document/TranslateProject
2
0
Fork 0
mirror of https://github.com/LCTT/TranslateProject.git synced 2024-12-23 21:20:42 +08:00
Code Issues Packages Projects Releases Wiki Activity

ATRP

Browse Source 
@wxy
https://linux.cn/article-16479-1.html
This commit is contained in:
Xingyu Wang 2023-12-16 09:26:47 +08:00
parent eb4fd1df4f
commit 7a4e81b6f5
2 changed files with 181 additions and 198 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

181
published/20231204 A Web Application Firewall for Nginx.md Normal file
View File

@ -0,0 +1,181 @@
[#]: subject: "A Web Application Firewall for Nginx"
[#]: via: "https://fedoramagazine.org/a-web-application-firewall-for-nginx/"
[#]: author: "Roman Gherta https://fedoramagazine.org/author/romangherta/"
[#]: collector: "lujun9972/lctt-scripts-1700446145"
[#]: translator: "ChatGPT"
[#]: reviewer: "wxy"
[#]: publisher: "wxy"
[#]: url: "https://linux.cn/article-16479-1.html"
为 Nginx 配置 ModSecurity 网络应用防火墙
======
![][0]
> 网络应用防火墙WAF是一种在应用层监控网络流量的应用程序。
[OSI开放系统互联][6] 是最常被网络相关讨论引用的网络流量框架之一。当数据包通过第 6 层(表示层)移动到第 7 层(应用层)时,它会进行解密或解码操作。这些操作可能会因异常解码和解释而产生漏洞,而这些漏洞可能被利用来打破标准应用上下文。注入就是这种漏洞的一种类型,而且因为传统的 [IDS/IPS][7] 设备无法应对这些威胁,所以其长时间以来一直是人们特别关注的问题。
### ModSecurity 简介
[ModSecurity][8] 本质上就是 <ruby>网络应用防火墙<rt>web application firewall</rt></ruby>WAF引擎。它与 Apache、IIS 和 Nginx 兼容,并由第三方公司维护。该防火墙会将一份规则列表与由 Web 服务器/代理提供的 HTTP 头流进行交叉引用。目前这个仓库已经被简化,只包含主要的 LibModSecurity 库。你可以直接在自己的服务器实现中调用这个库,或通过特定编程语言的封装进行调用。
其母公司的支持计划于 2024 年 7 月 1 日结束,之后这个项目将由开源社区维护。
### 安装 Nginx 连接器
[Nginx 连接器][9] 是一个 Nginx 动态模块,可以通过 Fedora 包 `nginx-mod-modsecurity` 进行安装。它依赖于 `libmodsecurity.so`,所以在这个使用场景中,这个包本身就是防火墙。
```
[user@fedora ~]$ sudo dnf install -y nginx nginx-mod-modsecurity
[user@fedora ~]$ rpm -qR nginx-mod-modsecurity
config(nginx-mod-modsecurity) = 1.0.3-3.fc38
libc.so.6(GLIBC_2.4)(64bit)
libmodsecurity.so.3()(64bit)
nginx(abi) = 1.24.0
nginx-filesystem
...
```
安装完成后,你会见到连接器在 `/etc/nginx` 中添加了一些重要的文件。
```
[user@fedora ~]$ rpm -ql nginx-mod-modsecurity
/etc/nginx/modsecurity.conf # waf 配置
/etc/nginx/nginx.conf.modsecurity # nginx 示例配置
/usr/lib64/nginx/modules/ngx_http_modsecurity_module.so
/usr/share/nginx/modules/mod-modsecurity.conf
/usr/share/doc/nginx-mod-modsecurity/README.md
...
```
通过提供一些额外的配置指令,连接器对 Nginx 进行了扩展。下面的部分将演示 `nginx.conf.modsecurity` 文件中一些示例指令。指令的完整列表可以在 `README.md` 文件或项目的 GitHub 页面找到。
### 启动网络应用防火墙
`nginx.conf.modsecurity` 是我们将要运行的 Nginx 配置。解开如下所示的 *modsecurity* 行注释:
```
[user@fedora ~]$ sudo sed -i 's/#modsec/modsec/g' /etc/nginx/nginx.conf.modsecurity
[user@fedora ~]$ grep -C2 modsecurity /etc/nginx/nginx.conf.modsecurity
# 如有需要,启用 ModSecurity WAF
modsecurity on;
# 如有需要,加载 ModSecurity CRS
modsecurity_rules_file /etc/nginx/modsecurity.conf;
```
在 shell 中启动服务器并查看日志,确保在 `modsecurity.conf` 加载了七个默认规则。
```
[user@fedora ~]$ sudo nginx -c /etc/nginx/nginx.conf.modsecurity
[user@fedora ~]$ head /var/log/nginx/error.log
2023/10/21 23:55:09 [notice] 46218#46218: ModSecurity-nginx v1.0.3 (rules loaded inline/local/remote: 0/7/0)
2023/10/21 23:55:09 [notice] 46218#46218: using the "epoll" event method
2023/10/21 23:55:09 [notice] 46218#46218: nginx/1.24.0
2023/10/21 23:55:09 [notice] 46218#46218: OS: Linux 6.5.7-200.fc38.x86_64
```
通过发送一些不符合 `Content-Type` 头格式的数据来测试默认规则。
```
[user@fedora ~]$ curl -X POST http://localhost -H "Content-Type: application/json" --data "<xml></xml>"
[user@fedora ~]$ tail /var/log/modsec_audit.log
...
---rH5bFain---H--
ModSecurity: Warning. Matched "Operator `Eq' with parameter `0' against variable `REQBODY_ERROR' (Value: `1' ) [file "/etc/nginx/modsecurity.conf"] [line "75"] [id "200002"] [rev ""] [msg "Failed to parse request body."] [data "JSON parsing error: lexical error: invalid char in json text.\n"] [severity "2"] [ver ""] [maturity "0"] [accuracy "0"] [hostname "10.0.2.100"] [uri "/"] [unique_id "169795900388.487044"] [ref "v121,1"]
```
### 用 OWASP 核心规则集扩展你的网络应用防火墙
默认的 Nginx 连接器带有七条规则。OWASP [Core Rule Set v3.3.5][10] 则更为详尽,涵盖了许多场景。
复制并提取规则的存档。
```
[user@fedora ~]$ curl -fSL https://github.com/coreruleset/coreruleset/archive/refs/tags/v3.3.5.tar.gz --output /tmp/v3.3.5.tar.gz
[user@fedora ~]$ sudo tar -C /etc/nginx -xvf /tmp/v3.3.5.tar.gz
[user@fedora ~]$ tree -L 1 /etc/nginx/
/etc/nginx/
├── conf.d
├── default.d
├── modsecurity.conf # waf 配置
├── nginx.conf
├── nginx.conf.modsecurity # nginx 启用 waf
├── coreruleset-3.3.5
├ ├── rules # 规则目录
├ ...
├ ...
```
现在,你在 Nginx 配置文件夹中有了一个包含所有当前 OWASP 规则的 `rules` 目录。接下来,让 Nginx 知道这些规则。以下操作指南来源于 OWASP [INSTALL][11] 文件。
创建一个 `crs.conf` 文件,并在全局网络应用防火墙配置文件( `modsecurity.conf` )中包含所有相关的配置文件。
```
[user@fedora ~]$ sudo cp /etc/nginx/coreruleset-3.3.5/crs-setup.conf.example /etc/nginx/coreruleset-3.3.5/crs.conf
[user@fedora ~]$ echo -e "\nInclude /etc/nginx/coreruleset-3.3.5/crs.conf" | sudo tee -a /etc/nginx/modsecurity.conf
[user@fedora ~]$ echo -e "\nInclude /etc/nginx/coreruleset-3.3.5/rules/*.conf" | sudo tee -a /etc/nginx/modsecurity.conf
[user@fedora ~]$ tail /etc/nginx/modsecurity.conf
Include /etc/nginx/coreruleset-3.3.5/crs.conf
Include /etc/nginx/coreruleset-3.3.5/rules/*.conf
```
根据文档,包含这些文件的顺序很重要。上面的 `tee` 的命令将新的 `Include` 行放在了 `modsecurity.conf` 文件的末尾。现在,用这个新配置重启 Nginx。
```
[user@fedora ~]$ sudo nginx -s stop && sudo nginx -c /etc/nginx/nginx.conf.modsecurity
[user@fedora ~]$ tail /var/log/nginx/error.log
2023/10/22 10:53:23 [notice] 202#202: exit
2023/10/22 10:53:50 [notice] 230#230: ModSecurity-nginx v1.0.3 (rules loaded inline/local/remote: 0/921/0)
2023/10/22 10:53:50 [notice] 230#230: using the "epoll" event method
2023/10/22 10:53:50 [notice] 230#230: nginx/1.24.0
2023/10/22 10:53:50 [notice] 230#230: OS: Linux 6.5.7-200.fc38.x86_64
2023/10/22 10:53:50 [notice] 230#230: getrlimit(RLIMIT_NOFILE): 524288:524288
2023/10/22 10:53:50 [notice] 231#231: start worker processes
```
注意Nginx 成功加载了 921 条规则。还需要做一些测试来确保规则实际上是被网络应用防火墙检查过的。这里再次引用 `INSTALL` 文件中的 “Testing the Installation” 片段。
```
[user@fedora ~]$ curl 'http://localhost/?param=''><script>alert(1);</script>'
[user@fedora ~]$ tail /var/log/modsec_audit.log
...
---8NSpdnLe---H--
ModSecurity: Warning. detected XSS using libinjection. [file "/etc/nginx/coreruleset-3.3.5/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "38"] [id "941100"] [rev ""] [msg "XSS Attack Detected via libinjection"] [data "Matched Data: XSS data found within ARGS:param: ><script>alert(1);</script>"] [severity "2"] [ver "OWASP_CRS/3.3.5"]
...
```
### 结论
本文演示了如何为 Nginx 服务器配置网络应用防火墙。这个部署使用了标准规则和 OWASP Core Rule Set v3.3.5。演示的防火墙在**检测模式**中运行并记录不寻常的行为。将防火墙运行在**防御模式**要对 `modsecurity.conf` 进行更多改动。请参考 [ModSecurity Reference Manual v3.x][12] 获取如何启用防御模式和更多信息。
祝你好运。
*题图DA/7ec85bc4-b209-4fc6-9275-8f7d1430f6ca*
--------------------------------------------------------------------------------
via: https://fedoramagazine.org/a-web-application-firewall-for-nginx/
作者:[Roman Gherta][a]
选题:[lujun9972][b]
译者:[ChatGPT](https://linux.cn/lctt/ChatGPT)
校对:[wxy](https://github.com/wxy)
本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译,[Linux中国](https://linux.cn/) 荣誉推出
[a]: https://fedoramagazine.org/author/romangherta/
[b]: https://github.com/lujun9972
[1]: https://fedoramagazine.org/wp-content/uploads/2023/11/waf-nginx-816x345.jpg
[2]: https://unsplash.com/@neonbrand?utm_content=creditCopyText&utm_medium=referral&utm_source=unsplash
[3]: https://unsplash.com/photos/red-bricks-wall-XEsx2NVpqWY?utm_content=creditCopyText&utm_medium=referral&utm_source=unsplash
[4]: https://unsplash.com/@cullansmith?utm_content=creditCopyText&utm_medium=referral&utm_source=unsplash
[5]: https://unsplash.com/photos/red-fire-digital-wallpaper-BdTtvBRhOng?utm_content=creditCopyText&utm_medium=referral&utm_source=unsplash
[6]: https://osi-model.com/
[7]: https://en.wikipedia.org/wiki/Intrusion_detection_system
[8]: https://github.com/SpiderLabs/ModSecurity
[9]: https://github.com/SpiderLabs/ModSecurity-nginx
[10]: https://github.com/coreruleset/coreruleset/tree/v3.3.5/rules
[11]: https://github.com/coreruleset/coreruleset/blob/v3.3.5/INSTALL
[12]: https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual-(v3.x)
[0]: https://img.linux.net.cn/data/attachment/album/202312/16/092516o1kqhzphvhh4h1hl.jpg

198
sources/tech/20231204 A Web Application Firewall for Nginx.md
View File

@ -1,198 +0,0 @@
[#]: subject: "A Web Application Firewall for Nginx"
[#]: via: "https://fedoramagazine.org/a-web-application-firewall-for-nginx/"
[#]: author: "Roman Gherta https://fedoramagazine.org/author/romangherta/"
[#]: collector: "lujun9972/lctt-scripts-1700446145"
[#]: translator: " "
[#]: reviewer: " "
[#]: publisher: " "
[#]: url: " "
A Web Application Firewall for Nginx
======
![][1]
Red Bricks by [Kenny Eliason][2] on [Unsplash][3] (cropped), Fire by [Cullan Smith][4] on [Unsplash][5] (stretched, flipped)
A web application firewall (WAF) is an application that monitors network traffic at the application layer.
[OSI (Open Systems Interconnection)][6] is one of the most referenced network traffic frameworks across internet related discussions. When a package crosses Layer 6 (Presentation) and moves towards Layer 7 (Application) it undergoes decrypting/decoding operations. Each of these operations can be susceptible to faulty decoding and interpretation that can be used to break out of the standard application context. Injections are just one type of such vulnerabilities and for a long time have been the number one cause of concern especially since traditional [IDS/IPS][7] appliances cannot handle these threats.
### About ModSecurity
[ModSecurity][8] was historically the web application firewall engine itself. It is compatible with Apache, IIS, and Nginx and has been maintained by a third-party company. The firewall cross references a list of rules to a stream of HTTP headers provided by a webserver/proxy. As of now this repository was simplified and contains only the main library _LibModSecurity_. The library itself can be called from your own server implementation directly or via wrappers specific to individual programming languages.
The parent companys support is scheduled to end on July 1 2024 at which time the project is supposed to be maintained by the open-source community.
### Install the Nginx connector
The [Nginx connector][9] is an Nginx dynamic module and it can be installed via the Fedora package _nginx-mod-modsecurity_. It has _libmodsecurity.so_ as a dependency so for this use-case this package is the firewall itself.
```
[user@fedora ~]$ sudo dnf install -y nginx nginx-mod-modsecurity
[user@fedora ~]$ rpm -qR nginx-mod-modsecurity
config(nginx-mod-modsecurity) = 1.0.3-3.fc38
libc.so.6(GLIBC_2.4)(64bit)
libmodsecurity.so.3()(64bit)
nginx(abi) = 1.24.0
nginx-filesystem
...
```
Once installed, you will see that the connector adds a few important files to /etc/nginx.
```
[user@fedora ~]$ rpm -ql nginx-mod-modsecurity
/etc/nginx/modsecurity.conf # waf config
/etc/nginx/nginx.conf.modsecurity # nginx sample conf
/usr/lib64/nginx/modules/ngx_http_modsecurity_module.so
/usr/share/nginx/modules/mod-modsecurity.conf
/usr/share/doc/nginx-mod-modsecurity/README.md
...
```
The connector extends Nginx by providing some extra configuration directives. The following sections will demonstrate a few of the example directives in the _nginx.conf.modsecurity_ file. A complete list of the directives can be found in the _README.md_ file or on the projects GitHub page.
### Enable the web application firewall
_nginx.conf.modsecurity_ is the Nginx configuration we are going to run. Uncomment the _modsec*_ lines as shown below.
```
[user@fedora ~]$ sudo sed -i 's/#modsec/modsec/g' /etc/nginx/nginx.conf.modsecurity
[user@fedora ~]$ grep -C2 modsecurity /etc/nginx/nginx.conf.modsecurity
# Enable ModSecurity WAF, if need
modsecurity on;
# Load ModSecurity CRS, if need
modsecurity_rules_file /etc/nginx/modsecurity.conf;
```
Start the server inside the shell and observe the logs to make sure the seven default rules defined in _modsecurity.conf_ are loaded.
```
[user@fedora ~]$ sudo nginx -c /etc/nginx/nginx.conf.modsecurity
[user@fedora ~]$ head /var/log/nginx/error.log
2023/10/21 23:55:09 [notice] 46218#46218: ModSecurity-nginx v1.0.3 (rules loaded inline/local/remote: 0/7/0)
2023/10/21 23:55:09 [notice] 46218#46218: using the "epoll" event method
2023/10/21 23:55:09 [notice] 46218#46218: nginx/1.24.0
2023/10/21 23:55:09 [notice] 46218#46218: OS: Linux 6.5.7-200.fc38.x86_64
```
Test the default rules by sending some data that does not respect the _content-type_ header format.
```
[user@fedora ~]$ curl -X POST http://localhost -H "Content-Type: application/json" --data "<xml></xml>"
[user@fedora ~]$ tail /var/log/modsec_audit.log
...
---rH5bFain---H--
ModSecurity: Warning. Matched "Operator `Eq' with parameter `0' against variable `REQBODY_ERROR' (Value: `1' ) [file "/etc/nginx/modsecurity.conf"] [line "75"] [id "200002"] [rev ""] [msg "Failed to parse request body."] [data "JSON parsing error: lexical error: invalid char in json text.\x0a"] [severity "2"] [ver ""] [maturity "0"] [accuracy "0"] [hostname "10.0.2.100"] [uri "/"] [unique_id "169795900388.487044"] [ref "v121,1"]
```
### Extend your web application firewall with the OWASP core rule set
The default Nginx connector comes with seven rules. The OWASP [Core Rule Set v3.3.5][10] is more extensive and covers many scenarios.
Copy the archive and extract the rules.
```
[user@fedora ~]$ curl -fSL https://github.com/coreruleset/coreruleset/archive/refs/tags/v3.3.5.tar.gz --output /tmp/v3.3.5.tar.gz
[user@fedora ~]$ sudo tar -C /etc/nginx -xvf /tmp/v3.3.5.tar.gz
[user@fedora ~]$ tree -L 1 /etc/nginx/
/etc/nginx/
├── conf.d
├── default.d
├── modsecurity.conf # waf config
├── nginx.conf
├── nginx.conf.modsecurity # nginx waf enabled
├── coreruleset-3.3.5
├ ├── rules # rules directory
├ ...
├ ...
```
You now have a _rules_ directory within the nginx configuration folder with all the current OWASP rules. Next, make Nginx aware of these rules. The following instructions originate from the OWASP [./INSTALL][11] file.
Create a _crs.conf_ file and include all the relevant config files in the global web application firewall config file ( _modsecurity.conf_ ).
```
[user@fedora ~]$ sudo cp /etc/nginx/coreruleset-3.3.5/crs-setup.conf.example /etc/nginx/coreruleset-3.3.5/crs.conf
[user@fedora ~]$ echo -e "\nInclude /etc/nginx/coreruleset-3.3.5/crs.conf" | sudo tee -a /etc/nginx/modsecurity.conf
[user@fedora ~]$ echo -e "\nInclude /etc/nginx/coreruleset-3.3.5/rules/*.conf" | sudo tee -a /etc/nginx/modsecurity.conf
[user@fedora ~]$ tail /etc/nginx/modsecurity.conf
Include /etc/nginx/coreruleset-3.3.5/crs.conf
Include /etc/nginx/coreruleset-3.3.5/rules/*.conf
```
According to docs, the order of including these files is important. The _tee_ command shown above has placed the new _Include_ lines at the end of the _modsecurity.conf_ file. Now, reload Nginx with this new configuration.
```
[user@fedora ~]$ sudo nginx -s stop && sudo nginx -c /etc/nginx/nginx.conf.modsecurity
[user@fedora ~]$ tail /var/log/nginx/error.log
2023/10/22 10:53:23 [notice] 202#202: exit
2023/10/22 10:53:50 [notice] 230#230: ModSecurity-nginx v1.0.3 (rules loaded inline/local/remote: 0/921/0)
2023/10/22 10:53:50 [notice] 230#230: using the "epoll" event method
2023/10/22 10:53:50 [notice] 230#230: nginx/1.24.0
2023/10/22 10:53:50 [notice] 230#230: OS: Linux 6.5.7-200.fc38.x86_64
2023/10/22 10:53:50 [notice] 230#230: getrlimit(RLIMIT_NOFILE): 524288:524288
2023/10/22 10:53:50 [notice] 231#231: start worker processes
```
Notice Nginx loaded _921_ rules successfully. Some tests are also needed to make sure the rules are actually checked by the web application firewall. Here again, we reference the snippet _Testing the Installation_ from the _./INSTALL_ file.
```
[user@fedora ~]$ curl 'http://localhost/?param=''><script>alert(1);</script>'
[user@fedora ~]$ tail /var/log/modsec_audit.log
...
---8NSpdnLe---H--
ModSecurity: Warning. detected XSS using libinjection. [file "/etc/nginx/coreruleset-3.3.5/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "38"] [id "941100"] [rev ""] [msg "XSS Attack Detected via libinjection"] [data "Matched Data: XSS data found within ARGS:param: ><script>alert(1);</script>"] [severity "2"] [ver "OWASP_CRS/3.3.5"]
...
```
### Conclusions
How to configure a web application firewall for an Nginx server has been demonstrated. This deployment uses standard rules plus the _OWASP Core Rule Set v3.3.5._ The firewall demonstrated above is running in **detection mode** and logging unusual actions. Running the firewall in **prevention mode** requires further changes to _modsecurity.conf._ Refer to [ModSecurity Reference Manual v3.x][12] for instructions on how to enable prevention mode and much more.
All the best.
--------------------------------------------------------------------------------
via: https://fedoramagazine.org/a-web-application-firewall-for-nginx/
作者:[Roman Gherta][a]
选题:[lujun9972][b]
译者:[译者ID](https://github.com/译者ID)
校对:[校对者ID](https://github.com/校对者ID)
本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译,[Linux中国](https://linux.cn/) 荣誉推出
[a]: https://fedoramagazine.org/author/romangherta/
[b]: https://github.com/lujun9972
[1]: https://fedoramagazine.org/wp-content/uploads/2023/11/waf-nginx-816x345.jpg
[2]: https://unsplash.com/@neonbrand?utm_content=creditCopyText&utm_medium=referral&utm_source=unsplash
[3]: https://unsplash.com/photos/red-bricks-wall-XEsx2NVpqWY?utm_content=creditCopyText&utm_medium=referral&utm_source=unsplash
[4]: https://unsplash.com/@cullansmith?utm_content=creditCopyText&utm_medium=referral&utm_source=unsplash
[5]: https://unsplash.com/photos/red-fire-digital-wallpaper-BdTtvBRhOng?utm_content=creditCopyText&utm_medium=referral&utm_source=unsplash
[6]: https://osi-model.com/
[7]: https://en.wikipedia.org/wiki/Intrusion_detection_system
[8]: https://github.com/SpiderLabs/ModSecurity
[9]: https://github.com/SpiderLabs/ModSecurity-nginx
[10]: https://github.com/coreruleset/coreruleset/tree/v3.3.5/rules
[11]: https://github.com/coreruleset/coreruleset/blob/v3.3.5/INSTALL
[12]: https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual-(v3.x)