How to Install Nginx with Lua and WAF Using OpenResty on Linux

Web Application Firewall (WAF) protects web applications by enforcing security policies on HTTP/HTTPS traffic.

nginx+lua Installation Method

Method 1: Install nginx and integrate Lua module

Install LuaJIT

LuaJIT is a Just‑In‑Time compiler for Lua. Clone the source from GitHub and build it.

git clone https://github.com/openresty/luajit2.git
cd luajit2
make PREFIX=/usr/local/luajit
make install PREFIX=/usr/local/luajit

Add the following environment variables to /etc/profile and reload:

export LUAJIT_LIB=/usr/local/luajit/lib
export LUAJIT_INC=/usr/local/luajit/include/luajit-2.1

Install ngx_devel_kit (NDK)

cd /mnt
wget https://github.com/vision5/ngx_devel_kit/archive/v0.3.1.tar.gz
tar -xzvf v0.3.1.tar.gz

Install the latest lua-nginx-module

cd /mnt
wget https://github.com/openresty/lua-nginx-module/archive/v0.10.15.tar.gz
tar -xzvf v0.10.16rc5.tar.gz

Compile Nginx with Lua modules

cd /mnt/nginx-1.18.0
./configure \
  --prefix=/etc/nginx \
  --sbin-path=/usr/sbin/nginx \
  --modules-path=/usr/lib64/nginx/modules \
  --conf-path=/etc/nginx/nginx.conf \
  --error-log-path=/var/log/nginx/error.log \
  --http-log-path=/var/log/nginx/access.log \
  --pid-path=/var/run/nginx.pid \
  --lock-path=/var/run/nginx.lock \
  --user=nginx \
  --group=nginx \
  --with-http_gzip_static_module \
  --with-http_realip_module \
  --with-http_ssl_module \
  --with-openssl=/mnt/openssl-1.1.1g \
  --with-zlib=/mnt/zlib-1.2.11 \
  --with-pcre=/mnt/pcre-8.44 \
  --add-module=/mnt/lua-nginx-module-0.10.15 \
  --add-module=/mnt/ngx_devel_kit-0.3.1

Note: OpenSSL, PCRE, and Zlib must be downloaded and extracted to /mnt before configuring.

If Nginx fails to start with an error about libluajit-5.1.so.2, add the library path to /etc/ld.so.conf and run ldconfig:

echo "/usr/local/luajit/lib/" >> /etc/ld.so.conf
ldconfig

Test the Lua integration with a simple location:

content_by_lua 'ngx.say("hello, lua")';

Method 2: Directly install OpenResty

OpenResty is a high‑performance web platform based on Nginx and Lua, bundling many useful modules and dependencies.

cd /opt
tar -xzvf openresty-1.15.8.3.tar.gz
./configure \
  --prefix=/opt/openresty \
  --with-pcre=/opt/pcre-8.44 \
  --with-zlib=/opt/zlib-1.2.11 \
  --with-openssl=/opt/openssl-1.1.1g \
  --with-poll_module \
  --with-http_v2_module \
  --with-http_realip_module \
  --with-http_addition_module \
  --with-stream \
  --with-stream_ssl_module \
  --with-stream_ssl_preread_module \
  --with-http_ssl_module

gmake
gmake install

After installation, test using the steps from Method 1.

WAF Module Installation

The ngx_lua_waf project can be cloned and integrated with OpenResty:

cd /opt/openresty/lualib
git clone https://github.com/loveshell/ngx_lua_waf.git waf

Add the following directives to the OpenResty configuration:

lua_package_path "/opt/openresty/lualib/waf/?.lua";
lua_shared_dict limit 10m;
init_by_lua_file /opt/openresty/lualib/waf/init.lua;
access_by_lua_file /opt/openresty/lualib/waf/waf.lua;

The WAF directory structure:

[root@k8s-node lualib]# tree waf
waf
├── config.lua
├── init.lua
├── wafconf
│   ├── args
│   ├── cookie
│   ├── post
│   ├── url
│   ├── user-agent
│   └── whiteurl
└── waf.lua

1 directory, 9 files

Key configuration options in config.lua include rule paths, logging, URL and cookie filtering, IP whitelist/blacklist, and CC attack protection.

Test the WAF by requesting a malicious URL; a blocked response indicates successful installation.

Source: https://www.cnblogs.com/ltzhang/p/13544582.html