Zhangsan 2015/04/30 8:00

0x00 Preface


The previous article, "WAF development practices based on the ngx_lua module" (http://drops.wooyun.org/tips/5136), proposed three directions for follow-up research. One of them was separating the WAF for multiple sites, and this article shares the results of that research.

0x01 Fault Analysis


The original idea was to configure multiple sites (server blocks) directly in Nginx and then load a copy of the WAF code into each site.

The flow chart is as follows:

With this layout the Nginx configuration becomes messy once there are many sites, and a multi-site Nginx configuration is also prone to errors. To illustrate, I borrow a comparison table from Security Treasure (Anquanbao).

Of course, in practice the WAF is rarely deployed in front of that many sites; the table is only an illustration. The problems described above do exist, however.

0x02 Requirement Analysis


Requirement 1: Nginx listens on only one server block, yet is able to forward requests for every site.

Requirement 2: Each site can be controlled independently, including the WAF on/off switch, the logging switch, and which rules are applied.

0x03 Requirement Implementation


For requirement 1, the flow chart is as follows:

nginx.conf

waf.lua key code:

Access process analysis:

When a user accesses the WAF server, the Lua code first reads the Host header of the request, looks up the corresponding upstream in the URL configuration, and sets the pre-defined Nginx variable $upstream so that proxy_pass forwards the request to the correct backend.

Later, the site information can also be stored in a database and loaded into memory on first access, achieving dynamic loading.

For requirement 2:

The URL configuration code is as follows:

The rule configuration code is as follows:

In this way each site gets its own rule set, and the URL configuration records which rule set a site uses.

In the URL configuration, you can specify for each site whether the WAF is enabled, whether requests are logged, and which rule set applies.

In the rule configuration, you can specify for each rule whether a match is permitted or blocked and whether it is logged.
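The following is an added example, not the article's own code, that shows how the two configurations above can be combined in one access-phase script: the Host header selects the upstream (requirement 1) and the site's own WAF, logging and rule-set settings decide how the request is inspected (requirement 2). The host names, upstream names and the rule patterns are constructed sample values, and the example assumes nginx.conf declares `set $upstream "";` and `proxy_pass http://$upstream;` in the single server block.

```lua
-- Added example (not from the article). Runs in access_by_lua_file.
-- Assumes nginx.conf declares `set $upstream "";` before proxy_pass.

-- URL configuration: one entry per site, keyed by the Host header
local sites = {
    ["www.example.com"]  = { upstream = "site_a", waf = true,  log = true,  rules = "strict"  },
    ["blog.example.com"] = { upstream = "site_b", waf = false, log = false, rules = "default" },
}

-- Rule configuration: named rule sets; each rule records whether a
-- match is blocked or only permitted, and whether it is logged.
-- Patterns are Lua patterns matched against the request URI.
local rule_sets = {
    strict = {
        { name = "path_traversal", pattern = "%.%./",                  action = "block", log = true },
        { name = "sqli_union",     pattern = "[Uu][Nn][Ii][Oo][Nn]%s+[Ss][Ee][Ll]", action = "block", log = true },
    },
    default = {
        { name = "path_traversal", pattern = "%.%./", action = "allow", log = true },
    },
}

-- Returns the site entry for a Host header, or nil for an unknown host
local function lookup_site(host)
    if not host then return nil end
    host = host:lower():gsub(":%d+$", "")   -- ignore an explicit port
    return sites[host]
end

-- Returns "pass" or "block" and the name of the rule that decided it
local function inspect(site, uri)
    if not site.waf then return "pass", nil end  -- per-site WAF switch
    for _, rule in ipairs(rule_sets[site.rules] or {}) do
        if uri:find(rule.pattern) then
            if rule.log and site.log then       -- per-rule and per-site log switches
                ngx.log(ngx.WARN, "waf rule ", rule.name, " matched ", uri)
            end
            if rule.action == "block" then return "block", rule.name end
        end
    end
    return "pass", nil
end

local site = lookup_site(ngx.var.host)
if not site then return ngx.exit(ngx.HTTP_NOT_FOUND) end  -- host not configured
ngx.var.upstream = site.upstream                          -- requirement 1: choose backend
if inspect(site, ngx.var.request_uri) == "block" then    -- requirement 2: per-site rules
    return ngx.exit(ngx.HTTP_FORBIDDEN)
end
```

Since `$upstream` holds the name of an `upstream {}` block rather than a literal address, Nginx resolves it without needing a `resolver` directive; editing the `sites` table still requires a reload until the configuration is moved to a database as the article proposes.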

0x04 Follow-up Problem To be Solved


  • This approach works well for separating sites, but it still relies on an upstream block in Nginx for each site. Consider configuring the upstreams directly in the Lua code later.

  • With many sites, it is best to store the site information in a database and load it dynamically.

  • Because Nginx must be reloaded after every configuration change, a control page for dynamic management should be written later, covering enabling and disabling rules, displaying the WAF's state, and processing and displaying logs.

0x05 Summary


This article only offers one way of thinking about the problem. It is not entirely my own idea; it draws on various references. The important point is that in today's high-traffic, high-concurrency network environments many companies, including ours, have this need, so I am sharing it in the hope of exchanging ideas and learning from more people.