pull/81/head
TonyChyi 2016-01-22 12:41:21 +08:00
parent 8802cd6ac7
commit e3b48f7ae4
11 changed files with 149 additions and 67 deletions


@ -111,6 +111,9 @@ nginx安装路径假设为:/usr/local/nginx/conf/
post是只在post请求过滤的规则
whitelist是白名单里面的url匹配到不做过滤
user-agent是对user-agent的过滤规则
ipwhitelist是IP白名单一行一个IP
ipblacklist是IP黑名单一行一个IP
ccrate是CC防护的动态规则修改后生效
默认开启了get和post过滤需要开启cookie过滤的编辑waf.lua取消部分--注释即可


@ -1,45 +1,40 @@
RulePath = "/usr/local/nginx/conf/waf/wafconf/"
RulePath = "/app/openresty-xwjr/nginx/conf/waf/wafconf/"
attacklog = "on"
logdir = "/usr/local/nginx/logs/hack/"
logdir = "/var/log/nginx/hack/"
UrlDeny="on"
Redirect="on"
CookieMatch="on"
postMatch="on"
whiteModule="on"
black_fileExt={"php","jsp"}
ipWhitelist={"127.0.0.1"}
ipBlocklist={"1.0.0.1"}
uriWhitelist={"assets", "ccc"}
path403 = "403"
CCDeny="on"
CCrate="100/60"
CCrate="240/60"
html=[[
<html xmlns="http://www.w3.org/1999/xhtml"><head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<title></title>
<style>
p {
line-height:20px;
}
ul{ list-style-type:none;}
li{ list-style-type:none;}
</style>
<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<meta http-equiv="refresh" content="0.1;url=/403">
<script>window.location.href="/403";<script>
</head>
<body style=" padding:0; margin:0; font:14px/1.5 Microsoft Yahei, 宋体,sans-serif; color:#555;">
<div style="margin: 0 auto; width:1000px; padding-top:70px; overflow:hidden;">
<div style="width:600px; float:left;">
<div style=" height:40px; line-height:40px; color:#fff; font-size:16px; overflow:hidden; background:#6bb3f6; padding-left:20px;"> </div>
<div style="border:1px dashed #cdcece; border-top:none; font-size:14px; background:#fff; color:#555; line-height:24px; height:220px; padding:20px 20px 0 20px; overflow-y:auto;background:#f3f7f9;">
<p style=" margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px;"><span style=" font-weight:600; color:#fc4f03;"></span></p>
<p style=" margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px;"></p>
<p style=" margin-top:12px; margin-bottom:12px; margin-left:0px; margin-right:0px; -qt-block-indent:1; text-indent:0px;"></p>
<ul style="margin-top: 0px; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; -qt-list-indent: 1;"><li style=" margin-top:12px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px;">1</li>
<li style=" margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px;">2</li>
<li style=" margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px;">3访</li></ul>
</div>
</div>
</div>
</body></html>
<body>
<h1>WARNING</h1>
<body>
<html>
]]
html503=[[
<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<meta http-equiv="refresh" content="0.1;url=/503">
<script>window.location.href="/503";<script>
</head>
<body>
<h1>WARNING</h1>
<body>
<html>
]]
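Review bot: Both block pages are malformed HTML: on the lines `<script>window.location.href="/403";<script>` and `<script>window.location.href="/503";<script>` the second tag opens another script element instead of closing the first, so a browser treats the rest of the document as script text, and the trailing `<body>` / `<html>` lines open new elements where `</body>` / `</html>` should close the document. The meta refresh may still carry the client to /403 or /503, but the script fallback silently does nothing; the fix is `</script>` on those two lines and `</body></html>` at the end of both html and html503. Separately, ipWhitelist and ipBlocklist kept in this config look like dead values, since the init.lua hunk has whiteip() and blockip() reassign them from the ipwhitelist/ipblacklist rule files on every call; either drop them here or add a comment that the files take precedence. CCrate is in the same position, as denycc() now overrides it from the ccrate rule file whenever that file is non-empty.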

126
init.lua

@ -15,14 +15,24 @@ attacklog = optionIsOn(attacklog)
CCDeny = optionIsOn(CCDeny)
Redirect=optionIsOn(Redirect)
function getClientIp()
IP = ngx.req.get_headers()["X-Real-IP"]
if IP == nil then
IP = ngx.var.remote_addr
end
if IP == nil then
IP = "unknown"
end
return IP
IP = ngx.req.get_headers()["X-Real-IP"]
if IP == nil then
IP = ngx.var.remote_addr
end
if IP == nil then
IP = "unknown"
end
return IP
end
function getSLBIP()
IP = ngx.req.get_headers()["x_forwarded_for"]
if IP == nil then
IP = ngx.var.remote_addr
end
if IP == nil then
IP = "unknown"
end
return IP
end
function write(logfile,msg)
local fd = io.open(logfile,"ab")
@ -34,13 +44,14 @@ end
function log(method,url,data,ruletag)
if attacklog then
local realIp = getClientIp()
local xTransIP = getSLBIP()
local ua = ngx.var.http_user_agent
local servername=ngx.var.server_name
local time=ngx.localtime()
if ua then
line = realIp.." ["..time.."] \""..method.." "..servername..url.."\" \""..data.."\" \""..ua.."\" \""..ruletag.."\"\n"
line = realIp.." "..xTransIP.." ["..time.."] \""..method.." "..servername..url.."\" \""..data.."\" \""..ua.."\" \""..ruletag.."\"\n"
else
line = realIp.." ["..time.."] \""..method.." "..servername..url.."\" \""..data.."\" - \""..ruletag.."\"\n"
line = realIp.." "..xTransIP.." ["..time.."] \""..method.." "..servername..url.."\" \""..data.."\" - \""..ruletag.."\"\n"
end
local filename = logpath..'/'..servername.."_"..ngx.today().."_sec.log"
write(filename,line)
@ -67,6 +78,13 @@ wturlrules=read_rule('whiteurl')
postrules=read_rule('post')
ckrules=read_rule('cookie')
function getWhiteList()
return read_rule("ipwhitelist")
end
function getBlackList()
return read_rule("ipblacklist")
end
function say_html()
if Redirect then
@ -77,13 +95,23 @@ function say_html()
end
end
function say_html_503()
if Redirect then
ngx.header.content_type = "text/html"
ngx.status = ngx.HTTP_SERVICE_UNAVAILABLE
ngx.say(html503)
ngx.exit(ngx.status)
end
end
function whiteurl()
if WhiteCheck then
if wturlrules ~=nil then
for _,rule in pairs(wturlrules) do
if ngxmatch(ngx.var.uri,rule,"isjo") then
return true
end
end
end
end
end
@ -95,17 +123,17 @@ function fileExtCheck(ext)
if ext then
for rule in pairs(items) do
if ngx.re.match(ext,rule,"isjo") then
log('POST',ngx.var.request_uri,"-","file attack with ext "..ext)
say_html()
log('POST',ngx.var.request_uri,"-","file attack with ext "..ext)
say_html()
end
end
end
return false
end
function Set (list)
local set = {}
for _, l in ipairs(list) do set[l] = true end
return set
local set = {}
for _, l in ipairs(list) do set[l] = true end
return set
end
function args()
@ -127,7 +155,6 @@ function args()
return false
end
function url()
if UrlDeny then
for _,rule in pairs(urlrules) do
@ -148,7 +175,7 @@ function ua()
if rule ~="" and ngxmatch(ua,rule,"isjo") then
log('UA',ngx.var.request_uri,"-",rule)
say_html()
return true
return true
end
end
end
@ -171,7 +198,7 @@ function cookie()
if rule ~="" and ngxmatch(ck,rule,"isjo") then
log('Cookie',ngx.var.request_uri,"-",rule)
say_html()
return true
return true
end
end
end
@ -180,6 +207,17 @@ end
function denycc()
if CCDeny then
-- Yep, use wafconfig
ccconf = read_rule("ccrate")
if next(ccconf) ~= nil then
for _, conf in pairs(ccconf) do
CCrate = conf
conf = nil
break
end
end
ccconf = nil
-- Done
local uri=ngx.var.uri
CCcount=tonumber(string.match(CCrate,'(.*)/'))
CCseconds=tonumber(string.match(CCrate,'/(.*)'))
@ -188,10 +226,13 @@ function denycc()
local req,_=limit:get(token)
if req then
if req > CCcount then
ngx.exit(503)
-- ngx.say(html503)
-- ngx.exit(503)
log('CC',ngx.var.request_uri,"-","We are under attack!")
say_html_503()
return true
else
limit:incr(token,1)
limit:incr(token,1)
end
else
limit:set(token,1,CCseconds)
@ -219,6 +260,7 @@ function get_boundary()
end
function whiteip()
ipWhitelist = getWhiteList()
if next(ipWhitelist) ~= nil then
for _,ip in pairs(ipWhitelist) do
if getClientIp()==ip then
@ -226,17 +268,39 @@ function whiteip()
end
end
end
return false
return false
end
function blockip()
if next(ipBlocklist) ~= nil then
for _,ip in pairs(ipBlocklist) do
if getClientIp()==ip then
ngx.exit(403)
return true
end
end
end
return false
ipBlocklist = getBlackList()
if next(ipBlocklist) ~= nil then
for _,ip in pairs(ipBlocklist) do
if getClientIp()==ip then
if path403 == nil then
path403 = "403"
end
if string.match(ngx.var.request_uri, '/(.*)') ~= path403 then
p = string.match(ngx.var.request_uri, '/([a-zA-Z0-9]*)')
if next(uriWhitelist) ~= nil and p ~= nil then
deny = true
for _,uri in pairs(uriWhitelist) do
if ngx.re.match(p,uri,"isjo") then
deny = false
break
end
end
if deny == true then
log('DENY',ngx.var.request_uri,"-","GO HELL!")
say_html()
end
return true
end
end
return true
end
end
end
return false
end
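Review bot: In blockip(), a blacklisted client whose first path segment matches any uriWhitelist pattern is neither denied nor logged, yet the function still returns true; if waf.lua treats that return as "request handled" (not visible here), such requests also skip the remaining url/args/ua/cookie checks, so the URI whitelist becomes a bypass for exactly the addresses you chose to block. `ngx.re.match(p,uri,"isjo")` is also unanchored, so the default `assets` entry matches any segment containing that substring; compare `p == uri` or match `"^"..uri.."$"`. `p` and `deny` are assigned without `local` and become worker-wide globals (`IP` in the new getSLBIP() has the same problem), and `string.match(ngx.var.request_uri, '/(.*)')` includes the query string, so `/403?x=1` from a blocked address goes to say_html() instead of the 403 page; `ngx.var.uri` is the right value to compare. In log(), the value returned by getSLBIP() is the raw x_forwarded_for header written into the space-delimited line without quoting, so a client can break the log format with spaces or newlines; wrap it in quotes like ua and ruletag, or strip whitespace before use. Finally getWhiteList(), getBlackList() and read_rule("ccrate") now do blocking file I/O on every request inside whiteip(), blockip() and denycc(); loading them once at init, as the `postrules=read_rule('post')` lines already do, avoids that cost.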


@ -1,4 +1,4 @@
lua_package_path "waf/?.lua";
lua_package_path "/app/openresty-xwjr/nginx/conf/waf/?.lua";
lua_shared_dict limit 10m;
init_by_lua_file conf/waf/init.lua;
access_by_lua_file conf/waf/waf.lua;
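Review bot: `lua_package_path "/app/openresty-xwjr/nginx/conf/waf/?.lua";` hard-codes one deployment's install prefix into a shared config, while `init_by_lua_file conf/waf/init.lua;` and `access_by_lua_file conf/waf/waf.lua;` in the same file stay prefix-relative; the same absolute prefix is written into RulePath in the config.lua hunk. OpenResty expands `$prefix` in this directive, so `lua_package_path "$prefix/conf/waf/?.lua;;";` keeps the path portable (the trailing `;;` preserves the default search path); otherwise document that both lines must be edited per install.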


@ -2,6 +2,8 @@
\:\$
\$\{
select.+(from|limit)
delete from
update.+set.+\=
(?:(union(.*?)select))
having|rongjitest
sleep\((\s*)(\d*)(\s*)\)
@ -20,3 +22,7 @@ java\.lang
\$_(GET|post|cookie|files|session|env|phplib|GLOBALS|SERVER)\[
\<(iframe|script|body|img|layer|div|meta|style|base|object|input)
(onmouseover|onerror|onload)\=
drop (table|database).+
truncate table
insert into.+(select|values)
create (table|database)
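Review bot: The added rules `delete from`, `truncate table`, `create (table|database)` and `drop (table|database).+` are bare English phrases with no anchoring or SQL context, and if args() applies them with the same `"isjo"` flags as the ua() and cookie() calls in init.lua they fire case-insensitively on ordinary request data — a comment saying "please delete from my list" or any text containing "create table" blocks the request and is logged as an attack. Requiring surrounding SQL syntax (for example `delete\s+from\s+\w+` or `truncate\s+table\s+\w+`) would cut those false positives, and `update.+set.+\=` with two greedy `.+` under the `s` flag is worth timing against long bodies for backtracking cost. The same four-rule block is added to the other two rule files in this commit, so whatever is decided here applies there as well.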

1
wafconf/ccrate Normal file

@ -0,0 +1 @@
240/60


@ -2,6 +2,8 @@
\:\$
\$\{
select.+(from|limit)
delete from
update.+set.+\=
(?:(union(.*?)select))
having|rongjitest
sleep\((\s*)(\d*)(\s*)\)
@ -18,3 +20,7 @@ xwork\.MethodAccessor
(gopher|doc|php|glob|file|phar|zlib|ftp|ldap|dict|ogg|data)\:\/
java\.lang
\$_(GET|post|cookie|files|session|env|phplib|GLOBALS|SERVER)\[
drop (table|database).+
truncate table
insert into.+(select|values)
create (table|database)

0
wafconf/ipblacklist Normal file

1
wafconf/ipwhitelist Normal file

@ -0,0 +1 @@
127.0.0.1
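Review bot: Entries in this file are compared against getClientIp() in whiteip(), and that function reads the X-Real-IP request header before falling back to remote_addr; unless nginx sits behind a proxy that always overwrites X-Real-IP, the compared value is under the client's control and whitelisting `127.0.0.1` presumably exempts any request carrying that header value from the later checks. Either compare whitelist entries against `ngx.var.remote_addr`, or document that the deployment's proxy must set X-Real-IP unconditionally. This file is also now the sole run-time source of the whitelist, superseding ipWhitelist in config.lua, which is worth a line in the README hunk.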


@ -1,4 +1,6 @@
select.+(from|limit)
delete from
update.+set.+\=
(?:(union(.*?)select))
having|rongjitest
sleep\((\s*)(\d*)(\s*)\)
@ -17,3 +19,7 @@ java\.lang
\$_(GET|post|cookie|files|session|env|phplib|GLOBALS|SERVER)\[
\<(iframe|script|body|img|layer|div|meta|style|base|object|input)
(onmouseover|onerror|onload)\=
drop (table|database).+
truncate table
insert into.+(select|values)
create (table|database)


@ -1 +1 @@
(HTTrack|harvest|audit|dirbuster|pangolin|nmap|sqln|-scan|hydra|Parser|libwww|BBBike|sqlmap|w3af|owasp|Nikto|fimap|havij|PycURL|zmeu|BabyKrokodil|netsparker|httperf|bench| SF/)
(HTTrack|harvest|audit|dirbuster|pangolin|nmap|sqln|-scan|hydra|Parser|libwww|BBBike|sqlmap|w3af|owasp|Nikto|fimap|havij|PycURL|zmeu|BabyKrokodil|netsparker|httperf| SF/)