- Prevent SQL injection, local file inclusion, partial overflow, fuzzing, XSS, SSRF and other web attacks
- Prevent leaks of files such as SVN metadata and backups
- Prevent attacks from stress-testing tools such as ApacheBench
- Block common hacking tools and scanners
- Block unusual network requests
- Deny PHP execute permission in image and attachment directories
- Prevent webshell uploads
Lua is a scripting language: a full-featured, multi-paradigm language with a simple syntax and semantics that resemble JavaScript or Scheme. Nginx+Lua is a self-contained web server with the Lua scripting language embedded. Powerful applications can be written directly inside Nginx without using CGI, FastCGI, or uWSGI, and small features are easy to add by putting a little Lua code into an existing Nginx configuration file. lua-nginx-module is the Nginx module that makes it possible to handle HTTP requests directly in Nginx using Lua.
Pre-requirements
CentOS 7. Update the system and install some dependencies:
yum -y update && yum -y upgrade && yum -y install git && yum -y install zlib-devel && yum -y install gcc && yum -y install gcc-c++
Install from Source
Installation is quite easy. Put simply, add two modules, ngx_devel_kit and lua-nginx-module, to Nginx, and then modify the Nginx configuration to run ngx_lua_waf.
note: https://github.com/unixhot/waf
1 Get Dependencies : Nginx and PCRE
[root@centos-nginx1-16 src]# wget 'http://nginx.org/download/nginx-1.12.1.tar.gz'
[root@centos-nginx1-16 src]# wget https://nchc.dl.sourceforge.net/project/pcre/pcre/8.41/pcre-8.41.tar.gz
[root@centos-nginx1-16 ~]# cd /usr/local/src
[root@centos-nginx1-16 src]#
[root@centos-nginx1-16 src]# wget 'http://nginx.org/download/nginx-1.12.1.tar.gz'
--2020-06-21 02:30:26-- http://nginx.org/download/nginx-1.12.1.tar.gz
Resolving nginx.org (nginx.org)... 95.211.80.227, 62.210.92.35, 2001:1af8:4060:a004:21::e3
Connecting to nginx.org (nginx.org)|95.211.80.227|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 981093 (958K) [application/octet-stream]
Saving to: ‘nginx-1.12.1.tar.gz’
100%[========================================================================================================================================>] 981,093 1.16MB/s in 0.8s
2020-06-21 02:30:27 (1.16 MB/s) - ‘nginx-1.12.1.tar.gz’ saved [981093/981093]
[root@centos-nginx1-16 src]# wget https://nchc.dl.sourceforge.net/project/pcre/pcre/8.41/pcre-8.41.tar.gz
--2020-06-21 02:30:41-- https://nchc.dl.sourceforge.net/project/pcre/pcre/8.41/pcre-8.41.tar.gz
Resolving nchc.dl.sourceforge.net (nchc.dl.sourceforge.net)... 140.110.96.69, 2001:e10:ffff:1f02::17
Connecting to nchc.dl.sourceforge.net (nchc.dl.sourceforge.net)|140.110.96.69|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 2068775 (2.0M) [application/x-gzip]
Saving to: ‘pcre-8.41.tar.gz’
100%[========================================================================================================================================>] 2,068,775 740KB/s in 2.7s
2020-06-21 02:30:45 (740 KB/s) - ‘pcre-8.41.tar.gz’ saved [2068775/2068775]
1 Download latest Luajit and ngx_devel_kit (NDK), also lua-nginx-module
wget http://luajit.org/download/LuaJIT-2.0.5.tar.gz
wget https://github.com/simpl/ngx_devel_kit/archive/v0.3.0.tar.gz
wget https://github.com/chaoslawful/lua-nginx-module/archive/v0.10.10.zip
[root@centos-nginx1-16 src]# wget http://luajit.org/download/LuaJIT-2.0.5.tar.gz
--2020-06-21 02:30:48-- http://luajit.org/download/LuaJIT-2.0.5.tar.gz
Resolving luajit.org (luajit.org)... 163.172.177.144
Connecting to luajit.org (luajit.org)|163.172.177.144|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 849845 (830K) [application/octet-stream]
Saving to: ‘LuaJIT-2.0.5.tar.gz’
100%[========================================================================================================================================>] 849,845 1.72MB/s in 0.5s
2020-06-21 02:30:49 (1.72 MB/s) - ‘LuaJIT-2.0.5.tar.gz’ saved [849845/849845]
[root@centos-nginx1-16 src]# wget https://github.com/simpl/ngx_devel_kit/archive/v0.3.0.tar.gz
--2020-06-21 02:30:54-- https://github.com/simpl/ngx_devel_kit/archive/v0.3.0.tar.gz
Resolving github.com (github.com)... 140.82.112.3
Connecting to github.com (github.com)|140.82.112.3|:443... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: https://github.com/vision5/ngx_devel_kit/archive/v0.3.0.tar.gz [following]
--2020-06-21 02:30:54-- https://github.com/vision5/ngx_devel_kit/archive/v0.3.0.tar.gz
Reusing existing connection to github.com:443.
HTTP request sent, awaiting response... 302 Found
Location: https://codeload.github.com/vision5/ngx_devel_kit/tar.gz/v0.3.0 [following]
--2020-06-21 02:30:54-- https://codeload.github.com/vision5/ngx_devel_kit/tar.gz/v0.3.0
Resolving codeload.github.com (codeload.github.com)... 140.82.114.9
Connecting to codeload.github.com (codeload.github.com)|140.82.114.9|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [application/x-gzip]
Saving to: ‘v0.3.0.tar.gz’
[ <=> ] 66,455 --.-K/s in 0.1s
2020-06-21 02:30:55 (580 KB/s) - ‘v0.3.0.tar.gz’ saved [66455]
[root@centos-nginx1-16 src]# wget https://github.com/chaoslawful/lua-nginx-module/archive/v0.10.10.zip
--2020-06-21 02:31:03-- https://github.com/chaoslawful/lua-nginx-module/archive/v0.10.10.zip
Resolving github.com (github.com)... 140.82.114.4
Connecting to github.com (github.com)|140.82.114.4|:443... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: https://github.com/openresty/lua-nginx-module/archive/v0.10.10.zip [following]
--2020-06-21 02:31:03-- https://github.com/openresty/lua-nginx-module/archive/v0.10.10.zip
Reusing existing connection to github.com:443.
HTTP request sent, awaiting response... 302 Found
Location: https://codeload.github.com/openresty/lua-nginx-module/zip/v0.10.10 [following]
--2020-06-21 02:31:03-- https://codeload.github.com/openresty/lua-nginx-module/zip/v0.10.10
Resolving codeload.github.com (codeload.github.com)... 140.82.114.9
Connecting to codeload.github.com (codeload.github.com)|140.82.114.9|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [application/zip]
Saving to: ‘v0.10.10.zip’
[ <=> ] 793,438 --.-K/s in 0.08s
2020-06-21 02:31:03 (9.79 MB/s) - ‘v0.10.10.zip’ saved [793438]
FINISHED --2020-06-21 02:31:03--
Total wall clock time: 0.7s
Downloaded: 1 files, 775K in 0.08s (9.79 MB/s)
2 Create a Nginx Running User
[root@centos-nginx1-16 src]# useradd -s /sbin/nologin -M www
3 Unzip NDK/lua-nginx-module/Luajit and compile Luajit
unzip modules:
v0.3.0.tar.gz is ngx_devel_kit-0.3.0
v0.10.10.zip is lua-nginx-module-0.10.10
LuaJIT-2.0.5.tar.gz is LuaJIT source file
Unfortunately, "make install" for LuaJIT will fail because GCC is missing.
4 Install GCC and GCC+
5 Make and Make install LuaJIT again
6 Install Nginx
9 Create two links
ln -s /usr/local/nginx/nginx /usr/bin/nginx
Requirement:
yum -y install git
To start nginx process:
Before waf.conf is included, visiting http://x.x.x.x/?a=a.sql returns the normal Nginx page.
After waf.conf is added, the same request returns the predefined error set in the config.lua file.
There is more you can test, such as CC attacks, the blacklist, download limits, etc.
4 Reload NGINX Plus to enable the module:
$ nginx -t && nginx -s reload
Note: Nginx Dynamic Module Docs. With this installation method, you do not need to compile Nginx yourself.
[root@centos-nginx1-16 logs]# systemctl enable php-fpm
[root@centos-nginx1-16 logs]# systemctl status php-fpm
vi nginx.conf
Uncomment the "location ~ \.php$" section, and change the following line:
#fastcgi_param SCRIPT_FILENAME /scripts$fastcgi_script_name;
to:
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
Create an index.php file under /usr/local/openresty/nginx/html, with the content <?php phpinfo(); ?>
Restart the nginx service so the change takes effect, using the command "systemctl restart nginx".
Restart nginx service
Create a test.php file under /usr/local/openresty/nginx/html, with the content <?php echo $_GET['id']; ?>
Add a new rule to the args file under /usr/local/openresty/nginx/conf/waf/wafconf
http://140.238.155.214/test.php?id=%3Cscript%3Ealert(%22xxx%22);%3C/script%3E
http://140.238.155.214/test.php?id=<script>alert("xxx");</script>
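The test above sends the same payload once percent-encoded and once raw. The following Python harness is an added example (not code from this page or from ngx_lua_waf) for checking a candidate args rule offline against those two requests and a few benign ones before putting it into the args file. The host name waf.example, the two sample rules and the benign URLs are constructed; it assumes rules are applied case-insensitively to URL-decoded argument values, with Python's re standing in for the PCRE engine Nginx uses.

```python
"""Offline check of a candidate regex for an args-style WAF rule file."""
import re
from urllib.parse import parse_qsl, urlsplit

# Requests the rule must stop: the page's test payload, percent-encoded and raw.
# The host name is a placeholder.
SHOULD_BLOCK = [
    "http://waf.example/test.php?id=%3Cscript%3Ealert(%22xxx%22);%3C/script%3E",
    'http://waf.example/test.php?id=<script>alert("xxx");</script>',
]

# Constructed benign requests the rule must leave alone.
SHOULD_PASS = [
    "http://waf.example/test.php?id=42",
    "http://waf.example/search.php?q=javascript+tutorial&tag=description",
    "http://waf.example/test.php?id",  # argument without a value
]

# Constructed rules: a too-broad one and a tighter candidate.
NAIVE_RULE = "script"
CANDIDATE_RULE = r"<\s*script\b"


def load_rules(text):
    """Compile one regex per non-empty line, as in a one-rule-per-line file."""
    rules = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        try:
            rules.append((line, re.compile(line, re.IGNORECASE | re.DOTALL)))
        except re.error as exc:
            # A rule that does not compile would silently protect nothing.
            raise ValueError(f"rule line {lineno} does not compile: {exc}") from exc
    return rules


def matching_args(url, rules):
    """Return [(arg_name, rule_text)] for each decoded argument value a rule hits."""
    hits = []
    # parse_qsl percent-decodes names and values; valueless args become "".
    for name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        for text, rx in rules:
            if rx.search(value):
                hits.append((name, text))
    return hits


def evaluate(rule_text, should_block=SHOULD_BLOCK, should_pass=SHOULD_PASS):
    """Report test requests the rules miss and benign requests they would block."""
    rules = load_rules(rule_text)
    return {
        "missed": [u for u in should_block if not matching_args(u, rules)],
        "false_positives": [u for u in should_pass if matching_args(u, rules)],
    }


if __name__ == "__main__":
    for label, rule in (("naive", NAIVE_RULE), ("candidate", CANDIDATE_RULE)):
        print(label, evaluate(rule))
```

Both rules catch the encoded and the raw request, but only the naive one also blocks the benign search URL, which is the kind of false positive worth finding before the rule reaches production.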
[root@centos-nginx1-16 src]# tar zxvf v0.3.0.tar.gz
[root@centos-nginx1-16 src]# unzip -q v0.10.10.zip
[root@centos-nginx1-16 src]# ls
LuaJIT-2.0.5.tar.gz lua-nginx-module-0.10.10 nginx-1.12.1.tar.gz ngx_devel_kit-0.3.0 pcre-8.41.tar.gz v0.10.10.zip v0.3.0.tar.gz
[root@centos-nginx1-16 src]# tar zxvf LuaJIT-2.0.5.tar.gz
[root@centos-nginx1-16 src]# cd LuaJIT-2.0.5
[root@centos-nginx1-16 LuaJIT-2.0.5]# make && make install
==== Building LuaJIT 2.0.5 ====
make -C src
make[1]: gcc: Command not found
make[1]: Entering directory `/usr/local/src/LuaJIT-2.0.5/src'
make[1]: gcc: Command not found
make[1]: gcc: Command not found
make[1]: gcc: Command not found
make[1]: gcc: Command not found
make[1]: gcc: Command not found
Makefile:254: *** Unsupported target architecture. Stop.
make[1]: Leaving directory `/usr/local/src/LuaJIT-2.0.5/src'
make: *** [default] Error 2
[root@centos-nginx1-16 LuaJIT-2.0.5]# yum -y install gcc
Installed:
gcc.x86_64 0:4.8.5-39.el7
Dependency Installed:
cpp.x86_64 0:4.8.5-39.el7 glibc-devel.x86_64 0:2.17-307.el7.1 glibc-headers.x86_64 0:2.17-307.el7.1 kernel-headers.x86_64 0:3.10.0-1127.10.1.el7 libmpc.x86_64 0:1.0.1-3.el7 mpfr.x86_64 0:3.1.1-4.el7
Complete!
[root@centos-nginx1-16 LuaJIT-2.0.5]# yum -y install gcc-c++
Installed:
gcc-c++.x86_64 0:4.8.5-39.el7
Dependency Installed:
libstdc++-devel.x86_64 0:4.8.5-39.el7
Complete!
[root@centos-nginx1-16 LuaJIT-2.0.5]#
5 Make and Make install LuaJIT again
[root@centos-nginx1-16 LuaJIT-2.0.5]# make && make install
==== Building LuaJIT 2.0.5 ====
make -C src
make[1]: Entering directory `/usr/local/src/LuaJIT-2.0.5/src'
OK Successfully built LuaJIT
make[1]: Leaving directory `/usr/local/src/LuaJIT-2.0.5/src'
==== Successfully built LuaJIT 2.0.5 ====
==== Installing LuaJIT 2.0.5 to /usr/local ====
ln -sf luajit-2.0.5 /usr/local/bin/luajit
==== Successfully installed LuaJIT 2.0.5 to /usr/local ====
[root@centos-nginx1-16 LuaJIT-2.0.5]#
[root@centos-nginx1-16 src]# tar zxf nginx-1.12.1.tar.gz
[root@centos-nginx1-16 src]# tar zxvf pcre-8.41.tar.gz
[root@centos-nginx1-16 src]# cd nginx-1.12.1
[root@centos-nginx1-16 nginx-1.12.1]# export LUAJIT_LIB=/usr/local/lib
[root@centos-nginx1-16 nginx-1.12.1]# export LUAJIT_INC=/usr/local/include/luajit-2.0
[root@centos-nginx1-16 nginx-1.12.1]# ./configure --user=www --group=www --prefix=/usr/local/nginx-1.12.1/ --with-pcre=/usr/local/src/pcre-8.41 --with-http_stub_status_module --with-http_sub_module --with-http_gzip_static_module --without-mail_pop3_module --without-mail_imap_module --without-mail_smtp_module --add-module=../ngx_devel_kit-0.3.0/ --add-module=../lua-nginx-module-0.10.10/
configuring additional modules
adding module in ../ngx_devel_kit-0.3.0/
+ ngx_devel_kit was configured
adding module in ../lua-nginx-module-0.10.10/
checking for LuaJIT library in /usr/local/lib and /usr/local/include/luajit-2.0 (specified by the LUAJIT_LIB and LUAJIT_INC env, with -ldl) ... found
+ ngx_http_lua_module was configured
checking for zlib library ... not found
./configure: error: the HTTP gzip module requires the zlib library.
You can either disable the module by using --without-http_gzip_module option, or install the zlib library into the system, or build the zlib library statically from the source with nginx by using --with-zlib=<path> option.
If Nginx has already been compiled and installed, you do not need to run "make install" just to add Nginx modules: rebuild with make and replace the binary.
cd /usr/local/src/nginx-1.12.2
./configure --add-module=/usr/local/src/ngx_devel_kit-0.3.0 --add-module=/usr/local/src/lua-nginx-module-0.10.11 --with-ld-opt=-Wl,-rpath,$LUAJIT_LIB
make
mv /usr/local/nginx/sbin/nginx /usr/local/nginx/sbin/nginx.bak
cp objs/nginx /usr/local/nginx/sbin/
systemctl reload nginx
7 Install missing Zlib-devel package
[root@centos-nginx1-16 nginx-1.12.1]# yum install zlib-devel
Installed:
  zlib-devel.x86_64 0:1.2.7-18.el7

Complete!
[root@centos-nginx1-16 nginx-1.12.1]# ./configure --user=www --group=www --prefix=/usr/local/nginx-1.12.1/ --with-pcre=/usr/local/src/pcre-8.41 --with-http_stub_status_module --with-http_sub_module --with-http_gzip_static_module --without-mail_pop3_module --without-mail_imap_module --without-mail_smtp_module --add-module=../ngx_devel_kit-0.3.0/ --add-module=../lua-nginx-module-0.10.10/
configuring additional modules
adding module in ../ngx_devel_kit-0.3.0/
 + ngx_devel_kit was configured
adding module in ../lua-nginx-module-0.10.10/
checking for LuaJIT library in /usr/local/lib and /usr/local/include/luajit-2.0 (specified by the LUAJIT_LIB and LUAJIT_INC env, with -ldl) ... found
checking for export symbols by default (-E) ... found
checking for export symbols by default (--export-all-symbols) ... not found
checking for SO_PASSCRED ... found
checking for __attribute__(constructor) ... found
checking for malloc_trim ... found
 + ngx_http_lua_module was configured
checking for zlib library ... found
creating objs/Makefile

Configuration summary
  + using PCRE library: /usr/local/src/pcre-8.41
  + OpenSSL library is not used
  + using system zlib library

  nginx path prefix: "/usr/local/nginx-1.12.1/"
  nginx binary file: "/usr/local/nginx-1.12.1//sbin/nginx"
  nginx modules path: "/usr/local/nginx-1.12.1//modules"
  nginx configuration prefix: "/usr/local/nginx-1.12.1//conf"
  nginx configuration file: "/usr/local/nginx-1.12.1//conf/nginx.conf"
  nginx pid file: "/usr/local/nginx-1.12.1//logs/nginx.pid"
  nginx error log file: "/usr/local/nginx-1.12.1//logs/error.log"
  nginx http access log file: "/usr/local/nginx-1.12.1//logs/access.log"
  nginx http client request body temporary files: "client_body_temp"
  nginx http proxy temporary files: "proxy_temp"
  nginx http fastcgi temporary files: "fastcgi_temp"
  nginx http uwsgi temporary files: "uwsgi_temp"
  nginx http scgi temporary files: "scgi_temp"

[root@centos-nginx1-16 nginx-1.12.1]#
8 Install Nginx. This time it will succeed.
[root@centos-nginx1-16 nginx-1.12.1]# make -j2 && make install
[root@centos-nginx1-16 nginx-1.12.1]# ln -s /usr/local/nginx-1.12.1 /usr/local/nginx
[root@centos-nginx1-16 nginx-1.12.1]# ln -s /usr/local/lib/libluajit-5.1.so.2 /lib64/libluajit-5.1.so.2
[root@centos-nginx1-16 nginx-1.12.1]#
ln -s /usr/local/nginx/sbin/nginx /usr/bin/nginx
You can now run nginx from any directory.
10 Edit nginx.conf to load lua test site
[root@centos-nginx1-16 conf]# pwd
/usr/local/src/nginx-1.12.1/conf
[root@centos-nginx1-16 conf]# vi nginx.conf
10 Test nginx configuration file and run Nginx
[root@centos-nginx1-16 nginx-1.12.1]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx-1.12.1//conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx-1.12.1//conf/nginx.conf test is successful
[root@centos-nginx1-16 nginx-1.12.1]# /usr/local/nginx/sbin/nginx
[root@centos-nginx1-16 nginx-1.12.1]#
To kill nginx process:
[root@centos-nginx1-16 nginx-1.12.1]# pkill -9 nginx
Disable FirewallD Service
You might want to disable the FirewallD service:
[root@centos-nginx1-16 conf]# service firewalld stop
Redirecting to /bin/systemctl stop firewalld.service
[root@centos-nginx1-16 conf]# systemctl disable firewalld
Removed symlink /etc/systemd/system/multi-user.target.wants/firewalld.service.
Removed symlink /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service.
[root@centos-nginx1-16 conf]#
OpenResty Deployment (Nginx and Lua)
Install dependencies
# yum install -y readline-devel pcre-devel openssl-devel
# cd /usr/local/src
Download and Compile/install openresty
# wget "https://openresty.org/download/openresty-1.11.2.5.tar.gz"
# tar zxf openresty-1.11.2.5.tar.gz
# cd openresty-1.11.2.5
# ./configure --prefix=/usr/local/openresty-1.11.2.5 \
    --with-luajit --with-http_stub_status_module \
    --with-pcre=/usr/local/src/pcre-8.41 --with-pcre-jit
# gmake && gmake install
# ln -s /usr/local/openresty-1.11.2.5 /usr/local/openresty
Test openresty installation
# vim /usr/local/openresty/nginx/conf/nginx.conf
server {
    location /hello {
        default_type text/html;
        content_by_lua_block {
            ngx.say("HelloWorld")
        }
    }
}
[root@webs-ebt src]# /usr/local/openresty-1.11.2.5/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/openresty-1.11.2.5/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/openresty-1.11.2.5/nginx/conf/nginx.conf test is successful
# /usr/local/openresty/nginx/sbin/nginx
Hello World
# curl http://192.168.199.33/hello
HelloWorld
WAF Deployment
Requirement:
yum -y install git
cd /usr/local/openresty/nginx/conf/
git clone https://github.com/xzhih/ngx_lua_waf.git waf
cat > /usr/local/openresty/nginx/conf/waf.conf << EOF
lua_shared_dict limit 20m;
lua_package_path "/usr/local/openresty/nginx/conf/waf/?.lua";
init_by_lua_file "/usr/local/openresty/nginx/conf/waf/init.lua";
access_by_lua_file "/usr/local/openresty/nginx/conf/waf/access.lua";
EOF
mkdir -p /usr/local/openresty/nginx/logs/waf
chown www:www /usr/local/openresty/nginx/logs/waf
[root@centos-nginx1-16 ~]# cd /usr/local/openresty/nginx/conf/
[root@centos-nginx1-16 conf]# git clone https://github.com/xzhih/ngx_lua_waf.git waf
Cloning into 'waf'...
remote: Enumerating objects: 53, done.
remote: Total 53 (delta 0), reused 0 (delta 0), pack-reused 53
Unpacking objects: 100% (53/53), done.
[root@centos-nginx1-16 conf]# cat > /usr/local/openresty/nginx/conf/waf.conf << EOF
> lua_shared_dict limit 20m;
> lua_package_path "/usr/local/openresty/nginx/conf/waf/?.lua";
> init_by_lua_file "/usr/local/openresty/nginx/conf/waf/init.lua";
> access_by_lua_file "/usr/local/openresty/nginx/conf/waf/access.lua";
> EOF
[root@centos-nginx1-16 conf]# mkdir -p /usr/local/openresty/nginx/logs/waf
[root@centos-nginx1-16 conf]# chown www:www /usr/local/openresty/nginx/logs/waf
[root@centos-nginx1-16 conf]#
You can find the WAF log in /usr/local/openresty/nginx/logs/waf.
Finally, include waf.conf by editing nginx.conf (vi /usr/local/openresty/nginx/conf/nginx.conf) and adding the following line inside the http block:
include waf.conf;
To kill nginx process:
[root@centos-nginx1-16 nginx-1.12.1]# pkill -9 nginx
[root@centos-nginx1-16 nginx-1.12.1]# /usr/local/openresty/nginx/sbin/nginx
After adding waf.conf, you will get the error page predefined in the config.lua file.
[root@centos-nginx1-16 waf]# cat config.lua
--WAF config file,enable = "on",disable = "off"
--waf status
config_waf_enable = "on"
--log dir
config_log_dir = "/usr/local/openresty/nginx/logs/waf"
--rule setting
config_rule_dir = "/usr/local/openresty/nginx/conf/waf/wafconf"
--enable/disable white url
config_white_url_check = "on"
--enable/disable white ip
config_white_ip_check = "on"
--enable/disable block ip
config_black_ip_check = "on"
--enable/disable url filtering
config_url_check = "on"
--enalbe/disable url args filtering
config_url_args_check = "on"
--enable/disable user agent filtering
config_user_agent_check = "on"
--enable/disable cookie deny filtering
config_cookie_check = "on"
--enable/disable cc filtering
config_cc_check = "on"
--cc rate the xxx of xxx seconds
config_cc_rate = "120/120"
--enable/disable post filtering
config_post_check = "on"
--config waf output redirect/html
config_waf_output = "html"
--if config_waf_output ,setting url
config_waf_redirect_url = "/captcha"
config_output_html=[[
<!DOCTYPE html><html><head><meta name="viewport" content="initial-scale=1,minimum-scale=1,width=device-width"><title>WAF Security Warning</title><style>body{font-size:100%;background-color:#ce3426;color:#fff;margin:15px}h1{font-size:1.5em;line-height:1.5em;margin-bottom:16px;font-weight:400}.wrapper{margin:20vh auto 0;max-width:500px}@media (max-width:420px){body{font-size:90%}}</style></head><body><div class="wrapper"><h1>Web APP Firewall</h1><p>Your request has invalit parameters, and has been blocked based on security policy<br>Possible reason: The information you submitted has potential malicious contents</p><p>1. Check your content<br>2. If this is your website, please contact your provider<br>3. if you are regular user, please contact website admin</p></div></body></html>
]]
[root@centos-nginx1-16 waf]#
There is more you can test, such as CC attack protection, the blacklist, download limitation, etc.
Install the Lua Module as a Dynamic Module With Nginx
1 Install the Lua module.
For Amazon Linux, CentOS, Oracle Linux, and RHEL:
$ yum install nginx-plus-module-lua
For Debian and Ubuntu:
$ apt-get install nginx-plus-module-lua
For SLES:
$ zypper install nginx-plus-module-lua
2 Put both of the load_module directives in the top-level ("main") context of the NGINX Plus configuration file, nginx.conf:
load_module modules/ndk_http_module.so;
load_module modules/ngx_http_lua_module.so;
Note: The directives must be in this order.
3 Perform additional configuration as required by the module.
Add Nginx as a service
Add the service file:
# vi /usr/lib/systemd/system/nginx.service
[Unit]
Description=The NGINX HTTP and reverse proxy server
After=syslog.target network.target remote-fs.target nss-lookup.target

[Service]
Type=forking
PIDFile=/usr/local/openresty/nginx/logs/nginx.pid
ExecStartPre=/usr/local/openresty/nginx/sbin/nginx -t
ExecStart=/usr/local/openresty/nginx/sbin/nginx
ExecReload=/usr/local/openresty/nginx/sbin/nginx -s reload
ExecStop=/bin/kill -s QUIT $MAINPID
PrivateTmp=true

[Install]
WantedBy=multi-user.target
Save and quit. Start the service:
# systemctl start nginx
# systemctl enable nginx
ln -s /usr/local/nginx/nginx /usr/bin/nginx
You can check the version by executing the following command:
# /usr/local/openresty/nginx/sbin/nginx -v
Here are some commands related to the soft link command "ln":
[root@centos-nginx1-16 opc]# ln -s /usr/local/nginx/nginx /usr/bin/nginx
ln: failed to create symbolic link ‘/usr/bin/nginx’: File exists
[root@centos-nginx1-16 opc]# ls -l /usr/bin/nginx
lrwxrwxrwx. 1 root root 27 Jun 21 23:52 /usr/bin/nginx -> /usr/local/nginx/sbin/nginx
[root@centos-nginx1-16 opc]# rm /usr/bin/nginx
rm: remove symbolic link ‘/usr/bin/nginx’? y
[root@centos-nginx1-16 opc]# ln -s /usr/local/openresty/nginx/nginx /usr/bin/nginx
[root@centos-nginx1-16 opc]# service nginx status
Redirecting to /bin/systemctl status nginx.service
● nginx.service - The NGINX HTTP and reverse proxy server
   Loaded: loaded (/usr/lib/systemd/system/nginx.service; enabled; vendor preset: disabled)
   Active: active (running) since Mon 2020-06-22 12:25:20 GMT; 3min 36s ago
  Process: 1589 ExecStart=/usr/local/openresty/nginx/sbin/nginx (code=exited, status=0/SUCCESS)
  Process: 1531 ExecStartPre=/usr/local/openresty/nginx/sbin/nginx -t (code=exited, status=0/SUCCESS)
 Main PID: 1597 (nginx)
   CGroup: /system.slice/nginx.service
           ├─1597 nginx: master process /usr/local/openresty/nginx/sbin/nginx
           └─1600 nginx: worker process

Jun 22 12:25:19 centos-nginx1-16 systemd[1]: Starting The NGINX HTTP and reverse proxy server...
Jun 22 12:25:20 centos-nginx1-16 nginx[1531]: nginx: the configuration file /usr/local/openresty-1.11.2.5/nginx/conf/nginx.conf syntax is ok
Jun 22 12:25:20 centos-nginx1-16 nginx[1531]: nginx: configuration file /usr/local/openresty-1.11.2.5/nginx/conf/nginx.conf test is successful
Jun 22 12:25:20 centos-nginx1-16 systemd[1]: Failed to parse PID from file /usr/local/openresty/nginx/logs/nginx.pid: Invalid argument
Jun 22 12:25:20 centos-nginx1-16 systemd[1]: Started The NGINX HTTP and reverse proxy server.
[root@centos-nginx1-16 opc]#
Build a PHP test environment
install php-fpm
[root@centos-nginx1-16 logs]# systemctl start php-fpm
[root@centos-nginx1-16 logs]# systemctl enable php-fpm
[root@centos-nginx1-16 logs]# systemctl status php-fpm
vi nginx.conf
Uncomment "location ~ \.php$" section. And you will need to change following line:
#fastcgi_param SCRIPT_FILENAME /scripts$fastcgi_script_name;
to:
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
Create an index.php file under /usr/local/openresty/nginx/html, with the content <?php phpinfo(); ?>
Restart the nginx service for the change to take effect, using the command "systemctl restart nginx".
PHP - XSS attack testing
Add a new rule to the args file under /usr/local/nginx/conf/waf/wafconf:
\sor\s+
Create a test.php file under /usr/local/openresty/nginx/html, with the content <?php echo $_GET['id']; ?>
Add a new rule to the args file under /usr/local/openresty/nginx/conf/waf/wafconf
http://140.238.155.214/test.php?id=%3Cscript%3Ealert(%22xxx%22);%3C/script%3E
http://140.238.155.214/test.php?id=<script>alert("xxx");</script>
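An offline check of how an args rule behaves, added here as an example (it is not code from ngx_lua_waf or from the original post). It assumes the WAF matches each args rule case-insensitively against the URL-decoded value of every query argument. The `<\s*script` rule, the waf.example host and the sample requests are constructed; `\sor\s+` and the test.php payloads come from the page.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Rules as they would sit, one regex per line, in the wafconf "args" file.
# r"\sor\s+" is the rule from this page; r"<\s*script" is a constructed
# stand-in for an XSS rule (the page does not show one).
ARGS_RULES = [r"\sor\s+", r"<\s*script"]

# Constructed samples: (request URL, is_malicious). The first two carry the
# page's test.php payload; waf.example is a placeholder host.
SAMPLES = [
    ("http://waf.example/test.php?id=%3Cscript%3Ealert(%22xxx%22);%3C/script%3E", True),
    ('http://waf.example/test.php?id=<script>alert("xxx");</script>', True),
    ("http://waf.example/test.php?id=1%20or%201=1", True),
    ("http://waf.example/test.php?id=1%09OR%091=1", True),
    ("http://waf.example/product.php?id=42", False),
    ("http://waf.example/search.php?q=javascript+tutorial", False),
    ("http://waf.example/search.php?q=red+or+blue", False),
]


def match_args(url, rules=ARGS_RULES):
    """Return (arg_name, rule) for the first rule hitting a decoded query value."""
    # parse_qsl percent-decodes values and turns '+' into a space, so the
    # encoded and the raw form of the same payload are compared identically.
    for name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        for rule in rules:
            if re.search(rule, value, re.IGNORECASE):
                return name, rule
    return None


def audit(samples=SAMPLES, rules=ARGS_RULES):
    """Sort labelled samples into blocked / missed / false_positive / allowed."""
    report = {"blocked": [], "missed": [], "false_positive": [], "allowed": []}
    for url, malicious in samples:
        hit = match_args(url, rules)
        if hit and malicious:
            report["blocked"].append((url, hit[1]))
        elif hit:
            report["false_positive"].append((url, hit[1]))
        elif malicious:
            report["missed"].append(url)
        else:
            report["allowed"].append(url)
    return report


if __name__ == "__main__":
    for verdict, entries in audit().items():
        print(f"{verdict}: {len(entries)}")
        for entry in entries:
            print("   ", entry)
```

The false positive on q=red+or+blue shows why a broad rule such as `\sor\s+` should be run against benign traffic before it is enabled in production.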