CentOS7.7下安装x-waf及配置策略

服务器操作系统：CentOS7.7 64位

1.官方GitHub

https://github.com/xsec-lab/x-waf

https://github.com/xsec-lab/x-waf-admin

2.编译安装openresty

1.yum -y install gcc gcc-c++ autoconf pcre pcre-devel make automake wget httpd-tools vim openssl-devel curl

wget https://openresty.org/download/openresty-1.15.8.1.tar.gz

tar -zxvf openresty-1.15.8.1.tar.gz

cd openresty-1.15.8.1

./configure

gmake && gmake install

直接像上述得方法安装，openresty默认就是安装在/usr/local/目录下

把openresty加入环境变量，以便可以只用调用openresty命令，实际上 /usr/local/openresty/bin/openresty 是指向 /usr/local/openresty/nginx/sbin/nginx 的一个链接，但我们把环境变量指向openresty，以便和系统已有的 nginx 相区别

将openresty导入到本地环境变量，下面是临时的

export PATH=/usr/local/openresty/bin:$PATH

可以永久性导入把变量写入到用户环境变量的配置文件里面

vi ~/.bash_profile

3.启动openresty

启动 ： openresty

停止： openresty -s stop

重启： openresty -s reload

检测配置： openresty -t

默认情况下如果没有针对openresty配置指定用户，openresty会使用默认的配置使用nobody用户进行启动

可以建立一个nginx用户，用来启动openresty

useradd -s /sbin/nologin -M nginx

4.下载x-waf并配置文件和规则包

切换到openresty目录下

cd /usr/local/openresty/nginx/conf/

下载x-waf文件

git clone https://github.com/xsec-lab/x-waf.git

下载下来是一个x-waf 的文件夹，里面的 nginx_conf/nginx.conf 文件是一个配置好了lua和x-waf规则目录的模板文件，可以拷贝到 /usr/local/openresty/nginx/conf/nginx.conf 直接覆盖原有openresty的配置文件

cp /usr/local/openresty/nginx/conf/x-waf/nginx_conf/nginx.conf /usr/local/openresty/nginx/conf/nginx.conf

作者的代码里面url白名单部分有个错误，需要修正一下，否则会因为找不到url白名单文件，而导致白名单失效

vim /usr/local/openresty/nginx/conf/x-waf/waf.lua

找到 writeurl.rule，替换为 whiteUrl.rule

建立虚拟主机配置文件目录

mkdir -p /usr/local/openresty/nginx/conf/vhosts

修改配置文件

vim /usr/local/openresty/nginx/conf/x-waf/config.lua

--[[

Copyright (c) 2016 xsec.io

Permission is hereby granted, free of charge, to any person obtaining a copy

of this software and associated documentation files (the "Software"), to deal

in the Software without restriction, including without limitation the rights

to use, copy, modify, merge, publish, distribute, sublicense, and/or sell

copies of the Software, and to permit persons to whom the Software is

furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in

all copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR

IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,

FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THEq

AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER

LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,

OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN

THE SOFTWARE.

]]

-- WAF config file, enable = "on", disable = "off"

local _M = {

    -- waf status

    config_waf_enable = "on",

    -- log dir

    config_log_dir = "/tmp/",

    -- rule setting

    config_rule_dir = "/usr/local/openresty/nginx/conf/x-waf/rules",

    -- enable/disable white url

    config_white_url_check = "on",

    -- enable/disable white ip

    config_white_ip_check = "on",

    -- enable/disable block ip

    config_black_ip_check = "on",

    -- enable/disable url filtering

    config_url_check = "on",

    -- enalbe/disable url args filtering

    config_url_args_check = "on",

    -- enable/disable user agent filtering

    config_user_agent_check = "on",

    -- enable/disable cookie deny filtering

    config_cookie_check = "on",

    -- enable/disable cc filtering

    config_cc_check = "on",

    -- cc rate the xxx of xxx seconds

    config_cc_rate = "10/60",

    -- enable/disable post filtering

    config_post_check = "on",

    -- config waf output redirect/html/jinghuashuiyue

    config_waf_model = "html",

    -- if config_waf_output ,setting url

    config_waf_redirect_url = "http://xsec.io",

    config_expire_time = 600,

    config_output_html = [[

    <html>

    <head>

    <meta charset="UTF-8">

    <title>MIDUN WAF</title>

    </head>

      <body>

        <div>

      <div class="table">

        <div>

          <div class="cell">

            您的IP为: %s

          </div>

          <div class="cell">

            欢迎在遵守白帽子道德准则的情况下进行安全测试。

          </div>

          <div class="cell">

            联系方式：http://xsec.io

          </div>

        </div>

      </div>

    </div>

      </body>

    </html>

    ]],

}

return _M

默认情况下功能都是开启的，不需要修改

5.管理后台安装，这里的管理后台是使用golang编写的，作者已经编译好的二进制文件，可以直接下载下来使用

wget https://github.com/xsec-lab/x-waf-admin/releases/download/x-waf-admin0.1/x-waf-admin0.1-linux-amd64.tar.gz

解压

tar -zxvf x-waf-admin0.1-linux-amd64.tar.gz

进行目录

cd x-waf-admin

编辑配置文件

vim conf/app.ini

最终改成如下信息

RUN_MODE = dev

;RUN_MODE = prod

[server]

HTTP_PORT = 5000

API_KEY = xsec.io||secdevops.cn

NGINX_BIN = /usr/local/openresty/nginx/sbin/nginx

NGINX_VHOSTS = /usr/local/openresty/nginx/conf/vhosts/

API_SERVERS = 127.0.0.1, 172.16.0.5

[database]

USER = root

PASSWD = m9shituSFL7duAVXfeAwGUSG

HOST = 127.0.0.1:3306

NAME = waf

[waf]

RULE_PATH = /usr/local/openresty/nginx/conf/x-waf/rules/

注意：这里需要自己建立数据库并把数据库服务启动起来，账户和密码配置好，同时要确认这里只需要把数据库名waf建立好就可以，然后直接使用默认账户和密码直接去登录即可，这里中途如果测试有问题，就关闭服务，然后重启，再登录即可

搭建数据库

yum install mariadb mariadb-server -y

systemctl start mariadb.service

默认使用root账户号登录，密码是空

更改数据库的root密码

update user set password=password("m9shituSFL7duAVXfeAwGUSG") where user="root";

创建数据库

create database waf;

数据库方面只要操作上面两部即可，然后直接启动服务，登录

启动x-waf的管理后台

nohup ./server >> x-waf.log 2>&1 &

查看运行的日志

tail -f x-waf.log

默认的账户和密码是 admin/x@xsec.io

登录后台效果

测试拦截效果：

推荐：https://www.cnblogs.com/lbnnbs/p/11332914.html

推荐：https://www.zhoucj.com/index.php/archives/83/

有疑问加站长微信联系（非本文作者）