[openresty] CC and blacklist/whitelist defense configuration
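Download and install openresty
Download the https://github.com/unixhot/waf configuration
Notes
When using the open-source waf Lua scripts from unixhot, these are the places that need to be modified
Modify nginx.conf
Add the following to the http block, replacing {path} with your own path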
lua_shared_dict limit 50m;
lua_package_path "{path}/openresty-1.19.9.1-win64/lualib/?.lua;{path}/openresty-1.19.9.1-win64/conf/waf/?.lua;";
init_by_lua_file "{path}/openresty-1.19.9.1-win64/conf/waf/init.lua";
access_by_lua_file "{path}/openresty-1.19.9.1-win64/conf/waf/access.lua";
修改waf/config.lua
config_rule_dir = "{path}/openresty-1.19.9.1-win64/conf/waf/rule-config"
Note the on/off switch variable for each defense
--enable/disable white url
config_white_url_check = "on"
--enable/disable white ip
config_white_ip_check = "on"
--enable/disable block ip
config_black_ip_check = "on"
--enable/disable url filtering
config_url_check = "on"
--enable/disable url args filtering
config_url_args_check = "on"
--enable/disable user agent filtering
config_user_agent_check = "on"
--enable/disable cookie deny filtering
config_cookie_check = "on"
--enable/disable cc filtering
config_cc_check = "on"
--cc rate: number of requests allowed / within this many seconds
config_cc_rate = "20/60"
--enable/disable post filtering
config_post_check = "on"
Policy after a request is blocked
--config waf output redirect/html
config_waf_output = "html"
-- If config_waf_output is set to redirect, config_waf_redirect_url must be configured
--config_waf_redirect_url = "https://www.unixhot.com"
config_output_html=[[
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta http-equiv="Content-Language" content="zh-cn" />
<title>WAF</title>
</head>
<body>
<h1 align="center"> 访问过于频繁,请稍后重试</h1>
</body>
</html>
]]
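Judging from the Lua code, blacklist and CC hits are answered with a 403 directly; if you need something else, you can change that yourself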
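How a count/seconds setting such as config_cc_rate = "20/60" can be enforced against a shared dict like `limit`, as an added example that is not the unixhot/waf code. The names parse_rate, cc_allow and fake_dict are hypothetical, and the dict stand-in and client address are constructed so the block runs under plain Lua.

```lua
-- Added example; not code from unixhot/waf. All function names are hypothetical.
-- Split a "count/seconds" setting such as config_cc_rate = "20/60".
local function parse_rate(rate)
    local count, seconds = string.match(rate, "^(%d+)/(%d+)$")
    assert(count, "rate must look like 20/60, got: " .. tostring(rate))
    return tonumber(count), tonumber(seconds)
end

-- Fixed-window counter keyed on client address plus path. `dict` must offer
-- incr(key, value, init, init_ttl) as ngx.shared.DICT does; the combined call
-- is atomic, so concurrent workers cannot lose updates between a get and a set.
local function cc_allow(dict, max, window, client_ip, uri)
    local n, err = dict:incr(client_ip .. "|" .. uri, 1, 0, window)
    if not n then
        return true, err   -- fails open if the dict is full (assumption: availability first)
    end
    return n <= max
end

-- Constructed stand-in for ngx.shared.limit so the demo runs under plain Lua.
local function fake_dict(clock)
    local store = {}
    return {
        incr = function(_, key, value, init, ttl)
            local e = store[key]
            if not e or e.expires <= clock.now then
                e = { n = init, expires = clock.now + ttl }
                store[key] = e
            end
            e.n = e.n + value
            return e.n
        end,
    }
end

-- Demo with a constructed client: 25 requests to one path inside one window.
local clock = { now = 0 }
local dict = fake_dict(clock)
local max, window = parse_rate("20/60")
local blocked = 0
for _ = 1, 25 do
    if not cc_allow(dict, max, window, "203.0.113.7", "/login") then
        blocked = blocked + 1
    end
end
assert(blocked == 5)              -- requests 21 to 25 exceed the limit
clock.now = window + 1            -- the window has expired, the counter restarts
assert(cc_allow(dict, max, window, "203.0.113.7", "/login"))
print("blocked in first window: " .. blocked)
```

Inside access.lua the same function would be called with ngx.shared.limit, ngx.var.remote_addr and ngx.var.uri, and the caller decides whether a false result becomes a plain 403 or the configured config_output_html page.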
Test configuration
http {
    include mime.types;
    default_type application/octet-stream;
    sendfile on;
    keepalive_timeout 65;
    gzip on;
    lua_shared_dict limit 50m;
    lua_package_path "{path}/openresty-1.19.9.1-win64/lualib/?.lua;{path}/openresty-1.19.9.1-win64/conf/waf/?.lua;";
    init_by_lua_file "{path}/openresty-1.19.9.1-win64/conf/waf/init.lua";
    access_by_lua_file "{path}/openresty-1.19.9.1-win64/conf/waf/access.lua";
    server {
        listen 80;
        server_name localhost;
        location / {
            lua_code_cache off; # do not use "off" in production; the code cache keeps Lua scripts in memory
            default_type text/html;
            content_by_lua_block {
                ngx.say("HelloWorld")
            }
        }
    }
}
This post is only a record of the pitfalls encountered. Thanks to unixhot for open-sourcing the project; GitHub address: https://github.com/unixhot/waf