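# Dockerfile to build an image with OpenResty installed, compiled together with
# the ngx_cache_purge module and shipped with the ngx_lua_waf rule set.
# The base image is pulled from a registry at an internal address.
FROM 192.168.1.67/library/centos7.4:v1
MAINTAINER xiayun <xiay@baomihua.com>

# Install the compiler toolchain and the libraries OpenResty is built against.
# NOTE(review): gcc, make, wget and the -devel packages stay in the final image.
# A multi-stage build, or removing them after "gmake install", would shrink
# what is available inside a compromised container.
RUN yum install -y pcre-devel wget net-tools gcc zlib zlib-devel make openssl-devel unzip python-devel

# Download the sources. No WORKDIR is set, so "." resolves to "/".
# NOTE(review): none of the three downloads is integrity-checked before being
# compiled or copied into the web server:
#   - ngx_cache_purge is fetched over plain http, so the tarball can be altered
#     in transit;
#   - master.zip is an unpinned branch snapshot, so every build may pick up
#     different WAF code. Pin it to a reviewed commit archive instead
#     (placeholder: .../archive/<COMMIT_SHA>.zip).
# Verify each file against a digest recorded at review time before unpacking,
# e.g. (placeholder value):
#   echo "<EXPECTED_SHA256>  openresty-1.11.2.5.tar.gz" | sha256sum -c -
ADD https://openresty.org/download/openresty-1.11.2.5.tar.gz .
ADD http://labs.frickle.com/files/ngx_cache_purge-2.3.tar.gz .
ADD https://github.com/loveshell/ngx_lua_waf/archive/master.zip .

# Unpack the sources
RUN tar zxvf ngx_cache_purge-2.3.tar.gz
RUN tar -zxvf openresty-1.11.2.5.tar.gz
RUN unzip master.zip

# Build and install OpenResty with ngx_cache_purge compiled in
RUN cd openresty-1.11.2.5 && ./configure --prefix=/usr/local/openresty --with-luajit --with-http_stub_status_module --with-pcre --with-pcre-jit --add-module=../ngx_cache_purge-2.3/ && gmake && gmake install

# Directories for the WAF code and for its attack log (logdir in config.lua)
RUN mkdir /usr/local/openresty/nginx/conf/waf/
RUN mkdir /usr/local/openresty/nginx/logs/hack/

# Copy the *contents* of the unpacked WAF tree into conf/waf/.
# The target directory already exists, so "cp -r /ngx_lua_waf-master/ <dir>/"
# would create conf/waf/ngx_lua_waf-master/ instead. The later "mv .../waf/config.lua"
# would then fail, and nginx.conf could not find waf/init.lua and waf/waf.lua.
# The trailing "/." copies the directory contents.
RUN cp -r /ngx_lua_waf-master/. /usr/local/openresty/nginx/conf/waf/

# Keep the stock configuration files as backups, then install the ones that
# sit next to this Dockerfile in the build context.
RUN mv /usr/local/openresty/nginx/conf/nginx.conf /usr/local/openresty/nginx/conf/nginx.conf.bak
RUN mv /usr/local/openresty/nginx/conf/waf/config.lua /usr/local/openresty/nginx/conf/waf/config.bak
COPY .nginx_conf /usr/local/openresty/nginx/conf/nginx.conf
COPY config.lua /usr/local/openresty/nginx/conf/waf/config.lua

# Unprivileged account with no login shell; nginx.conf runs the workers as it
RUN useradd -s /sbin/nologin nginx

# Hand the installation (including logs/hack/, which the WAF writes to) to that
# account. "owner:group" is the supported separator; the "owner.group" form is
# a deprecated GNU extension.
# NOTE(review): this also makes the nginx binary, nginx.conf and the WAF Lua
# code writable by the worker account. Limiting the chown to the log and
# temp directories would keep a compromised worker from rewriting them.
RUN chown -R nginx:nginx /usr/local/openresty/
RUN chown -R nginx:nginx /ngx_cache_purge-2.3

# Expose port 80
EXPOSE 80

# Start OpenResty in the foreground. Exec form makes nginx PID 1 so that
# "docker stop" signals reach it directly instead of an intermediate /bin/sh.
# The master process starts as root (needed to bind port 80) and the workers
# drop to the nginx user via the "user" directive in nginx.conf.
CMD ["/usr/local/openresty/nginx/sbin/nginx", "-g", "daemon off;"]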

附1:.nginx_conf 与Dockerfile在同一路径

# nginx.conf for the OpenResty container: one HTTP server on port 80 with the
# ngx_lua_waf scripts hooked in at the http level.

# Worker processes run as the unprivileged nginx user and group.
user  nginx nginx;
worker_processes 2;
error_log  /usr/local/openresty/nginx/logs/nginx_error.log  error;
pid        /usr/local/openresty/nginx/nginx.pid;
worker_rlimit_nofile 65535;
events
{
    use epoll;
    worker_connections 65535;
}
http
{
    # WAF wiring: Lua module search path, a 10 MB shared dictionary named
    # "limit", an init script loaded at startup, and an access-phase script.
    # access_by_lua_file is declared at http level, so it applies to every
    # server and location below unless overridden.
    lua_package_path "/usr/local/openresty/nginx/conf/waf/?.lua";
    lua_shared_dict limit 10m;
    init_by_lua_file  /usr/local/openresty/nginx/conf/waf/init.lua;
    access_by_lua_file /usr/local/openresty/nginx/conf/waf/waf.lua;
    include       mime.types;
    default_type  application/octet-stream;
    charset   utf-8;
    # Do not advertise the nginx version in error pages and the Server header.
    server_tokens off;
    # Access log formats. $http_referer, $http_user_agent and
    # $http_x_forwarded_for are client-supplied; treat them as untrusted when
    # the logs are parsed or displayed.
    log_format main '$host $status [$time_local] $upstream_addr $remote_addr - $remote_user [$time_local] $request_uri '
                    '"$http_referer" "$http_user_agent" "$http_x_forwarded_for" '
                    '$bytes_sent $request_time $sent_http_x_cache_hit "$upstream_cache_status"';
    log_format log404 '$status [$time_local] $remote_addr $host$request_uri $sent_http_location';
    server_names_hash_bucket_size 128;
    client_header_buffer_size 32k;
    large_client_header_buffers 4 32k;
    # Request bodies up to 300 MB are accepted.
    # NOTE(review): confirm this limit is really needed. Large bodies cost
    # disk and memory, and body inspection by the WAF depends on config.lua.
    client_max_body_size 300m;
    sendfile on;
    fastcgi_intercept_errors on;
    tcp_nopush     on;
    keepalive_timeout 20;
    tcp_nodelay on;
    client_body_timeout 10;
    client_body_buffer_size  512k;
    gzip on;
    gzip_min_length  1k;
    gzip_buffers     4 16k;
    gzip_http_version 1.1;
    gzip_comp_level 2;
    gzip_types       text/plain application/x-javascript text/css application/xml;
    gzip_vary on;
    send_timeout 60;
    open_file_cache max=200000 inactive=20s;
    open_file_cache_valid 30s;
    open_file_cache_min_uses 2;
    open_file_cache_errors on;
    # Server Side Includes are processed for text/shtml (and text/html, which
    # nginx always includes). NOTE(review): disable this if nothing served here
    # uses SSI.
    ssi on;
    ssi_silent_errors on;
    ssi_types text/shtml;
    server
    {
        listen       80;
        server_name  localhost;
        index index.html index.htm index.shtml index.php;

        root /usr/local/openresty/nginx/html;

        # Reject requests whose User-Agent matches a known crawler name.
        # The header is set by the client, so this only keeps out crawlers that
        # identify themselves. It is not an access control.
        if ($http_user_agent ~* "Baiduspider-render|qihoobot|Baiduspider|Googlebot|Googlebot-Mobile|Googlebot-Image|Mediapartners-Google|Adsbot-Google|Feedfetcher-Google|Yahoo! Slurp|Yahoo! Slurp China|YoudaoBot|Sosospider|Sogou spider|Sogou web spider|MSNBot|ia_archiver|Tomato Bot")
        {
            return 403;
        }
        # Hand *.php requests to a FastCGI backend over a unix socket.
        # NOTE(review): SCRIPT_FILENAME is built from /usr/local/nginx/html,
        # which differs from the "root" above (/usr/local/openresty/nginx/html).
        # Confirm which path the PHP backend expects. $document_root would keep
        # the two in sync.
        # NOTE(review): any URI ending in .php is forwarded without checking
        # that the file exists. When nginx and the backend share a filesystem,
        # "try_files $uri =404;" is the usual guard.
        # NOTE(review): the socket lives in /tmp. Check its ownership and mode
        # so that only nginx and the PHP backend can use it.
        location ~ \.php$ {
            include fastcgi_params;
            fastcgi_pass unix:/tmp/php-fcgi.sock;
            fastcgi_index index.php;
            fastcgi_param SCRIPT_FILENAME /usr/local/nginx/html$fastcgi_script_name;
        }
    }
}

附2:config.lua与Dockerfile同一路径

-- ngx_lua_waf settings, installed as conf/waf/config.lua. Every name below is
-- a plain global assignment; this file does not show how the WAF scripts
-- (init.lua / waf.lua) interpret them. The option descriptions follow the
-- upstream ngx_lua_waf README and should be confirmed against the version
-- that is actually deployed.

-- Directory holding the rule files.
RulePath = "/usr/local/openresty/nginx/conf/waf/wafconf/"
-- Attack logging is enabled; entries go to logdir, which must be writable by
-- the user the nginx workers run as.
attacklog = "on"
logdir = "/usr/local/openresty/nginx/logs/hack/"
-- NOTE(review): URL, cookie and POST-body checks are all set to "off" here,
-- as are CC (request-rate) limiting and the URL whitelist module. With these
-- values the WAF is loaded but most of its request inspection is disabled.
-- Confirm this is intended for anything beyond a first test deployment.
UrlDeny="off"
-- NOTE(review): in upstream ngx_lua_waf the block page is, as far as I recall,
-- only returned when Redirect is on. With "off", matches may be logged without
-- the request being rejected. Verify this in init.lua.
Redirect="off"
CookieMatch="off"
postMatch="off"
whiteModule="off"
-- File extensions that should be refused on upload.
-- NOTE(review): presumably enforced by the POST check, which is off above.
black_fileExt={"php","jsp"}
-- Addresses in the whitelist skip WAF checks, so keep this list minimal.
-- NOTE(review): check how the WAF derives the client address. If it ever
-- trusts a request header, a whitelist entry can be spoofed.
ipWhitelist={"127.0.0.1","192.168.20.25"}
ipBlocklist={}
-- Rate limiting ("CC" protection) switch and threshold. Per the upstream
-- README the format is requests/seconds, and the feature relies on the
-- "lua_shared_dict limit" zone declared in nginx.conf.
CCDeny="off"
CCrate="100/60"
-- HTML body of the block page shown to the client. The Chinese text reads
-- roughly: "Website firewall - your request contains illegal parameters and
-- has been blocked by the site administrator. Possible cause: the submitted
-- content contains a dangerous attack request. How to resolve: 1) check the
-- submitted content; 2) if the site is hosted, contact the hosting provider;
-- 3) ordinary visitors, contact the site administrator."
html=[[
<html xmlns="http://www.w3.org/1999/xhtml"><head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<title>网站防火墙</title>
<style>
p {
        line-height:20px;
}
ul{ list-style-type:none;}
li{ list-style-type:none;}
</style>
</head>
 
<body style=" padding:0; margin:0; font:14px/1.5 Microsoft Yahei, 宋体,sans-serif; color:#555;">
 
 
<div style="margin: 0 auto; width:1000px; padding-top:70px; overflow:hidden;">
   
   
  <div style="width:600px; float:left;">
    <div style=" height:40px; line-height:40px; color:#fff; font-size:16px; overflow:hidden; background:#6bb3f6; padding-left:20px;">网站防火墙 </div>
    <div style="border:1px dashed #cdcece; border-top:none; font-size:14px; background:#fff; color:#555; line-height:24px; height:220px; padding:20px 20px 0 20px; overflow-y:auto;background:#f3f7f9;">
      <p style=" margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px;"><span style=" font-weight:600; color:#fc4f03;">您的请求带有不合法参数,已被网站管理员设置拦截!</span></p>
<p style=" margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px;">可能原因:您提交的内容包含危险的攻击请求</p>
<p style=" margin-top:12px; margin-bottom:12px; margin-left:0px; margin-right:0px; -qt-block-indent:1; text-indent:0px;">如何解决:</p>
<ul style="margin-top: 0px; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; -qt-list-indent: 1;"><li style=" margin-top:12px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px;">1)检查提交内容;</li>
<li style=" margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px;">2)如网站托管,请联系空间提供商;</li>
<li style=" margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px;">3)普通网站访客,请联系网站管理员;</li></ul>
    </div>
  </div>
</div>
</body></html>
]]