CN109167792A - A kind of novel WAF design method based on Nginx - Google Patents
- Publication number: CN109167792A (application CN201811093835.0A)
- Authority: CN (China)
- Prior art keywords: waf, business, request, nginx, mirroring service
- Legal status: Pending
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/02—Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
- H04L63/0227—Filtering policies
- H04L63/0263—Rule management
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- G06F21/552—Detecting local intrusion or implementing counter-measures involving long-term monitoring or reporting
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L67/00—Network arrangements or protocols for supporting network services or applications
- H04L67/01—Protocols
- H04L67/10—Protocols in which an application is distributed across nodes in the network
- H04L67/1095—Replication or mirroring of data, e.g. scheduling or transport for data synchronisation between network nodes
Abstract
The invention discloses a novel WAF design method based on Nginx, comprising: step S100: configure a business source station and a mirror source station, the business source station serving the online business and the mirror source station mirroring the online business to form a mirror service; the WAF is deployed on the Nginx server, in front of both the online business and the mirror service; step S200: the WAF intercepts attacks using general rules and temporarily holds requests that are hard to detect; step S300: the WAF forwards the hard-to-detect request to the mirror service and, according to the response returned by the mirror service, detects and judges whether the hard-to-detect request is to be intercepted or released. The invention provides a novel Nginx-based WAF design method that can effectively reduce the false negatives and false positives of a traditional WAF and prevent bypasses of the traditional WAF and 0-day attacks. User requests can be detected in real time, preventing various network attacks.
Description
Technical field
The present invention relates to the field of information security technology, and specifically to a novel WAF design method based on Nginx.
Background technique
With the continuous development of computer technology, web applications are used more and more widely. Nginx, a lightweight web server with high-performance HTTP processing and reverse proxy capabilities, is widely used as the server on which a WAF is deployed. A WAF is the security guarantee of a web application: it protects the web application by executing a series of security policies on HTTP/HTTPS traffic. Earlier, traditional WAFs were mostly based on rules and policies, detecting whether a request carries an attack by judging whether the request matches a rule. At present, some WAFs also incorporate algorithms such as machine learning, building a model through large-scale machine learning so that abnormal requests can be filtered out of a large volume of requests and intercepted. Because a traditional WAF defines its rules according to the attack, these WAFs share some common shortcomings: they produce false positives and false negatives, they can be bypassed, and they cannot prevent 0-day attacks.
Summary of the invention
The purpose of the present invention is to provide a novel WAF design method based on Nginx, to solve the problem that in the prior art a WAF defines its rules according to the attack and therefore suffers from false positives, false negatives and bypasses.
The present invention solves the above problems through the following technical solution:
A novel WAF design method based on Nginx, comprising:
Step S100: configure a business source station and a mirror source station, the business source station serving the online business and the mirror source station mirroring the online business to form a mirror service; the WAF is deployed on the Nginx server, in front of both the online business and the mirror service;
Step S200: the WAF intercepts attacks using general rules and temporarily holds hard-to-detect requests;
Step S300: the WAF forwards the hard-to-detect request to the mirror service and, according to the response returned by the mirror service, detects and judges whether the hard-to-detect request is to be intercepted or released.
The original location uses the following configuration code:
The business source station is configured in the original location; when the mirror module needs to be added, the original configuration code only has to be added to the existing configuration of the business source station. When a URL determined to be normal matches the original location, Nginx processes the request through the normal flow, with no change whatsoever for the user or the business source station. Only when a request matches the original location does the Nginx backend, instructed by the mirror directive, copy the request to the specified mirror source station; the response returned by the mirror source station is ignored by Nginx, so with this deployment the mirror source station has no impact on the online business source station. When an uncertain request arrives, the request is temporarily held and then mirrored to the mirror service. When the mirrored request reaches the mirror location, Nginx forwards it to the mirror service and, according to the mirror service's response, judges through special rules in Nginx whether the request is legitimate: if it is illegitimate it is intercepted directly, otherwise the hold on the user's request is released and the request is forwarded to the online business. Because the mirror service is a simulation of the online business, the similarity of the response characteristics is guaranteed, so it can be accurately judged whether the request is normal, and the detection process does not have a particularly large impact on the online business.
Further, step S300 specifically comprises:
Step S310: the ngx_http_mirror_module module of Nginx mirrors the hard-to-detect request and forwards it to the mirror service;
Step S320: the mirror service responds to the hard-to-detect request and returns the response to the WAF, the response being the same as that of the online business;
Step S330: the WAF inspects the response result of the mirror service; if an attack is detected, the WAF intercepts the hard-to-detect request, otherwise it releases the hold and forwards the hard-to-detect request to the online business, completing the user's request and response.
The WAF is located in front of the online business and the mirror service; when a request is initiated through the Nginx reverse proxy to access the business source station, every request is inspected by the WAF. When a user request reaches the WAF, the request is first filtered according to the general rules; the requests filtered by the general rules include common attack requests and normal requests, so most common attacks can be filtered out in this way, relieving the pressure on subsequent processing. Some attack requests still cannot be detected, especially WAF bypasses and 0-day attacks. The WAF temporarily holds this part of the requests, mirrors the held requests to the mirror service through the mirror module of Nginx, and judges whether each request is legitimate according to the response of the mirror service. If it is a legitimate request it is forwarded to the online business, completing the HTTP request flow; otherwise the WAF intercepts the request. By simulating the online business in the backend and using the ngx_http_mirror_module module of Nginx to map real user requests onto the mirror service, the various response conditions of a request arriving at the online business are simulated. Protecting the web application by simulating this entire access process not only reduces false negatives and false positives but also prevents bypasses and 0-day attacks. If there is an attack, it is intercepted after the request accesses the mirror service, so the attack request causes no harm to the online business.
Further, switches are set in the WAF to control which rules and functions are enabled and need to be run for detection.
Further, a whitelist is set in the WAF for some IP ranges whose requests are normal; requests sent from the whitelist are not inspected by the WAF and reach the business source station directly.
In the whole flow, switches can also be set to decide whether to enable the various detection functions, and a whitelist can be set for normal requests from some IP ranges, allowing whitelisted requests to reach the source station directly so as to improve request speed.
Compared with the prior art, the present invention has the following advantages and beneficial effects:
(1) The present invention provides a novel WAF design method based on Nginx, which can effectively reduce the false negatives and false positives of a traditional WAF and prevent bypasses of the traditional WAF and 0-day attacks. User requests can be detected in real time, preventing various network attacks.
(2) The present invention simulates the online business in the backend and uses the ngx_http_mirror_module module of Nginx to map real user requests onto the backend simulated service, thereby simulating the various response conditions of a request arriving at the online business. If there is an attack, it is intercepted after the request accesses the mirror service, so the attack request is prevented from harming the online business.
(3) The WAF can simulate a simple mirror service in the backend according to the different businesses. The mirror service does not need to simulate the entire online business; only the important interfaces of the online business that need protection need to be simulated. The simulated content includes request content and responses; the simulated response does not need to be identical to the online service's response, it only needs to reproduce the important characteristics of the response, so that when a mirrored request reaches the mirror service, the mirror service responds as the online business would.
Detailed description of the invention
Fig. 1 is a block diagram of the principle of the present invention;
Fig. 2 is the request processing flowchart of the present invention.
Specific embodiment
The present invention is described in further detail below with reference to embodiments; the embodiments of the present invention are not limited thereto.
Embodiment 1:
With reference to Fig. 1, a novel WAF design method based on Nginx comprises:
Step S100: configure a business source station and a mirror source station, the business source station serving the online business and the mirror source station mirroring the online business to form a mirror service; the WAF is deployed on the Nginx server, in front of both the online business and the mirror service;
Step S200: the WAF intercepts attacks using general rules and temporarily holds hard-to-detect requests;
Step S300: the WAF forwards the hard-to-detect request to the mirror service and, according to the response returned by the mirror service, detects and judges whether the hard-to-detect request is to be intercepted or released.
The original location uses the following configuration code:
The business source station is configured in the original location; when the mirror module needs to be added, the original configuration code only has to be added to the existing configuration of the business source station. When a URL determined to be normal matches the original location, Nginx processes the request through the normal flow, with no change whatsoever for the user or the business source station. Only when a request matches the original location does the Nginx backend, instructed by the mirror directive, copy the request to the specified mirror source station; the response returned by the mirror source station is ignored by Nginx, so with this deployment the mirror source station has no impact on the online business source station. When an uncertain request, that is, a hard-to-detect request, arrives, the request is temporarily held, and the hard-to-detect request, that is, the request to be detected, is mirrored to the mirror service. When the mirrored request reaches the mirror location, Nginx forwards the request to the mirror service and, according to the mirror service's response, judges through special rules in Nginx whether the request is legitimate: if it is illegitimate it is intercepted directly, otherwise the hold on the user's request is released and the request is forwarded to the online business. Because the mirror service is a simulation of the online business, the similarity of the response characteristics is guaranteed, so it can be accurately judged whether the request is normal, and the detection process does not have a particularly large impact on the online business.
Embodiment 2:
On the basis of embodiment 1, and with reference to Fig. 1 and Fig. 2, step S300 specifically comprises:
Step S310: the ngx_http_mirror_module module of Nginx mirrors the hard-to-detect request and forwards it to the mirror service;
Step S320: the mirror service responds to the hard-to-detect request and returns the response to the WAF, the response being the same as that of the online business;
Step S330: the WAF inspects the response result of the mirror service; if an attack is detected, the WAF intercepts the hard-to-detect request, otherwise it releases the hold and forwards the hard-to-detect request to the online business, completing the user's request and response.
The WAF is located in front of the online business and the mirror service; when a request is initiated through the Nginx reverse proxy to access the business source station, every request is inspected by the WAF. When a user request reaches the WAF, the request is first filtered according to the general rules; the requests filtered by the general rules include common attack requests and normal requests, so most common attacks can be filtered out in this way, relieving the pressure on subsequent processing. Some attack requests still cannot be detected, especially WAF bypasses and 0-day attacks. The WAF temporarily holds this part of the requests, mirrors the held requests to the mirror service through the mirror module of Nginx, and judges whether each request is legitimate according to the response of the mirror service. If it is a legitimate request it is forwarded to the online business, completing the HTTP request flow; otherwise the WAF intercepts the request. By simulating the online business in the backend and using the ngx_http_mirror_module module of Nginx to map real user requests onto the mirror service, the various response conditions of a request arriving at the online business are simulated. Protecting the web application by simulating this entire access process not only reduces false negatives and false positives but also prevents bypasses and 0-day attacks. If there is an attack, it is intercepted after the request accesses the mirror service, so the attack request causes no harm to the online business.
Further, switches are set in the WAF to control which rules and functions are enabled and need to be run for detection.
Further, a whitelist is set in the WAF for some IP ranges whose requests are normal; requests sent from the whitelist are not inspected by the WAF and reach the business source station directly.
In the whole flow, switches can also be set to decide whether to enable the various detection functions, and a whitelist can be set for normal requests from some IP ranges, allowing whitelisted requests to reach the source station directly so as to improve request speed.
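The decision flow of steps S200 and S300 together with the switches and IP whitelist, as described in the summary and in embodiments 1 and 2, as an added Python simulation that is not part of the patent: the general rules, the response rules, the protected interface and the mirror_service stand-in are all constructed for illustration, and a plain function call stands in for the Nginx mirror subrequest.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, Optional


@dataclass
class Request:
    client_ip: str
    path: str
    query: str = ""
    body: str = ""


@dataclass
class Response:
    status: int
    body: str


# S200: general rules applied to every request (constructed, deliberately minimal).
GENERAL_RULES = [
    re.compile(r"<script", re.I),
    re.compile(r"\bunion\b.*\bselect\b", re.I),
    re.compile(r"\.\./"),
]

# "Special rules" applied to the mirror service's response (constructed): error
# signatures that a normal response from the simulated interface never carries.
RESPONSE_RULES = [
    re.compile(r"syntax error", re.I),
    re.compile(r"Traceback \(most recent call last\)"),
]

# Interfaces the mirror service simulates. Parameterised requests to them that the
# general rules did not settle are the "hard-to-detect" requests of step S200.
PROTECTED_INTERFACES = {"/api/search"}


def mirror_service(req: Request) -> Response:
    """Constructed stand-in for the mirror source station. It reproduces only the
    important response characteristic of /api/search: an unbalanced quote in the
    q parameter makes the simulated database layer fail as production would."""
    params = dict(p.split("=", 1) for p in req.query.split("&") if "=" in p)
    q = params.get("q", "")
    if q.count("'") % 2 == 1:
        return Response(500, "ERROR: syntax error at or near the quote")
    return Response(200, f"<ul><li>{q}</li></ul>")


class MirrorWAF:
    def __init__(self, mirror: Callable[[Request], Response],
                 whitelist: Iterable[str] = (),
                 switches: Optional[Dict[str, bool]] = None):
        self.mirror = mirror  # stands in for the Nginx mirror subrequest (S310)
        self.whitelist = [ipaddress.ip_network(n) for n in whitelist]
        # Switches enable or disable individual detection functions.
        self.switches = {"general_rules": True, "mirror_check": True}
        self.switches.update(switches or {})

    def is_whitelisted(self, req: Request) -> bool:
        ip = ipaddress.ip_address(req.client_ip)
        return any(ip in net for net in self.whitelist)

    def is_hard_to_detect(self, req: Request) -> bool:
        return req.path in PROTECTED_INTERFACES and bool(req.query or req.body)

    def decide(self, req: Request) -> str:
        """Return 'forward:<stage>' or 'intercept:<stage>' for one request."""
        # Whitelisted IP ranges skip detection and go straight to the source station.
        if self.is_whitelisted(req):
            return "forward:whitelist"
        # S200: general rules intercept common attacks outright.
        text = f"{req.path}?{req.query}\n{req.body}"
        if self.switches["general_rules"] and any(r.search(text) for r in GENERAL_RULES):
            return "intercept:general-rule"
        # Everything the general rules could not settle takes the normal path,
        # unless the mirror check is on and the request hits a simulated interface.
        if not (self.switches["mirror_check"] and self.is_hard_to_detect(req)):
            return "forward:normal"
        # S300: hold the request, replay it against the mirror service (S310/S320)
        # and judge it by the mirror's response (S330).
        resp = self.mirror(req)
        if resp.status >= 500 or any(r.search(resp.body) for r in RESPONSE_RULES):
            return "intercept:mirror-response"
        return "forward:mirror-verified"
```

As the description itself notes, Nginx discards the response of a mirror subrequest, so a real deployment needs some other way to hand the mirror's response to the WAF; the simulation models that step as a direct call.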
Although the invention has been described herein with reference to illustrative embodiments, and the above embodiments are only preferred embodiments of the invention, the embodiments of the invention are not limited to the above embodiments; it should be understood that those skilled in the art can devise many other modifications and implementations, which will fall within the scope and spirit of the principles disclosed in this application.
Claims (4)
1. A novel WAF design method based on Nginx, characterized by comprising:
Step S100: configuring a business source station and a mirror source station, the business source station serving the online business and the mirror source station mirroring the online business to form a mirror service, the WAF being deployed on the Nginx server in front of the online business and the mirror service;
Step S200: the WAF intercepting attacks using general rules and temporarily holding hard-to-detect requests;
Step S300: the WAF forwarding the hard-to-detect request to the mirror service and, according to the response returned by the mirror service, detecting and judging whether the hard-to-detect request is to be intercepted or released.
2. The novel WAF design method based on Nginx according to claim 1, characterized in that step S300 specifically comprises:
Step S310: the ngx_http_mirror_module module of Nginx mirroring the hard-to-detect request and forwarding it to the mirror service;
Step S320: the mirror service responding to the hard-to-detect request and returning the response to the WAF, the response being the same as that of the online business;
Step S330: the WAF inspecting the response result of the mirror service; if an attack is detected, the WAF intercepting the hard-to-detect request, otherwise releasing the hold and forwarding the hard-to-detect request to the online business, completing the user's request and response.
3. The novel WAF design method based on Nginx according to claim 2, characterized in that switches are set in the WAF to control which rules and functions are enabled and need to be run for detection.
4. The novel WAF design method based on Nginx according to claim 2 or 3, characterized in that a whitelist is set in the WAF for some IP ranges whose requests are normal, and requests sent from the whitelist are not inspected by the WAF and reach the business source station directly.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201811093835.0A CN109167792A (en) | 2018-09-19 | 2018-09-19 | A kind of novel WAF design method based on Nginx |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201811093835.0A CN109167792A (en) | 2018-09-19 | 2018-09-19 | A kind of novel WAF design method based on Nginx |
Publications (1)
Publication Number | Publication Date |
---|---|
CN109167792A true CN109167792A (en) | 2019-01-08 |
Family
ID=64879561
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201811093835.0A Pending CN109167792A (en) | 2018-09-19 | 2018-09-19 | A kind of novel WAF design method based on Nginx |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN109167792A (en) |
Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20140259145A1 (en) * | 2013-03-08 | 2014-09-11 | Barracuda Networks, Inc. | Light Weight Profiling Apparatus Distinguishes Layer 7 (HTTP) Distributed Denial of Service Attackers From Genuine Clients |
CN104361283A (en) * | 2014-12-05 | 2015-02-18 | 网宿科技股份有限公司 | Web attack protection method |
CN105227571A (en) * | 2015-10-20 | 2016-01-06 | 福建六壬网安股份有限公司 | Based on web application firewall system and its implementation of nginx+lua |
CN105262771A (en) * | 2015-11-04 | 2016-01-20 | 国家电网公司 | Attack and defense test method for network safety of power industry |
CN106357696A (en) * | 2016-11-14 | 2017-01-25 | 北京神州绿盟信息安全科技股份有限公司 | Detection method and detection system for SQL injection attack |
CN106534042A (en) * | 2015-09-09 | 2017-03-22 | 阿里巴巴集团控股有限公司 | Server invasion identifying method and apparatus based on data analysis and cloud safety system |
- 2018-09-19 CN CN201811093835.0A patent/CN109167792A/en active Pending
Cited By (8)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN110505235A (en) * | 2019-09-02 | 2019-11-26 | 四川长虹电器股份有限公司 | A kind of detection system and method for the malicious requests around cloud WAF |
CN110995640A (en) * | 2019-09-19 | 2020-04-10 | 中国银联股份有限公司 | Method for identifying network attack and honeypot protection system |
CN110995640B (en) * | 2019-09-19 | 2022-04-05 | 中国银联股份有限公司 | Method for identifying network attack and honeypot protection system |
CN111585981A (en) * | 2020-04-24 | 2020-08-25 | 上海泛微网络科技股份有限公司 | Security detection method based on application firewall and related equipment |
CN115296932A (en) * | 2022-09-30 | 2022-11-04 | 北京知其安科技有限公司 | Method and device for detecting WAF interception effectiveness and storage medium |
CN115296932B (en) * | 2022-09-30 | 2023-01-06 | 北京知其安科技有限公司 | Method and device for detecting WAF interception effectiveness and storage medium |
CN117395082A (en) * | 2023-12-11 | 2024-01-12 | 深圳市移卡科技有限公司 | Service processing method, electronic device and storage medium |
CN117395082B (en) * | 2023-12-11 | 2024-03-22 | 深圳市移卡科技有限公司 | Service processing method, electronic device and storage medium |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN109167792A (en) | A kind of novel WAF design method based on Nginx | |
CN112073411B (en) | Network security deduction method, device, equipment and storage medium | |
CN107659543B (en) | Protection method for APT (android packet) attack of cloud platform | |
CN103370715B (en) | System and method for securing virtual computing environments | |
WO2021233373A1 (en) | Network security protection method and apparatus, storage medium and electronic device | |
CN105184159B (en) | The recognition methods of webpage tamper and device | |
CN103309808B (en) | Based on privacy disclosure of Android user black box detection method and the system of label | |
CN107888546A (en) | network attack defence method, device and system | |
CN111294333B (en) | Construction system of open type adaptive vulnerability drilling platform | |
WO2017071148A1 (en) | Cloud computing platform-based intelligent defense system | |
CN107493256A (en) | Security incident defence method and device | |
US11323473B2 (en) | Network threat prevention and information security using machine learning | |
CN111464526A (en) | Network intrusion detection method, device, equipment and readable storage medium | |
US20220141252A1 (en) | System and method for data filtering in machine learning model to detect impersonation attacks | |
CN113572730A (en) | Implementation method for actively and automatically trapping honeypots based on web | |
CN109711162A (en) | A kind of security application method and system based on block chain | |
CN105447385A (en) | Multilayer detection based application type database honey pot realization system and method | |
KR102118382B1 (en) | Providing training device for cyber threat | |
CN107196969B (en) | The automatic identification and verification method and system of attack traffic | |
CN108667687A (en) | A kind of WAF test methods based on Nginx | |
CN113407946A (en) | Intelligent protection method and system for IoT (IoT) equipment | |
CN108494791A (en) | A kind of DDOS attack detection method and device based on Netflow daily record datas | |
US10965693B2 (en) | Method and system for detecting movement of malware and other potential threats | |
CN114143052B (en) | Network defense system risk assessment method, device and storage medium based on controllable intrusion simulation | |
EP3926501B1 (en) | System and method of processing information security events to detect cyberattacks |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| RJ01 | Rejection of invention patent application after publication | Application publication date: 20190108 |