Analysis of the principle of Nginx using Lua module to implement WAF

1. Background of WAF
2. What is WAF
3. Working Principle
4. WAF Function
5. Differences between WAF and traditional firewalls
6. WAF and DDos
7. Nginx WAF Function
8. Nginx Waf protection process
9. WAF based on Nginx

9.1 Install dependency packages
9.2 Install LuaJIT2.0
9.3 Install ngx_devel_kit
9.4 Install lua-nginx-module
9.5 Install Nginx
9.6 Install ngx_lua_waf
9.7 Test Results

Preface: I have been writing encryption data functions recently, but I still lack the knowledge of security. I accidentally came into contact with WAF related knowledge. It happened that Nginx can realize WAF function. I also learned the Lua language briefly. Share it with me

1. Background of WAF

In the past, enterprises usually used firewalls as the first line of defense for security. At that time, firewalls only effectively blocked some data packets at the third layer (network layer). However, as web applications became more and more functional, Web servers became the main target of attacks (the seventh layer, application layer) because of their powerful computing power, processing performance, and high value. However, traditional firewalls are unable to prevent attacks that exploit application vulnerabilities. In this context, WAF (Web Application Firewall) came into being.

2. What is WAF

Web Application Firewall (WAF) is designed to protect web applications from various application layer attacks, such as cross-site scripting (XSS), SQL injection, and cookie poisoning. Applications are the gateway to your important data, so attacks against applications are the main cause of vulnerabilities. With WAF, you can block a series of attacks that attempt to leak data by invading the system.

3. Working Principle

1. The user sends a web page request to the web server through the browser.

2. Before the user's request reaches the Web server, WAF filters the user's request

3. WAF obtains the user's HTTP request parameters and compares them with the rules defined in the configuration file (such as the IP blacklist). If a match is found, a 403 rejection is returned; otherwise, the request is allowed.

4. The WEB server responds to the user's request and returns the page data to the user.

4. WAF Function

WAF is a product that provides protection for Web applications by executing a series of security policies for HTTP/HTTPS.

5. Differences between WAF and traditional firewalls

1. Traditional firewalls work at the network layer (layer 3) and the transport layer (layer 4)

2.WAF works at the application layer (layer 7)

3. Traditional firewalls filter IP and port

4.WAF filters HTTP requests, including URL, IP, User-Agent, etc.

6. WAF and DDos

The full name of DDos is Distributed Denial of service. It mainly relies on a group of computers to initiate requests to a single target system, causing the target system resources to be exhausted and normal requests to be rejected.

According to the OSI network model, there are three most common types of DDos: Layer 3 (network layer) DDos, Layer 4 (transport layer) DDos, and Layer 7 (application layer) DDos.

WAF mainly deals with layer 7 DDos attacks, and it is more efficient than other protection measures in dealing with layer 7 DDos attacks. WAF performs detailed analysis of HTTP traffic so that it can model normal access requests and then use these models to distinguish normal requests from requests triggered by attackers using robots or scripts.

7. Nginx WAF Function

Support IP whitelist and blacklist functions, directly deny access to blacklisted IPs (newly added cdip function supports IP segments)
Support URL whitelist to define URLs that do not need to be filtered
Supports User-Agent filtering, matches entries in custom rules, and then processes them
Support CC attack protection, the number of visits to a single URL within a specified time exceeds the set value (newly added for different domain names)
Supports cookie filtering, matching entries in custom rules, and then processing
Supports URL filtering, matching entries in custom rules. If the URL requested by the user contains these
Support URL parameter filtering, the principle is the same as above
Supports logging, recording all rejected operations in the log
Added support for blacklisting cache (default 600 seconds)

8. Nginx Waf protection process

if whiteip() then
elseif blockip() then
elseif denycc() then
elseif ngx.var.http_Acunetix_Aspect then
ngx.exit(444)
elseif ngx.var.http_X_Scan_Memo then
ngx.exit(444)
elseif whiteurl() then
elseif ua() then
elseif url() then
elseif args() then
elseif cookie() then
elseif PostCheck then

Check the IP whitelist, and if it passes, it will not be detected;
Check the IP blacklist and reject if it fails;
Check CC attack, reject if matched
Check if http_Acunetix_Aspect scanning is enabled
Check if http_X_Scan_Memo scanning is enabled
Check Whitelist URL Check;
Check UA, and reject if UA fails;
Check URL parameter checking;
Check cookies;
Check post;

9. WAF based on Nginx

9.1 Install dependency packages

yum -y install gcc gcc-c++ autoconf automake make unzip
yum -y install zlib zlib-devel openssl openssl-devel pcre pcre-devel

9.2 Install LuaJIT2.0

LuaJIT is Lua's just-in-time compiler. Simply put, LuaJIT is an efficient Lua virtual machine.

# Enter the directory cd /usr/local/src/
 
# Download LuaJIT2.0
wget http://luajit.org/download/LuaJIT-2.0.5.tar.gz
 
# Unzip tar xf LuaJIT-2.0.5.tar.gz && cd LuaJIT-2.0.5
 
# Compile make
 
# Install make install PREFIX=/usr/local/lj2
 
# Create a soft link ln -s /usr/local/lj2/lib/libluajit-5.1.so.2 /lib64/
 
# Add environment variable export LUAJIT_LIB=/usr/local/lj2/lib/
export LUAJIT_INC=/usr/local/lj2/include/luajit-2.0/

9.3 Install ngx_devel_kit

The kit module is a module that expands the core functions of the nginx server. Third-party module development can be quickly implemented based on it.

# Enter the directory cd /user/local/src/
 
# Download v0.3.0.tar.gz
wget https://github.com/simplresty/ngx_devel_kit/archive/v0.3.0.tar.gz -O ngx_devel_kit.tar.gz
 
# Unzip tar xf ngx_devel_kit.tar.gz

9.4 Install lua-nginx-module

ngx_lua_module is an nginx http module that embeds the lua parser into nginx to parse and execute web backend scripts written in lua language.

Principle of ngx_lua module

1. Each worker (work process) creates a Lua VM, and all coroutines in the worker share the VM;
2. Encapsulate the Nginx I/O primitives and inject them into the Lua VM, allowing Lua code to access them directly;
3. Each external request is handled by a Lua coroutine, and data between coroutines is isolated;
4. When Lua code calls asynchronous interfaces such as I/O operations, it will suspend the current coroutine (and protect the context data) without blocking the worker;
5. When asynchronous operations such as I/O are completed, the relevant coroutine context data is restored and the operation continues

Install

# Enter the directory cd /user/local/src/
 
# Download v0.10.9rc7.tar.gz
wget https://github.com/openresty/lua-nginx-module/archive/v0.10.9rc7.tar.gz
 
# Unzip tar -xzvf v0.10.9rc7.tar.gz

9.5 Install Nginx

# Enter the directory cd /user/local/src/
 
# Download wget http://nginx.org/download/nginx-1.21.0.tar.gz
 
# Unzip tar xf nginx-1.21.0.tar.gz
 
# Enter the nginx directory cd nginx-1.21.0
 
# Compile ./configure --prefix=/usr/local/nginx --with-http_ssl_module --with-http_flv_module --with-http_stub_status_module --with-http_gzip_static_module --with-http_realip_module --with-pcre --add-module=/usr/local/src/lua-nginx-module-0.10.9rc7 --add-module=/usr/local/src/ngx_devel_kit-0.3.0 --with-stream
 
# Install make && make install
 
# Add nginx configuration and add the following content in the server block [root@localhost_test_192.168.10.132 11:04:48 ~]# vim /usr/local/nginx/conf/nginx.conf
 
location /lua {
    default_type 'text/plain';
 
    content_by_lua 'ngx.say("hello, lua")';
}
 
# Check syntax [root@localhost_test_192.168.10.132 09:59:33 /usr/local/src]# nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
 
# Start [root@localhost_test_192.168.10.132 11:08:35 ~]# nginx
 
# Test curl 127.0.0.1:80/lua

9.6 Install ngx_lua_waf

# Enter the directory cd /user/local/src/
 
# Download ngx_lua_waf to the conf directory wget https://github.com/loveshell/ngx_lua_waf/archive/master.zip
 
# Unzip and name it waf
unzip master.zip -d /usr/local/nginx/conf/
 
# Change the directory name mv /usr/local/nginx/conf/ngx_lua_waf-master /usr/local/nginx/conf/waf
 
# Add lua_package_path "/usr/local/nginx/conf/waf/?.lua" to the http section of nginx.conf;
lua_shared_dict limit 10m;
init_by_lua_file /usr/local/nginx/conf/waf/init.lua;
access_by_lua_file /usr/local/nginx/conf/waf/waf.lua;
 
# Add user www to the outermost layer of nginx.conf;
 
# Create a log directory mkdir /usr/local/nginx/logs/hack
chown www /usr/local/nginx/logs/hack
 
# Lua_waf configuration [root@localhost_test_192.168.10.132 11:33:53 /usr/local/nginx/conf/waf]# cat config.lua
#Rule storage path RulePath = "/usr/local/nginx/conf/waf/wafconf/"
# Whether to enable attack information logging, logdir needs to be configured
attacklog = "on"
# Log storage directory, which needs to be created by the user and must have writable permissions for the nginx user logdir = "/usr/local/nginx/logs/hack/"
# Whether to block url access UrlDeny="on"
# Whether to redirect after interception Redirect="on"
# Whether to intercept cookie attacks CookieMatch="on"
# Whether to intercept post attacks postMatch="on"
# Whether to enable URL whitelist whiteModule="on"
# Fill in the file extension type that is not allowed to upload black_fileExt={"php","jsp"}
#ip whitelist, multiple ips are separated by commas ipWhitelist={"127.0.0.1"}
#ip blacklist, multiple ips are separated by commas ipBlocklist={"192.168.10.1"}
# Whether to enable interception of cc attacks (need to add lua_shared_dict limit 10m in the http section of nginx.conf;)
CCDeny="off"
# Set the cc attack frequency in seconds.
# By default, the same IP can only request the same address 100 times in 1 minute CCrate="100/60"
# Warning content html = []
 
# Rule file [root@localhost_test_192.168.10.132 11:42:12 /usr/local/nginx/conf/waf]# ll wafconf/
total 24
-rw-r--r-- 1 root root 749 Apr 6 2016 args
-rw-r--r-- 1 root root 652 Apr 6 2016 cookie
-rw-r--r-- 1 root root 733 Apr 6 2016 post
-rw-r--r-- 1 root root 335 Apr 6 2016 url
-rw-r--r-- 1 root root 177 Apr 6 2016 user-agent
-rw-r--r-- 1 root root 8 Apr 6 2016 whiteurl
 
The rules in args are: get parameter filtering, cookie filtering is the cookie filtering for request filtering, url filtering is the rule for filtering only in get request url, post filtering is the rule for filtering only in post request, whiteurl is the whitelist, and the urls in it are matched without filtering, user-agent is the filtering rule for user-agent # Load Nginx
[root@localhost_test_192.168.10.132 11:32:41]# nginx -s reload

9.7 Test Results

Accessing a URL with parameters

http://192.168.10.132/?id=<script

Summary: Nginx uses Lua module to implement WAF, which is very powerful. You can modify the code for secondary development and modify it to achieve the desired effect. You may want to give it a try.

This is the end of this article about the principle analysis of how Nginx uses Lua module to implement WAF. For more relevant content about Nginx implementing WAF, please search for previous articles on 123WORDPRESS.COM or continue to browse the following related articles. I hope you will support 123WORDPRESS.COM in the future!

You may also be interested in: