1、安装pcre

yum -y install pcre-devel  openssl openssl-devel zlib zlib-devel

2、安装 openResty

cd /usr/local/
wget https://openresty.org/download/openresty-1.11.2.2.tar.gz
tar xf openresty-1.11.2.2.tar.gz
cd openresty-1.11.2.2
./configure
gmake && gmake install

建立用户www，供nginx使用

useradd www -M -s /sbin/nologin

3、配置nginx

vim /usr/local/openresty/nginx/conf/nginx.conf
user  www;
worker_processes  1;events {worker_connections  1024;
}http {include       mime.types;default_type  application/octet-stream;sendfile        on;keepalive_timeout  65;server {listen       80;server_name localhost;location / {default_type text/html;content_by_lua_block {ngx.say("Hello World！");}}}}

保存配置文件，启动nginx

ln -s /usr/local/openresty/nginx/sbin/nginx /usr/sbin/nginx
nginx  //启动nginx

curl localhost
# 打印Hello World!

4、下载ngx_lua_waf模块

cd /usr/local/openresty/nginx
git clone https://github.com/loveshell/ngx_lua_waf.git

在nginx的http模块中添加

lua_package_path "/usr/local/openresty/nginx/ngx_lua_waf/?.lua";
lua_shared_dict limit 10m;
init_by_lua_file /usr/local/openresty/nginx/ngx_lua_waf/init.lua;
access_by_lua_file /usr/local/openresty/nginx/ngx_lua_waf/waf.lua;

进入ngx_lua_waf安装目录，并修改config.lua

RulePath = "/usr/local/openresty/nginx/ngx_lua_waf/wafconf/"
attacklog = "on"
logdir = "/usr/local/openresty/nginx/logs/ngx_lua_waf/"
UrlDeny="on"
Redirect="on"
CookieMatch="on"
postMatch="on"
whiteModule="on"
black_fileExt={"php","jsp"}
ipWhitelist={"127.0.0.1"}
ipBlocklist={"1.0.0.1"}
CCDeny="off"
CCrate="100/60"
html=[[
go away!
]]

5、手动添加日志文件

cd /usr/local/openresty/nginx/logs
mkdir ngx_lua_waf
cd ../
chown www.www logs/ -R

重启nginx

nginx -s reload

6、测试（浏览器）

http://182.92.200.105/index.asp?id=../etc/passwd

结果：go away!

进入刚刚创建的日志目录，查看生成的日志

[root@iZ25l0m95piZ sbin]# cd /usr/local/openresty/nginx/logs/ngx_lua_waf/
[root@iZ25l0m95piZ ngx_lua_waf]# ls
localhost_2016-12-13_sec.log
[root@iZ25l0m95piZ ngx_lua_waf]# cat localhost_2016-12-13_sec.log 
192.168.1.52 [2016-12-13 14:06:48] "GET localhost/index.asp?id=../etc/passwd" "-"  "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.99 Safari/537.36" "\.\./"
192.168.1.52 [2016-12-13 14:16:17] "GET localhost/index.asp?id=../etc/passwd" "-"  "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.99 Safari/537.36" "\.\./"

====>>>>END