运维安全——安全防护-OpenResty

OpenResty® 是一个基于 Nginx 与 Lua 的高性能 Web 平台，其内部集成了大量精良的 Lua 库、第三方模块以及大多数的依赖项。用于方便地搭建能够处理超高并发、扩展性极高的动态 Web 应用、Web 服务和动态网关。

安装

安装OpenResty

• 安装依赖包 $ yum install -y readline-devel pcre-devel openssl-devel gcc
• 下载最新OpenResty源码包 $ cd /usr/local/src/ $ wget https://openresty.org/download/openresty-1.15.8.2.tar.gz
• 编译安装： $ tar zxvf openresty-1.15.8.2.tar.gz $ cd openresty-1.15.8.2/ $ ./configure --prefix=/usr/local/openresty --with-luajit --with-http_stub_status_module --with-pcre --with-pcre-jit $ gmake && gmake install 补充： 关于gmake和make的区别

配置waf规则

• 下载waf规则lua文件：waf

$ cd /usr/local/src
$ git clone https://github.com/unixhot/waf.git
$ cp -a /usr/local/src/waf/waf  /usr/local/openresty/nginx/conf

• 配置OpenResty：vim /usr/local/openresty/nginx/conf/nginx.conf http { include mime.types; default_type application/octet-stream; lua_shared_dict limit 50m; lua_package_path "/usr/local/openresty/nginx/conf/waf/?.lua"; init_by_lua_file "/usr/local/openresty/nginx/conf/waf/init.lua"; access_by_lua_file "/usr/local/openresty/nginx/conf/waf/access.lua";
• 配置拦截后返回信息：vim /usr/local/openresty/nginx/conf/waf/config.lua --if config_waf_output ,setting url config_waf_redirect_url = "https://www.baidu.com" -- 重定向返回的url config_output_html=[[ ... ]]
• 启动OpenResty： $ /usr/local/openresty/nginx/sbin/nginx -t $ /usr/local/openresty/nginx/sbin/nginx
• 启动报错： nginx: [error] lua_load_resty_core failed to load the resty.core module from https://github.com/openresty/lua-resty-core; ensure you are using an OpenResty release from https://openresty.org/en/download.html (rc: 2, reason: module 'resty.core' not found: no field package.preload['resty.core'] no file '/usr/local/openresty/nginx/conf/waf/resty/core.lua' no file '/usr/local/openresty/site/lualib/resty/core.so' no file '/usr/local/openresty/lualib/resty/core.so' no file './resty/core.so' no file '/usr/local/lib/lua/5.1/resty/core.so' no file '/usr/local/openresty/luajit/lib/lua/5.1/resty/core.so' no file '/usr/local/lib/lua/5.1/loadall.so' no file '/usr/local/openresty/site/lualib/resty.so' no file '/usr/local/openresty/lualib/resty.so' no file './resty.so' no file '/usr/local/lib/lua/5.1/resty.so' no file '/usr/local/openresty/luajit/lib/lua/5.1/resty.so' no file '/usr/local/lib/lua/5.1/loadall.so')
• 解决上述报错：错误原因是找不到lualib库和resty模块，默认到/usr/local/lib/ 去找lualib，然而在编译安装OpenResty时lualib库默认放到/usr/local/openresty/lualib $ ln -s /usr/local/openresty/lualib /usr/local/lib/lua $ ln -s /usr/local/openresty/lualib/resty /usr/local/openresty/nginx/conf/waf/resty
• 启动成功： $ /usr/local/openresty/nginx/sbin/nginx $ netstat -lntp Active Internet connections (only servers) Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 20273/nginx: master
• 在浏览器访问：示例

20190918156878182765768.png

关于waf的使用，可参考：README

(adsbygoogle = window.adsbygoogle || []).push({});