配置:
nginx path prefix: "/etc/nginx"
nginx binary file: "/usr/sbin/nginx"
nginx modules path: "/usr/lib/nginx/modules"
nginx configuration prefix: "/etc/nginx"
nginx configuration file: "/etc/nginx/nginx.conf"
nginx pid file: "/var/run/nginx.pid"
nginx error log file: "/var/log/nginx/error.log"
nginx http access log file: "/var/log/nginx/access.log"
nginx http client request body temporary files: "/var/cache/nginx/client_temp"
nginx http proxy temporary files: "/var/cache/nginx/proxy_temp"
nginx http fastcgi temporary files: "/var/cache/nginx/fastcgi_temp"
nginx http uwsgi temporary files: "/var/cache/nginx/uwsgi_temp"
nginx http scgi temporary files: "/var/cache/nginx/scgi_temp"
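# Build libmodsecurity (ModSecurity v3) from the unpacked source tree.
# The package index is refreshed and the system upgraded BEFORE any install,
# so the -dev headers pulled in below match the libraries actually installed
# (the original order installed first and updated afterwards).
apt-get update -y                 # refresh the package index
apt-get dist-upgrade -y           # install all available updates, including a new kernel
apt-get upgrade -y                # upgrade whatever dist-upgrade left untouched
apt autoremove -y                 # Debian: drop obsolete / no-longer-needed packages (-y avoids an interactive prompt)
apt-get install -y wget vim net-tools cron curl git
apt clean
cat /etc/debian_version           # shows the Debian release, NOT the kernel version (that would be `uname -r`)
# Build dependencies for libmodsecurity.
apt-get install -y libxml2 libxml2-dev libexpat1-dev libpcre3-dev libpcre++-dev libyajl-dev libgeoip-dev libcurl4-gnutls-dev dh-autoreconf
cd /data/file/soft/src/nginx/ModSecurity
# NOTE(review): if this directory is a git checkout rather than a release
# tarball, ./configure does not exist until the repository's build script has
# generated it (and the bundled submodules are fetched) — confirm before running.
./configure --prefix=/usr/src/modsecurity --enable-mutex-on-pm
make && make install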
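# Build nginx with the ModSecurity connector as a dynamic module.
#
# NOTE(review): every version pinned below (nginx-1.15.2, openssl-1.0.2o,
# pcre-8.42, modsecurity-nginx-v1.0.0) is an old release. Because OpenSSL is
# linked in statically via --with-openssl, this binary never picks up OpenSSL
# security fixes from the distribution; point --with-openssl / --with-pcre and
# the nginx tarball at currently supported releases before rebuilding.
#
# The connector source is consumed through --add-dynamic-module, so there is
# no need to cd into modsecurity-nginx-v1.0.0 first (the original did, then
# immediately changed directory again).
cd /data/file/soft/src/nginx/nginx-1.15.2

# Tell the connector where libmodsecurity was just built. These point at the
# source tree (src/.libs, headers), not at the --prefix it was installed to.
export MODSECURITY_LIB="/data/file/soft/src/nginx/ModSecurity/src/.libs/"
export MODSECURITY_INC="/data/file/soft/src/nginx/ModSecurity/headers/"

# Single hardened configure. The original ran an unhardened configure followed
# by this one; only the last ./configure counts, so the first is dropped.
# --with-cc-opt / --with-ld-opt carry the Debian package's hardening flags:
# stack protector, FORTIFY_SOURCE, format-string errors, RELRO, BIND_NOW, PIE.
# The -fdebug-prefix-map path is copied from the Debian build and only affects
# debug info; it does not need to exist on this machine.
# Trailing duplicates of --with-threads/--with-file-aio/--with-compat removed.
./configure --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib/nginx/modules \
  --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log \
  --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock \
  --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp \
  --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp \
  --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx \
  --with-compat --with-file-aio --with-threads \
  --with-http_addition_module --with-http_auth_request_module --with-http_dav_module --with-http_flv_module \
  --with-http_gunzip_module --with-http_gzip_static_module --with-http_mp4_module --with-http_random_index_module \
  --with-http_realip_module --with-http_secure_link_module --with-http_slice_module --with-http_ssl_module \
  --with-http_stub_status_module --with-http_sub_module --with-http_v2_module \
  --with-mail --with-mail_ssl_module \
  --with-stream --with-stream_realip_module --with-stream_ssl_module --with-stream_ssl_preread_module \
  --with-cc-opt='-g -O2 -fdebug-prefix-map=/data/builder/debuild/nginx-1.15.2/debian/debuild-base/nginx-1.15.2=. -specs=/usr/share/dpkg/no-pie-compile.specs -fstack-protector-strong -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fPIC' \
  --with-ld-opt='-specs=/usr/share/dpkg/no-pie-link.specs -Wl,-z,relro -Wl,-z,now -Wl,--as-needed -pie' \
  --with-openssl=/data/file/soft/src/nginx/openssl-1.0.2o --with-pcre=/data/file/soft/src/nginx/pcre-8.42 \
  --add-module=/usr/local/src/ngx_brotli --with-http_geoip_module \
  --add-dynamic-module=/data/file/soft/src/nginx/modsecurity-nginx-v1.0.0

make && make install && make modules
# Install the connector where --modules-path points; nginx.conf still has to
# load it with a load_module directive in the main context.
cp objs/ngx_http_modsecurity_module.so /usr/lib/nginx/modules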
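# Fetch the OWASP Core Rule Set and place it where the WAF config will include it.
cd /data/file/soft/src/nginx
# NOTE(review): this clones the default branch of the legacy SpiderLabs repository
# unpinned; for a reproducible deployment check out a released tag and confirm
# the current upstream location before cloning.
git clone https://github.com/SpiderLabs/owasp-modsecurity-crs
mv owasp-modsecurity-crs /opt/tengine/conf/
# The rule set ships only crs-setup.conf.example; the Include of crs-setup.conf
# fails until a copy is made (the original omitted this step).
cp /opt/tengine/conf/owasp-modsecurity-crs/crs-setup.conf.example /opt/tengine/conf/owasp-modsecurity-crs/crs-setup.conf
# NOTE(review): the rule set now lives under /opt/tengine/conf/, so every Include
# of it must use that path; the Include lines written into modsecurity.conf below
# still reference the original clone location and must agree with this mv.
vi /data/docker/nginx/modsecurity.conf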
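# Contents of the rules file referenced by modsecurity_rules_file.
#
# Engine baseline. The original file held only the two Include lines, which is
# not enough for the behaviour the write-up expects: unless SecRuleEngine is On
# the CRS only logs and no 403 is returned, and unless an audit log is
# configured nothing is ever written to the /var/log/modsec_audit.log that is
# tailed afterwards. The vendor's modsecurity.conf-recommended carries the full
# baseline (request body access, limits, etc.) and should be included first.
SecRuleEngine On
SecAuditEngine RelevantOnly
SecAuditLog /var/log/modsec_audit.log

# NOTE(review): the clone was moved to /opt/tengine/conf/ earlier, yet these
# paths still point at the clone location — they must match wherever the rule
# set actually resides, and crs-setup.conf has to be created from
# crs-setup.conf.example first.
Include /data/file/soft/src/nginx/owasp-modsecurity-crs/crs-setup.conf
Include /data/file/soft/src/nginx/owasp-modsecurity-crs/rules/*.conf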
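# Enabling the WAF for one virtual host.
#
# The connector was built as a dynamic module and copied to
# /usr/lib/nginx/modules, so the main context of nginx.conf must first contain
#   load_module modules/ngx_http_modsecurity_module.so;
# otherwise the modsecurity directives below are rejected as unknown and
# configtest fails. The original snippet used bare "....." placeholders, which
# are not valid nginx syntax; they are comments here.
server {
    # ... other server-level directives ...
    modsecurity on;
    location / {
        # ... other location-level directives ...
        # NOTE(review): the rules file edited above is /data/docker/nginx/modsecurity.conf;
        # this directive must point at that same file.
        modsecurity_rules_file /usr/local/nginx/conf/modsecurity.conf;
        # ...
    }
}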
在浏览器中访问:
http://www.52os.net/phpinfo.php?id=1 正常显示。
http://www.52os.net/phpinfo.php?id=1 and 1=1 返回403。
http://www.52os.net/phpinfo.php?search=<scritp>alert('xss');</script> 返回403。
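# Validate the new configuration before reloading, then follow the audit log.
# `tail -f` never returns, so it has to be the last command; in the original it
# came first and the configtest/reload would never have executed in a script.
service nginx configtest
service nginx reload
tail -f /var/log/modsec_audit.log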