How to Install OpenResty on CentOS and Deploy a Lua‑Based Web Application Firewall

This guide walks you through installing OpenResty—a high‑performance Nginx/Lua web platform—on CentOS, adding a ready‑made Lua WAF module, configuring its various security rules (IP blacklist/whitelist, CC protection, URL, User‑Agent, GET/POST filters), and troubleshooting common issues.

MaGe Linux Operations

OpenResty Overview

OpenResty® is a high‑performance web platform that combines Nginx with Lua, integrating many Lua libraries and third‑party modules. It enables building dynamic web applications, services, and gateways capable of handling tens of thousands of concurrent connections by leveraging Nginx's non‑blocking I/O model.

OpenResty Installation (CentOS 7.6)

1. Install dependency packages

yum install gcc-c++ libtool gmake make -y
yum install pcre-devel openssl-devel zlib-devel readline-devel -y

2. Create nginx user and group

groupadd nginx
useradd -d /home/nginx -g nginx -s /sbin/nologin nginx

3. Download, compile and install OpenResty

wget https://openresty.org/download/openresty-1.17.8.2.tar.gz
tar xf openresty-1.17.8.2.tar.gz
cd openresty-1.17.8.2
./configure --prefix=/usr/local/openresty \
    --sbin-path=/usr/local/openresty/nginx/sbin/nginx \
    --conf-path=/usr/local/openresty/nginx/conf/nginx.conf \
    --pid-path=/usr/local/openresty/nginx/run/nginx.pid \
    --error-log-path=/usr/local/openresty/nginx/logs/error.log \
    --http-log-path=/usr/local/openresty/nginx/logs/access.log \
    --user=nginx --group=nginx \
    --with-pcre --with-stream --with-threads \
    --with-file-aio --with-http_v2_module \
    --with-http_ssl_module --with-http_realip_module \
    --with-http_gzip_static_module --with-http_stub_status_module
make && make install

4. Add OpenResty to the system PATH

Create /etc/profile.d/openresty.sh (for example with vim) containing the following line:

export PATH=/usr/local/openresty/bin:$PATH

Reload the profile (source /etc/profile.d/openresty.sh) or log out and back in to apply the change.

What Is a WAF?

A Web Application Firewall (WAF) protects web applications by applying a set of HTTP/HTTPS security policies, filtering malicious requests before they reach the backend.

Implementing the WAF with OpenResty

The WAF is provided as a set of Lua scripts (access.lua, init.lua, lib.lua, etc.) that can be cloned from GitHub. The main steps are:

Clone the repository and copy the waf directory into /usr/local/openresty/nginx/conf/.

Configure Nginx to load the WAF Lua scripts.

Reload OpenResty and verify that the WAF is active.

WAF Configuration File (config.lua)

config_waf_enable = "on"          -- enable or disable the WAF
config_log_dir = "/tmp"           -- log directory (JSON format)
config_rule_dir = "/usr/local/openresty/nginx/conf/waf/rule-config"  -- rule files location
config_white_url_check = "on"
config_white_ip_check = "on"
config_black_ip_check = "on"
config_url_check = "on"
config_url_args_check = "on"
config_user_agent_check = "on"
config_cookie_check = "on"
config_cc_check = "on"
config_cc_rate = "10/60"          -- 10 requests per 60 seconds per IP
config_post_check = "on"
config_waf_output = "html"        -- response type (html or redirect)
config_waf_redirect_url = "https://www.unixhot.com"
config_output_html = [[
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8"/>
<title>网站防火墙</title>
</head>
<body>
<h1 align="center">欢迎白帽子进行授权安全测试,安全漏洞请联系QQ:1111111。</h1>
</body>
</html>
]]

IP Blacklist Configuration

Enable config_black_ip_check = "on" and add one IP per line to /usr/local/openresty/nginx/conf/waf/rule-config/blackip.rule, e.g.:

192.168.31.14

Requests from these IPs receive a 403 response.

IP Whitelist Configuration

Enable config_white_ip_check = "on" and list allowed IPs in whiteip.rule. Whitelisted IPs bypass all WAF checks.

CC Attack Protection

Enable config_cc_check = "on" and set config_cc_rate. When an IP exceeds the defined request rate for a single URL, it is temporarily blocked (default 10 requests per 60 seconds).

URL Filtering Rules

Enable config_url_check = "on" and edit url.rule. Example patterns block access to .htaccess, .bash_history, backup files, phpMyAdmin, .svn directories, etc.

\.(htaccess|bash_history)
\.(bak|inc|old|mdb|sql|backup|java|class|tgz|gz|tar|zip)$
(phpmyadmin|jmx-console|admin-console|jmxinvokerservlet)
java\.lang
\.svn/
/(attachments|upimg|images|css|uploadfiles|html|uploads|templets|static|template|data|inc|forumdata|upload|includes|cache|avatar)/\w+\.(php|jsp)
/login

User‑Agent Filtering

Enable config_user_agent_check = "on". The default useragent.rule blocks known scanning tools (HTTrack, nmap, sqlmap, Nikto, etc.). Additional patterns can be added, e.g. to block Chrome:

(HTTrack|harvest|audit|dirbuster|pangolin|nmap|sqln|scan|hydra|Parser|libwww|BBBike|sqlmap|w3af|owasp|Nikto|fimap|havij|PycURL|zmeu|BabyKrokodil|netsparker|httperf|bench|Chrome)

GET Parameter Filtering

Enable config_url_args_check = "on". The default args.rule contains regular expressions that detect SQL injection, command execution, file inclusion, XSS, and other malicious payloads.

POST Parameter Filtering

Enable config_post_check = "on". The post.rule file mirrors the GET rules and inspects POST bodies for the same threats.
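The following is an added illustration, not code from the article or from the WAF project it describes: a self-contained nginx.conf whose access_by_lua_block performs the same kinds of checks that the config.lua switches above turn on (IP whitelist and blacklist, CC rate limiting in the "10/60" format, then URL, User-Agent and query-string regex rules). The rule lists are kept in Lua tables inside init_by_lua_block purely for the example; the real project reads them one regex per line from the files in config_rule_dir, URL-decodes arguments before matching, and also inspects POST bodies. The shared-dict name waf_limit, the whitelist entry 127.0.0.1 and the args patterns are assumptions; the blacklist entry and the URL/User-Agent patterns are taken from the page.

```nginx
worker_processes 1;
events { worker_connections 1024; }

http {
    # shared memory zone holding the per-IP request counters (name and size assumed)
    lua_shared_dict waf_limit 10m;

    init_by_lua_block {
        -- rule tables stand in for the rule-config/*.rule files of the project
        WAF_RULES = {
            white_ip   = { "127.0.0.1" },                     -- assumed
            black_ip   = { "192.168.31.14" },                 -- page's blackip.rule example
            url        = { [[\.(htaccess|bash_history)]], [[\.svn/]] },
            user_agent = { [[(HTTrack|nmap|sqlmap|Nikto)]] },
            args       = { [[union\s+select]], [[<script]] }, -- placeholder patterns, not the project's args.rule
        }
        WAF_CC_RATE = "10/60"   -- same "requests/seconds" format as config_cc_rate
    }

    server {
        listen 80;

        access_by_lua_block {
            local client_ip = ngx.var.remote_addr

            -- true when any regex in the list matches the string
            local function matches_any(str, rules)
                if not str then return false end
                for _, rule in ipairs(rules) do
                    -- i: case-insensitive, s: single-line, j: PCRE JIT, o: compile once and cache
                    if ngx.re.find(str, rule, "isjo") then
                        return true
                    end
                end
                return false
            end

            -- send a custom 403 page; ngx.exit(ngx.HTTP_OK) ends the request
            -- after the body has been written (pattern from the ngx_lua docs)
            local function block()
                ngx.status = ngx.HTTP_FORBIDDEN
                ngx.header.content_type = "text/html"
                ngx.say("<html><body><h1>Blocked by WAF</h1></body></html>")
                return ngx.exit(ngx.HTTP_OK)
            end

            -- 1. whitelisted IPs bypass every other check
            for _, ip in ipairs(WAF_RULES.white_ip) do
                if client_ip == ip then return end
            end

            -- 2. blacklisted IPs are refused outright
            for _, ip in ipairs(WAF_RULES.black_ip) do
                if client_ip == ip then return block() end
            end

            -- 3. CC check: count requests per IP and URL inside a fixed window
            local max, window = WAF_CC_RATE:match("^(%d+)/(%d+)$")
            max, window = tonumber(max), tonumber(window)
            local key = client_ip .. ngx.var.uri
            -- incr with init=0 and init_ttl=window creates the counter with an
            -- expiry on the first hit, so the window resets automatically
            local count, err = ngx.shared.waf_limit:incr(key, 1, 0, window)
            if not count then
                ngx.log(ngx.ERR, "cc counter failed: ", err)
            elseif count > max then
                return ngx.exit(ngx.HTTP_SERVICE_UNAVAILABLE)
            end

            -- 4. URL, User-Agent and GET-parameter regex rules
            if matches_any(ngx.var.request_uri, WAF_RULES.url)
               or matches_any(ngx.var.http_user_agent, WAF_RULES.user_agent)
               or matches_any(ngx.var.query_string, WAF_RULES.args) then
                return block()
            end
        }

        location / {
            return 200 "ok\n";
        }
    }
}
```

Ordering matters: the whitelist runs first so a trusted address is never counted against the CC limit or blocked by a regex, and the CC counter runs before the pattern rules so a flood of obviously malicious requests is cut off cheaply. Because the counter lives in lua_shared_dict, all worker processes share it; a counter kept in a plain Lua table would be per-worker and would let a client exceed the rate by a factor of worker_processes.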

Troubleshooting

If you see errors like "failed to load the 'resty.core' module", install the missing lua-resty-core library:

git clone https://github.com/openresty/lua-resty-core.git

Then add its path to lua_package_path in the Nginx configuration.
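As an added example (not the article's or the WAF project's own configuration), here is the nginx.conf wiring that step 2 of the deployment ("Configure Nginx to load the WAF Lua scripts") and the troubleshooting note above require. The script paths come from the page; the shared-dict name and size, the clone location of lua-resty-core and the server block are assumptions.

```nginx
worker_processes 1;
events { worker_connections 1024; }

http {
    # Lua module search path: the waf directory, the lua-resty-core checkout
    # from the troubleshooting step (clone location assumed), and the trailing
    # ";;" which keeps OpenResty's default lualib path where resty/core.lua is
    # normally bundled. Omitting ";;" is a common way to trigger the
    # "failed to load the 'resty.core' module" error.
    lua_package_path "/usr/local/openresty/nginx/conf/waf/?.lua;/usr/local/openresty/lua-resty-core/lib/?.lua;;";

    # shared memory zone used by the CC check counters (name and size assumed)
    lua_shared_dict limit 50m;

    # init.lua loads config.lua and the rule files once when the master starts;
    # access.lua then runs the checks in the access phase of every request
    init_by_lua_file   /usr/local/openresty/nginx/conf/waf/init.lua;
    access_by_lua_file /usr/local/openresty/nginx/conf/waf/access.lua;

    server {
        listen 80;

        location / {
            root  html;
            index index.html;
        }
    }
}
```

After editing, validate and reload with the binary that the PATH step made available: openresty -t, then openresty -s reload. Rule-file edits are picked up only on reload, because init.lua reads them at start.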

Testing the WAF

Use curl with custom User‑Agents or malicious query strings to verify that the WAF returns the configured HTML block page and logs the event.

Original article: https://abcops.cn/1732.html – Author: 好好青年
Written by

MaGe Linux Operations

Founded in 2009, MaGe Education is a top Chinese high‑end IT training brand. Its graduates earn 12K+ RMB salaries, and the school has trained tens of thousands of students. It offers high‑pay courses in Linux cloud operations, Python full‑stack, automation, data analysis, AI, and Go high‑concurrency architecture. Thanks to quality courses and a solid reputation, it has talent partnerships with numerous internet firms.
