Design And Implementation Of Web Application Firewall Based On Nginx

Posted on: 2019-05-19
Degree: Master
Type: Thesis
Country: China
Candidate: Y W Wang
GTID: 2348330545458510
Subject: Computer technology

Abstract/Summary:
With the rapid development of web technology, more and more enterprises deploy their applications in the form of web applications. The popularity of web applications has also brought a large number of web attacks, which seriously affect the normal operation of web applications. A Web Application Firewall is an attack detection system that sits between users and web applications and performs attack detection on users' HTTP requests. Attack requests are blocked and normal requests are delivered to the web server. In this way, the Web Application Firewall protects web applications from various web attacks. Building on Nginx, this paper designs and implements a distributed Web Application Firewall that addresses the poor flexibility and low detection efficiency of Web Application Firewalls. The main research contents include:

1. Design and implementation of an attack detection engine based on regular expression matching. The attack detection engine is implemented on top of Nginx and performs attack detection on users' HTTP requests. It matches the content of each request against a blacklist rule library. When an attack is detected, the request is intercepted. The main attacks that can be detected include SQL Injection, Cross-Site Scripting, File Inclusion, Directory Traversal, File Upload, Code Execution and Command Execution. The attack detection engine identifies and decodes the content of the user's request, so as to prevent an attacker from bypassing the Web Application Firewall by encoding the request content. To improve the detection efficiency of the attack detection engine, a regular expression matching engine is designed and implemented. The regular expression matching engine is based on a virtual machine similar to the Java virtual machine: it compiles each regular expression rule into an intermediate program and runs the virtual machine to execute that program, which completes the regular expression match. The matching algorithm does not backtrack, and the engine has high detection efficiency.

2. Design and implementation of the distributed architecture of the Web Application Firewall. The distributed architecture consists of three main parts: attack detection nodes, a service registration center and a load balance server. The attack detection nodes process all detection tasks. All detection nodes register with the service registration center and upload their identity information and resource information to it. This information is updated periodically. The load balance server monitors changes in the node resource information and obtains the latest node information in real time. The load balance server selects the detection node to which each detection task is distributed according to the resource information.

3. Design and implementation of a real-time log processing system. The functions of the log processing system mainly include log collection, log storage and log processing. The log processing system collects, in real time, the attack log data produced on every detection node. The log data is stored and, at the same time, transferred to a buffer queue. The log processing program reads the log data from the buffer queue, processes it, and saves the result to the database. The processing results are displayed through a web interface.
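The compile-then-execute, non-backtracking matching described in item 1 can be illustrated with a Thompson/Pike-style thread VM. This is an added Python example, not code from the thesis: the instruction names, the supported regex subset and the sample rule are assumptions, and the thesis's own engine may differ.

```python
def compile_rx(pattern):
    """Compile a regex subset (literals . * + ? | and groups) into VM instructions."""
    pos = 0
    def alt():
        nonlocal pos
        code = seq()
        while pos < len(pattern) and pattern[pos] == "|":
            pos += 1; rhs = seq()
            code = [("split", 1, len(code) + 2)] + code + [("jmp", len(rhs) + 1)] + rhs
        return code
    def seq():
        code = []
        while pos < len(pattern) and pattern[pos] not in "|)":
            code += repeat()
        return code
    def repeat():
        nonlocal pos
        c = pattern[pos]; pos += 1
        if c == "(":
            atom = alt(); pos += 1                      # consume ')'
        else:
            atom = [("any",)] if c == "." else [("char", c)]
        if pos < len(pattern) and pattern[pos] in "*+?":
            op, n = pattern[pos], len(atom); pos += 1   # jump offsets are relative to the pc
            if op == "*": atom = [("split", 1, n + 2)] + atom + [("jmp", -n - 1)]
            elif op == "+": atom = atom + [("split", -n, 1)]
            else: atom = [("split", 1, n + 1)] + atom
        return atom
    return alt() + [("match",)]

def search(prog, text):
    """Run every thread in lockstep over text; return (matched, VM steps executed)."""
    def add(threads, pc):                               # follow jmp/split without reading input
        if pc in threads: return                        # each pc is queued once per position
        threads[pc] = True
        if prog[pc][0] in ("jmp", "split"):
            for off in prog[pc][1:]: add(threads, pc + off)
    cur, steps = {}, 0
    for i in range(len(text) + 1):
        add(cur, 0)                                     # unanchored: start an attempt at each offset
        nxt = {}
        for pc in cur:
            steps += 1
            if prog[pc] == ("match",): return True, steps
            if i < len(text) and prog[pc] in (("any",), ("char", text[i])):
                add(nxt, pc + 1)
        cur = nxt
    return False, steps

SAMPLE_RULE = compile_rx("union +(all +)?select")       # constructed rule, not from the thesis
```

Because each instruction is queued at most once per input position, the step count never exceeds `len(prog) * (len(text) + 1)`, whatever the rule or the request content.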
Keywords/Search Tags:Web Application Firewall, attack detection, Regular Expression, distributed architecture, log processing