github
/
ngx_lua_waf
mirror of https://github.com/loveshell/ngx_lua_waf
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

comment some line

pull/63/head
ibuler 2016-06-18 09:58:12 +08:00
parent 0563938d96
commit 14bff06b0f
1 changed files with 147 additions and 147 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

294
init.lua
View File

@ -43,7 +43,7 @@ end
------------------------------------ 规则读取函数 -----------------------------------------
function readRule(var)
file = io.open(rulepath..'/'..var, "r")
file = io.open(rule_path..'/'..var, "r")
if file == nil then
return
end
@ -136,168 +136,168 @@ function checkArgs()
end
function url()
if UrlDeny then
for _,rule in pairs(urlrules) do
if rule ~="" and ngxmatch(ngx.var.request_uri,rule,"isjo") then
log('GET',ngx.var.request_uri,"-",rule)
say_html()
return true
end
end
end
return false
end
-- function url()
-- if UrlDeny then
-- for _,rule in pairs(urlrules) do
-- if rule ~="" and ngxmatch(ngx.var.request_uri,rule,"isjo") then
-- log('GET',ngx.var.request_uri,"-",rule)
-- say_html()
-- return true
-- end
-- end
-- end
-- return false
-- end
function ua()
local ua = ngx.var.http_user_agent
if ua ~= nil then
for _,rule in pairs(uarules) do
if rule ~="" and ngxmatch(ua,rule,"isjo") then
log('UA',ngx.var.request_uri,"-",rule)
say_html()
return true
end
end
end
return false
end
-- function ua()
-- local ua = ngx.var.http_user_agent
-- if ua ~= nil then
-- for _,rule in pairs(uarules) do
-- if rule ~="" and ngxmatch(ua,rule,"isjo") then
-- log('UA',ngx.var.request_uri,"-",rule)
-- say_html()
-- return true
-- end
-- end
-- end
-- return false
-- end
function body(data)
for _,rule in pairs(postrules) do
if rule ~="" and data~="" and ngxmatch(unescape(data),rule,"isjo") then
log('POST',ngx.var.request_uri,data,rule)
say_html()
return true
end
end
return false
end
-- function body(data)
-- for _,rule in pairs(postrules) do
-- if rule ~="" and data~="" and ngxmatch(unescape(data),rule,"isjo") then
-- log('POST',ngx.var.request_uri,data,rule)
-- say_html()
-- return true
-- end
-- end
-- return false
-- end
function cookie()
local ck = ngx.var.http_cookie
if CookieCheck and ck then
for _,rule in pairs(ckrules) do
if rule ~="" and ngxmatch(ck,rule,"isjo") then
log('Cookie',ngx.var.request_uri,"-",rule)
say_html()
return true
end
end
end
return false
end
-- function cookie()
-- local ck = ngx.var.http_cookie
-- if CookieCheck and ck then
-- for _,rule in pairs(ckrules) do
-- if rule ~="" and ngxmatch(ck,rule,"isjo") then
-- log('Cookie',ngx.var.request_uri,"-",rule)
-- say_html()
-- return true
-- end
-- end
-- end
-- return false
-- end
function denycc()
if CCDeny then
local uri=ngx.var.uri
CCcount=tonumber(string.match(CCrate,'(.*)/'))
CCseconds=tonumber(string.match(CCrate,'/(.*)'))
local token = getClientIp()..uri
local limit = ngx.shared.limit
local req,_ = limit:get(token)
local ip = getClientIp()
local block,_ = limit:get(ip)
-- function denycc()
-- if CCDeny then
-- local uri=ngx.var.uri
-- CCcount=tonumber(string.match(CCrate,'(.*)/'))
-- CCseconds=tonumber(string.match(CCrate,'/(.*)'))
-- local token = getClientIp()..uri
-- local limit = ngx.shared.limit
-- local req,_ = limit:get(token)
-- local ip = getClientIp()
-- local block,_ = limit:get(ip)
if block then
ngx.exit(503)
end
-- if block then
-- ngx.exit(503)
-- end
if req then
if req > CCcount then
limit:set(ip,1,DenySeconds)
ngx.exit(503)
return true
else
limit:incr(token,1)
end
else
limit:set(token,1,CCseconds)
end
end
return false
end
-- if req then
-- if req > CCcount then
-- limit:set(ip,1,DenySeconds)
-- ngx.exit(503)
-- return true
-- else
-- limit:incr(token,1)
-- end
-- else
-- limit:set(token,1,CCseconds)
-- end
-- end
-- return false
-- end
function get_boundary()
local header = get_headers()["content-type"]
if not header then
return nil
end
-- function get_boundary()
-- local header = get_headers()["content-type"]
-- if not header then
-- return nil
-- end
if type(header) == "table" then
header = header[1]
end
-- if type(header) == "table" then
-- header = header[1]
-- end
local m = match(header, ";%s*boundary=\"([^\"]+)\"")
if m then
return m
end
-- local m = match(header, ";%s*boundary=\"([^\"]+)\"")
-- if m then
-- return m
-- end
return match(header, ";%s*boundary=([^\",;]+)")
end
-- return match(header, ";%s*boundary=([^\",;]+)")
-- end
function string.split(str, delimiter)
if str==nil or str=='' or delimiter==nil then
return nil
end
-- function string.split(str, delimiter)
-- if str==nil or str=='' or delimiter==nil then
-- return nil
-- end
local result = {}
for match in (str..delimiter):gmatch("(.-)"..delimiter) do
table.insert(result, match)
end
return result
end
-- local result = {}
-- for match in (str..delimiter):gmatch("(.-)"..delimiter) do
-- table.insert(result, match)
-- end
-- return result
-- end
function innet(ip, network)
local star = ''
for i in string.gmatch(network, '%*') do
star = star..i
end
-- function innet(ip, network)
-- local star = ''
-- for i in string.gmatch(network, '%*') do
-- star = star..i
-- end
local ip = string.split(ip, '%.')
local network = string.split(network, '%.')
if ip == nil or network == nil then
return false
end
-- local ip = string.split(ip, '%.')
-- local network = string.split(network, '%.')
-- if ip == nil or network == nil then
-- return false
-- end
local ip_prefix = {}
local network_prefix = {}
for i=1, 4-string.len(star) do
ip_prefix[i] = ip[i]
network_prefix[i] = network[i]
end
-- local ip_prefix = {}
-- local network_prefix = {}
-- for i=1, 4-string.len(star) do
-- ip_prefix[i] = ip[i]
-- network_prefix[i] = network[i]
-- end
ip_prefix = table.concat(ip_prefix, '.')
network_prefix = table.concat(network_prefix, '.')
-- ip_prefix = table.concat(ip_prefix, '.')
-- network_prefix = table.concat(network_prefix, '.')
if ip_prefix == network_prefix then
return true
else
return false
end
end
-- if ip_prefix == network_prefix then
-- return true
-- else
-- return false
-- end
-- end
function whiteip()
if next(ipWhitelist) ~= nil then
ip = getClientIp()
for _,wip in pairs(ipWhitelist) do
if ip == wip or innet(ip, wip) then
return true
end
end
end
return false
end
-- function whiteip()
-- if next(ipWhitelist) ~= nil then
-- ip = getClientIp()
-- for _,wip in pairs(ipWhitelist) do
-- if ip == wip or innet(ip, wip) then
-- return true
-- end
-- end
-- end
-- return false
-- end
function blockip()
if next(ipBlocklist) ~= nil then
ip = getClientIp()
for _,bip in pairs(ipBlocklist) do
if ip == bip or ip=="0.0.0.0" or innet(ip, bip) then
ngx.exit(403)
return true
end
end
end
return false
end
-- function blockip()
-- if next(ipBlocklist) ~= nil then
-- ip = getClientIp()
-- for _,bip in pairs(ipBlocklist) do
-- if ip == bip or ip=="0.0.0.0" or innet(ip, bip) then
-- ngx.exit(403)
-- return true
-- end
-- end
-- end
-- return false
-- end