hihttps first commit

Author: qq4108863

Makefile

@@ -0,0 +1,10 @@
+TARGET=hihttps
+
+all:
+	cd src; make
+	/bin/cp -rf ./src/$(TARGET) ./
+
+
+clean:
+	rm -f $(TARGET)
+	cd src; make clean

README.TXT

@@ -0,0 +1,61 @@
+一、HiHTTPS是一款高性能Web安全SSL防火墙
+    [开源版提供基础防护功能]
+	    1. 恶意Web漏洞扫描
+	    2. 数据库SQL注入
+	    3. 跨站脚本攻击（XSS)
+	    4. URL黑白名单
+	    5. 危险文件上传检测
+	    6. 非法URL/文件访问
+	    7. 支持HTTP1.1所有的SSL Web服务器
+	    8. HTTP错误检测、可以扩展的日志
+	    9. 兼容OWASP的ModSecurity正则规则
+	    10.epoll模型单核3万+并发连接请求
+	   
+	 [专业版提供高级防护功能]
+	    1. 超10万+高并发请求
+	    2. CC  & DDOS
+	    3. 密码暴力破解
+	    4. 机器人/爬虫
+	    5. 精准IP/URL等访问控制
+	    6. 支持HTTP 2.0
+	    7. 人工智能防御未知攻击(目标)
+	    8. Web管理界面
+	    9.  支持独立硬件部署，保护后端多台服务器 
+	    10. 支持云虚拟化部署，保护云端多台服务器
+	    ......(更多定制需求请加QQ/微信:4108863)
+	    
+二、安装步骤  
+  1. 安装OpenSSL和libpcre开发库
+  CentOS : 
+  	yum install openssl openssl-devel
+  	yum install -y pcre pcre-devel 
+  	
+  Debian/Ubuntu:
+  	sudo apt-get install openssl libssl-dev
+  	apt-get install libpcre3 libpcre3-dev  
+  
+  2.编译
+  解压到任意目录，make即可，完成后生成可执行文件hihttps.
+  
+  3.规则
+  规则放在和hihttps同一级的rules目录即可，注意后缀是.conf或者.rule,更多规则请在
+  https://github.com/SpiderLabs/owasp-modsecurity-crs/下载，根据需求配置。
+  具体请看rules/main.conf详细说明。
+  
+  4.运行
+  通常是hihttps前端运行443（https）端口，后端反向代理80端口。
+  首先保证Web服务器80端口运行正常，443端口没占用（或者端口在config.cfg里改变配置)
+  ./hihttps默认读取当前目录下的confg.cfg文件， 或者./hihttps --config /dir/config.cfg
+  具体请看config.cfg详细说明， 如果成功打印加载了rules目录下的规则，代表运行成功。
+  
+  5.测试
+  rules/main.rule默认加载了一条SQL语句检测规则，可以访问https://ip/select.html?testsql=delete * from test
+  或者用WEB漏洞扫描器nikto运行：./nikto  -host ip -ssl -port 443 -C all
+  如果产生了报警记录，则代表正常！相关图片在doc目录。
+  
+  
+  6.需要更多高级防护和web管理功能，请加QQ/微信:4108863
+  
+  
+  
+  

config.cfg

@@ -0,0 +1,24 @@
+# 前端SSL绑定的端口，默认443，注意不要冲突了
+frontend = {
+    host = "*"
+    port = "443"
+}
+
+backend = "[127.0.0.1]:80"    # 后端默认反向连接80端口
+
+
+workers = 1                   #  CPU 数量
+daemon = off                  #  关闭后台模式，方便调试
+
+#证书文件,建议设置绝对路径
+pem-file = "server.pem"
+
+
+# 为了安全，请设置运行的用户组和权限，默认nobody，请确认系统存在有nobody。
+# user and group
+user = "nobody"
+group = "nobody"
+
+
+
+

doc/1.make.png

@@ -0,0 +1,215 @@
+# ------------------------------------------------------------------------
+# OWASP ModSecurity Core Rule Set ver.3.1.0
+# Copyright (c) 2006-2018 Trustwave and contributors. All rights reserved.
+#
+# The OWASP ModSecurity Core Rule Set is distributed under
+# Apache Software License (ASL) version 2
+# Please see the enclosed LICENSE file for full details.
+# ------------------------------------------------------------------------
+
+#
+# -= Paranoia Level 0 (empty) =- (apply unconditionally)
+#
+
+
+
+SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 1" "id:913011,phase:1,pass,nolog,skipAfter:END-REQUEST-913-SCANNER-DETECTION"
+SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 1" "id:913012,phase:2,pass,nolog,skipAfter:END-REQUEST-913-SCANNER-DETECTION"
+#
+# -= Paranoia Level 1 (default) =- (apply only when tx.executing_paranoia_level is sufficiently high: 1 or higher)
+#
+
+#
+# -=[ Vulnerability Scanner Checks ]=-
+#
+# These rules inspect the default User-Agent and Header values sent by
+# various commercial and open source vuln scanners.
+#
+# The following rules contain User-Agent lists:
+# 913100 - security scanners (data file scanners-user-agents.data)
+# 913101 - scripting/generic HTTP clients (data file scripting-user-agents.data)
+# 913102 - web crawlers/bots (data file crawlers-user-agents.data)
+#
+
+
+
+SecRule REQUEST_HEADERS:User-Agent "@pmFromFile scanners-user-agents.data" \
+    "id:913100,\
+    phase:2,\
+    block,\
+    capture,\
+    t:none,t:lowercase,\
+    
+    
+    msg:'Found User-Agent associated with security scanner',\
+    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
+    tag:'application-multi',\
+    tag:'language-multi',\
+    tag:'platform-multi',\
+    tag:'attack-reputation-scanner',\
+    tag:'OWASP_CRS/AUTOMATION/SECURITY_SCANNER',\
+    tag:'WASCTC/WASC-21',\
+    tag:'OWASP_TOP_10/A7',\
+    tag:'PCI/6.5.10',\
+    ver:'OWASP_CRS/3.1.0',\
+    severity:'CRITICAL',\
+    setvar:'tx.msg=%{rule.msg}',\
+    setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
+    setvar:'tx.%{rule.id}-OWASP_CRS/AUTOMATION/SECURITY_SCANNER-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}',\
+    setvar:'ip.reput_block_flag=1',\
+    setvar:'ip.reput_block_reason=%{rule.msg}',\
+    expirevar:'ip.reput_block_flag=%{tx.reput_block_duration}'"
+
+SecRule REQUEST_HEADERS_NAMES|REQUEST_HEADERS "@pmf scanners-headers.data" \
+    "id:913110,\
+    phase:2,\
+    block,\
+    capture,\
+    t:none,t:lowercase,\
+    msg:'Found request header associated with security scanner',\
+    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
+    tag:'application-multi',\
+    tag:'language-multi',\
+    tag:'platform-multi',\
+    tag:'attack-reputation-scanner',\
+    tag:'OWASP_CRS/AUTOMATION/SECURITY_SCANNER',\
+    tag:'WASCTC/WASC-21',\
+    tag:'OWASP_TOP_10/A7',\
+    tag:'PCI/6.5.10',\
+    ver:'OWASP_CRS/3.1.0',\
+    severity:'CRITICAL',\
+    setvar:'tx.msg=%{rule.msg}',\
+    setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
+    setvar:'tx.%{rule.id}-OWASP_CRS/AUTOMATION/SECURITY_SCANNER-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}',\
+    setvar:'ip.reput_block_flag=1',\
+    setvar:'ip.reput_block_reason=%{rule.msg}',\
+    expirevar:'ip.reput_block_flag=%{tx.reput_block_duration}'"
+
+
+
+SecRule REQUEST_HEADERS|REQUEST_FILENAME|ARGS "@pmf scanners-urls.data" \
+    "id:913120,\
+    phase:2,\
+    block,\
+    capture,\
+    t:none,t:lowercase,\
+    msg:'Found request filename/argument associated with security scanner',\
+    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
+    tag:'application-multi',\
+    tag:'language-multi',\
+    tag:'platform-multi',\
+    tag:'attack-reputation-scanner',\
+    tag:'OWASP_CRS/AUTOMATION/SECURITY_SCANNER',\
+    tag:'WASCTC/WASC-21',\
+    tag:'OWASP_TOP_10/A7',\
+    tag:'PCI/6.5.10',\
+    ver:'OWASP_CRS/3.1.0',\
+    severity:'CRITICAL',\
+    setvar:'tx.msg=%{rule.msg}',\
+    setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
+    setvar:'tx.%{rule.id}-OWASP_CRS/AUTOMATION/SECURITY_SCANNER-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}',\
+    setvar:'ip.reput_block_flag=1',\
+    setvar:'ip.reput_block_reason=%{rule.msg}',\
+    expirevar:'ip.reput_block_flag=%{tx.reput_block_duration}'"
+
+
+SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:913013,phase:1,pass,nolog,skipAfter:END-REQUEST-913-SCANNER-DETECTION"
+SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:913014,phase:2,pass,nolog,skipAfter:END-REQUEST-913-SCANNER-DETECTION"
+#
+# -= Paranoia Level 2 =- (apply only when tx.executing_paranoia_level is sufficiently high: 2 or higher)
+#
+
+
+#
+# -=[ Scripting/Generic User-Agents ]=-
+#
+# This rule detects user-agents associated with various HTTP client libraries
+# and scripting languages. Detection suggests attempted access by some
+# automated tool.
+#
+# This rule is a sibling of rule 913100.
+#
+SecRule REQUEST_HEADERS:User-Agent "@pmFromFile scripting-user-agents.data" \
+    "id:913101,\
+    phase:2,\
+    block,\
+    capture,\
+    t:none,t:lowercase,\
+    msg:'Found User-Agent associated with scripting/generic HTTP client',\
+    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
+    tag:'application-multi',\
+    tag:'language-multi',\
+    tag:'platform-multi',\
+    tag:'attack-reputation-scripting',\
+    tag:'OWASP_CRS/AUTOMATION/SCRIPTING',\
+    tag:'WASCTC/WASC-21',\
+    tag:'OWASP_TOP_10/A7',\
+    tag:'PCI/6.5.10',\
+    tag:'paranoia-level/2',\
+    ver:'OWASP_CRS/3.1.0',\
+    severity:'CRITICAL',\
+    setvar:'tx.msg=%{rule.msg}',\
+    setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}',\
+    setvar:'tx.%{rule.id}-OWASP_CRS/AUTOMATION/SCRIPTING-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}',\
+    setvar:'ip.reput_block_flag=1',\
+    setvar:'ip.reput_block_reason=%{rule.msg}',\
+    expirevar:'ip.reput_block_flag=%{tx.reput_block_duration}'"
+
+
+
+#
+# -=[ Crawler User-Agents ]=-
+#
+# This rule detects user-agents associated with various crawlers, SEO tools,
+# and bots, which have been reported to potentially misbehave.
+# These crawlers can have legitimate uses when used with authorization.
+#
+# This rule is a sibling of rule 913100.
+#
+SecRule REQUEST_HEADERS:User-Agent "@pmFromFile crawlers-user-agents.data" \
+    "id:913102,\
+    phase:2,\
+    block,\
+    capture,\
+    t:none,t:lowercase,\
+    msg:'Found User-Agent associated with web crawler/bot',\
+    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
+    tag:'application-multi',\
+    tag:'language-multi',\
+    tag:'platform-multi',\
+    tag:'attack-reputation-crawler',\
+    tag:'OWASP_CRS/AUTOMATION/CRAWLER',\
+    tag:'WASCTC/WASC-21',\
+    tag:'OWASP_TOP_10/A7',\
+    tag:'PCI/6.5.10',\
+    tag:'paranoia-level/2',\
+    ver:'OWASP_CRS/3.1.0',\
+    severity:'CRITICAL',\
+    setvar:'tx.msg=%{rule.msg}',\
+    setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}',\
+    setvar:'tx.%{rule.id}-OWASP_CRS/AUTOMATION/CRAWLER-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}',\
+    setvar:'ip.reput_block_flag=1',\
+    setvar:'ip.reput_block_reason=%{rule.msg}',\
+    expirevar:'ip.reput_block_flag=%{tx.reput_block_duration}'"
+
+
+SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 3" "id:913015,phase:1,pass,nolog,skipAfter:END-REQUEST-913-SCANNER-DETECTION"
+SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 3" "id:913016,phase:2,pass,nolog,skipAfter:END-REQUEST-913-SCANNER-DETECTION"
+#
+# -= Paranoia Level 3 =- (apply only when tx.executing_paranoia_level is sufficiently high: 3 or higher)
+#
+
+
+
+SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 4" "id:913017,phase:1,pass,nolog,skipAfter:END-REQUEST-913-SCANNER-DETECTION"
+SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 4" "id:913018,phase:2,pass,nolog,skipAfter:END-REQUEST-913-SCANNER-DETECTION"
+#
+# -= Paranoia Level 4 =- (apply only when tx.executing_paranoia_level is sufficiently high: 4 or higher)
+#
+
+
+
+#
+# -= Paranoia Levels Finished =-
+#
+SecMarker "END-REQUEST-913-SCANNER-DETECTION"