ibuler 2016-06-18 11:08:29 +08:00
parent 14bff06b0f
commit d919acf558
2 changed files with 98 additions and 100 deletions


@ -1,5 +1,5 @@
debug = false debug = false
rule_path = "/usr/local/nginx/conf/waf/wafconf/" rule_path = "/data/server/nginx/conf/waf/wafconf/"
url_check = false url_check = false
url_write_check = false url_write_check = false
args_check = false args_check = false

init.lua

@ -42,25 +42,25 @@ function log(method, url, data, tag)
end end
------------------------------------ 规则读取函数 ----------------------------------------- ------------------------------------ 规则读取函数 -----------------------------------------
function readRule(var) -- function readRule(var)
file = io.open(rule_path..'/'..var, "r") -- file = io.open(rule_path..'/'..var, "r")
if file == nil then -- if file == nil then
return -- return
end -- end
t = {} -- t = {}
for line in file:lines() do -- for line in file:lines() do
table.insert(t, line) -- table.insert(t, line)
end -- end
file:close() -- file:close()
return(t) -- return(t)
end -- end
url_rules = readRule('url') -- url_rules = readRule('url')
white_url_rules = readRule('white_url') -- white_url_rules = readRule('white_url')
args_rules = readRule('args') -- args_rules = readRule('args')
ua_rules = readRule('user_agent') -- ua_rules = readRule('user_agent')
post_rules = readRule('post') -- post_rules = readRule('post')
cookie_rules = readRule('cookie') -- cookie_rules = readRule('cookie')
function debugSay(msg) function debugSay(msg)
@ -73,67 +73,67 @@ function debugSay(msg)
end end
function whiteURLCheck() -- function whiteURLCheck()
if white_url_rules ~= nil then -- if white_url_rules ~= nil then
for _, rule in pairs(white_url_rules) do -- for _, rule in pairs(white_url_rules) do
if ngx_match(ngx.var.uri, rule, "isjo") then -- if ngx_match(ngx.var.uri, rule, "isjo") then
return true -- return true
end -- end
end -- end
end -- end
return false -- return false
end -- end
function fileExtCheck(ext, black_file_ext) -- function fileExtCheck(ext, black_file_ext)
local items = Set(black_fileExt) -- local items = Set(black_fileExt)
ext = string.lower(ext) -- ext = string.lower(ext)
if ext then -- if ext then
for rule in pairs(items) do -- for rule in pairs(items) do
if ngx.re.match(ext, rule, "isjo") then -- if ngx.re.match(ext, rule, "isjo") then
if attack_log then -- if attack_log then
log('POST',ngx.var.request_uri,"-","file attack with ext "..ext) -- log('POST',ngx.var.request_uri,"-","file attack with ext "..ext)
end -- end
if debug then -- if debug then
debugSay(ngx.var.request_uri.."-".."file attack with ext: "..ext) -- debugSay(ngx.var.request_uri.."-".."file attack with ext: "..ext)
end -- end
end -- end
end -- end
end -- end
return false -- return false
end -- end
function set(list) -- function set(list)
local set = {} -- local set = {}
for _, l in ipairs(list) do -- for _, l in ipairs(list) do
set[l] = true -- set[l] = true
end -- end
return set -- return set
end -- end
function checkArgs() -- function checkArgs()
for _, rule in pairs(args_rules) do -- for _, rule in pairs(args_rules) do
local args = ngx.req.get_uri_args() -- local args = ngx.req.get_uri_args()
for key, val in pairs(args) do -- for key, val in pairs(args) do
if type(val) == 'table' then -- if type(val) == 'table' then
if val ~= false then -- if val ~= false then
data = table.concat(val, " ") -- data = table.concat(val, " ")
end -- end
else -- else
data = val -- data = val
end -- end
if data and type(data) ~= "boolean" and rule ~="" and ngx_match(unescape(data), rule, "isjo") then -- if data and type(data) ~= "boolean" and rule ~="" and ngx_match(unescape(data), rule, "isjo") then
log('GET', ngx.var.request_uri, "-", rule) -- log('GET', ngx.var.request_uri, "-", rule)
debugSay(ngx.var.request_uri.."-"..rule) -- debugSay(ngx.var.request_uri.."-"..rule)
return true -- return true
end -- end
end -- end
end -- end
return false -- return false
end -- end
-- function url() -- function url()
@ -188,35 +188,33 @@ end
-- return false -- return false
-- end -- end
-- function denycc() function denyCC(cc_rate, cc_deny_seconds)
-- if CCDeny then local uri = ngx.var.uri
-- local uri=ngx.var.uri cc_count = tonumber(string.match(cc_rate, '(.*)/'))
-- CCcount=tonumber(string.match(CCrate,'(.*)/')) cc_seconds = tonumber(string.match(cc_rate, '/(.*)'))
-- CCseconds=tonumber(string.match(CCrate,'/(.*)')) local token = getClientIp()..uri
-- local token = getClientIp()..uri local limit = ngx.shared.limit
-- local limit = ngx.shared.limit local req, _ = limit:get(token)
-- local req,_ = limit:get(token) local ip = getClientIp()
-- local ip = getClientIp() local block, _ = limit:get(ip)
-- local block,_ = limit:get(ip)
-- if block then if block then
-- ngx.exit(503) ngx.exit(405)
-- end end
-- if req then if req then
-- if req > CCcount then if req > cc_count then
-- limit:set(ip,1,DenySeconds) limit:set(ip, 1, cc_deny_seconds)
-- ngx.exit(503) ngx.exit(405)
-- return true return false
-- else else
-- limit:incr(token,1) limit:incr(token, 1)
-- end end
-- else else
-- limit:set(token,1,CCseconds) limit:set(token, 1, cc_seconds)
-- end end
-- end return true
-- return false end
-- end
-- function get_boundary() -- function get_boundary()
-- local header = get_headers()["content-type"] -- local header = get_headers()["content-type"]