Embedding a WAF in an LNMP Cluster Architecture

Preface:

I had planned to publish an article every day, but after a few days in a row I found that there are plenty of blogging experts out there, so I decided not to embarrass myself and instead spent the time studying security protection. After all, how strong your security awareness is decides how well you can defend on the Internet: DDoS, XSS, CSRF and the like show up all the time, as do the basic attack methods such as SQL injection, web parameter tampering and CC (HTTP flood) attacks. So I recorded the whole process below of embedding a WAF into the LNMP architecture and applying it to a real cluster, together with the protection modules written in Lua.

Hands-on:

Server architecture diagram (figure omitted):

I. High-availability load balancing for the web server cluster

1. High availability: nginx + keepalived

master (web1): 192.168.0.230

slave (web2): 192.168.0.211

VIP: 192.168.0.100

2. Install keepalived on both nodes

[root@web1 ~]# yum install -y keepalived

3. Create the nginx monitoring script

[root@web1 ~]# mkdir -p /server/work

[root@web1 ~]# cd /server/work/

[root@web1 work]# vim check_ng.sh

#!/bin/bash

#write by leo

d=`date --date today +%Y%m%d_%H:%M:%S`

n=`ps -C nginx --no-heading|wc -l`

#If there are no nginx processes, start nginx and count again.
#If the count is still 0, nginx cannot start, so stop keepalived
#(the VIP then moves to the backup node).

if [ $n -eq "0" ]; then
    /etc/init.d/nginx start
    n2=`ps -C nginx --no-heading|wc -l`
    if [ $n2 -eq "0" ]; then
        echo "$d nginx down, keepalived will stop" >> /server/logs/nginx/check_ng.log
        systemctl stop keepalived
    fi
fi

[root@web1 work]# mkdir -p /server/logs/nginx

[root@web1 work]# chmod +x check_ng.sh

(Create the same script and log directory on web2 as well; both keepalived configurations below reference /server/work/check_ng.sh.)

4. Edit the keepalived configuration on the master

[root@web1 ~]# vim /etc/keepalived/keepalived.conf

! Configuration File for keepalived

global_defs {
    notification_email {
        boheng@buyercamp.com
    }
    notification_email_from root@web1
    smtp_server 127.0.0.1
    smtp_connect_timeout 30
    router_id LVS_DEVEL
}

vrrp_script chk_nginx {
    script "/server/work/check_ng.sh"
    interval 3
}

vrrp_instance VI_1 {
    state MASTER
    interface ens33
    virtual_router_id 51
    priority 100
    advert_int 1
    authentication {
        auth_type PASS
        auth_pass 000000
    }
    virtual_ipaddress {
        192.168.0.100
    }
    track_script {
        chk_nginx
    }
}

Two things to be aware of in this file. auth_type PASS puts auth_pass in cleartext in every VRRP advertisement multicast on the LAN, so it only guards against an accidental clash of virtual_router_id; anyone on the segment can read the password and advertise a higher priority to take the VIP. And because check_ng.sh always exits 0, keepalived itself never sees a failed check; the script's only lever is to stop keepalived, which is why step 3 does exactly that.

[root@web1 ~]# systemctl stop nginx

[root@web1 ~]# systemctl status nginx
● nginx.service - LSB: starts the nginx web server
   Loaded: loaded (/etc/rc.d/init.d/nginx; bad; vendor preset: disabled)
   Active: inactive (dead)
     Docs: man:systemd-sysv-generator(8)

[root@web1 ~]# systemctl start keepalived

[root@web1 ~]# systemctl status keepalived
● keepalived.service - LVS and VRRP High Availability Monitor
   Loaded: loaded (/usr/lib/systemd/system/keepalived.service; disabled; vendor preset: disabled)
   Active: active (running) since Fri 2018-07-13 15:06:13 CST; 32s ago
  Process: 14019 ExecStart=/usr/sbin/keepalived $KEEPALIVED_OPTIONS (code=exited, status=0/SUCCESS)
 Main PID: 14020 (keepalived)
   CGroup: /system.slice/keepalived.service
           ├─14020 /usr/sbin/keepalived -D
           ├─14021 /usr/sbin/keepalived -D
           └─14022 /usr/sbin/keepalived -D

Jul 13 15:06:15 web1 Keepalived_vrrp[14022]: Sending gratuitous ARP on...
Jul 13 15:06:15 web1 Keepalived_vrrp[14022]: Sending gratuitous ARP on...
Jul 13 15:06:15 web1 Keepalived_vrrp[14022]: Sending gratuitous ARP on...
Jul 13 15:06:15 web1 Keepalived_vrrp[14022]: Sending gratuitous ARP on...
Jul 13 15:06:20 web1 Keepalived_vrrp[14022]: Sending gratuitous ARP on...
Jul 13 15:06:20 web1 Keepalived_vrrp[14022]: VRRP_Instance(VI_1) Sendi...
Jul 13 15:06:20 web1 Keepalived_vrrp[14022]: Sending gratuitous ARP on...
Jul 13 15:06:20 web1 Keepalived_vrrp[14022]: Sending gratuitous ARP on...
Jul 13 15:06:20 web1 Keepalived_vrrp[14022]: Sending gratuitous ARP on...
Jul 13 15:06:20 web1 Keepalived_vrrp[14022]: Sending gratuitous ARP on...
Hint: Some lines were ellipsized, use -l to show in full.

5. Edit the keepalived configuration on the slave

[root@web2 ~]# vim /etc/keepalived/keepalived.conf

! Configuration File for keepalived

global_defs {
    notification_email {
        boheng@buyercamp.com
    }
    notification_email_from root@web2
    smtp_server 127.0.0.1
    smtp_connect_timeout 30
    router_id LVS_DEVEL
}

vrrp_script chk_nginx {
    script "/server/work/check_ng.sh"
    interval 3
}

vrrp_instance VI_1 {
    state BACKUP
    interface ens33
    virtual_router_id 51
    priority 90
    advert_int 1
    authentication {
        auth_type PASS
        auth_pass 000000
    }
    virtual_ipaddress {
        192.168.0.100
    }
    track_script {
        chk_nginx
    }
}

[root@web2 ~]# systemctl stop nginx

[root@web2 ~]# systemctl status nginx
● nginx.service - LSB: starts the nginx web server
   Loaded: loaded (/etc/rc.d/init.d/nginx; bad; vendor preset: disabled)
   Active: inactive (dead)
     Docs: man:systemd-sysv-generator(8)

[root@web2 ~]# systemctl start keepalived

[root@web2 ~]# systemctl status keepalived
● keepalived.service - LVS and VRRP High Availability Monitor
   Loaded: loaded (/usr/lib/systemd/system/keepalived.service; disabled; vendor preset: disabled)
   Active: active (running) since Fri 2018-07-13 15:07:20 CST; 43s ago
  Process: 13279 ExecStart=/usr/sbin/keepalived $KEEPALIVED_OPTIONS (code=exited, status=0/SUCCESS)
 Main PID: 13280 (keepalived)
   CGroup: /system.slice/keepalived.service
           ├─13280 /usr/sbin/keepalived -D
           ├─13281 /usr/sbin/keepalived -D
           └─13282 /usr/sbin/keepalived -D

Jul 13 15:07:20 web2 Keepalived_vrrp[13282]: Registering Kernel netlin...
Jul 13 15:07:20 web2 Keepalived_vrrp[13282]: Registering gratuitous AR...
Jul 13 15:07:20 web2 Keepalived_vrrp[13282]: Opening file '/etc/keepal...
Jul 13 15:07:20 web2 Keepalived_vrrp[13282]: WARNING - default user 'k...
Jul 13 15:07:20 web2 Keepalived_vrrp[13282]: SECURITY VIOLATION - scri...
Jul 13 15:07:20 web2 Keepalived_vrrp[13282]: VRRP_Instance(VI_1) remov...
Jul 13 15:07:20 web2 Keepalived_vrrp[13282]: Using LinkWatch kernel ne...
Jul 13 15:07:20 web2 Keepalived_vrrp[13282]: VRRP_Instance(VI_1) Enter...
Jul 13 15:07:20 web2 Keepalived_vrrp[13282]: VRRP sockpool: [ifindex(2...
Jul 13 15:07:20 web2 Keepalived_vrrp[13282]: VRRP_Script(chk_nginx) su...
Hint: Some lines were ellipsized, use -l to show in full.

The two truncated warnings in the journal matter: keepalived 1.3.5 is reporting that the check script is being executed without enable_script_security, and that the unprivileged user keepalived_script it would run scripts as does not exist. As configured, check_ng.sh runs as root, so anyone who can write to /server/work/check_ng.sh gets root every 3 seconds. Create that user (or set script_user) and add enable_script_security to global_defs; keepalived then refuses scripts that are writable by non-root users.

6. Check the IP addresses on the master

[root@web1 ~]# ip a
1: lo: mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: ens33: mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:0c:29:c5:33:97 brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.230/24 brd 192.168.0.255 scope global noprefixroute dynamic ens33
       valid_lft 6103sec preferred_lft 6103sec
    inet 192.168.0.100/32 scope global ens33
       valid_lft forever preferred_lft forever

The VIP 192.168.0.100 is bound on the master.

7. Check the IP addresses on the slave

[root@web2 ~]# ip a
1: lo: mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: ens33: mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:0c:29:d7:df:dc brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.211/24 brd 192.168.0.255 scope global noprefixroute dynamic ens33
       valid_lft 6107sec preferred_lft 6107sec
    inet6 fe80::20c:29ff:fed7:dfdc/64 scope link
       valid_lft forever preferred_lft forever

No VIP on the backup while the master is healthy.

8. Stop keepalived on the master (simulating a master outage; this is a clean failover, not a split-brain, which would be both nodes holding the VIP at the same time)

[root@web1 ~]# systemctl stop keepalived

[root@web1 ~]# systemctl status keepalived
● keepalived.service - LVS and VRRP High Availability Monitor
   Loaded: loaded (/usr/lib/systemd/system/keepalived.service; disabled; vendor preset: disabled)
   Active: inactive (dead)

Jul 13 15:06:20 web1 Keepalived_vrrp[14022]: Sending gratuitous ARP on...
Jul 13 15:06:20 web1 Keepalived_vrrp[14022]: Sending gratuitous ARP on...
Jul 13 15:06:20 web1 Keepalived_vrrp[14022]: Sending gratuitous ARP on...
Jul 13 15:11:20 web1 systemd[1]: Stopping LVS and VRRP High Availabil....
Jul 13 15:11:20 web1 Keepalived[14020]: Stopping
Jul 13 15:11:20 web1 Keepalived_vrrp[14022]: VRRP_Instance(VI_1) sent ...
Jul 13 15:11:20 web1 Keepalived_vrrp[14022]: VRRP_Instance(VI_1) remov...
Jul 13 15:11:21 web1 Keepalived_vrrp[14022]: Stopped
Jul 13 15:11:21 web1 Keepalived[14020]: Stopped Keepalived v1.3.5 (03...2
Jul 13 15:11:21 web1 systemd[1]: Stopped LVS and VRRP High Availabili....
Hint: Some lines were ellipsized, use -l to show in full.

9. Check the state on the slave

[root@web2 ~]# ip a
1: lo: mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: ens33: mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:0c:29:d7:df:dc brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.211/24 brd 192.168.0.255 scope global noprefixroute dynamic ens33
       valid_lft 5895sec preferred_lft 5895sec
    inet 192.168.0.100/32 scope global ens33
       valid_lft forever preferred_lft forever
    inet6 fe80::20c:29ff:fed7:dfdc/64 scope link
       valid_lft forever preferred_lft forever

The VIP has moved to web2.

[root@web2 ~]# systemctl status keepalived
● keepalived.service - LVS and VRRP High Availability Monitor
   Loaded: loaded (/usr/lib/systemd/system/keepalived.service; disabled; vendor preset: disabled)
   Active: active (running) since Fri 2018-07-13 15:07:20 CST; 7min ago
  Process: 13279 ExecStart=/usr/sbin/keepalived $KEEPALIVED_OPTIONS (code=exited, status=0/SUCCESS)
 Main PID: 13280 (keepalived)
   CGroup: /system.slice/keepalived.service
           ├─13280 /usr/sbin/keepalived -D
           ├─13281 /usr/sbin/keepalived -D
           └─13282 /usr/sbin/keepalived -D

Jul 13 15:12:22 web2 Keepalived_vrrp[13282]: Sending gratuitous ARP on...
Jul 13 15:12:22 web2 Keepalived_vrrp[13282]: Sending gratuitous ARP on...
Jul 13 15:12:22 web2 Keepalived_vrrp[13282]: Sending gratuitous ARP on...
Jul 13 15:12:22 web2 Keepalived_vrrp[13282]: Sending gratuitous ARP on...
Jul 13 15:12:27 web2 Keepalived_vrrp[13282]: Sending gratuitous ARP on...
Jul 13 15:12:27 web2 Keepalived_vrrp[13282]: VRRP_Instance(VI_1) Sendi...
Jul 13 15:12:27 web2 Keepalived_vrrp[13282]: Sending gratuitous ARP on...
Jul 13 15:12:27 web2 Keepalived_vrrp[13282]: Sending gratuitous ARP on...
Jul 13 15:12:27 web2 Keepalived_vrrp[13282]: Sending gratuitous ARP on...
Jul 13 15:12:27 web2 Keepalived_vrrp[13282]: Sending gratuitous ARP on...
Hint: Some lines were ellipsized, use -l to show in full.

10. Check for packet loss

Simulate continuous access from a Windows host and watch ping for dropped packets while the VIP moves.
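The check script in step 3 only counts nginx processes and always exits 0, so keepalived never learns the result and the script's only lever is to stop keepalived outright. The script below is an added example, not the article's script, of a check that probes nginx over HTTP and reports through its exit status, which is what keepalived's vrrp_script reads: with weight -20 on chk_nginx the master's priority drops from 100 to 80, below the backup's 90, the VIP moves while keepalived keeps running, and it comes back once nginx is healthy again. It assumes the /nginx_status location from the vhost configs in section II answers on 127.0.0.1 and that /server/logs/nginx exists; the probe command is overridable so the decision logic can be exercised without a running nginx.

```sh
#!/bin/sh
# check_ng.sh, hardened variant (added example; not the article's script).
# Differences from the version in step 3:
#   * nginx is probed over HTTP, not by counting processes: a wedged
#     worker still has a process but answers nothing;
#   * the result is reported through the exit status, which keepalived's
#     vrrp_script evaluates; with "weight -20" on chk_nginx a failing
#     probe drops the master from priority 100 to 80, below the backup's
#     90, so the VIP moves without stopping keepalived and returns when
#     nginx is healthy again;
#   * service control goes through systemctl only.
# Assumptions: /nginx_status is served on 127.0.0.1 (as in the vhost
# configs of section II) and /server/logs/nginx exists. The probe command
# is overridable so the decision logic can be exercised without nginx.

LOG=${CHECK_NG_LOG:-/server/logs/nginx/check_ng.log}
PROBE_URL=${CHECK_NG_URL:-http://127.0.0.1/nginx_status}
PROBE=${CHECK_NG_PROBE:-"curl -fsS --max-time 2 -o /dev/null $PROBE_URL"}

log() { printf '%s %s\n' "$(date +%Y%m%d_%H:%M:%S)" "$*" >> "$LOG"; }

# nginx_up: exit 0 when the probe succeeds
nginx_up() { $PROBE >/dev/null 2>&1; }

# decide_action <up_before> <up_after_restart>: 1 = healthy, 0 = down.
# Prints ok | restarted | failover. Kept pure so the policy is testable.
decide_action() {
    if [ "$1" -eq 1 ]; then
        echo ok
    elif [ "$2" -eq 1 ]; then
        echo restarted
    else
        echo failover
    fi
}

main() {
    if nginx_up; then before=1; else before=0; fi
    after=$before
    if [ "$before" -eq 0 ]; then
        systemctl start nginx >/dev/null 2>&1
        sleep 1
        if nginx_up; then after=1; else after=0; fi
    fi
    case "$(decide_action "$before" "$after")" in
        ok)        exit 0 ;;
        restarted) log "nginx was down and has been restarted"; exit 0 ;;
        failover)  log "nginx cannot be started, releasing the VIP"
                   # Non-zero exit lowers this node's priority by |weight|;
                   # "systemctl stop keepalived" here is the article's
                   # blunter alternative.
                   exit 1 ;;
    esac
}

# Run only when executed as the script; sourcing it exposes the functions.
case "${0##*/}" in check_ng*.sh) main ;; esac
```

To use it, replace the step 3 script with this one on both nodes and add weight -20 (and optionally fall 2 and rise 2) to the vrrp_script chk_nginx block in both keepalived.conf files; the exit status then drives the priority and no systemctl stop keepalived is needed.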

II. Set up the shared storage server

1. Install NFS; the master is the server

[root@web1 web]# yum install -y rpcbind nfs-utils

2. The slave is the client

[root@web2 web]# yum install -y nfs-utils

3. Start the shared storage service on the master

[root@web1 web]# cat /etc/exports
/server/web 192.168.0.0/24(rw,sync,no_root_squash)

[root@web1 web]# systemctl start nfs

no_root_squash lets root on any client in 192.168.0.0/24 write to the export as root, and the export is the web document root, so every host on that subnet, not only web2, can plant or alter files the web servers will serve and execute. Use root_squash unless root access is really needed, and narrow the client list to the web nodes.

4. Check the shared storage from the slave client

[root@web2 web]# showmount -e 192.168.0.230
Export list for 192.168.0.230:
/server/web 192.168.0.0/24

[root@web2 web]# mount -t nfs -o proto=tcp,nolock 192.168.0.230:/server/web /server/web

[root@web2 web]# ls

[root@web2 web]# df -h
Filesystem                 Size  Used Avail Use% Mounted on
/dev/mapper/centos-root     50G  4.2G   46G   9% /
devtmpfs                   899M     0  899M   0% /dev
tmpfs                      911M     0  911M   0% /dev/shm
tmpfs                      911M  9.6M  902M   2% /run
tmpfs                      911M     0  911M   0% /sys/fs/cgroup
/dev/sda1                 1014M  142M  873M  14% /boot
/dev/mapper/centos-home     47G   74M   47G   1% /home
tmpfs                      183M     0  183M   0% /run/user/0
192.168.0.230:/server/web   50G  4.2G   46G   9% /server/web

[root@web2 web]#

This mount is not persisted; add a matching line to /etc/fstab on web2 or it is gone after a reboot.

5. Edit the nginx virtual host configuration (identical on both nodes)

[root@web1 ~]# cd /usr/local/nginx/conf/vhost/

[root@web1 vhost]# vim zt.conf

server {
    listen 80;
    #listen [::]:80 default_server ipv6only=on;
    server_name zt.linuxview.com;
    index index.html index.htm index.php;
    root /server/web/test;

    #error_page 404 /404.html;
    error_page 404 /404.html;

    include enable-php.conf;

    location /nginx_status {
        stub_status on;
        access_log off;
    }

    location ~* ^/data/(attachment|avatar)/.*\.(php|php5)$ {
        deny all;
    }

    location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$ {
        expires 30d;
    }

    location ~ .*\.(js|css)?$ {
        expires 12h;
    }

    location ~ /\. {
        deny all;
    }

    access_log /server/logs/nginx/zuitu/access.log;
    error_log  /server/logs/nginx/zuitu/error.log;
}

The deny rules are worth keeping: the first blocks PHP execution in the upload directories, the second hides dot-files such as .git or .htaccess. /nginx_status, however, is open to everyone here; add allow 127.0.0.1; deny all; inside that location unless the counters are meant to be public.

6. Browse to the site (screenshot omitted)

7. Set up the reverse proxy on the master

[root@web1 vhost]# vim xs.conf

server {
    listen 80;
    server_name xs.linuxview.com;

    location / {
        proxy_pass http://192.168.0.211:80;
        proxy_set_header Host xs.linuxview.com;
        proxy_redirect off;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_connect_timeout 60;
        proxy_read_timeout 600;
        proxy_send_timeout 600;
    }

    access_log /server/logs/nginx/zuitu/access.log;
    error_log  /server/logs/nginx/zuitu/error.log;
}

X-Real-IP must carry $remote_addr, the connecting client's address; the original hard-coded the backend's own address 192.168.0.211 there, which would make every request look as if it came from the backend itself in its logs and in any per-client control behind the proxy.

[root@web1 vhost]# /usr/local/nginx/sbin/nginx -s reload

8. Configure nginx on the slave

[root@web2 vhost]# vim xs.conf

server {
    listen 80;
    #listen [::]:80 default_server ipv6only=on;
    server_name xs.linuxview.com;
    index index.html index.htm index.php;
    root /server/web/test3;

    #error_page 404 /404.html;
    error_page 404 /404.html;

    include enable-php.conf;

    location /nginx_status {
        stub_status on;
        access_log off;
    }

    location ~* ^/data/(attachment|avatar)/.*\.(php|php5)$ {
        deny all;
    }

    location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$ {
        expires 30d;
    }

    location ~ .*\.(js|css)?$ {
        expires 12h;
    }

    location ~ /\. {
        deny all;
    }

    access_log /server/logs/nginx/zuitu/access.log;
    error_log  /server/logs/nginx/zuitu/error.log;
}

[root@web2 vhost]# /usr/local/nginx/sbin/nginx -s reload

9. Browse to the site to test (screenshot omitted)

III. Embedding the WAF into the LNMP architecture

1. Install the build dependencies

[root@waf ~]# yum install -y readline-devel pcre-devel openssl-devel gcc* git* libxml2*

2. Download LuaJIT 2.0.5 and build it from source

[root@waf ~]# mkdir -p /server/source

[root@waf ~]# cd /server/source/

[root@waf source]# wget http://luajit.org/download/LuaJIT-2.0.5.tar.gz

[root@waf source]# tar -xf LuaJIT-2.0.5.tar.gz

[root@waf source]# cd LuaJIT-2.0.5

[root@waf LuaJIT-2.0.5]# export LUAJIT_LIB=/usr/local/lib

[root@waf LuaJIT-2.0.5]# export LUAJIT_INC=/usr/local/include/luajit-2.0

[root@waf LuaJIT-2.0.5]# make && make install && ln -s /usr/local/lib/libluajit-5.1.so.2 /lib64/libluajit-5.1.so.2

(OpenResty built with --with-luajit in step 3 bundles its own LuaJIT, so the two exports only matter if a plain nginx is later built against lua-nginx-module. The tarball is fetched over plain HTTP with no checksum or signature check.)

Indication of a successful install (screenshot omitted).

3. Download, build and install OpenResty

[root@waf source]# wget https://openresty.org/download/openresty-1.11.2.2.tar.gz

[root@waf source]# tar -xf openresty-1.11.2.2.tar.gz

[root@waf source]# cd openresty-1.11.2.2

[root@waf openresty-1.11.2.2]# ./configure --prefix=/usr/local/openresty --user=www --group=www --with-luajit --with-http_v2_module --with-http_stub_status_module --with-http_ssl_module --with-http_gzip_static_module --with-ipv6 --with-http_sub_module --with-pcre --with-pcre-jit --with-file-aio --with-http_dav_module

[root@waf openresty-1.11.2.2]# gmake && gmake install

4. Raise the maximum number of open files

[root@waf openresty-1.11.2.2]# echo 100000 > /proc/sys/fs/file-max

[root@waf openresty-1.11.2.2]# ulimit -n 100000

The kernel-wide limit in /proc is written with echo or sysctl (it cannot be edited in vim), and the per-process limit nginx workers inherit is ulimit -n; ulimit -l caps locked memory and is unrelated. Neither setting survives a reboot: persist them in /etc/sysctl.conf (fs.file-max) and /etc/security/limits.conf, or set worker_rlimit_nofile in nginx.conf.

5. Edit the nginx.conf bundled with OpenResty (--prefix set the install directory, so the configuration lives there; once the build has finished there is no need to stay in the source tree)

[root@waf openresty]# mkdir /server/conf

[root@waf openresty]# pwd
/usr/local/openresty

[root@waf openresty]# cd /server/conf/

[root@waf conf]# ls

[root@waf conf]# ln -s /usr/local/openresty /server/conf/openresty

[root@waf conf]# ls
openresty

[root@waf conf]# ln -s /usr/local/openresty/nginx /server/conf/nginx

[root@waf conf]# ll
total 0
lrwxrwxrwx 1 root root 26 Jul 10 09:25 nginx -> /usr/local/openresty/nginx
lrwxrwxrwx 1 root root 20 Jul 10 09:23 openresty -> /usr/local/openresty

[root@waf conf]# cd /server/conf/nginx/conf/

[root@waf conf]# vim nginx.conf

(set user to www, and add include vhost/*.conf; just before the closing brace of the http block on the last line; the relative path resolves against this conf directory, which is where vhost is created next)

[root@waf conf]# useradd www -M -s /sbin/nologin

[root@waf conf]# mkdir vhost

[root@waf conf]# cd vhost/

## Write a test vhost

[root@waf vhost]# vim waf.conf

server {
    listen 80;
    server_name waf.linuxview.com;
    index index.html index.php index.htm;
    root /server/web/waf;
    error_log  /server/logs/nginx/waf/error.log;
    access_log /server/logs/nginx/waf/access.log;
}

[root@waf vhost]# mkdir -p /server/web/waf /server/logs/nginx/waf && cd /server/web/waf

## Create the test page

[root@waf waf]# cat index.html
Welcome to Linuxview!!!

## Reload nginx

[root@waf waf]# /usr/local/openresty/nginx/sbin/nginx -s reload

6. Browse to the test page (screenshot omitted)

7. Install the WAF protection module

[root@waf waf]# cd /server/source/
# this directory holds source archives and packages

[root@waf source]# git clone https://github.com/leoheng/lua.git
# the protection modules are written in Lua; copy the waf directory from the clone into nginx's conf directory

[root@waf source]# cp -a lua/waf /server/conf/nginx/conf/

[root@waf source]# cd /server/conf/nginx/conf/

[root@waf conf]# ls
fastcgi.conf            koi-win             scgi_params          waf
fastcgi.conf.default    mime.types          scgi_params.default  win-utf
fastcgi_params          mime.types.default  uwsgi_params
fastcgi_params.default  nginx.conf          uwsgi_params.default
koi-utf                 nginx.conf.default  vhost

[root@waf conf]# cd waf/

[root@waf waf]# ls
access.lua  config.lua  init.lua  lib.lua  rule-config

[root@waf waf]# cd ..

This code runs inside every nginx worker on every request, and it is pulled from a personal repository; read it (and its rule-config files) before deploying it, and pin the commit you reviewed.

## Add the Lua directives inside the http block

[root@waf conf]# vim nginx.conf

    lua_shared_dict limit 50m;                                  ## shared memory for the CC counters, 50 MB
    lua_package_path "/server/conf/nginx/conf/waf/?.lua";
    init_by_lua_file   /server/conf/nginx/conf/waf/init.lua;
    access_by_lua_file /server/conf/nginx/conf/waf/access.lua;

Placed at http level, access_by_lua_file runs for every server block, so the WAF covers all vhosts on this node.

## Check the configuration and reload the service

[root@waf conf]# /usr/local/openresty/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/openresty/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/openresty/nginx/conf/nginx.conf test is successful

[root@waf conf]# /usr/local/openresty/nginx/sbin/nginx -s reload

8. Configure the WAF

[root@waf waf]# cat config.lua

--WAF config file,enable = "on",disable = "off"      -- WAF feature switches

--waf status
config_waf_enable = "on"                              -- turn the WAF on or off

--log dir
config_log_dir = "/server/logs/waf_logs"              -- WAF log directory (must exist and be writable by the www user)

--rule setting
config_rule_dir = "/usr/local/openresty/nginx/conf/waf/rule-config"   -- rule files

--enable/disable white url
config_white_url_check = "on"                         -- URL whitelist check

--enable/disable white ip
config_white_ip_check = "on"                          -- IP whitelist check

--enable/disable block ip
config_black_ip_check = "on"                          -- IP blacklist check

--enable/disable url filtering
config_url_check = "on"                               -- URL filtering

--enable/disable url args filtering
config_url_args_check = "on"                          -- URL argument filtering

--enable/disable user agent filtering
config_user_agent_check = "on"                        -- User-Agent filtering

--enable/disable cookie deny filtering
config_cookie_check = "on"                            -- cookie filtering

--enable/disable cc filtering
config_cc_check = "on"                                -- CC (HTTP flood) filtering

--cc rate the xxx of xxx seconds
config_cc_rate = "10/60"                              -- at most 10 requests to a page per 60 seconds from one client

--enable/disable post filtering
config_post_check = "on"                              -- POST body filtering

--config waf output redirect/html
config_waf_output = "html"                            -- on a match: "redirect", or return the warning page ("html")

--if config_waf_output ,setting url
config_waf_redirect_url = "https://www.baidu.com"     -- redirect target, used only when config_waf_output = "redirect"

--warning page returned when config_waf_output = "html"
config_output_html = [[
WAF-TEST

WAF-TEST

    // TODO SOMTHING HTML
]]

9. The access module and the order of checks

Rule order: IP whitelist → IP blacklist → User-Agent attack check → CC attack check → cookie check → URL whitelist → URL attack check → URL argument check → POST check.

Each check returns true once it has dealt with the request, so the if/elseif chain stops at the first one that fires: a whitelisted IP skips every later check, and a blacklisted one is rejected before any rule runs. The POST check is commented out below, so config_post_check = "on" in config.lua has no effect until that line is re-enabled.

[root@waf waf]# cat access.lua

require 'init'   -- load init.lua first (it reads config.lua and the rules), then run the checks

-- order of checks
function waf_main()
    if white_ip_check() then
    elseif black_ip_check() then
    elseif user_agent_attack_check() then
    elseif cc_attack_check() then
    elseif cookie_attack_check() then
    elseif white_url_check() then
    elseif url_attack_check() then
    elseif url_args_attack_check() then
    --elseif post_attack_check() then
    else
        return
    end
end

waf_main()

[root@waf waf]#

10. Rough flow of the protection rules (figure omitted)

11. URL argument test (screenshot omitted)

12. Simulated CC attack test

[root@waf waf]# ab -c 100 -t 100 http://waf.linuxview.com/
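What ab -c 100 -t 100 exercises is the counter behind config_cc_rate = "10/60". The script below is an added shell illustration of that fixed-window scheme, not the WAF's own Lua; it assumes, as in the upstream ngx_lua WAF this module derives from, that the counter is keyed on client IP plus URI in the shared dict limit, opens a window on the first hit and expires the key after the configured seconds. A simulated clock stands in for ngx.now(), so it runs without nginx and shows three things: a burst lets exactly 10 requests through and blocks the rest; a client pacing requests 6 s apart is never blocked; and because the window is anchored on the first hit, 19 requests can pass within two seconds across a window boundary, the usual weakness of fixed-window counters.

```sh
#!/bin/sh
# Fixed-window counter behind config_cc_rate = "10/60". Added illustration
# in shell, not the WAF's Lua. Assumed behaviour, taken from the upstream
# ngx_lua WAF this module derives from: the counter is keyed on client IP
# plus URI in the shared dict "limit", a window opens on the first hit and
# the key expires after the configured seconds. A simulated clock replaces
# ngx.now() so the run is deterministic and needs no nginx.

CC_RATE=${CC_RATE:-10/60}       # "<requests>/<seconds>", the config.lua format
CC_COUNT=${CC_RATE%/*}
CC_SECONDS=${CC_RATE#*/}

# Shared-dict stand-in: HITS_<key> and EXP_<key> shell variables. The key
# is sanitised to an identifier (good enough for a demo; keys that differ
# only in punctuation would collide).
dict_key() { printf '%s' "$1:$2" | tr -c 'A-Za-z0-9' '_'; }

# cc_check <client_ip> <uri> <now_epoch>: exit 0 = pass, 1 = block
cc_check() {
    k=$(dict_key "$1" "$2"); now=$3
    eval "hits=\${HITS_$k:-0}; exp=\${EXP_$k:-0}"
    if [ "$hits" -eq 0 ] || [ "$now" -ge "$exp" ]; then
        # unseen or expired key: open a new window of CC_SECONDS
        eval "HITS_$k=1; EXP_$k=$((now + CC_SECONDS))"
        return 0
    fi
    if [ "$hits" -ge "$CC_COUNT" ]; then
        return 1
    fi
    eval "HITS_$k=$((hits + 1))"
    return 0
}

# replay <ip> <uri> <start_epoch> <n> <gap_seconds>: sends n requests
# <gap> seconds apart; leaves "<passed>/<blocked>" in REPLAY.
replay() {
    t=$3; n=$4; passed=0; blocked=0; i=0
    while [ "$i" -lt "$n" ]; do
        if cc_check "$1" "$2" "$t"; then
            passed=$((passed + 1))
        else
            blocked=$((blocked + 1))
        fi
        t=$((t + $5)); i=$((i + 1))
    done
    REPLAY="$passed/$blocked"
}

if [ "${0##*/}" = cc_window.sh ]; then
    replay 192.168.0.50 / 1000 100 0
    echo "100 requests in one second (like ab -c 100): $REPLAY"   # 10/90
    replay 192.168.0.51 / 1000 20 6
    echo "one request every 6 s, 20 requests:           $REPLAY"   # 20/0
    replay 192.168.0.52 / 1000 1 0
    replay 192.168.0.52 / 1059 9 0
    replay 192.168.0.52 / 1060 10 0
    echo "9 more at t=1059 then 10 at t=1060:           $REPLAY"   # 10/0, 19 hits in 2 s
fi
```

The last case is why a fixed window is a coarse tool: the limit holds per window, not per any 60-second span, so a client that learns the window boundary can double its rate. A sliding window or token bucket closes that gap; the article's later addition of HttpGuard is a second layer on top of this counter, not a replacement for understanding it.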

13. Check the log records: attack type, client address, time on the server, and so on (screenshot omitted)

14. SQL injection test (screenshot omitted)

15. Install HttpGuard to strengthen the CC protection

Download the archive and copy its Lua files into the waf directory:

[root@waf waf]# cd /server/source/

[root@waf source]# wget --no-check-certificate https://github.com/centos-bz/HttpGuard/archive/master.zip

[root@waf source]# unzip master.zip

[root@waf source]# cd HttpGuard-master/

[root@waf HttpGuard-master]# cp guard.lua /server/conf/nginx/conf/waf/

[root@waf HttpGuard-master]# cp runtime.lua /server/conf/nginx/conf/waf/

Copying the two files only stages them; HttpGuard is not active until its own configuration and init/access directives are added to nginx.conf, which the article stops short of. --no-check-certificate also disables TLS verification for the download, so the archive's origin is not verified; drop that flag and fix the CA bundle instead.

IV. MySQL 5.7 cluster (dual-master, multi-slave)

With only two database servers, use dual-master mode: each node is the other's slave.

1. Edit the MySQL configuration on the master

[root@web1 ~]# vim /etc/my.cnf
# add the following under [mysqld]

[mysqld]
log-bin = mysql-bin
server-id = 1
sync_binlog = 1
binlog_checksum = none
binlog_format = mixed
auto-increment-increment = 2
auto-increment-offset = 1
slave-skip-errors = all

auto-increment-increment = 2 with offset 1 here and offset 2 on web2 gives the two masters disjoint AUTO_INCREMENT values (odd on web1, even on web2), so rows inserted on both sides cannot collide on a primary key. slave-skip-errors = all is dangerous in production: every replication error is skipped silently, so the two masters can drift apart while Slave_SQL_Running still shows Yes; it hides problems instead of surfacing them.

[root@web1 ~]# systemctl restart mysql

[root@web1 ~]# systemctl status mysql
● mysql.service - LSB: start and stop MySQL
   Loaded: loaded (/etc/rc.d/init.d/mysql; bad; vendor preset: disabled)
   Active: active (exited) since Fri 2018-07-13 17:18:39 CST; 6s ago
     Docs: man:systemd-sysv-generator(8)
  Process: 37255 ExecStart=/etc/rc.d/init.d/mysql start (code=exited, status=0/SUCCESS)

Jul 13 17:18:39 web1 systemd[1]: Starting LSB: start and stop MySQL...
Jul 13 17:18:39 web1 mysql[37255]: Starting MySQL SUCCESS!
Jul 13 17:18:39 web1 systemd[1]: Started LSB: start and stop MySQL.
Jul 13 17:18:40 web1 mysql[37255]: 2018-07-13T09:18:40.050893Z mysqld_safe A mys...ts
Hint: Some lines were ellipsized, use -l to show in full.

2. Log in and grant the replication user web2 the right to connect to this master and replicate

[root@web1 ~]# mysql -uroot -p000000
mysql: [Warning] Using a password on the command line interface can be insecure.
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 3
Server version: 5.7.18-log Source distribution

Copyright (c) 2000, 2017, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> grant replication slave, replication client on *.* to web2@'192.168.0.%' identified by "000000";
Query OK, 0 rows affected, 1 warning (0.13 sec)

(The warning is MySQL 5.7 deprecating IDENTIFIED BY inside GRANT; CREATE USER followed by GRANT is the supported form. The client's own warning above is also worth heeding: -p000000 on the command line ends up in ps output and shell history.)

mysql> flush privileges;
Query OK, 0 rows affected (0.03 sec)

### note the binlog file name and position
mysql> show master status;
+------------------+----------+--------------+------------------+-------------------+
| File             | Position | Binlog_Do_DB | Binlog_Ignore_DB | Executed_Gtid_Set |
+------------------+----------+--------------+------------------+-------------------+
| mysql-bin.000006 |      620 |              |                  |                   |
+------------------+----------+--------------+------------------+-------------------+
1 row in set (0.01 sec)

mysql>

3. Edit the MySQL configuration on the slave

[root@web2 ~]# vim /etc/my.cnf

[mysqld]
server-id = 2
log-bin = mysql-bin
sync_binlog = 1
binlog_checksum = none
binlog_format = mixed
auto-increment-increment = 2
auto-increment-offset = 2
slave-skip-errors = all

[root@web2 ~]# systemctl restart mysql

[root@web2 ~]# systemctl status mysql
● mysql.service - LSB: start and stop MySQL
   Loaded: loaded (/etc/rc.d/init.d/mysql; bad; vendor preset: disabled)
   Active: active (running) since Fri 2018-07-13 17:29:56 CST; 20s ago
     Docs: man:systemd-sysv-generator(8)
  Process: 31883 ExecStart=/etc/rc.d/init.d/mysql start (code=exited, status=0/SUCCESS)
   CGroup: /system.slice/mysql.service
           ├─31891 /bin/sh /usr/local/mysql/bin/mysqld_safe --datadir=/usr/local/m...
           └─32461 /usr/local/mysql/bin/mysqld --basedir=/usr/local/mysql --datadi...

Jul 13 17:29:38 web2 systemd[1]: Starting LSB: start and stop MySQL...
Jul 13 17:29:56 web2 mysql[31883]: Starting MySQL................. SUCCESS!
Jul 13 17:29:56 web2 systemd[1]: Started LSB: start and stop MySQL.

4. Create the replication user on the slave

[root@web2 ~]# mysql -uroot -p000000
mysql: [Warning] Using a password on the command line interface can be insecure.
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 3
Server version: 5.7.18-log Source distribution

Copyright (c) 2000, 2017, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> grant replication slave, replication client on *.* to web2@'192.168.0.%' identified by "000000";
Query OK, 0 rows affected, 1 warning (0.18 sec)

(Watch the host pattern: a typo such as '192.168.0..%' is accepted by the server but never matches a client, and the IO thread on the other node then fails to connect.)

mysql> flush privileges;
Query OK, 0 rows affected (0.00 sec)

mysql> show master status;
+------------------+----------+--------------+------------------+-------------------+
| File             | Position | Binlog_Do_DB | Binlog_Ignore_DB | Executed_Gtid_Set |
+------------------+----------+--------------+------------------+-------------------+
| mysql-bin.000007 |      610 |              |                  |                   |
+------------------+----------+--------------+------------------+-------------------+
1 row in set (0.01 sec)

mysql>

5. On the master, replicate from the slave

mysql> stop slave;
Query OK, 0 rows affected, 1 warning (0.02 sec)

mysql> change master to master_host='192.168.0.211', master_user='web2', master_password='000000', master_log_file='mysql-bin.000007', master_log_pos=610;
Query OK, 0 rows affected, 2 warnings (0.03 sec)

The file and position are the ones web2 reported in its own show master status (step 4), because web2 is the server web1 replicates from; web1's own coordinates (mysql-bin.000006, 620) belong in web2's change master in step 6. The two warnings are MySQL noting that the credentials are stored in plaintext in master.info and that the replication connection is not TLS-protected (Master_SSL_Allowed: No below), so both the password and the replicated data cross the LAN in the clear.

mysql> start slave;
Query OK, 0 rows affected (0.00 sec)

mysql> show slave status\G
*************************** 1. row ***************************
               Slave_IO_State: Waiting for master to send event
                  Master_Host: 192.168.0.211
                  Master_User: web2
                  Master_Port: 3306
                Connect_Retry: 60
              Master_Log_File: mysql-bin.000008
          Read_Master_Log_Pos: 1110
               Relay_Log_File: web1-relay-bin.000002
                Relay_Log_Pos: 312
        Relay_Master_Log_File: mysql-bin.000008
             Slave_IO_Running: Yes
            Slave_SQL_Running: Yes
              Replicate_Do_DB:
          Replicate_Ignore_DB:
           Replicate_Do_Table:
       Replicate_Ignore_Table:
      Replicate_Wild_Do_Table:
  Replicate_Wild_Ignore_Table:
                   Last_Errno: 0
                   Last_Error:
                 Skip_Counter: 0
          Exec_Master_Log_Pos: 1110
              Relay_Log_Space: 510
              Until_Condition: None
               Until_Log_File:
                Until_Log_Pos: 0
           Master_SSL_Allowed: No
           Master_SSL_CA_File:
           Master_SSL_CA_Path:
              Master_SSL_Cert:
            Master_SSL_Cipher:
               Master_SSL_Key:
        Seconds_Behind_Master: 0
Master_SSL_Verify_Server_Cert: No
                Last_IO_Errno: 0
                Last_IO_Error:
               Last_SQL_Errno: 0
               Last_SQL_Error:
  Replicate_Ignore_Server_Ids:
             Master_Server_Id: 2
                  Master_UUID: ed87ba4b-8653-11e8-94fe-000c29d7dfdc
             Master_Info_File: /usr/local/mysql/var/master.info
                    SQL_Delay: 0
          SQL_Remaining_Delay: NULL
      Slave_SQL_Running_State: Slave has read all relay log; waiting for more updates
           Master_Retry_Count: 86400
                  Master_Bind:
      Last_IO_Error_Timestamp:
     Last_SQL_Error_Timestamp:
               Master_SSL_Crl:
           Master_SSL_Crlpath:
           Retrieved_Gtid_Set:
            Executed_Gtid_Set:
                Auto_Position: 0
         Replicate_Rewrite_DB:
                 Channel_Name:
           Master_TLS_Version:
1 row in set (0.00 sec)

6. On the slave, replicate from the master

mysql> stop slave;
Query OK, 0 rows affected, 1 warning (0.02 sec)

mysql> change master to master_host='192.168.0.230', master_user='web2', master_password='000000', master_log_file='mysql-bin.000006', master_log_pos=620;
Query OK, 0 rows affected, 2 warnings (0.03 sec)

mysql> start slave;
Query OK, 0 rows affected (0.00 sec)

mysql> show slave status\G
*************************** 1. row ***************************
               Slave_IO_State: Connecting to master
                  Master_Host: 192.168.0.230
                  Master_User: web1
                  Master_Port: 3306
                Connect_Retry: 60
              Master_Log_File: mysql-bin.000010
          Read_Master_Log_Pos: 1110
               Relay_Log_File: web2-relay-bin.000001
                Relay_Log_Pos: 4
        Relay_Master_Log_File: mysql-bin.000010
             Slave_IO_Running: Yes
            Slave_SQL_Running: Yes

7. Create a database and a table on the master

mysql> create database leotest;
Query OK, 1 row affected (0.00 sec)

mysql> use leotest;
Database changed

mysql> create table test(id int(4), name varchar(10));
Query OK, 0 rows affected (0.04 sec)

mysql> show tables;
+-------------------+
| Tables_in_leotest |
+-------------------+
| test              |
+-------------------+
1 row in set (0.00 sec)

mysql>

8. Check the replicated data on the slave

mysql> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| leotest            |
| mysql              |
| performance_schema |
| sys                |
+--------------------+
5 rows in set (0.00 sec)

mysql>
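With replication running in both directions, the thing to watch on each node is the output of show slave status\G: both threads must say Yes, the error counters must be 0 and Seconds_Behind_Master must be a number, not NULL. The script below is an added example, not from the article, that parses that output and returns a verdict; the sample outputs in its test, the MAX_LAG threshold and the use of ~/.my.cnf for the client's credentials are constructed assumptions. One caveat it cannot cover: with slave-skip-errors = all in the my.cnf above, a statement that fails to apply is dropped silently, so an OK verdict here does not prove the two masters hold the same data.

```sh
#!/bin/sh
# Replication health check for the dual-master pair; added example, not
# from the article. It reads the output of "show slave status\G" on stdin
# and fails when either thread is not "Yes", an error counter is non-zero,
# or Seconds_Behind_Master is NULL or above MAX_LAG. The sample outputs
# used to test it and the MAX_LAG default are constructed. The live run at
# the bottom relies on ~/.my.cnf for the mysql client's credentials
# (assumption) instead of a password on the command line.

MAX_LAG=${MAX_LAG:-30}

# field <name>: value of the "<name>: value" line from the \G text on stdin
field() { awk -v k="$1" '$1 == (k ":") { sub(/^[^:]*: ?/, ""); print; exit }'; }

# slave_status_ok: reads the \G text on stdin, leaves the verdict in
# REPL_REPORT and exits 0 only when everything is healthy
slave_status_ok() {
    status=$(cat)
    io=$(printf '%s\n' "$status" | field Slave_IO_Running)
    sql=$(printf '%s\n' "$status" | field Slave_SQL_Running)
    io_errno=$(printf '%s\n' "$status" | field Last_IO_Errno)
    sql_errno=$(printf '%s\n' "$status" | field Last_SQL_Errno)
    lag=$(printf '%s\n' "$status" | field Seconds_Behind_Master)
    problems=""
    [ "$io" = Yes ]  || problems="$problems io_thread=${io:-missing}"
    [ "$sql" = Yes ] || problems="$problems sql_thread=${sql:-missing}"
    [ "${io_errno:-0}" -eq 0 ] 2>/dev/null  || problems="$problems last_io_errno=$io_errno"
    [ "${sql_errno:-0}" -eq 0 ] 2>/dev/null || problems="$problems last_sql_errno=$sql_errno"
    case "$lag" in
        ''|NULL) problems="$problems lag=unknown" ;;
        *) [ "$lag" -le "$MAX_LAG" ] 2>/dev/null || problems="$problems lag=${lag}s" ;;
    esac
    if [ -n "$problems" ]; then
        REPL_REPORT="BROKEN:$problems"
        return 1
    fi
    REPL_REPORT="OK: io=Yes sql=Yes lag=${lag}s"
    return 0
}

if [ "${0##*/}" = repl_check.sh ]; then
    # Run on each node: web1 and web2 each replicate from the other.
    if slave_status_ok <<EOF
$(mysql -e 'show slave status\G')
EOF
    then echo "$REPL_REPORT"
    else echo "$REPL_REPORT" >&2; exit 1
    fi
fi
```

Run it from cron on both nodes and alert on a non-zero exit; a BROKEN verdict names every failing field so the first look at the host already tells you whether it is connectivity (IO thread, Last_IO_Errno), an apply failure (SQL thread, Last_SQL_Errno) or plain lag.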

At this point the MySQL cluster is complete, and with it the WAF embedded in the LNMP cluster architecture.

(Original source: http://blog.51cto.com/leoheng/2148772)
