
jx-sec / Jxwaf

Licence: gpl-2.0
JXWAF (锦衣盾) is an open-source web application firewall.


JXWAF


Introduction

JXWAF is an open-source web application firewall.

Notice

  • JXWAF version 3 officially released (2020-10-01)

Features

  • Application security protection
    • Semantic protection engine
    • Web attack IP handling
    • Custom rules
    • Custom block page
  • Traffic security protection
    • CC (HTTP flood) attack protection
    • CC attack IP handling
    • IP blacklist / whitelist
  • Business security protection
    • TODO

Architecture

JXWAF consists of jxwaf nodes and the jxwaf management center:

Environment

  • jxwaf node
    • CentOS 7
    • OpenResty 1.15.8.3
  • jxwaf management center
    • CentOS 7
    • Python 2.7
    • Django 1.9.2

Quick Deploy (source code deployment)

Environment requirements

  • Server OS: CentOS 7.4

Management center deployment

  1. $ cd /opt
  2. $ git clone https://github.com/jx-sec/jxwaf-mini-server.git
  3. $ cd jxwaf-mini-server/
  4. $ sh install.sh
  5. $ pip install -r requirements.txt
  6. $ python manage.py makemigrations
  7. $ python manage.py migrate
  8. $ nohup python manage.py runserver 0.0.0.0:80 &
  9. Assuming the management center IP is 10.0.0.1, open http://10.0.0.1 to register, then log in. Under WAF Update -> Semantic Engine Update, select a semantic engine version and load it. Under WAF Update -> Bot Detection Update, select a bot detection version and load it, and also click Random KEY Update to load the KEY used by bot detection.

Node deployment

  1. $ cd /tmp
  2. $ git clone https://github.com/jx-sec/jxwaf.git
     Note: GitHub downloads are slow from servers inside China, so a Baidu Netdisk mirror is provided; this copy is not updated often.
     https://pan.baidu.com/s/1WAt077rrOSNZj1E4X1u6pw  extraction code: vcgw
  3. $ cd jxwaf
  4. $ sh install_waf.sh
  5. Output similar to the following after the script runs means the installation succeeded:
nginx: the configuration file /opt/jxwaf/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /opt/jxwaf/nginx/conf/nginx.conf test is successful
  6. Assuming the management center IP is 10.0.0.1, open http://10.0.0.1 to register, then log in and obtain the "api key" and "api password" from the Global Configuration page under WAF Management.
  7. $ cd tools
  8. $ python jxwaf_local_init.py --api_key=a2dde899-96a7-40s2-88ba-31f1f75f1552 --api_password=653cbbde-1cac-11ea-978f-2e728ce88125 --waf_server=http://10.0.0.1
  9. api_key is the value of "api key" on the Global Configuration page and api_password is the value of "api password". Output similar to the following after the script finishes means the initialization succeeded:
config file:  /opt/jxwaf/nginx/conf/jxwaf/jxwaf_config.json
config result:
init success,access_id is d7b9fe12-606c-4ca8-bcb5-3dde9853e5f4,access_secret is af5cfc8d-d564-44dd-ba11-f1fecdf95706
auth result:
try to connect jxwaf server auth api_key and api_password,result is True
  10. $ /opt/jxwaf/nginx/sbin/nginx
  11. This starts openresty. On startup or reload, openresty automatically pulls the latest user-configured rules from the jxwaf management center and then syncs the configuration periodically; the sync period can be set on the Global Configuration page.

Quick Deploy (Docker deployment)

Environment requirements

  • Docker

Docker installation docs: https://docs.docker.com/get-docker/

Management center deployment

  1. docker pull jxwaf/jxwaf-mini-server:v20201104
  2. docker run -p 80:80 -d jxwaf/jxwaf-mini-server:v20201104
  3. Assuming the management center IP is 10.0.0.1, open http://10.0.0.1 to register, then log in. Under WAF Update -> Semantic Engine Update, select a semantic engine version and load it. Under WAF Update -> Bot Detection Update, select a bot detection version and load it, and also click Random KEY Update to load the KEY used by bot detection.

Node deployment

  1. docker pull jxwaf/jxwaf:v20201104
  2. Assuming the management center IP is 10.0.0.1, open http://10.0.0.1 to register, then log in and obtain the "api key" and "api password" from the Global Configuration page under WAF Management.
  3. docker run -p80:80 --env JXWAF_API_KEY=193b002d-5f3e-45a0-85d1-dba8f7c27b64 --env JXWAF_API_PASSWD=c7a648c3-48f3-459a-bc93-1bbc7932f60e --env WAF_UPDATE_WEBSITE=http://10.0.0.1 jxwaf/jxwaf:v20201104
  4. JXWAF_API_KEY is the value of "api key" on the Global Configuration page, JXWAF_API_PASSWD is the value of "api password", and WAF_UPDATE_WEBSITE is the address of the management center. Assuming the container ID after starting is efda21c02e72, running the command below and seeing output similar to the following means the node is running normally. Note that the first log lines echo the node configuration, including the api key and api password, so restrict who can read the container logs.
  5. docker logs efda21c02e72
{
    "waf_api_key": "193b002d-5f3e-45a0-85d1-dba8f7c27b64",
    "waf_api_password": "c7a648c3-48f3-459a-bc93-1bbc7932f60e",
    "waf_update_website": "http://10.0.0.1/waf_update",
    "waf_monitor_website": "http://10.0.0.1/waf_monitor",
    "waf_local":"false",
    "server_info":"|efda21c02e72",
    "waf_node_monitor":"true"
}
nginx: [alert] [lua] waf.lua:647: init(): jxwaf init success,waf node uuid is ad7b29de-858a-4781-ba1c-53ca92506bfd
2020/11/02 17:01:44 [alert] 20#0: [lua] waf.lua:647: init(): jxwaf init success,waf node uuid is ad7b29de-858a-4781-ba1c-53ca92506bfd
2020/11/02 17:01:45 [alert] 23#0: *2 [lua] waf.lua:401: monitor report success, context: ngx.timer
2020/11/02 17:01:45 [error] 23#0: *4 [lua] waf.lua:483: bot check standard key count is 10, context: ngx.timer
2020/11/02 17:01:45 [error] 23#0: *4 [lua] waf.lua:484: bot check key image count is 10, context: ngx.timer
2020/11/02 17:01:45 [error] 23#0: *4 [lua] waf.lua:485: bot check key slipper count is 10, context: ngx.timer
2020/11/02 17:01:45 [alert] 23#0: *4 [lua] waf.lua:502: global config info md5 is 0f1515005b96d11464bbd130ceb6b902,update config info success, context: ngx.timer

Best Practices

JXWAF best practices

Articles

Follow the WeChat official account JXWAF

Contributors

  • chenjc: WAF engine development, management center development
  • jiongrizi: management center front-end development, bot detection (人机识别) development, JXWAF Assistant mini-program development
  • thankfly: logging, big data analysis platform and machine learning platform development

Bugs & Feature Requests

  • Submit bugs or feature requests on GitHub
  • QQ group 730947092
  • Email [email protected]
  • WeChat/QQ 574604532 (please mention jxwaf when adding)

Acknowledgements

  • P4NY ([email protected]): found a bypass in the SQL semantic detection engine
  • zhutougg (github): found an upload bypass
  • Neo (236309539): found a bypass in the SQL semantic detection engine
  • 1249648969 (QQ number): found a generic openresty bypass
  • kulozzzz (Github): compared JXWAF against a vendor's semantic engine and found an XSS bypass