github
/
ngx_lua_waf
mirror of https://github.com/loveshell/ngx_lua_waf
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

comment some line

pull/63/head
ibuler 2016-06-18 09:58:12 +08:00
parent 0563938d96
commit 14bff06b0f
1 changed files with 147 additions and 147 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

294
init.lua
View File

@ -43,7 +43,7 @@ end
------------------------------------ 规则读取函数 ----------------------------------------- ------------------------------------ 规则读取函数 -----------------------------------------
function readRule(var) function readRule(var)
file = io.open(rulepath..'/'..var, "r") file = io.open(rule_path..'/'..var, "r")
if file == nil then if file == nil then
return return
end end
@ -136,168 +136,168 @@ function checkArgs()
end end
function url() -- function url()
if UrlDeny then -- if UrlDeny then
for _,rule in pairs(urlrules) do -- for _,rule in pairs(urlrules) do
if rule ~="" and ngxmatch(ngx.var.request_uri,rule,"isjo") then -- if rule ~="" and ngxmatch(ngx.var.request_uri,rule,"isjo") then
log('GET',ngx.var.request_uri,"-",rule) -- log('GET',ngx.var.request_uri,"-",rule)
say_html() -- say_html()
return true -- return true
end -- end
end -- end
end -- end
return false -- return false
end -- end
function ua() -- function ua()
local ua = ngx.var.http_user_agent -- local ua = ngx.var.http_user_agent
if ua ~= nil then -- if ua ~= nil then
for _,rule in pairs(uarules) do -- for _,rule in pairs(uarules) do
if rule ~="" and ngxmatch(ua,rule,"isjo") then -- if rule ~="" and ngxmatch(ua,rule,"isjo") then
log('UA',ngx.var.request_uri,"-",rule) -- log('UA',ngx.var.request_uri,"-",rule)
say_html() -- say_html()
return true -- return true
end -- end
end -- end
end -- end
return false -- return false
end -- end
function body(data) -- function body(data)
for _,rule in pairs(postrules) do -- for _,rule in pairs(postrules) do
if rule ~="" and data~="" and ngxmatch(unescape(data),rule,"isjo") then -- if rule ~="" and data~="" and ngxmatch(unescape(data),rule,"isjo") then
log('POST',ngx.var.request_uri,data,rule) -- log('POST',ngx.var.request_uri,data,rule)
say_html() -- say_html()
return true -- return true
end -- end
end -- end
return false -- return false
end -- end
function cookie() -- function cookie()
local ck = ngx.var.http_cookie -- local ck = ngx.var.http_cookie
if CookieCheck and ck then -- if CookieCheck and ck then
for _,rule in pairs(ckrules) do -- for _,rule in pairs(ckrules) do
if rule ~="" and ngxmatch(ck,rule,"isjo") then -- if rule ~="" and ngxmatch(ck,rule,"isjo") then
log('Cookie',ngx.var.request_uri,"-",rule) -- log('Cookie',ngx.var.request_uri,"-",rule)
say_html() -- say_html()
return true -- return true
end -- end
end -- end
end -- end
return false -- return false
end -- end
function denycc() -- function denycc()
if CCDeny then -- if CCDeny then
local uri=ngx.var.uri -- local uri=ngx.var.uri
CCcount=tonumber(string.match(CCrate,'(.*)/')) -- CCcount=tonumber(string.match(CCrate,'(.*)/'))
CCseconds=tonumber(string.match(CCrate,'/(.*)')) -- CCseconds=tonumber(string.match(CCrate,'/(.*)'))
local token = getClientIp()..uri -- local token = getClientIp()..uri
local limit = ngx.shared.limit -- local limit = ngx.shared.limit
local req,_ = limit:get(token) -- local req,_ = limit:get(token)
local ip = getClientIp() -- local ip = getClientIp()
local block,_ = limit:get(ip) -- local block,_ = limit:get(ip)
if block then -- if block then
ngx.exit(503) -- ngx.exit(503)
end -- end
if req then -- if req then
if req > CCcount then -- if req > CCcount then
limit:set(ip,1,DenySeconds) -- limit:set(ip,1,DenySeconds)
ngx.exit(503) -- ngx.exit(503)
return true -- return true
else -- else
limit:incr(token,1) -- limit:incr(token,1)
end -- end
else -- else
limit:set(token,1,CCseconds) -- limit:set(token,1,CCseconds)
end -- end
end -- end
return false -- return false
end -- end
function get_boundary() -- function get_boundary()
local header = get_headers()["content-type"] -- local header = get_headers()["content-type"]
if not header then -- if not header then
return nil -- return nil
end -- end
if type(header) == "table" then -- if type(header) == "table" then
header = header[1] -- header = header[1]
end -- end
local m = match(header, ";%s*boundary=\"([^\"]+)\"") -- local m = match(header, ";%s*boundary=\"([^\"]+)\"")
if m then -- if m then
return m -- return m
end -- end
return match(header, ";%s*boundary=([^\",;]+)") -- return match(header, ";%s*boundary=([^\",;]+)")
end -- end
function string.split(str, delimiter) -- function string.split(str, delimiter)
if str==nil or str=='' or delimiter==nil then -- if str==nil or str=='' or delimiter==nil then
return nil -- return nil
end -- end
local result = {} -- local result = {}
for match in (str..delimiter):gmatch("(.-)"..delimiter) do -- for match in (str..delimiter):gmatch("(.-)"..delimiter) do
table.insert(result, match) -- table.insert(result, match)
end -- end
return result -- return result
end -- end
function innet(ip, network) -- function innet(ip, network)
local star = '' -- local star = ''
for i in string.gmatch(network, '%*') do -- for i in string.gmatch(network, '%*') do
star = star..i -- star = star..i
end -- end
local ip = string.split(ip, '%.') -- local ip = string.split(ip, '%.')
local network = string.split(network, '%.') -- local network = string.split(network, '%.')
if ip == nil or network == nil then -- if ip == nil or network == nil then
return false -- return false
end -- end
local ip_prefix = {} -- local ip_prefix = {}
local network_prefix = {} -- local network_prefix = {}
for i=1, 4-string.len(star) do -- for i=1, 4-string.len(star) do
ip_prefix[i] = ip[i] -- ip_prefix[i] = ip[i]
network_prefix[i] = network[i] -- network_prefix[i] = network[i]
end -- end
ip_prefix = table.concat(ip_prefix, '.') -- ip_prefix = table.concat(ip_prefix, '.')
network_prefix = table.concat(network_prefix, '.') -- network_prefix = table.concat(network_prefix, '.')
if ip_prefix == network_prefix then -- if ip_prefix == network_prefix then
return true -- return true
else -- else
return false -- return false
end -- end
end -- end
function whiteip() -- function whiteip()
if next(ipWhitelist) ~= nil then -- if next(ipWhitelist) ~= nil then
ip = getClientIp() -- ip = getClientIp()
for _,wip in pairs(ipWhitelist) do -- for _,wip in pairs(ipWhitelist) do
if ip == wip or innet(ip, wip) then -- if ip == wip or innet(ip, wip) then
return true -- return true
end -- end
end -- end
end -- end
return false -- return false
end -- end
function blockip() -- function blockip()
if next(ipBlocklist) ~= nil then -- if next(ipBlocklist) ~= nil then
ip = getClientIp() -- ip = getClientIp()
for _,bip in pairs(ipBlocklist) do -- for _,bip in pairs(ipBlocklist) do
if ip == bip or ip=="0.0.0.0" or innet(ip, bip) then -- if ip == bip or ip=="0.0.0.0" or innet(ip, bip) then
ngx.exit(403) -- ngx.exit(403)
return true -- return true
end -- end
end -- end
end -- end
return false -- return false
end -- end