Compiling and Installing nginx with ModSecurity
This article is included in the FreeBuf Original Incentive Program; reproduction without authorization is prohibited.
0x01 Preface
I recently ran AWVS and WPScan against my site, which turned up a pile of vulnerabilities, so I gave the server a major upgrade; this article came out of that.
0x02 Preparation
Because of what my application environment requires, I need to download the following source code:
lua-nginx-module: Lua module support
nginx-ct: enables Certificate Transparency
ModSecurity: the ModSecurity library itself
ModSecurity-nginx: connects ModSecurity to nginx
First create a temporary directory and download the related files:
Install dependencies
yum install -y libxml2 libxslt-devel gperftools pcre-devel libuuid-devel libxslt* libblkid-devel libudev-devel fuse-devel libedit-devel perl-ExtUtils-Embed at gcc-c++ python subversion gperf make rpm-build git curl bzip2-devel libcurl-devel gd gd-devel t1lib t1lib-devel libmcrypt libmcrypt-devel libtidy libtidy-devel GeoIP-devel libatomic_ops-devel zlib-devel unzip libstdc++* net-snmp net-snmp* gmp gmp-devel openldap openldap-devel libpcap-devel glib2-devel GeoIP-devel libxml2-devel redis vim wget git htop iftop libtool make automake mlocate pam-devel unzip gcc screen iptables-services bash-completion* pcre-devel libxslt* perl-ExtUtils-Embed at python subversion gperf make rpm-build git curl bzip2-devel libcurl-devel gd t1lib t1lib-devel libmcrypt libmcrypt-devel libtidy libtidy-devel GeoIP-devel zlib-devel unzip libstdc++* net-snmp net-snmp* gmp gmp-devel openldap openldap-devel net-tools luajit
Create the directory
[root@web-dev ~] mkdir /opt/nginx
Enter the directory
[root@web-dev ~] cd /opt/nginx/
Download headers-more-nginx-module
[root@web-dev nginx] git clone https://github.com/openresty/headers-more-nginx-module.git
Download lua-nginx-module
[root@web-dev nginx] git clone https://github.com/openresty/lua-nginx-module.git
Download nginx-ct
[root@web-dev nginx] git clone https://github.com/grahamedgecombe/nginx-ct.git
Download OpenSSL
[root@web-dev nginx] wget https://github.com/openssl/openssl/archive/OpenSSL_1_1_1c.tar.gz
Download ModSecurity
[root@web-dev nginx] git clone --depth 1 -b v3/master --single-branch https://github.com/SpiderLabs/ModSecurity
Download ModSecurity-nginx
[root@web-dev nginx] git clone --depth 1 https://github.com/SpiderLabs/ModSecurity-nginx.git
Download nginx
[root@web-dev nginx] wget https://nginx.org/download/nginx-1.18.0.tar.gz
Download the OWASP ModSecurity CRS
[root@web-dev nginx] git clone https://github.com/SpiderLabs/owasp-modsecurity-crs.git
Finally, unpack the compressed archives:
Unpack and delete the nginx archive
[root@web-dev nginx] tar -zxvf nginx-1.18.0.tar.gz && rm -f nginx-1.18.0.tar.gz
Unpack and delete the OpenSSL archive
[root@web-dev nginx] tar -zxvf OpenSSL_1_1_1c.tar.gz && rm -f OpenSSL_1_1_1c.tar.gz
In the end, the directory contains these folders:
[root@iztsvh228msdkjz nginx]# ll
total 32
drwxr-xr-x 6 root root 4096 Sep 26 14:09 headers-more-nginx-module
drwxr-xr-x 11 root root 4096 Sep 26 14:20 lua-nginx-module
drwxr-xr-x 13 root root 4096 Sep 26 14:45 ModSecurity
drwxr-xr-x 6 root root 4096 Sep 26 14:45 ModSecurity-nginx
drwxr-xr-x 8 wordpress wordpress 4096 Apr 21 22:09 nginx-1.18.0
drwxr-xr-x 3 root root 4096 Sep 26 14:22 nginx-ct
drwxrwxr-x 18 root root 4096 May 28 2019 openssl-OpenSSL_1_1_1c
drwxr-xr-x 8 root root 4096 Sep 26 14:53 owasp-modsecurity-crs
0x03 Compiling and Installing
0x03.1 Configure and install OpenSSL
Configure
cd openssl-OpenSSL_1_1_1c
./config --prefix=/usr
Build and install
make && make install
ldconfig
Check the installed version
openssl version
0x03.2 The ModSecurity library
Build the ModSecurity library first: enter the ModSecurity source directory and run the following commands.
Enter the directory
[root@modsecurity openssl-OpenSSL_1_1_1c] cd /opt/nginx/ModSecurity
Initialize the submodules
[root@modsecurity ModSecurity] git submodule init
Submodule 'bindings/python' (https://github.com/SpiderLabs/ModSecurity-Python-bindings.git) registered for path 'bindings/python'
Submodule 'others/libinjection' (https://github.com/client9/libinjection.git) registered for path 'others/libinjection'
Submodule 'test/test-cases/secrules-language-tests' (https://github.com/SpiderLabs/secrules-language-tests) registered for path 'test/test-cases/secrules-language-tests'
Update the submodules
[root@modsecurity ModSecurity] git submodule update
Cloning into 'bindings/python'...
remote: Counting objects: 38, done.
remote: Total 38 (delta 0), reused 0 (delta 0), pack-reused 38
Unpacking objects: 100% (38/38), done.
Submodule path 'bindings/python': checked out 'bc625d5bb0bac6a64bcce8dc9902208612399348'
Cloning into 'others/libinjection'...
remote: Counting objects: 9937, done.
remote: Total 9937 (delta 0), reused 0 (delta 0), pack-reused 9937
Receiving objects: 100% (9937/9937), 5.45 MiB | 1.24 MiB/s, done.
Resolving deltas: 100% (6083/6083), done.
Submodule path 'others/libinjection': checked out 'bf234eb2f385b969c4f803b35fda53cffdd93922'
Cloning into 'test/test-cases/secrules-language-tests'...
remote: Counting objects: 232, done.
remote: Total 232 (delta 0), reused 0 (delta 0), pack-reused 232
Receiving objects: 100% (232/232), 89.18 KiB | 85.00 KiB/s, done.
Resolving deltas: 100% (131/131), done.
Submodule path 'test/test-cases/secrules-language-tests': checked out 'e6b03e46046ce9ce6dcfc0e6ad0820194e21db35'
When that is done, there is an executable build.sh in the root of the source tree:
[root@eef51b ModSecurity] ll -h
total 172K
-rw-r--r-- 1 root root 202 Sep 23 18:53 AUTHORS
drwxr-xr-x 3 root root 20 Sep 23 18:53 bindings
drwxr-xr-x 2 root root 275 Sep 23 18:53 build
-rwxr-xr-x 1 root root 273 Sep 23 18:53 build.sh
-rw-r--r-- 1 root root 18K Sep 23 18:53 CHANGES
-rw-r--r-- 1 root root 17K Sep 23 18:53 configure.ac
drwxr-xr-x 2 root root 85 Sep 23 18:53 doc
drwxr-xr-x 7 root root 176 Sep 23 18:53 examples
drwxr-xr-x 3 root root 25 Sep 23 18:53 headers
-rw-r--r-- 1 root root 12K Sep 23 18:53 LICENSE
-rw-r--r-- 1 root root 18K Sep 23 18:53 Makefile.am
-rw-r--r-- 1 root root 10K Sep 23 18:53 modsecurity.conf-recommended
-rw-r--r-- 1 root root 377 Sep 23 18:53 modsecurity.pc.in
drwxr-xr-x 4 root root 78 Sep 23 18:53 others
-rw-r--r-- 1 root root 13K Sep 23 18:53 README.md
drwxr-xr-x 12 root root 4.0K Sep 23 18:53 src
drwxr-xr-x 9 root root 4.0K Sep 23 18:53 test
drwxr-xr-x 3 root root 44 Sep 23 18:53 tools
-rw-r--r-- 1 root root 52K Sep 23 18:53 unicode.mapping
Run build.sh:
[root@modsecurity ModSecurity] ./build.sh
libtoolize: putting auxiliary files in `.'.
libtoolize: copying file `./ltmain.sh'
libtoolize: putting macros in AC_CONFIG_MACRO_DIR, `build'.
libtoolize: copying file `build/libtool.m4'
libtoolize: copying file `build/ltoptions.m4'
libtoolize: copying file `build/ltsugar.m4'
libtoolize: copying file `build/ltversion.m4'
libtoolize: copying file `build/lt~obsolete.m4'
fatal: No names found, cannot describe anything.
fatal: No names found, cannot describe anything.
fatal: No names found, cannot describe anything.
fatal: No names found, cannot describe anything.
fatal: No names found, cannot describe anything.
fatal: No names found, cannot describe anything.
fatal: No names found, cannot describe anything.
fatal: No names found, cannot describe anything.
fatal: No names found, cannot describe anything.
fatal: No names found, cannot describe anything.
fatal: No names found, cannot describe anything.
fatal: No names found, cannot describe anything.
configure.ac:44: installing './ar-lib'
configure.ac:119: installing './config.guess'
configure.ac:119: installing './config.sub'
configure.ac:39: installing './install-sh'
configure.ac:39: installing './missing'
parallel-tests: installing './test-driver'
examples/multiprocess_c/Makefile.am: installing './depcomp'
configure.ac: installing './ylwrap'
fatal: No names found, cannot describe anything.
fatal: No names found, cannot describe anything.
During the build the following error is printed repeatedly (it comes from git describe, which finds no tags in the shallow --depth 1 clone); it can be ignored:
fatal: No names found, cannot describe anything.
Then configure, build and install:
The three-step configure, build and install
./configure && make && make install
With ModSecurity built and installed, the nginx configure arguments can be prepared:
--prefix=/usr/local/nginx/nginx --with-cc-opt=-O2 --with-ld-opt='-Wl,-rpath,/usr/local/nginx/luajit/lib -Wl,-E' --sbin-path=/usr/sbin/nginx --conf-path=/usr/local/nginx/nginx.conf --pid-path=/var/run/nginx.pid --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --lock-path=/var/lock/nginx.lock --with-http_gunzip_module --with-pcre --with-pcre-jit --with-http_perl_module --with-http_realip_module --with-http_secure_link_module --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --with-http_v2_module --with-http_addition_module --with-http_xslt_module --with-http_image_filter_module --with-http_geoip_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gzip_static_module --with-http_auth_request_module --with-http_random_index_module --with-select_module --with-poll_module --with-file-aio --with-http_degradation_module --with-libatomic --http-client-body-temp-path=/var/tmp/nginx/client_body --http-proxy-temp-path=/var/tmp/nginx/proxy --http-fastcgi-temp-path=/var/tmp/nginx/fastcgi --http-uwsgi-temp-path=/var/tmp/nginx/uwsgi --http-scgi-temp-path=/var/tmp/nginx/scgi --add-dynamic-module=/opt/nginx/ModSecurity-nginx --with-stream --with-stream_ssl_module --with-stream_ssl_preread_module --add-module=/opt/nginx/headers-more-nginx-module
0x03.3 Building and installing nginx
[root@iztsvh228msdkjz ModSecurity] cd /opt/nginx/nginx-1.18.0/
Configure
[root@web-dev nginx-1.13.10] ./configure --prefix=/usr/local/nginx/nginx --with-cc-opt=-O2 --with-ld-opt='-Wl,-rpath,/usr/local/nginx/luajit/lib -Wl,-E' --sbin-path=/usr/sbin/nginx --conf-path=/usr/local/nginx/nginx.conf --pid-path=/var/run/nginx.pid --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --lock-path=/var/lock/nginx.lock --with-http_gunzip_module --with-pcre --with-pcre-jit --with-http_perl_module --with-http_realip_module --with-http_secure_link_module --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --with-http_v2_module --with-http_addition_module --with-http_xslt_module --with-http_image_filter_module --with-http_geoip_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gzip_static_module --with-http_auth_request_module --with-http_random_index_module --with-select_module --with-poll_module --with-file-aio --with-http_degradation_module --with-libatomic --http-client-body-temp-path=/var/tmp/nginx/client_body --http-proxy-temp-path=/var/tmp/nginx/proxy --http-fastcgi-temp-path=/var/tmp/nginx/fastcgi --http-uwsgi-temp-path=/var/tmp/nginx/uwsgi --http-scgi-temp-path=/var/tmp/nginx/scgi --add-dynamic-module=/opt/nginx/ModSecurity-nginx --with-stream --with-stream_ssl_module --with-stream_ssl_preread_module --add-module=/opt/nginx/headers-more-nginx-module
Build
[root@web-dev nginx-1.13.10] make
Install
[root@web-dev nginx-1.13.10] make install
Create the client body temp directory named in the configure arguments
mkdir -p /var/tmp/nginx/client_body
Finally, check the nginx version and the compile arguments:
[root@localhost nginx-1.18.0]# nginx -V
nginx version: nginx/1.18.0
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-44) (GCC)
built with OpenSSL 1.1.1c 28 May 2019
TLS SNI support enabled
configure arguments: --prefix=/usr/local/nginx/nginx --with-cc-opt=-O2 --with-ld-opt='-Wl,-rpath,/usr/local/nginx/luajit/lib -Wl,-E' --sbin-path=/usr/sbin/nginx --conf-path=/usr/local/nginx/nginx.conf --pid-path=/var/run/nginx.pid --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --lock-path=/var/lock/nginx.lock --with-http_gunzip_module --with-pcre --with-pcre-jit --with-http_perl_module --with-http_realip_module --with-http_secure_link_module --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --with-http_v2_module --with-http_addition_module --with-http_xslt_module --with-http_image_filter_module --with-http_geoip_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gzip_static_module --with-http_auth_request_module --with-http_random_index_module --with-select_module --with-poll_module --with-file-aio --with-http_degradation_module --with-libatomic --http-client-body-temp-path=/var/tmp/nginx/client_body --http-proxy-temp-path=/var/tmp/nginx/proxy --http-fastcgi-temp-path=/var/tmp/nginx/fastcgi --http-uwsgi-temp-path=/var/tmp/nginx/uwsgi --http-scgi-temp-path=/var/tmp/nginx/scgi --add-dynamic-module=/opt/nginx/ModSecurity-nginx --with-stream --with-stream_ssl_module --with-stream_ssl_preread_module --add-module=/opt/nginx/headers-more-nginx-module
0x03.4 nginx and ModSecurity configuration
ModSecurity is very flexible: you can place the modsecurity directive (ModSecurityEnabled in the older v2 connector) in a server or location block to control whether ModSecurity is enabled there. The following modifies nginx's default nginx.conf. First add this line at the top of the file:
load_module /usr/local/nginx/nginx/modules/ngx_http_modsecurity_module.so;
This makes nginx load the dynamic module so that it recognises the ModSecurity directives below. Then put the following two lines in the location block:
modsecurity on;
modsecurity_rules_file /usr/local/nginx/modsecurity/modsec_includes.conf;
That completes the changes to the nginx configuration file.
0x03.5 Preparing the ModSecurity configuration files
[root@iztsvh228msdkjz nginx] mkdir /usr/local/nginx/modsecurity
cp /opt/nginx/ModSecurity/modsecurity.conf-recommended /usr/local/nginx/modsecurity/modsecurity.conf
cp /opt/nginx/owasp-modsecurity-crs/crs-setup.conf.example /usr/local/nginx/modsecurity/crs-setup.conf
cp -r /opt/nginx/owasp-modsecurity-crs/rules/ /usr/local/nginx/modsecurity/
cp /opt/nginx/ModSecurity/unicode.mapping /usr/local/nginx/modsecurity/unicode.mapping
Then, in the /usr/local/nginx/modsecurity directory, create a file named modsec_includes.conf containing the paths of the OWASP ModSecurity CRS configuration files and modsecurity.conf:
include /usr/local/nginx/modsecurity/modsecurity.conf
include /usr/local/nginx/modsecurity/crs-setup.conf
include /usr/local/nginx/modsecurity/rules/*.conf
The directory then contains these files:
[root@eef51b modsecurity] ll
total 108
-rw-r--r-- 1 root root 32931 Sep 24 19:31 crs-setup.conf
-rw-r--r-- 1 root root 156 Sep 24 19:23 modsec_includes.conf
-rw-r--r-- 1 root root 10199 Sep 24 19:30 modsecurity.conf
drwxr-xr-x 2 root root 4096 Sep 24 19:21 rules
-rw-r--r-- 1 root root 53146 Sep 24 19:32 unicode.mapping
0x03.6 Making ModSecurity block requests
Edit
vim /usr/local/nginx/modsecurity/modsecurity.conf
Change SecRuleEngine (the recommended file ships with DetectionOnly)
SecRuleEngine On
Open crs-setup.conf
vim /usr/local/nginx/modsecurity/crs-setup.conf
Comment out the following
SecDefaultAction "phase:1,log,auditlog,pass"
SecDefaultAction "phase:2,log,auditlog,pass"
Uncomment the following
SecDefaultAction "phase:1,log,auditlog,deny,status:403"
SecDefaultAction "phase:2,log,auditlog,deny,status:403"
ModSecurity audit log file (the SecAuditLog path set in modsecurity.conf)
vim /var/log/modsec_audit.log
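Once blocking is on, each matched rule is also written to nginx's error.log as a "ModSecurity: Access denied ..." or "ModSecurity: Warning ..." line. The following Python script is an added example, not part of the original article: it parses constructed sample lines in that format (shortened; real entries carry extra [tag ...] and [unique_id ...] fields) and summarizes which CRS rules fired and which clients were blocked, which is a quick way to confirm the deny action took effect. Paths, rule ids and client addresses in the sample are assumptions.

```python
import re
from collections import Counter

# Constructed sample lines in the shape the ModSecurity-nginx connector writes
# to nginx's error.log (field list shortened; real entries also carry [tag ...]
# and [unique_id ...] fields). Rule ids are OWASP CRS ids; clients are test addresses.
SAMPLE_ERROR_LOG = """\
2020/09/26 15:01:02 [error] 1234#1234: *7 [client 203.0.113.5] ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Ge' with parameter `5' against variable `TX:ANOMALY_SCORE' (Value: `5' ) [file "/usr/local/nginx/modsecurity/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "80"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "2"] [hostname "localhost"] [uri "/index.php"], client: 203.0.113.5, server: localhost, request: "GET /index.php?id=1 HTTP/1.1", host: "localhost"
2020/09/26 15:01:03 [error] 1234#1234: *8 [client 203.0.113.5] ModSecurity: Warning. Matched "Operator `Rx' with parameter `^[0-9.:]+$' against variable `REQUEST_HEADERS:Host' (Value: `198.51.100.7' ) [file "/usr/local/nginx/modsecurity/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "735"] [id "920350"] [msg "Host header is a numeric IP address"] [severity "4"] [hostname "localhost"] [uri "/"], client: 203.0.113.5, server: localhost, request: "GET / HTTP/1.1", host: "198.51.100.7"
2020/09/26 15:02:10 [error] 1234#1234: *9 [client 198.51.100.9] ModSecurity: Access denied with code 403 (phase 1). Matched "Operator `PmFromFile' with parameter `scanners-user-agents.data' against variable `REQUEST_HEADERS:User-Agent' (Value: `test-scanner' ) [file "/usr/local/nginx/modsecurity/rules/REQUEST-913-SCANNER-DETECTION.conf"] [line "33"] [id "913100"] [msg "Found User-Agent associated with security scanner"] [severity "2"] [hostname "localhost"] [uri "/wp-login.php"], client: 198.51.100.9, server: localhost, request: "GET /wp-login.php HTTP/1.1", host: "localhost"
2020/09/26 15:03:00 [notice] 1234#1234: signal process started
"""

EVENT_RE = re.compile(
    r"\[client (?P<client>[^\]]+)\] ModSecurity: "
    r"(?P<outcome>Access denied with code (?P<status>\d+)|Warning)"
)
FIELD_RE = re.compile(r'\[(?P<key>id|msg|severity|uri|file) "(?P<val>[^"]*)"\]')

def parse_modsec_events(log_text):
    """One dict per ModSecurity line; ordinary nginx error lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = EVENT_RE.search(line)
        if not m:
            continue
        fields = dict(FIELD_RE.findall(line))
        events.append({
            "client": m.group("client"),
            # "Access denied" only appears once SecRuleEngine On and a deny action are active
            "blocked": m.group("outcome").startswith("Access denied"),
            "status": int(m.group("status")) if m.group("status") else None,
            "rule_id": fields.get("id"),
            "msg": fields.get("msg"),
            "uri": fields.get("uri"),
        })
    return events

def summarize(events):
    """Counts worth a glance after enabling blocking: total hits, blocks, rules, clients."""
    return {
        "total": len(events),
        "blocked": sum(1 for e in events if e["blocked"]),
        "rules": Counter(e["rule_id"] for e in events),
        "blocked_clients": Counter(e["client"] for e in events if e["blocked"]),
    }

if __name__ == "__main__":
    print(summarize(parse_modsec_events(SAMPLE_ERROR_LOG)))
```

On a live server, feed it the contents of /var/log/nginx/error.log instead of the sample; a Warning-only summary after the crs-setup.conf change means the deny default action is not in effect yet.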
0x03.7 Modified nginx configuration file
load_module /usr/local/nginx/nginx/modules/ngx_http_modsecurity_module.so;
# abridged: the events { } block and the ssl_certificate/ssl_certificate_key
# directives that "listen 443 ssl" requires are not shown
http {
    server {
        listen 80;
        server_name localhost;
        rewrite ^(.*)$ https://$host$1 permanent;
        location / {
            # enable ModSecurity
            modsecurity on;
            modsecurity_rules_file /usr/local/nginx/modsecurity/modsec_includes.conf;
            root html;
            index index.html index.htm;
        }
        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
            root html;
        }
    }
    server {
        listen 443 ssl;
        server_name localhost;
        location / {
            modsecurity on;
            modsecurity_rules_file /usr/local/nginx/modsecurity/modsec_includes.conf;
            root /home/wwwroot/www.jiangjiyue.com;
            index index.html index.htm index.php;
        }
    }
}