TIPS:服务器操作系统最小安装,已选环境的附加软件选择包括“开发工具”、“传统UNIX兼容性”、“安全性工具”、“系统工具”,避免一些
一、安装依赖
# Build-time dependencies: libraries headers needed by nginx and libmodsecurity
# (curl, GeoIP, zlib, pcre/pcre2, libxml2, openssl) ...
yum install -y curl curl-devel GeoIP-devel zlib-devel pcre-devel pcre2-devel libxml2-devel openssl-devel
# ... and the optional ModSecurity v3 backends (lua, yajl for JSON, lmdb) plus doxygen for its docs.
yum install -y lua-devel yajl-devel lmdb-devel doxygen
二、下载资源
1.下载nginx
- 2024/10/21最新稳定版为26.2:http://nginx.org/en/download.html
2.下载Modsecurity
- 途径一,国内中文网站下载稳定版本,地址:http://www.modsecurity.cn/
- 途径二,github上下载最新版本https://github.com/owasp-modsecurity/ModSecurity/releases/modsecurity-v3.0.x.tar.gz
3.下载ModSecurity-nginx模块
github上下载最新版本https://github.com/owasp-modsecurity/ModSecurity-nginx/releases/modsecurity-nginx-v1.0.x.tar.gz
4.下载OWASP规则
- 途径一,国内中文网站下载:http://www.modsecurity.cn/
- 途径二,github下载最新版本https://github.com/coreruleset/coreruleset/releases/coreruleset-4.x.0-minimal.tar.gz
三、安装Modsecurity
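# Build and install libmodsecurity (the ModSecurity v3 engine) from the release tarball.
# Check the archive against the checksum/signature published with the release before unpacking it.
tar zxf modsecurity-v3.0.x.tar.gz
cd modsecurity-v3.0.x
# build.sh regenerates the autotools files; configure then picks up the optional backends installed above.
sh build.sh
./configure
# Use every available core instead of a hard-coded -j4 (matches the nginx build step below).
make -j"$(nproc)"
make install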
四、安装ModSecurity-nginx模块
# The connector is not built on its own: it is only unpacked here and compiled into nginx via --add-module below.
tar -xzf modsecurity-nginx-v1.0.x.tar.gz
五、编译nginx增加ModSecurity-nginx模块
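# Unpack and build nginx with the ModSecurity-nginx connector compiled in statically.
# Replace 1.xy.x with the downloaded release; the archive is named nginx-<version>.tar.gz
# (the original line had commas instead of dots in the file name).
tar zxf nginx-1.xy.x.tar.gz
cd nginx-1.xy.x
# --user/--group only set the default for nginx's 'user' directive; the eastray account must
# exist on the host before nginx is started, otherwise the master process refuses to start.
# --with-cc-opt / --with-ld-opt carry the usual hardening flags (FORTIFY_SOURCE, stack protector,
# PIC/PIE, full RELRO); keep them when adapting the flag list.
# --add-module is relative to the nginx source dir; adjust it to the extracted connector version.
./configure --prefix=/app/nginx --user=eastray --group=eastray --with-compat --with-file-aio --with-threads --with-http_addition_module \
  --with-http_auth_request_module --with-http_dav_module --with-http_flv_module --with-http_gunzip_module --with-http_gzip_static_module \
  --with-http_mp4_module --with-http_random_index_module --with-http_realip_module --with-http_secure_link_module --with-http_slice_module \
  --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --with-http_v2_module --with-mail --with-mail_ssl_module \
  --with-stream --with-stream_realip_module --with-stream_ssl_module --with-stream_ssl_preread_module \
  --with-cc-opt='-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic -fPIC' \
  --with-ld-opt='-Wl,-z,relro -Wl,-z,now -pie' \
  --add-module=../modsecurity-nginx-v1.0.x
# $(proc) is not a command and would make this fail; nproc reports the CPU count.
make -j"$(nproc)"
make install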
六、配置加载规则
1.创建存放modsecurity配置的目录
# Directory tree for the engine config and the Core Rule Set. Note that nginx itself is installed
# with --prefix=/app/nginx; this path only has to agree with the modsecurity_rules_file directive
# and the Include lines written later, so keep the three in sync.
mkdir -p -v /usr/local/nginx/conf/modsecurity/crs
2.modsecurity配置
# Enter the ModSecurity source directory (assumes the cwd is the directory that holds the
# extracted sources; the previous step left the shell inside the nginx source tree).
cd modsecurity-v3.0.x
# Install the upstream recommended engine config and the unicode mapping it references.
cp -- modsecurity.conf-recommended /usr/local/nginx/conf/modsecurity/modsecurity.conf
cp -- unicode.mapping /usr/local/nginx/conf/modsecurity/unicode.mapping
3.owasp规则配置
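# Unpack the OWASP Core Rule Set into the crs directory created earlier.
tar zxf coreruleset-4.x.0-minimal.tar.gz -C /usr/local/nginx/conf/modsecurity/crs
cd /usr/local/nginx/conf/modsecurity/crs
cp crs-setup.conf.example crs-setup.conf
cd rules
# Activate the before/after exclusion files; site-specific false-positive exclusions go in these.
cp REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf
cp RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.example RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf
cd /usr/local/nginx/conf/modsecurity
# The recommended config was copied into this directory as modsecurity.conf; the
# *-recommended file only exists in the source tree, so the sed must target the copy.
# Switching SecRuleEngine to On makes the engine block matching requests; keep DetectionOnly
# until the exclusion files above have been tuned against real traffic if false positives matter.
sed -i '/SecRuleEngine/ s/DetectionOnly/On/g' modsecurity.conf
# Include paths must point at where the files were actually placed (this directory),
# not at the nginx --prefix (/app/nginx), or the engine fails to load the rules.
printf 'Include %s\n' \
  /usr/local/nginx/conf/modsecurity/crs/crs-setup.conf \
  '/usr/local/nginx/conf/modsecurity/crs/rules/*.conf' >> modsecurity.conf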
4.nginx配置启用modsecurity
# Add the following inside the http or server block (http block = applies to every site,
# server block = applies only to that site). The rules file path must match the directory
# the engine config was copied to above.
modsecurity on;
modsecurity_rules_file /usr/local/nginx/conf/modsecurity/modsecurity.conf;
5.启动或重载nginx配置
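# Validate the configuration (including the ModSecurity rules files) first, so a broken
# rule set is caught here rather than by a failed start or reload.
/app/nginx/sbin/nginx -t
# First start (skip if nginx is already running) ...
/app/nginx/sbin/nginx
# ... or reload a running instance so it picks up the modsecurity directives.
/app/nginx/sbin/nginx -s reload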
七、验证是否生效
浏览器访问如下非法地址,若规则已生效,请求应被拦截(CRS默认返回403),并可在modsecurity审计日志中看到对应记录:
http://服务器ip:端口/?foo=/etc/passwd&bar=/bin/sh
http://服务器ip:端口/?param=">