主要实现的功能有:
1、支持IP白名单和黑名单功能,直接将黑名单的IP访问拒绝(白名单权重高于黑名单)。
2、支持URL白名单,将不需要过滤的URL进行定义。
3、支持User-Agent的过滤,匹配自定义规则中的条目,然后进行处理(返回403)。
4、支持CC攻击防护,单个URL指定时间的访问次数,超过设定值,直接返回403。
5、支持Cookie过滤,匹配自定义规则中的条目,然后进行处理(返回403)。
6、支持URL过滤,匹配自定义规则中的条目,如果用户请求的URL包含这些,返回403。
7、支持url参数过滤。
8、支持日志记录,将所有拒绝的操作,记录到日志中去。
9、日志记录为JSON格式,便于日志分析,例如使用ELK Stack进行日志的收集、存储、搜索和展示。
安装脚本
#!/bin/bash
# Installs nginx 1.12.1 with LuaJIT and lua-nginx-module, then OpenResty with a
# Lua WAF, by running main() at the bottom of this file. It writes under
# /usr/local, /etc/profile and /lib64 and calls yum/useradd, so it is meant to
# run as root on a yum-based host.
# Load the system-wide profile so its PATH and environment are in effect.
. /etc/profile
# Download the source archives into /usr/local/src.
# Each wget reports "get <archive> : OK !!" or "... ERROR !!" on stdout and the
# function always returns 0, so a failed download does not stop main().
# The cd persists in the caller's shell (functions run in the current process).
# NOTE(review): the last four wget calls carry no URL operand as shown here —
# they look truncated in this copy; confirm against the original script.
# NOTE(review): the archives are built and installed as-is; nothing checks a
# checksum or signature, and wget's output is discarded, so a bad download is
# only visible as the "ERROR !!" line.
get(){
cd /usr/local/src && \
wget https://github.com/simpl/ngx_devel_kit/archive/v0.3.0.tar.gz >/dev/null 2>&1 && echo "get v0.3.0.tar.gz : OK !!" || echo "get v0.3.0.tar.gz : ERROR !!"
wget >/dev/null 2>&1 && echo "get v0.10.9rc7.tar.gz : OK !!" || echo "get v0.10.9rc7.tar.gz : ERROR !!"
wget >/dev/null 2>&1 && echo "get nginx-1.12.1.tar.gz : OK !!" || echo "get nginx-1.12.1.tar.gz : ERROR !!"
wget >/dev/null 2>&1 && echo "get LuaJIT-2.0.2.tar.gz : OK !!" || echo "get LuaJIT-2.0.2.tar.gz : ERROR !!"
wget >/dev/null 2>&1 && echo "get ngx_openresty-1.9.3.2.tar.gz : OK !!" || echo "get ngx_openresty-1.9.3.2.tar.gz : ERROR !!"
}
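# Build and install LuaJIT 2.0.2 from the archive fetched by get().
# Outputs: "luajit_install : OK !!" or "luajit_install : ERROR !!" on stdout
# Returns: 0 always (the trailing echo decides the status), like the other steps
# NOTE(review): LuaJIT's Makefile reads PREFIX (upper case), so the lower-case
# prefix= below is most likely ignored and the install lands under /usr/local —
# which is what set_path() and curl_nginx() assume. Confirm before changing it.
luajit_install(){
  local version=LuaJIT-2.0.2
  # Subshell: the two cd calls must not change the caller's working directory.
  if (
    cd /usr/local/src &&
      tar xf "${version}.tar.gz" >/dev/null 2>&1 &&
      cd "$version" &&
      make install prefix=/usr/local/LuaJIT >/dev/null 2>&1
  ); then
    echo "luajit_install : OK !!"
  else
    echo "luajit_install : ERROR !!"
  fi
}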
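# Export the LuaJIT library and header locations used by the nginx build and
# persist them in the shell profile.
# Arguments: $1 - profile file to append to (default /etc/profile)
# Outputs:   "set path : OK !!" or "set path : ERROR !!" on stdout
# Returns:   0 always (the trailing echo decides the status)
set_path(){
  local profile=${1:-/etc/profile}
  local lib_line='export LUAJIT_LIB=/usr/local/lib'
  local inc_line='export LUAJIT_INC=/usr/local/include/luajit-2.0'
  # Append each export only if that exact line is not present yet, so
  # re-running the installer does not accumulate duplicates in the profile.
  if { grep -qxF -- "$lib_line" "$profile" 2>/dev/null || printf '%s\n' "$lib_line" >>"$profile"; } &&
     { grep -qxF -- "$inc_line" "$profile" 2>/dev/null || printf '%s\n' "$inc_line" >>"$profile"; } &&
     . "$profile"; then
    echo "set path : OK !!"
  else
    echo "set path : ERROR !!"
  fi
}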
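# Unpack the four source archives in /usr/local/src.
# Returns: 0 if every archive extracted, otherwise the status of the first
#          failing cd/tar (the remaining archives are not touched)
jy(){
  local archives=(v0.10.9rc7.tar.gz v0.3.0.tar.gz nginx-1.12.1.tar.gz ngx_openresty-1.9.3.2.tar.gz)
  local archive
  # Subshell: keep the cd from changing the caller's working directory.
  (
    cd /usr/local/src || exit
    for archive in "${archives[@]}"; do
      tar xf "$archive" >/dev/null 2>&1 || exit
    done
  )
}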
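# Create the service account if it does not exist yet.
# Arguments: $1 - account name (default nginx)
# Outputs:   "user Already exist" when the account is already present
# Returns:   0 if the account exists or was created, else useradd's status
# NOTE(review): this function shadows the system `adduser` command for the
# rest of the script; it deliberately calls useradd instead.
adduser(){
  local user=${1:-nginx}
  # id -u is an exact-name lookup; the original prefix grep on /etc/passwd also
  # counted accounts such as "nginx2", and the old "|| useradd && echo" chain
  # printed "Already exist" right after creating the user.
  if id -u "$user" >/dev/null 2>&1; then
    echo "user Already exist"
  else
    useradd -s /sbin/nologin -M "$user"
  fi
}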
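# Configure, build and install nginx 1.12.1 with ngx_devel_kit and
# lua-nginx-module. Relies on adduser() and jy() from this file.
# (The misspelled name is kept because main() calls it by this name.)
# Outputs: "install nginx : OK !!" or "install nginx : ERROR !!" on stdout
# Returns: 0 always (the trailing echo decides the status)
istall_nginx(){
  local src=/usr/local/src
  local configure_args=(
    --prefix=/usr/local/nginx
    --user=nginx
    --group=nginx
    --with-http_ssl_module
    --with-http_stub_status_module
    --with-file-aio
    --with-http_dav_module
    --add-module="${src}/ngx_devel_kit-0.3.0/"
    --add-module="${src}/lua-nginx-module-0.10.9rc7/"
  )
  # Subshell: the cd must not leak into the caller. Build output is discarded
  # as in the original, so a failed configure/make only shows as "ERROR !!".
  if adduser && jy && (
    cd "${src}/nginx-1.12.1" &&
      ./configure "${configure_args[@]}" >/dev/null 2>&1 &&
      make >/dev/null 2>&1 &&
      make install >/dev/null 2>&1
  ); then
    echo "install nginx : OK !!"
  else
    echo "install nginx : ERROR !!"
  fi
}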
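# Write a minimal nginx.conf with a /hello location served by content_by_lua,
# used by curl_nginx() as a smoke test of the Lua module.
# Arguments: $1 - path to write (default /usr/local/nginx/conf/nginx.conf)
# Returns:   cat's status (non-zero if the file cannot be written)
conf_nginx(){
  local conf=${1:-/usr/local/nginx/conf/nginx.conf}
  # One redirection replaces the original truncate-then-append pair; the quoted
  # delimiter writes the config literally, with no shell expansion.
  cat > "$conf" <<'EOF'
worker_processes 1;
events {
worker_connections 1024;
}
http {
include mime.types;
default_type application/octet-stream;
sendfile on;
keepalive_timeout 65;
server {
listen 80;
server_name localhost;
location / {
root html;
index index.html index.htm;
}
location /hello {
default_type 'text/plain';
content_by_lua 'ngx.say("hello,lua")';
}
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root html;
}
}
}
EOF
}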
# Smoke-test nginx: expose the LuaJIT shared library to the dynamic linker,
# start nginx, make one request, then stop nginx.
# Returns: the status of the first failing step (non-zero stops main()).
curl_nginx(){
# Plain ln -s fails if the link already exists, so re-running the installer
# stops here before nginx is started.
# NOTE(review): curl has no URL operand as shown here (likely truncated in this
# copy); the config written by conf_nginx() serves /hello on port 80.
ln -s /usr/local/lib/libluajit-5.1.so.2 /lib64/libluajit-5.1.so.2 && \
/usr/local/nginx/sbin/nginx && \
curl && \
/usr/local/nginx/sbin/nginx -s stop
}
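# Install the build dependencies with yum, then build and install
# OpenResty 1.9.3.2 under /usr/local/openresty.
# Outputs: an "install rely" line and an "install openresty" line (OK/ERROR)
# Returns: 0 always (the trailing echo decides the status)
install_openresty(){
  local version=ngx_openresty-1.9.3.2
  if yum install -y readline-devel pcre-devel openssl-devel >/dev/null 2>&1; then
    echo "install rely: OK !!"
  else
    echo "install rely : ERROR"
  fi
  # Subshell: the cd calls must not change the caller's working directory.
  if (
    cd /usr/local/src &&
      tar xf "${version}.tar.gz" >/dev/null 2>&1 &&
      cd "$version" &&
      ./configure --prefix=/usr/local/openresty --with-luajit --with-http_stub_status_module --with-pcre --with-pcre-jit >/dev/null 2>&1 &&
      gmake >/dev/null 2>&1 &&
      gmake install >/dev/null 2>&1
  ); then
    echo "install openresty : OK !!"
  else
    echo "install openresty : ERROR !!"
  fi
}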
# Clone the WAF repository and copy its waf/ directory into the OpenResty conf
# tree, where set_waf() loads it through lua_package_path, init_by_lua_file and
# access_by_lua_file. The clone is expected to land in ./waf (see the cp).
# Outputs: "get WAF : OK !!" or "get WAF : ERROR !!" on stdout
# Returns: 0 always (the trailing echo decides the status)
get_waf(){
# NOTE(review): git clone has no repository URL as shown here (likely truncated
# in this copy); confirm against the original script.
# NOTE(review): the clone is unpinned (no tag or commit is checked out) and the
# fetched Lua runs inside every request via access_by_lua_file, so pin and
# review a specific revision before installing it.
cd /usr/local/src && \
git clone >/dev/null 2>&1 && \
cp -a ./waf/waf /usr/local/openresty/nginx/conf/ && echo "get WAF : OK !!" || echo "get WAF : ERROR !!"
}
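# Write the OpenResty nginx.conf that loads the WAF, then give the tree to the
# nginx account.
# Arguments: $1 - config path (default /usr/local/openresty/nginx/conf/nginx.conf)
#            $2 - tree to chown to nginx (default /usr/local/openresty/)
# Returns:   non-zero if the config cannot be written, else chown's status
#            (main() reports a non-zero status as "set_waf : ERROR !!")
set_waf(){
  local conf=${1:-/usr/local/openresty/nginx/conf/nginx.conf}
  local tree=${2:-/usr/local/openresty/}
  # The original opened the here-document with a bare "<" and closed it with
  # EOT, which bash rejects as a syntax error for the whole script; one
  # redirection with a quoted delimiter writes the config literally.
  # The WAF hooks sit in the http{} block: init.lua runs once at startup and
  # access.lua runs for every request of every server in this config.
  cat > "$conf" <<'EOT' || return
worker_processes 1;
events {
worker_connections 1024;
}
http {
include mime.types;
default_type application/octet-stream;
sendfile on;
keepalive_timeout 65;
#WAF
lua_shared_dict limit 50m;
lua_package_path "/usr/local/openresty/nginx/conf/waf/?.lua";
init_by_lua_file "/usr/local/openresty/nginx/conf/waf/init.lua";
access_by_lua_file "/usr/local/openresty/nginx/conf/waf/access.lua";
server {
listen 80;
server_name localhost;
location /hello {
default_type text/html;
content_by_lua_block {
ngx.say("HelloWorld")
}
}
location / {
root html;
index index.html index.htm;
}
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root html;
}
}
}
EOT
  # user:group is the POSIX form; the user.group spelling is a deprecated
  # GNU extension.
  chown -R nginx:nginx "$tree"
}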
# Start OpenResty with the WAF config, make one request, then replace the
# default index page. Unlike curl_nginx(), nginx is left running afterwards.
# Returns: the status of the final echo/redirect, not of nginx or curl.
curl_waf(){
# NOTE(review): curl has no URL operand as shown here (likely truncated in this
# copy); the config written by set_waf() serves / and /hello on port 80.
/usr/local/openresty/nginx/sbin/nginx && \
curl
# The index page is written only after the request above, so that request
# cannot have served it.
echo "
Welcome to (Web Application Firewall)
" >/usr/local/openresty/nginx/html/index.html
}
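# Run the whole installation in order. The download/build helpers print their
# own OK/ERROR lines and always return 0, so only curl_nginx(), conf_nginx(),
# set_waf() and curl_waf() can stop the chain with a non-zero status.
# The original "conf_nginx ... && echo OK || echo ERROR && curl_nginx" form
# continued after a failure because the ERROR echo itself succeeds; the two
# if-blocks below report the failure and stop instead.
# Returns: 0 on success, else the status of the first failing step
main(){
  get && luajit_install && set_path && istall_nginx || return
  if conf_nginx >/dev/null 2>&1; then
    echo "conf_nginx : OK !!"
  else
    echo "conf_nginx : ERROR !!"
    return 1
  fi
  curl_nginx && install_openresty && get_waf || return
  if set_waf >/dev/null 2>&1; then
    echo "set_waf : OK !!"
  else
    echo "set_waf : ERROR !!"
    return 1
  fi
  curl_waf
}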
# Entry point: main() ignores its arguments, so passing them through is a
# no-op that keeps the conventional form.
main "$@"