Background
The goal is to strengthen the security of the web server, reduce the load on it, and put a protective barrier in front of it so that it receives fewer "unnecessary" attacks.
Requirements
The existing server already uses nginx as its web server (why nginx, and what its advantages are, I will not go into here; look it up if you are interested). So the barrier should be built on nginx's module extensibility, using Lua as the wall. OpenResty is, after all, essentially the Lua edition of nginx. Compared with the alternatives this is faster to implement and performs better, and above all there is OpenResty to use as a reference (what others can implement, I can implement too).
Implementation
- Software the environment depends on
- luajit2-2.1-20201027.tar.gz
- lua-nginx-module-0.10.19.tar.gz
- lua-resty-core-0.1.21.tar.gz
- lua-resty-lrucache-0.10.tar.gz
- nginx-1.16.1.tar.gz
- ngx_lua_waf-0.7.2.tar.gz
- ngx_devel_kit-0.3.1.tar.gz
- Procedure
First extract all the archives: tar -zxvf filename.tar.gz
Installing LuaJIT

    [root@cluste-black-node1 opt]# cd luajit2-2.1-20201027/
    [root@cluste-black-node1 luajit2-2.1-20201027]# ls
    COPYRIGHT  doc  dynasm  etc  Makefile  README  README.md  src  t
    [root@cluste-black-node1 luajit2-2.1-20201027]# make install PREFIX=/usr/local/LuaJIT

Output like the following means the install succeeded:

    ==== Installing LuaJIT 2.1.0-beta3 to /usr/local/LuaJIT ====
    mkdir -p /usr/local/LuaJIT/bin /usr/local/LuaJIT/lib /usr/local/LuaJIT/include/luajit-2.1 /usr/local/LuaJIT/share/man/man1 /usr/local/LuaJIT/lib/pkgconfig /usr/local/LuaJIT/share/luajit-2.1.0-beta3/jit /usr/local/LuaJIT/share/lua/5.1 /usr/local/LuaJIT/lib/lua/5.1
    cd src && install -m 0755 luajit /usr/local/LuaJIT/bin/luajit-2.1.0-beta3
    cd src && test -f libluajit.a && install -m 0644 libluajit.a /usr/local/LuaJIT/lib/libluajit-5.1.a || :
    rm -f /usr/local/LuaJIT/lib/libluajit-5.1.so.2.1.0 /usr/local/LuaJIT/lib/libluajit-5.1.so /usr/local/LuaJIT/lib/libluajit-5.1.so.2
    cd src && test -f libluajit.so && \
      install -m 0755 libluajit.so /usr/local/LuaJIT/lib/libluajit-5.1.so.2.1.0 && \
      ( ldconfig -n 2>/dev/null /usr/local/LuaJIT/lib || : ) && \
      ln -sf libluajit-5.1.so.2.1.0 /usr/local/LuaJIT/lib/libluajit-5.1.so && \
      ln -sf libluajit-5.1.so.2.1.0 /usr/local/LuaJIT/lib/libluajit-5.1.so.2 || :
    cd etc && install -m 0644 luajit.1 /usr/local/LuaJIT/share/man/man1
    cd etc && sed -e "s|^prefix=.*|prefix=/usr/local/LuaJIT|" -e "s|^multilib=.*|multilib=lib|" luajit.pc > luajit.pc.tmp && \
      install -m 0644 luajit.pc.tmp /usr/local/LuaJIT/lib/pkgconfig/luajit.pc && \
      rm -f luajit.pc.tmp
    cd src && install -m 0644 lua.h lualib.h lauxlib.h luaconf.h lua.hpp luajit.h /usr/local/LuaJIT/include/luajit-2.1
    cd src/jit && install -m 0644 bc.lua bcsave.lua dump.lua p.lua v.lua zone.lua dis_x86.lua dis_x64.lua dis_arm.lua dis_arm64.lua dis_arm64be.lua dis_ppc.lua dis_mips.lua dis_mipsel.lua dis_mips64.lua dis_mips64el.lua vmdef.lua /usr/local/LuaJIT/share/luajit-2.1.0-beta3/jit
    ln -sf luajit-2.1.0-beta3 /usr/local/LuaJIT/bin/luajit
    ==== Successfully installed LuaJIT 2.1.0-beta3 to /usr/local/LuaJIT ====
Installing lua-resty-core

    [root@cluste-black-node1 opt]# cd lua-resty-core-0.1.21/
    [root@cluste-black-node1 lua-resty-core-0.1.21]# ls
    dist.ini  lib  Makefile  README.markdown  t  valgrind.suppress
    [root@cluste-black-node1 lua-resty-core-0.1.21]# make install PREFIX=/usr/local/LuaLIB
    install -d /usr/local/LuaLIB/lib/lua//resty/core/
    install -d /usr/local/LuaLIB/lib/lua//ngx/
    install -d /usr/local/LuaLIB/lib/lua//ngx/ssl
    install lib/resty/*.lua /usr/local/LuaLIB/lib/lua//resty/
    install lib/resty/core/*.lua /usr/local/LuaLIB/lib/lua//resty/core/
    install lib/ngx/*.lua /usr/local/LuaLIB/lib/lua//ngx/
    install lib/ngx/ssl/*.lua /usr/local/LuaLIB/lib/lua//ngx/ssl/

Installing lua-resty-lrucache

    [root@cluste-black-node1 opt]# cd lua-resty-lrucache-0.10/
    [root@cluste-black-node1 lua-resty-lrucache-0.10]# ls
    dist.ini  lib  Makefile  README.markdown  t  valgrind.suppress
    [root@cluste-black-node1 lua-resty-lrucache-0.10]# make install PREFIX=/usr/local/LuaLIB
    install -d //usr/local/LuaLIB/lib/lua//resty/lrucache
    install lib/resty/*.lua //usr/local/LuaLIB/lib/lua//resty/
    install lib/resty/lrucache/*.lua //usr/local/LuaLIB/lib/lua//resty/lrucache/
Note: compiling lua-nginx-module requires editing one of its files.

    [root@cluste-black-node1 opt]# cd lua-nginx-module-0.10.19/
    [root@cluste-black-node1 lua-nginx-module-0.10.19]# ls
    config  doc  dtrace  misc  README.markdown  src  t  tapset  util  valgrind.suppress

Add the two LuaJIT variables at the top of the module's config script, so that nginx's ./configure finds the LuaJIT headers and library installed above:

    [root@cluste-black-node1 lua-nginx-module-0.10.19]# vim config
    LUAJIT_INC=/usr/local/LuaJIT/include/luajit-2.1
    LUAJIT_LIB=/usr/local/LuaJIT/lib

    ngx_lua_opt_I=
    ngx_lua_opt_L=
    luajit_ld_opt=

    ngx_feature_name=
    ngx_feature_run=no
    ngx_feature_incs=
    ngx_feature_test=

    if [ -n "$LUAJIT_INC" -o -n "$LUAJIT_LIB" ]; then
        # explicitly set LuaJIT paths
Compile nginx with the extra modules. The configure parameters are as follows (the rpath option makes the nginx binary find libluajit-5.1.so in /usr/local/LuaJIT/lib at run time):

    ./configure --with-debug --with-http_realip_module --with-stream_realip_module --prefix=/usr/local/nginx --with-ld-opt="-Wl,-rpath,/usr/local/LuaJIT/lib" --add-module=/opt/ngx_devel_kit-0.3.1 --add-module=/opt/lua-nginx-module-0.10.19

Once configure succeeds a Makefile is generated; run make && make install.
Then place the extracted waf directory under the conf directory of the nginx install path.
Edit config.lua in the waf directory, set the RulePath and logdir paths, then save and quit.

    [root@cluste-black-node1 conf]# vim waf/config.lua
    RulePath = "/usr/local/nginx/conf/waf/wafconf/"
    attacklog = "on"
    logdir = "/usr/local/nginx/logs/hack/"
Edit the nginx configuration file and add the Lua path settings to the http block:

    lua_package_path "/usr/local/nginx/conf/waf/?.lua;/usr/local/LuaLIB/lib/lua/?.lua;;";
    lua_shared_dict limit 10m;
    init_by_lua_file /usr/local/nginx/conf/waf/init.lua;
    access_by_lua_file /usr/local/nginx/conf/waf/waf.lua;

Edit the nginx configuration file and add a /lua resource to the server block:

    location /lua {
        default_type 'text/html';
        content_by_lua 'ngx.say("Hi Lua")';
    }
Requesting it with curl returns the string Hi Lua (the location match is case-sensitive, so the path must be /lua):

    curl http://<ip>:<port>/lua

Requesting an illegal resource with curl outputs the string configured in the WAF, which shows that the application firewall is in effect:

    curl "http://<ip>:<port>/lua?id=/etc/passwd"
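The two curl calls above are the whole acceptance test, so it is worth wrapping them into a check that verifies both directions: the plain request must still reach the Lua handler, and the request with the suspicious id parameter must not. The script below is an added example, not part of the original post or of ngx_lua_waf. It assumes the /lua location from the post and only checks that the blocked response does not contain the handler's "Hi Lua" string, because what the WAF returns for an intercepted request is whatever config.lua defines. The FETCH variable, the fetch_with_curl helper and the base URL are assumptions made here so the logic can also be exercised without a running nginx.

```shell
#!/bin/sh
# Added example (not from the original post): smoke test for the WAF
# install described above. FETCH names the command that returns a
# response body for a URL; the default is curl. Overriding it with a
# shell function lets the check run without a live server.

FETCH="${FETCH:-fetch_with_curl}"

fetch_with_curl() {
    curl -s --max-time 5 "$1"
}

# Return 0 when the benign request reaches the Lua handler and the
# request carrying the suspicious parameter does not; 1 otherwise.
# $1 is the server's base URL, e.g. http://127.0.0.1:80 (placeholder).
waf_smoke_test() {
    base="$1"
    clean=$("$FETCH" "$base/lua")
    blocked=$("$FETCH" "$base/lua?id=/etc/passwd")

    case "$clean" in
        *"Hi Lua"*) ;;
        *) echo "plain request did not reach the Lua handler" >&2; return 1 ;;
    esac

    case "$blocked" in
        *"Hi Lua"*)
            echo "request with suspicious parameter was NOT intercepted" >&2
            return 1 ;;
        *) return 0 ;;
    esac
}

# Real run against the server from the post (placeholder address):
# waf_smoke_test http://127.0.0.1:80 && echo "WAF active"
```

Run it after every nginx reload: a WAF that silently stops loading (for example after a bad lua_package_path edit) fails the second case while the site itself keeps answering, which is exactly the regression a plain "is the site up" check would miss.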
- Troubleshooting
When downloading LuaJIT I picked a very old version, and the environment build failed. Remember that the LuaJIT to download is the one from the OpenResty open-source code.
Setting the two lua_nginx_module environment variables with export did not seem to take effect, which led to the following:

    checking for LuaJIT 2.x ... not found
    ./configure: error: unsupported LuaJIT version; ngx_http_lua_module requires LuaJIT 2.x.
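Both problems above (an old LuaJIT, and LUAJIT_INC/LUAJIT_LIB not reaching ./configure) show up as the same "unsupported LuaJIT version" error, so a preflight check that looks at the installed tree before running configure saves a build cycle. The script below is an added example, not part of the original post or of lua-nginx-module. It assumes the /usr/local/LuaJIT prefix used in the post, the luajit.h header that LuaJIT installs there, and the LUAJIT_VERSION_NUM macro inside that header (20100 for the 2.1 series; anything at or above 20000 is a 2.x build); the function names are mine.

```shell
#!/bin/sh
# Added example (not from the original post): check that a LuaJIT prefix
# has the layout lua-nginx-module's config script expects, and emit the
# two variables the post patches into that script.

# Return 0 if $1 (default /usr/local/LuaJIT) looks like a LuaJIT 2.x
# install; print the first missing piece to stderr and return 1 otherwise.
check_luajit_prefix() {
    prefix="${1:-/usr/local/LuaJIT}"
    inc="$prefix/include/luajit-2.1"
    lib="$prefix/lib"

    # Header and shared library that ./configure compiles and links against.
    for f in "$inc/luajit.h" "$inc/lua.h" "$lib/libluajit-5.1.so"; do
        if [ ! -e "$f" ]; then
            echo "missing: $f" >&2
            return 1
        fi
    done

    # LUAJIT_VERSION_NUM is 2xxxx for any 2.x release; an old 1.x
    # tarball, or an unrelated lua.h, fails here rather than in configure.
    if ! grep -Eq 'LUAJIT_VERSION_NUM[[:space:]]+2[0-9]{4}' "$inc/luajit.h"; then
        echo "$inc/luajit.h is not a LuaJIT 2.x header" >&2
        return 1
    fi
    return 0
}

# Print the two assignments from the post as export lines, so they can be
# applied with: eval "$(luajit_env /usr/local/LuaJIT)"
luajit_env() {
    prefix="${1:-/usr/local/LuaJIT}"
    printf 'export LUAJIT_INC=%s/include/luajit-2.1\n' "$prefix"
    printf 'export LUAJIT_LIB=%s/lib\n' "$prefix"
}

# Typical use before ./configure (commented out; no side effects here):
# check_luajit_prefix /usr/local/LuaJIT || exit 1
# eval "$(luajit_env /usr/local/LuaJIT)"
```

Exporting the variables in the shell that runs ./configure is equivalent to writing them at the top of the module's config file, provided it is the same shell session; the eval line above is the export form of the edit shown earlier.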
The same procedure also compiles on the f-stack platform, and the WAF takes effect there too. The only difference is that when compiling nginx you need to edit the Makefile generated in the objs directory and remove Werror from it.
The error on the f-stack platform is as follows:

    /opt/lua-nginx-module-0.10.19/src/ngx_http_lua_socket_udp.c: In function 'ngx_http_lua_udp_connect':
    /opt/lua-nginx-module-0.10.19/src/ngx_http_lua_socket_udp.c:1435:9: error: the address of 'ngx_add_event' will always evaluate as 'true' [-Werror=address]
         if (ngx_add_event) {
         ^
    cc1: all warnings being treated as errors
    make[1]: *** [objs/addon/src/ngx_http_lua_socket_udp.o] Error 1
    make[1]: Leaving directory `/opt/f-stack/app/nginx-1.16.1'
    make: *** [build] Error 2

DPDK may run into problems in a virtual-machine environment, such as the network card not being supported.