我们如何使用 Nginx modsecurity 模块控制对 web 应用程序的恶意调用?
[英]How can we control malicious calls to a web application with Nginx modsecurity module?
问题描述
There is much commercial software(Akamai, Cloudflare, etc) to control the malicious calls/attacks (XSS, injection, DDOS, etc).
有很多商业软件(Akamai、Cloudflare 等)可以控制恶意调用/攻击(XSS、注入、DDOS 等)。 Although, can we use ModSecurity with Nginx?虽然,我们可以将 ModSecurity 与 Nginx 一起使用吗? How to write custom rules in Lua to avoid major vulnerabilities for my web application.如何在 Lua 中编写自定义规则以避免我的 web 应用程序出现重大漏洞。 May i get some guidance on this?我可以得到一些指导吗? is there any opensource templates to follow?是否有任何开源模板可以遵循?
1 个解决方案
解决方案1
2 2022-04-15 20:15:35
ModSecurity Core Rule Set Developer on Duty here.在这里值班的 ModSecurity 核心规则集开发人员。 First of all, ModSecurity rules are written in "SecLang", a domain-specific language used to express ModSecurity rules and logic.首先,ModSecurity 规则是用“SecLang”编写的,这是一种用于表达 ModSecurity 规则和逻辑的领域特定语言。 It is also possible to write Lua scripts to provide extremely custom behaviour, but in practice this is very rarely necessary.也可以编写 Lua 脚本来提供极其自定义的行为,但实际上很少需要这样做。
If you want to start with a great set of ModSecurity WAF rules to protect web applications, take a look at the Core Rule Set (CRS), which can be found at coreruleset.org .如果您想从一组很棒的 ModSecurity WAF 规则开始保护 web 应用程序,请查看可在coreruleset.org上找到的核心规则集 (CRS)。 CRS is the de facto set of free and open-source WAF/ModSecurity rules, and it's used by some very big WAF vendors and service providers . CRS 是事实上的免费开源 WAF/ModSecurity 规则集, 一些非常大的 WAF 供应商和服务提供商都在使用它。
There are lots of great resources available to help get you started with Nginx + ModSecurity.有很多很棒的资源可以帮助您开始使用 Nginx + ModSecurity。 I'll run few some of them here:我将在这里运行其中的一些:
- Pre-made Docker images of Nginx + ModSecurity, as well as Apache + ModSecurity ( https://github.com/coreruleset/modsecurity-docker ) Nginx + ModSecurity 的预制 Docker 图像,以及 Apache + ModSecurity ( https://github.com/coreruleset/modsecurity-docker )
- Pre-made Docker images of Nginx + ModSecurity + Core Rule Set (CRS), the de facto free and open-source WAF rule set ( https://github.com/coreruleset/modsecurity-crs-docker ) Nginx 的预制 Docker 图像 + ModSecurity + 核心规则集 (CRS),事实上的免费开源 WAF 规则集 ( https://github.com/coreruleset/modsecurity-crs-docker )
- Christian Folini's tutorial series over at.netnea on building your own Nginx + ModSecurity setup from scratch ( https://www.netnea.com/cms/nginx-modsecurity-tutorials/ ) Christian Folini 在 at.netnea 上关于构建您自己的教程系列 Nginx + 从头开始设置 ModSecurity ( https://www.netnea.com/cms/nginx-modsecurity-tutorials/ )
- The ModSecurity (v3) Reference Manual ( https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual-%28v3.x%29 ) ModSecurity (v3) 参考手册 ( https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual-%28v3.x%29 )
- The ModSecurity Handbook from Feisty Duck, which is worth every penny if you're going to be using ModSecurity for real world applications ( https://www.feistyduck.com/books/modsecurity-handbook/ )来自 Feisty Duck 的 ModSecurity 手册,如果您打算将 ModSecurity 用于现实世界的应用程序,那么它物有所值 ( https://www.feistyduck.com/books/modsecurity-handbook/ )
- The official Core Rule Set documentation, for CRS-specific information ( https://coreruleset.org/docs/ )官方核心规则集文档,用于特定于 CRS 的信息 ( https://coreruleset.org/docs/ )
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.