這篇博文是根據回憶所寫,可能存在謬誤,歡迎大家指正。

系統簡介

這套系統是一套高可靠性 WAF 平臺,讓 haproxy, Naxsi(Nginx 模塊) 和 fail2ban 協同工作來保護網路服務,對注入、XSS、CC、DDoS等攻擊方式有一定效果。

系統結構

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
  訪客
|
\|/
1.2.3.4
====== ======
|ft_waf| ---> | |
|------| |bk_waf|
|ft_web| <--- | |
====== ======
10.0.0.1 10.0.0.2
|
\|/
======
|bk_web|
======
10.0.0.3

ft_ 前綴系 HAProxy frontends
bk_ 前綴系 HAProxy backends

具體設定

Nginx 和 Naxsi

Nginx 和 Naxsi 安裝在 bk_waf 上。
nginx.conf 啓用 Naxsi,修改 Nginx 默認站點文件如下:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
server {
proxy_set_header Proxy-Connection "";
listen 10.0.0.2:80;

set_real_ip_from 10.0.0.1;
real_ip_header X-Client-IP;

access_log /var/log/nginx/naxsi_access.log;
error_log /var/log/nginx/naxsi_error.log debug;

location / {
include /etc/nginx/test.rules;
proxy_pass http://10.0.0.1:81/;
}

error_page 403 /403.html;
location = /403.html {
root /opt/nginx/html;
internal;
}

location /RequestDenied {
return 403;
}
}

HAProxy

參考設定:

  • DDoS 防禦
  • bk_waf 分析攻擊行爲並由 ft_waf 阻擋
  • bk_waf 不可用時自動跳過 WAF
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
defaults
option http-server-close
option dontlognull
option redispatch
option contstats
retries 3
timeout connect 5s
timeout http-keep-alive 1s
# Slowloris protection
timeout http-request 15s
timeout queue 30s
timeout tarpit 1m # tarpit hold tim
backlog 10000

bind 1.2.3.4:80 name http
mode http
log global
option httplog
timeout client 25s
maxconn 10000

# DDOS protection
# Use General Purpose Couter (gpc) 0 in SC1 as a global abuse counter
# Monitors the number of request sent by an IP over a period of 10 seconds
stick-table type ip size 1m expire 1m store gpc0,http_req_rate(10s),http_err_rate(10s)
tcp-request connection track-sc1 src
tcp-request connection reject if { sc1_get_gpc0 gt 0 }
# Abuser means more than 100reqs/10s
acl abuse sc1_http_req_rate(ft_web) ge 100
acl flag_abuser sc1_inc_gpc0(ft_web)
tcp-request content reject if abuse flag_abuser

acl static path_beg /static/ /dokuwiki/images/
acl no_waf nbsrv(bk_waf) eq 0
acl waf_max_capacity queue(bk_waf) ge 1
# bypass WAF farm if no WAF available
use_backend bk_web if no_waf
# bypass WAF farm if it reaches its capacity
use_backend bk_web if static waf_max_capacity
default_backend bk_waf

# WAF farm where users' traffic is routed first
backend bk_waf
balance roundrobin
mode http
log global
option httplog
option forwardfor header X-Client-IP
option httpchk HEAD /waf_health_check HTTP/1.0

# If the source IP generated 10 or more http request over the defined period,
# flag the IP as abuser on the frontend
acl abuse sc1_http_err_rate(ft_waf) ge 10
acl flag_abuser sc1_inc_gpc0(ft_waf)
tcp-request content reject if abuse flag_abuser

# Specific WAF checking: a DENY means everything is OK
http-check expect status 403
timeout server 25s
default-server inter 3s rise 2 fall 3
server waf1 10.0.0.2:80 maxconn 100 weight 10 check

# Traffic secured by the WAF arrives here
frontend ft_web
bind 10.0.0.1:81 name http
mode http
log global
option httplog
timeout client 25s
maxconn 1000
# route health check requests to a specific backend to avoid graph pollution in ALOHA GUI
use_backend bk_waf_health_check if { path /waf_health_check }
default_backend bk_web

# application server farm
backend bk_web
balance roundrobin
mode http
log global
option httplog
option forwardfor
cookie SERVERID insert indirect nocache
default-server inter 3s rise 2 fall 3
option httpchk HEAD /
# get connected on the application server using the user ip
# provided in the X-Client-IP header setup by ft_waf frontend
source 0.0.0.0 usesrc hdr_ip(X-Client-IP)
timeout server 25s
server server1 10.0.0.3:80 maxconn 100 weight 10 cookie server1 check

# backend dedicated to WAF checking (to avoid graph pollution)
backend bk_waf_health_check
balance roundrobin
mode http
log global
option httplog
option forwardfor
default-server inter 3s rise 2 fall 3
timeout server 25s
server server1 10.0.0.3:80 maxconn 100 weight 10 check

Fail2ban

bk_waf

創建 /etc/fail2ban/filter.d/nginx-naxsi.conf

1
2
3
4
5
6
[INCLUDES]
before = common.conf

[Definition]
failregex = NAXSI_FMT: ip=.*
ignoreregex =

/etc/fail2ban/jail.conf 添加:

1
2
3
4
5
6
7
[nginx-naxsi]

enabled = true
port = http,https
filter = nginx-naxsi
logpath = /var/log/nginx/naxsi_error.log
maxretry = 6

參考資料

http://blog.haproxy.com/2012/10/16/high-performance-waf-platform-with-naxsi-and-haproxy/

Creative Commons License
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.