything is blocked.

0x03 Configuring nginx

vi /usr/local/nginx/nginx.conf

worker_processes auto;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;

# Load dynamic modules. See /usr/share/nginx/README.dynamic.
#include /usr/share/nginx/modules/*.conf;

events {
    worker_connections 1024;
}

http {
    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';
    access_log  /var/log/nginx/access.log  main;
    sendfile            on;
    tcp_nopush          on;
    tcp_nodelay         on;
    keepalive_timeout   65;
    types_hash_max_size 2048;
    include             mime.types;
    default_type        application/octet-stream;

    # Load modular configuration files from the /etc/nginx/conf.d directory.
    # See http://nginx.org/en/docs/ngx_core_module.html#include
    # for more information.
    include /etc/nginx/conf.d/*.conf;
    # Load configuration files for the default server block.
    include /etc/nginx/default.d/*.conf;

    upstream web1 {
        server 192.168.0.156  weight=1;
        #server 192.168.0.17  weight=1;
        ip_hash;
    }

    server {
        modsecurity on;                                            # enable the module
        modsecurity_rules_file /usr/local/nginx/modsecurity.conf;  # entry point of the rule set
        listen 80;
        server_name www.ifish.com;
        access_log  /var/log/nginx/ifish.log;

        location / {
            root /home/web1_root;
            proxy_pass http://web1;
            proxy_read_timeout 300;
            proxy_connect_timeout 300;
            proxy_redirect     off;
            proxy_set_header   X-Forwarded-Proto $scheme;
            proxy_set_header   Host              $http_host;
            proxy_set_header   X-Real-IP         $remote_addr;
        }
    }
}

0x04 Bugs

bug1
nginx: [emerg] "modsecurity_rules_file" directive Rules error. File: /usr/local/nginx/owasp-modsecurity-crs/rules/REQUEST-910-IP-REPUTATION.conf. Line: 73. Column: 22. This version of ModSecurity was not compiled with GeoIP or MaxMind support.  in /usr/local/nginx/nginx.conf:37
nginx: configuration file /usr/local/nginx/nginx.conf test failed
vi /usr/local/nginx/owasp-modsecurity-crs/rules/REQUEST-910-IP-REPUTATION.conf
Delete the GeoIP rule reported at line 73. This build of libmodsecurity has no GeoIP/MaxMind support; rebuilding it with MaxMind support is the alternative that keeps the rule.

bug2
nginx: [emerg] "modsecurity_rules_file" directive Rules error. File: /usr/local/nginx/modsecurity.conf. Line: 237. Column: 17. Failed to locate the unicode map file from: unicode.mapping Looking at: 'unicode.mapping', 'un--add-dynamic-moduleicode.mapping', '/usr/local/nginx/unicode.mapping', '/usr/local/nginx/unicode.mapping'.  in /usr/local/nginx/nginx.conf:37
nginx: configuration file /usr/local/nginx/nginx.conf test failed 
vi /usr/local/nginx/modsecurity.conf
Search for "mapping" (/mapping in vi) and comment out the SecUnicodeMapFile line. Alternatively, copy unicode.mapping from the ModSecurity source tree next to modsecurity.conf so the directive resolves.
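Before running nginx -t, the layout set up in 0x02 can be checked for the things that produce bug2 and a missing crs-setup.conf. The following POSIX sh pre-flight is an added example, not part of the original post; it assumes the layout used on this page (modsecurity.conf, unicode.mapping and owasp-modsecurity-crs/ under the directory passed as its argument) and the function name modsec_preflight is made up.

```shell
#!/bin/sh
# Added example (not from the original post): pre-flight check for the layout used on
# this page, run before "nginx -t". Assumed layout under $1 (e.g. /usr/local/nginx):
#   $1/modsecurity.conf, $1/unicode.mapping (if SecUnicodeMapFile is active),
#   $1/owasp-modsecurity-crs/crs-setup.conf and $1/owasp-modsecurity-crs/rules/*.conf
# Prints one line per problem; returns 0 when every directive the connector will load
# resolves, 1 otherwise.
modsec_preflight() {
    dir="$1"
    conf="$dir/modsecurity.conf"
    rc=0
    if [ ! -f "$conf" ]; then
        echo "missing $conf (step 1: copy modsecurity.conf into $dir)"
        return 1
    fi
    # Step 3: SecRuleEngine must be On or DetectionOnly, otherwise nothing is inspected
    engine=$(sed -n 's/^[[:space:]]*SecRuleEngine[[:space:]]\{1,\}\([A-Za-z]*\).*/\1/p' "$conf" | tail -n 1)
    case "$engine" in
        On|DetectionOnly) ;;
        Off) echo "SecRuleEngine Off: requests are not inspected"; rc=1 ;;
        *)   echo "SecRuleEngine missing or unrecognised: '$engine'"; rc=1 ;;
    esac
    # bug2: an active SecUnicodeMapFile must name a file that exists; a bare file name
    # is resolved relative to the directory holding modsecurity.conf
    map=$(sed -n 's/^[[:space:]]*SecUnicodeMapFile[[:space:]]\{1,\}\([^[:space:]]*\).*/\1/p' "$conf" | tail -n 1)
    if [ -n "$map" ]; then
        case "$map" in /*) mapfile="$map" ;; *) mapfile="$dir/$map" ;; esac
        [ -f "$mapfile" ] || { echo "SecUnicodeMapFile $map not found at $mapfile"; rc=1; }
    fi
    # Steps 2-3: every Include must match at least one file (crs-setup.conf only exists
    # once crs-setup.conf.example has been copied; rules/*.conf must be present)
    for inc in $(sed -n 's/^[[:space:]]*Include[[:space:]]\{1,\}\([^[:space:]]*\).*/\1/p' "$conf"); do
        case "$inc" in /*) pat="$inc" ;; *) pat="$dir/$inc" ;; esac
        found=0
        for f in $pat; do if [ -f "$f" ]; then found=1; break; fi; done
        [ "$found" -eq 1 ] || { echo "Include $inc matches no file"; rc=1; }
    done
    return $rc
}
```

Run it as modsec_preflight /usr/local/nginx; an exit status of 1 together with the printed lines tells you which of the steps above is still missing.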

bug3
Starting nginx: nginx: [emerg] bind() to 0.0.0.0:80 failed (98: Address already in use)
nginx: [emerg] bind() to 0.0.0.0:80 failed (98: Address already in use) nginx: [emerg] bind() to 0.0.0.0:80 failed (98: Address already in use) 
nginx: [emerg] bind() to 0.0.0.0:80 failed (98: Address already in use) 
nginx: [emerg] bind() to 0.0.0.0:80 failed (98: Address already in use) 
nginx: [emerg] still could not bind()
An nginx process was already holding port 80, so kill that nginx process and start the service again.
lsof -i :80
kill -9 <PID>    # PID from the lsof output; nginx -s stop is the cleaner way to stop a running instance

0x05 Starting nginx

nginx -t    check the configuration for errors

nginx -c /usr/local/nginx/nginx.conf    start

nginx -s <signal>, where signal is one of: stop, quit, reopen, reload