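# Dockerfile: builds an OpenResty image with the ngx_cache_purge module
# compiled in and the ngx_lua_waf rule set installed under nginx/conf/waf.
FROM 192.168.1.67/library/centos7.4:v1
LABEL maintainer="xiayun <xiay@baomihua.com>"

# Install the toolchain and headers needed to compile OpenResty.
RUN yum install -y pcre-devel wget net-tools gcc zlib zlib-devel make openssl-devel unzip python-devel \
    && yum clean all

# Download the source archives into the current WORKDIR (the absolute paths
# used further down assume this is /).
# NOTE(review): ngx_cache_purge is fetched over plain HTTP and none of the
# three archives is checked against a known digest before being compiled into
# the image. Verify a pinned SHA-256 for each file, or build from vetted copies
# kept in an internal mirror.
ADD https://openresty.org/download/openresty-1.11.2.5.tar.gz .
ADD http://labs.frickle.com/files/ngx_cache_purge-2.3.tar.gz .
# NOTE(review): archive/master.zip follows a moving branch, so two builds of
# this file can ship different WAF code. Pin a commit or tag archive instead.
ADD https://github.com/loveshell/ngx_lua_waf/archive/master.zip .

# Unpack the three archives.
RUN tar zxvf ngx_cache_purge-2.3.tar.gz \
    && tar -zxvf openresty-1.11.2.5.tar.gz \
    && unzip master.zip

# Configure, build and install OpenResty with the cache-purge module.
RUN cd openresty-1.11.2.5 \
    && ./configure --prefix=/usr/local/openresty \
        --with-luajit \
        --with-http_stub_status_module \
        --with-pcre \
        --with-pcre-jit \
        --add-module=../ngx_cache_purge-2.3/ \
    && gmake \
    && gmake install

# Install the WAF files, create the attack-log directory, and move the stock
# nginx.conf and WAF config.lua aside so the local copies can replace them.
RUN mkdir -p /usr/local/openresty/nginx/conf/waf/ /usr/local/openresty/nginx/logs/hack/ \
    && cp -r /ngx_lua_waf-master/* /usr/local/openresty/nginx/conf/waf/ \
    && mv /usr/local/openresty/nginx/conf/nginx.conf /usr/local/openresty/nginx/conf/nginx.conf.bak \
    && mv /usr/local/openresty/nginx/conf/waf/config.lua /usr/local/openresty/nginx/conf/waf/config.bak
COPY .nginx_conf /usr/local/openresty/nginx/conf/nginx.conf
COPY config.lua /usr/local/openresty/nginx/conf/waf/config.lua

# Create the unprivileged account named by the `user` directive in nginx.conf.
RUN useradd -s /sbin/nologin nginx

# Hand the install tree to that account (user:group form; the dotted
# user.group spelling is deprecated).
# NOTE(review): this makes the nginx binary, nginx.conf and the WAF rules
# writable by the same account the worker processes run as. Consider limiting
# nginx ownership to the directories the workers must write (logs/hack at
# least) -- confirm which paths actually need it before narrowing.
RUN chown -R nginx:nginx /usr/local/openresty/ \
    && chown -R nginx:nginx /ngx_cache_purge-2.3

# HTTP listener.
EXPOSE 80

# Run nginx in the foreground. Exec form makes nginx PID 1, so it receives the
# stop signal directly instead of through an intermediate /bin/sh.
CMD ["/usr/local/openresty/nginx/sbin/nginx", "-g", "daemon off;"]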
|
附1:.nginx_conf 与Dockerfile在同一路径
# nginx.conf for the OpenResty + ngx_lua_waf image.

# Worker processes run as the unprivileged nginx account.
user nginx nginx;
worker_processes 2;

error_log /usr/local/openresty/nginx/logs/nginx_error.log error;
pid /usr/local/openresty/nginx/nginx.pid;

# Per-worker open-file limit; kept in step with worker_connections below.
worker_rlimit_nofile 65535;

events {
    use epoll;
    worker_connections 65535;
}

http {
    # --- WAF wiring -------------------------------------------------------
    # The Lua search path points at the WAF directory. init.lua is loaded once
    # at startup and waf.lua runs in the access phase; because both are set at
    # http level they apply to every server block below.
    lua_package_path "/usr/local/openresty/nginx/conf/waf/?.lua";
    # Shared-memory zone named "limit" (10 MB).
    # NOTE(review): presumably used by the WAF's CC rate limiting -- confirm in init.lua.
    lua_shared_dict limit 10m;
    init_by_lua_file /usr/local/openresty/nginx/conf/waf/init.lua;
    access_by_lua_file /usr/local/openresty/nginx/conf/waf/waf.lua;

    # --- MIME and response basics ------------------------------------------
    include mime.types;
    default_type application/octet-stream;
    charset utf-8;
    # Do not advertise the nginx version in headers and error pages.
    server_tokens off;

    # --- Log formats ---------------------------------------------------------
    log_format main '$host $status [$time_local] $upstream_addr $remote_addr - $remote_user [$time_local] $request_uri '
                    '"$http_referer" "$http_user_agent" "$http_x_forwarded_for" '
                    '$bytes_sent $request_time $sent_http_x_cache_hit "$upstream_cache_status"';
    log_format log404 '$status [$time_local] $remote_addr $host$request_uri $sent_http_location';

    # --- Request buffers and limits ------------------------------------------
    server_names_hash_bucket_size 128;
    client_header_buffer_size 32k;
    large_client_header_buffers 4 32k;
    client_max_body_size 300m;

    # --- Transport tuning ------------------------------------------------------
    sendfile on;
    fastcgi_intercept_errors on;
    tcp_nopush on;
    keepalive_timeout 20;
    tcp_nodelay on;
    client_body_timeout 10;
    client_body_buffer_size 512k;

    # --- Compression -------------------------------------------------------------
    gzip on;
    gzip_min_length 1k;
    gzip_buffers 4 16k;
    gzip_http_version 1.1;
    gzip_comp_level 2;
    gzip_types text/plain application/x-javascript text/css application/xml;
    gzip_vary on;

    send_timeout 60;

    # --- Open file descriptor cache ------------------------------------------
    open_file_cache max=200000 inactive=20s;
    open_file_cache_valid 30s;
    open_file_cache_min_uses 2;
    open_file_cache_errors on;

    # --- Server-side includes --------------------------------------------------
    ssi on;
    ssi_silent_errors on;
    ssi_types text/shtml;

    server {
        listen 80;
        server_name localhost;
        index index.html index.htm index.shtml index.php;
        root /usr/local/openresty/nginx/html;

        # Answer 403 to the listed crawler User-Agents (case-insensitive match).
        if ($http_user_agent ~* "Baiduspider-render|qihoobot|Baiduspider|Googlebot|Googlebot-Mobile|Googlebot-Image|Mediapartners-Google|Adsbot-Google|Feedfetcher-Google|Yahoo! Slurp|Yahoo! Slurp China|YoudaoBot|Sosospider|Sogou spider|Sogou web spider|MSNBot|ia_archiver|Tomato Bot")
        {
            return 403;
        }

        # Hand *.php requests to PHP-FPM over a unix socket.
        # NOTE(review): SCRIPT_FILENAME is built from /usr/local/nginx/html,
        # which differs from the server root above
        # (/usr/local/openresty/nginx/html) -- confirm which path PHP-FPM
        # really serves from.
        # NOTE(review): nothing here checks that the requested .php file
        # exists before the request is forwarded; if PHP-FPM shares this
        # document root, `try_files $uri =404;` is the usual guard.
        location ~ \.php$ {
            include fastcgi_params;
            fastcgi_pass unix:/tmp/php-fcgi.sock;
            fastcgi_index index.php;
            fastcgi_param SCRIPT_FILENAME /usr/local/nginx/html$fastcgi_script_name;
        }
    }
}
附2:config.lua与Dockerfile同一路径
-- ngx_lua_waf settings. The file only assigns globals; the WAF scripts loaded
-- by nginx (init.lua / waf.lua) are expected to read them.

-- Directory holding the rule files.
RulePath = "/usr/local/openresty/nginx/conf/waf/wafconf/"

-- Attack logging is on; logdir must be writable by the nginx worker account
-- (the Dockerfile creates this directory and chowns it to nginx).
attacklog = "on"
logdir = "/usr/local/openresty/nginx/logs/hack/"

-- Feature switches.
-- NOTE(review): every inspection switch below is "off", so going by the option
-- names URL, cookie and POST-body matching and CC (request-rate) denial are
-- all disabled in this deployment. Confirm against init.lua exactly which
-- checks still run, and enable the ones the site needs.
UrlDeny = "off"
Redirect = "off"
CookieMatch = "off"
postMatch = "off"
whiteModule = "off"

-- File extensions on the deny list.
-- NOTE(review): presumably applied to uploaded file names -- verify in init.lua.
black_fileExt = { "php", "jsp" }

-- Client addresses on the allow list / block list.
-- NOTE(review): allow-listed addresses presumably skip the WAF checks; keep
-- this list as short as possible and confirm 192.168.20.25 is still needed.
ipWhitelist = { "127.0.0.1", "192.168.20.25" }
ipBlocklist = {}

-- CC protection switch and its rate setting.
-- NOTE(review): looks like "requests/seconds" -- confirm how init.lua parses it.
CCDeny = "off"
CCrate = "100/60"

-- Block page body kept by the WAF for rejected requests (page text is in
-- Chinese: "website firewall -- your request carried illegal parameters and
-- was blocked by the site administrator").
html = [[
<html xmlns="http://www.w3.org/1999/xhtml"><head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<title>网站防火墙</title>
<style>
p { line-height:20px;
}
ul{ list-style-type:none;}
li{ list-style-type:none;}
</style>
</head>
<body style=" padding:0; margin:0; font:14px/1.5 Microsoft Yahei, 宋体,sans-serif; color:#555;">
<div style="margin: 0 auto; width:1000px; padding-top:70px; overflow:hidden;">
<div style="width:600px; float:left;">
<div style=" height:40px; line-height:40px; color:#fff; font-size:16px; overflow:hidden; background:#6bb3f6; padding-left:20px;">网站防火墙 </div>
<div style="border:1px dashed #cdcece; border-top:none; font-size:14px; background:#fff; color:#555; line-height:24px; height:220px; padding:20px 20px 0 20px; overflow-y:auto;background:#f3f7f9;">
<p style=" margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px;"><span style=" font-weight:600; color:#fc4f03;">您的请求带有不合法参数,已被网站管理员设置拦截!</span></p>
<p style=" margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px;">可能原因:您提交的内容包含危险的攻击请求</p>
<p style=" margin-top:12px; margin-bottom:12px; margin-left:0px; margin-right:0px; -qt-block-indent:1; text-indent:0px;">如何解决:</p>
<ul style="margin-top: 0px; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; -qt-list-indent: 1;"><li style=" margin-top:12px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px;">1)检查提交内容;</li>
<li style=" margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px;">2)如网站托管,请联系空间提供商;</li>
<li style=" margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px;">3)普通网站访客,请联系网站管理员;</li></ul>
</div>
</div>
</div>
</body></html>
]]