Building a Web Application Firewall (OpenWAF) with Docker
Posted by 没刮胡子
Introduction
OpenWAF is a fully open-source Web Application Firewall (WAF) that provides comprehensive protection features and a variety of protection policies.
It analyses HTTP request information through the nginx_lua API. OpenWAF is built from two engines: a rule engine and a behaviour analysis engine. The rule engine analyses each request on its own, while the behaviour analysis engine tracks information across requests.
Running with Docker
Pull the image
docker pull titansec/openwaf
Start a container and copy the configuration files out of it
docker run -d --name openwaf \
    -p 80:80 -p 443:443 \
    titansec/openwaf
# create the host directories the files are copied into
mkdir -p /root/openwaf/{conf,log}
docker cp openwaf:/etc/ngx_openwaf.conf /root/openwaf/conf
docker cp openwaf:/opt/OpenWAF/conf/twaf_access_rule.json /root/openwaf/conf
docker cp openwaf:/var/log/openwaf_error.log /root/openwaf/log/
docker rm -f openwaf
Configuration file ngx_openwaf.conf
user root;
worker_processes auto;
worker_cpu_affinity auto;
pid /var/run/openwaf.pid;
pcre_jit on;
error_log /var/log/openwaf_error.log;

events {
    worker_connections 10000;
    multi_accept on;
}

http {
    include /usr/local/openresty/nginx/conf/mime.types;
    include /opt/OpenWAF/conf/twaf_main.conf;
    include /opt/OpenWAF/conf/twaf_api.conf;
    default_type text/html;
    tcp_nopush on;
    sendfile on;
    keepalive_requests 100;
    keepalive_timeout 60 60;
    client_body_buffer_size 100m;
    lua_regex_match_limit 1500;
    proxy_redirect http://$http_host/ /;
    proxy_pass_header Server;

    upstream test {
        server 0.0.0.1;  # just an invalid address as a placeholder
        balancer_by_lua_file /opt/OpenWAF/app/twaf_balancer.lua;
        keepalive 16;
    }

    server {
        listen 80;
        listen [::]:80 ipv6only=on;
        listen 443 ssl;
        listen [::]:443 ssl ipv6only=on;
        server_name _;
        ssl_certificate /opt/OpenWAF/conf/ssl/nginx.crt;
        ssl_certificate_key /opt/OpenWAF/conf/ssl/nginx.key;
        ssl_protocols TLSv1.1 TLSv1.2;
        include /opt/OpenWAF/conf/twaf_server.conf;
        ssl_certificate_by_lua_file /opt/OpenWAF/app/twaf_ssl_cert.lua;

        location / {
            proxy_set_header Accept-Encoding identity;
            proxy_set_header Host $http_host;
            proxy_set_header X-Server-IP $server_addr;
            proxy_set_header X-Server-PORT $server_port;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Real-PORT $remote_port;
            proxy_set_header X-Forwarded-For $http_x_forwarded_for;
            proxy_set_header Connection $connection_upgrade;
            proxy_set_header Upgrade $http_upgrade;
            proxy_http_version 1.1;
            proxy_pass $twaf_upstream_server;
        }
    }
}
Rule file twaf_access_rule.json
Field description:
{
    "twaf_access_rule": {
        "rules": [                                 -- array; order matters
            {
                "ngx_ssl": false,                  -- SSL on the nginx side on/off
                "ngx_ssl_cert": "path",            -- path of the PEM certificate for nginx-side SSL
                "ngx_ssl_key": "path",             -- path of the PEM private key for nginx-side SSL
                "host": "www.baidu.com",           -- hostname, regex match
                "port": 80,                        -- port number (default 80)
                "path": "\\/",                     -- path, regex match
                "server_ssl": false,               -- SSL towards the backend server on/off
                "forward": "server_5",             -- upstream name of the backend server
                "forward_addr": "192.168.8.100",   -- IP address of the backend server
                "forward_port": "8080",            -- port of the backend server (default 80)
                "policy": "policy_uuid"            -- security policy ID
            }
        ]
    }
}
Reference example:
{
    "twaf_access_rule": {
        "state": true,
        "log_state": true,
        "rules": [
            {
                "host": "^.*$",
                "forward": "test1",
                "forward_addr": "192.168.8.100",
                "uuid": "test_uuid1",
                "policy": "twaf_policy_conf"
            },
            {
                "host": "localhost",
                "port": 81,
                "path": "/admin/",
                "forward": "test2",
                "forward_addr": "192.168.8.100",
                "forward_port": 82,
                "uuid": "test_uuid2",
                "policy": "twaf_policy_conf"
            },
            {
                "host": "localhost",
                "ngx_ssl": true,
                "ngx_ssl_cert": "/opt/OpenWAF/conf/ssl/nginx.crt",
                "ngx_ssl_key": "/opt/OpenWAF/conf/ssl/nginx.key",
                "forward": "test3",
                "forward_addr": "1.1.1.3",
                "uuid": "test_uuid3",
                "policy": "twaf_policy_conf"
            }
        ]
    }
}
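Because the rules array is order-sensitive and easy to get wrong, here is a small linter and match simulator for it, added as an example (it is not OpenWAF's code or part of the original post). It assumes the semantics of the field description above: rules are tried in array order, host and path are regex searches, and port defaults to 80; the sample rules are the three from the reference example.

```python
import json
import re

# Constructed sample: the three rules from the reference twaf_access_rule.json
# above, reduced to the "rules" array.
SAMPLE_RULES = json.loads("""[
 {"host": "^.*$", "forward": "test1", "forward_addr": "192.168.8.100",
  "uuid": "test_uuid1", "policy": "twaf_policy_conf"},
 {"host": "localhost", "port": 81, "path": "/admin/", "forward": "test2",
  "forward_addr": "192.168.8.100", "forward_port": 82, "uuid": "test_uuid2",
  "policy": "twaf_policy_conf"},
 {"host": "localhost", "ngx_ssl": true, "ngx_ssl_cert": "/opt/OpenWAF/conf/ssl/nginx.crt",
  "ngx_ssl_key": "/opt/OpenWAF/conf/ssl/nginx.key", "forward": "test3",
  "forward_addr": "1.1.1.3", "uuid": "test_uuid3", "policy": "twaf_policy_conf"}
]""")
REQUIRED = ("host", "forward", "forward_addr", "uuid", "policy")

def lint_rules(rules):
    """Return a list of problems; an empty list means the rules look sane."""
    problems, seen = [], set()
    for i, rule in enumerate(rules):
        for key in REQUIRED:
            if key not in rule:
                problems.append(f"rule {i}: missing '{key}'")
        for key in ("host", "path"):  # both are regexes per the field description
            if key in rule:
                try:
                    re.compile(rule[key])
                except re.error as exc:
                    problems.append(f"rule {i}: bad regex in '{key}': {exc}")
        if rule.get("ngx_ssl") and not (rule.get("ngx_ssl_cert") and rule.get("ngx_ssl_key")):
            problems.append(f"rule {i}: ngx_ssl enabled without cert/key paths")
        if rule.get("uuid") in seen:
            problems.append(f"rule {i}: duplicate uuid '{rule['uuid']}'")
        seen.add(rule.get("uuid"))
    return problems

def match_rule(rules, host, port, path):
    """Index of the first rule matching (host, port, path), or None. Assumed
    semantics: array order, regex search on host/path, port defaults to 80."""
    for i, rule in enumerate(rules):
        if not re.search(rule.get("host", ""), host):
            continue
        if int(rule.get("port", 80)) != port:
            continue
        if "path" in rule and not re.search(rule["path"], path):
            continue
        return i
    return None
```

Under these assumptions match_rule(SAMPLE_RULES, "localhost", 80, "/") returns 0, not 2: the catch-all "^.*$" rule placed first captures every plain port-80 request, so the third rule for localhost is never reached. That is exactly the ordering pitfall the field description warns about.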
Run the container
docker run -d --name openwaf \
    -p 80:80 -p 443:443 \
    -v /root/openwaf/conf/ngx_openwaf.conf:/etc/ngx_openwaf.conf \
    -v /root/openwaf/conf/twaf_access_rule.json:/opt/OpenWAF/conf/twaf_access_rule.json \
    -v /root/openwaf/log/openwaf_error.log:/var/log/openwaf_error.log \
    titansec/openwaf
Reference run (same command with the configuration kept under /opt/openwaf instead):
docker run -d --name openwaf \
    -p 80:80 -p 443:443 \
    -v /opt/openwaf/conf/ngx_openwaf.conf:/etc/ngx_openwaf.conf \
    -v /opt/openwaf/conf/twaf_access_rule.json:/opt/OpenWAF/conf/twaf_access_rule.json \
    -v /opt/openwaf/log/openwaf_error.log:/var/log/openwaf_error.log \
    titansec/openwaf
Blocking
Summary
A brief personal summary from setting it up and using it; don't flame me:
1. OpenWAF's rule configuration is somewhat cumbersome, and it is easy to get it wrong.
2. Documentation is relatively scarce; most of the material online is fairly basic.
3. Performance is not very good.
4. There is no management UI by default.
5. Not recommended for use in production.