
nginxwaf Install

安装openresty后,我们下载ngx_lua_waf 的脚本,放置在nginx 目录,就可以开始配置测试了

在nginx 创建waf目录

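root@pts/0 # git clone https://github.com/loveshell/ngx_lua_waf.git
# Supply-chain note: everything cloned here is Lua that nginx loads via
# init_by_lua_file and runs in the access phase of every request. The clone
# tracks the default branch with no pin, so review the checkout and record
# the commit you deploy; a later re-clone must not silently change what the
# WAF executes.
root@pts/0 # git -C ngx_lua_waf rev-parse HEAD
root@pts/0 # tree ngx_lua_waf
├── config.lua
├── init.lua
├── install.sh
├── README.md
├── wafconf
   ├── args
   ├── cookie
   ├── post
   ├── url
   ├── user-agent
   └── whiteurl
└── waf.lua

# Only these files are needed (install.sh and README.md are not copied)
├── config.lua    # configuration
├── init.lua      # initialisation
├── wafconf       # directory of filter rules
   ├── args
   ├── cookie
   ├── post
   ├── url
   ├── user-agent
   └── whiteurl
└── waf.lua       # the script that handles each request

# Work from the nginx prefix: conf/waf holds the WAF, logs/hack its attack log
# (config.lua below points logdir there). logs/hack must be writable by the
# user the nginx workers run as, and should not be readable by other users.
root@pts/0 # cd /usr/local/openresty/nginx/
root@pts/0 # mkdir -p {conf/waf,logs/hack}
root@pts/0 # rsync -avzP ngx_lua_waf/{init.lua,config.lua,waf.lua,wafconf} conf/waf/
root@pts/0 # cd conf/waf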

初步修改waf配置文件

root@pts/0 # vim config.lua 
-- RulePath: directory the rule files under wafconf/ are read from.
-- logdir: where the attack log is written. It must be writable by the user
-- the nginx workers run as; entries are expected to carry the offending
-- request, so keep the directory unreadable to other local users.
RulePath = "/usr/local/openresty/nginx/conf/waf/wafconf/"
logdir = "/usr/local/openresty/nginx/logs/hack/"

nginx http加载waf

# http{} context: the WAF is loaded once at init and runs in the access phase
# of every server{} and location{} under this http{} block.
# NOTE: this lua_package_path has no trailing ";;" -- the Lua placeholder for
# the default search path -- so it replaces OpenResty's default path instead
# of extending it. resty.core then cannot be found, which is the error below.
lua_package_path "/usr/local/openresty/nginx/conf/waf/?.lua";
lua_shared_dict limit 10m;
init_by_lua_file  /usr/local/openresty/nginx/conf/waf/init.lua; 
access_by_lua_file /usr/local/openresty/nginx/conf/waf/waf.lua;

重启nginx 报错

找不到 resty.core 模块: 自定义 lua_package_path 时如果不以 `;;` 结尾,会完全覆盖 OpenResty 的默认搜索路径,而 resty.core 位于 /usr/local/openresty/lualib 下,于是找不到。需要在 lua_package_path 中保留默认路径(末尾加 `;;`)或显式加入该目录

root@pts/0 # cat logs/error.log 
# The search list below is the Lua path/cpath in effect when the alert fired:
# only one .lua location is probed, so the custom lua_package_path replaced
# the default search path instead of extending it.
# NOTE(review): the probed location is .../nginx/waf/?.lua, not the conf/waf
# path configured above -- this log appears to come from an earlier attempt.

2025/07/22 16:48:19 [notice] 25222#25222: signal process started
2025/07/22 16:48:19 [alert] 21371#21371: failed to load the 'resty.core' module (https://github.com/openresty/lua-resty-core); ensure you are using an OpenResty release from https://openresty.org/en/download.html (reason: module 'resty.core' not found:
    no field package.preload['resty.core']
    no file '/usr/local/openresty/nginx/waf/resty/core.lua'
    no file '/usr/local/openresty/site/lualib/resty/core.so'
    no file '/usr/local/openresty/lualib/resty/core.so'
    no file './resty/core.so'
    no file '/usr/local/lib/lua/5.1/resty/core.so'
    no file '/usr/local/openresty/luajit/lib/lua/5.1/resty/core.so'
    no file '/usr/local/lib/lua/5.1/loadall.so'
    no file '/usr/local/openresty/site/lualib/resty.so'
    no file '/usr/local/openresty/lualib/resty.so'
    no file './resty.so'
    no file '/usr/local/lib/lua/5.1/resty.so'
    no file '/usr/local/openresty/luajit/lib/lua/5.1/resty.so'
    no file '/usr/local/lib/lua/5.1/loadall.so') in /usr/local/openresty/nginx/conf/nginx.conf:126

解决

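# http{} context. Lua separates search-path entries with a single ";" and
# treats ";;" as "insert the default search path here". Keep exactly one ";;",
# at the end, so the default path (which contains resty.core) is appended once;
# the original wrote ";;" as a separator, which expands the default path twice.
# The lualib entry is kept explicitly, the waf directory is added after it.
# The other directives are unchanged.
    lua_package_path "/usr/local/openresty/lualib/?.lua;/usr/local/openresty/nginx/conf/waf/?.lua;;";
    lua_shared_dict limit 10m;
    init_by_lua_file  /usr/local/openresty/nginx/conf/waf/init.lua; 
    access_by_lua_file /usr/local/openresty/nginx/conf/waf/waf.lua;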

重启查看logs/error.log没有报错了

测试CC攻击

准备一个测试页面

# A static page under the nginx prefix to exercise the rate limit with.
root@pts/1 # printf '%s\n' 123 > html/test.html
root@pts/1 # curl http://localhost/test.html
123

这里修改

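# Path is relative to /usr/local/openresty/nginx/, where html/test.html was
# written above; the file copied earlier is conf/waf/config.lua.
root@pts/1 # vim conf/waf/config.lua
-- config.lua is Lua, so comments start with "--", never "#": a "#" comment
-- is a Lua syntax error and nginx reports an error instead of loading the WAF.
CCDeny="on"      -- enable CC flood blocking
CCrate="2/60"    -- allow one client IP 2 requests to the same URL per 60 s
-- NOTE: the counter is keyed on the client address nginx sees. Behind a
-- reverse proxy or CDN every request carries the proxy address, so confirm
-- how waf.lua derives the client IP before relying on CCDeny there.

root@pts/1 # curl http://localhost/test.html
123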