modify

config.lua

@@ -14,11 +14,10 @@ attach_log_dir = "/data/logs/waf/"
 
 redirect = false
 redirect_url = "http://www.baidu.com"
-ip_white_list = {"127.0.0.1", "172.16.1.*"}
+ip_check = false
-ip_black_list = {"1.0.0.1", "172.16.1.*"}
+ip_white_list = {"127.0.0.1", "172.16.1"}
+ip_black_list = {"1.0.0.1", "172.16.1"}
 
 cc_deny = false
 cc_rate = "100/60"
 cc_deny_seconds = "600"
-cc_redirect = false
-cc_redirect_url = redirect_url

entry.lua

@@ -1,10 +1,13 @@
 --------- Global default config -------
 require 'config'
 --------- Local config setting --------
-cc_deny = false
+cc_deny = true
 cc_rate = '10/60'
 
 --------- Init project ----------------
 require 'init'
 --------- Access control limit --------
-require ''
+if cc_deny and denyCC(cc_rate, cc_deny_seconds) then
+elseif ip_check and (whiteIP() or blackIP()) then
+else return
+end

init.lua

@@ -193,16 +193,15 @@ function denyCC(cc_rate, cc_deny_seconds)
     cc_seconds = tonumber(string.match(cc_rate, '/(.*)'))
     local token = getClientIp()..uri
     local limit = ngx.shared.limit
-    local req, _ = limit:get(token)
+    local req, _ = limit:get(token) -- 127.0.0.1_/price/v1.0: 10
     local ip = getClientIp()
-    local block, _ = limit:get(ip)
+    local block, _ = limit:get(ip) -- 127.0.0.1: 1
 
     if block then
         if debug then
             ngx.say('Deny by waf.')
+            ngx.exit('200')
             return false
-        elseif cc_redirect then
-            ngx.redirect(cc_redirect_url)
         else
             ngx.exit(404)
         end
@@ -219,7 +218,7 @@ function denyCC(cc_rate, cc_deny_seconds)
     else
         limit:set(token, 1, cc_seconds)
     end
-    return true
+    return false
 end
 
 -- function get_boundary()
@@ -252,56 +251,36 @@ end
 --     return result
 -- end
 
--- function innet(ip, network)
+function innet(ip, network)
---     local star = ''
+    matched = string.match(ip, network)
---     for i in string.gmatch(network, '%*') do
+    if match then
---         star = star..i
+        return true
---     end
+    else
+        return false
+    end
+end
 
---     local ip = string.split(ip, '%.')
+function whiteIP()
---     local network = string.split(network, '%.')
+    if next(ip_white_list) ~= nil then
---     if ip == nil or network == nil then
+        ip = getClientIp()
---         return false
+        for _, wip in pairs(ip_white_list) do
---     end
+            if ip == wip or innet(ip, wip) then
+                return true
+            end
+        end
+    end
+    return false
+end
 
---     local ip_prefix = {}
+function blackIP()
---     local network_prefix = {}
+     if next(ip_black_list) ~= nil then
---     for i=1, 4-string.len(star) do
+        ip = getClientIp()
---         ip_prefix[i] = ip[i]
+         for _, bip in pairs(ip_black_list) do
---         network_prefix[i] = network[i]
+             if ip == bip or ip == "0.0.0.0" or innet(ip, bip) then
---     end
+                 ngx.exit(403)
-
+                 return true
---     ip_prefix = table.concat(ip_prefix, '.')
+             end
---     network_prefix = table.concat(network_prefix, '.')
+         end
-
+     end
---     if ip_prefix == network_prefix then
+     return false
---         return true
+end
---     else
---         return false
---     end
--- end
-
--- function whiteip()
---     if next(ipWhitelist) ~= nil then
---         ip = getClientIp()
---         for _,wip in pairs(ipWhitelist) do
---             if ip == wip or innet(ip, wip) then
---                 return true
---             end
---         end
---     end
---         return false
--- end
-
--- function blockip()
---      if next(ipBlocklist) ~= nil then
---         ip = getClientIp()
---          for _,bip in pairs(ipBlocklist) do
---              if ip == bip or ip=="0.0.0.0" or innet(ip, bip) then
---                  ngx.exit(403)
---                  return true
---              end
---          end
---      end
---          return false
--- end