Zhaoli Big Data Tool Suite
Installing NginX and Naxsi on CentOS 7

Install the required packages

$ yum install -y epel-release
$ yum install -y gcc-c++ pcre pcre-devel zlib zlib-devel openssl openssl-devel libxml2 libxml2-devel jemalloc*

Note: jemalloc is a memory allocator tuned for performance; an nginx linked against jemalloc runs faster.

Related reading: https://my.oschina.net/manmao/blog/603881

Download and unpack the nginx and naxsi sources

$ cd /data
$ mkdir software
$ cd software
$ wget http://nginx.org/download/nginx-1.16.1.tar.gz
$ wget https://github.com/nbs-system/naxsi/archive/0.56.tar.gz
$ tar zxvf nginx-1.16.1.tar.gz
$ tar zxvf 0.56.tar.gz

NginX build configuration

$ cd nginx-1.16.1
$ ./configure \
--conf-path=/etc/nginx/nginx.conf \
--add-module=/data/software/naxsi-0.56/naxsi_src/ \
--http-log-path=/var/log/nginx/access.log \
--error-log-path=/var/log/nginx/error.log \
--http-client-body-temp-path=/var/lib/nginx/body \
--http-fastcgi-temp-path=/var/lib/nginx/fastcgi \
--http-proxy-temp-path=/var/lib/nginx/proxy \
--lock-path=/var/lock/nginx.lock \
--pid-path=/var/run/nginx.pid \
--user=nginx \
--group=nginx \
--with-file-aio \
--with-threads \
--with-http_ssl_module \
--with-ld-opt="-ljemalloc" \
--with-http_addition_module \
--with-http_v2_module \
--with-http_realip_module \
--with-http_stub_status_module \
--with-stream \
--with-stream_ssl_module \
--with-stream_ssl_preread_module \
--with-http_gunzip_module \
--with-http_gzip_static_module \
--without-mail_pop3_module \
--without-mail_smtp_module \
--without-mail_imap_module \
--without-http_uwsgi_module \
--without-http_scgi_module \
--sbin-path=/usr/sbin/nginx \
--prefix=/usr/share/nginx

Note: make sure the naxsi source directory passed to --add-module matches where the archive was unpacked (naxsi-0.56/naxsi_src under /data/software above). --with-stream is required for the stream SSL modules to be built at all.

Install

$ make && make install

Create the directories nginx needs

$ mkdir -p /var/lib/nginx/body
$ mkdir -p /var/lib/nginx/fastcgi
$ mkdir -p /var/lib/nginx/proxy

Create the nginx log directories

$ mkdir -p /data/logs/nginx/naxsi

Create the nginx group and user

$ groupadd nginx
$ useradd -g nginx -s /sbin/nologin -M nginx

Note: this is only needed on a freshly installed system.

Configure nginx.conf

$ cd /etc/nginx
$ vi nginx.conf

Reference nginx.conf

user  nginx;
worker_processes  2;
error_log  /data/logs/nginx/error.log;
#error_log  logs/error.log  notice;
#error_log  logs/error.log  info;
pid        /var/run/nginx.pid;
events {
    worker_connections  1024;
}
http {
    include       mime.types;
    default_type  application/octet-stream;
    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';
    #access_log  logs/access.log  main;
    sendfile        on;
    #tcp_nopush     on;
    server_tokens   off;
    #keepalive_timeout  0;
    keepalive_timeout  65;
    # enable if needed
    underscores_in_headers on;
    #gzip  on;
    # core rules used by Naxsi
    include naxsi_core.rules;
    include /etc/nginx/conf.d/*.conf;
    # add your own configuration directories as needed
    include /etc/nginx/conf.d/test/*.conf;
    include /etc/nginx/conf.d/ucbyun/*.conf;
}

Configure Naxsi

$ cd /etc/nginx
$ cp /data/software/naxsi-0.56/naxsi_config/naxsi_core.rules ./
$ vi naxsi.rules

Reference naxsi.rules

# Enable naxsi
SecRulesEnabled;
# Enable learning mode
# LearningMode;
# Define where blocked requests go
DeniedUrl "/RequestDenied";
# CheckRules, determining when naxsi needs to take action
CheckRule "$SQL >= 8" BLOCK;
CheckRule "$RFI >= 8" BLOCK;
CheckRule "$TRAVERSAL >= 4" BLOCK;
CheckRule "$EVADE >= 4" BLOCK;
CheckRule "$XSS >= 8" BLOCK;

Reference site conf

server {
    server_name  admin.ccp.mygear.pro;
    charset UTF-8;
    access_log  /data/logs/nginx/admin.ccp.access.log  main;
    # error_log  /data/logs/nginx/admin.ccp.error.log;
    location / {
        alias  /data/www/ccp/dist/;
        index  index.html index.htm;
        try_files $uri $uri/ /index.html;
        include /etc/nginx/naxsi.rules;
        # Naxsi logs goes there
        error_log /data/logs/nginx/naxsi/admin.ccp.error.log;
    }
    error_page   500 502 503 504  /50x.html;
    location = /50x.html {
        root   /usr/share/nginx/html;
    }
    location ~ ^/.well-known/ {
        root /data/www/ccp/dist/;
    }
    location ~ \.git {
        deny  all;
    }
    location ~ /\.git {
        deny  all;
    }
    # naxsi configuration
    location /RequestDenied {
        return 403;
    } 
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/admin.ccp.mygear.pro/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/admin.ccp.mygear.pro/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server {
    if ($host = admin.ccp.mygear.pro) {
        return 301 https://$host$request_uri;
    } # managed by Certbot
    listen       80;
    server_name  admin.ccp.mygear.pro;
    return 404; # managed by Certbot
}

Add nginx.service to systemd

$ vi /usr/lib/systemd/system/nginx.service

Reference nginx.service

[Unit]
Description=nginx - high performance web server
Documentation=http://nginx.org/en/docs/
After=network-online.target remote-fs.target nss-lookup.target
Wants=network-online.target
[Service]
Type=forking
PIDFile=/var/run/nginx.pid
ExecStart=/usr/sbin/nginx -c /etc/nginx/nginx.conf
ExecReload=/bin/kill -s HUP $MAINPID
ExecStop=/bin/kill -s TERM $MAINPID
[Install]
WantedBy=multi-user.target

Enable start at boot

$ systemctl enable nginx
$ systemctl start nginx

Check that jemalloc is in use

$ yum install -y lsof
# after nginx has started
$ lsof -n | grep jemalloc

Testing

Requesting the following URL in a browser should return 403:

http://admin.ccp.mygear.pro/?q=<>

and /data/logs/nginx/naxsi/xxx.log will contain a line like:

2019/02/07 01:02:08 [error] 8825#0: *167 NAXSI_FMT: ip=219.136.196.8&server=admin.ccp.mygear.pro&uri=/&learning=0&vers=0.55.3&total_processed=17&total_blocked=9&block=1&cscore0=$XSS&score0=8&zone0=ARGS&id0=1302&var_name0=q, client: 219.136.196.8, server: admin.ccp.mygear.pro, request: "GET /?q=%3C%3E HTTP/1.1", host: "admin.ccp.mygear.pro"
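Once the WAF is blocking, the NAXSI_FMT lines above are the data you tune from: which rule id fired, in which zone, on which variable, and how often. The script below is an added example (not part of the original guide or of naxsi's own tooling) that summarises those lines and turns the frequent ARGS/BODY/HEADERS hits into BasicRule whitelist candidates in the syntax documented in the naxsi wiki linked further down. The log lines it runs on are constructed: the rule ids, variable names and RFC 5737 addresses are made up for the example, and several matches on one line (id0, id1, ...) are handled.

```shell
#!/bin/sh
# Added example: summarise NAXSI_FMT log lines and propose whitelist candidates.

naxsi_summary() {
    # stdin: nginx error log; stdout: "<hits> <rule id> <zone> <variable>" per distinct
    # match, most frequent first. One NAXSI_FMT line can carry several matches.
    grep 'NAXSI_FMT:' | awk '
    {
        s = $0
        sub(/^.*NAXSI_FMT: /, "", s)      # drop the nginx prefix
        sub(/, client:.*$/, "", s)        # drop the trailing client/request fields
        split("", id); split("", zone); split("", vn)
        n = split(s, kv, "&")
        for (i = 1; i <= n; i++) {
            eq = index(kv[i], "=")
            if (eq == 0) continue
            k = substr(kv[i], 1, eq - 1)
            v = substr(kv[i], eq + 1)
            if (k ~ /^id[0-9]+$/)            id[substr(k, 3)] = v
            else if (k ~ /^zone[0-9]+$/)     zone[substr(k, 5)] = v
            else if (k ~ /^var_name[0-9]+$/) vn[substr(k, 9)] = v
        }
        for (j in id)
            hits[id[j] " " ((j in zone) ? zone[j] : "-") " " ((j in vn) ? vn[j] : "-")]++
    }
    END { for (key in hits) print hits[key], key }' | sort -k1,1nr -k2,2n
}

naxsi_whitelist_candidates() {
    # stdin: output of naxsi_summary; stdout: BasicRule lines for ARGS/BODY/HEADERS
    # variables, and a comment for zones that need a manual decision.
    awk '
    $3 == "ARGS"    { printf "BasicRule wl:%s \"mz:$ARGS_VAR:%s\";\n", $2, $4; next }
    $3 == "BODY"    { printf "BasicRule wl:%s \"mz:$BODY_VAR:%s\";\n", $2, $4; next }
    $3 == "HEADERS" { printf "BasicRule wl:%s \"mz:$HEADERS_VAR:%s\";\n", $2, $4; next }
    { printf "# review manually: id=%s zone=%s var=%s (%s hits)\n", $2, $3, $4, $1 }'
}

# Constructed sample log (not captured from a real host): three blocked requests,
# one of them with two matches, plus one unrelated nginx line that must be ignored.
NAXSI_SAMPLE_LOG='2019/02/07 01:02:08 [error] 8825#0: *167 NAXSI_FMT: ip=192.0.2.10&server=admin.ccp.mygear.pro&uri=/&learning=0&vers=0.56&total_processed=17&total_blocked=9&block=1&cscore0=$XSS&score0=8&zone0=ARGS&id0=1302&var_name0=q, client: 192.0.2.10, server: admin.ccp.mygear.pro, request: "GET /?q=%3C%3E HTTP/1.1", host: "admin.ccp.mygear.pro"
2019/02/07 01:05:41 [error] 8825#0: *170 NAXSI_FMT: ip=192.0.2.11&server=admin.ccp.mygear.pro&uri=/login&learning=0&vers=0.56&total_processed=20&total_blocked=10&block=1&cscore0=$SQL&score0=8&cscore1=$XSS&score1=8&zone0=BODY&id0=1001&var_name0=comment&zone1=ARGS&id1=1302&var_name1=q, client: 192.0.2.11, server: admin.ccp.mygear.pro, request: "POST /login?q=%3C%3E HTTP/1.1", host: "admin.ccp.mygear.pro"
2019/02/07 01:06:02 [error] 8825#0: *171 NAXSI_FMT: ip=192.0.2.12&server=admin.ccp.mygear.pro&uri=/&learning=0&vers=0.56&total_processed=21&total_blocked=11&block=1&cscore0=$XSS&score0=8&zone0=ARGS&id0=1302&var_name0=q, client: 192.0.2.12, server: admin.ccp.mygear.pro, request: "GET /?q=%3Cb%3E HTTP/1.1", host: "admin.ccp.mygear.pro"
2019/02/07 01:06:30 [notice] 8825#0: signal process started'

# Stand-alone run on the constructed sample.
printf '%s\n' "$NAXSI_SAMPLE_LOG" | naxsi_summary
printf '%s\n' "$NAXSI_SAMPLE_LOG" | naxsi_summary | naxsi_whitelist_candidates
```

On the host, `naxsi_summary < /data/logs/nginx/naxsi/admin.ccp.error.log` gives the ranking. The generated BasicRule lines are candidates only: check that the variable really carries legitimate traffic before adding a line to the site's location block, because each one switches that rule off for that variable.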

Notes

  1. Every directory must be correct: the pid directory, the lib directories, the log directories and so on.
  2. Naxsi only takes effect once the site conf contains the /RequestDenied location.
  3. Do not forget to include naxsi.rules in the site configuration.
  4. After starting nginx, check netstat and the logs to confirm it started correctly.

References

https://dalao.page/2018/05/16/nginx-with-naxsi-waf/

https://www.digitalocean.com/community/tutorials/how-to-secure-nginx-with-naxsi-on-ubuntu-16-04

https://www.jianshu.com/p/d9f89e7c18ae

https://medium.com/@icarobichir/install-and-configure-nginx-with-naxsi-9aaa66f20d4e

https://github.com/nbs-system/naxsi/wiki/naxsi-setup#example-configuration

https://www.jianshu.com/p/8492da04b3ba

Whitelist configuration references

IP-based whitelists

https://github.com/nbs-system/naxsi/wiki/runtime-modifiers

Rule-based whitelists

https://github.com/nbs-system/naxsi/wiki/whitelists-examples

https://github.com/nbs-system/naxsi/wiki/whitelists-bnf

https://blog.micblo.com/2015/07/19/NGINX%E7%9A%84WAF%E6%A8%A1%E5%9D%97-Naxsi-%E9%85%8D%E7%BD%AE%E7%99%BD%E5%90%8D%E5%8D%95-2/

https://bolerolily.github.io/2018/08/21/Naxsi-%E9%85%8D%E7%BD%AE%E7%99%BD%E5%90%8D%E5%8D%95/

https://blog.csdn.net/weixin_34128534/article/details/85068711
