CN109167792A - A novel WAF design method based on Nginx - Google Patents

A novel WAF design method based on Nginx

Info

Publication number
CN109167792A (application CN201811093835.0A)
Authority
CN (China)
Prior art keywords
waf
business
request
nginx
mirroring service
Legal status
Pending
Application number
CN201811093835.0A
Other languages
Chinese (zh)
Inventor
冯其
Current Assignee
Sichuan Changhong Electric Co Ltd
Original Assignee
Sichuan Changhong Electric Co Ltd
Priority date
2018-09-19
Filing date
2018-09-19
Publication date
2019-01-08

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227 Filtering policies
    • H04L63/0263 Rule management
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/552 Detecting local intrusion or implementing counter-measures involving long-term monitoring or reporting
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/10 Protocols in which an application is distributed across nodes in the network
    • H04L67/1095 Replication or mirroring of data, e.g. scheduling or transport for data synchronisation between network nodes

Abstract

The invention discloses a novel WAF design method based on Nginx, which includes: Step S100: configure a business origin and a mirror origin, the business origin serving the on-line business and the mirror origin mirroring the on-line business to form a mirror service, with the WAF deployed on the Nginx server in front of both the on-line business and the mirror service; Step S200: the WAF intercepts attacks using general rules and holds (blocks) requests that are hard to detect; Step S300: the WAF forwards the hard-to-detect request to the mirror service and, according to the response returned by the mirror service, detects and decides whether the hard-to-detect request is to be intercepted or released. The invention provides a novel WAF design method based on Nginx that can effectively reduce the false negatives and false positives of a traditional WAF and prevent a traditional WAF from being bypassed and from 0day attacks. User requests can be detected in real time, preventing various network attacks.

Description

A novel WAF design method based on Nginx
Technical field
The present invention relates to the field of information security technology, and specifically to a novel WAF design method based on Nginx.
Background art
With the continuous development of computer technology, web applications are used more and more widely. Nginx, a lightweight web server with high-performance HTTP processing and reverse-proxy capability, is widely used as the deployment platform for a WAF. A WAF is the security safeguard of a web application: it protects the application by executing a series of security policies on HTTP/HTTPS traffic. Early traditional WAFs were mostly based on rules and policies, detecting an attack by judging whether a request matched a rule. At present some WAFs also incorporate machine-learning algorithms, building models from large amounts of training data in order to filter abnormal requests out of a large volume of requests and intercept them. Because a traditional WAF writes its rules according to known attacks, these WAFs share some common shortcomings: false positives, false negatives, bypasses, and the inability to prevent 0day attacks.
Summary of the invention
The purpose of the present invention is to provide a novel WAF design method based on Nginx, in order to solve the problems of the prior art, in which a WAF specifies its rules according to known attacks and therefore suffers from false positives, false negatives and bypasses.
The present invention solves the above problems by the following technical solution:
A novel WAF design method based on Nginx, comprising:
Step S100: configure a business origin and a mirror origin. The business origin serves the on-line business; the mirror origin mirrors the on-line business to form a mirror service. The WAF is deployed on the Nginx server, in front of both the on-line business and the mirror service;
Step S200: the WAF intercepts attacks using general rules and holds (blocks) requests that are hard to detect;
Step S300: the WAF forwards the hard-to-detect request to the mirror service and, according to the response returned by the mirror service, detects and decides whether the hard-to-detect request is to be intercepted or released.
The original location uses the following configuration code:
The business origin is configured in the original location. When the mirror module needs to be added, it is only necessary to add the original configuration code to the existing business-origin configuration. When a URL is determined to be normal and matches the original location, Nginx handles the request by its normal flow, with no change whatsoever for the user or the business origin. Only when a request matches the original location does the background Nginx, instructed by the mirror directive, copy the request once to the specified mirror-service origin; the response returned by the mirror-service origin is ignored by Nginx, so with this deployment the mirror-service origin has no effect on the on-line business origin. When an uncertain request arrives, the request is temporarily held and then mirrored to the mirror service. When the mirror request reaches the mirror location, Nginx forwards it to the mirror service and, according to the mirror service's response, judges by means of special rules in Nginx whether the request is legitimate: if it is illegitimate it is intercepted directly; otherwise the hold on the user's request is released and the request is forwarded to the on-line business. Since the mirror service is a simulation of the on-line business, the similarity of the response characteristics is guaranteed, so it can be accurately judged whether the request is normal, and the detection process does not have a particularly large impact on the on-line business.
Further, step S300 specifically includes:
Step S310: Nginx mirrors the hard-to-detect request through its ngx_http_mirror_module module and forwards it to the mirror service;
Step S320: the mirror service responds to the hard-to-detect request and returns the response to the WAF; the response is identical to that of the on-line business;
Step S330: the WAF examines the response result of the mirror service. If an attack is detected, the WAF intercepts the hard-to-detect request; otherwise it releases the hold, forwards the hard-to-detect request to the on-line business, and completes the user's request and response.
The WAF sits in front of the on-line business and the mirror service, and when a request is initiated to access the business origin through the Nginx reverse proxy, all requests are detected by the WAF. When a user request reaches the WAF, it is first filtered according to the general rules. The requests filtered by the general rules include common attack requests and normal requests, so most common attacks can be filtered in this way, relieving pressure on subsequent processing. Some attack requests still cannot be detected, especially WAF bypasses and 0day attacks. The WAF temporarily holds this portion of requests, mirrors the held requests to the mirror service through the nginx mirror module, and judges according to the mirror service's response whether the request is legitimate. If it is a legitimate request it is forwarded to the on-line business and the HTTP request process is completed; otherwise the WAF intercepts the request. By simulating the on-line business in the background, the real user request is mapped onto the mirror service through Nginx's ngx_http_mirror_module module, and the various response conditions after the request reaches the on-line business are simulated. Protecting the web application by simulating this entire access process not only reduces false negatives and false positives but also prevents bypasses and 0day attacks. If an attack exists, it is intercepted after the request accesses the mirror service, so that the attack request is prevented from harming the on-line business.
Further, a switch is set in the WAF for controlling whether a rule or function is enabled and needs to be detected.
Further, a whitelist is set in the WAF for some IP ranges whose requests are normal; requests sent from the whitelist are not detected by the WAF and reach the business origin directly.
In the whole process, switches can also be set to decide whether to enable the various detection functions. A whitelist can also be set for some IP ranges whose requests are normal, allowing requests in the whitelist to reach the origin directly, so as to improve request speed.
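The configuration listing the description refers to is not reproduced on this page. What follows is an added example, written for this edit and not the patent's own code, of how the three stages described above (general rules, holding of hard-to-detect requests, decision from the mirror service's response) together with the switches and the IP whitelist can be realised on OpenResty (Nginx with the Lua module). The upstream addresses, the whitelisted range, the rule patterns, the hard-to-detect heuristic, the response signatures and the location names are all assumptions. One practical point the patent does not spell out: ngx_http_mirror_module discards the responses of its mirror subrequests, so it can only serve the asynchronous copy of normal traffic; the synchronous path that has to read the mirror service's response is implemented here with a readable internal subrequest (ngx.location.capture) instead.

```nginx
# Added example (not the patent's listing). Place inside the http context.
# Assumed: upstream addresses, whitelist range, rule patterns, heuristics, signatures.

upstream business_origin { server 10.0.0.10:8080; }  # on-line business origin (assumed)
upstream mirror_origin   { server 10.0.0.20:8080; }  # mirror service origin (assumed)

# Whitelisted client ranges skip WAF detection entirely (assumed range).
geo $waf_whitelisted {
    default      0;
    10.1.0.0/16  1;
}

server {
    listen 80;

    set $waf_enabled        "on";   # master switch for the WAF
    set $waf_mirror_enabled "on";   # switch for the mirror-consultation stage

    # Asynchronous copy of normal traffic to the mirror service. The mirror module
    # discards these responses, so the business origin is unaffected.
    location = /mirror_async {
        internal;
        proxy_pass http://mirror_origin$request_uri;
    }

    # Synchronous replay for hard-to-detect requests. The response must be readable,
    # which ngx_http_mirror_module does not allow, so a plain internal location is
    # reached through ngx.location.capture; "/mirror_sync/" is stripped by proxy_pass.
    location /mirror_sync/ {
        internal;
        proxy_pass http://mirror_origin/;
    }

    location / {
        mirror /mirror_async;
        mirror_request_body on;

        access_by_lua_block {
            if ngx.var.waf_enabled ~= "on" or ngx.var.waf_whitelisted == "1" then
                return  -- WAF switched off or client whitelisted: straight to the origin
            end

            ngx.req.read_body()
            local body = ngx.req.get_body_data() or ""
            local subject = ngx.var.request_uri .. "\n" .. body

            -- Stage 1: general rules; a confident match is intercepted at once.
            local general_rules = {
                [[union[\s/*]+select]],
                [[<script\b]],
                [[\.\./\.\./]],
            }
            for _, re in ipairs(general_rules) do
                if ngx.re.find(subject, re, "ijo") then
                    ngx.log(ngx.WARN, "WAF: general rule hit: ", re)
                    return ngx.exit(ngx.HTTP_FORBIDDEN)
                end
            end

            -- Stage 2: is the request hard to detect? Heuristic used here: SQL/script
            -- meta-characters or encoded quotes that the general rules cannot classify.
            local suspicious = ngx.re.find(subject, [[['";\\]|%27|%22|--|/\*]], "jo")
            if not suspicious or ngx.var.waf_mirror_enabled ~= "on" then
                return  -- treated as normal and forwarded to the business origin
            end

            -- Stage 3: hold the request, replay it against the mirror service and
            -- decide from the mirror's response (status and leaked error features).
            local res = ngx.location.capture("/mirror_sync" .. ngx.var.request_uri, {
                method = ngx["HTTP_" .. ngx.req.get_method()] or ngx.HTTP_GET,
                always_forward_body = true,
            })
            local attacked = res.status >= 500
            if not attacked then
                local signatures = {
                    [[sql syntax|syntax error|mysql_fetch|ORA-\d{5}]],
                    [[stack trace|traceback|unhandled exception]],
                }
                for _, re in ipairs(signatures) do
                    if ngx.re.find(res.body or "", re, "ijo") then
                        attacked = true
                        break
                    end
                end
            end
            if attacked then
                ngx.log(ngx.WARN, "WAF: mirror response indicates attack, status ", res.status)
                return ngx.exit(ngx.HTTP_FORBIDDEN)
            end
            -- Otherwise the hold is released and the request continues to proxy_pass.
        }

        proxy_pass http://business_origin;
        proxy_set_header Host $host;
    }
}
```

Two properties of this arrangement are worth knowing before deploying it: the mirror directive on location / also copies requests that were released after the synchronous consultation, so the mirror service sees those requests twice; and a 5xx from the replay, including an unreachable mirror, is treated as an attack, so the stage fails closed rather than open.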
Compared with the prior art, the present invention has the following advantages and beneficial effects:
(1) The present invention provides a novel WAF design method based on Nginx, which can effectively reduce the false negatives and false positives of a traditional WAF and prevent a traditional WAF from being bypassed and from 0day attacks. User requests can be detected in real time, preventing various network attacks.
(2) The present invention simulates the on-line business in the background and uses Nginx's ngx_http_mirror_module module to map real user requests onto the background simulated service, thereby simulating the various response conditions after a request reaches the on-line business. If an attack exists, it is intercepted after the request accesses the mirror service, so that the attack request is prevented from harming the on-line business.
(3) The WAF can simulate a simple mirror service in the background according to the particular business. In the mirror service it is not necessary to simulate the entire on-line business; only the important interfaces of the on-line business that need protection need to be simulated. The simulated content includes the request content and the response. The simulated response need not be identical to the on-line business response; only the important characteristics of the response need to be simulated, so that after a mirror request reaches the mirror service, the mirror service responds as the on-line business would.
Brief description of the drawings
Fig. 1 is a block diagram of the principle of the present invention;
Fig. 2 is the request-processing flowchart of the present invention.
Specific embodiments
The present invention is described in further detail below with reference to embodiments; the embodiments of the present invention are not limited thereto.
Embodiment 1:
With reference to Fig. 1, a novel WAF design method based on Nginx comprises:
Step S100: configure a business origin and a mirror origin. The business origin serves the on-line business; the mirror origin mirrors the on-line business to form a mirror service. The WAF is deployed on the Nginx server, in front of both the on-line business and the mirror service;
Step S200: the WAF intercepts attacks using general rules and holds (blocks) requests that are hard to detect;
Step S300: the WAF forwards the hard-to-detect request to the mirror service and, according to the response returned by the mirror service, detects and decides whether the hard-to-detect request is to be intercepted or released.
The original location uses the following configuration code:
The business origin is configured in the original location. When the mirror module needs to be added, it is only necessary to add the original configuration code to the existing business-origin configuration. When a URL is determined to be normal and matches the original location, Nginx handles the request by its normal flow, with no change whatsoever for the user or the business origin. Only when a request matches the original location does the background Nginx, instructed by the mirror directive, copy the request once to the specified mirror-service origin; the response returned by the mirror-service origin is ignored by Nginx, so with this deployment the mirror-service origin has no effect on the on-line business origin. When an uncertain request, that is, a hard-to-detect request, arrives, the request is temporarily held and the hard-to-detect request (the request to be detected) is then mirrored to the mirror service. When the mirror request reaches the mirror location, Nginx forwards it to the mirror service and, according to the mirror service's response, judges by means of special rules in Nginx whether the request is legitimate: if it is illegitimate it is intercepted directly; otherwise the hold on the user's request is released and the request is forwarded to the on-line business. Since the mirror service is a simulation of the on-line business, the similarity of the response characteristics is guaranteed, so it can be accurately judged whether the request is normal, and the detection process does not have a particularly large impact on the on-line business.
Embodiment 2:
On the basis of Embodiment 1, and with reference to Fig. 1 and Fig. 2, step S300 specifically includes:
Step S310: Nginx mirrors the hard-to-detect request through its ngx_http_mirror_module module and forwards it to the mirror service;
Step S320: the mirror service responds to the hard-to-detect request and returns the response to the WAF; the response is identical to that of the on-line business;
Step S330: the WAF examines the response result of the mirror service. If an attack is detected, the WAF intercepts the hard-to-detect request; otherwise it releases the hold, forwards the hard-to-detect request to the on-line business, and completes the user's request and response.
The WAF sits in front of the on-line business and the mirror service, and when a request is initiated to access the business origin through the Nginx reverse proxy, all requests are detected by the WAF. When a user request reaches the WAF, it is first filtered according to the general rules. The requests filtered by the general rules include common attack requests and normal requests, so most common attacks can be filtered in this way, relieving pressure on subsequent processing. Some attack requests still cannot be detected, especially WAF bypasses and 0day attacks. The WAF temporarily holds this portion of requests, mirrors the held requests to the mirror service through the nginx mirror module, and judges according to the mirror service's response whether the request is legitimate. If it is a legitimate request it is forwarded to the on-line business and the HTTP request process is completed; otherwise the WAF intercepts the request. By simulating the on-line business in the background, the real user request is mapped onto the mirror service through Nginx's ngx_http_mirror_module module, and the various response conditions after the request reaches the on-line business are simulated. Protecting the web application by simulating this entire access process not only reduces false negatives and false positives but also prevents bypasses and 0day attacks. If an attack exists, it is intercepted after the request accesses the mirror service, so that the attack request is prevented from harming the on-line business.
Further, a switch is set in the WAF for controlling whether a rule or function is enabled and needs to be detected.
Further, a whitelist is set in the WAF for some IP ranges whose requests are normal; requests sent from the whitelist are not detected by the WAF and reach the business origin directly.
In the whole process, switches can also be set to decide whether to enable the various detection functions. A whitelist can also be set for some IP ranges whose requests are normal, allowing requests in the whitelist to reach the origin directly, so as to improve request speed.
Although the present invention has been described herein with reference to illustrative embodiments, and the above embodiments are only preferred embodiments of the present invention, the embodiments of the present invention are not limited by the above embodiments. It should be understood that those skilled in the art can devise many other modifications and implementations, and these modifications and implementations fall within the scope and spirit of the principles disclosed in the present application.

Claims (4)

1. A novel WAF design method based on Nginx, characterized by comprising:
Step S100: configure a business origin and a mirror origin, the business origin serving the on-line business and the mirror origin mirroring the on-line business to form a mirror service, the WAF being deployed on the Nginx server in front of both the on-line business and the mirror service;
Step S200: the WAF intercepts attacks using general rules and holds (blocks) requests that are hard to detect;
Step S300: the WAF forwards the hard-to-detect request to the mirror service and, according to the response returned by the mirror service, detects and decides whether the hard-to-detect request is to be intercepted or released.
2. The novel WAF design method based on Nginx according to claim 1, characterized in that step S300 specifically includes:
Step S310: Nginx mirrors the hard-to-detect request through its ngx_http_mirror_module module and forwards it to the mirror service;
Step S320: the mirror service responds to the hard-to-detect request and returns the response to the WAF, the response being identical to that of the on-line business;
Step S330: the WAF examines the response result of the mirror service; if an attack is detected, the WAF intercepts the hard-to-detect request, otherwise it releases the hold, forwards the hard-to-detect request to the on-line business, and completes the user's request and response.
3. The novel WAF design method based on Nginx according to claim 2, characterized in that a switch is set in the WAF for controlling whether a rule or function is enabled and needs to be detected.
4. The novel WAF design method based on Nginx according to claim 2 or 3, characterized in that a whitelist is set in the WAF for some IP ranges whose requests are normal, and requests sent from the whitelist are not detected by the WAF and reach the business origin directly.

Priority Applications (1)

Application Number | Priority Date | Filing Date | Title
CN201811093835.0A | 2018-09-19 | 2018-09-19 | A novel WAF design method based on Nginx

Applications Claiming Priority (1)

Application Number | Priority Date | Filing Date | Title
CN201811093835.0A | 2018-09-19 | 2018-09-19 | A novel WAF design method based on Nginx

Publications (1)

Publication Number | Publication Date
CN109167792A | 2019-01-08

Family

ID=64879561

Family Applications (1)

Application Number | Status | Title | Priority Date | Filing Date
CN201811093835.0A | Pending | A novel WAF design method based on Nginx | 2018-09-19 | 2018-09-19

Country Status (1)

Country | Link
CN | CN109167792A

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
CN110505235A * | 2019-09-02 | 2019-11-26 | 四川长虹电器股份有限公司 | A detection system and method for malicious requests that bypass a cloud WAF
CN110995640A * | 2019-09-19 | 2020-04-10 | 中国银联股份有限公司 | Method for identifying network attacks and honeypot protection system
CN111585981A * | 2020-04-24 | 2020-08-25 | 上海泛微网络科技股份有限公司 | Security detection method based on an application firewall, and related equipment
CN115296932A * | 2022-09-30 | 2022-11-04 | 北京知其安科技有限公司 | Method and device for detecting WAF interception effectiveness, and storage medium
CN117395082A * | 2023-12-11 | 2024-01-12 | 深圳市移卡科技有限公司 | Service processing method, electronic device and storage medium

Citations (6)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
US20140259145A1 * | 2013-03-08 | 2014-09-11 | Barracuda Networks, Inc. | Light Weight Profiling Apparatus Distinguishes Layer 7 (HTTP) Distributed Denial of Service Attackers From Genuine Clients
CN104361283A * | 2014-12-05 | 2015-02-18 | 网宿科技股份有限公司 | Web attack protection method
CN105227571A * | 2015-10-20 | 2016-01-06 | 福建六壬网安股份有限公司 | Web application firewall system based on nginx+lua and its implementation method
CN105262771A * | 2015-11-04 | 2016-01-20 | 国家电网公司 | Attack and defense test method for network security in the power industry
CN106357696A * | 2016-11-14 | 2017-01-25 | 北京神州绿盟信息安全科技股份有限公司 | Detection method and detection system for SQL injection attacks
CN106534042A * | 2015-09-09 | 2017-03-22 | 阿里巴巴集团控股有限公司 | Server intrusion identification method and apparatus based on data analysis, and cloud security system

Legal Events

Code | Title | Description
PB01 | Publication | Application publication date: 2019-01-08
SE01 | Entry into force of request for substantive examination |
RJ01 | Rejection of invention patent application after publication |