From Zero to One: A Hands-On Guide to ModSecurity-nginx
Introduction: the web's quiet gatekeeper
Anyone who runs a web application ends up dealing with automated attack traffic: SQL injection probes, scanner sweeps and the rest of the OWASP Top 10, arriving around the clock whether or not the application actually has a flaw. A web application firewall (WAF) is one of the few controls that can be placed in front of an application without touching its code, and ModSecurity-nginx is the open-source option that brings the ModSecurity rule engine into Nginx.
This article walks through how ModSecurity-nginx works and how to deploy and operate it. By the end you should be able to:
- Build a WAF layer into Nginx from source
- Use the core directives and the OWASP Core Rule Set (CRS) to express a protection policy
- Reduce exposure to the injection, scanning and data-leakage patterns the CRS covers
- Trade inspection depth against throughput deliberately rather than by accident
- Manage rules, handle false positives, and feed audit logs into monitoring
Part 1: Getting to know ModSecurity-nginx
1.1 What is ModSecurity-nginx?
ModSecurity-nginx is the connector between Nginx and libmodsecurity (ModSecurity v3). It is an Nginx module that hands each HTTP transaction to the library for inspection and enforces the library's verdict. ModSecurity 2.x was an Apache module; the v3 design separates the engine from the web server. The practical differences:
| Aspect | ModSecurity 2.x | libmodsecurity + ModSecurity-nginx (v3) |
|---|---|---|
| Architecture | Apache module; other servers needed ports or a standalone shim | Engine is a standalone library with thin connectors for Nginx, Apache and IIS |
| Integration | Tied to Apache's request lifecycle | Attached to Nginx's request phases through the connector |
| Configuration | One rule set per virtual host | Rules at http, server and location level, merged per location |
| Rule language | SecRule | The same SecRule language; the CRS and most 2.x rules load unchanged, while a few 2.x directives are parsed but inert in v3 |
Performance and memory use depend on the rule set and the traffic mix far more than on the engine version; measure on your own workload rather than trusting headline percentages.
1.2 How it works: gatekeeper for the HTTP request
ModSecurity processes every transaction in five phases, each mapped to a point in Nginx's request handling:
- Request headers (phase:1): runs once the request line and headers are parsed; the URI, method, headers and query-string arguments are available.
- Request body (phase:2): runs after the body has been read, which requires SecRequestBodyAccess On; POST arguments, uploaded files, XML and JSON bodies are available here and not before.
- Response headers (phase:3): runs when the upstream or static response headers are ready.
- Response body (phase:4): runs once the response body has been buffered, which requires SecResponseBodyAccess On and a content type listed in SecResponseBodyMimeType.
- Logging (phase:5): runs after the response has been sent; the audit log entry is written here and nothing can be blocked any more.
A malicious User-Agent is therefore caught in phase 1, an SQL injection payload in a POST body in phase 2, and a leaked stack trace or card number in phase 4. Because the body must be buffered before phase 2 can run, the request-body limits discussed later are what decide how much memory and latency the WAF costs per request.
1.3 Why choose ModSecurity-nginx
Its advantages for an Nginx deployment:
- Rule-driven protection: the OWASP Core Rule Set (CRS) supplies a maintained, generic rule set for injection, scanning, protocol abuse and data leakage; application-specific rules and exclusions are layered on top
- Fine-grained detection: operators (@rx, @pm, @ipMatch, @detectSQLi and others), transformations (t:lowercase, t:urlDecodeUni, ...), variable collections and chained rules
- Flexible enforcement: deny, drop, redirect, pass-and-log, allow, and per-request engine control through ctl:
- Layered configuration: rules declared at http, server and location level are merged, so a location can tighten or relax the inherited policy
- Full audit logging: complete transaction records, including a JSON format that ships cleanly into a log pipeline
- Nginx integration: the connector runs inside the Nginx worker, so the WAF sits in the same process as the proxy with no extra network hop
Part 2: Setting up the environment, deployment from scratch
2.1 Build dependencies
libmodsecurity is built with autotools and needs a compiler plus the libraries behind its optional features. Install the YAJL development package if you want SecAuditLogFormat JSON (JSON support is compiled in only when YAJL is found), and the autotools packages that build.sh runs:
```bash
# Ubuntu/Debian
sudo apt-get update && sudo apt-get install -y \
  git build-essential autoconf automake libtool pkg-config \
  libpcre2-dev libpcre3-dev zlib1g-dev libssl-dev libxml2-dev \
  libcurl4-openssl-dev libyajl-dev liblmdb-dev
# CentOS/RHEL (some of these packages come from EPEL)
sudo yum install -y git gcc gcc-c++ make autoconf automake libtool pkgconfig \
  pcre2-devel pcre-devel zlib-devel openssl-devel libxml2-devel \
  libcurl-devel yajl-devel lmdb-devel
```
2.2 Building and installing libm odsecurity
ModSecurity-nginx links against libmodsecurity, so the library is built first. Build from the v3 branch or a tagged v3 release; the configure flags used for 2.x (--enable-standalone-module, --disable-mlogc) do not exist in v3 and the original instructions would have failed at that step:
```bash
# Clone the repository (the mirror used by this article; upstream lives in the owasp-modsecurity GitHub organisation)
git clone https://gitcode.com/gh_mirrors/mo/ModSecurity.git
cd ModSecurity
git checkout v3/master        # or a v3 release tag
# Fetch the bundled submodules (libinjection among them)
git submodule init
git submodule update
# Generate the build system and configure
./build.sh
./configure
# Build and install (default prefix is /usr/local/modsecurity)
make -j"$(nproc)"
sudo make install
# Let the dynamic loader find the library at runtime
echo /usr/local/modsecurity/lib | sudo tee /etc/ld.so.conf.d/modsecurity.conf
sudo ldconfig
```
Check that the library and headers landed where the connector's build script looks for them (it uses /usr/local/modsecurity unless MODSECURITY_INC and MODSECURITY_LIB are set):
```bash
ls /usr/local/modsecurity/lib/libmodsecurity.so /usr/local/modsecurity/include/modsecurity/modsecurity.h
```
2.3 Building Nginx with the ModSecurity module
Clone the connector, then build Nginx with --add-module (compiled in) or --add-dynamic-module (loaded with load_module). Build against the exact Nginx version you will run; a dynamic module must be compiled from the same source tree with the same configure arguments:
```bash
# Connector source (placeholder path; the repository is in the owasp-modsecurity GitHub organisation)
git clone https://github.com/owasp-modsecurity/ModSecurity-nginx.git /path/to/ModSecurity-nginx
# Nginx source (use the version you intend to run)
wget http://nginx.org/download/nginx-1.25.2.tar.gz
tar zxvf nginx-1.25.2.tar.gz
cd nginx-1.25.2
# Configure Nginx with the ModSecurity connector
./configure \
  --prefix=/usr/local/nginx \
  --add-module=/path/to/ModSecurity-nginx \
  --with-http_ssl_module \
  --with-http_v2_module \
  --with-http_realip_module \
  --with-http_stub_status_module
# Build and install
make -j"$(nproc)"
sudo make install
# Confirm the module was compiled in
/usr/local/nginx/sbin/nginx -V 2>&1 | grep -i modsecurity
```
After a successful build the configure arguments printed by nginx -V include --add-module=/path/to/ModSecurity-nginx. If you chose --add-dynamic-module instead, run make modules, copy objs/ngx_http_modsecurity_module.so into the Nginx modules directory and put `load_module modules/ngx_http_modsecurity_module.so;` at the top of nginx.conf.
Part 3: Core directives, building the protection layer
ModSecurity-nginx adds a small set of directives to the Nginx configuration language. All of them are valid at http, server and location level; the on/off switch is inherited downwards and rules declared at an outer level are merged into the levels below.
3.1 Basic control directives
modsecurity
Purpose: enable or disable ModSecurity processing
Syntax: modsecurity on | off
Context: http, server, location
Example:
```nginx
server {
    listen 80;
    server_name example.com;
    # Enable the WAF for the whole virtual host
    modsecurity on;
    location /admin {
        # Already inherited from the server block; repeating the switch adds nothing.
        # Tighten the admin area by adding rules here (see 3.3), not by restating on.
        modsecurity on;
    }
    location /api/public {
        # Turning inspection off removes every rule for this path. Accept that only for
        # endpoints that take no untrusted input; SecRuleEngine DetectionOnly keeps the logging.
        modsecurity off;
    }
}
```
modsecurity_rules_file
Purpose: load rules and engine directives from a file
Syntax: modsecurity_rules_file <path to rules file>
Context: http, server, location
Example:
```nginx
http {
    # Engine settings, then the Core Rule Set in load order
    modsecurity_rules_file /etc/modsecurity/modsecurity.conf;
    modsecurity_rules_file /etc/modsecurity/crs/crs-setup.conf;
    modsecurity_rules_file /etc/modsecurity/crs/rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf;
    modsecurity_rules_file /etc/modsecurity/crs/rules/REQUEST-901-INITIALIZATION.conf;
    # ... the remaining CRS files in numeric order
}
```
Order matters: crs-setup.conf must be loaded before any rule file, and the 900 exclusion file before 901. One file that Include-s the rest (see 5.1) is easier to keep in order than a directive per file.
3.2 Rule directives
modsecurity_rules
Purpose: embed ModSecurity rules inline in nginx.conf
Syntax: modsecurity_rules <modsecurity rules>
Context: http, server, location
Example. The argument is one single-quoted Nginx string, so a single quote inside a rule (the msg: text) has to be written as \'. Two other corrections to the original: the logging action is log (there is no tlog action), and rules on ARGS belong in phase 2 so that POST bodies are included. The regexes are illustrative; they are no substitute for the CRS:
```nginx
location / {
    modsecurity_rules '
        # Enable the rule engine
        SecRuleEngine On
        # Audit log: only transactions that triggered a rule or returned an error status
        SecAuditEngine RelevantOnly
        SecAuditLog /var/log/modsecurity/audit.log
        SecAuditLogFormat JSON
        # Minimal SQL injection check on all arguments
        SecRule ARGS "@rx (union.*select|select.*from|insert.*into|delete.*from)" \
            "id:100001,phase:2,t:none,t:lowercase,log,deny,status:403,msg:\'SQL injection attempt\'"
        # Minimal XSS check
        SecRule ARGS "@rx <script[^>]*>.*?</script>" \
            "id:100002,phase:2,t:none,t:lowercase,t:htmlEntityDecode,log,deny,status:403,msg:\'XSS attempt\'"
    ';
}
```
SecAuditLogFormat JSON is accepted only when libmodsecurity was built with YAJL; otherwise nginx -t rejects the directive.
modsecurity_transaction_id
Purpose: set the transaction ID that ModSecurity records in its logs, so WAF events can be joined to Nginx access-log lines
Syntax: modsecurity_transaction_id string (Nginx variables are expanded)
Context: http, server, location
Example:
```nginx
log_format extended '$remote_addr - $remote_user [$time_local] '
                    '"$request" $status $body_bytes_sent '
                    '"$http_referer" "$http_user_agent" $request_id';
server {
    server_name api.example.com;
    modsecurity on;
    # Transaction ID built from a prefix and Nginx's per-request $request_id
    modsecurity_transaction_id "api-$request_id";
    access_log logs/api-access.log extended;
    error_log logs/api-error.log;
}
```
With this in place the transaction's unique ID in the audit log is "api-<request_id>" and the same $request_id is written to the access log, which is the key to join on.
3.3 Merging rules across levels
Rules declared at http, server and location level are merged, so each location runs the inherited rules plus its own. Two corrections to the original rule syntax: ARGS in phase 1 only contains query-string arguments, so a rule on form fields belongs in phase 2, and status: has no effect unless paired with deny or redirect (the original rule 100 had status:403 but no deny, so it logged and let the request through):
```nginx
http {
    # Global engine settings
    modsecurity_rules '
        SecRuleEngine On
        SecRequestBodyAccess On
        SecResponseBodyAccess On
        SecDebugLogLevel 0
    ';
    server {
        server_name example.com;
        # Server level: debug logging for this host only
        modsecurity_rules '
            SecDebugLog /var/log/modsecurity/example.com-debug.log
            SecDebugLogLevel 3
        ';
        location / {
            # Site root: a simple argument check, phase 2 so POST fields are covered
            modsecurity_rules '
                SecRule ARGS "@streq admin" "id:100,phase:2,log,deny,status:403,msg:\'admin is not an accepted argument value\'"
            ';
        }
        location /admin {
            # Admin area: source-address restriction and a smaller body limit
            modsecurity_rules '
                SecRule REMOTE_ADDR "!@ipMatch 192.168.1.0/24" "id:200,phase:1,log,deny,status:403,msg:\'Admin area is limited to the internal network\'"
                SecRequestBodyLimit 1048576
            ';
        }
        location /api {
            # API: detection only, larger bodies accepted
            modsecurity_rules '
                SecRuleEngine DetectionOnly
                SecRequestBodyLimit 10485760
                SecRequestBodyLimitAction ProcessPartial
            ';
        }
    }
}
```
Two caveats. REMOTE_ADDR is the address of the TCP peer: behind a load balancer it is the balancer's address unless the realip module (set_real_ip_from and real_ip_header) is configured, and then the IP check above is only as trustworthy as the proxies you list. And SecRequestBodyLimitAction ProcessPartial inspects only the first SecRequestBodyLimit bytes of an oversized body, so a request can be padded to push a payload past the inspected window; Reject is the safe default and ProcessPartial a deliberate trade-off for upload endpoints.
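Inline rules are the form most likely to carry the mistakes above, because nothing validates them until nginx -t runs and even then the engine accepts a rule whose status: is inert or whose chain is wired backwards. The following checker is an added example (not code from the page or from the ModSecurity project): it pulls every modsecurity_rules block out of an nginx.conf text and reports unknown action names, chained rules that carry their own id/phase/verdict, status: without deny or redirect, and body variables read in phase 1. The action list it knows is an assumption drawn from the reference manual and deliberately short; extend it for the actions you use. The sample configuration is constructed for the example.

```python
"""Static checks for SecRule lines embedded in nginx `modsecurity_rules '...'` blocks."""
import re
import shlex

# Subset of ModSecurity actions (assumption: enough for these checks, not the full manual).
KNOWN_ACTIONS = {
    "accuracy", "allow", "auditlog", "block", "capture", "chain", "ctl", "deny",
    "drop", "exec", "expirevar", "id", "initcol", "log", "logdata", "maturity",
    "msg", "multiMatch", "noauditlog", "nolog", "pass", "phase", "redirect", "rev",
    "sanitiseArg", "sanitiseMatched", "setenv", "setvar", "severity", "skip",
    "skipAfter", "status", "t", "tag", "ver",
}
DISRUPTIVE = {"allow", "block", "deny", "drop", "pass", "redirect"}
BODY_VARS = ("ARGS", "REQUEST_BODY", "FILES", "XML", "JSON")  # complete only from phase 2 on

# A modsecurity_rules block is one single-quoted Nginx string in which \' is an escaped quote.
BLOCK_RE = re.compile(r"modsecurity_rules\s+'((?:[^'\\]|\\.)*)'\s*;", re.S)


def extract_blocks(conf: str) -> list[str]:
    """Return the body of every modsecurity_rules directive with Nginx's \\' unescaped."""
    return [m.group(1).replace("\\'", "'") for m in BLOCK_RE.finditer(conf)]


def logical_lines(block: str):
    """Yield rule lines with backslash continuations joined and comments dropped."""
    for raw in re.sub(r"\\\n\s*", " ", block).splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            yield line


def split_actions(actions: str) -> list[str]:
    """Split an action list on commas that are not inside quotes (msg:'a,b' stays whole)."""
    out, buf, quote = [], [], None
    for ch in actions:
        if quote:
            buf.append(ch)
            quote = None if ch == quote else quote
        elif ch in "'\"":
            quote = ch
            buf.append(ch)
        elif ch == ",":
            out.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    out.append("".join(buf).strip())
    return [a for a in out if a]


def check_block(block: str) -> list[tuple[str, str]]:
    """Return (code, detail) findings for one rules block."""
    findings, in_chain, head = [], False, "?"
    for line in logical_lines(block):
        try:
            toks = shlex.split(line)
        except ValueError as exc:
            findings.append(("parse-error", f"{line[:40]}: {exc}"))
            continue
        if toks[0] not in ("SecRule", "SecAction"):
            continue  # engine directives (SecRuleEngine, SecAuditLog, ...) are not rules
        if toks[0] == "SecRule":
            targets, action_str = toks[1], (toks[3] if len(toks) > 3 else "")
        else:
            targets, action_str = "", (toks[1] if len(toks) > 1 else "")
        actions = split_actions(action_str)
        names = {a.split(":", 1)[0] for a in actions}
        values = dict(a.split(":", 1) for a in actions if ":" in a)
        rid = values.get("id", "?")
        for name in sorted(names - KNOWN_ACTIONS):
            findings.append(("unknown-action", f"rule {rid}: '{name}' is not a ModSecurity action"))
        if in_chain:
            # A chained rule supplies only its test; id, phase and the verdict live on the head.
            misplaced = sorted(names & (DISRUPTIVE | {"id", "phase"}))
            if misplaced:
                findings.append(("chain-continuation", f"after rule {head}: {misplaced} belong on the chain head"))
        else:
            if "id" not in names:
                findings.append(("missing-id", line[:40]))
            if "phase" not in names:
                findings.append(("missing-phase", f"rule {rid}"))
            if "status" in names and not names & {"deny", "redirect"}:
                findings.append(("status-without-deny", f"rule {rid}: status: is inert without deny/redirect"))
            if values.get("phase") == "1" and any(v in targets for v in BODY_VARS):
                findings.append(("body-in-phase1", f"rule {rid}: {targets} is incomplete before the body is read"))
            head = rid
        in_chain = "chain" in names
    return findings


def check_nginx_conf(conf: str) -> list[tuple[str, str]]:
    """Check every modsecurity_rules block found in an nginx.conf text."""
    return [f for block in extract_blocks(conf) for f in check_block(block)]


# Constructed fragment: the first three rules reproduce common mistakes, the last three fix them.
SAMPLE_CONF = r"""
location / {
    modsecurity_rules '
        SecRuleEngine On
        SecRule ARGS "@rx (union.*select)" \
            "id:100001,phase:1,tlog,deny,status:403,msg:\'SQL injection attempt\'"
        SecRule REQUEST_URI "@beginsWith /api/" "id:300,phase:1,chain,log,pass"
        SecRule REQUEST_METHOD "@streq POST" \
            "id:301,phase:1,log,deny,status:415,msg:\'API requests must be JSON\'"
        SecRule ARGS "@rx (union.*select)" \
            "id:100011,phase:2,t:none,t:lowercase,log,deny,status:403,msg:\'SQL injection attempt\'"
        SecRule REQUEST_URI "@beginsWith /api/" \
            "id:310,phase:1,log,deny,status:415,chain,msg:\'API requests must be JSON\'"
        SecRule REQUEST_METHOD "@streq POST"
    ';
}
"""

if __name__ == "__main__":
    for code, detail in check_nginx_conf(SAMPLE_CONF):
        print(f"{code:22} {detail}")
```

Run it over the real nginx.conf (`check_nginx_conf(open("/etc/nginx/nginx.conf").read())`) before nginx -t; it does not replace the engine's own parser, it catches the class of mistakes the parser accepts silently.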
Part 4: Scenarios, from blocking to monitoring
4.1 Baseline protection
A baseline for a typical site, built on the CRS. Two of the original custom rules needed changes: blocking PUT and DELETE outright breaks any REST API behind the proxy (the CRS already enforces the method list in tx.allowed_methods, so only list methods the application never uses), and ModSecurity cannot add response headers with setvar, so the Content-Security-Policy header is set with Nginx's add_header instead:
```nginx
server {
    listen 80;
    server_name example.com;
    modsecurity on;
    modsecurity_rules '
        # Engine settings
        SecRuleEngine On
        SecRequestBodyAccess On
        SecResponseBodyAccess On
        SecDataDir "/var/cache/modsecurity"
        # Audit log: error responses (except 404) plus anything a rule marks with auditlog
        SecAuditEngine RelevantOnly
        SecAuditLogRelevantStatus "^(?:5|4(?!04))"
        SecAuditLogType Serial
        SecAuditLog "/var/log/modsecurity/audit.log"
        SecAuditLogFormat JSON
        # Core Rule Set (assumes it is installed under /etc/modsecurity/crs)
        Include /etc/modsecurity/crs/crs-setup.conf
        Include /etc/modsecurity/crs/rules/*.conf
        # Custom rules: methods this particular application never uses
        SecRule REQUEST_METHOD "@rx ^(?:PUT|DELETE|CONNECT)$" \
            "id:100001,phase:1,log,deny,status:405,msg:\'HTTP method not permitted\'"
        # Requests without a User-Agent (some monitoring probes and libraries send none; adjust)
        SecRule &REQUEST_HEADERS:User-Agent "@eq 0" \
            "id:100002,phase:1,log,deny,status:403,msg:\'Request without User-Agent\'"
    ';
    # Security headers are an Nginx job, not a ModSecurity one
    add_header Content-Security-Policy "default-src 'self'" always;
    # Other Nginx configuration ...
}
```
4.2 WAF in a reverse-proxy deployment
With Nginx as the reverse proxy, ModSecurity-nginx inspects traffic once at the edge for every backend behind it. Note how the chain is written: id, phase and the disruptive action belong to the first rule of a chain and the chained rules carry only their test. The original put pass on the first link and deny on the last, a chain that can never block:
```nginx
http {
    # WAF on for everything below
    modsecurity on;
    # Global baseline: engine settings and the CRS (see 5.1)
    modsecurity_rules_file /etc/modsecurity/base-rules.conf;
    # Backend pool
    upstream backend {
        server 192.168.1.10:8080;
        server 192.168.1.11:8080;
    }
    server {
        listen 80;
        server_name app.example.com;
        location / {
            proxy_pass http://backend;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            # Application rule: POSTs to the API must declare a JSON content type
            modsecurity_rules '
                SecRule REQUEST_URI "@beginsWith /api/" \
                    "id:300,phase:1,log,deny,status:415,chain,msg:\'API requests must be JSON\'"
                SecRule REQUEST_METHOD "@streq POST" "chain"
                SecRule REQUEST_HEADERS:Content-Type "!@rx ^application/json" "t:none,t:lowercase"
            ';
        }
        # Extra checks for the admin area
        location /admin {
            proxy_pass http://backend;
            proxy_set_header Host $host;
            # Rejecting a short list of weak passwords at the WAF is a stopgap; the application
            # must enforce its own policy. sanitiseArg keeps the submitted value out of the audit log.
            modsecurity_rules '
                SecRule ARGS:password "@rx ^(?:123456|password|admin)$" \
                    "id:400,phase:2,log,deny,status:403,sanitiseArg:password,msg:\'Weak password rejected\'"
            ';
        }
    }
}
```
The X-Forwarded-For header set here is what the backend sees as the client address. For ModSecurity's own REMOTE_ADDR to hold the real client when another proxy sits in front of this Nginx, configure the realip module on this Nginx; nothing in the rules above can read X-Forwarded-For safely, since any client can send that header.
4.3 An e-commerce site
A configuration aimed at a shop's specific needs: checkout-flow integrity, card numbers leaking in responses, CSRF and per-client rate limiting. Several of these controls are weaker than they look and are annotated accordingly:
```nginx
server {
    listen 443 ssl;
    server_name shop.example.com;
    modsecurity on;
    ssl_certificate /etc/nginx/ssl/shop.crt;
    ssl_certificate_key /etc/nginx/ssl/shop.key;
    modsecurity_rules '
        # Engine settings; response-body rules need both the access switch and a matching MIME type
        SecRuleEngine On
        SecRequestBodyAccess On
        SecResponseBodyAccess On
        SecResponseBodyMimeType text/html application/json
        # Audit log: every transaction (heavy; RelevantOnly is the usual production setting)
        SecAuditEngine On
        SecAuditLog /var/log/modsecurity/shop-audit.log
        SecAuditLogFormat JSON
        # Checkout flow: payment POSTs should come from the shipping step. Referer is
        # client-controlled and often stripped by privacy settings, so this only trips
        # naive automation; it is not an authorisation control.
        SecRule REQUEST_URI "@beginsWith /checkout/payment" \
            "id:500,phase:1,log,deny,status:403,chain,msg:\'Payment request did not come from the shipping page\'"
        SecRule REQUEST_METHOD "@streq POST" "chain"
        SecRule REQUEST_HEADERS:Referer "!@beginsWith https://shop.example.com/checkout/shipping"
        # Card numbers in responses: @verifyCC applies the Luhn check to each candidate, so
        # ordinary 16-digit order numbers are not blocked the way a bare digit regex would
        SecRule RESPONSE_BODY "@verifyCC \d{13,16}" \
            "id:502,phase:4,t:none,log,deny,status:500,msg:\'Credit card number in response blocked\'"
        # CSRF: every POST must carry a token of the expected shape. The WAF can only check
        # presence and format; binding the token to the session is the job of the application.
        # Body arguments exist only from phase 2 on, and a missing argument never matches a
        # regex, hence the separate presence check with the & counter.
        SecRule REQUEST_METHOD "@streq POST" \
            "id:503,phase:2,log,deny,status:403,chain,msg:\'Missing CSRF token\'"
        SecRule &ARGS:csrf_token "@eq 0"
        SecRule REQUEST_METHOD "@streq POST" \
            "id:504,phase:2,log,deny,status:403,chain,msg:\'Malformed CSRF token\'"
        SecRule ARGS:csrf_token "!@rx ^[0-9a-f]{32}$"
        # Rate limit: more than 60 requests per client IP per minute. Persistent collections
        # (initcol, expirevar) have had gaps in libmodsecurity v3 releases, so verify this on
        # your build; for a hard limit use the limit_req module of Nginx.
        SecAction "id:505,phase:1,nolog,pass,initcol:ip=%{REMOTE_ADDR},setvar:ip.request_count=+1,expirevar:ip.request_count=60"
        SecRule IP:request_count "@gt 60" \
            "id:506,phase:1,log,deny,status:429,msg:\'Too many requests, slow down\'"
    ';
    location / {
        root /var/www/shop;
        index index.html;
    }
    location /api {
        proxy_pass http://shop-api:8080;
        proxy_set_header Host $host;
    }
    location /admin {
        root /var/www/shop/admin;
        index index.html;
        # Admin area: source-address allow-list
        modsecurity_rules '
            SecRule REMOTE_ADDR "!@ipMatch 203.0.113.0/24" "id:600,phase:1,log,deny,status:403,msg:\'Admin area is limited to the office network\'"
        ';
    }
}
```
4.4 Security monitoring and log analysis
The JSON audit log is the input to a monitoring pipeline (ELK, Loki or a SIEM). The configuration below writes one file per transaction (Concurrent) and forces an audit entry for the business events worth tracking even when no rule blocks. The chain syntax is corrected here too (id and actions on the first rule of each chain), and modsecurity_transaction_id (see 3.2) replaces the original setvar, which only copied the ID into a TX variable that is not itself logged. Request bodies are left out of the audit log on purpose: the login and profile forms carry credentials and personal data that would otherwise sit in plain text on disk:
```nginx
server {
    listen 80;
    server_name example.com;
    modsecurity on;
    modsecurity_transaction_id "$request_id";
    modsecurity_rules '
        # Engine settings
        SecRuleEngine On
        SecRequestBodyAccess On
        # Audit log: one JSON file per transaction under the storage directory
        SecAuditEngine RelevantOnly
        SecAuditLogRelevantStatus "^(?:5|4(?!04))"
        SecAuditLogFormat JSON
        SecAuditLogType Concurrent
        SecAuditLog /var/log/modsecurity/audit.log
        SecAuditLogStorageDir /var/log/modsecurity/audit/
        # No request body (part C) in the audit log
        SecAuditLogParts ABFHZ
        # Business-event audit: profile updates
        SecRule REQUEST_URI "@rx ^/user/\d+/profile" \
            "id:701,phase:1,pass,log,auditlog,chain,msg:\'User profile update\',tag:\'user\',tag:\'profile\'"
        SecRule REQUEST_METHOD "@streq POST"
        # Login attempts
        SecRule REQUEST_URI "@beginsWith /login" \
            "id:703,phase:1,pass,log,auditlog,chain,msg:\'Login attempt\',tag:\'user\',tag:\'login\'"
        SecRule REQUEST_METHOD "@streq POST"
    ';
    # Per-site Nginx logs (rotation is logrotate's job, not a ModSecurity setting)
    location / {
        access_log /var/log/nginx/example.com-access.log main;
        error_log /var/log/nginx/example.com-error.log warn;
    }
}
```
An audit entry in JSON format (abbreviated; the exact field set depends on the libmodsecurity version, so inspect a real entry before writing parsers against it). A request body appears under request.body only when part C is logged, which the configuration above avoids:
```json
{
  "transaction": {
    "client_ip": "192.168.1.100",
    "time_stamp": "Mon May 20 14:30:45 2024",
    "unique_id": "123e4567-e89b-12d3-a456-426614174000",
    "request": {
      "method": "POST",
      "uri": "/login",
      "headers": {
        "Host": "example.com",
        "User-Agent": "Mozilla/5.0...",
        "Referer": "https://example.com/login"
      }
    },
    "response": {
      "http_code": 200,
      "headers": { "Content-Type": "application/json" }
    },
    "messages": [
      {
        "message": "Login attempt",
        "details": {
          "ruleId": "703",
          "match": "Matched \"Operator `StrEq' with parameter `POST' against variable `REQUEST_METHOD' (Value: `POST' )",
          "tags": ["user", "login"],
          "severity": "0"
        }
      }
    ]
  }
}
```
4.5 Performance tuning
Under heavy traffic the WAF's cost is dominated by three things: how much request and response body is buffered and inspected, how many rules run per request (for the CRS, the paranoia level), and pathological regex matches. Two corrections to the original: SecRuleEngine DetectionOnly saves no CPU, because every rule still executes and only the verdict changes, and SecRuleRemoveById can only remove rules that have already been loaded in that context. The scanner-detection rules (913xxx) the original removed are cheap list matches; removing them buys almost nothing:
```nginx
http {
    # Baseline: engine settings plus the CRS, loaded from one include file (see 5.1)
    modsecurity_rules_file /etc/modsecurity/main.conf;
    modsecurity_rules '
        # Body handling: bound what is buffered, and reject rather than partially scan oversized bodies
        SecRequestBodyLimit 10485760
        SecRequestBodyNoFilesLimit 131072
        SecRequestBodyLimitAction Reject
        SecResponseBodyLimit 524288
        SecResponseBodyLimitAction ProcessPartial
        # Fewer rules per request: keep the CRS at paranoia level 1 (rule 900000 in crs-setup.conf)
        # Leave SecPcreMatchLimit / SecPcreMatchLimitRecursion at the modsecurity.conf-recommended
        # values: lowering them makes complex rules abort their match, and an aborted rule fails open
    ';
    server {
        listen 80;
        server_name api.example.com;
        modsecurity on;
        # Skip inspection for paths that carry no untrusted input. allow ends processing of the
        # remaining request and response phases, so this really does save the rule evaluations.
        modsecurity_rules '
            SecDebugLogLevel 0
            SecRule REQUEST_URI "!@rx ^/api/(?:v1|v2)/(?:users|orders|payments)" \
                "id:800,phase:1,nolog,allow,msg:\'Non-critical API path, inspection skipped\'"
        ';
        location /api {
            proxy_pass http://api_backend;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            # Large uploads: do not buffer the body, but keep the header-phase rules running
            location ~ ^/api/v1/uploads {
                modsecurity_rules '
                    SecRequestBodyAccess Off
                ';
            }
        }
    }
}
```
Part 5: Rule management and maintenance
5.1 Integrating the OWASP CRS
The OWASP Core Rule Set (CRS) is the maintained, generic rule set for ModSecurity. Install it next to the engine's own configuration, activate the two exclusion files that ship with an .example suffix, and load everything through one Include file so the load order is fixed in a single place. The original directive-per-file list had file names that do not exist (the REQUEST-95x data-leakage files are RESPONSE-95x, and the request-side blocking evaluation is 949, not 959), which is exactly the kind of drift a single include file avoids:
```bash
# Engine configuration from the ModSecurity source tree (adjust the clone path);
# the recommended file ships with SecRuleEngine DetectionOnly
sudo mkdir -p /etc/modsecurity
sudo cp /path/to/ModSecurity/modsecurity.conf-recommended /etc/modsecurity/modsecurity.conf
sudo cp /path/to/ModSecurity/unicode.mapping /etc/modsecurity/
sudo sed -i 's/^SecRuleEngine DetectionOnly/SecRuleEngine On/' /etc/modsecurity/modsecurity.conf
# Core Rule Set, pinned to the newest tag reachable from the default branch rather than a moving branch
git clone https://github.com/coreruleset/coreruleset.git /etc/modsecurity/crs
cd /etc/modsecurity/crs
git checkout "$(git describe --tags --abbrev=0)"
cp crs-setup.conf.example crs-setup.conf
cp rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf
cp rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.example rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf
```
One entry point, /etc/modsecurity/main.conf:
```conf
Include /etc/modsecurity/modsecurity.conf
Include /etc/modsecurity/crs/crs-setup.conf
Include /etc/modsecurity/crs/rules/*.conf
```
The wildcard expands in name order, which for the CRS is the intended load order (REQUEST-9xx files first, then RESPONSE-9xx). Only .conf files match, so an .example file you have not activated is simply skipped. In nginx.conf:
```nginx
server {
    listen 80;
    server_name example.com;
    modsecurity on;
    modsecurity_rules_file /etc/modsecurity/main.conf;
    # Site-specific adjustments, placed after the CRS has loaded
    modsecurity_rules '
        # Remove a rule that produces false positives for this site (920350: Host header is an IP address)
        SecRuleRemoveById 920350
    ';
}
```
Sensitivity is tuned in crs-setup.conf, before the rules load, not by re-setting scores afterwards. Two settings matter: the paranoia level (rule 900000) controls how many rules run, and the anomaly thresholds (rule 900110) control how many points a request may accumulate before rules 949110 (inbound) and 959100 (outbound) block it. The original set the per-severity scores (rule 900100) with new rule IDs that collide with crs-setup.conf's own; raising those scores makes the CRS stricter, not looser, since a single critical match already reaches the default inbound threshold of 5:
```conf
# crs-setup.conf: the thresholds 949110 and 959100 compare against
SecAction \
 "id:900110,\
  phase:1,\
  pass,\
  t:none,\
  nolog,\
  setvar:tx.inbound_anomaly_score_threshold=5,\
  setvar:tx.outbound_anomaly_score_threshold=4"
```
5.2 Update and maintenance process
Rule updates should be routine and testable. The script below moves the CRS checkout to the newest release tag, shows which settings in the shipped crs-setup.conf.example differ from your customised copy, validates the configuration and reloads only if validation passes (set -e aborts at the first failing command, so a broken rule never reaches the running server). The original script compared the example file with a copy of itself, which can never show a difference, and put a comment above the shebang, which must be the first line:
```bash
#!/bin/bash
# /usr/local/bin/update-modsecurity-rules
set -e
cd /etc/modsecurity/crs
# Fetch new releases and move to the newest tag on the default branch
git fetch --tags origin
git checkout "$(git describe --tags --abbrev=0 origin/HEAD)"
# Settings that changed in the shipped example since crs-setup.conf was customised
diff -u crs-setup.conf crs-setup.conf.example || true
# Validate, then reload gracefully
nginx -t
nginx -s reload
echo "ModSecurity rules updated to $(git describe --tags) at $(date)" >> /var/log/modsecurity/update.log
```
Schedule it:
```bash
# System crontab (the user field is required there): Sundays at 03:00
echo "0 3 * * 0 root /usr/local/bin/update-modsecurity-rules" | sudo tee -a /etc/crontab
```
A new CRS release can introduce new false positives, so an unattended update on a production edge is a risk in itself; run the same script on a staging instance in DetectionOnly first, or have it stop after nginx -t and leave the reload to a human.
5.3 Handling false positives and tuning
False positives are the normal state of a freshly deployed WAF. The approach that works:
- Identify them. Run the CRS in DetectionOnly, or with a raised anomaly threshold, for a period, then pull blocked (or would-be-blocked) transactions out of the audit log and group them by URI, rule ID and the variable that matched. The original grep for "action":"deny" looked for a field the JSON log does not have; the blocking decision is visible in the response status and in the rule messages:
```bash
# Serial JSON audit log: list blocked transactions with the rule and variable behind each block
jq -r 'select(.transaction.response.http_code == 403)
       | .transaction.request.uri as $uri
       | .transaction.messages[].details | [$uri, .ruleId, .match] | @tsv' \
    /var/log/modsecurity/audit.log | sort | uniq -c | sort -rn | head -20
```
- Write exclusions in REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf. Prefer the narrowest form: exclude one variable from one rule on one path (ruleRemoveTargetById) before excluding a rule for a path, and never hand out ctl:ruleEngine=Off to a source address unless that host is trusted for every request it can send:
```conf
# Narrowest: rule 942100 ignores the free-text search parameter on /search
SecRule REQUEST_URI "@beginsWith /search" \
    "id:1001,phase:1,pass,nolog,ctl:ruleRemoveTargetById=942100;ARGS:q"
# Wider: no XSS rules for the description field on the product form
SecRule REQUEST_URI "@beginsWith /products" \
    "id:1002,phase:1,pass,nolog,ctl:ruleRemoveTargetByTag=attack-xss;ARGS:description"
# Widest, and rarely justified: the WAF ignores one internal host entirely
SecRule REMOTE_ADDR "@ipMatch 192.168.1.100" \
    "id:1000,phase:1,pass,nolog,ctl:ruleEngine=Off"
```
- Adjust the thresholds rather than the scores. The anomaly thresholds live in crs-setup.conf (rule 900110); raising tx.inbound_anomaly_score_threshold lets a request accumulate more matches before 949110 blocks it. Changing the per-severity scores (rule 900100), as the original suggested, does not reduce false positives: with the default threshold of 5, one critical-severity match blocks whether critical is worth 5 or 6.
```conf
# crs-setup.conf: a less aggressive starting point while exclusions are being written
SecAction \
 "id:900110,\
  phase:1,\
  pass,\
  t:none,\
  nolog,\
  setvar:tx.inbound_anomaly_score_threshold=10,\
  setvar:tx.outbound_anomaly_score_threshold=4"
```
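The triage step above, and the audit-entry format shown in 4.4, are easier to work with in a script than with one-off jq lines once there are thousands of entries. The following is an added example, not code from the page, the CRS or ModSecurity: it reads a stream of JSON audit entries, counts which detection rules contributed to blocks (skipping the CRS evaluation rules 949/959/980, which always appear next to a real detection), records the variable each one matched on each path, drafts the narrowest ruleRemoveTargetById exclusion for review, and masks credential fields in any request body that was logged. The field names (transaction.request.uri, transaction.response.http_code, transaction.messages[].details.ruleId and .match) follow libmodsecurity's JSON audit log as observed on v3 builds; confirm them against a real entry from your own log. The three sample entries are constructed for this example.

```python
"""Triage of libmodsecurity JSON audit entries: which rules block, where, and on which variable."""
import itertools
import json
import re
from collections import Counter, defaultdict
from urllib.parse import parse_qsl, urlencode

# Constructed entries, trimmed to the fields this script reads.
SAMPLE_LOG = r'''
{"transaction":{"client_ip":"203.0.113.7","unique_id":"166b1","request":{"method":"GET","uri":"/search?q=1%20or%201%3D1","headers":{"Host":"example.com"}},"response":{"http_code":403},"messages":[{"message":"SQL Injection Attack Detected via libinjection","details":{"ruleId":"942100","match":"Matched \"Operator `DetectSQLi' with parameter `' against variable `ARGS:q' (Value: `1 or 1=1' )","tags":["attack-sqli"]}},{"message":"Inbound Anomaly Score Exceeded (Total Score: 5)","details":{"ruleId":"949110","match":"Matched \"Operator `Ge' with parameter `5' against variable `TX:ANOMALY_SCORE' (Value: `5' )","tags":["anomaly-evaluation"]}}]}}
{"transaction":{"client_ip":"198.51.100.9","unique_id":"166b2","request":{"method":"GET","uri":"/search?q=select%20a%20from%20b","headers":{"Host":"example.com"}},"response":{"http_code":403},"messages":[{"message":"SQL Injection Attack Detected via libinjection","details":{"ruleId":"942100","match":"Matched \"Operator `DetectSQLi' with parameter `' against variable `ARGS:q' (Value: `select a from b' )","tags":["attack-sqli"]}}]}}
{"transaction":{"client_ip":"198.51.100.9","unique_id":"166b3","request":{"method":"POST","uri":"/login","headers":{"Host":"example.com"},"body":"username=alice&password=hunter2"},"response":{"http_code":200},"messages":[]}}
'''

VAR_RE = re.compile(r"against variable `([^']+)'")
EVALUATION_RULES = ("949", "959", "980")  # CRS scoring/correlation rules, not detections
SENSITIVE_FIELDS = {"password", "passwd", "token", "secret"}


def iter_entries(text: str):
    """Yield JSON objects from concatenated entries (a Serial log, or Concurrent files joined)."""
    decoder, pos = json.JSONDecoder(), 0
    while True:
        while pos < len(text) and text[pos].isspace():
            pos += 1
        if pos >= len(text):
            return
        obj, pos = decoder.raw_decode(text, pos)
        yield obj


def triage(text: str):
    """Count blocking detections per rule; record which variable each hit on which path."""
    hits = Counter()                 # ruleId -> blocked transactions it contributed to
    targets = defaultdict(Counter)   # (path, ruleId) -> Counter of matched variable names
    for entry in iter_entries(text):
        tx = entry["transaction"]
        if tx.get("response", {}).get("http_code") != 403:
            continue
        path = tx["request"]["uri"].split("?", 1)[0]
        for msg in tx.get("messages", []):
            rid = str(msg["details"]["ruleId"])
            if rid.startswith(EVALUATION_RULES):
                continue
            hits[rid] += 1
            var = VAR_RE.search(msg["details"].get("match", ""))
            targets[(path, rid)][var.group(1) if var else "*"] += 1
    return hits, targets


def exclusion_rules(targets, first_id: int = 10000) -> list[str]:
    """Draft the narrowest CRS exclusion for each (path, rule) pair, for human review.

    ruleRemoveTargetById drops the rule for one variable only; when the variable is not
    known it falls back to ruleRemoveById for that path. The ids are arbitrary and must
    not collide with anything else loaded.
    """
    ids, rules = itertools.count(first_id), []
    for (path, rid), variables in sorted(targets.items()):
        for var in sorted(variables):
            ctl = f"ctl:ruleRemoveById={rid}" if var == "*" else f"ctl:ruleRemoveTargetById={rid};{var}"
            rules.append(f'SecRule REQUEST_URI "@beginsWith {path}" "id:{next(ids)},phase:1,pass,nolog,{ctl}"')
    return rules


def redact_form_body(body: str) -> str:
    """Mask credential fields in a logged urlencoded body before it is shipped anywhere."""
    pairs = parse_qsl(body, keep_blank_values=True)
    return urlencode([(k, "REDACTED" if k.lower() in SENSITIVE_FIELDS else v) for k, v in pairs])


if __name__ == "__main__":
    hits, targets = triage(SAMPLE_LOG)
    for rid, n in hits.most_common():
        print(f"rule {rid}: {n} blocked transactions")
    for rule in exclusion_rules(targets):
        print(rule)
    print(redact_form_body("username=alice&password=hunter2"))
```

The drafted exclusion is a starting point, not something to paste blindly: confirm that the blocked values were legitimate input for that parameter before the rule goes into REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.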
Part 6: Troubleshooting and performance tuning
6.1 Diagnosing common problems
Problem 1: rules have no effect
Steps:
- Confirm the engine is on for the location with a rule that cannot be missed:
```nginx
location /test {
    modsecurity on;
    modsecurity_rules '
        SecRuleEngine On
        SecRule ARGS:test "@streq 123" "id:100,phase:1,log,deny,status:403,msg:\'test rule\'"
    ';
    return 200 "OK";
}
```
Test with curl "http://example.com/test?test=123"; a 403 proves the module is loaded and the engine is On for this location. A 200 usually means one of three things: SecRuleEngine is DetectionOnly (the setting shipped in modsecurity.conf-recommended), modsecurity off was inherited from an outer context, or the rule file was loaded in a context that does not cover this location.
- Read the Nginx error log; the connector writes rule matches and engine errors there:
```bash
tail -f /var/log/nginx/error.log | grep -i modsecurity
```
- Turn up the debug log temporarily (level 9 writes enough to slow a busy server; set it back afterwards):
```nginx
modsecurity_rules '
    SecDebugLog /var/log/modsecurity/debug.log
    SecDebugLogLevel 9
';
```
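One probe with curl answers the question once; a table of probes answers it after every rule update, every exclusion added in 5.3 and every restructuring of the location tree from 3.3. The following regression harness is an added example, not code from the page: each case names a request and the status the policy promises for it, and the transport is injectable so the same table runs against a live Nginx or, as here, against a stand-in that simulates a deployment where the /api/public exclusion was lost. The cases assume the locations configured in Part 3 (the /test probe rule, the WAF switched off under /api/public, a phase-2 rule on form bodies); adapt them to your own configuration.

```python
"""Regression checks for a ModSecurity-nginx policy: expected status per request."""
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass(frozen=True)
class Case:
    name: str
    method: str
    path: str
    expect: int
    body: Optional[bytes] = None
    headers: tuple = ()


# Assumed policy from Part 3; adjust paths and expectations to the real nginx.conf.
CASES = (
    Case("probe rule fires on /test", "GET", "/test?test=123", 403),
    Case("clean request passes /test", "GET", "/test?test=abc", 200),
    Case("form-body payload is caught in phase 2", "POST", "/", 403,
         body=b"q=<script>alert(1)</script>",
         headers=(("Content-Type", "application/x-www-form-urlencoded"),)),
    Case("WAF is off under /api/public", "GET", "/api/public?q=%3Cscript%3Ealert(1)%3C/script%3E", 200),
)


def http_status(base_url: str, case: Case) -> int:
    """Real transport: send the case to base_url and return the HTTP status, 4xx/5xx included."""
    req = urllib.request.Request(base_url + case.path, data=case.body,
                                 method=case.method, headers=dict(case.headers))
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def run(cases, status_of: Callable[[Case], int]) -> list[str]:
    """Return one line per case whose observed status differs from what the policy promises."""
    failures = []
    for case in cases:
        got = status_of(case)
        if got != case.expect:
            failures.append(f"{case.name}: expected {case.expect}, got {got}")
    return failures


def table_transport(table: dict) -> Callable[[Case], int]:
    """Offline stand-in for http_status: answer from a (method, path) -> status table."""
    return lambda case: table.get((case.method, case.path), 200)


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        # Against a real server: python waf_regress.py http://127.0.0.1
        failures = run(CASES, lambda c: http_status(sys.argv[1], c))
    else:
        # Offline: a deployment where the /api/public exclusion was lost and now blocks
        simulated = {("GET", "/test?test=123"): 403, ("POST", "/"): 403,
                     ("GET", "/api/public?q=%3Cscript%3Ealert(1)%3C/script%3E"): 403}
        failures = run(CASES, table_transport(simulated))
    print("\n".join(failures) or "all cases passed")
    raise SystemExit(1 if failures else 0)
```

Run it from the rule-update script in 5.2 between nginx -t and nginx -s reload against a staging instance, and treat a non-zero exit as a failed update: a case that expects 403 and gets 200 means a control silently disappeared, which is the failure mode a WAF never reports on its own.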
Problem 2: throughput dropped
Diagnosis and remedies:
- Measure before changing anything. Compare $request_time in the access log, or the request rate from stub_status, with modsecurity on and off for the same traffic; the difference is the WAF's cost:
```nginx
location /status {
    stub_status on;
    allow 127.0.0.1;
    deny all;
}
```
- Find the expensive part. libmodsecurity does not record per-rule execution times, so the "Rule execution time" grep in the original had nothing to match; bisect instead. Drop the CRS to paranoia level 1, then temporarily remove rule groups with SecRuleRemoveById or SecRuleRemoveByTag while watching $request_time. Large request bodies are the usual culprit, followed by response-body inspection and the regex-heavy rules that higher paranoia levels enable.
- Fix the cause rather than the symptom:
```conf
# Bound what is buffered and inspected
SecRequestBodyLimit 1048576
SecRequestBodyNoFilesLimit 131072
SecResponseBodyLimit 524288
SecResponseBodyMimeType text/html
# Remove only rules you have shown to be both costly and irrelevant to this site
SecRuleRemoveById 913100 913110
# Keep SecPcreMatchLimit / SecPcreMatchLimitRecursion at the modsecurity.conf-recommended
# values. If the debug log reports PCRE limit errors, raise them; lowering them, as the
# original suggested, makes complex rules abort their match and fail open.
```
6.2 Tuning guide
Host resources
| Resource | Recommendation | Why it matters for the WAF |
|---|---|---|
| CPU | worker_processes auto with worker_cpu_affinity auto | rule evaluation runs inside the worker; one worker per core avoids contention |
| Memory | keep headroom for request and response body buffers; avoid swap | the body limits multiply by the number of concurrent requests |
| Disk I/O | put audit logs on fast storage, or use Concurrent logging to a separate volume | Serial audit logging is a synchronous write in the worker |
| Network | keepalive and TCP tuning as for any Nginx deployment | no WAF-specific effect |
Gains depend entirely on the rule set and the traffic; measure on your own workload rather than assuming fixed percentages.
Nginx configuration
```nginx
worker_processes auto;
worker_cpu_affinity auto;
events {
    worker_connections 10240;
    multi_accept on;
    use epoll;
}
http {
    # Connections
    keepalive_timeout 15;
    keepalive_requests 100;
    tcp_nopush on;
    tcp_nodelay on;
    # Buffers
    client_body_buffer_size 16k;
    client_header_buffer_size 1k;
    large_client_header_buffers 4 8k;
    # Compression
    gzip on;
    gzip_comp_level 2;
    gzip_min_length 1024;
    # ModSecurity: bound the bodies that are buffered for inspection
    modsecurity_rules '
        SecRequestBodyNoFilesLimit 131072
        SecResponseBodyMimeType text/plain text/html text/xml application/json
        SecResponseBodyLimit 524288
    ';
}
```
Authoring note: parts of this article were produced with AI assistance (AIGC) and are provided for reference only.