ngx_waf 安装避坑详解

A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

优秀的 nginx waf 模块：

---

ngx_waf 是一个方便且高性能的 Nginx 防火墙模块，在编译安装过程中，遇到的一些问题，这里 MARK 一下，方便以后使用备忘。

• IP 或 IP 网段的黑白名单、URI 黑白名单和请求体黑名单
• 配置文件和规则文件书写简单，可读性强
• 使用高效的 IP 检查算法和缓存机制。
• 兼容 ModSecurity 的规则，你可以使用 OWASP 的核心规则库。
• 支持验证 Google、Bing、Baidu 和 Yandex 的爬虫并自动放行，避免错误拦截。
• 支持三种验证码：hCaptcha、reCAPTCHAv2 和 reCAPTCHAv3。

ngx_waf 编译安装

---

按官网一步一步进行编译安装，缺失部分参考如下：

需要安装 flex 依赖（Plase run 部分）。

checking for openat(), fstatat() ... found
checking for getaddrinfo() ... found
configuring additional modules
adding module in /Data/tools/ngx_waf
which: no flex in (/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/root/bin)

./configure: error: the ngx_http_waf_module module requires the flex.
---------------------------------------
Please run:
    On Ubuntu or Debian: 
        apt-get update && apt-get install --yes flex
    On CentOS 7:
        yum -y install flex
    On Centos 8 or Fedora 33 or Fedora 34:
        dnf install flex
    On Alpine:
        apk update && apk add --upgrade flex
    On Arch:
        1. Enable the core repository on /etc/pacman.conf:
            [core]
            Include = /etc/pacman.d/mirrorlist
        2. Install flex xz package:
            pacman -Syu flex
    On FreeBSD 12 or FreeBSD 13:
        pkg install flex

安装 bison 依赖：

checking for struct dirent.d_type ... found
checking for sysconf(_SC_NPROCESSORS_ONLN) ... found
checking for sysconf(_SC_LEVEL1_DCACHE_LINESIZE) ... found
checking for openat(), fstatat() ... found
checking for getaddrinfo() ... found
configuring additional modules
adding module in /Data/tools/ngx_waf
/usr/bin/flex
which: no bison in (/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/root/bin)

./configure: error: the ngx_http_waf_module module requires the bison.
---------------------------------------------------------------------------------
Please run:
    On Ubuntu or Debian: 
        apt-get update && apt-get install --yes bison
    On CentOS 7:
        yum -y install bison
    On Centos 8 or Fedora 33 or Fedora 34:
        dnf install bison
    On Alpine:
        apk update && apk add --upgrade bison
    On Arch:
        1. Enable the core repository on /etc/pacman.conf:
            [core]
            Include = /etc/pacman.d/mirrorlist
        2. Install flex xz package:
            pacman -Syu bison
    On FreeBSD 12 or FreeBSD 13:
        pkg install bison

安装 uthash library 依赖：

checking for openat(), fstatat() ... found
checking for getaddrinfo() ... found
configuring additional modules
adding module in /Data/tools/ngx_waf
/usr/bin/flex
/usr/bin/bison

./configure: error: the ngx_http_waf_module module requires the following command to be run to generate the necessary files.

    cd /Data/tools/ngx_waf && make && cd /Data/tools/nginx-1.20.2
---------------------------------------------------------------------------------
configuring additional modules
adding module in /Data/tools/ngx_waf
/usr/bin/flex
/usr/bin/bison
checking for uthash library ... not found
./configure: error: the ngx_http_waf_module module requires the uthash library.

Please run:
            cd /usr/local/src \
        &&  git clone https://github.com/troydhanson/uthash.git \
        &&  export LIB_UTHASH=/usr/local/src/uthash \
        &&  cd /Data/tools/nginx-1.20.2

安装 injection library 依赖：

configuring additional modules
adding module in /Data/tools/ngx_waf
/usr/bin/flex
/usr/bin/bison
checking for uthash library ... found
checking for C99 features ... found
checking for injection library ... not found
./configure: error: the ngx_http_waf_module module requires the injection library.
---------------------------------------------------------------------------------
Please run cd /Data/tools/ngx_waf && git clone https://github.com/libinjection/libinjection.git inc/libinjection && cd /Data/tools/nginx-1.20.2

安装 sodium library 依赖：

adding module in /Data/tools/ngx_waf
/usr/bin/flex
/usr/bin/bison
checking for uthash library ... found
checking for C99 features ... found
checking for injection library ... found
checking for sodium library ... not found
./configure: error: the ngx_http_waf_module module requires the sodium library.
---------------------------------------------------------------------------------
Please run:
    On Ubuntu or Debian: 
            apt-get update && apt-get install --yes libsodium23 libsodium-dev
    On Alpine: 
            apk update && apk add libsodium libsodium-dev
    On other OS:
            # You can remove directories libsodium-src and libsodium after installing the ngx_http_waf_module.
            git clone https://github.com/jedisct1/libsodium.git --branch stable libsodium-src \
        &&  cd libsodium-src \
        &&  ./configure --prefix=/Data/tools/nginx-1.20.2/libsodium --with-pic \
        &&  make -j$(nproc) && make check -j $(nproc) && make install \
        &&  export LIB_SODIUM=/Data/tools/nginx-1.20.2/libsodium \
        &&  cd /Data/tools/nginx-1.20.2

上述依赖都 OK 后，Configuration 最终成功如下：

configuring additional modules
adding module in /Data/tools/ngx_waf
/usr/bin/flex
/usr/bin/bison
checking for uthash library ... found
checking for C99 features ... found
checking for injection library ... found
checking for sodium library ... found
 + ngx_http_waf_module was configured
checking for PCRE library ... found
checking for PCRE JIT support ... found
checking for OpenSSL library ... found
checking for zlib library ... found
creating objs/Makefile
---------------------------------------------------------------------------------
Configuration summary
  + using system PCRE library
  + using system OpenSSL library
  + using system zlib library

注意 nginx 的编译参数 --with-cc-opt=-std=gnu99：

./configure --prefix=/Data/apps/nginx-1.20.2 --with-http_stub_status_module --with-pcre --with-http_ssl_module --with-http_realip_module --with-pcre --with-cc-opt='-std=gnu99' --add-module=/Data/tools/ngx_waf

以及接下来应该运行配置脚本：

sed -i 's/^\(CFLAGS.*\)/\1 -fstack-protector-strong -Wno-sign-compare/' objs/Makefile

接着您开始编译 ngxin 了

# 不使用并行编译
make

# 使用并行编译
make -j$(nproc)

测试 ngx_waf 验证是否生效：

curl -I -o /dev/null --user-agent zmeu -s -w "%{http_code}\\n" https://localhost/test

部分配置参考，更多详见官网：

waf on;
waf_rule_path /path/ngx_waf/assets/rules/;

waf_mode STD;
waf_cc_deny rate=1000r/m duration=60m;

waf_cache capacity=5000;

ngx_waf 扩展阅读：

---

• ngx_waf - 方便且高性能的 Nginx 防火墙模块
• 配置 Nginx + PHP， 并开始第一个PHP程序
• Nginx CSP 关于 iframe 的一个设置

---

---

ngx_waf 安装避坑评论