{"id":13540124,"url":"https://github.com/jx-sec/jxwaf","last_synced_at":"2025-04-02T06:32:10.806Z","repository":{"id":46603664,"uuid":"114102727","full_name":"jx-sec/jxwaf","owner":"jx-sec","description":"JXWAF是一款开源web应用防火墙","archived":false,"fork":false,"pushed_at":"2024-08-20T08:39:06.000Z","size":69614,"stargazers_count":1089,"open_issues_count":2,"forks_count":255,"subscribers_count":55,"default_branch":"master","last_synced_at":"2024-08-20T18:13:48.563Z","etag":null,"topics":["jxwaf","nginx-lua","openresty","waf"],"latest_commit_sha":null,"homepage":"https://www.jxwaf.com/","language":"Lua","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/jx-sec.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2017-12-13T09:45:46.000Z","updated_at":"2024-08-20T08:39:09.000Z","dependencies_parsed_at":"2024-08-01T09:23:57.529Z","dependency_job_id":"f763fec6-7c69-4b9a-b199-961e553ef6a1","html_url":"https://github.com/jx-sec/jxwaf","commit_stats":null,"previous_names":[],"tags_count":17,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jx-sec%2Fjxwaf","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jx-sec%2Fjxwaf/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jx-sec%2Fjxwaf/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jx-sec%2Fjxwaf/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/jx-sec","download_url":"https://codeload.github.com/jx-sec/jxwaf/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":246768402,"owners_count":20830658,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["jxwaf","nginx-lua","openresty","waf"],"created_at":"2024-08-01T09:01:40.970Z","updated_at":"2025-04-02T06:32:10.795Z","avatar_url":"https://github.com/jx-sec.png","language":"Lua","funding_links":[],"categories":["\u003ca id=\"946d766c6a0fb23b480ff59d4029ec71\"\u003e\u003c/a\u003e防护\u0026\u0026Defense","Lua","\u003ca id=\"0abd611fc3e9a4d9744865ca6e47a6b2\"\u003e\u003c/a\u003e工具","Lua (24)","Go Template"],"sub_categories":["\u003ca id=\"784ea32a3f4edde1cd424b58b17e7269\"\u003e\u003c/a\u003eWAF"],"readme":"# JXWAF\n\n[中文版](https://github.com/jx-sec/jxwaf/blob/master/README.md)\n[English](https://github.com/jx-sec/jxwaf/blob/master/English.md)\n\n## 介绍\n\nJXWAF是一款云Web应用防火墙，可对Web应用流量进行分析检测，清洗过滤恶意流量后将正常流量返回给业务服务器，保障Web业务正常运行。\n\n🌟  云WAF系统 | CDN加速 | 语义分析引擎 | WebTDS深度分析  \n\n## 产品亮点\n\n### 云WAF系统\n\nJXWAF采用云原生架构设计，支持弹性扩展与多节点集群部署，可灵活适配公有云、混合云及私有化环境。通过分布式防护节点，实现流量智能调度与负载均衡，保障业务高可用性。\n\n### CDN加速\n\n深度融合CDN加速与安全防护能力，内置智能缓存引擎，支持动态内容缓存、边缘节点加速。通过缓存策略、不缓存策略的多级配置，显著降低源站负载压力，提升用户访问速度。结合IP区域封禁与流量防护规则，实现全球攻击流量清洗与合法请求加速的一体化处理，安全与性能双效提升。\n\n### 语义分析引擎\n\n自研语义分析引擎基于上下文语义的动态威胁识别技术，突破传统正则匹配局限，大幅提高了准确率，降低误报，可防御各类主流Web漏洞攻击，包括但不限于SQL注入、XSS攻击、命令执行攻击、代码执行攻击、高危Nday防护等。\n\n### WebTDS深度分析\n\n集成Web流量威胁检测系统（Web Threat Detection System），基于自研的数据实时分析引擎，通过实体行为分析和在线学习模型的检测能力，构建Web安全主动防御体系，实现APT级别攻击检测、高级CC攻击防护，业务安全风险分析。\n\n## 文档\n\nhttps://docs.jxwaf.com/\n\n## 功能\n\n- 防护管理\n  - 网站防护\n    - 网站配置\n    - 防护配置 \n      - Web防护引擎\n      - Web防护规则\n      - 扫描攻击防护\n      - 网页防篡改\n      - Web白名单规则\n      - 流量防护引擎\n      - 流量防护规则\n      - IP区域封禁\n      - IP黑名单\n      - 流量白名单规则\n    - 缓存配置\n      - 缓存策略\n      - 不缓存策略\n      - 缓存绕过策略\n    - 高级配置\n      - 自定义请求头\n      - 自定义响应头\n      - 自定义响应内容\n      - 自定义回源地址\n  - 名单防护\n  - 基础组件\n  - 分析组件\n- 运营中心\n  - 数据统计\n  - Web安全报表\n  - 流量安全报表\n  - 攻击事件\n  - 日志查询\n  - 网络封禁黑名单\n  - 网络封禁白名单\n  - 节点状态\n- 系统管理\n  - 基础信息\n  - SSL证书管理\n  - CNAME配置管理\n  - 日志传输配置\n  - 日志查询配置\n  - WebTDS检测配置\n  - 拦截页面配置\n  - 配置备份\u0026加载\n\n## 架构\n\n- JXWAF 系统由三个子系统组成\n  - JXWAF 控制台\n  - JXWAF 节点\n  - JXLOG 日志系统\n\n\u003ckbd\u003e\u003cimg src=\"img/jxwaf_architecture.png\" width=\"1000\"\u003e\u003c/kbd\u003e\n\n\n## 部署\n\n### 环境要求\n\n- 服务器系统 Debian 12.x\n\n- 服务器最低配置 4 核 8G \n\n### jxwaf 控制台部署\n\n服务器 IP 地址\n\n- 公网地址: 47.120.63.196\n- 内网地址: 172.29.198.241\n\n```\n# 1. 安装Docker\ncurl -fsSL https://get.docker.com | bash -s docker --mirror Aliyun\n# 2. 克隆仓库（国内可以换成 https://gitclone.com/github.com/jx-sec/jxwaf.git）\ngit clone https://github.com/jx-sec/jxwaf.git\n# 3. 启动容器\ncd jxwaf/jxwaf_admin_server\ndocker compose up -d\n```\n\n部署完成后，访问控制台地址 http://47.120.63.196， 第一次访问控制台会自动跳转到帐号注册页面。\n\n完成注册并登录控制台后，点击 系统管理 -\u003e 基础信息 页面，查看 waf_auth，后续节点配置需要 \n\n\u003ckbd\u003e\u003cimg src=\"img/waf_auth.png\" width=\"500\"\u003e\u003c/kbd\u003e\n\n### jxwaf 节点部署\n\n服务器 IP 地址\n\n- 公网地址: 47.84.176.156\n- 内网地址: 172.22.168.117\n\n```\n# 1. 安装Docker\ncurl -fsSL https://get.docker.com | bash -s docker --mirror Aliyun\n# 2. 克隆仓库（国内可以换成 https://gitclone.com/github.com/jx-sec/jxwaf.git）\ngit clone https://github.com/jx-sec/jxwaf.git\n# 3. 启动容器\ncd jxwaf/jxwaf_node\nvim docker-compose.yml\n```\n\n修改文件中的 JXWAF_SERVER 和 WAF_AUTH\n\n\u003ckbd\u003e\u003cimg src=\"img/compose_conf.png\" width=\"500\"\u003e\u003c/kbd\u003e\n\nJXWAF_SERVER 的值为 jxwaf 控制台服务器地址，这里为 http://47.120.63.196 ，注意地址不能带路径，即 http://47.120.63.196/ 是错误输入\n\n其中 WAF_AUTH 为 系统管理 -\u003e 基础信息 中 waf_auth 的值\n\n修改后如下\n\n\u003ckbd\u003e\u003cimg src=\"img/compose_conf_edit.png\" width=\"500\"\u003e\u003c/kbd\u003e\n\n```\ndocker compose  up -d\n```\n\n启动后，可以在 运营中心 -\u003e 节点状态 查看节点是否上线\n\n\u003ckbd\u003e\u003cimg src=\"img/node_status.png\"\u003e\u003c/kbd\u003e\n\n### jxlog 部署\n\n服务器 IP 地址\n\n- 公网地址: 47.115.222.190\n- 内网地址: 172.29.198.239\n\n```\n# 1. 安装Docker\ncurl -fsSL https://get.docker.com | bash -s docker --mirror Aliyun\n# 2. 克隆仓库（国内可以换成 https://gitclone.com/github.com/jx-sec/jxwaf.git）\ngit clone https://github.com/jx-sec/jxwaf.git\n# 3. 启动容器\ncd jxwaf/jxlog\ndocker compose up -d\n```\n\n部署完成后，在控制台中 系统配置 -\u003e 日志传输配置 完成如下配置\n\n\u003ckbd\u003e\u003cimg src=\"img/jxlog_conf.png\" width=\"500\"\u003e\u003c/kbd\u003e\n\n在 控制台 系统配置 -\u003e 日志查询配置 完成如下配置，其中 ClickHouse 数据库的帐号密码可以在 docker-compose.yml 文件中修改\n\n\u003ckbd\u003e\u003cimg src=\"img/clickhouse_conf.png\" width=\"500\"\u003e\u003c/kbd\u003e\n\n### 效果验证\n\n在控制台 防护管理 -\u003e 网站防护 ，点击新建分组，参考如下配置进行设置\n\n\u003ckbd\u003e\u003cimg src=\"img/prod_group_conf.png\" width=\"500\"\u003e\u003c/kbd\u003e\n\n创建完成后，点击 查看网站 ，点击新建网站，参考如下配置进行设置\n\n\u003ckbd\u003e\u003cimg src=\"img/prod_website_conf.png\" width=\"500\"\u003e\u003c/kbd\u003e\n\n\n配置完成后，回到 jxlog 服务器,\n\n```\nroot@iZf8z5lulvvv47480fig8gZ:~/jxwaf# pwd\n/root/jxwaf\n[root@VM-0-13-centos jxlog]# cd waf_test/\n[root@VM-0-13-centos waf_test]# python3 waf_poc_test.py -u http://47.113.220.170\n```\n\n运行 waf 测试脚本后,即可在控制台中的 运营中心 -\u003e Web安全报表 和 运营中心 -\u003e Web安全报表 查看防护效果\n\n\u003ckbd\u003e\u003cimg src=\"img/web_attack_chart.png\" width=\"1000\"\u003e\u003c/kbd\u003e\n\n\u003ckbd\u003e\u003cimg src=\"img/attack_event.png\" width=\"1000\"\u003e\u003c/kbd\u003e\n\n## 性能测试\n\n### 测试环境说明\n\n服务器型号: 阿里云计算型c6\n\n服务器配置: 4核8G\n\n服务器操作系统: Debian 12.8 \n\n控制台配置如下:\n\n- 防护配置为开启流量防护引擎中的无差别紧急防护，执行动作设置为阻断请求\n\n- 自定义拦截页面响应码设置为200，响应内容设置为空\n\n- 日志记录关闭\n\n测试环境为内网环境，仅测试WAF节点本身的性能极限，不涉及业务请求回源，数据仅供参考。\n\n### wrk测试数据\n\n#### HTTP请求性能测试\n\n```\nroot@iZf8z5lulvvv47480fig8hZ:~# wrk -t8 -c5000 -d30s --timeout 10s http://172.29.198.240 \nRunning 30s test @ http://172.29.198.240\n  8 threads and 5000 connections\n  Thread Stats   Avg      Stdev     Max   +/- Stdev\n    Latency   241.95ms  879.69ms  10.00s    95.25%\n    Req/Sec     8.41k     3.17k   17.78k    69.67%\n  1975398 requests in 30.05s, 491.69MB read\n  Socket errors: connect 0, read 151, write 0, timeout 228\nRequests/sec:  65726.31\nTransfer/sec:     16.36MB\n```\n\n本次测试HTTP请求防护能力，单机QPS大概为65000左右。\n\n#### HTTPS请求性能测试 \n\n修改本地hosts，将admin.jxwaf.com解析为172.29.198.240\n\n```\nroot@iZf8z5lulvvv47480fig8hZ:~# wrk -t8 -c5000 -d30s --timeout 10s https://admin.jxwaf.com\nRunning 30s test @ https://admin.jxwaf.com\n  8 threads and 5000 connections\n  Thread Stats   Avg      Stdev     Max   +/- Stdev\n    Latency   223.82ms  590.66ms   5.94s    94.92%\n    Req/Sec     5.49k     1.05k    9.80k    76.66%\n  1058280 requests in 30.10s, 263.42MB read\n  Socket errors: connect 249, read 0, write 0, timeout 0\nRequests/sec:  35161.18\nTransfer/sec:      8.75MB\n```\n\n本次测试HTTPS请求防护能力，单机QPS大概为35000左右。\n\n## 贡献者\n\n- [chenjc](https://github.com/jx-sec)\n- [jiongrizi](https://github.com/jiongrizi)\n- [thankfly](https://github.com/thankfly)\n\n## BUG\u0026需求\n\n- 微信 574604532 添加请备注 jxwaf\n\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fjx-sec%2Fjxwaf","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fjx-sec%2Fjxwaf","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fjx-sec%2Fjxwaf/lists"}