Install and Configure ngx_lua_waf Based on Nginx+Lua ( OpenResty) - NETSEC

Saturday, June 20, 2020

Install and Configure ngx_lua_waf Based on Nginx+Lua ( OpenResty)

ngx_lua_waf is a web application firewall based on lua-nginx-module. Its features:
  • Prevent SQL injection, local file inclusion, some overflow attacks, fuzzing, XSS, SSRF and other web attacks
  • Prevent file leaks, such as svn / backup files
  • Prevent attacks from stress-testing tools such as ApacheBench
  • Block common hacking tools and scanners
  • Block unusual network requests
  • Block PHP execution in image/attachment directories
  • Prevent webshell uploads

Lua is a scripting language: a full-featured, multi-paradigm language whose simple syntax and semantics resemble JavaScript or Scheme. Nginx+Lua is a self-contained web server with the Lua scripting language embedded, so powerful applications can be written directly inside Nginx without CGI, FastCGI, or uWSGI. Adding a little Lua code to an existing Nginx configuration file is an easy way to add small features. lua-nginx-module is the nginx module that makes it possible to handle HTTP requests directly in nginx using Lua.

Pre-requirements

On CentOS 7, update the system and install the dependencies:

yum -y update && yum -y upgrade && yum -y install git && yum -y install zlib-devel && yum -y install gcc && yum -y install gcc-c++

Install from Source


It is also quite easy to install. In short, add two modules, ngx_devel_kit and lua-nginx-module, to nginx, and then modify the nginx configuration to run ngx_lua_waf.
Note: https://github.com/unixhot/waf

1 Get Dependencies: Nginx and PCRE
[root@centos-nginx1-16 ~]# cd /usr/local/src
[root@centos-nginx1-16 src]# wget 'http://nginx.org/download/nginx-1.12.1.tar.gz'
[root@centos-nginx1-16 src]# wget https://nchc.dl.sourceforge.net/project/pcre/pcre/8.41/pcre-8.41.tar.gz



1 Download the latest LuaJIT, ngx_devel_kit (NDK) and lua-nginx-module
wget http://luajit.org/download/LuaJIT-2.0.5.tar.gz
wget https://github.com/simpl/ngx_devel_kit/archive/v0.3.0.tar.gz
wget https://github.com/chaoslawful/lua-nginx-module/archive/v0.10.10.zip

Note: GitHub answers both repository URLs with a 301 redirect: simpl/ngx_devel_kit now lives at vision5/ngx_devel_kit, and chaoslawful/lua-nginx-module at openresty/lua-nginx-module. wget follows the redirects and saves the archives as v0.3.0.tar.gz and v0.10.10.zip.
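The nginx and LuaJIT archives above are fetched over plain http://, the two GitHub archives arrive through redirects, and everything is then compiled as root, so each archive should be pinned to a known hash before it is unpacked. The script below is an added example, not part of the original post: `verify_sources`, the manifest format and the `sources.sha256` file name are assumptions, and the demo runs on constructed stand-in files rather than the real archives.

```shell
#!/bin/sh
# Added example (not from the original post): gate the build on a pinned
# SHA-256 manifest. Manifest format, one entry per line:  <sha256-hex>  <url>
# The archive name is the last path component of the URL, as wget saves it.

# True only for 64 lowercase hex characters, so a placeholder never passes.
is_sha256() {
    [ "${#1}" -eq 64 ] || return 1
    case $1 in *[!0123456789abcdef]*) return 1 ;; esac
    return 0
}

# verify_sources MANIFEST DIR
# Prints one status line per archive; exit status 0 only if every listed
# archive matches its pin and DIR holds no archive the manifest omits.
verify_sources() (
    manifest=$1 dir=$2 rc=0 seen=
    [ -r "$manifest" ] || { echo "FAIL manifest not readable"; exit 1; }
    while read -r want url || [ -n "$want" ]; do
        case $want in ''|'#'*) continue ;; esac
        name=${url##*/}
        if [ -z "$name" ]; then
            echo "FAIL (no file name in '$url')"; rc=1; continue
        fi
        seen="$seen
$name"
        if ! is_sha256 "$want"; then
            echo "FAIL $name: manifest has no pinned hash"; rc=1; continue
        fi
        if [ ! -f "$dir/$name" ]; then
            echo "FAIL $name: not downloaded"; rc=1; continue
        fi
        got=$(sha256sum "$dir/$name" | cut -d' ' -f1)
        if [ "$got" != "$want" ]; then
            echo "FAIL $name: hash mismatch"; rc=1; continue
        fi
        case $url in
            https://*) echo "OK   $name" ;;
            *) echo "OK   $name (no TLS on download; the pin is the only check)" ;;
        esac
    done < "$manifest"
    # An archive sitting in DIR without a pin would be built unverified.
    for f in "$dir"/*.tar.gz "$dir"/*.zip; do
        [ -f "$f" ] || continue
        if ! printf '%s\n' "$seen" | grep -qxF -- "${f##*/}"; then
            echo "FAIL ${f##*/}: not listed in manifest"; rc=1
        fi
    done
    exit "$rc"
)

# Demo on constructed files: the names come from this page, the contents are
# stand-ins. Real pins must come from a source you trust, recorded once and
# kept apart from the download itself.
demo() (
    d=$(mktemp -d) || exit 1
    printf 'constructed nginx stand-in\n' > "$d/nginx-1.12.1.tar.gz"
    printf 'constructed ndk stand-in\n'   > "$d/v0.3.0.tar.gz"
    {
        echo "$(sha256sum "$d/nginx-1.12.1.tar.gz" | cut -d' ' -f1)  http://nginx.org/download/nginx-1.12.1.tar.gz"
        echo "$(sha256sum "$d/v0.3.0.tar.gz" | cut -d' ' -f1)  https://github.com/simpl/ngx_devel_kit/archive/v0.3.0.tar.gz"
    } > "$d/sources.sha256"
    verify_sources "$d/sources.sha256" "$d" && echo "=> safe to unpack"
    echo tampered >> "$d/v0.3.0.tar.gz"      # simulate a modified download
    verify_sources "$d/sources.sha256" "$d" || echo "=> build refused"
    rm -rf "$d"
)
demo
```

Run the check after the last wget and before the first tar or unzip, and stop the build on a non-zero exit status.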


2 Create an Nginx Running User


[root@centos-nginx1-16 src]# useradd -s /sbin/nologin -M www


3 Unzip NDK/lua-nginx-module/Luajit and compile Luajit

Unpack the modules:
v0.3.0.tar.gz is ngx_devel_kit-0.3.0
v0.10.10.zip is lua-nginx-module-0.10.10
LuaJIT-2.0.5.tar.gz is the LuaJIT source

If GCC is not installed yet, make && make install for LuaJIT fails with "gcc: Command not found", as the end of this transcript shows.
[root@centos-nginx1-16 src]# tar zxvf v0.3.0.tar.gz
[root@centos-nginx1-16 src]# unzip -q v0.10.10.zip
[root@centos-nginx1-16 src]# ls
LuaJIT-2.0.5.tar.gz  lua-nginx-module-0.10.10  nginx-1.12.1.tar.gz  ngx_devel_kit-0.3.0  pcre-8.41.tar.gz  v0.10.10.zip  v0.3.0.tar.gz
[root@centos-nginx1-16 src]# tar zxvf LuaJIT-2.0.5.tar.gz
[root@centos-nginx1-16 src]# cd LuaJIT-2.0.5
[root@centos-nginx1-16 LuaJIT-2.0.5]# make && make install
==== Building LuaJIT 2.0.5 ====
make -C src
make[1]: gcc: Command not found
make[1]: Entering directory `/usr/local/src/LuaJIT-2.0.5/src'
make[1]: gcc: Command not found
make[1]: gcc: Command not found
make[1]: gcc: Command not found
make[1]: gcc: Command not found
make[1]: gcc: Command not found
Makefile:254: *** Unsupported target architecture.  Stop.
make[1]: Leaving directory `/usr/local/src/LuaJIT-2.0.5/src'
make: *** [default] Error 2

4 Install GCC and G++ (gcc-c++)
[root@centos-nginx1-16 LuaJIT-2.0.5]# yum -y install gcc
[root@centos-nginx1-16 LuaJIT-2.0.5]# yum -y install gcc-c++




5 Make and Make install LuaJIT again

[root@centos-nginx1-16 LuaJIT-2.0.5]# make && make install
==== Building LuaJIT 2.0.5 ====
make -C src
make[1]: Entering directory `/usr/local/src/LuaJIT-2.0.5/src'
OK        Successfully built LuaJIT
make[1]: Leaving directory `/usr/local/src/LuaJIT-2.0.5/src'
==== Successfully built LuaJIT 2.0.5 ====
==== Installing LuaJIT 2.0.5 to /usr/local ====
mkdir -p /usr/local/bin /usr/local/lib /usr/local/include/luajit-2.0 /usr/local/share/man/man1 /usr/local/lib/pkgconfig /usr/local/share/luajit-2.0.5/jit /usr/local/share/lua/5.1 /usr/local/lib/lua/5.1
cd src && install -m 0755 luajit /usr/local/bin/luajit-2.0.5
cd src && test -f libluajit.a && install -m 0644 libluajit.a /usr/local/lib/libluajit-5.1.a || :
rm -f /usr/local/bin/luajit /usr/local/lib/libluajit-5.1.so.2.0.5 /usr/local/lib/libluajit-5.1.so /usr/local/lib/libluajit-5.1.so.2
cd src && test -f libluajit.so && \
  install -m 0755 libluajit.so /usr/local/lib/libluajit-5.1.so.2.0.5 && \
  ldconfig -n /usr/local/lib && \
  ln -sf libluajit-5.1.so.2.0.5 /usr/local/lib/libluajit-5.1.so && \
  ln -sf libluajit-5.1.so.2.0.5 /usr/local/lib/libluajit-5.1.so.2 || :
cd etc && install -m 0644 luajit.1 /usr/local/share/man/man1
cd etc && sed -e "s|^prefix=.*|prefix=/usr/local|" -e "s|^multilib=.*|multilib=lib|" luajit.pc > luajit.pc.tmp && \
  install -m 0644 luajit.pc.tmp /usr/local/lib/pkgconfig/luajit.pc && \
  rm -f luajit.pc.tmp
cd src && install -m 0644 lua.h lualib.h lauxlib.h luaconf.h lua.hpp luajit.h /usr/local/include/luajit-2.0
cd src/jit && install -m 0644 bc.lua v.lua dump.lua dis_x86.lua dis_x64.lua dis_arm.lua dis_ppc.lua dis_mips.lua dis_mipsel.lua bcsave.lua vmdef.lua /usr/local/share/luajit-2.0.5/jit
ln -sf luajit-2.0.5 /usr/local/bin/luajit
==== Successfully installed LuaJIT 2.0.5 to /usr/local ====
[root@centos-nginx1-16 LuaJIT-2.0.5]#

6 Install Nginx 
[root@centos-nginx1-16 src]# tar zxf nginx-1.12.1.tar.gz
[root@centos-nginx1-16 src]# tar zxvf pcre-8.41.tar.gz 
[root@centos-nginx1-16 src]# cd nginx-1.12.1
[root@centos-nginx1-16 nginx-1.12.1]# export LUAJIT_LIB=/usr/local/lib
[root@centos-nginx1-16 nginx-1.12.1]# export LUAJIT_INC=/usr/local/include/luajit-2.0
[root@centos-nginx1-16 nginx-1.12.1]# ./configure --user=www --group=www --prefix=/usr/local/nginx-1.12.1/ --with-pcre=/usr/local/src/pcre-8.41 --with-http_stub_status_module --with-http_sub_module --with-http_gzip_static_module --without-mail_pop3_module --without-mail_imap_module --without-mail_smtp_module  --add-module=../ngx_devel_kit-0.3.0/ --add-module=../lua-nginx-module-0.10.10/
checking for OS
 + Linux 3.10.0-1127.8.2.el7.x86_64 x86_64
checking for C compiler ... found
 + using GNU C compiler
 + gcc version: 4.8.5 20150623 (Red Hat 4.8.5-39) (GCC)
checking for gcc -pipe switch ... found
checking for -Wl,-E switch ... found
checking for gcc builtin atomic operations ... found
checking for C99 variadic macros ... found
checking for gcc variadic macros ... found
checking for gcc builtin 64 bit byteswap ... found
checking for unistd.h ... found
checking for inttypes.h ... found
checking for limits.h ... found
checking for sys/filio.h ... not found
checking for sys/param.h ... found
checking for sys/mount.h ... found
checking for sys/statvfs.h ... found
checking for crypt.h ... found
checking for Linux specific features
checking for epoll ... found
checking for EPOLLRDHUP ... found
checking for EPOLLEXCLUSIVE ... not found
checking for O_PATH ... found
checking for sendfile() ... found
checking for sendfile64() ... found
checking for sys/prctl.h ... found
checking for prctl(PR_SET_DUMPABLE) ... found
checking for sched_setaffinity() ... found
checking for crypt_r() ... found
checking for sys/vfs.h ... found
checking for poll() ... found
checking for /dev/poll ... not found
checking for kqueue ... not found
checking for crypt() ... not found
checking for crypt() in libcrypt ... found
checking for F_READAHEAD ... not found
checking for posix_fadvise() ... found
checking for O_DIRECT ... found
checking for F_NOCACHE ... not found
checking for directio() ... not found
checking for statfs() ... found
checking for statvfs() ... found
checking for dlopen() ... not found
checking for dlopen() in libdl ... found
checking for sched_yield() ... found
checking for SO_SETFIB ... not found
checking for SO_REUSEPORT ... found
checking for SO_ACCEPTFILTER ... not found
checking for SO_BINDANY ... not found
checking for IP_BIND_ADDRESS_NO_PORT ... found
checking for IP_TRANSPARENT ... found
checking for IP_BINDANY ... not found
checking for IP_RECVDSTADDR ... not found
checking for IP_PKTINFO ... found
checking for IPV6_RECVPKTINFO ... found
checking for TCP_DEFER_ACCEPT ... found
checking for TCP_KEEPIDLE ... found
checking for TCP_FASTOPEN ... found
checking for TCP_INFO ... found
checking for accept4() ... found
checking for eventfd() ... found
checking for int size ... 4 bytes
checking for long size ... 8 bytes
checking for long long size ... 8 bytes
checking for void * size ... 8 bytes
checking for uint32_t ... found
checking for uint64_t ... found
checking for sig_atomic_t ... found
checking for sig_atomic_t size ... 4 bytes
checking for socklen_t ... found
checking for in_addr_t ... found
checking for in_port_t ... found
checking for rlim_t ... found
checking for uintptr_t ... uintptr_t found
checking for system byte ordering ... little endian
checking for size_t size ... 8 bytes
checking for off_t size ... 8 bytes
checking for time_t size ... 8 bytes
checking for AF_INET6 ... found
checking for setproctitle() ... not found
checking for pread() ... found
checking for pwrite() ... found
checking for pwritev() ... found
checking for sys_nerr ... found
checking for localtime_r() ... found
checking for posix_memalign() ... found
checking for memalign() ... found
checking for mmap(MAP_ANON|MAP_SHARED) ... found
checking for mmap("/dev/zero", MAP_SHARED) ... found
checking for System V shared memory ... found
checking for POSIX semaphores ... not found
checking for POSIX semaphores in libpthread ... found
checking for struct msghdr.msg_control ... found
checking for ioctl(FIONBIO) ... found
checking for struct tm.tm_gmtoff ... found
checking for struct dirent.d_namlen ... not found
checking for struct dirent.d_type ... found
checking for sysconf(_SC_NPROCESSORS_ONLN) ... found
checking for openat(), fstatat() ... found
checking for getaddrinfo() ... found
configuring additional modules
adding module in ../ngx_devel_kit-0.3.0/
 + ngx_devel_kit was configured
adding module in ../lua-nginx-module-0.10.10/
checking for LuaJIT library in /usr/local/lib and /usr/local/include/luajit-2.0 (specified by the LUAJIT_LIB and LUAJIT_INC env, with -ldl) ... found
checking for export symbols by default (-E) ... found
checking for export symbols by default (--export-all-symbols) ... not found
checking for SO_PASSCRED ... found
checking for __attribute__(constructor) ... found
checking for malloc_trim ... found
 + ngx_http_lua_module was configured
checking for zlib library ... not found

./configure: error: the HTTP gzip module requires the zlib library.
You can either disable the module by using --without-http_gzip_module
option, or install the zlib library into the system, or build the zlib library
statically from the source with nginx by using --with-zlib=<path> option.

If Nginx has been compiled before, you do not need to run "make install" when you are only adding Nginx modules.

cd /usr/local/src/nginx-1.12.2
./configure --add-module=/usr/local/src/ngx_devel_kit-0.3.0 --add-module=/usr/local/src/lua-nginx-module-0.10.11 --with-ld-opt=-Wl,-rpath,$LUAJIT_LIB
make
mv /usr/local/nginx/sbin/nginx /usr/local/nginx/sbin/nginx.bak
cp objs/nginx /usr/local/nginx/sbin/
systemctl reload nginx


7 Install missing Zlib-devel package
[root@centos-nginx1-16 nginx-1.12.1]# yum install zlib-devel
Loaded plugins: fastestmirror, langpacks
Loading mirror speeds from cached hostfile
 * base: less.cogeco.net
 * epel: mirrors.mit.edu
 * extras: less.cogeco.net
 * updates: less.cogeco.net
Resolving Dependencies
--> Running transaction check
---> Package zlib-devel.x86_64 0:1.2.7-18.el7 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

==================================================================================================================================================================================
 Package                                     Arch                                    Version                                          Repository                             Size
==================================================================================================================================================================================
Installing:
 zlib-devel                                  x86_64                                  1.2.7-18.el7                                     base                                   50 k

Transaction Summary
==================================================================================================================================================================================
Install  1 Package

Total download size: 50 k
Installed size: 132 k
Is this ok [y/d/N]: y
Downloading packages:
zlib-devel-1.2.7-18.el7.x86_64.rpm                                                                                                                         |  50 kB  00:00:00
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Installing : zlib-devel-1.2.7-18.el7.x86_64                                                                                                                                 1/1
  Verifying  : zlib-devel-1.2.7-18.el7.x86_64                                                                                                                                 1/1

Installed:
  zlib-devel.x86_64 0:1.2.7-18.el7

Complete!
[root@centos-nginx1-16 nginx-1.12.1]# ./configure --user=www --group=www --prefix=/usr/local/nginx-1.12.1/ --with-pcre=/usr/local/src/pcre-8.41 --with-http_stub_status_module --with-http_sub_module --with-http_gzip_static_module --without-mail_pop3_module --without-mail_imap_module --without-mail_smtp_module  --add-module=../ngx_devel_kit-0.3.0/ --add-module=../lua-nginx-module-0.10.10/
checking for OS
 + Linux 3.10.0-1127.8.2.el7.x86_64 x86_64
checking for C compiler ... found
 + using GNU C compiler
 + gcc version: 4.8.5 20150623 (Red Hat 4.8.5-39) (GCC)
checking for gcc -pipe switch ... found
checking for -Wl,-E switch ... found
checking for gcc builtin atomic operations ... found
checking for C99 variadic macros ... found
checking for gcc variadic macros ... found
checking for gcc builtin 64 bit byteswap ... found
checking for unistd.h ... found
checking for inttypes.h ... found
checking for limits.h ... found
checking for sys/filio.h ... not found
checking for sys/param.h ... found
checking for sys/mount.h ... found
checking for sys/statvfs.h ... found
checking for crypt.h ... found
checking for Linux specific features
checking for epoll ... found
checking for EPOLLRDHUP ... found
checking for EPOLLEXCLUSIVE ... not found
checking for O_PATH ... found
checking for sendfile() ... found
checking for sendfile64() ... found
checking for sys/prctl.h ... found
checking for prctl(PR_SET_DUMPABLE) ... found
checking for sched_setaffinity() ... found
checking for crypt_r() ... found
checking for sys/vfs.h ... found
checking for poll() ... found
checking for /dev/poll ... not found
checking for kqueue ... not found
checking for crypt() ... not found
checking for crypt() in libcrypt ... found
checking for F_READAHEAD ... not found
checking for posix_fadvise() ... found
checking for O_DIRECT ... found
checking for F_NOCACHE ... not found
checking for directio() ... not found
checking for statfs() ... found
checking for statvfs() ... found
checking for dlopen() ... not found
checking for dlopen() in libdl ... found
checking for sched_yield() ... found
checking for SO_SETFIB ... not found
checking for SO_REUSEPORT ... found
checking for SO_ACCEPTFILTER ... not found
checking for SO_BINDANY ... not found
checking for IP_BIND_ADDRESS_NO_PORT ... found
checking for IP_TRANSPARENT ... found
checking for IP_BINDANY ... not found
checking for IP_RECVDSTADDR ... not found
checking for IP_PKTINFO ... found
checking for IPV6_RECVPKTINFO ... found
checking for TCP_DEFER_ACCEPT ... found
checking for TCP_KEEPIDLE ... found
checking for TCP_FASTOPEN ... found
checking for TCP_INFO ... found
checking for accept4() ... found
checking for eventfd() ... found
checking for int size ... 4 bytes
checking for long size ... 8 bytes
checking for long long size ... 8 bytes
checking for void * size ... 8 bytes
checking for uint32_t ... found
checking for uint64_t ... found
checking for sig_atomic_t ... found
checking for sig_atomic_t size ... 4 bytes
checking for socklen_t ... found
checking for in_addr_t ... found
checking for in_port_t ... found
checking for rlim_t ... found
checking for uintptr_t ... uintptr_t found
checking for system byte ordering ... little endian
checking for size_t size ... 8 bytes
checking for off_t size ... 8 bytes
checking for time_t size ... 8 bytes
checking for AF_INET6 ... found
checking for setproctitle() ... not found
checking for pread() ... found
checking for pwrite() ... found
checking for pwritev() ... found
checking for sys_nerr ... found
checking for localtime_r() ... found
checking for posix_memalign() ... found
checking for memalign() ... found
checking for mmap(MAP_ANON|MAP_SHARED) ... found
checking for mmap("/dev/zero", MAP_SHARED) ... found
checking for System V shared memory ... found
checking for POSIX semaphores ... not found
checking for POSIX semaphores in libpthread ... found
checking for struct msghdr.msg_control ... found
checking for ioctl(FIONBIO) ... found
checking for struct tm.tm_gmtoff ... found
checking for struct dirent.d_namlen ... not found
checking for struct dirent.d_type ... found
checking for sysconf(_SC_NPROCESSORS_ONLN) ... found
checking for openat(), fstatat() ... found
checking for getaddrinfo() ... found
configuring additional modules
adding module in ../ngx_devel_kit-0.3.0/
 + ngx_devel_kit was configured
adding module in ../lua-nginx-module-0.10.10/
checking for LuaJIT library in /usr/local/lib and /usr/local/include/luajit-2.0 (specified by the LUAJIT_LIB and LUAJIT_INC env, with -ldl) ... found
checking for export symbols by default (-E) ... found
checking for export symbols by default (--export-all-symbols) ... not found
checking for SO_PASSCRED ... found
checking for __attribute__(constructor) ... found
checking for malloc_trim ... found
 + ngx_http_lua_module was configured
checking for zlib library ... found
creating objs/Makefile

Configuration summary
  + using PCRE library: /usr/local/src/pcre-8.41
  + OpenSSL library is not used
  + using system zlib library

  nginx path prefix: "/usr/local/nginx-1.12.1/"
  nginx binary file: "/usr/local/nginx-1.12.1//sbin/nginx"
  nginx modules path: "/usr/local/nginx-1.12.1//modules"
  nginx configuration prefix: "/usr/local/nginx-1.12.1//conf"
  nginx configuration file: "/usr/local/nginx-1.12.1//conf/nginx.conf"
  nginx pid file: "/usr/local/nginx-1.12.1//logs/nginx.pid"
  nginx error log file: "/usr/local/nginx-1.12.1//logs/error.log"
  nginx http access log file: "/usr/local/nginx-1.12.1//logs/access.log"
  nginx http client request body temporary files: "client_body_temp"
  nginx http proxy temporary files: "proxy_temp"
  nginx http fastcgi temporary files: "fastcgi_temp"
  nginx http uwsgi temporary files: "uwsgi_temp"
  nginx http scgi temporary files: "scgi_temp"

[root@centos-nginx1-16 nginx-1.12.1]#
8 Install Nginx; this time it will succeed.

[root@centos-nginx1-16 nginx-1.12.1]# make -j2 && make install
9 Create two links
[root@centos-nginx1-16 nginx-1.12.1]# ln -s /usr/local/nginx-1.12.1 /usr/local/nginx
[root@centos-nginx1-16 nginx-1.12.1]# ln -s /usr/local/lib/libluajit-5.1.so.2 /lib64/libluajit-5.1.so.2
[root@centos-nginx1-16 nginx-1.12.1]#

ln -s /usr/local/nginx/sbin/nginx /usr/bin/nginx

You can now run nginx from any folder.

10 Edit nginx.conf to load lua test site
[root@centos-nginx1-16 conf]# pwd
/usr/local/src/nginx-1.12.1/conf
[root@centos-nginx1-16 conf]# vi nginx.conf


11 Test nginx configuration file and run Nginx
[root@centos-nginx1-16 nginx-1.12.1]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx-1.12.1//conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx-1.12.1//conf/nginx.conf test is successful
[root@centos-nginx1-16 nginx-1.12.1]# /usr/local/nginx/sbin/nginx
[root@centos-nginx1-16 nginx-1.12.1]#




To kill nginx process:

[root@centos-nginx1-16 nginx-1.12.1]# pkill -9 nginx




Disable FirewallD Service

You might want to disable the FirewallD service:
[root@centos-nginx1-16 conf]# service firewalld stop
Redirecting to /bin/systemctl stop firewalld.service

[root@centos-nginx1-16 conf]# systemctl disable firewalld
Removed symlink /etc/systemd/system/multi-user.target.wants/firewalld.service.
Removed symlink /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service.
[root@centos-nginx1-16 conf]#




OpenResty Deployment (Nginx and Lua)


Install dependencies
# yum install -y readline-devel pcre-devel openssl-devel
# cd /usr/local/src
Download and Compile/install openresty
# wget "https://openresty.org/download/openresty-1.11.2.5.tar.gz"
# tar zxf openresty-1.11.2.5.tar.gz
# cd openresty-1.11.2.5
# ./configure --prefix=/usr/local/openresty-1.11.2.5 \
--with-luajit --with-http_stub_status_module \
--with-pcre=/usr/local/src/pcre-8.41 --with-pcre-jit
# gmake && gmake install
# ln -s /usr/local/openresty-1.11.2.5 /usr/local/openresty

Test openresty installation
# vim /usr/local/openresty/nginx/conf/nginx.conf
server {
    location /hello {
            default_type text/html;
            content_by_lua_block {
                ngx.say("HelloWorld")
            }
        }
}
[root@webs-ebt src]# /usr/local/openresty-1.11.2.5/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/openresty-1.11.2.5/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/openresty-1.11.2.5/nginx/conf/nginx.conf test is successful
# /usr/local/openresty/nginx/sbin/nginx
Hello World
# curl http://192.168.199.33/hello
HelloWorld




WAF Deployment


Requirement:
yum -y install git

cd /usr/local/openresty/nginx/conf/
git clone https://github.com/xzhih/ngx_lua_waf.git waf 

cat > /usr/local/openresty/nginx/conf/waf.conf << EOF
lua_shared_dict limit 20m;
lua_package_path "/usr/local/openresty/nginx/conf/waf/?.lua";
init_by_lua_file "/usr/local/openresty/nginx/conf/waf/init.lua";
access_by_lua_file "/usr/local/openresty/nginx/conf/waf/access.lua";
EOF

mkdir -p /usr/local/openresty/nginx/logs/waf 
chown www:www /usr/local/openresty/nginx/logs/waf 

[root@centos-nginx1-16 ~]# cd /usr/local/openresty/nginx/conf/
[root@centos-nginx1-16 conf]# git clone https://github.com/xzhih/ngx_lua_waf.git waf
Cloning into 'waf'...
remote: Enumerating objects: 53, done.
remote: Total 53 (delta 0), reused 0 (delta 0), pack-reused 53
Unpacking objects: 100% (53/53), done.
[root@centos-nginx1-16 conf]# cat > /usr/local/openresty/nginx/conf/waf.conf << EOF
> lua_shared_dict limit 20m;
> lua_package_path "/usr/local/openresty/nginx/conf/waf/?.lua";
> init_by_lua_file "/usr/local/openresty/nginx/conf/waf/init.lua";
> access_by_lua_file "/usr/local/openresty/nginx/conf/waf/access.lua";
> EOF
[root@centos-nginx1-16 conf]# mkdir -p /usr/local/openresty/nginx/logs/waf
[root@centos-nginx1-16 conf]# chown www:www /usr/local/openresty/nginx/logs/waf
[root@centos-nginx1-16 conf]#


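You can find the WAF log in /usr/local/openresty/nginx/logs/waf.
Finally, edit /usr/local/openresty/nginx/conf/nginx.conf (vi /usr/local/openresty/nginx/conf/nginx.conf) and include waf.conf inside the http block, where the lua_shared_dict, lua_package_path and init_by_lua_file directives are valid:
include waf.conf;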

To kill nginx process:

[root@centos-nginx1-16 nginx-1.12.1]# pkill -9 nginx

To start nginx process:

[root@centos-nginx1-16 nginx-1.12.1]# /usr/local/openresty/nginx/sbin/nginx

Before waf.conf is included, visiting http://x.x.x.x/?a=a.sql returns a normal Nginx page.
After waf.conf is added, the same request returns the predefined error page defined in the config.lua file.



[root@centos-nginx1-16 waf]# cat config.lua
--WAF config file,enable = "on",disable = "off"

--waf status
config_waf_enable = "on"
--log dir
config_log_dir = "/usr/local/openresty/nginx/logs/waf"
--rule setting
config_rule_dir = "/usr/local/openresty/nginx/conf/waf/wafconf"
--enable/disable white url
config_white_url_check = "on"
--enable/disable white ip
config_white_ip_check = "on"
--enable/disable block ip
config_black_ip_check = "on"
--enable/disable url filtering
config_url_check = "on"
--enalbe/disable url args filtering
config_url_args_check = "on"
--enable/disable user agent filtering
config_user_agent_check = "on"
--enable/disable cookie deny filtering
config_cookie_check = "on"
--enable/disable cc filtering
config_cc_check = "on"
--cc rate the xxx of xxx seconds
config_cc_rate = "120/120"
--enable/disable post filtering
config_post_check = "on"
--config waf output redirect/html
config_waf_output = "html"
--if config_waf_output ,setting url
config_waf_redirect_url = "/captcha"
config_output_html=[[
<!DOCTYPE html><html><head><meta name="viewport" content="initial-scale=1,minimum-scale=1,width=device-width"><title>WAF Security Warning</title><style>body{font-size:100%;background-color:#ce3426;color:#fff;margin:15px}h1{font-size:1.5em;line-height:1.5em;margin-bottom:16px;font-weight:400}.wrapper{margin:20vh auto 0;max-width:500px}@media (max-width:420px){body{font-size:90%}}</style></head><body><div class="wrapper"><h1>Web APP Firewall</h1><p>Your request has invalit parameters, and has been blocked based on security policy<br>Possible reason: The information you submitted has potential malicious contents</p><p>1. Check your content<br>2. If this is your website, please contact your provider<br>3. if you are regular user, please contact website admin</p></div></body></html>
]]
[root@centos-nginx1-16 waf]#



There is more you can test, such as CC attack, blacklist, download limitation, etc.

Install Lua Module Dynamically With Nginx



1 Install the Lua module.
For Amazon Linux, CentOS, Oracle Linux, and RHEL:
$ yum install nginx-plus-module-lua
For Debian and Ubuntu:
$ apt-get install nginx-plus-module-lua
For SLES:
$ zypper install nginx-plus-module-lua
2 Put both of the load_module directives in the top‑level (“main”) context of NGINX Plus configuration file, nginx.conf:
load_module modules/ndk_http_module.so;
load_module modules/ngx_http_lua_module.so;
Note: The directives must be in this order.
3 Perform additional configuration as required by the module.

4 Reload NGINX Plus to enable the module:

$ nginx -t && nginx -s reload
Note: see the Nginx Dynamic Module Docs. With this installation method, you do not need to compile nginx yourself.


Add Nginx as a service


Add the service file:
# vi /usr/lib/systemd/system/nginx.service

[Unit]
Description=The NGINX HTTP and reverse proxy server
After=syslog.target network.target remote-fs.target nss-lookup.target

[Service]
Type=forking
PIDFile=/usr/local/openresty/nginx/logs/nginx.pid
ExecStartPre=/usr/local/openresty/nginx/sbin/nginx -t
ExecStart=/usr/local/openresty/nginx/sbin/nginx
ExecReload=/usr/local/openresty/nginx/sbin/nginx -s reload
ExecStop=/bin/kill -s QUIT $MAINPID
PrivateTmp=true

[Install]
WantedBy=multi-user.target

Save and quit. Start the service:
 # systemctl start nginx
 # systemctl enable nginx
ln -s /usr/local/nginx/sbin/nginx /usr/bin/nginx
You can check the version by executing the following command.
# /usr/local/openresty/nginx/sbin/nginx -v
Here are some commands related to the soft-link command "ln":
[root@centos-nginx1-16 opc]# ln -s /usr/local/nginx/sbin/nginx /usr/bin/nginx
ln: failed to create symbolic link ‘/usr/bin/nginx’: File exists
[root@centos-nginx1-16 opc]# ls -l /usr/bin/nginx
lrwxrwxrwx. 1 root root 27 Jun 21 23:52 /usr/bin/nginx -> /usr/local/nginx/sbin/nginx
[root@centos-nginx1-16 opc]# rm /usr/bin/nginx
rm: remove symbolic link ‘/usr/bin/nginx’? y
[root@centos-nginx1-16 opc]# ln -s /usr/local/openresty/nginx/sbin/nginx /usr/bin/nginx
[root@centos-nginx1-16 opc]# service nginx status
Redirecting to /bin/systemctl status nginx.service
● nginx.service - The NGINX HTTP and reverse proxy server
   Loaded: loaded (/usr/lib/systemd/system/nginx.service; enabled; vendor preset: disabled)
   Active: active (running) since Mon 2020-06-22 12:25:20 GMT; 3min 36s ago
  Process: 1589 ExecStart=/usr/local/openresty/nginx/sbin/nginx (code=exited, status=0/SUCCESS)
  Process: 1531 ExecStartPre=/usr/local/openresty/nginx/sbin/nginx -t (code=exited, status=0/SUCCESS)
 Main PID: 1597 (nginx)
   CGroup: /system.slice/nginx.service
           ├─1597 nginx: master process /usr/local/openresty/nginx/sbin/nginx
           └─1600 nginx: worker process

Jun 22 12:25:19 centos-nginx1-16 systemd[1]: Starting The NGINX HTTP and reverse proxy server...
Jun 22 12:25:20 centos-nginx1-16 nginx[1531]: nginx: the configuration file /usr/local/openresty-1.11.2.5/nginx/conf/nginx.conf syntax is ok
Jun 22 12:25:20 centos-nginx1-16 nginx[1531]: nginx: configuration file /usr/local/openresty-1.11.2.5/nginx/conf/nginx.conf test is successful
Jun 22 12:25:20 centos-nginx1-16 systemd[1]: Failed to parse PID from file /usr/local/openresty/nginx/logs/nginx.pid: Invalid argument
Jun 22 12:25:20 centos-nginx1-16 systemd[1]: Started The NGINX HTTP and reverse proxy server.
[root@centos-nginx1-16 opc]#



Build a PHP test environment

Install php-fpm
yum install php-fpm
[root@centos-nginx1-16 logs]# systemctl start php-fpm
[root@centos-nginx1-16 logs]# systemctl enable php-fpm

[root@centos-nginx1-16 logs]# systemctl status php-fpm


vi nginx.conf

Uncomment "location ~ \.php$" section. And you will need to change following line:
#fastcgi_param  SCRIPT_FILENAME  /scripts$fastcgi_script_name;

to:
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;

location ~ \.php$ {
        root           html;
        fastcgi_pass   127.0.0.1:9000;
        fastcgi_index  index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include        fastcgi_params;
}
Create an index.php file under /usr/local/openresty/nginx/html, with the content <?php phpinfo(); ?>

Restart the nginx service with the command "systemctl restart nginx" for the change to take effect.


PHP - XSS attack testing

Add a new rule to the args file under /usr/local/nginx/conf/waf/wafconf:
\sor\s+
Restart nginx service
[root@wr waf]# nginx -s reload

Create a test.php file under /usr/local/openresty/nginx/html, with the content <?php echo $_GET['id']; ?>
Add a new rule to the args file under /usr/local/openresty/nginx/conf/waf/wafconf



http://140.238.155.214/test.php?id=%3Cscript%3Ealert(%22xxx%22);%3C/script%3E
http://140.238.155.214/test.php?id=<script>alert("xxx");</script>
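
An offline model of the args-rule check tested above, added here as an example (it is not code from ngx_lua_waf or from this post). It assumes rules are applied case-insensitively to URL-decoded argument values; apart from `\sor\s+`, the rules, the `waf.example` host and the function names are constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Stand-in for the wafconf/args rule file, one regex per line. Only \sor\s+ is
# the rule quoted on this page; the other two are constructed for this example.
SAMPLE_ARGS_RULES = r"""
\sor\s+
<script
\.sql$
"""

# Constructed requests; waf.example is a placeholder host.
SAMPLE_REQUESTS = [
    "http://waf.example/test.php?id=%3Cscript%3Ealert(%22xxx%22);%3C/script%3E",
    'http://waf.example/test.php?id=<script>alert("xxx");</script>',
    "http://waf.example/?a=a.sql",
    "http://waf.example/test.php?id=1%20OR%201=1",
    "http://waf.example/search?q=cats+or+dogs",  # benign text, still matches \sor\s+
    "http://waf.example/search?q=color+chart",   # benign text, no rule matches
]


def load_rules(text):
    """Compile one case-insensitive regex per non-empty line of a rule file."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if line:
            rules.append((line, re.compile(line, re.IGNORECASE)))
    return rules


def check_args(url, rules):
    """Return (arg_name, rule_text) for the first decoded value a rule matches.

    parse_qsl percent-decodes each value and turns '+' into a space, so the
    encoded and the raw form of the same request are judged identically.
    """
    query = urlsplit(url).query
    for name, value in parse_qsl(query, keep_blank_values=True):
        for rule_text, regex in rules:
            if regex.search(value):
                return name, rule_text
    return None


def verdicts(requests, rules):
    """Map each request to 'BLOCK arg=<name> rule=<rule>' or 'PASS'."""
    results = []
    for url in requests:
        hit = check_args(url, rules)
        results.append("PASS" if hit is None else "BLOCK arg=%s rule=%s" % hit)
    return results


if __name__ == "__main__":
    compiled = load_rules(SAMPLE_ARGS_RULES)
    for url, verdict in zip(SAMPLE_REQUESTS, verdicts(SAMPLE_REQUESTS, compiled)):
        print(f"{verdict:32} {url}")
```

The `cats or dogs` request shows why a rule such as `\sor\s+` should be run against benign traffic samples before it is reloaded into the WAF.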



















