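Operations Security: Security Protection with OpenResty
- October 5, 2019
- Notes
OpenResty® is a high-performance web platform based on Nginx and Lua. It bundles a large number of well-crafted Lua libraries, third-party modules, and most of their dependencies. It is used to conveniently build dynamic web applications, web services, and dynamic gateways that handle very high concurrency and scale extremely well.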
Installation
- Install the dependency packages:
    $ yum install -y readline-devel pcre-devel openssl-devel gcc
- Download the latest OpenResty source package:
    $ cd /usr/local/src/
    $ wget https://openresty.org/download/openresty-1.15.8.2.tar.gz
- Compile and install:
    $ tar zxvf openresty-1.15.8.2.tar.gz
    $ cd openresty-1.15.8.2/
    $ ./configure --prefix=/usr/local/openresty --with-luajit --with-http_stub_status_module --with-pcre --with-pcre-jit
    $ gmake && gmake install
  Additional note: the difference between gmake and make
Configuring the WAF rules
- Download the WAF rule Lua files: waf
    $ cd /usr/local/src
    $ git clone https://github.com/unixhot/waf.git
    $ cp -a /usr/local/src/waf/waf /usr/local/openresty/nginx/conf
- Configure OpenResty:
    vim /usr/local/openresty/nginx/conf/nginx.conf
    http {
        include       mime.types;
        default_type  application/octet-stream;
        lua_shared_dict limit 50m;
        lua_package_path "/usr/local/openresty/nginx/conf/waf/?.lua";
        init_by_lua_file "/usr/local/openresty/nginx/conf/waf/init.lua";
        access_by_lua_file "/usr/local/openresty/nginx/conf/waf/access.lua";
        # ... rest of the existing http block unchanged ...
    }
- Configure the response returned after a request is blocked:
    vim /usr/local/openresty/nginx/conf/waf/config.lua
    --if config_waf_output ,setting url
    config_waf_redirect_url = "https://www.baidu.com"  -- URL returned for the redirect
    config_output_html=[[ … ]]
- Start OpenResty:
    $ /usr/local/openresty/nginx/sbin/nginx -t
    $ /usr/local/openresty/nginx/sbin/nginx
- Startup error:
    nginx: [error] lua_load_resty_core failed to load the resty.core module from https://github.com/openresty/lua-resty-core; ensure you are using an OpenResty release from https://openresty.org/en/download.html (rc: 2, reason: module 'resty.core' not found:
        no field package.preload['resty.core']
        no file '/usr/local/openresty/nginx/conf/waf/resty/core.lua'
        no file '/usr/local/openresty/site/lualib/resty/core.so'
        no file '/usr/local/openresty/lualib/resty/core.so'
        no file './resty/core.so'
        no file '/usr/local/lib/lua/5.1/resty/core.so'
        no file '/usr/local/openresty/luajit/lib/lua/5.1/resty/core.so'
        no file '/usr/local/lib/lua/5.1/loadall.so'
        no file '/usr/local/openresty/site/lualib/resty.so'
        no file '/usr/local/openresty/lualib/resty.so'
        no file './resty.so'
        no file '/usr/local/lib/lua/5.1/resty.so'
        no file '/usr/local/openresty/luajit/lib/lua/5.1/resty.so'
        no file '/usr/local/lib/lua/5.1/loadall.so')
- Fixing the error above: the cause is that the lualib library and the resty module cannot be found. By default lualib is looked up under /usr/local/lib/, whereas a compiled install of OpenResty places the lualib library in /usr/local/openresty/lualib by default.
    $ ln -s /usr/local/openresty/lualib /usr/local/lib/lua
    $ ln -s /usr/local/openresty/lualib/resty /usr/local/openresty/nginx/conf/waf/resty
- Successful start:
    $ /usr/local/openresty/nginx/sbin/nginx
    $ netstat -lntp
    Active Internet connections (only servers)
    Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
    tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      20273/nginx: master
- Visit in a browser: example
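
The resty.core lookup failure shown above can be checked offline before restarting nginx. The script below is an added example, not code from the original post or from the waf project: it reads lua_package_path from an nginx.conf and reports which file, if any, would satisfy a require, so the effect of the symlinks (or of ending the directive's value with ;;, which lua-nginx-module documents as standing for the default search path) is visible. The function names, the LUALIB variable and the script file name are assumptions, and the default search path is modelled as the single entry $LUALIB/?.lua.

```shell
#!/bin/sh
# Added example, not from the original post. Resolves require("<module>") against
# the lua_package_path found in an nginx.conf, mirroring the failing lookup above.
# Assumption: ";;" is modelled as the single default entry $LUALIB/?.lua.
LUALIB="${LUALIB:-/usr/local/openresty/lualib}"

# Print the first uncommented lua_package_path value in the given nginx.conf.
get_lua_package_path() {
    sed -n -e '/^[[:space:]]*#/d' \
        -e 's/.*lua_package_path[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# resolve_lua_module CONF MODULE
# Prints the file that would satisfy the require; returns 1 if nothing matches.
resolve_lua_module() {
    rlm_rel=$(printf '%s' "$2" | tr '.' '/')      # resty.core -> resty/core
    rlm_path=$(get_lua_package_path "$1")
    [ -n "$rlm_path" ] || rlm_path=';;'           # directive absent: defaults apply
    # An empty entry (";;") stands for the default search path.
    rlm_path=$(printf '%s' "$rlm_path" | sed "s|;;|;$LUALIB/?.lua;|g")
    rlm_status=1
    rlm_ifs=$IFS; IFS=';'; set -f                 # split on ';' without globbing '?'
    for rlm_entry in $rlm_path; do
        [ -n "$rlm_entry" ] || continue
        rlm_file=$(printf '%s' "$rlm_entry" | sed "s|?|$rlm_rel|g")
        if [ -f "$rlm_file" ]; then
            printf '%s\n' "$rlm_file"
            rlm_status=0
            break
        fi
    done
    set +f; IFS=$rlm_ifs
    return "$rlm_status"
}

# Stand-alone use (hypothetical file name):
#   sh check_lua_path.sh /usr/local/openresty/nginx/conf/nginx.conf resty.core
if [ "$#" -eq 2 ]; then
    resolve_lua_module "$1" "$2" || { echo "module '$2' not found" >&2; exit 1; }
fi
```
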

For how to use the WAF, see: README