ngx_lua_waf

ngx_lua_waf是一个基于lua-nginx-module(openresty)的web应用防火墙

3,933

1,445

3,933

View on GitHub

Top Related Projects

ModSecurity

8,029

ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx. It has a robust event-based programming language which provides protection from a range of attacks against web applications and allows for HTTP traffic monitoring, logging and real-time analysis.

lua-resty-waf

1,273

High-performance WAF built on the OpenResty stack

Quick Overview

ngx_lua_waf is a web application firewall (WAF) implemented using Lua for NGINX. It provides protection against various web attacks, including SQL injection, XSS, and more. The project aims to offer a lightweight and efficient WAF solution that can be easily integrated with NGINX servers.

Pros

Easy integration with NGINX servers
Lightweight and efficient, with minimal performance impact
Customizable rules and configurations
Active development and community support

Cons

Requires Lua knowledge for advanced customization
May require fine-tuning to avoid false positives
Limited documentation compared to some commercial WAF solutions
Potential compatibility issues with certain NGINX modules

Code Examples

Configuring basic WAF rules:

-- In config.lua
config_waf_enable = "on"
config_attack_log = "on"
config_log_dir = "/usr/local/nginx/logs/"
config_rule_dir = "/usr/local/nginx/conf/waf/wafconf/"
config_white_url_list = "white-url.rule"
config_black_url_list = "black-url.rule"
config_white_ip_list = "white-ip.rule"
config_black_ip_list = "black-ip.rule"

Customizing WAF behavior:

-- In init.lua
local content_length = tonumber(ngx.req.get_headers()['content-length'])
local method = ngx.req.get_method()
if method == "POST" then
   if content_length > 10485760 then
      ngx.exit(ngx.HTTP_FORBIDDEN)
   end
end

Adding a custom rule:

-- In user-agent.rule
(?i)(bot|spider|crawl|harvest)

Getting Started

Clone the repository:

git clone https://github.com/loveshell/ngx_lua_waf.git

Copy the waf folder to your NGINX configuration directory:
```
cp -R ngx_lua_waf/waf /usr/local/nginx/conf/
```

Add the following to your NGINX configuration:

lua_package_path "/usr/local/nginx/conf/waf/?.lua";
init_by_lua_file /usr/local/nginx/conf/waf/init.lua;
access_by_lua_file /usr/local/nginx/conf/waf/waf.lua;

Restart NGINX to apply the changes:
```
nginx -s reload
```

Competitor Comparisons

ModSecurity

8,029

Pros of ModSecurity

More comprehensive and mature Web Application Firewall (WAF) solution
Supports multiple web servers including Apache, Nginx, and IIS
Extensive rule set and regular updates from the OWASP community

Cons of ModSecurity

Can be resource-intensive, potentially impacting server performance
More complex configuration and setup process
Steeper learning curve for customization and rule management

Code Comparison

ModSecurity (example rule):

SecRule REQUEST_HEADERS:User-Agent "nikto" \
    "id:1000,phase:1,deny,log,msg:'Nikto Scan Detected'"

ngx_lua_waf (example rule):

if ngx.var.http_user_agent and ngx.var.http_user_agent:find("nikto") then
    ngx.exit(ngx.HTTP_FORBIDDEN)
end

ModSecurity offers a more structured and feature-rich rule syntax, while ngx_lua_waf provides a simpler, Lua-based approach. ModSecurity's rules are generally more verbose but offer greater flexibility and control. ngx_lua_waf's rules are more concise and easier to read for those familiar with Lua, but may lack some of the advanced features found in ModSecurity.

Both solutions aim to protect web applications from various attacks, but ModSecurity is a more comprehensive and widely adopted solution, while ngx_lua_waf is a lightweight alternative specifically designed for Nginx with LuaJIT.

lua-resty-waf

1,273

High-performance WAF built on the OpenResty stack

Pros of lua-resty-waf

More actively maintained with recent updates and contributions
Extensive documentation and configuration options
Better performance due to optimized Lua code and caching mechanisms

Cons of lua-resty-waf

More complex setup and configuration process
Steeper learning curve for users new to WAF systems
Requires additional dependencies and modules

Code Comparison

ngx_lua_waf:

function waf_main()
    if white_ip_check() then
    elseif black_ip_check() then
    elseif user_agent_attack_check() then
    elseif cc_attack_check() then
    elseif cookie_attack_check() then
    elseif url_attack_check() then
    elseif url_args_attack_check() then
    end
end

lua-resty-waf:

local waf = require "resty.waf"
local waf_instance = waf:new()

waf_instance:set_option("debug", true)
waf_instance:set_option("mode", "ACTIVE")
waf_instance:exec()

The code comparison shows that lua-resty-waf offers a more modular and configurable approach, while ngx_lua_waf uses a more straightforward, sequential check method. lua-resty-waf's design allows for easier customization and extension of WAF functionality.

Convert designs to code with AI

Introducing Visual Copilot: A new AI model to turn Figma designs to high quality code using your components.

Try Visual Copilot

README

##ngx_lua_waf

ngx_lua_wafæ¯æåå¥èè¶£æ¸¸æ¶åå¼åçä¸ä¸ªåºäºngx_luaçwebåºç¨é²ç«å¢ã

###ç¨éï¼

é²æ¢sqlæ³¨å¥ï¼æ¬å°åå«ï¼é¨åæº¢åºï¼fuzzingæµè¯ï¼xss,SSRFçwebæ»å»
é²æ¢svn/å¤ä»½ä¹ç±»æä»¶æ³æ¼
é²æ¢ApacheBenchä¹ç±»ååæµè¯å·¥å·çæ»å»
å±è½å¸¸è§çæ«æé»å®¢å·¥å·ï¼æ«æå¨
å±è½å¼å¸¸çç½ç»è¯·æ±
å±è½å¾çéä»¶ç±»ç®å½phpæ§è¡æé
é²æ¢webshellä¸ä¼

###æ¨èå®è£:

æ¨èä½¿ç¨lujit2.1åluaæ¯æ

###ä½¿ç¨è¯´æï¼

nginxå®è£è·¯å¾åè®¾ä¸º:/usr/local/nginx/conf/

ængx_lua_wafä¸è½½å°confç®å½ä¸,è§£åå½åä¸ºwaf

å¨nginx.confçhttpæ®µæ·»å

	lua_package_path "/usr/local/nginx/conf/waf/?.lua";
    lua_shared_dict limit 10m;
    init_by_lua_file  /usr/local/nginx/conf/waf/init.lua; 
	access_by_lua_file /usr/local/nginx/conf/waf/waf.lua;

éç½®config.luaéçwafè§åç®å½(ä¸è¬å¨waf/conf/ç®å½ä¸)

    RulePath = "/usr/local/nginx/conf/waf/wafconf/"

ç»å¯¹è·¯å¾å¦æåå¨ï¼éå¯¹åºä¿®æ¹

ç¶åéå¯nginxå³å¯

###éç½®æä»¶è¯¦ç»è¯´æï¼

	RulePath = "/usr/local/nginx/conf/waf/wafconf/"
    --è§ååæ¾ç®å½
    attacklog = "off"
    --æ¯å¦å¼å¯æ»å»ä¿¡æ¯è®°å½ï¼éè¦éç½®logdir
    logdir = "/usr/local/nginx/logs/hack/"
    --logåå¨ç®å½ï¼è¯¥ç®å½éè¦ç¨æ·èªå·±æ°å»ºï¼åéè¦nginxç¨æ·çå¯åæé
    UrlDeny="on"
    --æ¯å¦æ¦æªurlè®¿é®
    Redirect="on"
    --æ¯å¦æ¦æªåéå®å
    CookieMatch = "on"
    --æ¯å¦æ¦æªcookieæ»å»
    postMatch = "on" 
    --æ¯å¦æ¦æªpostæ»å»
    whiteModule = "on" 
    --æ¯å¦å¼å¯URLç½åå
    black_fileExt={"php","jsp"}
    --å¡«åä¸åè®¸ä¸ä¼ æä»¶åç¼ç±»å
    ipWhitelist={"127.0.0.1"}
    --ipç½ååï¼å¤ä¸ªipç¨éå·åé
    ipBlocklist={"1.0.0.1"}
    --ipé»ååï¼å¤ä¸ªipç¨éå·åé
    CCDeny="on"
    --æ¯å¦å¼å¯æ¦æªccæ»å»(éè¦nginx.confçhttpæ®µå¢å lua_shared_dict limit 10m;)
    CCrate = "100/60"
    --è®¾ç½®ccæ»å»é¢çï¼åä½ä¸ºç§.
    --é»è®¤1åéåä¸ä¸ªIPåªè½è¯·æ±åä¸ä¸ªå°å100æ¬¡
    html=[[Please go away~~]]
    --è¦ååå®¹,å¯å¨ä¸æ¬å·åèªå®ä¹
    å¤æ³¨:ä¸è¦ä¹±å¨åå¼å·ï¼åºåå¤§å°å

###æ£æ¥è§åæ¯å¦çæ

é¨ç½²å®æ¯å¯ä»¥å°è¯å¦ä¸å½ä»¤ï¼

    curl http://xxxx/test.php?id=../etc/passwd
    è¿å"Please go away~~"åæ ·ï¼è¯´æè§åçæã

###ææå¾å¦ä¸ï¼

sec

###è§åæ´æ°ï¼

###ä¸äºè¯´æï¼

è¿æ»¤è§åå¨wafconfä¸ï¼å¯æ ¹æ®éæ±èªè¡è°æ´ï¼æ¯æ¡è§åéæ¢è¡,æèç¨|åå²

	argséé¢çè§ågetåæ°è¿è¡è¿æ»¤ç
	urlæ¯åªå¨getè¯·æ±urlè¿æ»¤çè§å		
	postæ¯åªå¨postè¯·æ±è¿æ»¤çè§å		
	whitelistæ¯ç½ååï¼éé¢çurlå¹éå°ä¸åè¿æ»¤		
	user-agentæ¯å¯¹user-agentçè¿æ»¤è§å


é»è®¤å¼å¯äºgetåpostè¿æ»¤ï¼éè¦å¼å¯cookieè¿æ»¤çï¼ç¼è¾waf.luaåæ¶é¨å--æ³¨éå³å¯

æ¥å¿æä»¶åç§°æ ¼å¼å¦ä¸:èæä¸»æºå_sec.log

Copyright

Weibo	ç¥å¥çéæ³å¸
Forum	http://bbs.linuxtone.org/
Copyright	Copyright (c) 2013- loveshell
License	MIT License

æè°¢ngx_luaæ¨¡åçå¼åè@agentzh,æ¥å¥æ¯æææ¥è§¦è¿å¼æºç²¾ç¥æå¥½çäºº

Top Related Projects

ModSecurity

8,029

lua-resty-waf

1,273

High-performance WAF built on the OpenResty stack

Convert designs to code with AI

Introducing Visual Copilot: A new AI model to turn Figma designs to high quality code using your components.

Try Visual Copilot