nginx lua防火墙防SQL注入配置
作者:遇见火星
本文详细介绍了基于Nginx和Lua的防火墙配置,文中通过示例代码介绍的非常详细,对大家的学习或者工作具有一定的参考学习价值,需要的朋友们下面随着小编来一起学习学习吧
一、防火墙配置
二、下载安装文件
1. 下载程序
cd /opt wget https://github.com/LuaJIT/LuaJIT/archive/refs/tags/v2.0.5.tar.gz -O luajit-v2.0.5.tar.gz wget https://github.com/simpl/ngx_devel_kit/archive/v0.3.4.tar.gz -O ngx_devel_kit-0.3.4.tar.gz wget https://github.com/openresty/lua-nginx-module/archive/v0.10.9rc7.tar.gz -O lua-nginx-module-0.10.9rc7.tar.gz wget http://nginx.org/download/nginx-1.19.3.tar.gz -O nginx-1.19.3.tar.gz
2. 逐项解压
tar -xzvf luajit-v2.0.5.tar.gz tar -xzvf ngx_devel_kit-0.3.4.tar.gz tar -xzvf lua-nginx-module-0.10.9rc7.tar.gz tar -xzvf nginx-1.19.3.tar.gz
三、安装
1. 安装lua环境
cd /opt/LuaJIT-2.0.5/ make && make install export LUAJIT_LIB=/usr/local/lib export LUAJIT_INC=/usr/local/include/luajit-2.0 echo "/usr/local/lib" >> /etc/ld.so.conf ldconfig
2. 安装nginx,需要包含nginx lua模块
cd /opt/nginx-1.19.3 ./configure --prefix=/usr/local/nginx \ --add-module=/opt/ngx_devel_kit-0.3.4 \ --add-module=/opt/lua-nginx-module-0.10.9rc7 make && make install
四、配置lua防火墙
1. 下载lua防火墙代码
cd /usr/local/nginx/conf git clone https://github.com/loveshell/ngx_lua_waf.git
2. 加载lua防火墙配置,vi /usr/local/nginx/conf/nginx.conf,http中加入以下红色部分配置
http {
# 其它配置
...
lua_package_path "/usr/local/nginx/conf/ngx_lua_waf/?.lua";
lua_shared_dict limit 10m;
init_by_lua_file /usr/local/nginx/conf/ngx_lua_waf/init.lua;
access_by_lua_file /usr/local/nginx/conf/ngx_lua_waf/waf.lua;
}
3. 修改防火墙配置RulePath值,vi /usr/local/nginx/conf/ngx_lua_waf/config.lua
# 默认值是`/usr/local/nginx/conf/waf/wafconf/` /waf 改为 /ngx_lua_waf RulePath = "/usr/local/nginx/conf/ngx_lua_waf/wafconf/"
4. 启动nginx
/usr/local/nginx/sbin/nginx
五、测试
1. 测试url中的关键字,出现拦截页面表示配置成功, 拦截参数在/usr/local/nginx/conf/ngx_lua_waf/wafconf/url文件
2. 测试post关键字
六、准备演示环境
1. 前端演示页面
<html>
<head>
<title>登陆</title>
<meta charset="utf-8">
</head>
<body>
<div>
用户名:<input type="text" name="user" id="txtUser"><br>
密码:<input type="password" name="pwd" id="txtPassword"><br>
<input type="button" onclick="login('login')" value="登陆"> <br>
<div id="divMsg"></div>
<script>
function login(action) {
var httpRequest = new XMLHttpRequest()
httpRequest.onreadystatechange = function () {
if (httpRequest.readyState == 4) {
document.getElementById("divMsg").innerText = httpRequest.responseText
}
}
httpRequest.open('POST', `/api/${action}`, true)
httpRequest.setRequestHeader(
'Content-type',
'application/x-www-form-urlencoded'
)
var user = document.getElementById("txtUser").value
var pwd = document.getElementById("txtPassword").value
var str = `username=${user}&password=${pwd}`
httpRequest.send(str)
}
</script>
</div>
</body>
</html>2. 服务端演示代码,模拟SQL注入
@Autowired
JdbcTemplate jdbcTemplate;
/**
* 拼sql查询
*
* @param user
* @return
*/
@PostMapping("/login")
public String login(User user) {
String sql = "select * from sys_user where user_name = '" + user.getUsername() + "' and pass_word = '" + user.getPassword() + "'";
System.out.println("SQL:");
System.out.println(sql);
List<Map<String, Object>> maps = jdbcTemplate.queryForList(sql);
System.out.println(maps.size());
if (maps.size() > 0) {
return"login success";
} else {
return"login fail";
}
}3. nginx代理设置
location /api/ {
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header REMOTE-HOST $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_pass http://192.168.1.18:8093/;
}4. 配置拦截参数(lua防火墙通过检测post表单中的关键字实现拦截)。
# 设置SQL注入的关键参数 echo "'\s+or\s+" >> /usr/local/nginx/conf/ngx_lua_waf/wafconf/post # 重新加载,使配置生效 /usr/local/nginx/sbin/nginx -s reload
七、效果演示
1. 正常登陆
2. 注入成功,在配置post拦截参数以前的效果
3. 注入被拦截,在配置post拦截参数以后的效果
到此这篇关于nginx lua防火墙防SQL注入配置的文章就介绍到这了,更多相关Nginx lua防止SQL注入内容请搜索脚本之家以前的文章或继续浏览下面的相关文章希望大家以后多多支持脚本之家!