How to build openresty with GeoIP and Naxsi on CentOS 7
What is Naxsi?
NAXSI means Nginx Anti XSS & SQL Injection.
File openresty.sh
```bash
#!/usr/bin/env bash
# Script to install openresty from source and to tidy up afterwards.
# Run as root on CentOS 7.
set -eu
set -o pipefail

GEOIP_CITY_URL='https://github.com/texnikru/GeoLite2-Database/blob/master/GeoLite2-City.mmdb.gz?raw=true'
GEOIP_COUNTRY_URL='https://github.com/texnikru/GeoLite2-Database/blob/master/GeoLite2-Country.mmdb.gz?raw=true'
GEOIP_MOD_URL='https://github.com/leev/ngx_http_geoip2_module/archive/3.0.tar.gz'
GEOIP_UPDATE_CLI='https://github.com/maxmind/geoipupdate/releases/download/v3.1.1/geoipupdate-3.1.1.tar.gz'
GEOIP_URL='https://github.com/maxmind/libmaxminddb/releases/download/1.3.2/libmaxminddb-1.3.2.tar.gz'
LUAROCKS_URL='http://luarocks.org/releases/luarocks-2.4.2.tar.gz'
NAXSI_URL='https://github.com/nbs-system/naxsi/archive/0.56.tar.gz'
OPEN_RESTY_URL='http://openresty.org/download/openresty-1.11.2.4.tar.gz'
STATSD_URL='https://github.com/UKHomeOffice/nginx-statsd/archive/0.0.1.tar.gz'
MAXMIND_PATH='/usr/share/GeoIP'

# Install dependencies to build from source
yum -y install \
  gcc-c++ \
  gcc \
  git \
  make \
  libcurl-devel \
  openssl-devel \
  openssl \
  perl \
  pcre-devel \
  pcre \
  readline-devel \
  tar \
  unzip \
  wget

mkdir -p openresty luarocks naxsi nginx-statsd geoip geoipupdate ngx_http_geoip2_module

# Prepare: download and unpack each source tree into its own directory
wget -qO - "$OPEN_RESTY_URL"   | tar xzv --strip-components 1 -C openresty/
wget -qO - "$LUAROCKS_URL"     | tar xzv --strip-components 1 -C luarocks/
wget -qO - "$NAXSI_URL"        | tar xzv --strip-components 1 -C naxsi/
wget -qO - "$STATSD_URL"       | tar xzv --strip-components 1 -C nginx-statsd/
wget -qO - "$GEOIP_URL"        | tar xzv --strip-components 1 -C geoip/
wget -qO - "$GEOIP_UPDATE_CLI" | tar xzv --strip-components 1 -C geoipupdate/
wget -qO - "$GEOIP_MOD_URL"    | tar xzv --strip-components 1 -C ngx_http_geoip2_module/

# Build libmaxminddb and fetch the GeoLite2 databases
pushd geoip
mkdir -p "${MAXMIND_PATH}"
./configure
make check install
echo "/usr/local/lib" >> /etc/ld.so.conf.d/libmaxminddb.conf
curl -fSL "${GEOIP_COUNTRY_URL}" | gzip -d > "${MAXMIND_PATH}/GeoLite2-Country.mmdb"
curl -fSL "${GEOIP_CITY_URL}" | gzip -d > "${MAXMIND_PATH}/GeoLite2-City.mmdb"
chown -R 1000:1000 "${MAXMIND_PATH}"
popd

pushd geoipupdate
./configure
make check install
popd

# Check that the dynamic linker can find libmaxminddb
echo "Checking libmaxminddb module"
ldconfig && ldconfig -p | grep libmaxminddb

# Build openresty; module paths are relative to the openresty/ build
# directory, so the script does not depend on being run from /root
pushd openresty
./configure --add-dynamic-module="../ngx_http_geoip2_module" \
            --add-module="../naxsi/naxsi_src" \
            --add-module="../nginx-statsd" \
            --with-http_realip_module \
            --with-http_stub_status_module
make install
popd

# Install NAXSI default rules...
mkdir -p /usr/local/openresty/naxsi/
cp "./naxsi/naxsi_config/naxsi_core.rules" /usr/local/openresty/naxsi/

pushd luarocks
./configure --with-lua=/usr/local/openresty/luajit \
            --lua-suffix=jit-2.1.0-beta2 \
            --with-lua-include=/usr/local/openresty/luajit/include/luajit-2.1
make build install
popd

luarocks install uuid
luarocks install luasocket

# Remove the source trees and the developer tooling
rm -fr openresty naxsi nginx-statsd geoip geoipupdate luarocks ngx_http_geoip2_module
yum -y remove \
  gcc-c++ \
  gcc \
  git \
  make \
  openssl-devel \
  libcurl-devel \
  perl \
  pcre-devel \
  readline-devel
yum clean all

export PATH=$PATH:/usr/local/openresty/bin
echo "export PATH=\$PATH:/usr/local/openresty/bin" >> ~/.bashrc

# Build start-stop-daemon, which the systemd unit uses for ExecStop
pushd /usr/local/src
wget http://developer.axis.com/download/distribution/apps-sys-utils-start-stop-daemon-IR1_9_18-2.tar.gz
tar zxvf apps-sys-utils-start-stop-daemon-IR1_9_18-2.tar.gz
cd apps/sys-utils/start-stop-daemon-IR1_9_18-2
gcc start-stop-daemon.c -o start-stop-daemon
cp start-stop-daemon /usr/sbin/
popd

# Write the systemd unit
echo $'[Unit]\n'\
$'Description=full-fledged web platform\n'\
$'After=syslog.target network-online.target remote-fs.target nss-lookup.target\n'\
$'Wants=network-online.target\n\n'\
$'[Service]\n'\
$'Type=forking\n'\
$'PIDFile=/usr/local/openresty/nginx/logs/nginx.pid\n'\
$'ExecStartPre=/usr/local/openresty/nginx/sbin/nginx -t -q -g \'daemon on; master_process on;\'\n'\
$'ExecStart=/usr/local/openresty/nginx/sbin/nginx -g \'daemon on; master_process on;\'\n'\
$'ExecReload=/usr/local/openresty/nginx/sbin/nginx -g \'daemon on; master_process on;\' -s reload\n'\
$'ExecStop=-/sbin/start-stop-daemon --quiet --stop --retry QUIT/5 --pidfile /usr/local/openresty/nginx/logs/nginx.pid\n'\
$'TimeoutStopSec=5\n'\
$'KillMode=mixed\n\n'\
$'[Install]\n'\
$'WantedBy=multi-user.target'>/usr/lib/systemd/system/openresty.service

systemctl enable openresty.service
systemctl start openresty.service

# Open port 80. HTTP in this build is served over TCP only; the UDP rule is not needed for it.
firewall-cmd --permanent --add-rich-rule='rule family="ipv4" port protocol="tcp" port="80" accept'
firewall-cmd --permanent --add-rich-rule='rule family="ipv4" port protocol="udp" port="80" accept'
firewall-cmd --reload
```
Reference: https://github.com/UKHomeOffice/docker-nginx-proxy
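The build script above pipes each download straight into tar, some of them over plain HTTP, with no integrity check. As an added example (not part of the original script or the referenced project), the helpers below download to a temporary file and extract only when the SHA-256 matches a pinned value; the function names and the digest placeholder are assumptions.

```shell
#!/usr/bin/env bash
# Added example: verify a tarball's SHA-256 before extracting it,
# instead of piping wget straight into tar.

# sha256_of FILE -> prints the lowercase hex digest of FILE
sha256_of() {
  sha256sum "$1" | awk '{print $1}'
}

# verify_and_extract ARCHIVE EXPECTED_SHA256 DEST_DIR
# Returns 0 and extracts on match; returns 1 and extracts nothing on mismatch.
verify_and_extract() {
  local archive="$1" expected="$2" dest="$3" actual
  actual=$(sha256_of "$archive") || return 1
  # Accept upper- or lowercase pinned digests
  expected=$(printf '%s' "$expected" | tr 'A-F' 'a-f')
  if [ "$actual" != "$expected" ]; then
    echo "checksum mismatch for $archive: got $actual" >&2
    return 1
  fi
  mkdir -p "$dest"
  # --no-same-owner: do not restore the archive's uid/gid when running as root
  tar xzf "$archive" --strip-components=1 --no-same-owner -C "$dest"
}

# fetch_verified URL EXPECTED_SHA256 DEST_DIR
# Downloads to a temp file first so nothing reaches tar unverified.
fetch_verified() {
  local url="$1" expected="$2" dest="$3" tmp rc=0
  tmp=$(mktemp) || return 1
  wget -q -O "$tmp" "$url" && verify_and_extract "$tmp" "$expected" "$dest" || rc=$?
  rm -f "$tmp"
  return "$rc"
}

# Usage in the build script (placeholder digest; pin the value you have verified):
# NAXSI_SHA256='<sha256-of-naxsi-0.56.tar.gz>'
# fetch_verified "$NAXSI_URL" "$NAXSI_SHA256" naxsi/
```

Record each digest once from a copy you trust and keep it next to the URL variables, so a changed upstream file stops the build instead of being compiled into nginx.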
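We can also add the GeoLite2-ASN database:
```bash
# MAXMIND_PATH is the directory set in openresty.sh (/usr/share/GeoIP)
GEOIP_ASN_URL='https://github.com/robcowart/eslog_tutorial/blob/master/logstash/geoipdbs/GeoLite2-ASN.mmdb?raw=true'
wget ${GEOIP_ASN_URL} -O ${MAXMIND_PATH}/GeoLite2-ASN.mmdb
```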