Add captcha-waf.html

2018-12-06 15:21:54 +08:00 · 2018-12-06 15:21:54 +08:00 · 4f5382bb7c
parent d9198e1812
commit 4f5382bb7c
4 changed files with 105 additions and 6 deletions
--- a/access.lua
+++ b/access.lua
@ -1,5 +1,12 @@
 require "init"

+-- captcha url
+if ngx.re.match(ngx.var.request_uri,"^/captcha-waf.html","jo") then
+    ngx.header.content_type = "text/html"
+    ngx.say(config_waf_captcha_html)
+    ngx.exit(200)
+end
+
 local function waf_main()
    if black_ip_check() then
    elseif white_ip_check() then
--- a/config.lua
+++ b/config.lua
@ -23,13 +23,103 @@ config_cookie_check = "on"
 --enable/disable cc filtering
 config_cc_check = "on"
 --cc rate the xxx of xxx seconds
-config_cc_rate = "120/120"
+config_cc_rate = "60/60"
 --enable/disable post filtering
 config_post_check = "on"
 --config waf output redirect/html
 config_waf_output = "html"
 --if config_waf_output ,setting url
 config_waf_redirect_url = "/captcha"
+config_waf_captcha_html=[[
+<html>
+    <head>
+        <meta http-equiv="content-type" content="text/html; charset=UTF-8">
+        <title data-sw-translate>Please enter verification code - OneinStack WAF</title>
+        <style> body { font-family: Tahoma, Verdana, Arial, sans-serif; }
+                        .head_title{margin-top:100px; font-family:"微软雅黑"; font-size:50px; font-weight:lighter;}
+                        p{font-family:"微软雅黑"; font-size:16px; font-weight:lighter; color:#666666;}
+                        .btn{ float:left;margin-left:15px; margin-top:5px; width:85px; height:30px; background:#56c458;font-family:"微软雅黑"; font-size:16px; color:#FFFFFF; border:0;}
+                        .inp_s{ float:left; margin-left:15px; margin-top:5px; width:200px; height:30px;}
+                        .yz{float:left; width:160px; height:40px;}
+                        .fors{ margin:0 auto;width:500px; height:40px;}
+                .form {width: 500px; margin: 2em auto;}
+        </style>
+    </head>
+    <body>
+        <div align="center">
+                        <p><h1 class="head_title" data-sw-translate>Sorry...</h1></p>
+                        <p data-sw-translate>Your query looks similar to an automated request from computer software. In order to protect our users, please forgive us for temporarily not processing your request.</p>
+                        <p data-sw-translate>To continue accessing the webpage, please enter the characters shown below:</p>
+                <div class="form">
+                    <img id="captcha-img" class="yz" src="https://oneinstack.com/restapi/v1/captchas/038fb48d9f8170e9a7c67aee79106a31" alt="Captcha image"><input id="captcha-input" class="inp_s" type="text" name="response" /><input id="captcha-submit" class="btn" type="submit" data-sw-translate value="Submit" />
+                </div>
+        </div>
+    <script src="https://cdn.bootcss.com/jquery/3.3.1/jquery.min.js"></script>
+    <script>
+        var url = 'https://oneinstack.com/restapi/v1/captchas'
+        // 获取验证码 hash
+        $.post(url).then((res) => {
+                const {errno, errmsg, data} = JSON.parse(res)
+                if (errno) {
+                        return alert(errmsg)
+                }
+
+                // 更新验证码图片
+                document.querySelector('#captcha-img').src = `${url}/${data}`
+
+                // 提交验证码
+                document.querySelector('#captcha-submit').addEventListener('click', e => {
+                        $.post(`${url}/check`, {
+                                key: data,
+                                code: document.querySelector('#captcha-input').value,
+                        }).then(res => {
+                                const {errno, errmsg, data} = JSON.parse(res)
+                                if (errno) {
+                                        return location.reload()
+                                }
+
+                                var targetUrl = new URLSearchParams(location.search).get('continue')
+                                targetUrl = atob(targetUrl)
+                                location.href = targetUrl
+                        })
+                })
+        })
+
+        window.SwaggerTranslator = {
+            _words: [],
+            translate: function () {
+                var $this = this;
+                $('[data-sw-translate]').each(function () {
+                    $(this).html($this._tryTranslate($(this).html()));
+                    $(this).val($this._tryTranslate($(this).val()));
+                    $(this).attr('title', $this._tryTranslate($(this).attr('title')));
+                });
+            },
+
+            _tryTranslate: function (word) {
+                return this._words[$.trim(word)] !== undefined ? this._words[$.trim(word)] : word;
+            },
+
+            learn: function (wordsMap) {
+                this._words = wordsMap;
+            }
+        };
+
+        window.SwaggerTranslator.learn({
+            "Please enter verification code - OneinStack WAF": "输入验证码 - OneinStack防火墙",
+            "Your query looks similar to an automated request from computer software. In order to protect our users, please forgive us for temporarily not processing your request.": "您的查询看起来类似于来自计算机软件的自动请求。为了保护我们的用户，请原谅我们现在暂时不能处理您的请求。",
+            "To continue accessing the webpage, please enter the characters shown below:": "要继续访问网页，请输入下面所示字符：",
+            "Sorry...": "很抱歉...",
+            "Submit": "提交",
+        });
+
+        $(function () {
+            window.SwaggerTranslator.translate();
+        });
+    </script>
+    </body>
+</html>
+]]
 config_output_html=[[
 <html xmlns="http://www.w3.org/1999/xhtml"><head>
 <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
--- a/init.lua
+++ b/init.lua
@ -14,7 +14,7 @@ function white_ip_check()
        if IP_WHITE_RULE ~= nil then
            for _,rule in pairs(IP_WHITE_RULE) do
                if rule ~= "" and rulematch(WHITE_IP,rule,"jo") then
-                    -- log_record("White_IP",ngx.var_request_uri,"_","_")
+                    -- log_record("White_IP",ngx.var.request_uri,"_","_")
                    return true
                end
            end
@ -30,7 +30,7 @@ function black_ip_check()
        if IP_BLACK_RULE ~= nil then
            for _,rule in pairs(IP_BLACK_RULE) do
                if rule ~= "" and rulematch(BLACK_IP,rule,"jo") then
-                    log_record('BlackList_IP',ngx.var_request_uri,"_","_")
+                    log_record('BlackList_IP',ngx.var.request_uri,"_","_")
                    if config_waf_enable == "on" then
                        ngx.header.content_type = "text/html"
                        ngx.say('Your IP blacklist, Please contact the administrator! ')
@ -75,10 +75,10 @@ function cc_attack_check()
        if req then
            -- write("/data/wwwlogs/info.log",CC_TOKEN .."\t".. ATTACK_URL .. "\t".. "req: " .. req .."\n")
            if req > CCcount then
-                log_record("CC_Attack",ATTACK_URL,"-","-")
+                log_record("CC_Attack",ngx.var.request_uri,"-","-")
                if config_waf_enable == "on" then
                    local source = ngx.encode_base64(ngx.var.scheme.."://"..ngx.var.host..ngx.var.request_uri)
-                    local dest = 'https://oneinstack.com/captcha.html' .. '?continue=' .. source
+                    local dest = '/captcha-waf.html' .. '?continue=' .. source
                    local CCcountcode,_ = math.modf(CCcount/2);
                    limit:set(CC_TOKEN,CCcountcode)
                    ngx.redirect(dest,302)
@ -155,6 +155,7 @@ function url_args_attack_check()
    end
    return false
 end
+
 -- deny user agent
 function user_agent_attack_check()
    if config_user_agent_check == "on" then
--- a/wafconf/whiteurl
+++ b/wafconf/whiteurl
@ -1,3 +1,4 @@
 \.(js|css)
-\.(gif|jpg|jpeg|png|bmp|swf|flv|mp4|ico)
+\.(gif|jpg|jpeg|png|bmp|swf|flv|mp4|ico|map)
+captcha-waf\.html
 403\.html