All source code is kept under /opt/src.
Download and build ModSecurity
sudo mkdir /opt/src
sudo mkdir /opt/mod
cd /opt/src
sudo wget https://github.com/SpiderLabs/ModSecurity/releases/download/v2.9.3/modsecurity-2.9.3.tar.gz
sudo apt-get install apache2-dev libxml2-dev openssl libssl-dev zlib1g-dev libpcre3 libpcre3-dev libxslt-dev libgd-dev libgeoip-dev
sudo tar -zxvf modsecurity-2.9.3.tar.gz
cd modsecurity-2.9.3
./configure --enable-standalone-module --disable-mlogc --prefix=/opt/mod
sudo make
sudo make install
Download and build nginx
cd /opt/src
wget http://nginx.org/download/nginx-1.21.0.tar.gz
tar -zxvf nginx-1.21.0.tar.gz
cd nginx-1.21.0
./configure --prefix=/opt/waf \
--without-select_module \
--without-poll_module \
--with-file-aio \
--with-threads \
--with-ipv6 \
--with-http_addition_module \
--with-http_auth_request_module \
--with-http_gunzip_module \
--with-http_gzip_static_module \
--with-http_realip_module \
--with-http_secure_link_module \
--with-http_slice_module \
--with-http_ssl_module \
--with-http_stub_status_module \
--with-http_sub_module \
--with-http_v2_module \
--with-stream_ssl_module \
--with-http_xslt_module=dynamic \
--with-http_geoip_module=dynamic \
--with-stream=dynamic \
--with-stream_geoip_module=dynamic \
--add-module=/opt/src/modsecurity-2.9.3/nginx/modsecurity/ \
--with-compat
make
make install
Add ModSecurity to nginx
mkdir -p /opt/waf/conf/modsecurity/
cp /opt/src/modsecurity-2.9.3/modsecurity.conf-recommended /opt/waf/conf/modsecurity/modsecurity.conf
cp /opt/src/modsecurity-2.9.3/unicode.mapping /opt/waf/conf/modsecurity/unicode.mapping
cp -p /opt/mod/lib/* /opt/waf/modules
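Download the rule file archive and extract it, then copy crs-setup.conf.example into /opt/waf/conf/modsecurity/ and rename it to crs-setup.conf.
Copy the rules folder into /opt/waf/conf/modsecurity/ and rename the two files REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example and RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.example by removing ".example" from their names. Rules you write yourself can be placed in these two files.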
Edit modsecurity.conf
Change SecRuleEngine DetectionOnly to SecRuleEngine On, and append the following to the end of the file:
Include crs-setup.conf
Include rules/*.conf
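The rule installation and modsecurity.conf edits described above, written as one repeatable shell function. This is an added example, not part of the original page; the function name install_crs and its two arguments (the extracted rule directory and the ModSecurity config directory) are assumptions, and it relies on GNU sed's -i option.

```shell
#!/usr/bin/env bash
# Added example (not from the original page). install_crs and its arguments
# are hypothetical names: $1 = extracted rule-set directory, $2 = ModSecurity
# config directory (e.g. /opt/waf/conf/modsecurity). Requires GNU sed.
install_crs() {
    crs_src="$1"; crs_dst="$2"; crs_conf="$2/modsecurity.conf"
    # Stop early if any expected input is missing.
    for crs_p in "$crs_src/crs-setup.conf.example" "$crs_src/rules" "$crs_conf"; do
        [ -e "$crs_p" ] || { echo "missing: $crs_p" >&2; return 1; }
    done
    # Keep an existing crs-setup.conf so local tuning survives a re-run.
    [ -f "$crs_dst/crs-setup.conf" ] ||
        cp "$crs_src/crs-setup.conf.example" "$crs_dst/crs-setup.conf" || return 1
    cp -r "$crs_src/rules" "$crs_dst/" || return 1
    # Drop ".example" from the two exclusion files; never overwrite a file
    # that may already hold custom rules.
    for crs_f in REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf \
                 RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf; do
        if [ -f "$crs_dst/rules/$crs_f.example" ] && [ ! -f "$crs_dst/rules/$crs_f" ]; then
            mv "$crs_dst/rules/$crs_f.example" "$crs_dst/rules/$crs_f" || return 1
        fi
    done
    # Switch the engine from DetectionOnly to On.
    sed -i 's/^[[:space:]]*SecRuleEngine[[:space:]]\{1,\}DetectionOnly[[:space:]]*$/SecRuleEngine On/' \
        "$crs_conf" || return 1
    # Append each Include line only if it is not already present.
    for crs_l in 'Include crs-setup.conf' 'Include rules/*.conf'; do
        grep -qxF "$crs_l" "$crs_conf" || printf '%s\n' "$crs_l" >> "$crs_conf" || return 1
    done
    # Succeed only if the engine really ended up in blocking mode.
    grep -q '^SecRuleEngine On$' "$crs_conf"
}

# Run directly as: ./install_crs.sh <extracted-rule-dir> <modsecurity-conf-dir>
if [ "$#" -eq 2 ]; then
    install_crs "$1" "$2"
fi
```

Running it a second time leaves crs-setup.conf, the renamed exclusion files and the Include lines as they are, so local rules are not lost.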
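Edit nginx.conf
Add the following inside the http or server block (adding it to the http block applies it globally; adding it to a server block applies it only to that site):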
ModSecurityEnabled on;
ModSecurityConfig modsecurity/modsecurity.conf;
server_tokens off;
Start nginx
/opt/waf/sbin/nginx