Security foundation of nginx (nginx+waf+lua)

Thanks to the great people on the Internet for providing the documentation.

nginx waf +lua security module construction , web application firewall on nginx

Required software:

1. LuaJIT download website: http://luajit.org (current stable version: 2.0.4 )
2, ngx_devel_kit-0.2.19.tar
3, lua-nginx-module-0.9.5rc2.tar
4, master.zip
5, nginx
optimize nginx package
1, libunwind
2, gperftools

1. Install LuaJIT

tar -zxvf LuaJIT.tar.gz

make

make install

After installation, lib, include Place directly in /usr/local/lib and /usr/local/include

2. Unzip ngx_devel_kit, lua-nginx-module

3. Set environment variables

export LUAJIT_LIB=/usr /local/lib
export LUAJIT_INC=/usr/local/include/luajit-2.0
export LD_LIBRARY_PATH=/usr/local/lib/:$LD_LIBRARY_PATH

4. Install nginx (version 1.6.1 , failed in 1.9.4)

4.1 optimized nginx

vim /usr/local/src/nginx-1.6.1/auto/cc/gcc

Comments: #debug
#CFLAGS ="$CFLAGS -g"

Explanation: Turn off the nginx debug module and reduce the size of the nginx installation package

4.2 Optimize nginx

Explanation: Optimize nginx performance, improve memory allocationefficiency and speed a lot, Reduce load. Need to install libunwind and gperftools

4.2.1 Install libunwind

tar -xf /usr/local/src/libunwind.tar.gz

cd /usr/local/src/libunwind
CFLA GS =-fPIC ./configure
make CFLAGS=-fPIC
make CFLAGS=-fPIC install

4.2.2 Install gperftools

tar -xf /usr/local/src/gperftools.tar.gz
cd / usr/local/src/gperftools
make && make install

mkdir /tmp/tcmalloc //Create a tcmalloc thread to write the file
777 echo "/usr/local /lib" >/etc/ld.so.conf.d/usr_local_lib.conf #Enable the configuration of google_perftools_profiles in nginx.conf to take effect

4.2.3 Install nginx

cd /usr/local/src/ nginx-1.6.1/

For example: Production environment: Note that the paths of ngx_devel_kit-0.2.19 and lua-nginx-module-0.9.5rc2 must be correct--prefix=/usr/local/nginx --user=nginx --group=nginx --with-http_stub_status_module --with-http_ssl_module --with-file-aio --with-http_realip_module --add-module=/usr/local/nginx_upstream_check_module-master --with-http_stub_status_module --add- module=/usr/local/src/ngx_devel_kit-0.2.19 --add-module=/usr/local/src/lua-nginx-module-0.9.5rc2 --with-google_perftools_module

make && make install

4.2.4 adds ngx_lua_waf_master

unzip -o /usr /local/src/ngx_lua_waf_master.zip mv /usr/local/src/ngx_lua_waf_master /usr/local/nginx/conf/waf

#Create a folder to store waf logs, which requires write permission mkidr /home /nignx_waf_log/

chmod 777 /home/nginx_waf_log/

vim /usr/local/src/nginx/conf/waf/conf.lua

RulePath = "/ usr/local/nginx-help /conf/waf/wafconf/" #Specify the waf rule storage folder logdir = "/home/nginx_waf_log" #Specify the waf log storage location
vim /usr/local/nginx/conf/nginx.conf #Add under pid, support gperftools library

google_perftools_profiles /tmp/tcmalloc/tcmalloc.;

#Add under http lua_package_path "/usr/local/nginx/conf/waf/?.lua";
dict lua_shared_ limit 10m;
init_by_lua_file /usr/local/nginx/conf/waf/init.lua;
access_by_lua_file /usr/local/nginx/conf/waf/waf.lua;



Then start nginx

and add the website sub-connection url? id=../etc/passwd; Check whether the firewall blocking page will appear
lsof -n | greo tcmalloc Check whether gperftools is running normally

In official use, use the one provided on www.wooyun.org waf module, the rules can be modified according to your needs

The above introduces the security foundation of nginx (nginx+waf+lua), including the relevant content. I hope it will be helpful to friends who are interested in PHP tutorials.