feat(waf): 优化配置更新接口 (#4226)

8 months ago · 7f2f7fa195
6 changed files with 66 additions and 41 deletions
--- a/plugins/openresty/waf/conf/token
+++ b/plugins/openresty/waf/conf/token
--- a/plugins/openresty/waf/config.lua
+++ b/plugins/openresty/waf/config.lua
@ -5,7 +5,7 @@ local utils = require "utils"
 local read_rule = file_utils.read_rule
 local read_file2string = file_utils.read_file2string
 local read_file2table = file_utils.read_file2table
-local set_content_to_json_file = file_utils.set_content_to_json_file
+local set_content_to_file = file_utils.set_content_to_file
 local list_dir = lfs.dir
 local attributes = lfs.attributes
 local match_str = string.match
@ -68,21 +68,16 @@ local function ini_waf_info()
    end
 end

+
+
 local function init_global_config()
    local global_config_file = config_dir .. 'global.json'
    global_config = file_utils.read_file2table(global_config_file)
-    local token = utils.random_string(20)
-    global_config["waf"]["token"] = token
-    
-    local waf_dict = ngx.shared.waf
-    waf_dict:set("token", token, 7200)
-    
-    set_content_to_json_file(global_config,global_config_file)
    config.global_config = global_config
-
    config.isProtectionMode = global_config["mode"] == "protection" and true or false
-    

+    _M.get_token()
+    
    local rules = {}
    rules.uaBlack = read_rule(global_rule_dir, "uaBlack")
    rules.uaWhite = read_rule(global_rule_dir, "uaWhite")
@ -114,6 +109,21 @@ local function init_global_config()
    _M.waf_db_path =  _M.waf_db_dir .. "1pwaf.db"
    _M.waf_log_db_path =  _M.waf_db_dir .. "req_log.db"
    _M.config_dir = config_dir
+
+
+    local waf_dict = ngx.shared.waf
+    waf_dict:set("config", config)
+end
+
+local function get_config()
+    local waf_dict = ngx.shared.waf
+    local config_table =  waf_dict:get("config")
+    if config_table == nil then
+        init_global_config()
+        return config
+    end
+    config = config_table
+    return config_table
 end

 function _M.load_config_file()
@ -123,35 +133,35 @@ function _M.load_config_file()
 end

 function _M.get_site_config(website_key)
-    return config.site_config[website_key]
+    return get_config().site_config[website_key]
 end

 function _M.get_site_rules(website_key)
-    return config.site_rules[website_key]
+    return get_config().site_rules[website_key]
 end

 function _M.get_global_config(name)
-    return config.global_config[name]
+    return get_config().global_config[name]
 end

 function _M.get_global_rules(name)
-    return config.global_rules[name]
+    return get_config().global_rules[name]
 end

 function _M.is_global_state_on(name)
-    return config.global_config[name]["state"] == "on" and true or false
+    return get_config().global_config[name]["state"] == "on" and true or false
 end

 function _M.is_site_state_on(name)
-    return config.site_config[name]["state"] == "on" and true or false
+    return get_config().site_config[name]["state"] == "on" and true or false
 end

 function _M.get_redis_config()
-    return config.global_config["redis"]
+    return get_config().global_config["redis"]
 end

 function _M.get_html_res(name)
-    return config.html_res[name]
+    return get_config().html_res[name]
 end

 function _M.is_waf_on()
@ -163,7 +173,7 @@ function _M.is_redis_on()
 end

 function _M.get_secret()
-    return config.global_config["waf"]["secret"]
+    return get_config().global_config["waf"]["secret"]
 end

 function _M.get_token()
@ -172,9 +182,8 @@ function _M.get_token()
    if not token then
        token = utils.random_string(20)
        waf_dict:set("token", token, 86400)
-        global_config["waf"]["token"] = token
-        local global_config_file = config_dir .. 'global.json'
-        set_content_to_json_file(global_config,global_config_file)
+        local token_path = config_dir .. 'token'
+        set_content_to_file(token,token_path)
    end    
    return token
 end
--- a/plugins/openresty/waf/lib/action.lua
+++ b/plugins/openresty/waf/lib/action.lua
@ -5,11 +5,12 @@ local format_str = string.format
 local _M = {}

 local function deny(status_code, res)
-    if not status_code then
+    if status_code == nil then
        status_code = 403
    end
+    
    ngx.status = status_code
-    if res then
+    if res ~= nil and res ~= "" then
        ngx.header.content_type = "text/html; charset=UTF-8"
        ngx.say(config.get_html_res(res))
    end
@ -143,21 +144,25 @@ function _M.exec_action(rule_config, match_rule, data)

    attack_count(rule_config.type)

-    --local msg = "访问 IP " .. ngx.ctx.ip .. " 访问 URL" .. ngx.var.uri .. " 触发动作 " .. action .. "  规则类型 " .. rule_config.type
-    --if match_rule then
-    --    if match_rule.type then
-    --        msg = msg .. " 触发规则类型 " .. match_rule.type
-    --    else 
-    --        msg = msg .. " 触发规则 " .. match_rule.rule
-    --    end
-    --end
-    --
-    --ngx.log(ngx.ERR, msg)
+    local msg = "访问 IP " .. ngx.ctx.ip .. " 访问 URL" .. ngx.var.uri .. " 触发动作 " .. action .. "  规则类型 " .. rule_config.type
+    if match_rule then
+        if match_rule.type then
+            msg = msg .. " 触发规则类型 " .. match_rule.type
+        else 
+            msg = msg .. " 触发规则 " .. match_rule.rule
+        end
+    end
+
+    ngx.log(ngx.ERR, msg)
    if action == "allow" then
        return

    elseif action == "deny" then
-        deny(rule_config.code, rule_config.res)
+        if rule_config.code and rule_config.res then
+            deny(rule_config.code, rule_config.res)
+        else 
+            ngx.exit(403)
+        end
        
    elseif action == "slide" then
        slide()
--- a/plugins/openresty/waf/lib/file.lua
+++ b/plugins/openresty/waf/lib/file.lua
@ -59,11 +59,13 @@ function _M.read_file2table(file_path)
    return decode(str)
 end

-function _M.set_content_to_json_file(data, file_path)
-    local json_str = cjson.encode(data)
+function _M.set_content_to_file(data, file_path)
+    if data == nil or file_path == nil then
+        return 
+    end
    local file = open_file(file_path, "w")
    if file then
-        file:write(json_str)
+        file:write(data)
        file:close()
    end
 end     
--- a/plugins/openresty/waf/log_and_traffic.lua
+++ b/plugins/openresty/waf/log_and_traffic.lua
@ -222,6 +222,9 @@ local function count_req_status(is_attack)
 end

 if config.is_waf_on() then
+    if ngx.ctx.is_waf_url then
+        return
+    end
    count_not_found()
    local is_attack = ngx.ctx.is_attack
    
--- a/plugins/openresty/waf/waf.lua
+++ b/plugins/openresty/waf/waf.lua
@ -97,10 +97,12 @@ local function waf_api()
        end
    end
    if uri == "/slide_check_" .. ngx.md5(ngx.ctx.ip) .. ".js" then
+        ngx.ctx.is_waf_url = true
        return_js("slide_js")
    end

    if uri == "/5s_check_" .. ngx.md5(ngx.ctx.ip) .. ".js" then
+        ngx.ctx.is_waf_url = true
        return_js("five_second_js")
    end
    local method = ngx.req.get_method()
@ -115,16 +117,21 @@ local function waf_api()
    if not body_data then
        return false
    end
+    ngx.log(ngx.ERR,"1111")
    local args
    if body_data then
        args = cjson.decode(body_data)
    end
+    ngx.log(ngx.ERR,"2222")
    if args == nil or args.token == nil then
        return false
    end
+    ngx.log(ngx.ERR,"token",args.token)
+    ngx.log(ngx.ERR,"config token",config.get_token())
    if args.token ~= config.get_token() then
        return false
    end
+    ngx.ctx.is_waf_url = true
    if uri == '/reload_waf_config' then
        config.load_config_file()
        ngx.exit(200)
@ -158,7 +165,7 @@ if config.is_waf_on() then
    lib.black_ua()
    lib.default_ua_black()
    
-    lib.cc_url()
+    --lib.cc_url()
    if lib.is_white_url() then
        return true
    end
@ -169,10 +176,9 @@ if config.is_waf_on() then
    lib.method_check()
    lib.acl()
    lib.cc()
-    lib.bot_check()
+    --lib.bot_check()
    lib.args_check()
    lib.cookie_check()
    lib.post_check()
    lib.header_check()
-    
 end