From e3b48f7ae4ccedbe0580a2d19fb22297a4f9f1c2 Mon Sep 17 00:00:00 2001
From: TonyChyi <tonychee1989@gmail.com>
Date: Fri, 22 Jan 2016 12:41:21 +0800
Subject: [PATCH] modify

---
 README.md           |   3 ++
 config.lua          |  63 ++++++++++------------
 init.lua            | 126 +++++++++++++++++++++++++++++++++-----------
 ngx.conf            |   2 +-
 wafconf/args        |   6 +++
 wafconf/ccrate      |   1 +
 wafconf/cookie      |   6 +++
 wafconf/ipblacklist |   0
 wafconf/ipwhitelist |   1 +
 wafconf/post        |   6 +++
 wafconf/user-agent  |   2 +-
 11 files changed, 149 insertions(+), 67 deletions(-)
 create mode 100644 wafconf/ccrate
 create mode 100644 wafconf/ipblacklist
 create mode 100644 wafconf/ipwhitelist

diff --git a/README.md b/README.md
index 72b1ed3..b546a7d 100644
--- a/README.md
+++ b/README.md
@@ -111,6 +111,9 @@ nginx安装路径假设为:/usr/local/nginx/conf/
 		post是只在post请求过滤的规则		
 		whitelist是白名单，里面的url匹配到不做过滤		
 		user-agent是对user-agent的过滤规则
+        ipwhitelist是IP白名单，一行一个IP
+        ipblacklist是IP黑名单，一行一个IP
+        ccrate是CC防护的动态规则，修改后生效
 	
 
 	默认开启了get和post过滤，需要开启cookie过滤的，编辑waf.lua取消部分--注释即可
diff --git a/config.lua b/config.lua
index 1345c69..34d510c 100644
--- a/config.lua
+++ b/config.lua
@@ -1,45 +1,40 @@
-RulePath = "/usr/local/nginx/conf/waf/wafconf/"
+RulePath = "/app/openresty-xwjr/nginx/conf/waf/wafconf/"
 attacklog = "on"
-logdir = "/usr/local/nginx/logs/hack/"
+logdir = "/var/log/nginx/hack/"
 UrlDeny="on"
 Redirect="on"
 CookieMatch="on"
 postMatch="on" 
 whiteModule="on" 
 black_fileExt={"php","jsp"}
-ipWhitelist={"127.0.0.1"}
-ipBlocklist={"1.0.0.1"}
+uriWhitelist={"assets", "ccc"}
+path403 = "403"
 CCDeny="on"
-CCrate="100/60"
+CCrate="240/60"
 html=[[
-<html xmlns="http://www.w3.org/1999/xhtml"><head>
-<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
-<title>网站防火墙</title>
-<style>
-p {
-	line-height:20px;
-}
-ul{ list-style-type:none;}
-li{ list-style-type:none;}
-</style>
+<!DOCTYPE html>
+<html>
+<head>
+<meta charset="utf-8">
+<meta http-equiv="refresh" content="0.1;url=/403">
+<script>window.location.href="/403";<script>
 </head>
-
-<body style=" padding:0; margin:0; font:14px/1.5 Microsoft Yahei, 宋体,sans-serif; color:#555;">
-
- <div style="margin: 0 auto; width:1000px; padding-top:70px; overflow:hidden;">
-  
-  
-  <div style="width:600px; float:left;">
-    <div style=" height:40px; line-height:40px; color:#fff; font-size:16px; overflow:hidden; background:#6bb3f6; padding-left:20px;">网站防火墙 </div>
-    <div style="border:1px dashed #cdcece; border-top:none; font-size:14px; background:#fff; color:#555; line-height:24px; height:220px; padding:20px 20px 0 20px; overflow-y:auto;background:#f3f7f9;">
-      <p style=" margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px;"><span style=" font-weight:600; color:#fc4f03;">您的请求带有不合法参数，已被网站管理员设置拦截！</span></p>
-<p style=" margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px;">可能原因：您提交的内容包含危险的攻击请求</p>
-<p style=" margin-top:12px; margin-bottom:12px; margin-left:0px; margin-right:0px; -qt-block-indent:1; text-indent:0px;">如何解决：</p>
-<ul style="margin-top: 0px; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; -qt-list-indent: 1;"><li style=" margin-top:12px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px;">1）检查提交内容；</li>
-<li style=" margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px;">2）如网站托管，请联系空间提供商；</li>
-<li style=" margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px;">3）普通网站访客，请联系网站管理员；</li></ul>
-    </div>
-  </div>
-</div>
-</body></html>
+<body>
+<h1>WARNING</h1>
+<body>
+<html>
+]]
+html503=[[
+<!DOCTYPE html>
+<html>
+<head>
+<meta charset="utf-8">
+<meta http-equiv="refresh" content="0.1;url=/503">
+<script>window.location.href="/503";<script>
+</head>
+<body>
+<h1>WARNING</h1>
+<body>
+<html>
+
 ]]
diff --git a/init.lua b/init.lua
index de225bd..f1ea07d 100644
--- a/init.lua
+++ b/init.lua
@@ -15,14 +15,24 @@ attacklog = optionIsOn(attacklog)
 CCDeny = optionIsOn(CCDeny)
 Redirect=optionIsOn(Redirect)
 function getClientIp()
-        IP = ngx.req.get_headers()["X-Real-IP"]
-        if IP == nil then
-                IP  = ngx.var.remote_addr 
-        end
-        if IP == nil then
-                IP  = "unknown"
-        end
-        return IP
+    IP = ngx.req.get_headers()["X-Real-IP"]
+    if IP == nil then
+        IP  = ngx.var.remote_addr 
+    end
+    if IP == nil then
+        IP = "unknown"
+    end
+    return IP
+end
+function getSLBIP()
+    IP = ngx.req.get_headers()["x_forwarded_for"]
+    if IP == nil then
+        IP = ngx.var.remote_addr
+    end
+    if IP == nil then
+        IP = "unknown"
+    end
+    return IP
 end
 function write(logfile,msg)
     local fd = io.open(logfile,"ab")
@@ -34,13 +44,14 @@ end
 function log(method,url,data,ruletag)
     if attacklog then
         local realIp = getClientIp()
+        local xTransIP = getSLBIP()
         local ua = ngx.var.http_user_agent
         local servername=ngx.var.server_name
         local time=ngx.localtime()
         if ua  then
-            line = realIp.." ["..time.."] \""..method.." "..servername..url.."\" \""..data.."\"  \""..ua.."\" \""..ruletag.."\"\n"
+            line = realIp.." "..xTransIP.." ["..time.."] \""..method.." "..servername..url.."\" \""..data.."\"  \""..ua.."\" \""..ruletag.."\"\n"
         else
-            line = realIp.." ["..time.."] \""..method.." "..servername..url.."\" \""..data.."\" - \""..ruletag.."\"\n"
+            line = realIp.." "..xTransIP.." ["..time.."] \""..method.." "..servername..url.."\" \""..data.."\" - \""..ruletag.."\"\n"
         end
         local filename = logpath..'/'..servername.."_"..ngx.today().."_sec.log"
         write(filename,line)
@@ -67,6 +78,13 @@ wturlrules=read_rule('whiteurl')
 postrules=read_rule('post')
 ckrules=read_rule('cookie')
 
+function getWhiteList()
+    return read_rule("ipwhitelist")
+end 
+
+function getBlackList()
+    return read_rule("ipblacklist")
+end
 
 function say_html()
     if Redirect then
@@ -77,13 +95,23 @@ function say_html()
     end
 end
 
+function say_html_503()
+    if Redirect then
+        ngx.header.content_type = "text/html"
+        ngx.status = ngx.HTTP_SERVICE_UNAVAILABLE
+        ngx.say(html503)
+        ngx.exit(ngx.status)
+    end
+end
+
+
 function whiteurl()
     if WhiteCheck then
         if wturlrules ~=nil then
             for _,rule in pairs(wturlrules) do
                 if ngxmatch(ngx.var.uri,rule,"isjo") then
                     return true 
-                 end
+                end
             end
         end
     end
@@ -95,17 +123,17 @@ function fileExtCheck(ext)
     if ext then
         for rule in pairs(items) do
             if ngx.re.match(ext,rule,"isjo") then
-	        log('POST',ngx.var.request_uri,"-","file attack with ext "..ext)
-            say_html()
+                log('POST',ngx.var.request_uri,"-","file attack with ext "..ext)
+                say_html()
             end
         end
     end
     return false
 end
 function Set (list)
-  local set = {}
-  for _, l in ipairs(list) do set[l] = true end
-  return set
+    local set = {}
+    for _, l in ipairs(list) do set[l] = true end
+    return set
 end
 
 function args()
@@ -127,7 +155,6 @@ function args()
     return false
 end
 
-
 function url()
     if UrlDeny then
         for _,rule in pairs(urlrules) do
@@ -148,7 +175,7 @@ function ua()
             if rule ~="" and ngxmatch(ua,rule,"isjo") then
                 log('UA',ngx.var.request_uri,"-",rule)
                 say_html()
-            return true
+                return true
             end
         end
     end
@@ -171,7 +198,7 @@ function cookie()
             if rule ~="" and ngxmatch(ck,rule,"isjo") then
                 log('Cookie',ngx.var.request_uri,"-",rule)
                 say_html()
-            return true
+                return true
             end
         end
     end
@@ -180,6 +207,17 @@ end
 
 function denycc()
     if CCDeny then
+        -- Yep, use wafconfig 
+        ccconf = read_rule("ccrate")
+        if next(ccconf) ~= nil then
+            for _, conf in pairs(ccconf) do
+                CCrate = conf
+                conf = nil
+                break
+            end
+        end
+        ccconf = nil
+        -- Done
         local uri=ngx.var.uri
         CCcount=tonumber(string.match(CCrate,'(.*)/'))
         CCseconds=tonumber(string.match(CCrate,'/(.*)'))
@@ -188,10 +226,13 @@ function denycc()
         local req,_=limit:get(token)
         if req then
             if req > CCcount then
-                 ngx.exit(503)
+                -- ngx.say(html503)
+                -- ngx.exit(503)
+                log('CC',ngx.var.request_uri,"-","We are under attack!")
+                say_html_503()
                 return true
             else
-                 limit:incr(token,1)
+                limit:incr(token,1)
             end
         else
             limit:set(token,1,CCseconds)
@@ -219,6 +260,7 @@ function get_boundary()
 end
 
 function whiteip()
+    ipWhitelist = getWhiteList()
     if next(ipWhitelist) ~= nil then
         for _,ip in pairs(ipWhitelist) do
             if getClientIp()==ip then
@@ -226,17 +268,39 @@ function whiteip()
             end
         end
     end
-        return false
+    return false
 end
 
 function blockip()
-     if next(ipBlocklist) ~= nil then
-         for _,ip in pairs(ipBlocklist) do
-             if getClientIp()==ip then
-                 ngx.exit(403)
-                 return true
-             end
-         end
-     end
-         return false
+    ipBlocklist = getBlackList()
+    if next(ipBlocklist) ~= nil then
+        for _,ip in pairs(ipBlocklist) do
+            if getClientIp()==ip then
+                if path403 == nil then
+                    path403 = "403"
+                end
+                if string.match(ngx.var.request_uri, '/(.*)') ~= path403 then
+                    p = string.match(ngx.var.request_uri, '/([a-zA-Z0-9]*)')
+                    if next(uriWhitelist) ~= nil and p ~= nil then
+                        deny = true
+                        for _,uri in pairs(uriWhitelist) do
+                            if ngx.re.match(p,uri,"isjo") then
+                                deny = false
+                                break
+                            end
+                        end
+                        if deny == true then
+                            log('DENY',ngx.var.request_uri,"-","GO HELL!")
+                            say_html()
+                        end
+                        return true
+                    end
+                end
+
+                return true
+            end
+        end
+    end
+    return false
 end
+
diff --git a/ngx.conf b/ngx.conf
index bfb503f..1485d58 100644
--- a/ngx.conf
+++ b/ngx.conf
@@ -1,4 +1,4 @@
- lua_package_path "waf/?.lua";
+ lua_package_path "/app/openresty-xwjr/nginx/conf/waf/?.lua";
  lua_shared_dict limit 10m;
  init_by_lua_file  conf/waf/init.lua; 
  access_by_lua_file conf/waf/waf.lua;
diff --git a/wafconf/args b/wafconf/args
index d5bf8e8..5213b6b 100644
--- a/wafconf/args
+++ b/wafconf/args
@@ -2,6 +2,8 @@
 \:\$
 \$\{
 select.+(from|limit)
+delete from
+update.+set.+\=
 (?:(union(.*?)select))
 having|rongjitest
 sleep\((\s*)(\d*)(\s*)\)
@@ -20,3 +22,7 @@ java\.lang
 \$_(GET|post|cookie|files|session|env|phplib|GLOBALS|SERVER)\[
 \<(iframe|script|body|img|layer|div|meta|style|base|object|input)
 (onmouseover|onerror|onload)\=
+drop (table|database).+
+truncate table
+insert into.+(select|values)
+create (table|database)
diff --git a/wafconf/ccrate b/wafconf/ccrate
new file mode 100644
index 0000000..a7e7568
--- /dev/null
+++ b/wafconf/ccrate
@@ -0,0 +1 @@
+240/60
diff --git a/wafconf/cookie b/wafconf/cookie
index 30554ca..608800a 100644
--- a/wafconf/cookie
+++ b/wafconf/cookie
@@ -2,6 +2,8 @@
 \:\$
 \$\{
 select.+(from|limit)
+delete from
+update.+set.+\=
 (?:(union(.*?)select))
 having|rongjitest
 sleep\((\s*)(\d*)(\s*)\)
@@ -18,3 +20,7 @@ xwork\.MethodAccessor
 (gopher|doc|php|glob|file|phar|zlib|ftp|ldap|dict|ogg|data)\:\/
 java\.lang
 \$_(GET|post|cookie|files|session|env|phplib|GLOBALS|SERVER)\[
+drop (table|database).+
+truncate table
+insert into.+(select|values)
+create (table|database)
diff --git a/wafconf/ipblacklist b/wafconf/ipblacklist
new file mode 100644
index 0000000..e69de29
diff --git a/wafconf/ipwhitelist b/wafconf/ipwhitelist
new file mode 100644
index 0000000..7b9ad53
--- /dev/null
+++ b/wafconf/ipwhitelist
@@ -0,0 +1 @@
+127.0.0.1
diff --git a/wafconf/post b/wafconf/post
index 87d0946..7a2be26 100644
--- a/wafconf/post
+++ b/wafconf/post
@@ -1,4 +1,6 @@
 select.+(from|limit)
+delete from
+update.+set.+\=
 (?:(union(.*?)select))
 having|rongjitest
 sleep\((\s*)(\d*)(\s*)\)
@@ -17,3 +19,7 @@ java\.lang
 \$_(GET|post|cookie|files|session|env|phplib|GLOBALS|SERVER)\[
 \<(iframe|script|body|img|layer|div|meta|style|base|object|input)
 (onmouseover|onerror|onload)\=
+drop (table|database).+
+truncate table
+insert into.+(select|values)
+create (table|database)
diff --git a/wafconf/user-agent b/wafconf/user-agent
index f929be2..28f7e36 100644
--- a/wafconf/user-agent
+++ b/wafconf/user-agent
@@ -1 +1 @@
-(HTTrack|harvest|audit|dirbuster|pangolin|nmap|sqln|-scan|hydra|Parser|libwww|BBBike|sqlmap|w3af|owasp|Nikto|fimap|havij|PycURL|zmeu|BabyKrokodil|netsparker|httperf|bench| SF/)
+(HTTrack|harvest|audit|dirbuster|pangolin|nmap|sqln|-scan|hydra|Parser|libwww|BBBike|sqlmap|w3af|owasp|Nikto|fimap|havij|PycURL|zmeu|BabyKrokodil|netsparker|httperf| SF/)