ModSecurity(Libmodsecurity)

  • git:https://github.com/SpiderLabs/ModSecurity

Installing ModSecurity v3 for OpenResty

Install the build dependencies

$ apt install g++ flex bison curl apache2-dev doxygen libyajl-dev ssdeep liblua5.2-dev libgeoip-dev libtool dh-autoreconf libcurl4-gnutls-dev libxml2 libpcre++-dev libxml2-dev git

Download and unpack the source tarball

$ wget https://github.com/SpiderLabs/ModSecurity/releases/download/v3.0.6/modsecurity-v3.0.6.tar.gz
$ tar -zxvf modsecurity-v3.0.6.tar.gz
$ cd modsecurity-v3.0.6

Build and install

$ sudo ./build.sh
# --enable-mutex-on-pm: makes the pm operators safe to use from multiple threads
$ sudo ./configure --prefix=/usr/local/platform/modsecurity --enable-mutex-on-pm
$ sudo make
$ sudo make install

Building the ModSecurity nginx connector module into OpenResty

Download and unpack OpenResty (the latest release at the time of writing)

$ wget https://github.com/openresty/openresty/releases/download/v1.15.8.3/openresty-1.15.8.3.tar.gz
$ tar -zxvf openresty-1.15.8.3.tar.gz

Download and unpack ModSecurity-nginx

$ wget https://github.com/SpiderLabs/ModSecurity-nginx/releases/download/v1.0.2/modsecurity-nginx-v1.0.2.tar.gz
$ tar -zxvf modsecurity-nginx-v1.0.2.tar.gz

Build and install OpenResty

# Export MODSECURITY_LIB and MODSECURITY_INC, pointing at the lib/ and include/ directories of the ModSecurity install above
export MODSECURITY_LIB="/usr/local/platform/modsecurity/lib"
export MODSECURITY_INC="/usr/local/platform/modsecurity/include"
# /home/xxx/modsecurity-nginx-v1.0.2 is the directory ModSecurity-nginx was unpacked into
$ ./configure --prefix=/usr/local/platform/openresty \
    --with-luajit --without-http_redis2_module \
    --with-http_iconv_module --add-module=/home/xxx/modsecurity-nginx-v1.0.2

  • Fresh install:

$ sudo make
$ sudo make install

  • Upgrade (hot-swapping the binary of a running OpenResty):

$ sudo make
## back up the current nginx binary
$ cd /usr/local/platform/openresty/nginx/sbin/
$ sudo mv nginx nginx.old
$ sudo mv ~/openresty-1.15.8.3/build/nginx-1.15.8/objs/nginx .
## find the PID of the running OpenResty master process
$ sudo ps aux |grep openresty
## send USR2 to that master PID; it starts a new master from the new binary
$ sudo kill -USR2 3875418
## once the new processes check out, send QUIT to the old master so it shuts down gracefully
$ sudo kill -QUIT 3875418
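The upgrade steps above find the master PID with `ps aux | grep` and send the signals by hand. The script below is an added example (not from the original post) that does the same hot-swap with the checks a practitioner would want: it reads the master PID from nginx's pid file, confirms the new binary in `sbin/` was actually built with the ModSecurity-nginx connector and passes `nginx -t`, sends USR2, waits for the new master to write its own pid file, and only then sends QUIT to the old one. `PREFIX` matches the `--prefix` used above; the pid-file location is nginx's default under that prefix, and the `OPENRESTY_PREFIX` override and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the original post: checked binary hot-swap for
# the OpenResty + ModSecurity build described above.
# Assumes the freshly built binary has already been copied to $PREFIX/nginx/sbin/nginx.

PREFIX=${OPENRESTY_PREFIX:-/usr/local/platform/openresty}   # same --prefix as the build
NGINX="$PREFIX/nginx/sbin/nginx"
PIDFILE="$PREFIX/nginx/logs/nginx.pid"                      # nginx default under that prefix

# Succeeds if the `nginx -V` output on stdin lists the ModSecurity-nginx connector
# among the configure arguments (the --add-module=... from the build step).
built_with_modsecurity() {
  grep -q -- '--add-module=[^ ]*modsecurity-nginx'
}

# Print the PID stored in a pid file; fail if the file is missing or not numeric.
master_pid() {
  pid=$(cat "$1" 2>/dev/null) || return 1
  case $pid in
    ''|*[!0-9]*) return 1 ;;
  esac
  printf '%s\n' "$pid"
}

hot_swap() {
  old=$(master_pid "$PIDFILE") || { echo "no running master found in $PIDFILE" >&2; return 1; }
  "$NGINX" -V 2>&1 | built_with_modsecurity \
    || { echo "new binary was not built with modsecurity-nginx" >&2; return 1; }
  # -t fails on a broken nginx config, including the modsecurity directives, before anything is swapped
  "$NGINX" -t || return 1
  kill -USR2 "$old"
  # The old master renames its pid file to nginx.pid.oldbin and the new master
  # writes a fresh nginx.pid; wait up to 10 s for that to happen.
  new=""
  for i in 1 2 3 4 5 6 7 8 9 10; do
    new=$(master_pid "$PIDFILE") || new=""
    [ -n "$new" ] && [ "$new" != "$old" ] && [ -f "$PIDFILE.oldbin" ] && break
    sleep 1
  done
  if [ -z "$new" ] || [ "$new" = "$old" ]; then
    echo "new master did not start; old master $old is still serving" >&2
    return 1
  fi
  echo "new master $new is up; old master $old still running. Run smoke tests now (e.g. the curl check from the post)."
  kill -QUIT "$old"
}

# Run as: sh hot_swap.sh run   (sourcing the file only defines the functions)
case "${1:-}" in run) hot_swap ;; esac
```

`built_with_modsecurity` and `master_pid` are split out so they can be exercised offline against saved `nginx -V` output and a throwaway pid file; the USR2/QUIT sequence itself is the same one the post performs by hand.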

Configuring the rules

  • git:https://github.com/coreruleset/coreruleset/archive/refs/tags/v3.3.2.tar.gz

Download and unpack

# GitHub serves this archive as v3.3.2.tar.gz, so give it the name the next command expects
$ wget -O coreruleset-3.3.2.tar.gz https://github.com/coreruleset/coreruleset/archive/refs/tags/v3.3.2.tar.gz
$ tar -zxvf coreruleset-3.3.2.tar.gz

Create a directory under the nginx config tree to hold the rule set

$ sudo mkdir -p /usr/local/platform/openresty/nginx/conf/configs/owasp-modsecurity-crs
$ cd /usr/local/platform/openresty/nginx/conf/configs/owasp-modsecurity-crs
$ sudo mv ~/coreruleset-3.3.2/rules/ .
$ sudo mv ~/coreruleset-3.3.2/crs-setup.conf.example crs-setup.conf
$ sudo mv ~/modsecurity-v3.0.6/modsecurity.conf-recommended modsecurity.conf
$ sudo mv ~/modsecurity-v3.0.6/unicode.mapping unicode.mapping

Create the include file and adjust the security settings

  • Include file that pulls in the engine config, the CRS setup and the rules

$ sudo vim /usr/local/platform/openresty/nginx/conf/configs/owasp-modsecurity-crs/modsecurity-include.conf
Include /usr/local/platform/openresty/nginx/conf/configs/owasp-modsecurity-crs/modsecurity.conf
Include /usr/local/platform/openresty/nginx/conf/configs/owasp-modsecurity-crs/crs-setup.conf
Include /usr/local/platform/openresty/nginx/conf/configs/owasp-modsecurity-crs/rules/*.conf

  • Switch ModSecurity from detection to blocking

    • Change SecRuleEngine to On. With DetectionOnly the engine only logs warnings and never blocks a request.

    $ sudo vim /usr/local/platform/openresty/nginx/conf/configs/owasp-modsecurity-crs/modsecurity.conf
    #SecRuleEngine DetectionOnly
    SecRuleEngine On
    

Enable the WAF in every server block that needs it

server {
    listen       80;
    listen       443 ssl;
    server_name XXX.XXXX.XXX;

    ssl_certificate      certs/XXX.XXXX.XXX.pem;
    ssl_certificate_key  certs/XXX.XXXX.XXX.key;

    ssl_session_timeout  5m;
    ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4:!DH:!DHE;
    ssl_prefer_server_ciphers   on;

    access_log  logs/blog_access.log accesslog;
    error_log   logs/blog_error.log;

    # enable ModSecurity and point it at the include file that loads the rules
    modsecurity on;
    modsecurity_rules_file /usr/local/platform/openresty/nginx/conf/configs/owasp-modsecurity-crs/modsecurity-include.conf;
    # end

    location ~* \.well-known/ {
        root html;
    }

    location ~* / {
        root /usr/local/platform/webroot/xiang-blog/;
    }

    # the location must match the URI given to error_page
    error_page 404 /404.html;
    location = /404.html {
    }
    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
    }
}

Testing

A request for a dotfile such as /.env should now be rejected with 403:

$ curl -I https://XXX.XXXX.XXX/.env
HTTP/2 403
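The curl check above only shows the client side. What the WAF writes to the `error_log` configured in the server block (`logs/blog_error.log`) tells you which rules fired and whether the engine is really blocking, which is the difference between `SecRuleEngine DetectionOnly` and `On` described earlier. The POSIX shell functions below are an added example, not code from the original post or from the ModSecurity project: they pull the ModSecurity events out of an nginx error log and summarise them. The log lines inside `sample_log` are constructed samples in the format libmodsecurity writes through the nginx connector; the rule ids in them (930130 restricted file access, 949110 anomaly-score blocking evaluation, 920350 numeric Host header) are CRS 3.3 rule ids chosen for illustration, and the client addresses, paths and unique ids are made up. The example goes slightly beyond the post's single request: it also shows a rule match whose anomaly score stays below the blocking threshold, so it is logged but not denied.

```shell
#!/bin/sh
# Added example, not part of the original post: summarise ModSecurity v3 events
# from an nginx error_log. With SecRuleEngine DetectionOnly only
# "ModSecurity: Warning." lines appear; with SecRuleEngine On, CRS rule 949110
# additionally writes "ModSecurity: Access denied with code 403" once the
# inbound anomaly score reaches the threshold. Counting both kinds shows
# whether the engine is observing or blocking.

# Constructed sample log; format follows libmodsecurity via ModSecurity-nginx,
# with fields trimmed. IPs, paths and unique ids are invented.
sample_log() {
cat <<'EOF'
2021/10/12 10:00:01 [error] 1000#1000: *1 [client 203.0.113.5] ModSecurity: Warning. Matched "Operator `PmFromFile' with parameter `restricted-files.data' against variable `REQUEST_FILENAME' (Value: `/.env' ) [file "/usr/local/platform/openresty/nginx/conf/configs/owasp-modsecurity-crs/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf"] [id "930130"] [msg "Restricted File Access Attempt"] [severity "2"] [uri "/.env"] [unique_id "163403280100.000001"], client: 203.0.113.5, server: XXX.XXXX.XXX, request: "HEAD /.env HTTP/2.0"
2021/10/12 10:00:01 [error] 1000#1000: *1 [client 203.0.113.5] ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Ge' with parameter `5' against variable `TX:ANOMALY_SCORE' (Value: `5' ) [file "/usr/local/platform/openresty/nginx/conf/configs/owasp-modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "2"] [uri "/.env"] [unique_id "163403280100.000001"], client: 203.0.113.5, server: XXX.XXXX.XXX, request: "HEAD /.env HTTP/2.0"
2021/10/12 10:00:07 [error] 1000#1000: *2 [client 198.51.100.9] ModSecurity: Warning. Matched "Operator `Rx' with parameter `^[\d.:]+$' against variable `REQUEST_HEADERS:Host' (Value: `203.0.113.10' ) [file "/usr/local/platform/openresty/nginx/conf/configs/owasp-modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [id "920350"] [msg "Host header is a numeric IP address"] [severity "4"] [uri "/index.html"] [unique_id "163403280700.000002"], client: 198.51.100.9, server: XXX.XXXX.XXX, request: "GET /index.html HTTP/1.1"
2021/10/12 10:00:09 [error] 1000#1000: *3 open() "/usr/local/platform/webroot/xiang-blog/favicon.ico" failed (2: No such file or directory), client: 198.51.100.9, server: XXX.XXXX.XXX, request: "GET /favicon.ico HTTP/1.1"
EOF
}

# Rule ids that matched, as "id count" lines sorted by id. Every match is
# logged as a Warning, in both DetectionOnly and On mode.
modsec_warnings_by_rule() {
  sed -n '/ModSecurity: Warning\./s/.*\[id "\([0-9]*\)"\].*/\1/p' \
    | sort | uniq -c | awk '{ print $2, $1 }'
}

# Number of requests actually denied. Stays 0 in DetectionOnly mode no matter
# how many warnings fire. (|| true: grep -c exits 1 when the count is 0.)
modsec_denied_count() {
  grep -c 'ModSecurity: Access denied' || true
}

# Distinct URIs of denied requests.
modsec_denied_uris() {
  sed -n '/ModSecurity: Access denied/s/.*\[uri "\([^"]*\)"\].*/\1/p' | sort -u
}

# One-line verdict for the log on stdin: blocking, observe-only, or no events.
modsec_mode_verdict() {
  tmp=$(mktemp)
  cat > "$tmp"
  warnings=$(modsec_warnings_by_rule < "$tmp" | awk '{ s += $2 } END { print s + 0 }')
  denied=$(modsec_denied_count < "$tmp")
  rm -f "$tmp"
  if [ "$denied" -gt 0 ]; then
    echo "blocking: $denied denied, $warnings rule matches"
  elif [ "$warnings" -gt 0 ]; then
    echo "observe-only: $warnings rule matches, nothing denied (SecRuleEngine DetectionOnly, or scores below the anomaly threshold)"
  else
    echo "no ModSecurity events"
  fi
}

# Real use: modsec_mode_verdict < /usr/local/platform/openresty/nginx/logs/blog_error.log
# Demo on the constructed sample: sh modsec_summary.sh demo
case "${1:-}" in
  demo) sample_log | modsec_warnings_by_rule; sample_log | modsec_mode_verdict ;;
esac
```

On the sample, 930130 scores high enough for 949110 to deny the `/.env` request, while 920350 (severity WARNING) on its own stays under the default inbound threshold and is only logged. Run the same functions on a log taken while `SecRuleEngine DetectionOnly` was set and the denied count is 0 even though the same warnings appear, which is the quickest way to confirm that the switch to `On` actually took effect.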