titansec / OpenWAF

Web security protection system based on openresty
Apache License 2.0

Question about HTTPS when using my own nginx configuration #7

Closed mojie126 closed 7 years ago

mojie126 commented 7 years ago

include /opt/OpenWAF/conf/twaf_server.conf;
ssl_certificate_by_lua_file /opt/OpenWAF/app/twaf_ssl_cert.lua;
set $twaf_https 1;

After adding these lines to my own configuration I keep getting ERR_SSL_PROTOCOL_ERROR. After removing ssl_certificate_by_lua_file /opt/OpenWAF/app/twaf_ssl_cert.lua; I get a 500 instead. After turning OpenWAF off everything works normally...

miracleqi commented 7 years ago

Hi, after configuring ssl_certificate_by_lua_file you also need to modify access_rule and specify the certificate path there. For a detailed example see: https://github.com/titansec/OpenWAF/blob/master/doc/%E6%B7%B1%E5%85%A5%E7%A0%94%E7%A9%B6OpenWAF%E4%B9%8Bnginx%E9%85%8D%E7%BD%AE.md#ssl_certificate_by_lua Hope this helps.

mojie126 commented 7 years ago

So you mean that besides adding the SSL certificate path to nginx's own configuration, I also have to add it again in access_rule.json...?

miracleqi commented 7 years ago

Once you have read the documentation you will see how the SSL certificate configured in nginx differs from the one in access_rule.

mojie126 commented 7 years ago

OK, I'll look into it...

mojie126 commented 7 years ago

It seems the certificate configured in nginx is OpenWAF's own self-signed certificate, and the one in access_rule is the CA-issued certificate...? Also, is it the twaf_access_rule block in /opt/OpenWAF/conf/twaf_default_conf.json that I should modify...?

miracleqi commented 7 years ago

Correct. The certificate configured in nginx can be any valid certificate. In the ssl_certificate_by_lua phase that certificate is unloaded and the certificate configured in the access rule is loaded instead, which is how certificates are loaded dynamically.

The access_rule to modify is twaf_access_rule.json; try not to touch twaf_default_conf.json.

mojie126 commented 7 years ago

Then does state in twaf_access_rule.json still need to be changed to false?

miracleqi commented 7 years ago

Sorry, everything I said above assumes that the access_rule state is true.

If state is false, there is no need to modify access_rule; just comment out ssl_certificate_by_lua_file.

Please paste the 500 error that is reported after commenting out ssl_certificate_by_lua_file (from nginx's error_log).

mojie126 commented 7 years ago

2017/04/21 10:56:34 [error] 6807#0: *3 lua entry thread aborted: runtime error: /opt/OpenWAF/lib/twaf/inc/request.lua:339: http v2 not supported yet
stack traceback:
coroutine 0:
[C]: in function 'raw_header'
/opt/OpenWAF/lib/twaf/inc/request.lua:339: in function </opt/OpenWAF/lib/twaf/inc/request.lua:263>
/opt/OpenWAF/lib/twaf/twaf_core.lua:147: in function 'run'
/opt/OpenWAF/app/twaf_rewrite.lua:1: in function </opt/OpenWAF/app/twaf_rewrite.lua:1>, client: 60.12.220.19, server: www.liyuzhiqin.com, request: "GET /favicon.ico HTTP/2.0", host: "www.liyuzhiqin.com", referrer: "https://www.liyuzhiqin.com/"
2017/04/21 10:56:39 [error] 6807#0: hc.symcd.com could not be resolved (110: Operation timed out) while requesting certificate status, responder: hc.symcd.com

Looks like the problem is that HTTP/2 isn't supported...?

mojie126 commented 7 years ago

2017/04/21 10:58:29 [error] 6862#0: *1 lua entry thread aborted: runtime error: /opt/OpenWAF/lib/twaf/inc/request.lua:339: http v2 not supported yet
stack traceback:
coroutine 0:
[C]: in function 'raw_header'
/opt/OpenWAF/lib/twaf/inc/request.lua:339: in function </opt/OpenWAF/lib/twaf/inc/request.lua:263>
/opt/OpenWAF/lib/twaf/twaf_core.lua:147: in function 'run'
/opt/OpenWAF/app/twaf_rewrite.lua:1: in function </opt/OpenWAF/app/twaf_rewrite.lua:1>, client: 60.12.220.19, server: www.liyuzhiqin.com, request: "GET /favicon.ico HTTP/2.0", host: "www.liyuzhiqin.com", referrer: "https://www.liyuzhiqin.com/"
2017/04/21 10:58:31 [error] 6862#0: hc.symcd.com could not be resolved (110: Operation timed out) while requesting certificate status, responder: hc.symcd.com

Disabling http2 doesn't help either...

miracleqi commented 7 years ago

Indeed, HTTP/2 is not supported.

mojie126 commented 7 years ago

OK, no wonder my local non-HTTPS tests had no problems at all but it fails on the server... So are there plans to support HTTP/2 soon...? Also, although SPDY is gradually being replaced by HTTP/2, there are still people on browsers from the SPDY era; should that be supported too...?

miracleqi commented 7 years ago

Hold on, let me make a change.

miracleqi commented 7 years ago

Hi, please replace lines 339 and 340 in /opt/OpenWAF/lib/twaf/inc/request.lua with:

pcall(function() request.RAW_HEADER = ngx.req.raw_header() end)
pcall(function() request.RAW_HEADER_TRUE = ngx.req.raw_header(true) end)

If it works after the change, I will update the code.
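The two pcall lines above stop the "http v2 not supported yet" error from aborting the rewrite handler (which is what produced the 500), but on HTTP/2 they also leave request.RAW_HEADER and request.RAW_HEADER_TRUE nil, so any rule that inspects the raw header quietly stops matching. The following Lua module is an added example, not OpenWAF's own code: it captures the raw header when ngx.req.raw_header() works, and otherwise substitutes a header block rebuilt from ngx.req.get_headers() and logs that it did so. It assumes a request table with the RAW_HEADER / RAW_HEADER_TRUE fields used in the snippet above and a rewrite_by_lua phase, and the rebuilt block is an approximation (an assumption, marked in the comments): HTTP/2 has no HTTP/1.x wire format, so header order and the exact original bytes cannot be recovered.

```lua
-- Added example (not OpenWAF code): capture the raw request header
-- without aborting the phase handler when ngx.req.raw_header() is
-- unavailable, which is the HTTP/2 case shown in the error log above.
local _M = {}

-- Rebuild a header block from the parsed headers. This is an
-- approximation (assumption): HTTP/2 has no HTTP/1.x wire format, so
-- header order and exact bytes cannot be recovered; names are sorted
-- so the result is deterministic for rule matching.
local function synthesize_raw_header(with_request_line)
    local lines = {}
    if with_request_line then
        lines[#lines + 1] = string.format("%s %s HTTP/%s",
            ngx.req.get_method(),
            ngx.var.request_uri or "/",
            tostring(ngx.req.http_version()))
    end
    -- get_headers(0, true): no header-count cap, original name casing kept
    local headers = ngx.req.get_headers(0, true)
    local names = {}
    for name in pairs(headers) do
        names[#names + 1] = name
    end
    table.sort(names)
    for _, name in ipairs(names) do
        local value = headers[name]
        if type(value) == "table" then          -- repeated header
            for _, v in ipairs(value) do
                lines[#lines + 1] = name .. ": " .. tostring(v)
            end
        else
            lines[#lines + 1] = name .. ": " .. tostring(value)
        end
    end
    lines[#lines + 1] = ""                      -- blank line ends the block
    return table.concat(lines, "\r\n") .. "\r\n"
end

-- Populate request.RAW_HEADER / request.RAW_HEADER_TRUE (the fields used
-- in the snippet above). Returns true when the real raw header was
-- captured and false when a synthesized block had to be substituted,
-- so the caller can log or count the degraded case instead of serving
-- a 500 or silently running without raw-header rules.
function _M.capture(request)
    local ok, raw = pcall(ngx.req.raw_header)
    if ok then
        request.RAW_HEADER = raw
        request.RAW_HEADER_TRUE = ngx.req.raw_header(true) -- without request line
        return true
    end
    -- Under HTTP/2 raw_header() raises "http v2 not supported yet";
    -- leaving the fields nil would turn raw-header rules into no-ops.
    ngx.log(ngx.WARN, "ngx.req.raw_header unavailable (", tostring(raw),
            "); substituting a synthesized header block")
    request.RAW_HEADER = synthesize_raw_header(true)
    request.RAW_HEADER_TRUE = synthesize_raw_header(false)
    return false
end

return _M
```

Call capture(request) from the rewrite-phase handler before the rules run and watch the WARN line in error_log: a steady stream of it on an HTTP/2 vhost tells an operator that raw-header rules are running on reconstructed input rather than the original bytes, which is the trade-off the pcall fix makes on its own without saying so.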

mojie126 commented 7 years ago

It does work after the change...

miracleqi commented 7 years ago

HTTP/2 and SPDY are both nginx modules, so in theory OpenWAF supports both; I will also try to cover more test scenarios.

itchinaa commented 6 years ago

Hi, I'd like to ask: if I just want to get openwaf running on my Ubuntu, what do I need to configure after downloading and installing it?