原文地址:宝塔部署长亭 waf 防护本人的网站
雷池是长亭科技耗时近 10 年倾情打造的 WAF,外围检测能力由智能语义剖析算法驱动。
Slogan: 不让黑客越雷池半步。这里是官网地址:长亭雷池 WAF 社区版 (chaitin.cn)。
部署资源
零碎版本:Ubuntu Server 20.04 LTS 64bit
规格:CPU – 2 核 内存 – 2GB 系统盘 – SSD 云硬盘 40GB
部署形式
单机下部署:宝塔负责运维治理网站、长亭 WAF 负责防护外来攻打
部署开始
装置宝塔
自行部署
装置网站建设必要软件
我这里是动态站所以只须要装置 nginx
,docker
是后边 waf 装置须要动用到的所以也是必须装置。依据本人的网站环境须要装置即可。
批改默认端口
这里须要批改 nginx 默认监听端口 80(http)443(https)
找到 /www/server/panel/vhost/nginx/0.default.conf
文件批改如下:
server
{
listen 81;
server_name _;
index index.html;
root /www/server/nginx/html;
}
找到 /www/server/panel/vhost/nginx/phpfpm_status.conf
文件批改如下:
server {
listen 81;
server_name 127.0.0.1;
allow 127.0.0.1;
location /nginx_status {
stub_status on;
access_log off;
}
location /phpfpm_52_status {
fastcgi_pass unix:/tmp/php-cgi-52.sock;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $fastcgi_script_name;
}
location /phpfpm_53_status {
fastcgi_pass unix:/tmp/php-cgi-53.sock;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $fastcgi_script_name;
}
location /phpfpm_54_status {
fastcgi_pass unix:/tmp/php-cgi-54.sock;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $fastcgi_script_name;
}
location /phpfpm_55_status {
fastcgi_pass unix:/tmp/php-cgi-55.sock;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $fastcgi_script_name;
}
location /phpfpm_56_status {
fastcgi_pass unix:/tmp/php-cgi-56.sock;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $fastcgi_script_name;
}
location /phpfpm_70_status {
fastcgi_pass unix:/tmp/php-cgi-70.sock;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $fastcgi_script_name;
}
location /phpfpm_71_status {
fastcgi_pass unix:/tmp/php-cgi-71.sock;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $fastcgi_script_name;
}
location /phpfpm_72_status {
fastcgi_pass unix:/tmp/php-cgi-72.sock;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $fastcgi_script_name;
}
location /phpfpm_73_status {
fastcgi_pass unix:/tmp/php-cgi-73.sock;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $fastcgi_script_name;
}
location /phpfpm_74_status {
fastcgi_pass unix:/tmp/php-cgi-74.sock;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $fastcgi_script_name;
}
location /phpfpm_75_status {
fastcgi_pass unix:/tmp/php-cgi-75.sock;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $fastcgi_script_name;
}
location /phpfpm_80_status {
fastcgi_pass unix:/tmp/php-cgi-80.sock;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $fastcgi_script_name;
}
location /phpfpm_81_status {
fastcgi_pass unix:/tmp/php-cgi-81.sock;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $fastcgi_script_name;
}
location /phpfpm_82_status {
fastcgi_pass unix:/tmp/php-cgi-82.sock;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $fastcgi_script_name;
}
}
更改实现后须要到 nginx 面板去重载配置以及重启操作!以防万一这两项操作必须都进行!
新建网站
新建网站时,域名后边加除 80 的其余端口。这里我批改成 81
网站开启 ssl 后须要批改端口除 443 的其余端口。这里我批改成 8443
装置长亭 waf
官网提供了三种装置形式,这里我抉择在线装置,应用命令:
bash -c "$(curl -fsSLk https://waf-ce.chaitin.cn/release/latest/setup.sh)"
依据脚本提醒装置,实现后是这样的
浏览器关上后盾治理页面 https://<waf-ip>:9443
。依据界面提醒,应用 反对 TOTP 的认证软件或者小程序 扫描二维码,而后输出动静口令登录:
看到这个页面阐明 长亭 waf 装置胜利啦。
配置防护网站
配置 https
测试防护成果
- 确认网站能够失常拜访
- 尝试手动模仿攻打
- 模仿 SQL 注入,请拜访
http://<IP 或域名 >:< 端口 >/?id=1%20AND%201=1
- 模仿 XSS,请拜访
http://<IP 或域名 >:< 端口 >/?html=<script>alert(1)</script>
- 通过浏览器,你将会看到雷池曾经发现并阻断了攻打申请。
配置 cdn
咱们还能够增加 cdn 来减速本人的网站来达到暗藏源站的需要,减速的域名是防护网站的域名,回源端口默认的就好,这里揭示一下:倡议回源协定 ssl 懂的都懂。