How to Install Nginx with Lua and Set Up a Web Application Firewall (WAF)

This guide walks through installing LuaJIT, ngx_devel_kit, and lua-nginx-module, compiling Nginx with Lua support, fixing common libluajit errors, optionally installing OpenResty, and configuring the ngx_lua_waf module to protect web applications.

Open Source Linux

A Web Application Firewall (WAF) protects web applications by applying security policies to HTTP/HTTPS traffic.

Method 1: Install Nginx with Lua module

Install LuaJIT

git clone https://github.com/openresty/luajit2.git
cd luajit2
make PREFIX=/usr/local/luajit
make install PREFIX=/usr/local/luajit

Add the following to /etc/profile:

export LUAJIT_LIB=/usr/local/luajit/lib
export LUAJIT_INC=/usr/local/luajit/include/luajit-2.1

Then reload the profile so the variables are set in the current shell:

source /etc/profile

Install ngx_devel_kit (NDK)

cd /mnt
wget https://github.com/vision5/ngx_devel_kit/archive/v0.3.1.tar.gz
tar -xzvf v0.3.1.tar.gz

Install lua-nginx-module

cd /mnt
wget https://github.com/openresty/lua-nginx-module/archive/v0.10.15.tar.gz
tar -xzvf v0.10.15.tar.gz

Compile Nginx with Lua modules

cd /mnt/nginx-1.18.0
./configure \
  --prefix=/etc/nginx \
  --add-module=/mnt/lua-nginx-module-0.10.15 \
  --add-module=/mnt/ngx_devel_kit-0.3.1 \
  --with-http_gzip_static_module \
  --with-http_realip_module \
  --with-http_ssl_module \
  --with-openssl=/mnt/openssl-1.1.1g \
  --with-zlib=/mnt/zlib-1.2.11 \
  --with-pcre=/mnt/pcre-8.44
make
make install

If Nginx fails to start with the error "error while loading shared libraries: libluajit-5.1.so.2", add the LuaJIT library path to /etc/ld.so.conf and run ldconfig:

echo "/usr/local/luajit/lib/" >> /etc/ld.so.conf
ldconfig

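Test the Lua integration by adding this directive to a location block in nginx.conf, reloading Nginx, and requesting that location: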

content_by_lua 'ngx.say("hello, lua")';

Method 2: Install OpenResty directly

cd /opt
tar -xzvf openresty-1.15.8.3.tar.gz
cd openresty-1.15.8.3
./configure \
  --prefix=/opt/openresty \
  --with-pcre=/opt/pcre-8.44 \
  --with-zlib=/opt/zlib-1.2.11 \
  --with-openssl=/opt/openssl-1.1.1g \
  --with-poll_module \
  --with-http_v2_module \
  --with-http_realip_module \
  --with-http_addition_module \
  --with-stream \
  --with-stream_ssl_module \
  --with-stream_ssl_preread_module \
  --with-http_ssl_module
make
make install

After installation, the same test as in Method 1 should work.

WAF module installation

cd /opt/openresty/lualib
git clone https://github.com/loveshell/ngx_lua_waf.git waf

Add the following directives to the http block of the OpenResty nginx.conf:

lua_package_path "/opt/openresty/lualib/waf/?.lua";
lua_shared_dict limit 10m;
init_by_lua_file /opt/openresty/lualib/waf/init.lua;
access_by_lua_file /opt/openresty/lualib/waf/waf.lua;

The WAF directory contains config.lua, init.lua, a wafconf folder with rule files, and waf.lua. Example config.lua enables URL blocking, cookie and POST protection, IP whitelist/blacklist, and optional CC attack mitigation.

Test the WAF by requesting a malicious URL; seeing a block page confirms successful installation.
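A static check of the configuration described above, as an added example that is not part of the original article or of ngx_lua_waf: it confirms that the four directives are active in nginx.conf and that config.lua points at this install's wafconf folder. The function name audit_waf is hypothetical, and the RulePath key is assumed to be named as in the config.lua shipped in the ngx_lua_waf repository.

```shell
#!/bin/sh
# Added example, not from the original article or the ngx_lua_waf project.
# Usage: audit_waf path/to/nginx.conf /opt/openresty/lualib/waf

# audit_waf NGINX_CONF WAF_DIR
# Prints one line per finding and returns the number of findings (0 = clean).
audit_waf() {
    conf=$1; waf=${2%/}; n=0
    # Drop comments and squeeze whitespace so that a commented-out
    # "#access_by_lua_file ..." line does not count as present.
    active=$(sed 's/#.*//' "$conf" | tr -s ' \t' ' ')
    has() { printf '%s\n' "$active" | grep -qF -- "$1"; }
    finding() { echo "FINDING: $1"; n=$((n + 1)); }

    has "init_by_lua_file $waf/init.lua;" ||
        finding "init_by_lua_file does not load $waf/init.lua"
    has "access_by_lua_file $waf/waf.lua;" ||
        finding "access_by_lua_file does not run $waf/waf.lua (requests not inspected)"
    has "lua_shared_dict limit " ||
        finding "lua_shared_dict limit is missing (needed for CC mitigation)"
    printf '%s\n' "$active" | grep -F 'lua_package_path' | grep -qF -- "$waf/?.lua" ||
        finding "lua_package_path does not include $waf/?.lua"

    # Assumption: config.lua sets RulePath (key name as in the ngx_lua_waf
    # repository). It must name the wafconf folder of this install.
    grep -E '^[[:space:]]*RulePath[[:space:]]*=' "$waf/config.lua" 2>/dev/null |
        grep -qF -- "\"$waf/wafconf/\"" ||
        finding "RulePath in $waf/config.lua is not \"$waf/wafconf/\""
    return "$n"
}
```

A non-zero return means the WAF may be installed but not actually enforcing, so run the check after every change to nginx.conf and before the block-page test.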
