diff --git a/plugins/openresty/waf/conf/token b/plugins/openresty/waf/conf/token new file mode 100644 index 000000000..e69de29bb diff --git a/plugins/openresty/waf/config.lua b/plugins/openresty/waf/config.lua index 5ec0b4a0c..38a716954 100644 --- a/plugins/openresty/waf/config.lua +++ b/plugins/openresty/waf/config.lua @@ -5,7 +5,7 @@ local utils = require "utils" local read_rule = file_utils.read_rule local read_file2string = file_utils.read_file2string local read_file2table = file_utils.read_file2table -local set_content_to_json_file = file_utils.set_content_to_json_file +local set_content_to_file = file_utils.set_content_to_file local list_dir = lfs.dir local attributes = lfs.attributes local match_str = string.match @@ -68,21 +68,16 @@ local function ini_waf_info() end end + + local function init_global_config() local global_config_file = config_dir .. 'global.json' global_config = file_utils.read_file2table(global_config_file) - local token = utils.random_string(20) - global_config["waf"]["token"] = token - - local waf_dict = ngx.shared.waf - waf_dict:set("token", token, 7200) - - set_content_to_json_file(global_config,global_config_file) config.global_config = global_config - config.isProtectionMode = global_config["mode"] == "protection" and true or false - + _M.get_token() + local rules = {} rules.uaBlack = read_rule(global_rule_dir, "uaBlack") rules.uaWhite = read_rule(global_rule_dir, "uaWhite") @@ -114,6 +109,21 @@ local function init_global_config() _M.waf_db_path = _M.waf_db_dir .. "1pwaf.db" _M.waf_log_db_path = _M.waf_db_dir .. "req_log.db" _M.config_dir = config_dir + + + local waf_dict = ngx.shared.waf + waf_dict:set("config", config) +end + +local function get_config() + local waf_dict = ngx.shared.waf + local config_table = waf_dict:get("config") + if config_table == nil then + init_global_config() + return config + end + config = config_table + return config_table end function _M.load_config_file() @@ -123,35 +133,35 @@ function _M.load_config_file() end function _M.get_site_config(website_key) - return config.site_config[website_key] + return get_config().site_config[website_key] end function _M.get_site_rules(website_key) - return config.site_rules[website_key] + return get_config().site_rules[website_key] end function _M.get_global_config(name) - return config.global_config[name] + return get_config().global_config[name] end function _M.get_global_rules(name) - return config.global_rules[name] + return get_config().global_rules[name] end function _M.is_global_state_on(name) - return config.global_config[name]["state"] == "on" and true or false + return get_config().global_config[name]["state"] == "on" and true or false end function _M.is_site_state_on(name) - return config.site_config[name]["state"] == "on" and true or false + return get_config().site_config[name]["state"] == "on" and true or false end function _M.get_redis_config() - return config.global_config["redis"] + return get_config().global_config["redis"] end function _M.get_html_res(name) - return config.html_res[name] + return get_config().html_res[name] end function _M.is_waf_on() @@ -163,7 +173,7 @@ function _M.is_redis_on() end function _M.get_secret() - return config.global_config["waf"]["secret"] + return get_config().global_config["waf"]["secret"] end function _M.get_token() @@ -172,9 +182,8 @@ function _M.get_token() if not token then token = utils.random_string(20) waf_dict:set("token", token, 86400) - global_config["waf"]["token"] = token - local global_config_file = config_dir .. 'global.json' - set_content_to_json_file(global_config,global_config_file) + local token_path = config_dir .. 'token' + set_content_to_file(token,token_path) end return token end diff --git a/plugins/openresty/waf/lib/action.lua b/plugins/openresty/waf/lib/action.lua index 76b99c4c3..5d34fe998 100644 --- a/plugins/openresty/waf/lib/action.lua +++ b/plugins/openresty/waf/lib/action.lua @@ -5,11 +5,12 @@ local format_str = string.format local _M = {} local function deny(status_code, res) - if not status_code then + if status_code == nil then status_code = 403 end + ngx.status = status_code - if res then + if res ~= nil and res ~= "" then ngx.header.content_type = "text/html; charset=UTF-8" ngx.say(config.get_html_res(res)) end @@ -143,21 +144,25 @@ function _M.exec_action(rule_config, match_rule, data) attack_count(rule_config.type) - --local msg = "访问 IP " .. ngx.ctx.ip .. " 访问 URL" .. ngx.var.uri .. " 触发动作 " .. action .. " 规则类型 " .. rule_config.type - --if match_rule then - -- if match_rule.type then - -- msg = msg .. " 触发规则类型 " .. match_rule.type - -- else - -- msg = msg .. " 触发规则 " .. match_rule.rule - -- end - --end - -- - --ngx.log(ngx.ERR, msg) + local msg = "访问 IP " .. ngx.ctx.ip .. " 访问 URL" .. ngx.var.uri .. " 触发动作 " .. action .. " 规则类型 " .. rule_config.type + if match_rule then + if match_rule.type then + msg = msg .. " 触发规则类型 " .. match_rule.type + else + msg = msg .. " 触发规则 " .. match_rule.rule + end + end + + ngx.log(ngx.ERR, msg) if action == "allow" then return elseif action == "deny" then - deny(rule_config.code, rule_config.res) + if rule_config.code and rule_config.res then + deny(rule_config.code, rule_config.res) + else + ngx.exit(403) + end elseif action == "slide" then slide() diff --git a/plugins/openresty/waf/lib/file.lua b/plugins/openresty/waf/lib/file.lua index ecda723a0..736926e74 100644 --- a/plugins/openresty/waf/lib/file.lua +++ b/plugins/openresty/waf/lib/file.lua @@ -59,11 +59,13 @@ function _M.read_file2table(file_path) return decode(str) end -function _M.set_content_to_json_file(data, file_path) - local json_str = cjson.encode(data) +function _M.set_content_to_file(data, file_path) + if data == nil or file_path == nil then + return + end local file = open_file(file_path, "w") if file then - file:write(json_str) + file:write(data) file:close() end end diff --git a/plugins/openresty/waf/log_and_traffic.lua b/plugins/openresty/waf/log_and_traffic.lua index 6949c9431..556876db9 100644 --- a/plugins/openresty/waf/log_and_traffic.lua +++ b/plugins/openresty/waf/log_and_traffic.lua @@ -222,6 +222,9 @@ local function count_req_status(is_attack) end if config.is_waf_on() then + if ngx.ctx.is_waf_url then + return + end count_not_found() local is_attack = ngx.ctx.is_attack diff --git a/plugins/openresty/waf/waf.lua b/plugins/openresty/waf/waf.lua index 40c480450..b83f79772 100644 --- a/plugins/openresty/waf/waf.lua +++ b/plugins/openresty/waf/waf.lua @@ -97,10 +97,12 @@ local function waf_api() end end if uri == "/slide_check_" .. ngx.md5(ngx.ctx.ip) .. ".js" then + ngx.ctx.is_waf_url = true return_js("slide_js") end if uri == "/5s_check_" .. ngx.md5(ngx.ctx.ip) .. ".js" then + ngx.ctx.is_waf_url = true return_js("five_second_js") end local method = ngx.req.get_method() @@ -115,16 +117,21 @@ local function waf_api() if not body_data then return false end + ngx.log(ngx.ERR,"1111") local args if body_data then args = cjson.decode(body_data) end + ngx.log(ngx.ERR,"2222") if args == nil or args.token == nil then return false end + ngx.log(ngx.ERR,"token",args.token) + ngx.log(ngx.ERR,"config token",config.get_token()) if args.token ~= config.get_token() then return false end + ngx.ctx.is_waf_url = true if uri == '/reload_waf_config' then config.load_config_file() ngx.exit(200) @@ -158,7 +165,7 @@ if config.is_waf_on() then lib.black_ua() lib.default_ua_black() - lib.cc_url() + --lib.cc_url() if lib.is_white_url() then return true end @@ -169,10 +176,9 @@ if config.is_waf_on() then lib.method_check() lib.acl() lib.cc() - lib.bot_check() + --lib.bot_check() lib.args_check() lib.cookie_check() lib.post_check() lib.header_check() - end \ No newline at end of file