nginx-quic-waf 部署 nginx


https://hub.docker.com/r/yumechang/nginx-quic

https://github.com/google/boringssl


-hg: nginx-quic 分支已并入 nginx 主线(1.25.0 起主线自带 HTTP/3/QUIC 支持),hg.nginx.org 上的主线版本为 1.27.2

https://abc.htmltoo.com/thread-46839.htm


# run

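# Production container. HTTP/3 needs UDP 443 published alongside TCP 443.
# --privileged=true dropped: nginx does not need it (it runs fine with Docker's
# default capability set), and a privileged container with the host's /data
# mounted is effectively host root for anyone who gets code execution in nginx
# or a FastCGI backend. If a module really needs an extra capability, grant that
# one with --cap-add=<CAP> instead. --user=root is kept because the nginx master
# is meant to start as root, bind its ports and drop the workers to the `nginx`
# user (--user=nginx in the configure line on this page).
docker run -d \
  --name quic --hostname quic \
  -p 80:80 -p 443:443/tcp -p 443:443/udp \
  --restart=always \
  --user=root \
  --security-opt no-new-privileges \
  -e TZ='Asia/Shanghai' \
  --ulimit nofile=262144:262144 \
  -v /data/site/docker/env/nginx/nginx/nginx.conf:/etc/nginx/nginx.conf:ro \
  -v /data/site/docker/env/nginx/nginx/conf.d:/etc/nginx/conf.d:ro \
  -v /data/site/docker/env/nginx/nginx/fastcgi_params:/etc/nginx/fastcgi_params:ro \
  -v /data/site:/data/site \
  -v /data/file:/data/file \
  hub.htmltoo.com:5000/nginx:quicwaf-1.25.5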

# labs

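# Lab / build container: no ports published, reachable over the docker network
# only. The two commands below are ALTERNATIVES, not a sequence — both use
# --name quicwaf, so `docker rm -f quicwaf` before switching images.
# --privileged=true dropped for the same reason as the production container:
# nothing here (building nginx, running it) needs it, and a privileged container
# with /data mounted is effectively host root. --user=root is kept so the nginx
# master can bind its ports and drop workers to the `nginx` user.
docker run -d \
  --name quicwaf --hostname quic \
  --restart=always \
  --user=root \
  --security-opt no-new-privileges \
  -e TZ='Asia/Shanghai' \
  --ulimit nofile=262144:262144 \
  -v /data/site/docker/env/nginx/quic/nginx.conf:/etc/nginx/nginx.conf:ro \
  -v /data/site/docker/env/nginx/quic/conf.d:/etc/nginx/conf.d:ro \
  -v /data/site/docker/env/nginx/quic/fastcgi_params:/etc/nginx/fastcgi_params:ro \
  -v /data/site:/data/site \
  -v /data/file:/data/file \
  yumechang/nginx-quic:1.23.4

# Same lab container, started from the locally built image instead.
docker run -d \
  --name quicwaf --hostname quic \
  --restart=always \
  --user=root \
  --security-opt no-new-privileges \
  -e TZ='Asia/Shanghai' \
  --ulimit nofile=262144:262144 \
  -v /data/site/docker/env/nginx/quic/nginx.conf:/etc/nginx/nginx.conf:ro \
  -v /data/site/docker/env/nginx/quic/conf.d:/etc/nginx/conf.d:ro \
  -v /data/site/docker/env/nginx/quic/fastcgi_params:/etc/nginx/fastcgi_params:ro \
  -v /data/site:/data/site \
  -v /data/file:/data/file \
  hub.htmltoo.com:5000/nginx:quicwaf-1.25.5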


---配置Nginx---

    server {
...
    # 用以支持HTTP/2
    http2 on;
    # 用于支持Quic或HTTP/3
    listen 443 quic reuseport;
    listen [::]:443 quic reuseport;
    listen 443 ssl; # 启用 http2 协议浏览器不支持 http3 时,可以选择 http2
...
    ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3;
...
    # Quic或HTTP/3响应头
    add_header Alt-Svc 'quic=":443"; h3-27=":443";h3-25=":443"; h3-T050=":443"; h3-Q050=":443";h3-Q049=":443";h3-Q048=":443"; h3-Q046=":443"; h3-Q043=":443"';
    # HSTS
    add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
...

    }


# Interactive shell in the production container (quic) ...
docker exec --interactive --tty quic /bin/bash

# ... and in the lab/build container (quicwaf).
docker exec --interactive --tty quicwaf /bin/bash


-ModSecurity

https://github.com/owasp-modsecurity/ModSecurity

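# libmodsecurity (ModSecurity v3 engine; the nginx connector is built separately).
# The original cloned the default branch, which makes the WAF engine itself an
# unpinned, unreviewed supply-chain input — pin a release tag (the v3.0.x series)
# taken from the project's releases page.
MODSEC_TAG="${MODSEC_TAG:?set to a ModSecurity v3 release tag (v3.0.x)}"
cd /usr/local/ || exit 1
git clone --depth 1 --branch "$MODSEC_TAG" https://github.com/owasp-modsecurity/ModSecurity.git
cd ModSecurity/ || exit 1
git submodule update --init
sh build.sh
./configure
# Installs under /usr/local/modsecurity by default; the ModSecurity-nginx
# connector's config script looks there unless MODSECURITY_INC / MODSECURITY_LIB
# point it elsewhere.
make -j"$(nproc)" && make install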


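MOD=/data/site/htmltoo.f/htmltoo.soft/src/common/nginx-module
cd "$MOD" || exit 1

# nginx connector for libmodsecurity. Pin a release tag rather than building the
# default branch (same supply-chain argument as for the engine).
MODSEC_NGINX_TAG="${MODSEC_NGINX_TAG:?set to a ModSecurity-nginx release tag}"
git clone --depth 1 --branch "$MODSEC_NGINX_TAG" https://github.com/owasp-modsecurity/ModSecurity-nginx.git
# NOTE(review): the nginx ./configure line on this page never references this
# checkout, so nothing from ModSecurity ends up in the binary. To actually use
# it, add
#   --add-dynamic-module="$MOD/ModSecurity-nginx"
# to configure and load it in nginx.conf with
#   load_module modules/ngx_http_modsecurity_module.so;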


-编译nginx

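NGX_VER=1.25.5
MOD=/data/site/htmltoo.f/htmltoo.soft/src/common/nginx-module
cd "$MOD" || exit 1

# Fetch over HTTPS and verify the detached PGP signature. The original pulled
# the tarball over plain http:// with no check, so an on-path attacker could
# hand us a different nginx. Release signing keys are published under
# https://nginx.org/keys/ — import the key for this release before verifying.
wget "https://nginx.org/download/nginx-${NGX_VER}.tar.gz" \
     "https://nginx.org/download/nginx-${NGX_VER}.tar.gz.asc"
gpg --verify "nginx-${NGX_VER}.tar.gz.asc" "nginx-${NGX_VER}.tar.gz" || exit 1
tar -xzf "nginx-${NGX_VER}.tar.gz" && rm -f "nginx-${NGX_VER}.tar.gz"
cd "nginx-${NGX_VER}" || exit 1

# Changes from the original configure line:
#  * --with-cc-opt was given TWICE. nginx's configure keeps only the last value,
#    so the trailing `--with-cc-opt=-Wl,-rpath,...` silently replaced the whole
#    hardening set (-fstack-protector-strong, -D_FORTIFY_SOURCE=2,
#    -Werror=format-security, -fPIC). The rpath is a linker flag and now lives
#    in --with-ld-opt; the hardening flags are back in --with-cc-opt.
#  * -ffile-prefix-map=/data/builder/.../nginx-1.25.4=. dropped: it is a
#    reproducible-build path rewrite copied from the nginx.org Debian package
#    and only has an effect inside that package's build tree.
#  * duplicate --with-stream / --with-http_dav_module removed.
#  * nginx-dav-ext-module was passed as both --add-module and
#    --add-dynamic-module; kept static. If it is meant to be loaded with
#    load_module, use --add-dynamic-module only.
#  * lua-nginx-module expects LUAJIT_LIB / LUAJIT_INC exported before configure
#    (not shown on this page); the rpath below assumes LuaJIT in /usr/local/luajit.
#  * pcre-8.45 is the final PCRE1 release (project end-of-life); nginx >= 1.21.5
#    supports PCRE2 — plan the switch. Likewise check openssl-3.2.1 against the
#    current 3.2.x patch release before shipping.
#  * NOTE(review): ModSecurity-nginx (cloned elsewhere on this page) is not in
#    this list; add --add-dynamic-module="$MOD/ModSecurity-nginx" if the
#    WAF is wanted.
./configure \
  --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib/nginx/modules \
  --conf-path=/etc/nginx/nginx.conf \
  --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log \
  --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock \
  --http-client-body-temp-path=/var/cache/nginx/client_temp \
  --http-proxy-temp-path=/var/cache/nginx/proxy_temp \
  --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp \
  --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp \
  --http-scgi-temp-path=/var/cache/nginx/scgi_temp \
  --user=nginx --group=nginx \
  --with-compat --with-file-aio --with-threads \
  --with-http_addition_module --with-http_auth_request_module --with-http_dav_module \
  --with-http_flv_module --with-http_gunzip_module --with-http_gzip_static_module \
  --with-http_mp4_module --with-http_random_index_module --with-http_realip_module \
  --with-http_secure_link_module --with-http_slice_module --with-http_ssl_module \
  --with-http_stub_status_module --with-http_sub_module \
  --with-http_v2_module --with-http_v3_module \
  --with-mail --with-mail_ssl_module \
  --with-stream --with-stream_realip_module --with-stream_ssl_module --with-stream_ssl_preread_module \
  --with-cc-opt='-g -O2 -fstack-protector-strong -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fPIC' \
  --with-ld-opt='-Wl,-z,relro -Wl,-z,now -Wl,--as-needed -pie -Wl,-rpath,/usr/local/luajit/lib' \
  --with-openssl="$MOD/openssl-3.2.1" \
  --with-pcre="$MOD/pcre-8.45" \
  --add-module="$MOD/ngx_http_geoip2_module" \
  --add-module="$MOD/ngx_brotli" \
  --add-module="$MOD/ngx_devel_kit-0.3.3" \
  --add-module="$MOD/lua-nginx-module-0.10.26" \
  --add-module="$MOD/nginx-dav-ext-module" \
  --add-module="$MOD/nginx-module-vts" \
  --add-module="$MOD/ngx_waf/current/ngx_waf"

make -j"$(nproc)" && make install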


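IMG=hub.htmltoo.com:5000/nginx:quicwaf-1.25.5

# Snapshot the build container as an image. NOTE: `docker commit` captures the
# whole container filesystem — apt caches, cloned source trees, shell history
# and any credentials used during the build all end up in the published image.
# A Dockerfile (multi-stage, copying only /usr/sbin/nginx and the modules) is
# the reproducible, auditable replacement for this step.
docker commit -m "update" -a "htmltoo.com" quicwaf "$IMG"

# Registry on :5000 — make sure it is served over TLS, or is an
# "insecure-registries" entry that only listens on a private network.
docker push "$IMG"

# Export. pipefail so a failed `docker save` cannot leave a truncated archive
# that is later loaded as if it were good.
set -o pipefail
docker save "$IMG" | gzip > /data/site/htmltoo.f/htmltoo.up/soft/docker.tar/nginx-quicwaf-1.25.5.tar.gz

# load - import the archive on the target host (docker load reads gzip directly)
docker load < /opt/nginx-quicwaf-1.25.5.tar.gz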


---验证 HTTP3 生效(需在防火墙放行 UDP 443,并确认响应中带有 Alt-Svc 头)---

https://http3check.net


-------

---编译---

    --with-debug \

    --with-http_v3_module \

    --with-http_v2_module \

    --with-cc-opt="-I../boringssl/include"    --with-ld-opt="-L../boringssl/build/ssl  -L../boringssl/build/crypto"


-克隆 quictls/openssl(建议固定到一个发布分支或标签,而不是默认分支的最新提交)

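MOD=/data/site/htmltoo.f/htmltoo.soft/src/common/nginx-module
cd "$MOD" || exit 1

# quictls = OpenSSL with the QUIC API patches. The original cloned the default
# branch; pin a release branch/tag from the quictls repository before a
# production build so the TLS library in the image is a known revision.
git clone --depth 1 --recursive https://github.com/quictls/openssl.git
cd openssl || exit 1
./Configure --prefix="$MOD/quictls" --openssldir="$MOD/quictls"
make -j"$(nproc)"
make install_dev

# NOTE(review): nginx's --with-openssl=DIR expects an OpenSSL *source* tree (nginx
# runs that tree's Configure itself), not this install prefix. To build nginx
# against the installed quictls, point the compiler/linker at it instead:
#   --with-cc-opt="-I$MOD/quictls/include"
#   --with-ld-opt="-L$MOD/quictls/lib64 -Wl,-rpath,$MOD/quictls/lib64"
# (lib vs lib64 depends on the platform — check what install_dev created).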


-headers-more-nginx-module

https://github.com/openresty/headers-more-nginx-module

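MOD=/data/site/htmltoo.f/htmltoo.soft/src/common/nginx-module
# headers-more rewrites request/response headers on every request, so its
# revision matters: pin a release tag instead of the default branch.
HEADERS_MORE_TAG="${HEADERS_MORE_TAG:?set to a headers-more-nginx-module release tag}"
cd "$MOD" || exit 1
git clone --depth 1 --recursive --branch "$HEADERS_MORE_TAG" https://github.com/openresty/headers-more-nginx-module.git

# configure flag to link it into the nginx build (static):
#   --add-module="$MOD/headers-more-nginx-module"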


-nginxscript: 实现请求头验证或者分流

https://github.com/nginx/njs (http://hg.nginx.org/njs 是 Mercurial 仓库,不能用 git clone 直接克隆)

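MOD=/data/site/htmltoo.f/htmltoo.soft/src/common/nginx-module
# njs (nginx JavaScript). The original ran `git clone` against
# http://hg.nginx.org/njs — a Mercurial repository over plain HTTP — which fails
# outright (and would be an unauthenticated fetch if it did not). Use the git
# repository over HTTPS and pin a release tag.
NJS_TAG="${NJS_TAG:?set to an njs release tag}"
cd "$MOD" || exit 1
git clone --depth 1 --branch "$NJS_TAG" https://github.com/nginx/njs.git

# configure flag (dynamic module; load it in nginx.conf with
# `load_module modules/ngx_http_js_module.so;`):
#   --add-dynamic-module="$MOD/njs/nginx"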


---

https://github.com/ninja-build/ninja/releases/

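# ninja is only needed to build BoringSSL. The original copied an unverified
# release binary straight into /usr/bin. Either use the distro package
# (`apt-get install -y ninja-build`) or, as below, verify the archive's SHA-256
# against a value obtained out of band before installing it.
NINJA_VER=1.11.1
NINJA_SHA256="${NINJA_SHA256:?sha256 of ninja-linux.zip for v${NINJA_VER}, from an out-of-band source}"
wget "https://github.com/ninja-build/ninja/releases/download/v${NINJA_VER}/ninja-linux.zip"
printf '%s  ninja-linux.zip\n' "$NINJA_SHA256" | sha256sum -c - || exit 1
unzip -o ninja-linux.zip && rm -f ninja-linux.zip
install -m 0755 ninja /usr/bin/ninja
command -v ninja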


https://github.com/google/boringssl.git

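# Toolchain for BoringSSL: C/C++ compiler, CMake and Go (its build uses Go).
# Install the toolchain before cloning/building; software-properties-common
# provides add-apt-repository, which the original called without installing it.
apt-get update
apt-get install -y build-essential cmake software-properties-common
# ppa:longsleep/golang-backports is a third-party PPA (BoringSSL wants a recent
# Go and Ubuntu's own golang-go can lag). Treat it as a supply-chain input; the
# official tarball from https://go.dev/dl/, verified by its published checksum,
# is the alternative.
add-apt-repository -y ppa:longsleep/golang-backports
apt-get update
apt-get install -y openssl golang-go libpcre3 libpcre3-dev libssl-dev zlib1g-dev

# BoringSSL has no releases and no API/ABI stability promise, so record the
# commit you built from — that hash is the only way to reproduce this image.
git clone --depth=1 https://github.com/google/boringssl.git
git -C boringssl rev-parse HEAD

# Build in boringssl/build; the subshell keeps the caller's working directory
# (the original did cd ../../ by hand).
( cd boringssl && mkdir -p build && cd build && cmake -GNinja .. && ninja )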


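# Dynamic modules are bound to the exact nginx version: nginx refuses a module
# built against another release ("module ... version X instead of Y"), so the
# .so from the 1.25.4 tree that the original copied will not load in the 1.25.5
# container. Copy the artifact built against the same source tree and configure
# options (--with-compat) as the running binary.
# NOTE(review): ngx_waf is already linked statically via --add-module in the
# configure line on this page; if ngx_http_waf_module.so is that same module,
# loading it again with load_module will fail — pick static or dynamic, not both.
NGX_VER=1.25.5
MODULE="/data/site/docker/env/nginx/nginx/modules/${NGX_VER}/ngx_http_waf_module.so"
[[ -f "$MODULE" ]] || { printf 'missing %s (build it against nginx %s first)\n' "$MODULE" "$NGX_VER" >&2; exit 1; }
docker cp "$MODULE" quicwaf:/etc/nginx/modules/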


https://juejin.cn/post/7292957290889953291



