Installing SiteGuard on a Sakura dedicated server and building a reverse proxy server
Revised for the SiteGuard 6.0 series version upgrade, reflecting the latest content as of 2023/12/15.
Summary
One advantage of Sakura Internet's dedicated servers and VPS is that the SiteGuard WAF can be used free of charge.
This time I installed nginx from source on a virtual machine on a dedicated server and added SiteGuard to build a reverse proxy server.
I ran into a few problems after installing it, and there was not much information online, so I am leaving this as a memo.
Environment
AlmaLinux release 9.3 (Shamrock Pampas Cat)
nginx version: nginx/1.24.0
SiteGuard Server Edition 6.00
SELinux enabled
A dedicated global network line has been contracted and its fixed IP is bridged to the guest OS. A DNS A record has also been created for the domain used for the SiteGuard GUI (siteguard.domain.com as a placeholder).
Install nginx with dnf
To create the nginx user and group, run the following (the package is removed again straight away, since nginx will be built from source later).
# dnf install nginx
# dnf remove nginx
Installing SiteGuard

Install the required packages.
# dnf install glibc perl wget unzip openssl make file apr apr-util apr-devel apr-util-devel java fontconfig zlib-devel
Install SiteGuard
# cd
# wget http://progeny.sakura.ad.jp/siteguard/6.0.0/apache/siteguard-server-edition-6.00-1.apache.x86_64.tar.gz
# tar -zxvf siteguard-server-edition-6.00-1.apache.x86_64.tar.gz
# cd siteguard-server-edition-6.00-1.apache.x86_64/
# make install
Installing nginx from source
Because this part depends on the individual environment, the SiteGuard installation manual does not cover it; configure it to match your own environment.
Download the latest source from the official nginx site and extract it.
# cd
# wget http://nginx.org/download/nginx-1.24.0.tar.gz
# tar -zxvf nginx-1.24.0.tar.gz
Install the packages needed for configure (requirements vary by environment and version).
# dnf install gcc pcre-devel openssl-devel
Create the directory for the nginx cache in advance (it is the directory specified later in the configure options).
# mkdir /var/cache/nginx
Pass a long list of options to configure.
(Incidentally, apart from adding the SiteGuard module, these are the same options the package from nginx's official repository is built with.)
Without -Wno-error=stringop-truncation, make fails with an error and the binary cannot be built, so that option was added.
# cd nginx-1.24.0
# ./configure --add-module=/opt/jp-secure/siteguardlite/nginx --with-http_ssl_module --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib64/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx \
--with-compat \
--with-file-aio \
--with-threads \
--with-http_addition_module \
--with-http_auth_request_module \
--with-http_dav_module \
--with-http_flv_module \
--with-http_gunzip_module \
--with-http_gzip_static_module \
--with-http_mp4_module \
--with-http_random_index_module \
--with-http_realip_module \
--with-http_secure_link_module \
--with-http_slice_module \
--with-http_stub_status_module \
--with-http_sub_module \
--with-http_v2_module \
--with-mail \
--with-mail_ssl_module \
--with-stream \
--with-stream_realip_module \
--with-stream_ssl_module \
--with-stream_ssl_preread_module \
--with-cc-opt='-O2 -flto=auto -ffat-lto-objects -fexceptions -g -grecord-gcc-switches -pipe -Wall -Werror=format-security -Wno-error=stringop-truncation -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -fstack-protector-strong -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64 -march=x86-64-v2 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection' \
--with-ld-opt='-Wl,-z,relro -Wl,-z,now -pie'
Once that finishes without errors:
# make
# make install
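After make install, it is worth confirming that the binary actually contains the SiteGuard module and the hardening options passed to configure, since a build that silently dropped them would still start. The script below is an added example, not part of the original post; it parses `nginx -V` output, and the sample output embedded in it is constructed.

```sh
#!/bin/sh
# Added example, not from the original post: verify that a from-source nginx
# build really carries the options this setup relies on, by parsing `nginx -V`.
# Run with --live to inspect the installed binary; with no argument it checks
# the constructed sample below.

# Constructed sample of `nginx -V` output, abbreviated to the options checked.
SAMPLE_NGINX_V=$(cat <<'EOF'
nginx version: nginx/1.24.0
built by gcc 11.4.1 (GCC)
built with OpenSSL 3.0.7 1 Nov 2022
TLS SNI support enabled
configure arguments: --add-module=/opt/jp-secure/siteguardlite/nginx --with-http_ssl_module --prefix=/etc/nginx --conf-path=/etc/nginx/nginx.conf --user=nginx --group=nginx --with-cc-opt='-O2 -Wno-error=stringop-truncation -fstack-protector-strong -fcf-protection' --with-ld-opt='-Wl,-z,relro -Wl,-z,now -pie'
EOF
)

# Extract the configure argument string from `nginx -V` output.
configure_args() {
  printf '%s\n' "$1" | sed -n 's/^configure arguments: //p'
}

# True if FLAG appears as a whole top-level argument (or as FLAG=value).
has_flag() {
  case " $1 " in *" $2 "*|*" $2="*) return 0 ;; *) return 1 ;; esac
}

# True if NEEDLE occurs anywhere, e.g. inside the quoted --with-cc-opt value.
has_substr() {
  case "$1" in *"$2"*) return 0 ;; *) return 1 ;; esac
}

# Print PASS/FAIL per requirement; return the number of failures.
check_build() {
  args=$(configure_args "$1"); fails=0
  for flag in --add-module=/opt/jp-secure/siteguardlite/nginx \
              --with-http_ssl_module --user=nginx --group=nginx; do
    if has_flag "$args" "$flag"; then echo "PASS $flag"; else echo "FAIL $flag"; fails=$((fails + 1)); fi
  done
  # Build-fix and hardening options live inside the quoted cc/ld option strings.
  for opt in -Wno-error=stringop-truncation -fstack-protector-strong -Wl,-z,now -pie; do
    if has_substr "$args" "$opt"; then echo "PASS $opt"; else echo "FAIL $opt"; fails=$((fails + 1)); fi
  done
  return $fails
}

case "${1:-}" in
  --live) check_build "$(nginx -V 2>&1)" ;;
  *)      check_build "$SAMPLE_NGINX_V" ;;
esac
```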
Since this is an environment with SELinux enabled, register nginx with systemd.
# vi /lib/systemd/system/nginx.service
Contents as follows:
[Unit]
Description=The NGINX HTTP and reverse proxy server
After=syslog.target network.target remote-fs.target nss-lookup.target
[Service]
Type=forking
PIDFile=/run/nginx.pid
ExecStartPre=/usr/sbin/nginx -t
ExecStart=/usr/sbin/nginx
ExecReload=/usr/sbin/nginx -s reload
ExecStop=/bin/kill -s QUIT $MAINPID
PrivateTmp=true
[Install]
WantedBy=multi-user.target
Enable it at startup
# systemctl enable nginx
Configure SiteGuard for nginx
# cd /opt/jp-secure/siteguardlite/
# ./setup.sh
Answer the prompts as follows.
[root@nginx-siteguard-proxy siteguardlite]# ./setup.sh
------------------------------------------------------
SiteGuard Server Edition setup start...
------------------------------------------------------
please enter Nginx Config File. [] -->/etc/nginx/nginx.conf
Nginx Config File=[/etc/nginx/nginx.conf]
is correct? [yes]|no -->yes
please enter Nginx Binary File (nginx). [/usr/sbin/nginx] -->
Nginx Binary File (nginx)=[/usr/sbin/nginx]
is correct? [yes]|no -->yes
Is the Web server registered in systemd?
please select. [yes]|no -->yes
please enter Nginx service name. [nginx] -->
Nginx service name=[nginx]
is correct? [yes]|no -->yes
------------------------------------------------------
SELinux temporary switch to permissive
------------------------------------------------------
do you want to use the web administrative console?
* to use the console, you will need JDK or JRE is installed.
please select. [yes]|no -->yes
please enter JDK or JRE directory. [/usr/lib/jvm/jre-1.8.0] -->
JDK or JRE directory=[/usr/lib/jvm/jre-1.8.0]
is correct? [yes]|no -->yes
please enter the port number of the web console for https.
please enter port number. [9443] -->
port number=[9443]
is correct? [yes]|no -->yes
please enter the addresses allowed to access the web console for https.
ex:192.168.1.100 10.0.0.0/24
please enter allowed addresses. [all] -->
allowed addresses=[all]
is correct? [yes]|no -->yes
do you change the ssl certificate files?
please select. yes|[no] -->
update server config file done.
------------------------------------------------------
check if the ssl settings on admin console are appropriate....
------------------------------------------------------
Successfully set the ssl protocol.
update Makefile done.
------------------------------------------------------
SELinux Context Setup start
------------------------------------------------------
tomcat settings
logs settings
configured.module settings
tmp settings
notify settings
statistics settings
expire.txt settings
restorecon settings
policy settings
------------------------------------------------------
SELinux Context Setup done
------------------------------------------------------
------------------------------------------------------
Starting services...
------------------------------------------------------
Starting Tomcat(WebUI for SiteGuard Server Edition): [ OK ]
Starting Notify Service: [ OK ]
Nginx restart. Are you sure? [yes]|no -->
nginx: [error] invalid PID number "" in "/var/run/nginx.pid"
Stopping : [ OK ]
------------------------------------------------------
clear tmp files
------------------------------------------------------
removing tmp files ...
done.
starting web server ...
Starting : [ OK ]
Nginx restart done.
------------------------------------------------------
finished SiteGuard Server Edition setup
------------------------------------------------------
Please access following URL for starting service.
https://nginx-siteguard-proxy:9443/
(default user:admin, default password:admin)
------------------------------------------------------
SELinux switch to enforcing
------------------------------------------------------
------------------------------------------------------
SiteGuard Server Edition setup done...
------------------------------------------------------
Opening the ports
# firewall-cmd --add-port 9443/tcp --permanent
# firewall-cmd --add-service http --permanent
# firewall-cmd --add-service https --permanent
# firewall-cmd --reload
To serve the SiteGuard admin console over SSL, install certbot.
# dnf install epel-release
# dnf install certbot python3-certbot-nginx
nginx configuration file settings
# vi /etc/nginx/nginx.conf
Add the following at the end of the http block:
http {
...
include /etc/nginx/conf.d/*.conf;
}
Create a conf for the domain used to obtain the SiteGuard certificate.
# vi /etc/nginx/conf.d/siteguard.domain.com.conf
Contents as follows (this configuration is only for obtaining the certificate):
server {
server_name siteguard.domain.com;
}
Installing the SSL certificate
# certbot --nginx -d siteguard.domain.com
Copy the certificate paths from the following file.
# view /etc/nginx/conf.d/siteguard.domain.com.conf
Apply them in the following file:
# vi /opt/jp-secure/siteguardlite/conf/nginx.conf.siteguardlite_admin_ssl
Change ssl_certificate and ssl_certificate_key, and add ssl_dhparam.
ssl_certificate /etc/letsencrypt/live/siteguard.domain.com/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/siteguard.domain.com/privkey.pem; # managed by Certbot
#include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
#ssl_certificate /opt/jp-secure/siteguardlite/conf/ssl/server.crt;
#ssl_certificate_key /opt/jp-secure/siteguardlite/conf/ssl/server.key;
Automatic certificate renewal with cron
# crontab -e
Contents as follows:
PATH=/sbin:/bin:/usr/sbin:/usr/bin
0 4 * * * (/bin/certbot renew && /bin/systemctl reload nginx) > /var/log/cronout.log 2>&1
Restart nginx and access the GUI (https to siteguard.domain.com on port 9443).
# systemctl restart nginx

Email can be sent over SMTPS via an external outgoing mail server.
Configure automatic email notifications from the "Module settings" page (detailed settings such as SPF and DKIM are omitted).
Set the signature update URL
# vi /opt/jp-secure/siteguardlite/conf/dbupdate_waf_url.conf
Contents as follows:
LATEST_URL=https://www.jp-secure.com/download/siteguardlite_sp/updates_nw/latest-nw.zip
Enable automatic updates in the signature update settings of the GUI (screenshot omitted).
Adding the reverse proxy server settings
The reverse proxy is configured the same way as it would be without SiteGuard installed. Create the following file.
# vi /etc/nginx/conf.d/reverse.proxy.com.conf
Contents as follows:
server {
server_name reverse.proxy.com;
}
Obtain a certificate with Certbot.
# certbot --nginx -d reverse.proxy.com
Add the reverse proxy information
# vi /etc/nginx/conf.d/reverse.proxy.com.conf
Contents as follows (adjust as appropriate):
server {
server_name reverse.proxy.com;
access_log /var/log/nginx/reverse.proxy.com.access.log;
location / {
proxy_set_header Host $host;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Real-IP $remote_addr;
proxy_pass http://192.168.100.101:3000;
}
listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/reverse.proxy.com/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/reverse.proxy.com/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server {
...
}
Problems after going live
Handling error notification emails
The following error occurred frequently during access peaks, so nginx's performance had to be tuned (unfortunately, although I noticed the "failure" typo, I cannot fix it...).
1642582870.361860 [2022/01/19 18:01:10] ###ERROR### [80402]: apr_dbm_open_ex(/opt/jp-secure/siteguardlite/tmp/filter.db) faiulre. ret=24
# vi /etc/nginx/nginx.conf
Change the default worker count from 1 to auto so that processes are started according to the number of cores, and raise the upper limit on the number of files each worker can handle (reference: https://qiita.com/mikene_koko/items/85fbe6a342f89bf53e89).
worker_processes auto; # value changed
worker_rlimit_nofile 4096; # newly added
Restart nginx to apply the changes.
# systemctl restart nginx
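To confirm that this tuning targets the right cause rather than just suppressing the notifications, the failure's return code can be decoded: on Linux, APR returns system errors as the raw errno, so ret=24 is EMFILE ("Too many open files"), which is exactly what raising worker_rlimit_nofile addresses. The script below is an added example, not part of the original post; its log lines are constructed in the format quoted above, and the errno mapping and the live-mode checks are my own.

```sh
#!/bin/sh
# Added example, not from the original post: triage the SiteGuard error quoted above
# by counting apr_dbm_open_ex failures per return code and naming the errno behind
# each. On Linux APR returns system errors as the raw errno, so ret=24 is EMFILE
# ("Too many open files"), the condition that raising worker_rlimit_nofile addresses.
# Usage: no argument = constructed sample below; "--live FILE" = a real SiteGuard
# error log plus the open-file limits of the running nginx workers.
# Constructed sample lines; "faiulre" is SiteGuard's own spelling, matched as written.
SAMPLE_LOG=$(cat <<'EOF'
1642582870.361860 [2022/01/19 18:01:10] ###ERROR### [80402]: apr_dbm_open_ex(/opt/jp-secure/siteguardlite/tmp/filter.db) faiulre. ret=24
1642582870.402113 [2022/01/19 18:01:10] ###ERROR### [80403]: apr_dbm_open_ex(/opt/jp-secure/siteguardlite/tmp/filter.db) faiulre. ret=24
1642582871.001542 [2022/01/19 18:01:11] ###ERROR### [80404]: apr_dbm_open_ex(/opt/jp-secure/siteguardlite/tmp/filter.db) faiulre. ret=13
1642582871.100000 [2022/01/19 18:01:11] ###INFO### [80405]: signature update finished
EOF
)

# Map an APR/errno return code to its name and the usual remedy.
errno_name() {
  case "$1" in
    2)  echo "ENOENT (file missing)" ;;
    13) echo "EACCES (permission denied: check ownership and SELinux)" ;;
    24) echo "EMFILE (too many open files: raise worker_rlimit_nofile)" ;;
    *)  echo "errno $1" ;;
  esac
}

# Number of apr_dbm_open_ex failures with ret code $2 in log text $1.
count_ret() {
  printf '%s\n' "$1" | grep -c "apr_dbm_open_ex(.*ret=$2\$"
}

# Print "count ret=N name" per distinct failure code, most frequent first.
dbm_failures() {
  printf '%s\n' "$1" | grep 'apr_dbm_open_ex(' | sed -n 's/.*ret=\([0-9]*\).*/\1/p' \
    | sort | uniq -c | sort -rn | while read -r count code; do
        echo "$count ret=$code $(errno_name "$code")"
      done
}

# Live only: soft/hard open-file limit of each nginx worker, for comparison with worker_rlimit_nofile.
worker_nofile_limits() {
  for pid in $(pgrep -f 'nginx: worker'); do
    printf 'worker %s: ' "$pid"
    awk '/Max open files/ {print $4, "soft /", $5, "hard"}' "/proc/$pid/limits"
  done
}

case "${1:-}" in
  --live) dbm_failures "$(cat "$2")"; worker_nofile_limits ;;
  *)      dbm_failures "$SAMPLE_LOG" ;;
esac
```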
Log size management
When nginx is installed from source, log rotation is not set up; I did not notice until the logs had reached 5GB, so a rotation configuration was added.
# vi /etc/logrotate.d/nginx
Contents as follows:
/var/log/nginx/*log {
daily
missingok
rotate 52
compress
delaycompress
notifempty
create 640 nginx adm
sharedscripts
postrotate
if [ -f /var/run/nginx.pid ]; then
kill -USR1 `cat /var/run/nginx.pid`
fi
endscript
}
That's all.