openresty整合modsecurity

安装依赖包

安装依赖

yum -y install gcc-c++ flex bison yajl yajl-devel curl-devel curl GeoIP-devel doxygen zlib-devel libtool libxml2-devel libxslt-devel

安装依赖包

ftp://ftp.icm.edu.pl/vol/rzm7/linux-centos-vault/7.8.2003/sclo/x86_64/rh/Packages/d/devtoolset-9-libstdc++-devel-9.3.1-2.el7.x86_64.rpm
ftp://ftp.icm.edu.pl/vol/rzm7/linux-centos-vault/7.8.2003/sclo/x86_64/rh/Packages/d/devtoolset-9-gcc-c++-9.3.1-2.el7.x86_64.rpm
ftp://ftp.icm.edu.pl/vol/rzm7/linux-centos-vault/7.8.2003/sclo/x86_64/rh/Packages/d/devtoolset-9-gcc-9.3.1-2.el7.x86_64.rpm
ftp://ftp.icm.edu.pl/vol/rzm7/linux-centos-vault/7.8.2003/sclo/x86_64/rh/Packages/d/devtoolset-9-libquadmath-devel-9.3.1-2.el7.x86_64.rpm
ftp://ftp.icm.edu.pl/vol/rzm7/linux-centos-vault/7.8.2003/sclo/x86_64/rh/Packages/d/devtoolset-9-gcc-gfortran-9.3.1-2.el7.x86_64.rpm
ftp://ftp.icm.edu.pl/vol/rzm7/linux-centos-vault/7.9.2009/sclo/x86_64/rh/Packages/d/devtoolset-9-binutils-2.32-16.el7.x86_64.rpm
ftp://ftp.icm.edu.pl/vol/rzm7/linux-centos-vault/7.8.2003/sclo/x86_64/rh/Packages/d/devtoolset-9-runtime-9.1-0.el7.x86_64.rpm# 一个一个安装，下面是示例
yum localinstall -y devtoolset-9-*.rpmscl enable devtoolset-9 bash

下载modsecurity源码

git clone https://github.com/SpiderLabs/ModSecurity
cd ModSecurity
git checkout v3/master
git submodule init
git submodule update./build.sh
./configure
make
make install

安装ModSecurity-nginx Connector

git clone https://github.com/SpiderLabs/ModSecurity-nginx
cd /app/openresty/
# 和openresty一起编译或者用nginx编译后的二进制拷贝进去

./configure --prefix=/app/openresty --with-http_ssl_module
–with-http_ssl_module
–with-http_v2_module
–with-http_gzip_static_module
–with-http_sub_module
–with-http_realip_module
–with-http_stub_status_module
–with-http_auth_request_module
–with-luajit
–with-compat
–with-http_geoip_module
–with-stream
–with-stream_ssl_module
–with-mail
–with-mail_ssl_module
–with-threads
–with-file-aio
–with-http_dav_module
–with-http_xslt_module
–with-http_addition_module
–add-dynamic-module=/usr/MyWorkSpace/ModSecurity-nginx-master

gmake && gmake install

拷贝配置文件到nginx

配置文件在ModSecurity的源码目录中

cp modsecurity.conf-recommended /path/to/modsecurity.conf
cp unicode.mapping /path/to/
mkdir -p /app/openresty/nginx/logs/
mkdir -p /app/openresty/nginx/sec_temp
mkdir -p /app/openresty/nginx/sec_data# 修改modsecurity.conf的日志路径以方便查询问题SecRuleEngine on 
SecDebugLog /app/openresty/nginx/logs/modsec_debug.log
SecDebugLogLevel 9 # 生产环境调为1
SecAuditLog /app/openresty/nginx/logs/modsec_audit.log

修改SecTmpDir选项

指定自己的目录

SecTmpDir /app/openresty/nginx/sec_temp
SecDataDir /app/openresty/nginx/sec_data

参数配置

编辑 Nginx 配置文件（如 nginx.conf），加载并启用 ModSecurity 模块：

load_module modules/ngx_http_modsecurity_module.so;
#user  nobody;
worker_processes  4;#error_log  logs/error.log;
#error_log  logs/error.log  notice;
#error_log  logs/error.log  info;#pid        logs/nginx.pid;events {worker_connections  1024;
}http {include       mime.types;default_type  application/octet-stream;#log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '#                  '$status $body_bytes_sent "$http_referer" '#                  '"$http_user_agent" "$http_x_forwarded_for"';#access_log  logs/access.log  main;sendfile        on;#tcp_nopush     on;#keepalive_timeout  0;keepalive_timeout  65;gzip on;  # 启用 Gzip 压缩gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;gzip_vary on;  # 向响应头添加 `Vary: Accept-Encoding`，以确保代理缓存的正确性gzip_min_length 1024;  # 设置压缩的最小文件大小，较小的文件可能不压缩gzip_proxied any;  # 启用代理后端的压缩响应gzip_comp_level 5;  # 设置压缩级别，范围是1-9，数值越大压缩比越高，但CPU消耗也更大server {listen       8080;server_name  0.0.0.0;charset utf-8;# 在特定位置启用 ModSecuritymodsecurity on;modsecurity_rules_file /app/openresty/nginx/conf/modsecurity.conf;#access_log  logs/host.access.log  main;location / {proxy_pass http://127.0.0.1:9080;proxy_set_header Host $host:$server_port;proxy_set_header X-Real-IP $remote_addr;proxy_set_header X-Forwarded-Host $host;proxy_set_header X-Forwarded-Port $server_port;proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;proxy_set_header X-Forwarded-Proto $scheme;# 关键部分：重写后端服务器的重定向URLproxy_redirect default;}}}

下载 OWASP CRS

git clone https://github.com/coreruleset/coreruleset.git
mkdir -p /app/openresty/nginx/modsec/crs
cp -r coreruleset/* /app/openresty/nginx/modsec/crs
cd /app/openresty/nginx/modsec/crs
cp crs-setup.conf.example crs-setup.conf

编辑/app/openresty/nginx/conf/modsecurity.conf

Include /app/openresty/nginx/modsec/crs/crs-setup.conf
Include /app/openresty/nginx/modsec/crs/rules/*.conf

添加测试规则

编辑crs-setup.conf

SecRule ARGS:testparam "@contains test" "id:10001,phase:1,log,deny,status:403,msg:'Testing rule'"

当url参数包含testparam=test会返回403

启动openresty

/app/openresty/nginx/sbin/nginx -c /app/openresty/nginx/conf/nginx.conf/app/openresty/nginx/sbin/nginx -s reload