Update

2016-06-17 16:37:17 +08:00 · 2016-06-17 16:37:17 +08:00 · e679b8993d
parent 2fb6dc226e
commit e679b8993d
4 changed files with 85 additions and 107 deletions
--- a/config.lua
+++ b/config.lua
@ -1,46 +1,24 @@
-RulePath = "/usr/local/nginx/conf/waf/wafconf/"
+debug = false
-attacklog = "on"
+rule_path = "/usr/local/nginx/conf/waf/wafconf/"
-logdir = "/usr/local/nginx/logs/hack/"
+url_check = false
-UrlDeny="on"
+url_write_check = false
-Redirect="on"
+args_check = false
-CookieMatch="on"
+ua_check = false
-postMatch="on" 
+ua_write_check = false
-whiteModule="on" 
+cookie_check = false
-black_fileExt={"php","jsp"}
+post_check = false
 ipWhitelist={"127.0.0.1"}
 ipBlocklist={"1.0.0.1"}
 CCDeny="off"
 CCrate="100/60"
 DenySeconds="600"
 html=[[
 <html xmlns="http://www.w3.org/1999/xhtml"><head>
 <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
 <title>网站防火墙</title>
 <style>
 p {
 	line-height:20px;
 }
 ul{ list-style-type:none;}
 li{ list-style-type:none;}
 </style>
 </head>
-<body style=" padding:0; margin:0; font:14px/1.5 Microsoft Yahei, 宋体,sans-serif; color:#555;">
+black_file_ext = {"php", "jsp"}
 attack_log = false
 attach_log_dir = "/usr/local/nginx/logs/hack/"
- <div style="margin: 0 auto; width:1000px; padding-top:70px; overflow:hidden;">
+redirect = false
-  
+redirect_url = "http://www.baidu.com"
-  
+ip_white_list = {"127.0.0.1", "172.16.1.*"}
-  <div style="width:600px; float:left;">
+ip_black_list = {"1.0.0.1", "172.16.1.*"}
-    <div style=" height:40px; line-height:40px; color:#fff; font-size:16px; overflow:hidden; background:#6bb3f6; padding-left:20px;">网站防火墙 </div>
+
-    <div style="border:1px dashed #cdcece; border-top:none; font-size:14px; background:#fff; color:#555; line-height:24px; height:220px; padding:20px 20px 0 20px; overflow-y:auto;background:#f3f7f9;">
+cc_deny = false
-      <p style=" margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px;"><span style=" font-weight:600; color:#fc4f03;">您的请求带有不合法参数，已被网站管理员设置拦截！</span></p>
+cc_rate = "100/60"
-<p style=" margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px;">可能原因：您提交的内容包含危险的攻击请求</p>
+cc_deny_seconds = "600"
-<p style=" margin-top:12px; margin-bottom:12px; margin-left:0px; margin-right:0px; -qt-block-indent:1; text-indent:0px;">如何解决：</p>
+cc_redirect = false
-<ul style="margin-top: 0px; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; -qt-list-indent: 1;"><li style=" margin-top:12px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px;">1）检查提交内容；</li>
+cc_redirect_url = redirect_url
 <li style=" margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px;">2）如网站托管，请联系空间提供商；</li>
 <li style=" margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px;">3）普通网站访客，请联系网站管理员；</li></ul>
    </div>
  </div>
 </div>
 </body></html>
 ]]
--- a/init.lua
+++ b/init.lua
@ -1,133 +1,133 @@
-require 'config'
+-- require 'config'
 local match = string.match
-local ngxmatch=ngx.re.match
+local ngx_match = ngx.re.match
-local unescape=ngx.unescape_uri
+local unescape = ngx.unescape_uri
 local get_headers = ngx.req.get_headers
 local optionIsOn = function (options) return options == "on" and true or false end
 logpath = logdir 
 rulepath = RulePath
 UrlDeny = optionIsOn(UrlDeny)
 PostCheck = optionIsOn(postMatch)
 CookieCheck = optionIsOn(cookieMatch)
 WhiteCheck = optionIsOn(whiteModule)
 PathInfoFix = optionIsOn(PathInfoFix)
 attacklog = optionIsOn(attacklog)
 CCDeny = optionIsOn(CCDeny)
 Redirect=optionIsOn(Redirect)
 function getClientIp()
-        IP = ngx.req.get_headers()["X-Real-IP"]
+        IP = get_headers()["X-Real-IP"]
        if IP == nil then
-                IP  = ngx.var.remote_addr 
+            IP  = ngx.var.remote_addr
        end
        if IP == nil then
-                IP  = "unknown"
+            IP  = "unknown"
        end
        return IP
 end
-function write(logfile,msg)
+function write(logfile, msg)
-    local fd = io.open(logfile,"ab")
+    local fd = io.open(logfile, "ab")
-    if fd == nil then return end
+    if fd == nil then
        return
    end
    fd:write(msg)
    fd:flush()
    fd:close()
 end
-function log(method,url,data,ruletag)
+function log(method, url, data, tag)
-    if attacklog then
+    if attack_log then
        local realIp = getClientIp()
        local ua = ngx.var.http_user_agent
        local servername=ngx.var.server_name
        local time=ngx.localtime()
        if ua  then
-            line = realIp.." ["..time.."] \""..method.." "..servername..url.."\" \""..data.."\"  \""..ua.."\" \""..ruletag.."\"\n"
+            line = realIp.." ["..time.."] \""..method.." "..servername..url.."\" \""..data.."\"  \""..ua.."\" \""..tag.."\"\n"
        else
-            line = realIp.." ["..time.."] \""..method.." "..servername..url.."\" \""..data.."\" - \""..ruletag.."\"\n"
+            line = realIp.." ["..time.."] \""..method.." "..servername..url.."\" \""..data.."\" - \""..tag.."\"\n"
        end
        local filename = logpath..'/'..servername.."_"..ngx.today().."_sec.log"
        write(filename,line)
    end
 end
------------------------------------规则读取函数-----------------------------------------
+------------------------------------ 规则读取函数 -----------------------------------------
-function read_rule(var)
+function readRule(var)
-    file = io.open(rulepath..'/'..var,"r")
+    file = io.open(rulepath..'/'..var, "r")
-    if file==nil then
+    if file == nil then
        return
    end
    t = {}
    for line in file:lines() do
-        table.insert(t,line)
+        table.insert(t, line)
    end
    file:close()
    return(t)
 end
-urlrules=read_rule('url')
+url_rules = read_rule('url')
-argsrules=read_rule('args')
+white_url_rules = read_rule('white_url')
-uarules=read_rule('user-agent')
+args_rules = read_rule('args')
-wturlrules=read_rule('whiteurl')
+ua_rules = read_rule('user_agent')
-postrules=read_rule('post')
+post_rules = read_rule('post')
-ckrules=read_rule('cookie')
+cookie_rules = read_rule('cookie')
-function say_html()
+function debugSay(msg)
-    if Redirect then
+    if debug then
        ngx.header.content_type = "text/html"
        ngx.status = ngx.HTTP_FORBIDDEN
-        ngx.say(html)
+        ngx.say(msg)
        ngx.exit(ngx.status)
    end
 end
-function whiteurl()
+
-    if WhiteCheck then
+function whiteURLCheck()
-        if wturlrules ~=nil then
+    if white_url_rules ~= nil then
-            for _,rule in pairs(wturlrules) do
+        for _, rule in pairs(white_url_rules) do
-                if ngxmatch(ngx.var.uri,rule,"isjo") then
+            if ngx_match(ngx.var.uri, rule, "isjo") then
-                    return true 
+                return true
-                 end
+             end
            end
        end
    end
    return false
 end
-function fileExtCheck(ext)
+
 function fileExtCheck(ext, black_file_ext)
    local items = Set(black_fileExt)
-    ext=string.lower(ext)
+    ext = string.lower(ext)
    if ext then
        for rule in pairs(items) do
-            if ngx.re.match(ext,rule,"isjo") then
+            if ngx.re.match(ext, rule, "isjo") then
-	        log('POST',ngx.var.request_uri,"-","file attack with ext "..ext)
+                if attack_log then
-            say_html()
+                    log('POST',ngx.var.request_uri,"-","file attack with ext "..ext)
                end
                if debug then
                    debugSay(ngx.var.request_uri.."-".."file attack with ext: "..ext)
                end
            end
        end
    end
    return false
 end
-function Set (list)
+
-  local set = {}
+function set(list)
-  for _, l in ipairs(list) do set[l] = true end
+    local set = {}
-  return set
+    for _, l in ipairs(list) do
        set[l] = true
    end
    return set
 end
-function args()
+
-    for _,rule in pairs(argsrules) do
+function checkArgs()
    for _, rule in pairs(args_rules) do
        local args = ngx.req.get_uri_args()
        for key, val in pairs(args) do
-            if type(val)=='table' then
+            if type(val) == 'table' then
                if val ~= false then
-                    data=table.concat(val, " ")
+                    data = table.concat(val, " ")
                end
            else
-                data=val
+                data = val
            end
-            if data and type(data) ~= "boolean" and rule ~="" and ngxmatch(unescape(data),rule,"isjo") then
+            if data and type(data) ~= "boolean" and rule ~="" and ngx_match(unescape(data), rule, "isjo") then
-                log('GET',ngx.var.request_uri,"-",rule)
+                log('GET', ngx.var.request_uri, "-", rule)
-                say_html()
+                debugSay(ngx.var.request_uri.."-"..rule)
                return true
            end
        end
--- a/wafconf/user_agent
+++ b/wafconf/user_agent
--- a/wafconf/white_url
+++ b/wafconf/white_url