一、问题描述
某次安全扫描通过Dirsearch工具发现,nginx代理访问某后端业务时,发现:Springboot未授权漏洞,存在信息泄露风险,危险等级:中危;
相关资源:openresty官网、/lua-nginx-module模块地址、Nginx lua模块说明、lua-nignx与Nginx兼容性
二、处理过程
1)经分析,只需要再nginx代理侧增加鉴权控制接口,无需修改代码;这里我们通过该Nginx+Lua模块来实现基于lua规则的自定义访问控制和鉴权逻辑。
2)安装 lua-nginx-module模块
ngx_lua_module 是一个nginx http模块,它把 lua 解析器内嵌到 nginx,是异步非阻塞的方式,运行时占用内存特别少,它可解析并执行lua 语言编写的网页后台脚本;它依赖LuaJIT,因此我们需要首先安装LuaJIT,对于LuaJIT,强烈推荐使用OpenResty发行版,LuaJIT 2.0 or 2.1,它自集成了 integrate Nginx, ngx_lua,有更好的兼容性,否则后期会报兼容性错误;OpenResty包括它自己的LuaJIT版本,该版本专门针对OpenResty环境进行了优化和增强。OpenResty,它是一个基于Nginx的可扩展平台,集成了Lua和其他一些常用的模块。安装完成后,可以使用Lua编写Nginx配置文件中的各种指令和处理逻辑。兼容性:
wget https://openresty.org/download/openresty-1.25.3.1.tar.gz
tar xzf openresty-1.25.3.1.tar.gz
cd openresty-1.25.3.1
#安全相关,注释如下
cd ./bundle/nginx-1.21.4
# - 1.隐藏版本
vim src/core/nginx.h
#define NGINX_VERSION "6666"
#define NGINX_VER "FW/" NGINX_VERSION ".6"
#define NGINX_VAR "FW"
# - 2.修改头部
vim src/http/ngx_http_header_filter_module.c
# 49 static u_char ngx_http_server_string[] = "Server: FW" CRLF;
# - 3.修改错误页响应头部(response header)
vim src/http/ngx_http_special_response.c
# 22 "<hr><center>FW</center>" CRLF
# ...
# 29 "<hr><center>FW</center>" CRLF
# ...
# 36 "<hr><center>FW</center>" CRLF
#如果不需要可跳过
./configure -j4
make all test
gmake -j4
sudo gmake install
#下载 ngx_devel_kit (NDK) module
wget https://github.com/vision5/ngx_devel_kit/archive/refs/tags/v0.3.3.tar.gz
#下载lua-nginx-module
wget https://github.com/openresty/lua-nginx-module/archive/refs/tags/v0.10.26.tar.gz
#接口授权认证相关依赖安装(可选)
#下载lua-cjson库
wget https://www.kyne.com.au/~mark/software/download/lua-cjson-2.1.0.tar.gz
tar xf lua-cjson-2.1.0.tar.gz
cd /lua-cjson-2.1.0
#修改/root/lua-cjson-2.1.0/Makefile文件
PREFIX = /usr/local/LuaJIT
LUA_INCLUDE_DIR = $(PREFIX)/include/luajit-2.0 (安装luajit的路径)
LUA_CMODULE_DIR = $(PREFIX)/lib/lua/$(LUA_VERSION)
LUA_MODULE_DIR = $(PREFIX)/share/lua/$(LUA_VERSION)
LUA_BIN_DIR = $(PREFIX)/bin
#安装
make && make install
#Nginx添加以上模块
./configure --prefix=/usr/local/nginx \
--with-ld-opt="-Wl,-rpath,/usr/local/LuaJIT/luajit-or-lua/lib" \
--add-module=/path/to/ngx_devel_kit \
--add-module=/path/to/lua-nginx-module
make -j2
cd objs #替换Nginx即可
如果不用OpenResty的版本会报如下错误:
nginx: [alert] detected a LuaJIT version which is not OpenResty's; many optimizations will be disabled and performance will be compromised (see https://github.com/openresty/luajit2 for OpenResty's LuaJIT or, even better, consider using the OpenResty releases from https://openresty.org/en/download.html)
nginx: [alert] failed to load the 'resty.core' module (https://github.com/openresty/lua-resty-core); ensure you are using an OpenResty release from https://openresty.org/en/download.html (reason: module 'resty.core' not found:
no field package.preload['resty.core']
no file './resty/core.lua'
no file '/usr/local/share/luajit-2.0.5/resty/core.lua'
no file '/usr/local/share/lua/5.1/resty/core.lua'
no file '/usr/local/share/lua/5.1/resty/core/init.lua'
no file './resty/core.so'
no file '/usr/local/lib/lua/5.1/resty/core.so'
no file '/usr/local/lib/lua/5.1/loadall.so'
no file './resty.so'
no file '/usr/local/lib/lua/5.1/resty.so'
no file '/usr/local/lib/lua/5.1/loadall.so') in /usr/local/nginx/conf/nginx.conf:218
卸载从github上安装的luajit:
make uninstall
==== Uninstalling LuaJIT 2.1. from /usr/local ====
rm -f /usr/local/bin/luajit-2.1. /usr/local/lib/libluajit-5.1.a /usr/local/lib/libluajit-5.1.so.2.1. /usr/local/lib/libluajit-5.1.so /usr/local/lib/libluajit-5.1.so.2 /usr/local/share/man/man1/luajit.1 /usr/local/lib/pkgconfig/luajit.pc
for file in bc.lua bcsave.lua dump.lua p.lua v.lua zone.lua dis_x86.lua dis_x64.lua dis_arm.lua dis_arm64.lua dis_arm64be.lua dis_ppc.lua dis_mips.lua dis_mipsel.lua dis_mips64.lua dis_mips64el.lua dis_mips64r6.lua dis_mips64r6el.lua vmdef.lua; do \
rm -f /usr/local/share/luajit-2.1/jit/$file; \
done
for file in lua.h lualib.h lauxlib.h luaconf.h lua.hpp luajit.h; do \
rm -f /usr/local/include/luajit-2.1/$file; \
done
ldconfig -n 2>/dev/null /usr/local/lib
rmdir 2>/dev/null /usr/local/share/luajit-2.1/jit /usr/local/share/luajit-2.1 /usr/local/include/luajit-2.1 /usr/local/share/lua/5.1 /usr/local/share/lua /usr/local/lib/lua/5.1 /usr/local/lib/lua || :
==== Successfully uninstalled LuaJIT 2.1. from /usr/local ====
#重新安装
wget https://github.com/openresty/luajit2/archive/refs/tags/v2.0.4.zip
unzip luajit2-2.0.4.zip
/data1/mysoftware/luajit2-2.0.4
#安装
make install PREFIX=/usr/local/LuaJIT
……
LINK luajit
OK Successfully built LuaJIT
make[1]: Leaving directory '/data1/mysoftware/luajit2-2.0.4/src'
==== Successfully built LuaJIT 2.0.4 ====
==== Installing LuaJIT 2.0.4 to /usr/local/LuaJIT ====
mkdir -p /usr/local/LuaJIT/bin /usr/local/LuaJIT/lib /usr/local/LuaJIT/include/luajit-2.0 /usr/local/LuaJIT/share/man/man1 /usr/local/LuaJIT/lib/pkgconfig /usr/local/LuaJIT/share/luajit-2.0.4/jit /usr/local/LuaJIT/share/lua/5.1 /usr/local/LuaJIT/lib/lua/5.1
cd src && install -m 0755 luajit /usr/local/LuaJIT/bin/luajit-2.0.4
cd src && test -f libluajit.a && install -m 0644 libluajit.a /usr/local/LuaJIT/lib/libluajit-5.1.a || :
rm -f /usr/local/LuaJIT/bin/luajit /usr/local/LuaJIT/lib/libluajit-5.1.so.2.0.4 /usr/local/LuaJIT/lib/libluajit-5.1.so /usr/local/LuaJIT/lib/libluajit-5.1.so
cd src && test -f libluajit.so && \
install -m 0755 libluajit.so /usr/local/LuaJIT/lib/libluajit-5.1.so.2.0.4 && \
ldconfig -n /usr/local/LuaJIT/lib && \
ln -sf libluajit-5.1.so.2.0.4 /usr/local/LuaJIT/lib/libluajit-5.1.so && \
ln -sf libluajit-5.1.so.2.0.4 /usr/local/LuaJIT/lib/libluajit-5.1.so || :
cd etc && install -m 0644 luajit.1 /usr/local/LuaJIT/share/man/man1
cd etc && sed -e "s|^prefix=.*|prefix=/usr/local/LuaJIT|" -e "s|^multilib=.*|multilib=lib|" luajit.pc > luajit.pc.tmp && \
install -m 0644 luajit.pc.tmp /usr/local/LuaJIT/lib/pkgconfig/luajit.pc && \
rm -f luajit.pc.tmp
cd src && install -m 0644 lua.h lualib.h lauxlib.h luaconf.h lua.hpp luajit.h /usr/local/LuaJIT/include/luajit-2.0
cd src/jit && install -m 0644 bc.lua v.lua dump.lua dis_x86.lua dis_x64.lua dis_arm.lua dis_ppc.lua dis_mips.lua dis_mipsel.lua bcsave.lua vmdef.lua /usr/local/LuaJIT/share/luajit-2.0.4/jit
ln -sf luajit-2.0.4 /usr/local/LuaJIT/bin/luajit
==== Successfully installed LuaJIT 2.0.4 to /usr/local/LuaJIT ====
#编译安装
gmake[2]: Leaving directory '/data1/mysoftware/openresty-1.25.3.1/build/nginx-1.25.3'
gmake[1]: Leaving directory '/data1/mysoftware/openresty-1.25.3.1/build/nginx-1.25.3'
mkdir -p /usr/local/openresty/site/lualib /usr/local/openresty/site/pod /usr/local/openresty/site/manifest
ln -sf /usr/local/openresty/nginx/sbin/nginx /usr/local/openresty/bin/openresty
#配置环境变量
vi /etc/profile
export LUAJIT_LIB=/usr/local/openresty/luajit/lib
export LUAJIT_INC=/usr/local/openresty/luajit/include/luajit-2.1
export LD_LIBRARY_PATH=$LUAJIT_LIBB:$LD_LIBRARY_PATH
vi /etc/ld.so.conf.d/libc.conf
/usr/local/openresty/luajit/lib
/usr/local/openresty/luajit/include/luajit-2.1
#验证
lua -v #输出
Lua 5.4.3 Copyright (C) 1994-2021 Lua.org, PUC-Rio
重新编译Nginx后启动依然报错:
nginx: [alert] failed to load the 'resty.core' module (https://github.com/openresty/lua-resty-core); ensure you are using an OpenResty release from https://openresty.org/en/download.html (reason: module 'resty.core' not found:
no field package.preload['resty.core']
no file './resty/core.lua'
no file '/usr/local/openresty/luajit/share/luajit-2.1/resty/core.lua'
no file '/usr/local/share/lua/5.1/resty/core.lua'
no file '/usr/local/share/lua/5.1/resty/core/init.lua'
no file '/usr/local/openresty/luajit/share/lua/5.1/resty/core.lua'
no file '/usr/local/openresty/luajit/share/lua/5.1/resty/core/init.lua'
no file './resty/core.so'
no file '/usr/local/lib/lua/5.1/resty/core.so'
no file '/usr/local/openresty/luajit/lib/lua/5.1/resty/core.so'
no file '/usr/local/lib/lua/5.1/loadall.so'
no file './resty.so'
no file '/usr/local/lib/lua/5.1/resty.so'
no file '/usr/local/openresty/luajit/lib/lua/5.1/resty.so'
no file '/usr/local/lib/lua/5.1/loadall.so') in /usr/local/nginx/conf/nginx.conf:217
#查找文件core.lua
find / -name core.lua
ln -s /usr/local/openresty/lualib/resty /usr/local/nginx/sbin/ #然后再启动就好了
#验证
ldconfig -v|grep libluajit-
……
ldconfig: Cannot stat /usr/lib64/libebtc.so: No such file or directory
libluajit-5.1.so.2 -> libluajit-5.1.so.2.1.ROLLING
nginx -V
nginx version: nginx/1.20.2
built by gcc 10.3.1 (GCC)
built with OpenSSL 1.1.1m 14 Dec 2021
TLS SNI support enabled
configure arguments: --user=nginx --group=nginx --with-http_ssl_module --with-http_gzip_static_module --with-http_realip_module --with-http_stub_status_module --with-http_flv_module --with-http_mp4_module --with-http_sub_module --with-http_v2_module --with-http_slice_module --with-pcre-jit --with-pcre --with-http_dav_module --with-http_addition_module --with-stream --with-stream_ssl_module --with-stream_realip_module --add-module=/data1/mysoftware/lua-nginx-module-0.10.26 --add-module=/data1/mysoftware/ngx_devel_kit-0.3.3
#验证示例
#Nginx.conf新增如下,然后测试http://ip//hello_lua会出现”hello, lua”表示安装成功
location /hello_lua {
default_type 'text/plain';
content_by_lua 'ngx.say("hello, lua")';
}
3)配置Nginx lua:
三、附录
1)Nginx打补丁
yum install git -y
cd /appdata/nginx
git clone https://github.com/yzprofile/ngx_http_dyups_module.git
git clone https://github.com/yaoweibin/nginx_upstream_check_module.git
git clone https://github.com/vozlt/nginx-module-vts.git
yum install patch -y
yum install gd gd-devel -y
# nginx_upstream_check_module 补丁
cd /appdata/nginx/openresty-1.21.4.1/bundle/nginx-1.21.4
patch -p1 < /appdata/nginx/nginx_upstream_check_module/check_1.20.1+.patch
#重新编译
./configure --prefix=/appdata/nginx/nginx-1.21.4 \
--with-luajit \
--with-pcre \
--with-pcre-jit \
--with-http_realip_module \
--with-http_v2_module \
--with-http_image_filter_module \
--with-http_iconv_module \
--with-stream_realip_module \
--with-stream \
--with-stream_ssl_module \
--with-http_slice_module \
--with-http_sub_module \
--with-http_stub_status_module \
--with-http_gzip_static_module \
--add-module=../nginx-module-vts \
--add-module=../ngx_log_if-master \
--add-module=../ngx_http_dyups_module \
--add-module=../nginx_upstream_check_module \
--without-http_autoindex_module
![绘图软件 excalidraw 部署流程 [ Ubuntu 22.4已验证 ]](https://img-blog.csdnimg.cn/direct/847225c4a43742c9a02e1cd82ca833fa.png)
