# Experience Sharing

# JXWAF Node Deployment on Custom Ports

# Docker Deployment (Recommended)

```shell
docker run -p 80:80 -p 443:443 -e JXWAF_SERVER='your jxwaf server url' -e WAF_AUTH='your key' -e HTTP_PORT=80 -e HTTPS_PORT=443 jxwaf/jxwaf:latest
```

Configuration variables:

JXWAF_SERVER

Address of the jxwaf console server, here http://demo.jxwaf.com:8000. The address must not carry a path, so http://demo.jxwaf.com:8000/ (with a trailing slash) is wrong.

WAF_AUTH

The value of waf_auth under System Settings -> Basic Info in the jxwaf console. It authenticates the node to the console, so treat it as a secret rather than committing it to a public compose file.

HTTP_PORT

HTTP port

HTTPS_PORT

HTTPS port

Examples:

Serving HTTP on port 8000:

```shell
docker run -p 8000:8000 -d -e JXWAF_SERVER='http://demo.jxwaf.com:8000' -e WAF_AUTH='ee747988-612b-4790-b8ea-fb49c04fc1ea' -e HTTP_PORT=8000 jxwaf/jxwaf:latest
```

Serving HTTPS on port 8002:

```shell
docker run -p 8002:8002 -d -e JXWAF_SERVER='http://demo.jxwaf.com:8000' -e WAF_AUTH='ee747988-612b-4790-b8ea-fb49c04fc1ea' -e HTTPS_PORT=8002 jxwaf/jxwaf:latest
```

# Docker Compose Deployment

```yaml
services:
  jxwaf_base:
    image: "jxwaf/jxwaf:latest"
    ports:
      - "80:80"
      - "443:443"
    environment:
      HTTP_PORT: 80
      HTTPS_PORT: 443
      JXWAF_SERVER: your_jxwaf_server_url
      WAF_AUTH: your_auth_key
      TZ: Asia/Shanghai
    restart: unless-stopped
```

docker-compose.yml settings:

JXWAF_SERVER

Address of the jxwaf console server, here http://demo.jxwaf.com:8000. The address must not carry a path, so http://demo.jxwaf.com:8000/ (with a trailing slash) is wrong.

WAF_AUTH

The value of waf_auth under System Settings -> Basic Info in the jxwaf console.

HTTP_PORT

HTTP port

HTTPS_PORT

HTTPS port

Examples:

Serving HTTP on port 8000:

```yaml
services:
  jxwaf_base:
    image: "jxwaf/jxwaf:latest"
    ports:
      - "8000:8000"
    environment:
      HTTP_PORT: 8000
      JXWAF_SERVER: http://demo.jxwaf.com:8000
      WAF_AUTH: ee747988-612b-4790-b8ea-fb49c04fc1ea
      TZ: Asia/Shanghai
    restart: unless-stopped
```

Serving HTTPS on port 8002:

```yaml
services:
  jxwaf_base:
    image: "jxwaf/jxwaf:latest"
    ports:
      - "8002:8002"
    environment:
      HTTPS_PORT: 8002
      JXWAF_SERVER: http://demo.jxwaf.com:8000
      WAF_AUTH: ee747988-612b-4790-b8ea-fb49c04fc1ea
      TZ: Asia/Shanghai
    restart: unless-stopped
```

# Adding the Website in the Console

A website on the standard port is configured by its domain alone, for example demo.jxwaf.com. For a custom-port deployment, append the port to the website address, for example demo.jxwaf.com:8000; nothing else changes.

# Hosting the CC Protection JS File Yourself

By default, the JS file referenced by the CC protection feature is served from the domain cc.jxwaf.top, which is fronted by Cloudflare. Because that script executes in your visitors' browsers in the context of the protected site, you may prefer to host it on a CDN you control; the configuration below shows how.

# Publishing the JS File

The JS file is cc_js.zip in https://github.com/jx-sec/jxwaf-mini-server. Download it and publish its contents on your CDN.

# Docker Container Configuration

```shell
docker run -p 80:80 -p 443:443 -e JXWAF_SERVER='your jxwaf server url' -e WAF_AUTH='your key' -e HTTP_PORT=80 -e HTTPS_PORT=443 -e WAF_CC_JS_WEBSITE='https://cc.jxwaf.top/' jxwaf/jxwaf:latest
```

Configuration variables:

WAF_CC_JS_WEBSITE

The website the CC JS file is loaded from. Unlike JXWAF_SERVER, this value must end with the path separator: "https://cc.jxwaf.top/" is correct, "https://cc.jxwaf.top" is wrong.

# Docker Compose Container Configuration

```yaml
services:
  jxwaf_base:
    image: "jxwaf/jxwaf:latest"
    ports:
      - "80:80"
      - "443:443"
    environment:
      HTTP_PORT: 80
      HTTPS_PORT: 443
      JXWAF_SERVER: your_jxwaf_server_url
      WAF_AUTH: your_auth_key
      TZ: Asia/Shanghai
      WAF_CC_JS_WEBSITE: https://cc.jxwaf.top/
    restart: unless-stopped
```

docker-compose.yml settings:

WAF_CC_JS_WEBSITE

The website the CC JS file is loaded from. This value must end with the path separator: "https://cc.jxwaf.top/" is correct, "https://cc.jxwaf.top" is wrong.

# Source-Code Deployment Configuration

Configuration file: /opt/jxwaf/nginx/conf/jxwaf/jxwaf_config.json

The file is JSON; change the value of waf_cc_js_website. The default value is "https:\/\/cc.jxwaf.top\/". Mind the JSON string escaping when editing: if the new domain is cc.test.com, the correct string is "https:\/\/cc.test.com\/". JSON permits, but does not require, escaping "/" as "\/", so "https://cc.test.com/" is equally valid; the trailing slash is required either way.
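The three settings this page flags as easy to get wrong (JXWAF_SERVER with no path, WAF_CC_JS_WEBSITE with a trailing slash, host:port as the console website address for a custom port) lend themselves to a pre-flight check before the container is started. The following is an added example and not JXWAF's own code: it validates a node's environment, builds the compose `services` mapping used above from it, and rewrites waf_cc_js_website in jxwaf_config.json through the JSON parser so the escaping question disappears. Treating 80 and 443 as the only "normal" ports in `console_site_address`, and the assumption that jxwaf_config.json is a flat JSON object in which only that one key is touched, are this example's own.

```python
"""Added example (not JXWAF's own code): pre-flight checks for the node settings
this page warns about, the console site address for a custom port, and a safe
edit of jxwaf_config.json. Assumptions are marked in the comments."""
import json
from urllib.parse import urlsplit


def _url_problem(name, url, want_trailing_slash):
    """JXWAF_SERVER must carry no path at all; WAF_CC_JS_WEBSITE must end in '/'."""
    parts = urlsplit(url or "")
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return f"{name} needs scheme and host: {url!r}"
    if want_trailing_slash:
        if not url.endswith("/"):
            return f"{name} must end with '/': {url!r}"
    elif parts.path or parts.query or parts.fragment:
        return f"{name} must not carry a path, not even a trailing '/': {url!r}"
    return None


def node_env_problems(env):
    """Return the problems with a node's environment variables ([] means good to go)."""
    problems = []
    p = _url_problem("JXWAF_SERVER", env.get("JXWAF_SERVER"), want_trailing_slash=False)
    if p:
        problems.append(p)
    if not env.get("WAF_AUTH"):
        problems.append("WAF_AUTH is empty; copy waf_auth from System Settings -> Basic Info")
    ports = [k for k in ("HTTP_PORT", "HTTPS_PORT") if k in env]
    if not ports:
        problems.append("set HTTP_PORT, HTTPS_PORT or both")
    for k in ports:
        if not str(env[k]).isdigit() or not 1 <= int(env[k]) <= 65535:
            problems.append(f"{k} must be a TCP port number: {env[k]!r}")
    if "WAF_CC_JS_WEBSITE" in env:  # optional: only set when the CC JS is self-hosted
        p = _url_problem("WAF_CC_JS_WEBSITE", env["WAF_CC_JS_WEBSITE"], want_trailing_slash=True)
        if p:
            problems.append(p)
    return problems


def compose_service(env):
    """Build the docker-compose 'services' mapping used on this page from a checked env."""
    problems = node_env_problems(env)
    if problems:
        raise ValueError("; ".join(problems))
    service = {
        "image": "jxwaf/jxwaf:latest",
        # the page maps each configured port 1:1 between host and container
        "ports": [f"{env[k]}:{env[k]}" for k in ("HTTP_PORT", "HTTPS_PORT") if k in env],
        "environment": {**env, "TZ": env.get("TZ", "Asia/Shanghai")},
        "restart": "unless-stopped",
    }
    return {"services": {"jxwaf_base": service}}


def console_site_address(host, port, https=False):
    """Address to enter when adding the website in the console: bare host on the
    default port, host:port for a custom-port node (page example: demo.jxwaf.com:8000).
    Treating 80/443 as the only 'normal' ports is this example's assumption."""
    return host if port == (443 if https else 80) else f"{host}:{port}"


def set_cc_js_website(config_text, new_url):
    """Rewrite waf_cc_js_website in jxwaf_config.json through the JSON parser, so the
    escaping the page warns about is handled for you: "\\/" and "/" are both valid JSON."""
    p = _url_problem("waf_cc_js_website", new_url, want_trailing_slash=True)
    if p:
        raise ValueError(p)
    cfg = json.loads(config_text)
    cfg["waf_cc_js_website"] = new_url
    return json.dumps(cfg, indent=2, ensure_ascii=False)


if __name__ == "__main__":
    env = {"JXWAF_SERVER": "http://demo.jxwaf.com:8000/",  # wrong on purpose
           "WAF_AUTH": "ee747988-612b-4790-b8ea-fb49c04fc1ea", "HTTP_PORT": 8000}
    print(node_env_problems(env))
    env["JXWAF_SERVER"] = "http://demo.jxwaf.com:8000"
    print(json.dumps(compose_service(env), indent=2))
```

Run it on the environment you are about to hand to `docker run` or docker-compose; an empty list from `node_env_problems` means both URL rules and the port values check out, and `set_cc_js_website` is the safe way to apply the source-deployment edit above without hand-typing escapes.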

# Network-Layer Blocking of CC Attacks

# Deploying jxwaf_ipset_block on the Node Server

```shell
yum install -y ipset
ipset create blacklist hash:ip hashsize 65535 maxelem 1000000 timeout 86400
iptables -I INPUT -m set --match-set blacklist src -j DROP
iptables -I FORWARD -m set --match-set blacklist src -j DROP
git clone https://github.com/jx-sec/jxwaf.git
cd jxwaf/ipset_block
chmod +x jxwaf_ipset_block
nohup ./jxwaf_ipset_block -auth aaaa -port 6677 &
curl 127.0.0.1:6677/banip -d '{"network_block_ip":"1.1.1.1","auth":"aaaa"}'
ipset list
```

Command walkthrough:

1. Install ipset

```shell
yum install -y ipset
```

This installs ipset, a tool for managing sets of IP addresses and using those sets in filtering and forwarding decisions.

2. Configure ipset and iptables to block malicious IPs

```shell
ipset create blacklist hash:ip hashsize 65535 maxelem 1000000 timeout 86400
iptables -I INPUT -m set --match-set blacklist src -j DROP
iptables -I FORWARD -m set --match-set blacklist src -j DROP
```

This first creates an ipset named blacklist to hold the addresses to be blocked, then inserts iptables rules at the top of the INPUT chain (packets addressed to this host) and the FORWARD chain (packets routed through it) that drop every packet whose source is in the set. Entries expire after one day (timeout 86400) and the set holds at most one million entries. Neither the set nor the rules survive a reboot on their own; persist them with your distribution's ipset/iptables save mechanism or recreate them at boot.

3. Deploy and run jxwaf_ipset_block

```shell
git clone https://github.com/jx-sec/jxwaf.git
cd jxwaf/ipset_block
chmod +x jxwaf_ipset_block
nohup ./jxwaf_ipset_block -auth aaaa -port 6677 &
```

This clones the jxwaf repository, enters the ipset_block directory, makes jxwaf_ipset_block executable and starts it in the background listening on port 6677 with aaaa as the authentication key. The key is a shared secret carried in plain HTTP, and anyone who can reach the port with it can put arbitrary addresses into the blacklist, including your own upstreams or administrators. Use a long random value instead of aaaa, and restrict port 6677 so that only the WAF nodes can reach it.

4. Update the firewall rules through the API

```shell
curl 127.0.0.1:6677/banip -d '{"network_block_ip":"1.1.1.1","auth":"aaaa"}'
ipset list
```

This is the verification step. A POST request to the running jxwaf_ipset_block service, carrying the authentication key aaaa set earlier, asks it to block the address 1.1.1.1; this is how an individual IP gets banned dynamically. ipset list shows the result. Note that 1.1.1.1 is a public DNS resolver, so pick a different test address if the node uses it, and remove the test entry afterwards with ipset del blacklist 1.1.1.1, otherwise it stays blocked until the 86400-second timeout expires.

# Creating the ipset_block Component in the JXWAF Console

JXWAF Console -> Protection Management -> Analysis Components -> New Component

  • Component name

ipset_block

  • Component description

ipset blocking component

  • CODE

```
bG9jYWwgX00gPSB7fQpfTS52ZXJzaW9uID0gImp4d2FmNCIKbG9jYWwgaHR0cCA9IHJlcXVpcmUgInJlc3R5Lmp4d2FmLmh0dHAiCmxvY2FsIGNqc29uID0gcmVxdWlyZSAiY2pzb24uc2FmZSIKbG9jYWwgdW5pZnlfYWN0aW9uID0gcmVxdWlyZSAicmVzdHkuanh3YWYudW5pZnlfYWN0aW9uIgoKbG9jYWwgZnVuY3Rpb24gc2VuZF9pcHNldF9ibG9jayhwZXJpb2QsaXBfYmFuX3NlcnZlcixibGFja19pcCxpcF9iYW5fYXV0aCkKICBsb2NhbCBpcF9iYW5fd2Vic2l0ZSA9ICJodHRwOi8vIi4uaXBfYmFuX3NlcnZlci4uIi9iYW5pcCIKICBsb2NhbCBodHRwYyA9IGh0dHAubmV3KCkKICBodHRwYzpzZXRfdGltZW91dHMoMTAwMDAsIDEwMDAwLCAxMDAwMCkKICBsb2NhbCBib2R5X2RhdGEgPSB7CiAgICBuZXR3b3JrX2Jsb2NrX2lwID0gIGJsYWNrX2lwLAogICAgYXV0aCA9IGlwX2Jhbl9hdXRoCiAgfQogIGxvY2FsIHJlcywgZXJyID0gaHR0cGM6cmVxdWVzdF91cmkoIGlwX2Jhbl93ZWJzaXRlICwgewogICAgbWV0aG9kID0gIlBPU1QiLAogICAgaGVhZGVycyA9IHsKICAgICAgWyJDb250ZW50LVR5cGUiXSA9ICJhcHBsaWNhdGlvbi9qc29uO2NoYXJzZXQ9VVRGLTgiLAogICAgfSwKICAgIGJvZHkgPSBjanNvbi5lbmNvZGUoYm9keV9kYXRhKQogIH0pCiAgaWYgbm90IHJlcyB0aGVuCiAgICBuZ3gubG9nKG5neC5FUlIsInNlbmQgaHR0cCBmYWlsZWQgdG8gcmVxdWVzdDogIiwgZXJyKQogICAgcmV0dXJuIAogIGVuZAogIGlmIHJlcy5zdGF0dXMgfj0gMjAwIHRoZW4KICAgIG5neC5sb2cobmd4LkVSUiwgIklQIGJhbiByZXF1ZXN0IHJldHVybmVkIG5vbi0yMDAgcmVzcG9uc2U6ICIsIHJlcy5zdGF0dXMpCiAgICByZXR1cm4KICBlbmQKICBsb2NhbCByZXNfYm9keSA9IGNqc29uLmRlY29kZShyZXMuYm9keSkKICBpZiBub3QgcmVzX2JvZHkgdGhlbgogICAgbmd4LmxvZyhuZ3guRVJSLCJzZW5kICBmYWlsLGZhaWxlZCB0byBkZWNvZGUgcmVzcCBib2R5IikKICAgIG5neC5sb2cobmd4LkVSUixyZXMuYm9keSkKICAgIHJldHVybgogIGVuZAogIGlmIHJlc19ib2R5WydyZXN1bHQnXSB+PSB0cnVlIHRoZW4KICAgIG5neC5sb2cobmd4LkVSUiwicmVzdWx0IH49IHRydWUgIiApCiAgICBuZ3gubG9nKG5neC5FUlIscmVzLmJvZHkpCiAgICByZXR1cm4KICBlbmQKICByZXR1cm4gdHJ1ZQplbmQKCmZ1bmN0aW9uIF9NLmNoZWNrKGNvbmZfZGF0YSkKICBpZiBjb25mX2RhdGEgPT0gbmlsIHRoZW4KICAgIHJldHVybiAKICBlbmQKCiAgbG9jYWwganh3YWZfaXBzZXRfbm9kZSA9ICBjb25mX2RhdGFbJ2p4d2FmX2lwc2V0X25vZGUnXQogIGlmIHR5cGUoanh3YWZfaXBzZXRfbm9kZSkgfj0gJ3RhYmxlJyAgdGhlbgogICAgcmV0dXJuCiAgZW5kCgogIGxvY2FsIGF1dGggPSBjb25mX2RhdGFbJ2F1dGgnXQogIGlmIHR5cGUoYXV0aCkgfj0gJ3N0cmluZycgIHRoZW4KICAgIHJldHVybgogIGVuZAoKICBsb2NhbCBmbG93X2lwX3JlZ2lvbl9ibG9jayA9IGNvbmZfZGF0YVsnZmxvd19pcF9yZWdpb25fYmxvY2snXQogIGlmIHR5cGUoZmxvd19pcF9yZWdpb25fYmxvY2spIH49ICdib29sZWFuJyAgdGhlbgogICAgbmd4LmxvZyhuZ3guRVJSLHR5cGUoZmxvd19pcF9yZWdpb25fYmxvY2spKQogICAgcmV0dXJuCiAgZW5kCgogIGxvY2FsIGZsb3dfcnVsZV9wcm90ZWN0aW9uID0gY29uZl9kYXRhWydmbG93X3J1bGVfcHJvdGVjdGlvbiddCiAgaWYgdHlwZShmbG93X3J1bGVfcHJvdGVjdGlvbikgfj0gJ3RhYmxlJyAgdGhlbgogICAgcmV0dXJuCiAgZW5kCiAgbG9jYWwgZmxvd19lbmdpbmVfcHJvdGVjdGlvbiA9IGNvbmZfZGF0YVsnZmxvd19lbmdpbmVfcHJvdGVjdGlvbiddCiAgaWYgdHlwZShmbG93X2VuZ2luZV9wcm90ZWN0aW9uKSB+PSAndGFibGUnICB0aGVuCiAgICByZXR1cm4KICBlbmQKCiAgbG9jYWwgZmxvd19pcF9yZWdpb25fYmxvY2tfcmVzdWx0ID0gbmd4LmN0eC5mbG93X2lwX3JlZ2lvbl9ibG9ja19yZXN1bHQKICBsb2NhbCBmbG93X3J1bGVfcHJvdGVjdGlvbl9yZXN1bHQgPSBuZ3guY3R4LmZsb3dfcnVsZV9wcm90ZWN0aW9uX3Jlc3VsdAogIGxvY2FsIGZsb3dfZW5naW5lX3Byb3RlY3Rpb25fcmVzdWx0ID0gbmd4LmN0eC5mbG93X2VuZ2luZV9wcm90ZWN0aW9uX3Jlc3VsdAogIGxvY2FsIGNoZWNrX3Jlc3VsdCAKICBpZiAgZmxvd19pcF9yZWdpb25fYmxvY2sgPT0gdHJ1ZSBhbmQgZmxvd19pcF9yZWdpb25fYmxvY2tfcmVzdWx0IHRoZW4KICAgIGNoZWNrX3Jlc3VsdCA9IHRydWUKICBlbmQKCiAgZm9yIF8sdiBpbiBpcGFpcnMoZmxvd19ydWxlX3Byb3RlY3Rpb24pIGRvIAogICAgaWYgZmxvd19ydWxlX3Byb3RlY3Rpb25fcmVzdWx0W3ZdIHRoZW4KICAgICAgY2hlY2tfcmVzdWx0ID0gdHJ1ZQogICAgZW5kCiAgZW5kCgogIGZvciBfLHYgaW4gaXBhaXJzKGZsb3dfZW5naW5lX3Byb3RlY3Rpb24pIGRvIAogICAgaWYgZmxvd19lbmdpbmVfcHJvdGVjdGlvbl9yZXN1bHRbdl0gdGhlbgogICAgICBjaGVja19yZXN1bHQgPSB0cnVlCiAgICBlbmQKICBlbmQKCiAgaWYgY2hlY2tfcmVzdWx0IHRoZW4KICAgIGxvY2FsIHNyY19pcCA9IG5neC5jdHguc3JjX2lwIG9yIG5neC52YXIucmVtb3RlX2FkZHIKICAgIGZvciBfLHYgaW4gaXBhaXJzKGp4d2FmX2lwc2V0X25vZGUpIGRvCiAgICAgIGxvY2FsIG9rLCBlcnIgPSBuZ3gudGltZXIuYXQoMCxzZW5kX2lwc2V0X2Jsb2NrLHYsc3JjX2lwLGF1dGgpCiAgICAgIGlmIG5vdCBvayB0aGVuCiAgICAgICAgaWYgZXJyIH49ICJwcm9jZXNzIGV4aXRpbmciIHRoZW4KICAgICAgICAgIG5neC5sb2cobmd4LkVSUiwgImZhaWxlZCB0byBjcmVhdGUgdGhlIHNlbmQgc2VuZF9pcHNldF9ibG9jayBodHRwIHRpbWVyOiAiLCBlcnIpCiAgICAgICAgZW5kCiAgICAgIGVuZAogICAgZW5kCiAgICBsb2NhbCB3YWZfbG9nID0gbmd4LmN0eC53YWZfbG9nIAogICAgd2FmX2xvZ1snd2FmX2FjdGlvbiddID0gImlwc2V0X2Jsb2NrIgogICAgbmd4LmN0eC53YWZfbG9nID0gd2FmX2xvZwogICAgdW5pZnlfYWN0aW9uLnJlamVjdF9yZXNwb25zZSgpCiAgICByZXR1cm4gdHJ1ZQogIGVuZAogIHJldHVybiAKZW5kCgpyZXR1cm4gX00=
```

  • Default configuration

```json
{"jxwaf_ipset_node":["1.1.1.1:6677","2.2.2.2:6677"],"auth":"aaaa","flow_ip_region_block":true,"flow_rule_protection":["test_rule"],"flow_engine_protection":["high_freq_cc_rate_check","high_freq_cc_count_check"]}
```

Note:

See the Component Sharing -> ipset_block component documentation for the full configuration reference. The node addresses, auth value and rule names above are placeholders; do not copy this configuration and use it as-is.
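The verification step above and the component code both speak the same small protocol to jxwaf_ipset_block: a POST to http://<node>/banip with a JSON body carrying network_block_ip and auth, treated as successful only when the reply is HTTP 200 with "result": true. The following is an added example and not JXWAF's own code: `send_ban` mirrors that request, and `start_mock_receiver` is a stand-in for jxwaf_ipset_block that checks the auth value and the address but records bans in a Python set instead of adding them to the blacklist set, so the exchange can be rehearsed on a laptop before the real binary is wired in. The 403 and 400 responses the stand-in returns for a bad key or an unparsable address are this example's convention; what the real service answers in those cases is not documented on this page.

```python
"""Added example (not JXWAF's own code): the /banip exchange between a WAF node and
jxwaf_ipset_block, exercised offline. send_ban() mirrors the request the ipset_block
component builds; start_mock_receiver() is a stand-in for the real binary that records
bans in a set instead of adding the address to the ipset blacklist."""
import hmac
import http.server
import ipaddress
import json
import threading
import urllib.error
import urllib.request


class _BanHandler(http.server.BaseHTTPRequestHandler):
    def do_POST(self):
        if self.path != "/banip":
            return self._reply(404, {"result": False, "msg": "not found"})
        try:
            body = json.loads(self.rfile.read(int(self.headers.get("Content-Length", 0))))
        except ValueError:
            body = None
        if not isinstance(body, dict):
            return self._reply(400, {"result": False, "msg": "body must be a JSON object"})
        # constant-time compare of the shared secret; the real binary's error codes are
        # not documented on this page, so 403/400 below are this example's convention
        if not hmac.compare_digest(str(body.get("auth", "")).encode(), self.server.auth.encode()):
            return self._reply(403, {"result": False, "msg": "auth failed"})
        try:
            ip = ipaddress.ip_address(str(body.get("network_block_ip", "")))
        except ValueError:
            return self._reply(400, {"result": False, "msg": "invalid network_block_ip"})
        self.server.banned.add(str(ip))  # where the real service would update the ipset
        self._reply(200, {"result": True})

    def _reply(self, status, obj):
        data = json.dumps(obj).encode()
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_mock_receiver(auth, host="127.0.0.1", port=0):
    """Start the stand-in receiver in a daemon thread; returns (server, bound_port)."""
    srv = http.server.ThreadingHTTPServer((host, port), _BanHandler)
    srv.auth = auth
    srv.banned = set()
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def send_ban(node, ip, auth, timeout=10.0):
    """Ask node (host:port) to ban ip. Same request and success test as the component:
    POST JSON {network_block_ip, auth}; succeed only on HTTP 200 with "result": true.
    This is plain HTTP carrying a shared secret, so keep the port reachable from
    the WAF nodes only."""
    req = urllib.request.Request(
        f"http://{node}/banip",
        data=json.dumps({"network_block_ip": ip, "auth": auth}).encode(),
        headers={"Content-Type": "application/json;charset=UTF-8"},
        method="POST",
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            if resp.status != 200:
                return False
            body = json.loads(resp.read())
    except (urllib.error.URLError, ValueError):  # HTTPError is a URLError subclass
        return False
    return isinstance(body, dict) and body.get("result") is True


if __name__ == "__main__":
    srv, port = start_mock_receiver("aaaa")
    node = f"127.0.0.1:{port}"
    print("ban:", send_ban(node, "203.0.113.7", "aaaa"))        # True
    print("bad auth:", send_ban(node, "203.0.113.8", "wrong"))  # False
    print("banned:", sorted(srv.banned))                         # ['203.0.113.7']
    srv.shutdown()
    srv.server_close()
```

Pointing `send_ban` at a real node (for example 127.0.0.1:6677 after step 3 above) reproduces the curl verification step; pointing the WAF node's jxwaf_ipset_node entry at the stand-in shows whether the component's requests arrive at all, independent of ipset and iptables.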

# Enabling Network-Layer Blocking

In each case below the detection itself is switched to observe mode: the ipset_block component reads the recorded detection result from the request context, rejects the request and sends the source IP to every configured jxwaf_ipset_node, so the component, not the rule or engine, performs the block.

# Enabling Network-Layer Blocking for IP Region Blocking

Set the action of IP region blocking to observe mode.

In the ipset_block component configuration, set flow_ip_region_block to true.

# Enabling Network-Layer Blocking for Traffic Protection Rules

Assuming an existing traffic protection rule named cc_black_ip, set the rule's action to observe mode.

In the ipset_block component configuration, set flow_rule_protection to ["cc_black_ip"].

# Enabling Network-Layer Blocking for the Traffic Protection Engine

Assuming network-layer blocking is wanted for high-frequency CC attack protection:

Set the action of both IP request rate detection and IP request count detection to observe mode.

In the ipset_block component configuration, set flow_engine_protection to ["high_freq_cc_rate_check","high_freq_cc_count_check"].