一、防火墙配置
二、下载安装文件
1. 下载程序
cd /opt
wget https://github.com/LuaJIT/LuaJIT/archive/refs/tags/v2.0.5.tar.gz -O luajit-v2.0.5.tar.gz
wget https://github.com/simpl/ngx_devel_kit/archive/v0.3.4.tar.gz -O ngx_devel_kit-0.3.4.tar.gz
wget https://github.com/openresty/lua-nginx-module/archive/v0.10.9rc7.tar.gz -O lua-nginx-module-0.10.9rc7.tar.gz
wget http://nginx.org/download/nginx-1.19.3.tar.gz -O nginx-1.19.3.tar.gz
2. 逐项解压
tar -xzvf luajit-v2.0.5.tar.gz
tar -xzvf ngx_devel_kit-0.3.4.tar.gz
tar -xzvf lua-nginx-module-0.10.9rc7.tar.gz
tar -xzvf nginx-1.19.3.tar.gz
三、安装
1. 安装lua环境
cd /opt/LuaJIT-2.0.5/
make && make install
export LUAJIT_LIB=/usr/local/lib
export LUAJIT_INC=/usr/local/include/luajit-2.0
echo "/usr/local/lib" >> /etc/ld.so.conf
ldconfig
2. 安装nginx,需要包含nginx lua模块
cd /opt/nginx-1.19.3
./configure --prefix=/usr/local/nginx \
--add-module=/opt/ngx_devel_kit-0.3.4 \
--add-module=/opt/lua-nginx-module-0.10.9rc7
make && make install
四、配置lua防火墙
1. 下载lua防火墙代码
cd /usr/local/nginx/conf
git clone https://github.com/loveshell/ngx_lua_waf.git
2. 加载lua防火墙配置,vi /usr/local/nginx/conf/nginx.conf,http中加入以下红色部分配置
http {
# 其它配置
...
lua_package_path "/usr/local/nginx/conf/ngx_lua_waf/?.lua";
lua_shared_dict limit 10m;
init_by_lua_file /usr/local/nginx/conf/ngx_lua_waf/init.lua;
access_by_lua_file /usr/local/nginx/conf/ngx_lua_waf/waf.lua;
}
3. 修改防火墙配置RulePath值,vi /usr/local/nginx/conf/ngx_lua_waf/config.lua
# 默认值是`/usr/local/nginx/conf/waf/wafconf/` /waf 改为 /ngx_lua_waf
RulePath = "/usr/local/nginx/conf/ngx_lua_waf/wafconf/"
4. 启动nginx
/usr/local/nginx/sbin/nginx
五、测试
1. 测试url中的关键字,出现拦截页面表示配置成功, 拦截参数在/usr/local/nginx/conf/ngx_lua_waf/wafconf/url文件
2. 测试post关键字
六、准备演示环境
1. 前端演示页面
<html>
<head>
<title>登陆</title>
<meta charset="utf-8">
</head>
<body>
<div>
用户名:<input type="text" name="user" id="txtUser"><br>
密码:<input type="password" name="pwd" id="txtPassword"><br>
<input type="button" onclick="login('login')" value="登陆"> <br>
<div id="divMsg"></div>
<script>
function login(action) {
var httpRequest = new XMLHttpRequest()
httpRequest.onreadystatechange = function () {
if (httpRequest.readyState == 4) {
document.getElementById("divMsg").innerText = httpRequest.responseText
}
}
httpRequest.open('POST', `/api/${action}`, true)
httpRequest.setRequestHeader(
'Content-type',
'application/x-www-form-urlencoded'
)
var user = document.getElementById("txtUser").value
var pwd = document.getElementById("txtPassword").value
var str = `username=${user}&password=${pwd}`
httpRequest.send(str)
}
</script>
</div>
</body>
</html>
2. 服务端演示代码,模拟SQL注入
@Autowired
JdbcTemplate jdbcTemplate;
/**
* 拼sql查询
*
* @param user
* @return
*/
@PostMapping("/login")
public String login(User user) {
String sql = "select * from sys_user where user_name = '" + user.getUsername() + "' and pass_word = '" + user.getPassword() + "'";
System.out.println("SQL:");
System.out.println(sql);
List<Map<String, Object>> maps = jdbcTemplate.queryForList(sql);
System.out.println(maps.size());
if (maps.size() > 0) {
return"login success";
} else {
return"login fail";
}
}
3. nginx代理设置
location /api/ {
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header REMOTE-HOST $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_pass http://192.168.1.18:8093/;
}
4. 配置拦截参数(lua防火墙通过检测post表单中的关键字实现拦截)。
# 设置SQL注入的关键参数
echo "'\s+or\s+" >> /usr/local/nginx/conf/ngx_lua_waf/wafconf/post
# 重新加载,使配置生效
/usr/local/nginx/sbin/nginx -s reload
七、效果演示
1. 正常登陆
2. 注入成功,在配置post拦截参数以前的效果
3. 注入被拦截,在配置post拦截参数以后的效果