Home >Backend Development >PHP Tutorial >Security foundation of nginx (nginx+waf+lua)
Thanks to the great people on the Internet for providing the documentation.
nginx waf +lua security module construction , web application firewall on nginx
Required software:
1. LuaJIT download website: http://luajit.org (current stable version: 2.0.4 )
2, ngx_devel_kit-0.2.19.tar
3, lua-nginx-module-0.9.5rc2.tar
4, master.zip
5, nginx
optimize nginx package
1, libunwind
2, gperftools
1. Install LuaJIT
tar -zxvf LuaJIT.tar.gz
make
make install
After installation, lib, include Place directly in /usr/local/lib and /usr/local/include
2. Unzip ngx_devel_kit, lua-nginx-module
3. Set environment variables
export LUAJIT_LIB=/usr /local/lib
export LUAJIT_INC=/usr/local/include/luajit-2.0
export LD_LIBRARY_PATH=/usr/local/lib/:$LD_LIBRARY_PATH
4. Install nginx (version 1.6.1 , failed in 1.9.4)
4.1 optimized nginx
vim /usr/local/src/nginx-1.6.1/auto/cc/gcc
Comments: #debug
#CFLAGS ="$CFLAGS -g"
Explanation: Turn off the nginx debug module and reduce the size of the nginx installation package
4.2 Optimize nginx
Explanation: Optimize nginx performance, improve memory allocationefficiency and speed a lot, Reduce load. Need to install libunwind and gperftools
4.2.1 Install libunwind
tar -xf /usr/local/src/libunwind.tar.gz
cd /usr/local/src/libunwind
CFLA GS =-fPIC ./configure
make CFLAGS=-fPIC
make CFLAGS=-fPIC install
4.2.2 Install gperftools
tar -xf /usr/local/src/gperftools.tar.gz
cd / usr/local/src/gperftools
make && make install
mkdir /tmp/tcmalloc //Create a tcmalloc thread to write the file
777 echo "/usr/local /lib" >/etc/ld.so.conf.d/usr_local_lib.conf #Enable the configuration of google_perftools_profiles in nginx.conf to take effect
4.2.3 Install nginx
cd /usr/local/src/ nginx-1.6.1/
For example: Production environment: Note that the paths of ngx_devel_kit-0.2.19 and lua-nginx-module-0.9.5rc2 must be correct--prefix=/usr/local/nginx --user=nginx --group=nginx --with-http_stub_status_module --with-http_ssl_module --with-file-aio --with-http_realip_module --add-module=/usr/local/nginx_upstream_check_module-master --with-http_stub_status_module --add- module=/usr/local/src/ngx_devel_kit-0.2.19 --add-module=/usr/local/src/lua-nginx-module-0.9.5rc2 --with-google_perftools_module
make && make install
4.2.4 adds ngx_lua_waf_master
unzip -o /usr /local/src/ngx_lua_waf_master.zip mv /usr/local/src/ngx_lua_waf_master /usr/local/nginx/conf/waf
#Create a folder to store waf logs, which requires write permission mkidr /home /nignx_waf_log/
chmod 777 /home/nginx_waf_log/
vim /usr/local/src/nginx/conf/waf/conf.lua
RulePath = "/ usr/local/nginx-help /conf/waf/wafconf/" #Specify the waf rule storage folder logdir = "/home/nginx_waf_log" #Specify the waf log storage location
vim /usr/local/nginx/conf/nginx.conf #Add under pid, support gperftools library
#Add under http lua_package_path "/usr/local/nginx/conf/waf/?.lua";
dict lua_shared_ limit 10m;
init_by_lua_file /usr/local/nginx/conf/waf/init.lua;
access_by_lua_file /usr/local/nginx/conf/waf/waf.lua;
Then start nginx
and add the website sub-connection url? id=../etc/passwd; Check whether the firewall blocking page will appear
lsof -n | greo tcmalloc Check whether gperftools is running normally
In official use, use the one provided on www.wooyun.org waf module, the rules can be modified according to your needs
The above introduces the security foundation of nginx (nginx+waf+lua), including the relevant content. I hope it will be helpful to friends who are interested in PHP tutorials.