banner
moeyy

moeyy

一条有远大理想的咸鱼。
github
mastodon
email
HomeArchivesNextJS BlogApps

Deploying a web application firewall Ngx_lua_waf on VPS host to resist CC attacks and protect data security.

28
AI Translation
This post is translated from Chinese into English through AI.View Original
AI-generated summary
The article discusses the deployment of the Ngx_lua_waf web application firewall on VPS hosting to protect against CC attacks and ensure data security. It highlights the lack of specialized personnel for managing VPS hosting and the need for individuals to handle technical issues themselves. The Ngx_lua_waf module is recommended as a lightweight and high-performance solution for preventing web attacks such as SQL injection, XSS, SSRF, and webshell uploads. The installation requirements and usage instructions are provided, including the configuration of the waf rules directory and the option to enable attack information logging. The article concludes by mentioning the importance of testing the configuration and restarting Nginx after installation.

Service Introduction#

More and more people are using VPS hosts to build websites. However, compared to shared hosting or managed servers, personal VPS hosts are basically unmanaged. This means that the host provider is only responsible for the network connectivity of the VPS host, and any technical issues need to be resolved by the user. Websites are often subjected to scanning, injection, overflow, and other automated attacks.

image

Commercial shared hosting has dedicated operations engineers to ensure security. As mentioned above, VPS and other virtual cloud machines do not have dedicated personnel for assistance, so we need to handle everything ourselves. Today, I will introduce a very good Nginx (openresty) web application firewall module called ngx_lua_waf. ngx_lua_waf is a web application firewall based on ngx_lua. The code is very simple, and the developer's intention is to make it easy to use while maintaining its lightweight characteristics.

Main Functions of Ngx_lua_waf#

Prevent SQL injection, local inclusion, certain overflow, fuzzing testing, XSS, SSRF, and other web attacks
Prevent leakage of files such as SVN/backups
Prevent attacks from stress testing tools like ApacheBench
Block common scanning hacker tools and scanners
Block abnormal network requests
Block PHP execution permissions in image attachment directories
Prevent webshell uploads

Here we can see that Ngx_lua_waf has a rich set of functions, which can effectively reject most scanning attacks and play a significant role in preventing websites from being compromised.

Installation Requirements#

The author of Ngx_lua_waf recommends using lujit2.1 for Lua support. If ngx_lua is version 0.9.2 or above, it is recommended to change the regular filtering function to ngx.re.find, which will improve matching efficiency by about three times. Our Nginx only needs to compile Lua support to deploy this web application firewall and add a security gate to our server.

Instructions for Use#

Let's assume that the installation path of Nginx is: /usr/local/nginx/conf/

We only need to download ngx_lua_waf to the conf directory, unzip it, and rename it to waf. Then, add the following lines to the http section of nginx.conf, or write a separate conf file and include it in nginx.conf.

lua_package_path "/usr/local/nginx/conf/waf/?.lua";
lua_shared_dict limit 10m;
init_by_lua_file  /usr/local/nginx/conf/waf/init.lua;
access_by_lua_file /usr/local/nginx/conf/waf/waf.lua;

Configure the rule directory in config.lua (usually in the waf/conf/ directory).

RulePath = "/usr/local/nginx/conf/waf/wafconf/"

Then, following the debugging guidelines, run nginx -t to check if the configuration is correct. If it indicates successful loading, we can restart nginx.

Detailed Configuration File Explanation:#

  • RulePath = "/usr/local/nginx/conf/waf/wafconf/"
  •     --Directory where rules are stored
  •     attacklog = "off"
  •     --Whether to enable attack information logging, logdir needs to be configured
  •     logdir = "/usr/local/nginx/logs/hack/"
  •     --Log storage directory, this directory needs to be created by the user and requires writable permissions for the nginx user
  •     UrlDeny="on"
  •     --Whether to intercept URL access
  •     Redirect="on"
  •     --Whether to intercept and redirect after blocking
  •     CookieMatch = "on"
  •     --Whether to intercept cookie attacks
  •     postMatch = "on"
  •     --Whether to intercept post attacks
  •     whiteModule = "on"
  •     --Whether to enable URL whitelist
  •     black_fileExt={"php","jsp"}
  •     --Specify disallowed file extension types for uploads
  •     ipWhitelist={"127.0.0.1"}
  •     --IP whitelist, separate multiple IPs with commas
  •     ipBlocklist={"1.0.0.1"}
  •     --IP blacklist, separate multiple IPs with commas
  •     CCDeny="on"
  •     --Whether to enable CC attack interception (requires adding lua_shared_dict limit 10m; to the http section of nginx.conf)
  •     CCrate = "100/60"
  •     --Set the frequency of CC attacks in seconds.
  •     --By default, the same IP can only request the same address 100 times within 1 minute
  •     html=[[Please go away~~]]
  •     --Warning content, you can customize it within the square brackets
  •     Note: Do not modify the double quotes randomly, and pay attention to case sensitivity.
Loading...
Ownership of this post data is guaranteed by blockchain and smart contracts to the creator alone.