This document describes each directive in the OpenWAF nginx configuration file /etc/ngx_openwaf.conf,
and how access rules (access_rule) relate to the nginx configuration.
http {
    include /opt/OpenWAF/conf/twaf_main.conf;   # loads policy configuration, rules and feature modules
    include /opt/OpenWAF/conf/twaf_api.conf;    # API: dynamically configure access rules, rules and policies, view statistics, etc.

    upstream test {
        server 0.0.0.1;   # just an invalid address as a place holder
        balancer_by_lua_file /opt/OpenWAF/app/twaf_balancer.lua;
    }

    server {
        listen 443 ssl;
        server_name _;
        ssl_certificate /opt/OpenWAF/conf/ssl/nginx.crt;
        ssl_certificate_key /opt/OpenWAF/conf/ssl/nginx.key;
        ssl_protocols TLSv1.1 TLSv1.2;
        include /opt/OpenWAF/conf/twaf_server.conf;
        ssl_certificate_by_lua_file /opt/OpenWAF/app/twaf_ssl_cert.lua;
        set $twaf_https 1;
        location / {
            proxy_pass $twaf_upstream_server;
        }
    }

    server {
        listen 80;
        server_name _;
        include /opt/OpenWAF/conf/twaf_server.conf;
        location / {
            proxy_pass $twaf_upstream_server;
        }
    }
}
# twaf_main.conf file
# allocate shared memory zones
lua_shared_dict twaf_shm 50m;
lua_shared_dict twaf_limit_conn 5m;
lua_shared_dict twaf_reqstat 1m;
lua_package_path "/opt/OpenWAF/?.lua;;";             # OpenWAF installation path
init_by_lua_file /opt/OpenWAF/app/twaf_init.lua;   # loads policy configuration, signature rules and feature modules

To add a new shared memory zone, add it in twaf_main.conf, e.g.: lua_shared_dict twaf_test 1m;
-- twaf_init.lua file
require "resty.core"

-- load static configuration
local twaf_config_m = require "lib.twaf.twaf_conf"
local twaf_config = twaf_config_m:new()
twaf_config:load_default_config("/opt/OpenWAF/conf/twaf_default_conf.json")   -- load the default policy
twaf_config:load_access_rule("/opt/OpenWAF/conf/twaf_access_rule.json")       -- load the access rules
twaf_config:load_policy_config("/opt/OpenWAF/conf", {twaf_policy_conf = 1})  -- load policies; to add policies, load them here
twaf_config:load_rules()                                                      -- load the rules

-- GeoIP; to extend to city-level GeoIP, extend here
twaf_config:load_geoip_country_ipv4("/opt/OpenWAF/lib/twaf/inc/knowledge_db/geo_country/GeoIP.dat")    -- load country-level GeoIPv4
twaf_config:load_geoip_country_ipv6("/opt/OpenWAF/lib/twaf/inc/knowledge_db/geo_country/GeoIPv6.dat")  -- load country-level GeoIPv6

-- load the statistics module shipped with OpenWAF
local twaf_reqstat_m = require "lib.twaf.twaf_reqstat"
twaf_reqstat = twaf_reqstat_m:new(twaf_config.twaf_default_conf.twaf_reqstat, twaf_config.twaf_policy.policy_uuids)

local twaf_lib = require "lib.twaf.twaf_core"
twaf = twaf_lib:new(twaf_config)

-- load the feature modules
local default_init_register = twaf:get_default_config_param("init_register")
twaf:register_modules(default_init_register)
To add a new policy, load it in twaf_init.lua:
1. Add the policies policy1.json and policy2.json located under /opt/OpenWAF/conf:
    twaf_config:load_policy_config("/opt/OpenWAF/conf", {policy1 = 1, policy2 = 1})
2. Add the policy /etc/a/policy1.json and the policy /etc/b/policy2.json:
    twaf_config:load_policy_config("/etc/a", {policy1 = 1})
    twaf_config:load_policy_config("/etc/b", {policy2 = 1})
server {
    listen 127.0.0.1:61111;   # listening address
    server_name nosuchdomain;
    access_log off;
    location / {
        stub_status on;
        allow 127.0.0.0/8;
        deny all;
    }
    location /api {
        content_by_lua_file /opt/OpenWAF/app/twaf_api.lua;   # API: dynamically configure access rules, rules and policies, view statistics, etc.
        allow 127.0.0.0/8;
        deny all;
    }
}
For example, to view the global statistics: 'curl http://127.0.0.1:61111/api/stat'
For more information, see the twaf_api module.
# twaf_server.conf
rewrite_by_lua_file /opt/OpenWAF/app/twaf_rewrite.lua;             # rewrite phase: the access-rule module runs here
access_by_lua_file /opt/OpenWAF/app/twaf_access.lua;               # request-header and request-body phase; the main security protection runs in the access phase
header_filter_by_lua_file /opt/OpenWAF/app/twaf_header_filter.lua; # response-header phase
body_filter_by_lua_file /opt/OpenWAF/app/twaf_body_filter.lua;     # response-body phase
log_by_lua_file /opt/OpenWAF/app/twaf_log.lua;                     # log phase: the logging and statistics modules run here
set $twaf_upstream_server "";
set $twaf_attack_info "";
set $twaf_cache_flag 1;
twaf_access_rule is involved in three phases: ssl_certificate_by_lua, rewrite_by_lua and balancer_by_lua.
{
    "twaf_access_rule": {
        "rules": [                               -- note: the order of the rules matters
            {
                "ngx_ssl": false,                -- switch for the nginx-side SSL certificate
                "ngx_ssl_cert": "path",          -- path to the PEM certificate nginx presents
                "ngx_ssl_key": "path",           -- path to the PEM private key nginx uses
                "host": "www.baidu.com",         -- domain name, regex match
                "path": "/",                     -- path, regex match
                "port": 80,                      -- port, default 80
                "server_ssl": false,             -- SSL switch for the backend server
                "forward": "server_5",           -- upstream name of the backend server
                "forward_addr": "1.1.1.2",       -- IP address of the backend server
                "forward_port": "8080",          -- port of the backend server (default 80)
                "uuid": "access_567b067ff2060",  -- uuid identifying this rule; used by the API and must be globally unique
                "policy": "policy_uuid"          -- security policy ID
            }
        ]
    }
}
The ssl_certificate_by_lua phase handles the SSL certificate; the access_rule fields involved are ngx_ssl, ngx_ssl_cert and ngx_ssl_key.
This configuration removes the repetition of SSL settings across nginx server blocks, e.g.:
server {
    listen 443 ssl;
    server_name www.abc.com;
    ssl_certificate /opt/OpenWAF/conf/ssl/abc.crt;
    ssl_certificate_key /opt/OpenWAF/conf/ssl/abc.key;
    ssl_protocols TLSv1.1 TLSv1.2;
    location / {
        ...
    }
}
server {
    listen 443 ssl;
    server_name www.xyz.com;
    ssl_certificate /opt/OpenWAF/conf/ssl/xyz.crt;
    ssl_certificate_key /opt/OpenWAF/conf/ssl/xyz.key;
    ssl_protocols TLSv1.1 TLSv1.2;
    location / {
        ...
    }
}
...
Given the original nginx configuration above, after adding WAF protection and simplifying with access_rule it can be written as:
server {
    listen 443 ssl;
    server_name _;
    ssl_certificate /opt/OpenWAF/conf/ssl/nginx.crt;
    ssl_certificate_key /opt/OpenWAF/conf/ssl/nginx.key;
    ssl_protocols TLSv1.1 TLSv1.2;
    include /opt/OpenWAF/conf/twaf_server.conf;                        # add WAF protection
    ssl_certificate_by_lua_file /opt/OpenWAF/app/twaf_ssl_cert.lua;   # select the SSL certificate dynamically
    set $twaf_https 1;
    location / {
        ...
    }
}
Now the SSL certificate only needs to be specified in access_rule, e.g.:
{
    "twaf_access_rule": {
        "rules": [
            {
                "ngx_ssl": true,
                "ngx_ssl_cert": "/opt/OpenWAF/conf/ssl/abc.crt",
                "ngx_ssl_key": "/opt/OpenWAF/conf/ssl/abc.key",
                "host": "www.abc.com",
                "path": "/",
                "port": 443,
                ...
            },
            {
                "ngx_ssl": true,
                "ngx_ssl_cert": "/opt/OpenWAF/conf/ssl/xyz.crt",
                "ngx_ssl_key": "/opt/OpenWAF/conf/ssl/xyz.key",
                "host": "www.xyz.com",
                "path": "/",
                "port": 443,
                ...
            }
        ]
    }
}
In this way, even with multiple SSL sites, access_rule can assign SSL certificates dynamically without changing the nginx configuration.

In the rewrite_by_lua phase, the backend server address and the policy to apply are determined from the host, port, uri and other request information.
The following discusses in detail how nginx configuration is moved into access_rule.
upstream aaa {
    server 1.1.1.1;
}
server {
    listen 80;
    server_name www.aaa.com;
    location / {
        proxy_pass http://aaa;
    }
}
After adding OpenWAF protection, the nginx configuration above becomes:
upstream test {
    server 0.0.0.1;   # just an invalid address as a place holder
    balancer_by_lua_file /opt/OpenWAF/app/twaf_balancer.lua;
}
server {
    listen 80;
    server_name _;
    include /opt/OpenWAF/conf/twaf_server.conf;
    location / {
        proxy_pass $twaf_upstream_server;
    }
}
The corresponding access_rule configuration is:
{
    "twaf_access_rule": {
        "rules": [
            {
                "host": "www.aaa.com",
                "path": "/",
                "port": 80,
                "forward": "test",
                "forward_addr": "1.1.1.1",
                "forward_port": 80
                ...
            }
        ]
    }
}
Here forward supplies the value of the $twaf_upstream_server variable in the nginx configuration.
forward_addr and forward_port only take effect when the upstream uses balancer_by_lua; otherwise these two values need not be configured.
Just as the ssl_certificate_by_lua configuration above removed the repetition of one nginx server block per SSL site that certificate configuration forces,
the rewrite_by_lua configuration likewise removes repetition in the nginx configuration, e.g.:
upstream aaa_1 {
    server 1.1.1.1;
}
upstream aaa_2 {
    server 1.1.1.2;
}
upstream bbb {
    server 2.2.2.2:8000;
}
server {
    listen 80;
    server_name www.aaa.com;
    location / {
        proxy_pass http://aaa_1;
    }
    location /a {
        proxy_pass http://aaa_2;
    }
}
server {
    listen 90;
    server_name www.bbb.com;
    location / {
        proxy_pass http://bbb;
    }
}
...
After adding OpenWAF protection, the nginx configuration above becomes:
upstream test {
    server 0.0.0.1;   # just an invalid address as a place holder
    balancer_by_lua_file /opt/OpenWAF/app/twaf_balancer.lua;
}
server {
    listen 80;
    listen 90;
    server_name _;
    include /opt/OpenWAF/conf/twaf_server.conf;
    location / {
        proxy_pass $twaf_upstream_server;
    }
}
The corresponding access_rule configuration is:
{
    "twaf_access_rule": {
        "rules": [
            {
                "host": "www.aaa.com",
                "path": "/a",
                "port": 80,
                "forward": "test",
                "forward_addr": "1.1.1.2",
                "forward_port": 80
                ...
            },
            {
                "host": "www.aaa.com",
                "path": "/",
                "port": 80,
                "forward": "test",
                "forward_addr": "1.1.1.1",
                "forward_port": 80
                ...
            },
            {
                "host": "www.bbb.com",
                "path": "/",
                "port": 90,
                "forward": "test",
                "forward_addr": "2.2.2.2",
                "forward_port": 8000
                ...
            }
        ]
    }
}
The configuration above shows that access_rule removes the configuration complexity caused by domain names, listening ports, paths, upstreams and so on.
Moreover, access rules can later be added dynamically through the API without interrupting service, whereas modifying the nginx configuration may interrupt service.
Note: in the example above, the www.aaa.com site has two paths, '/' and '/a'. Because access_rule is an array matched in order, the '/a' rule must be placed before the '/' rule.
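As an added example (not OpenWAF's own code), the following Python models the first-match selection the rewrite phase performs over the twaf_access_rule array, together with the checks a practitioner would want before loading a rule file: unique uuids, absolute ngx_ssl certificate and key paths, and the '/a'-before-'/' ordering caveat above. The rule document is constructed for the example and mirrors the www.aaa.com / www.bbb.com configuration.

```python
import json
import re
# Constructed access_rule document (not OpenWAF's shipped file); it mirrors the
# www.aaa.com / www.bbb.com example above, with the '/a' rule placed before '/'.
ACCESS_RULES_JSON = """
{"twaf_access_rule": {"rules": [
  {"host": "www.aaa.com", "path": "/a", "port": 80, "forward": "test",
   "forward_addr": "1.1.1.2", "forward_port": 80, "uuid": "access_a",
   "policy": "twaf_policy_conf"},
  {"host": "www.aaa.com", "path": "/", "port": 80, "forward": "test",
   "forward_addr": "1.1.1.1", "forward_port": 80, "uuid": "access_root"},
  {"host": "www.bbb.com", "path": "/", "port": 90, "forward": "test",
   "forward_addr": "2.2.2.2", "forward_port": 8000, "uuid": "access_bbb"}
]}}
"""

def load_rules(text):
    """Parse the document and reject rule sets that would misbehave at runtime:
    duplicate uuids (the API addresses rules by uuid) and ngx_ssl rules whose
    certificate or key path is not absolute."""
    rules = json.loads(text)["twaf_access_rule"]["rules"]
    seen = set()
    for r in rules:
        if r["uuid"] in seen:
            raise ValueError("duplicate uuid: " + r["uuid"])
        seen.add(r["uuid"])
        if r.get("ngx_ssl"):
            for key in ("ngx_ssl_cert", "ngx_ssl_key"):
                if not str(r.get(key, "")).startswith("/"):
                    raise ValueError(r["uuid"] + ": " + key + " is not absolute")
    return rules

def match_rule(rules, host, port, uri):
    """First match wins: host and path are regexes, port must equal the
    listening port. A '/' rule listed before '/a' therefore shadows it."""
    for r in rules:
        if (r.get("port", 80) == port and re.search(r["host"], host)
                and re.search(r["path"], uri)):
            return r
    return None

def resolve(rules, host, port, uri):
    """Upstream name ($twaf_upstream_server), backend addr:port and policy
    (default twaf_default_conf) for a request, or None if no rule matches."""
    r = match_rule(rules, host, port, uri)
    if r is None:
        return None
    return {"forward": r["forward"], "addr": r["forward_addr"],
            "port": int(r.get("forward_port", 80)),
            "policy": r.get("policy", "twaf_default_conf")}
```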
Local resource configuration:
upstream test {
    server 0.0.0.1;   # just an invalid address as a place holder
    balancer_by_lua_file /opt/OpenWAF/app/twaf_balancer.lua;
}
server {
    listen 80;
    server_name www.aaa.com;
    include /opt/OpenWAF/conf/twaf_server.conf;
    location / {
        proxy_pass $twaf_upstream_server;
    }
    location /a {   # local resource
        root /xxx;
        index xxx;
    }
}
The corresponding access_rule configuration is:
{
    "twaf_access_rule": {
        "rules": [
            {
                "host": "www.aaa.com",
                "path": "/",
                "port": 80,
                "forward": "test",
                "forward_addr": "1.1.1.1",
                "forward_port": 80
                ...
            }
        ]
    }
}
Here only the access rule for the root path is configured; no separate rule is needed for '/a'.
A request for a resource under www.aaa.com/a already matches this access rule, but the corresponding nginx location has no proxy_pass,
so the three parameters forward, forward_addr and forward_port do not take effect.
Of course, if you insist on adding an access rule for the '/a' directory, the configuration would be:
{
    "twaf_access_rule": {
        "rules": [
            {
                "host": "www.aaa.com",
                "path": "/a",
                "port": 80,
                ...
            },
            {
                "host": "www.aaa.com",
                "path": "/",
                "port": 80,
                "forward": "test",
                "forward_addr": "1.1.1.1",
                "forward_port": 80
                ...
            }
        ]
    }
}
As the configuration above shows, since forward, forward_addr and forward_port do not take effect for '/a', they need not be configured.
Two parameters of access_rule remain: uuid and policy.
uuid: the uuid identifying the access rule; it is used by the API and must be globally unique.
policy: the policy name. OpenWAF ships with the policies twaf_default_conf and twaf_policy_conf; if policy is not configured, the twaf_default_conf policy is used by default.
More suggestions: