参考文档:

https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#installation-for-nginx

nginx不支持动态加载模块,所以需要重新编译,将modsecurity和nginx整合。

一: 软件准备:

  ModSecurity-2.9.1.zip

  nginx-1.10.1.tar.gz

  根据文档所述,有一些依赖包需要安装。  

yum install httpd httpd-devel pcre pcre-devel libxml2-devel

二, 编译安装:

  从 2.6开始,modsecurity的编译方式发生了调整。参考:

  https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#GitHub_Access

[root@dpdk ModSecurity-2.9.]# ./autogen.sh

[root@dpdk ModSecurity-2.9.1]# ./configure --enable-standalone-module --disable-mlogc

[root@dpdk ModSecurity-2.9.]# make

  编译nginx

[root@dpdk nginx-1.10.]# ./configure --prefix=/root/modsecurity/output --add-module=../ModSecurity-2.9./nginx/modsecurity/ 
[root@dpdk nginx-1.10.1]# make
[root@dpdk nginx-1.10.1]# make install

三, 运行nginx

  1.  修改配置文件,conf/nginx.conf, 增加如下行:

user root;

  2.  使用如下命令启动/停止:

[root@dpdk output]# ./sbin/nginx -c conf/nginx.conf

[root@dpdk output]# ./sbin/nginx -s stop

四,配置modsecurity

已经在nginx中设置了两个监听端口80,81,分别对应于两个静态页。

[root@dpdk conf]# cat nginx.conf

user root;

worker_processes  ;

#error_log  logs/error.log;

#error_log  logs/error.log  notice;

#error_log  logs/error.log  info;

#pid        logs/nginx.pid;

events {

    worker_connections  ;

}

http {

    include       mime.types;

    default_type  application/octet-stream;

    #log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '

    #                  '$status $body_bytes_sent "$http_referer" '

    #                  '"$http_user_agent" "$http_x_forwarded_for"';

    #access_log  logs/access.log  main;

    sendfile        on;

    #tcp_nopush     on;

    #keepalive_timeout  ;

    keepalive_timeout  ;

    #gzip  on;

        include custom.conf;

        include mod.conf;

    server {

        listen       ;

        server_name  localhost;

        #charset koi8-r;

        #access_log  logs/host.access.log  main;

        location / {

            root   html;

            index  index.html index.htm;

        }

        #error_page                /.html;

        # redirect server error pages to the static page /50x.html

        #

        error_page        /50x.html;

        location = /50x.html {

            root   html;

        }

        # proxy the PHP scripts to Apache listening on 127.0.0.1:

        #

        #location ~ \.php$ {

        #    proxy_pass   http://127.0.0.1;

        #}

        # pass the PHP scripts to FastCGI server listening on 127.0.0.1:

        #

        #location ~ \.php$ {

        #    root           html;

        #    fastcgi_pass   127.0.0.1:;

        #    fastcgi_index  index.php;

        #    fastcgi_param  SCRIPT_FILENAME  /scripts$fastcgi_script_name;

        #    include        fastcgi_params;

        #}

        # deny access to .htaccess files, if Apache's document root

        # concurs with nginx's one

        #

        #location ~ /\.ht {

        #    deny  all;

        #}

    }

    # another virtual host using mix of IP-, name-, and port-based configuration

    #

    #server {

    #    listen       ;

    #    listen       somename:;

    #    server_name  somename  alias  another.alias;

    #    location / {

    #        root   html;

    #        index  index.html index.htm;

    #    }

    #}

    # HTTPS server

    #

    #server {

    #    listen        ssl;

    #    server_name  localhost;

    #    ssl_certificate      cert.pem;

    #    ssl_certificate_key  cert.key;

    #    ssl_session_cache    shared:SSL:1m;

    #    ssl_session_timeout  5m;

    #    ssl_ciphers  HIGH:!aNULL:!MD5;

    #    ssl_prefer_server_ciphers  on;

    #    location / {

    #        root   html;

    #        index  index.html index.htm;

    #    }

    #}

}

nginx.conf

[root@dpdk conf]# cat custom.conf 

    server {

        listen       ;

        server_name  localhost;

        #charset koi8-r;

        #access_log  logs/host.access.log  main;

        location / {

            root   /usr/share/nginx/html;

            index  index.html index.htm;

        }

        #error_page                /.html;

        # redirect server error pages to the static page /50x.html

        #

        error_page        /50x.html;

        location = /50x.html {

            root   html;

        }

    }

custom.conf

  增加配置文件 mod.conf 监听于端口82

[root@dpdk conf]# cat mod.conf

    server {

        listen       ;

        server_name  localhost;

        location / {

                ModSecurityEnabled on;

                ModSecurityConfig modsecurity.conf;

                proxy_pass http://127.0.0.1:81;

                proxy_read_timeout 180s;

        }

    }

[root@dpdk conf]#

  其中引用了两个配置文件,模板如下:

  https://raw.githubusercontent.com/SpiderLabs/ModSecurity/master/modsecurity.conf-recommended

  https://raw.githubusercontent.com/SpiderLabs/ModSecurity/master/unicode.mapping

五: 规则/语法/配置

  文档:

  https://www.feistyduck.com/library/modsecurity-handbook-free/online/

Everything in ModSecurity revolves around two things: configuration and rules. 
The configuration tells ModSecurity how to process the data it sees; 
the rules decide what to do with the processed data. 
For example:

SecRule ARGS "<script>" log,deny,status:

Even without further assistance, you can probably recognize the part in the rule that specifies what we wish to look for in input data (<script>). Similarly, you will easily figure out what will happen if we do find the desired pattern (log,deny,status:). Things will become more clear if I tell you about the general rule syntax, which is the following:

SecRule VARIABLES OPERATOR ACTIONS

The three parts have the following meanings:

The VARIABLES part tells ModSecurity where to look. The ARGS variable, used in the example, means all request parameters.

The OPERATOR part tells ModSecurity how to look. In the example, we have a regular expression pattern, which will be matched against ARGS.

The ACTIONS part tells ModSecurity what to do on a match. The rule in the example gives three instructions: log problem, deny transaction and use the status  for the denial (status:).

For Example

  手册:

  https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual

  第三方规则:

  OWASP: https://www.owasp.org/index.php/Main_Page

   Core Rules: https://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project

  例子里有大量的注释,很适合学习:

  /home/tong/Src/thirdparty/github/owasp-modsecurity-crs [git::v3.0/master]/crs-setup.conf.example

  5.1  精读 Reference-Manual

    要想细致理解,必须精读一遍。

  5.2  精读429条项目规则

六: 在Nginx中使用与测试

  如第四小节内容所示,将82端口配置成modsecurity,并重定向至81端口。然而并不好使。。。

  设置 ModSecurityEnabled Off;

  修改 mod/conf 的内容,将 127.0.0.1 改为 localhost。 重定向成功。打开了81所指向的页。

  再修改为 proxy_pass http://192.168.10.209;  也可以成功。

  说明也许是ModSecurity设置的问题。

  6.1  做一个最简单的modsecurity配置

[root@dpdk output]# cat conf/mymod.conf

SecRuleEngine DetectionOnly

SecRequestBodyAccess On

SecResponseBodyAccess On

SecDebugLogLevel

SecDebugLog /root/modsecurity/output/logs/modsec_debug.log

SecAuditEngine On

SecAuditLogType Serial

SecAuditLog /root/modsecurity/output/logs/modsec_audit.log

[root@dpdk output]#

  现象不变。

  可以modsec_debug.log中有如下打印信息:

[/Jun/::: +] [/sid#23cdee0][rid#23b91e0][/][] Initialising transaction (txid @cAcAcAcAcAAAcAcAcAcSGuc).

[/Jun/::: +] [/sid#23cdee0][rid#23b91e0][/][] Transaction context created (dcfg 23ce7b8).

[/Jun/::: +] [/sid#23cdee0][rid#23b91e0][/][] Starting phase REQUEST_HEADERS.

[/Jun/::: +] [/sid#23cdee0][rid#23b91e0][/][] Second phase starting (dcfg 23ce7b8).

[/Jun/::: +] [/sid#23cdee0][rid#23b91e0][/][] Input filter: This request does not have a body.

[/Jun/::: +] [/sid#23cdee0][rid#23b91e0][/][] Starting phase REQUEST_BODY.

[/Jun/::: +] [/sid#23cdee0][rid#23b91e0][/][] Hook insert_filter: Adding output filter (r 23b91e0).

[/Jun/::: +] [/sid#23cdee0][rid#23b91e0][/][] Output filter: Receiving output (f 23ba430, r 23b91e0).

[/Jun/::: +] [/sid#23cdee0][rid#23b91e0][/][] Starting phase RESPONSE_HEADERS.

[/Jun/::: +] [/sid#23cdee0][rid#23b91e0][/][] Content Injection: Not enabled.

[/Jun/::: +] [/sid#23cdee0][rid#23b91e0][/][] Output filter: Bucket type POOL contains  bytes.

[/Jun/::: +] [/sid#23cdee0][rid#23b91e0][/][] Output filter: Bucket type EOS contains  bytes.

[/Jun/::: +] [/sid#23cdee0][rid#23b91e0][/][] Output filter: Completed receiving response body (buffered full -  bytes).

[/Jun/::: +] [/sid#23cdee0][rid#23b91e0][/][] Starting phase RESPONSE_BODY.

[/Jun/::: +] [/sid#23cdee0][rid#23b91e0][/][] Output filter: Output forwarding complete.

[/Jun/::: +] [/sid#23cdee0][rid#23b91e0][/][] Initialising transaction (txid AcizPcAcAc8c3gAcAcO@AcAc).

[/Jun/::: +] [/sid#23cdee0][rid#23b91e0][/][] Transaction context created (dcfg 23ce7b8).

[/Jun/::: +] [/sid#23cdee0][rid#23b91e0][/][] Starting phase REQUEST_HEADERS.

[/Jun/::: +] [/sid#23cdee0][rid#23b91e0][/][] Second phase starting (dcfg 23ce7b8).

[/Jun/::: +] [/sid#23cdee0][rid#23b91e0][/][] Input filter: This request does not have a body.

[/Jun/::: +] [/sid#23cdee0][rid#23b91e0][/][] Starting phase REQUEST_BODY.

[/Jun/::: +] [/sid#23cdee0][rid#23b91e0][/][] Hook insert_filter: Adding output filter (r 23b91e0).

[/Jun/::: +] [/sid#23cdee0][rid#23b91e0][/][] Output filter: Receiving output (f 23ba430, r 23b91e0).

[/Jun/::: +] [/sid#23cdee0][rid#23b91e0][/][] Starting phase RESPONSE_HEADERS.

[/Jun/::: +] [/sid#23cdee0][rid#23b91e0][/][] Content Injection: Not enabled.

[/Jun/::: +] [/sid#23cdee0][rid#23b91e0][/][] Output filter: Bucket type POOL contains  bytes.

[/Jun/::: +] [/sid#23cdee0][rid#23b91e0][/][] Output filter: Bucket type EOS contains  bytes.

[/Jun/::: +] [/sid#23cdee0][rid#23b91e0][/][] Output filter: Completed receiving response body (buffered full -  bytes).

[/Jun/::: +] [/sid#23cdee0][rid#23b91e0][/][] Starting phase RESPONSE_BODY.

[/Jun/::: +] [/sid#23cdee0][rid#23b91e0][/][] Output filter: Output forwarding complete.

  以及error.log

// :: [alert] #: worker process  exited on signal

// :: [alert] #: worker process  exited on signal

// :: [alert] #: worker process  exited on signal

  使用 curl 访问,显示server没有返回任何数据

/home/tong/Temp [tong@T7] [:]

> curl 192.168.7.4:

curl: () Empty reply from server

  6.2   启用nginx debug

  参考 man nginx

DEBUGGING LOG

     To enable a debugging log, reconfigure nginx to build with debugging:

           ./configure --with-debug ...

     and then set the debug level of the error_log:

           error_log /path/to/log debug;

     It is also possible to enable the debugging for a particular IP address:

           events {

                   debug_connection 127.0.0.1;

           }
[root@dpdk nginx-1.10.]# ./configure --prefix=/root/modsecurity/output --add-module=../ModSecurity-2.9./nginx/modsecurity/ 
  --with-debug

[root@dpdk nginx-1.10.]# make

[root@dpdk nginx-1.10.]# make install

  配置里加一行

error_log  logs/error.log debug;

  在次使用curl访问,日志如下

// :: [debug] #: epoll: fd: ev: d:00007FAB90C6D0E8

// :: [debug] #: accept on 0.0.0.0:, ready:

// :: [debug] #: posix_memalign: : @

// :: [debug] #: * accept: 192.168.7.1: fd:

// :: [debug] #: * event timer add: : :

// :: [debug] #: * reusable connection:

// :: [debug] #: * epoll add event: fd: op: ev:

// :: [debug] #: timer delta:

// :: [debug] #: worker cycle

// :: [debug] #: epoll timer:

// :: [debug] #: epoll: fd: ev: d:00007FAB90C6D370

// :: [debug] #: * http wait request handler

// :: [debug] #: * malloc: 00000000016410C0:

// :: [debug] #: * recv: fd:  of

// :: [debug] #: * reusable connection:

// :: [debug] #: * posix_memalign: 00000000016414D0: @

// :: [debug] #: * http process request line

// :: [debug] #: * http request line: "GET / HTTP/1.1"

// :: [debug] #: * http uri: "/"

// :: [debug] #: * http args: ""

// :: [debug] #: * http exten: ""

// :: [debug] #: * http process request header line

// :: [debug] #: * http header: "Host: 192.168.7.4:82"

// :: [debug] #: * http header: "User-Agent: curl/7.54.1"

// :: [debug] #: * http header: "Accept: */*"

// :: [debug] #: * http header done

// :: [debug] #: * event timer del: :

// :: [debug] #: * rewrite phase:

// :: [debug] #: * test location: "/"

// :: [debug] #: * using configuration "/"

// :: [debug] #: * http cl:- max:

// :: [debug] #: * rewrite phase:

// :: [debug] #: * post rewrite phase:

// :: [debug] #: * generic phase:

// :: [debug] #: * modSecurity: handler

// :: [debug] #: * add cleanup: 00000000016423E0

// :: [debug] #: * posix_memalign: : @

// :: [debug] #: * add cleanup:

// :: [debug] #: * ModSecurity: load headers in: "Host: 192.168.7.4:82"

// :: [debug] #: * ModSecurity: load headers in: "User-Agent: curl/7.54.1"

// :: [debug] #: * ModSecurity: load headers in: "Accept: */*"

// :: [debug] #: * ModSecurity: load headers in done

// :: [debug] #: * ModSecurity: status -

// :: [debug] #: * generic phase:

// :: [debug] #: * generic phase:

// :: [debug] #: * access phase:

// :: [debug] #: * access phase:

// :: [debug] #: * post access phase:

// :: [debug] #: * http init upstream, client timer:

// :: [debug] #: * epoll add event: fd: op: ev:

// :: [debug] #: * http script copy: "Host: "

// :: [debug] #: * http script var: "localhost:81"

// :: [debug] #: * http script copy: "

"

// :: [debug] #: * http script copy: "Connection: close

"

// :: [debug] #: * http script copy: ""

// :: [debug] #: * http script copy: ""

// :: [debug] #: * http script copy: ""

// :: [debug] #: * http script copy: ""

// :: [debug] #: * http proxy header: "User-Agent: curl/7.54.1"

// :: [debug] #: * http proxy header: "Accept: */*"

// :: [debug] #: * http proxy header:

"GET / HTTP/1.0

Host: localhost:

Connection: close

User-Agent: curl/7.54.

Accept: */*

"

2017/06/22 10:52:52 [debug] 5474#0: *1 http cleanup add: 0000000001635928

2017/06/22 10:52:52 [debug] 5474#0: *1 get rr peer, try: 2

2017/06/22 10:52:52 [debug] 5474#0: *1 get rr peer, current: 000000000166BAD0 -1

2017/06/22 10:52:52 [debug] 5474#0: *1 stream socket 14

2017/06/22 10:52:52 [debug] 5474#0: *1 epoll add connection: fd:14 ev:80002005

2017/06/22 10:52:52 [debug] 5474#0: *1 connect to 127.0.0.1:81, fd:14 #2

2017/06/22 10:52:52 [debug] 5474#0: *1 http upstream connect: -2

2017/06/22 10:52:52 [debug] 5474#0: *1 posix_memalign: 0000000001674AE0:128 @16

2017/06/22 10:52:52 [debug] 5474#0: *1 event timer add: 14: 60000:1498100032928

2017/06/22 10:52:52 [debug] 5474#0: *1 http finalize request: -4, "/?" a:1, c:2

2017/06/22 10:52:52 [debug] 5474#0: *1 http request count:2 blk:0

2017/06/22 10:52:52 [debug] 5474#0: timer delta: 0

2017/06/22 10:52:52 [debug] 5474#0: worker cycle

2017/06/22 10:52:52 [debug] 5474#0: epoll timer: 60000

2017/06/22 10:52:52 [debug] 5474#0: epoll: fd:3 ev:0004 d:00007FAB90C6D370

2017/06/22 10:52:52 [debug] 5474#0: *1 http run request: "/?"

2017/06/22 10:52:52 [debug] 5474#0: *1 http upstream check client, write event:1, "/"

2017/06/22 10:52:52 [debug] 5474#0: *1 http upstream recv(): -1 (11: Resource temporarily unavailable)

2017/06/22 10:52:52 [debug] 5474#0: epoll: fd:14 ev:0004 d:00007FAB90C6D448

2017/06/22 10:52:52 [debug] 5474#0: *1 http upstream request: "/?"

2017/06/22 10:52:52 [debug] 5474#0: *1 http upstream send request handler

2017/06/22 10:52:52 [debug] 5474#0: *1 http upstream send request

2017/06/22 10:52:52 [debug] 5474#0: *1 http upstream send request body

2017/06/22 10:52:52 [debug] 5474#0: *1 chain writer buf fl:1 s:95

2017/06/22 10:52:52 [debug] 5474#0: *1 chain writer in: 0000000001635960

2017/06/22 10:52:52 [debug] 5474#0: *1 writev: 95 of 95

2017/06/22 10:52:52 [debug] 5474#0: *1 chain writer out: 0000000000000000

2017/06/22 10:52:52 [debug] 5474#0: *1 event timer del: 14: 1498100032928

2017/06/22 10:52:52 [debug] 5474#0: *1 event timer add: 14: 180000:1498100152928

2017/06/22 10:52:52 [debug] 5474#0: epoll: fd:6 ev:0001 d:00007FAB90C6D010

2017/06/22 10:52:52 [debug] 5474#0: accept on 0.0.0.0:81, ready: 0

2017/06/22 10:52:52 [debug] 5474#0: posix_memalign: 0000000001674B70:512 @16

2017/06/22 10:52:52 [debug] 5474#0: *3 accept: 127.0.0.1:36900 fd:15

2017/06/22 10:52:52 [debug] 5474#0: *3 event timer add: 15: 60000:1498100032928

2017/06/22 10:52:52 [debug] 5474#0: *3 reusable connection: 1

2017/06/22 10:52:52 [debug] 5474#0: *3 epoll add event: fd:15 op:1 ev:80002001

2017/06/22 10:52:52 [debug] 5474#0: timer delta: 0

2017/06/22 10:52:52 [debug] 5474#0: worker cycle

2017/06/22 10:52:52 [debug] 5474#0: epoll timer: 60000

2017/06/22 10:52:52 [debug] 5474#0: epoll: fd:15 ev:0001 d:00007FAB90C6D520

2017/06/22 10:52:52 [debug] 5474#0: *3 http wait request handler

2017/06/22 10:52:52 [debug] 5474#0: *3 malloc: 00000000016424E0:1024

2017/06/22 10:52:52 [debug] 5474#0: *3 recv: fd:15 95 of 1024

2017/06/22 10:52:52 [debug] 5474#0: *3 reusable connection: 0

2017/06/22 10:52:52 [debug] 5474#0: *3 posix_memalign: 0000000001638140:4096 @16

2017/06/22 10:52:52 [debug] 5474#0: *3 http process request line

2017/06/22 10:52:52 [debug] 5474#0: *3 http request line: "GET / HTTP/1.0"

2017/06/22 10:52:52 [debug] 5474#0: *3 http uri: "/"

2017/06/22 10:52:52 [debug] 5474#0: *3 http args: ""

2017/06/22 10:52:52 [debug] 5474#0: *3 http exten: ""

2017/06/22 10:52:52 [debug] 5474#0: *3 http process request header line

2017/06/22 10:52:52 [debug] 5474#0: *3 http header: "Host: localhost:81"

2017/06/22 10:52:52 [debug] 5474#0: *3 http header: "Connection: close"

2017/06/22 10:52:52 [debug] 5474#0: *3 http header: "User-Agent: curl/7.54.1"

2017/06/22 10:52:52 [debug] 5474#0: *3 http header: "Accept: */*"

// :: [debug] #: * http header done

// :: [debug] #: * event timer del: :

// :: [debug] #: * rewrite phase:

// :: [debug] #: * test location: "/"

// :: [debug] #: * using configuration "/"

// :: [debug] #: * http cl:- max:

// :: [debug] #: * rewrite phase:

// :: [debug] #: * post rewrite phase:

// :: [debug] #: * generic phase:

// :: [debug] #: * generic phase:

// :: [debug] #: * generic phase:

// :: [debug] #: * access phase:

// :: [debug] #: * access phase:

// :: [debug] #: * post access phase:

// :: [debug] #: * content phase:

// :: [debug] #: * open index "/root/modsecurity/output/html/index.html"

// :: [debug] #: * internal redirect: "/index.html?"

// :: [debug] #: * rewrite phase:

// :: [debug] #: * test location: "/"

// :: [debug] #: * test location: "50x.html"

// :: [debug] #: * using configuration "/"

// :: [debug] #: * http cl:- max:

// :: [debug] #: * rewrite phase:

// :: [debug] #: * post rewrite phase:

// :: [debug] #: * generic phase:

// :: [debug] #: * generic phase:

// :: [debug] #: * generic phase:

// :: [debug] #: * access phase:

// :: [debug] #: * access phase:

// :: [debug] #: * post access phase:

// :: [debug] #: * content phase:

// :: [debug] #: * content phase:

// :: [debug] #: * content phase:

// :: [debug] #: * http filename: "/root/modsecurity/output/html/index.html"

// :: [debug] #: * add cleanup:

// :: [debug] #: * http static fd:

// :: [debug] #: * http set discard body

// :: [debug] #: * posix_memalign: 00000000016ABEA0: @

// :: [debug] #: * HTTP/1.1  OK

Server: nginx/1.10.

Date: Thu,  Jun  :: GMT

Content-Type: text/html

Content-Length:

Last-Modified: Tue,  Jun  :: GMT

Connection: close

ETag: "593f61d6-264"

Accept-Ranges: bytes

// :: [debug] #: * write new buf t: f: 00000000016ABFD8, pos 00000000016ABFD8, size:  file: , size:

// :: [debug] #: * http write filter: l: f: s:

// :: [debug] #: * http output filter "/index.html?"

// :: [debug] #: * http copy filter: "/index.html?"

// :: [debug] #: * http postpone filter "/index.html?" 00007FFE272AE960

// :: [debug] #: * write old buf t: f: 00000000016ABFD8, pos 00000000016ABFD8, size:  file: , size:

// :: [debug] #: * write new buf t: f: , pos , size:  file: , size:

// :: [debug] #: * http write filter: l: f: s:

// :: [debug] #: * http write filter limit

// :: [debug] #: * writev:  of

// :: [debug] #: * sendfile: @

// :: [debug] #: * sendfile:  of  @

// :: [debug] #: * http write filter

// :: [debug] #: * http copy filter:  "/index.html?"

// :: [debug] #: * http finalize request: , "/index.html?" a:, c:

// :: [debug] #: * http request count: blk:

// :: [debug] #: * http finalize request: -, "/index.html?" a:, c:

// :: [debug] #: * event timer add: : :

// :: [debug] #: * http lingering close handler

// :: [debug] #: * recv: fd: - of

// :: [debug] #: * recv() not ready (: Resource temporarily unavailable)

// :: [debug] #: * lingering read: -

// :: [debug] #: * event timer: , old: , new:

// :: [debug] #: timer delta:

// :: [debug] #: worker cycle

// :: [debug] #: epoll timer:

// :: [debug] #: epoll: fd: ev: d:00007FAB90C6D448

// :: [debug] #: * http upstream request: "/?"

// :: [debug] #: * http upstream process header

// :: [debug] #: * malloc: 00000000016ACEB0:

// :: [debug] #: * recv: fd:  of

// :: [debug] #: * http proxy status  "200 OK"

// :: [debug] #: * http proxy header: "Server: nginx/1.10.1"

// :: [debug] #: * http proxy header: "Date: Thu, 22 Jun 2017 02:52:52 GMT"

// :: [debug] #: * http proxy header: "Content-Type: text/html"

// :: [debug] #: * http proxy header: "Content-Length: 612"

// :: [debug] #: * http proxy header: "Last-Modified: Tue, 13 Jun 2017 03:53:58 GMT"

// :: [debug] #: * http proxy header: "Connection: close"

// :: [debug] #: * http proxy header: "ETag: "593f61d6-""

// :: [debug] #: * http proxy header: "Accept-Ranges: bytes"

// :: [debug] #: * http proxy header done

// :: [debug] #: * modSecurity: header filter

// :: [debug] #: * http cacheable:

// :: [debug] #: * http proxy filter init s: h: c: l:

// :: [debug] #: * http upstream process upstream

// :: [debug] #: * pipe read upstream:

// :: [debug] #: * pipe preread:

// :: [debug] #: * readv: , last:

// :: [debug] #: * pipe recv chain:

// :: [debug] #: * pipe buf free s: t: f: 00000000016ACEB0, pos 00000000016ACF99, size:  file: , size:

// :: [debug] #: * pipe length:

// :: [debug] #: * input buf #

// :: [debug] #: * pipe write downstream:

// :: [debug] #: * pipe write downstream flush in

// :: [debug] #: * http output filter "/?"

// :: [debug] #: * http copy filter: "/?"

// :: [debug] #: * modSecurity: body filter

// :: [debug] #: * http copy filter: - "/?"

// :: [debug] #: * pipe write downstream done

// :: [debug] #: * event timer: , old: , new:

// :: [debug] #: * http upstream exit:

// :: [debug] #: * finalize http upstream request:

// :: [debug] #: * finalize http proxy request

// :: [debug] #: * free rr peer

// :: [debug] #: * close http upstream connection:

// :: [debug] #: * free: 0000000001674AE0, unused:

// :: [debug] #: * event timer del: :

// :: [debug] #: * reusable connection:

// :: [debug] #: * http upstream temp fd: -

// :: [debug] #: * http output filter "/?"

// :: [debug] #: * http copy filter: "/?"

// :: [debug] #: * modSecurity: body filter

// :: [debug] #: * ModSecurity: load headers in: "Host: 192.168.7.4:82"

// :: [debug] #: * ModSecurity: load headers in: "User-Agent: curl/7.54.1"

// :: [debug] #: * ModSecurity: load headers in: "Accept: */*"

// :: [debug] #: * ModSecurity: load headers in done

// :: [debug] #: * ModSecurity: load headers out: "Last-Modified: Tue, 13 Jun 2017 03:53:58 GMT"

// :: [debug] #: * ModSecurity: load headers out: "ETag: "593f61d6-""

// :: [debug] #: * ModSecurity: load headers out: "Accept-Ranges: bytes"

// :: [debug] #: * ModSecurity: load headers out: "Content-Type: text/html"

// :: [debug] #: * ModSecurity: load headers out: "Content-Length: 612"

// :: [debug] #: * ModSecurity: load headers out: "Last-Modified: Tue, 13 Jun 2017 03:53:58 GMT"

// :: [debug] #: * ModSecurity: load headers out: "Connection: keep-alive"

// :: [debug] #: * ModSecurity: load headers out done

// :: [debug] #: * ModSecurity: status -

// :: [debug] #: * posix_memalign: 00000000016ADEC0: @

// :: [debug] #: * ModSecurity: save headers in: "Host: 192.168.7.4:82"

// :: [debug] #: * ModSecurity: save headers in: "User-Agent: curl/7.54.1"

// :: [debug] #: * ModSecurity: save headers in: "Accept: */*"

// :: [debug] #: * ModSecurity: save headers in done

// :: [debug] #: * ModSecurity: save headers out: "Last-Modified: Tue, 13 Jun 2017 03:53:58 GMT"

// :: [debug] #: * ModSecurity: save headers out: "ETag: "593f61d6-""

// :: [notice] #: signal  (SIGCHLD) received

// :: [alert] #: worker process  exited on signal

// :: [debug] #: shmtx forced unlock

// :: [debug] #: wake up, sigio

// :: [debug] #: reap children

// :: [debug] #: child:   e: t: d: r: j:

// :: [debug] #: channel :

// :: [notice] #: start worker process

// :: [debug] #: sigsuspend

// :: [debug] #: notify eventfd:

// :: [debug] #: malloc: 000000000163F8B0:

// :: [debug] #: malloc: 00007FAB90C6D010:

// :: [debug] #: malloc: 0000000001677E60:

// :: [debug] #: malloc: 000000000168FE70:

// :: [debug] #: epoll add event: fd: op: ev:

// :: [debug] #: epoll add event: fd: op: ev:

// :: [debug] #: epoll add event: fd: op: ev:

// :: [debug] #: epoll add event: fd: op: ev:

// :: [debug] #: setproctitle: "nginx: worker process"

// :: [debug] #: worker cycle

// :: [debug] #: epoll timer: -

  这一条很有问题: 2017/06/22 10:52:52 [alert] 5473#0: worker process 5474 exited on signal 11

  也许是modsecurity有什么bug。

  回退两个版本至 ModSecurity-2.8.0

  2.8.0 依然有这个问题。

这是一个BUG,https://github.com/SpiderLabs/ModSecurity/issues/839

在2.x版本里,作者们都不准备fix了。

  解决办法,设置 proxy_force_ranges on

  http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_force_ranges

  2.8.0 错误消失。

  2.9.0  错误消失。

七:简单规则测试

  7.1  使用如下规则:

[root@dpdk output]# cat conf/mymod.conf

#SecRuleEngine DetectionOnly

SecRuleEngine On

SecRequestBodyAccess On

SecResponseBodyAccess On

SecDebugLogLevel

SecDebugLog /root/modsecurity/output/logs/modsec_debug.log

#SecAuditEngine On

SecAuditEngine RelevantOnly

SecAuditLogType Serial

SecAuditLog /root/modsecurity/output/logs/modsec_audit.log

SecRule REQUEST_METHOD "GET" "phase:1,log,id:1001,msg:'test1'"

#SecRule REQUEST_METHOD "POST" "phase:1,log,id:1002,msg:'test2'"

#SecRule REQUEST_HEADERS:User-Agent "curl" "phase:1,log,id:1003,msg:'test3'"

SecRule REQUEST_BODY_LENGTH "@eq 5" "phase:2,log,id:1004,msg:'test4'"

[root@dpdk output]#

  7.2  每次修改后,使用如下命令重载:

[root@dpdk output]# ./sbin/nginx -s reload

[root@dpdk output]#

  7.3  生效后,使用如下命令测试:

/home/tong/Temp [tong@T7] [:]

> curl 192.168.7.4:

/home/tong/Temp [tong@T7] [:]

> curl 192.168.7.4: -d xx

/home/tong/Temp [tong@T7] [:]

> curl 192.168.7.4: -d xxxxx

  7.4  操作后,使用如下命令查看测试结果:

[root@dpdk output]# tailf logs/modsec_audit.log

... ...

Message: Warning. Pattern match "POST" at REQUEST_METHOD. [file "/root/modsecurity/output/conf/mymod.conf"] [line ""] [id ""] [msg "test2"]

Message: Warning. Pattern match "curl" at REQUEST_HEADERS:User-Agent. [file "/root/modsecurity/output/conf/mymod.conf"] [line ""] [id ""] [msg "test3"]

Message: Warning. Operator EQ matched  at REQUEST_BODY_LENGTH. [file "/root/modsecurity/output/conf/mymod.conf"] [line ""] [id ""] [msg "test4"]

... ...

八,看 ModSecurity-2.9.1 的代码

  传送门:[development][security][modsecurity][nginx] nginx / modsecurity development things

[security][modsecurity][nginx] nginx 与 modsecurity的更多相关文章

  1. [development][security][modsecurity][nginx] nginx / modsecurity development things

    接续前节:[security][modsecurity][nginx] nginx 与 modsecurity nginx开发手册:https://nginx.org/en/docs/dev/deve ...

  2. ModSecurity for Nginx

    Announcing the availability of ModSecurity extension for Nginx ModSecurity for Nginx ModSecurity for ...

  3. Centos7.4 modsecurity with nginx 安装

    1.准备: 系统环境:Centos7.4 软件及版本: nginx:OpenResty1.13.6.1 ModSecurity:ModSecurity v3.0.0rc1 (Linux) modsec ...

  4. ubuntu 重启 nginx 失败,* Restarting nginx nginx ...fail!

    ubuntu 重启 nginx 失败,* Restarting nginx nginx ...fail!       执行 nginx 重启服务时,提示失败如下: $ sudo service ngi ...

  5. nginx: [error] open() "/var/run/nginx/nginx.pid" failed (2: No such file or directory)

    在重启nginx服务的时候,出现了这个错误. [root@izuf68g6a94fj32w0afx00z etc]# nginx -c /var/run/nginx/nginx.pid nginx: ...

  6. nginx入门与实战 安装 启动 配置nginx Nginx状态信息(status)配置 正向代理 反向代理 nginx语法之location详解

    nginx入门与实战 网站服务 想必我们大多数人都是通过访问网站而开始接触互联网的吧.我们平时访问的网站服务 就是 Web 网络服务,一般是指允许用户通过浏览器访问到互联网中各种资源的服务. Web ...

  7. nginx: [error] invalid PID number "" in "/var/run/nginx/nginx.pid"

    一.出现这个的情况 解决方法一: 1.添加正在运行pid号到/var/run/nginx/nginx.pid就可以解决问题了(这个情况是在重启的情况下发现的) 2.如果是重启机器之后,系统有时会删掉/ ...

  8. 解决nginx重启“var/run/nginx/nginx.pid" no such file or directory问题

    重启虚拟机后,再次重启nginx会报错“/var/run/nginx/nginx.pid” no such file or directory. 方法一(已试过可行): 到/var/run下看没有ng ...

  9. 重启虚拟机后,再次重启nginx会报错:[emerg] open() "/var/run/nginx/nginx.pid" failed (2: No such file or directory)

    问题: 重启虚拟机后,再次重启nginx会报错: open() "/var/run/nginx/nginx.pid" failed (2: No such file or dire ...

随机推荐

  1. MySql事务select for update及数据的一致性处理讲解

    MySQL中的事务,默认是自动提交的,即autocommit = 1: 但是这样的话,在某些情形中就会出现问题:比如: 如果你想一次性插入了1000条数据,mysql会commit1000次的, 如果 ...

  2. 【iCore4 双核心板_FPGA】例程四:Signal Tapll 实验——逻辑分析仪

    实验现象: 三色led轮流闪烁,具体的逻辑分析仪使用教程请参考iCore3逻辑分析仪例程 核心代码: module signal_ctrl( input clk_25m, input rst_n, o ...

  3. 【emWin】例程十七:窗口对象——Button

    介绍: 按钮小工具通常用作触摸屏的主要用户界面元素,本例程介绍按钮小工具的创建及使用方法. 触摸校准(上电可选择是否进入校准界面) 自绘按钮(通过回调函数来自行绘制各种形状的按钮) 设置按钮字体 设置 ...

  4. InstallShield:卸载时文字叠加,文字乱码

    问题: InstallShield2010打包的程序.如果程序正在运行,卸载程序,提示关闭程序,然后消息界面出现文字叠加. 定位问题: 新建Installshield项目,依次修改SetupType, ...

  5. YouTube上最火的十个大数据视频

    http://blog.jobbole.com/84148/ YouTube上最火的十个大数据视频

  6. headfirst python 07 ~ 08

    Web 不论你在 web 上做什么, 都离不开请求和响应, web请求作为某个用户交互的结果由web浏览器发送到web服务器, 在web服务器上, 会生成web响应(或应答)并发回到 web 浏览器. ...

  7. 关于Unity中NGUI的背包实现之Scrollview(基于Camera)

    基于UIPanel的scrollview实现方式在移动设备上的性能不如基于camera的方式.因为UIPanel的scrollview实现方式要渲染很多的道具图,性能自然就降低了.如果是用第二个摄像机 ...

  8. 超酷!纯CSS3烧烤动画实现教程

    今天在老外的网站上看到一款很有创意的纯CSS3动画,是模拟烧烤活动的.款动画模拟了一个烧烤架,烧烤架上的食物也都是用纯CSS3绘制而成,没有用一张图片,效果相当逼真.另外一个有意思的是,这个CSS3烧 ...

  9. 上网爱快?EasyRadius FOR 爱快V2接口测试版正式推出,欢迎广大爱迷们测试噢

    …… …… 有些人问:为什么上面要打省略号?那些因为此处省略无数字,但是我还是要和大伙们谈谈EasyRadius支持爱快的故事 早在2013年的时候,我们内部就有发布爱快接口,但是由于当时V1的爱快, ...

  10. AOP 切入点表达式

    8.切入点表达式 现在我们介绍一下最重要的切入点表达式: 如上文所说,定义切入点时需要一个包含名字和任意参数的签名,还有一个切入点表达式,就是* findById*(..)这一部分. 切入点表达式的格 ...