CentOS 8 安装Nginx和ModSecurity反向代理测试WAF

最新推荐文章于 2025-05-10 12:18:43 发布

原创最新推荐文章于 2025-05-10 12:18:43 发布 · 2.1k 阅读

1 ·

CC 4.0 BY-SA版权

本文介绍如何通过安装和配置ModSecurity模块来增强Nginx的安全防护能力，包括设置规则引擎、导入OWASP核心规则集、重启Nginx服务及验证防护效果。

摘要生成于 C知道，由 DeepSeek-R1 满血版支持，前往体验 >

dnf install -y https://repo.aerisnetwork.com/pub/aeris-release-8.rpm
yum install nginx-more
yum install libmodsecurity
yum install nginx-more-module-modsecurity

cd /tmp
git clone https://github.com/SpiderLabs/ModSecurity
cd ModSecurity
mkdir -p /etc/nginx/modsec
cp unicode.mapping /etc/nginx/modsec/
cp modsecurity.conf-recommended /etc/nginx/modsec/modsecurity.conf

vi /etc/nginx/modsec/modsecurity.conf
SecRuleEngine On

vi /etc/nginx/modsec/main.conf
Include "/etc/nginx/modsec/modsecurity.conf"
Include "/etc/nginx/modsec/crs/crs-setup.conf"
Include "/etc/nginx/modsec/crs/rules/*.conf"

vi /etc/nginx/nginx.conf

server {
modsecurity on;
modsecurity_rules_file /etc/nginx/modsec/main.conf;
location / {
proxy_pass http://192.168.174.1/;
sub_filter my your;
sub_filter_once off;
sub_filter_types *;

}
}

cd /tmp
wget https://github.com/SpiderLabs/owasp-modsecurity-crs/archive/v3.2.0.tar.gz
tar -zxvf v3.2.0.tar.gz
cd owasp-modsecurity-crs-3.2.0
mkdir -p /etc/nginx/modsec/crs
cp crs-setup.conf.example /etc/nginx/modsec/crs/crs-setup.conf
cd rules
mkdir -p /etc/nginx/modsec/crs/rules/
cp * /etc/nginx/modsec/crs/rules/
systemctl restart nginx
curl localhost/index.html?exec=/bin/bash
cd /var/log
more modsec_audit.log

# more modsec_audit.log
---qR5tEZ3Z---A--
[02/Aug/2020:07:42:52 +0800] 159632537210.626465 127.0.0.1 39492 127.0.0.1 80
---qR5tEZ3Z---B--
GET /index.html?exec=/bin/bash HTTP/1.1
Host: localhost
User-Agent: curl/7.61.1
Accept: */*

---qR5tEZ3Z---D--

---qR5tEZ3Z---E--
<html>\x0d\x0a<head><title>403 Forbidden</title></head>\x0d\x0a<body>\x0d\x0a<center><h1>403 Forbidden</h1></center>\x0d\x0a<hr><center>nginx</center>\x0d\x0a</body>\x0
d\x0a</html>