Building a low-latency WAF inside NGINX using Lua: John Graham-Cumming @nginxconf 2014

  • Published on 27 Nov 2014
  • CloudFlare makes extensive use of NGINX for reverse proxying of millions of web sites. One of CloudFlare's services is a Web Application Firewall (WAF) that inspects HTTP requests (including POST bodies) inline. It has to be very flexible and very fast.
    Originally, CloudFlare used a combination of Apache with mod_security proxied via NGINX. This would not scale and the WAF was completely replaced by a Lua program that runs inside NGINX using ngx_lua. The WAF compiles mod_security rules into Lua files that are dynamically loaded (and cached) in NGINX.
    With tuning, the WAF now inspects requests in under 1ms (usually 100s of microseconds) and is highly dynamic, allowing customers to turn rules on and off on the fly with only seconds of delay before the configuration is made available worldwide.
    This talk will explain how the CloudFlare WAF works and go into detail about tuning a Lua program running inside NGINX for maximum performance including how to optimize for maximum JIT-compilation by LuaJIT.
  • Science & Technology

Comments • 4

  • @jimrobinson9979 9 years ago +1

    It is irritating that the slides are unreadable in the video. The talk was fascinating of course.

    • @nginx_official 9 years ago +7

      Jim Robinson they're available here - github.com/cloudflare/jgc-talks/tree/master/nginx.conf/2014

  • @agustikj 9 years ago

    Slides ? :)

    • @lankoukit 9 years ago +1

      here github.com/cloudflare/jgc-talks/blob/master/nginx.conf/2014/cloudflare-lua-waf.pdf