Add captcha-waf.html

2018-12-06 15:21:54 +08:00 · 2018-12-06 15:21:54 +08:00 · 4f5382bb7c
parent d9198e1812
commit 4f5382bb7c
4 changed files with 105 additions and 6 deletions
--- a/access.lua
+++ b/access.lua
@ -1,5 +1,12 @@
 require "init"
 -- captcha url
 if ngx.re.match(ngx.var.request_uri,"^/captcha-waf.html","jo") then
    ngx.header.content_type = "text/html"
    ngx.say(config_waf_captcha_html)
    ngx.exit(200)
 end
 local function waf_main()
    if black_ip_check() then
    elseif white_ip_check() then
--- a/config.lua
+++ b/config.lua
@ -23,13 +23,103 @@ config_cookie_check = "on"
 --enable/disable cc filtering
 config_cc_check = "on"
 --cc rate the xxx of xxx seconds
-config_cc_rate = "120/120"
+config_cc_rate = "60/60"
 --enable/disable post filtering
 config_post_check = "on"
 --config waf output redirect/html
 config_waf_output = "html"
 --if config_waf_output ,setting url
 config_waf_redirect_url = "/captcha"
 config_waf_captcha_html=[[
 <html>
    <head>
        <meta http-equiv="content-type" content="text/html; charset=UTF-8">
        <title data-sw-translate>Please enter verification code - OneinStack WAF</title>
        <style> body { font-family: Tahoma, Verdana, Arial, sans-serif; }
                        .head_title{margin-top:100px; font-family:"微软雅黑"; font-size:50px; font-weight:lighter;}
                        p{font-family:"微软雅黑"; font-size:16px; font-weight:lighter; color:#666666;}
                        .btn{ float:left;margin-left:15px; margin-top:5px; width:85px; height:30px; background:#56c458;font-family:"微软雅黑"; font-size:16px; color:#FFFFFF; border:0;}
                        .inp_s{ float:left; margin-left:15px; margin-top:5px; width:200px; height:30px;}
                        .yz{float:left; width:160px; height:40px;}
                        .fors{ margin:0 auto;width:500px; height:40px;}
                .form {width: 500px; margin: 2em auto;}
        </style>
    </head>
    <body>
        <div align="center">
                        <p><h1 class="head_title" data-sw-translate>Sorry...</h1></p>
                        <p data-sw-translate>Your query looks similar to an automated request from computer software. In order to protect our users, please forgive us for temporarily not processing your request.</p>
                        <p data-sw-translate>To continue accessing the webpage, please enter the characters shown below:</p>
                <div class="form">
                    <img id="captcha-img" class="yz" src="https://oneinstack.com/restapi/v1/captchas/038fb48d9f8170e9a7c67aee79106a31" alt="Captcha image"><input id="captcha-input" class="inp_s" type="text" name="response" /><input id="captcha-submit" class="btn" type="submit" data-sw-translate value="Submit" />
                </div>
        </div>
    <script src="https://cdn.bootcss.com/jquery/3.3.1/jquery.min.js"></script>
    <script>
        var url = 'https://oneinstack.com/restapi/v1/captchas'
        // 获取验证码 hash
        $.post(url).then((res) => {
                const {errno, errmsg, data} = JSON.parse(res)
                if (errno) {
                        return alert(errmsg)
                }
                // 更新验证码图片
                document.querySelector('#captcha-img').src = `${url}/${data}`
                // 提交验证码
                document.querySelector('#captcha-submit').addEventListener('click', e => {
                        $.post(`${url}/check`, {
                                key: data,
                                code: document.querySelector('#captcha-input').value,
                        }).then(res => {
                                const {errno, errmsg, data} = JSON.parse(res)
                                if (errno) {
                                        return location.reload()
                                }
                                var targetUrl = new URLSearchParams(location.search).get('continue')
                                targetUrl = atob(targetUrl)
                                location.href = targetUrl
                        })
                })
        })
        window.SwaggerTranslator = {
            _words: [],
            translate: function () {
                var $this = this;
                $('[data-sw-translate]').each(function () {
                    $(this).html($this._tryTranslate($(this).html()));
                    $(this).val($this._tryTranslate($(this).val()));
                    $(this).attr('title', $this._tryTranslate($(this).attr('title')));
                });
            },
            _tryTranslate: function (word) {
                return this._words[$.trim(word)] !== undefined ? this._words[$.trim(word)] : word;
            },
            learn: function (wordsMap) {
                this._words = wordsMap;
            }
        };
        window.SwaggerTranslator.learn({
            "Please enter verification code - OneinStack WAF": "输入验证码 - OneinStack防火墙",
            "Your query looks similar to an automated request from computer software. In order to protect our users, please forgive us for temporarily not processing your request.": "您的查询看起来类似于来自计算机软件的自动请求。为了保护我们的用户，请原谅我们现在暂时不能处理您的请求。",
            "To continue accessing the webpage, please enter the characters shown below:": "要继续访问网页，请输入下面所示字符：",
            "Sorry...": "很抱歉...",
            "Submit": "提交",
        });
        $(function () {
            window.SwaggerTranslator.translate();
        });
    </script>
    </body>
 </html>
 ]]
 config_output_html=[[
 <html xmlns="http://www.w3.org/1999/xhtml"><head>
 <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
--- a/init.lua
+++ b/init.lua
@ -14,7 +14,7 @@ function white_ip_check()
        if IP_WHITE_RULE ~= nil then
            for _,rule in pairs(IP_WHITE_RULE) do
                if rule ~= "" and rulematch(WHITE_IP,rule,"jo") then
-                    -- log_record("White_IP",ngx.var_request_uri,"_","_")
+                    -- log_record("White_IP",ngx.var.request_uri,"_","_")
                    return true
                end
            end
@ -30,7 +30,7 @@ function black_ip_check()
        if IP_BLACK_RULE ~= nil then
            for _,rule in pairs(IP_BLACK_RULE) do
                if rule ~= "" and rulematch(BLACK_IP,rule,"jo") then
-                    log_record('BlackList_IP',ngx.var_request_uri,"_","_")
+                    log_record('BlackList_IP',ngx.var.request_uri,"_","_")
                    if config_waf_enable == "on" then
                        ngx.header.content_type = "text/html"
                        ngx.say('Your IP blacklist, Please contact the administrator! ')
@ -75,10 +75,10 @@ function cc_attack_check()
        if req then
            -- write("/data/wwwlogs/info.log",CC_TOKEN .."\t".. ATTACK_URL .. "\t".. "req: " .. req .."\n")
            if req > CCcount then
-                log_record("CC_Attack",ATTACK_URL,"-","-")
+                log_record("CC_Attack",ngx.var.request_uri,"-","-")
                if config_waf_enable == "on" then
                    local source = ngx.encode_base64(ngx.var.scheme.."://"..ngx.var.host..ngx.var.request_uri)
-                    local dest = 'https://oneinstack.com/captcha.html' .. '?continue=' .. source
+                    local dest = '/captcha-waf.html' .. '?continue=' .. source
                    local CCcountcode,_ = math.modf(CCcount/2);
                    limit:set(CC_TOKEN,CCcountcode)
                    ngx.redirect(dest,302)
@ -155,6 +155,7 @@ function url_args_attack_check()
    end
    return false
 end
 -- deny user agent
 function user_agent_attack_check()
    if config_user_agent_check == "on" then
--- a/wafconf/whiteurl
+++ b/wafconf/whiteurl
@ -1,3 +1,4 @@
 \.(js|css)
-\.(gif|jpg|jpeg|png|bmp|swf|flv|mp4|ico)
+\.(gif|jpg|jpeg|png|bmp|swf|flv|mp4|ico|map)
 captcha-waf\.html
 403\.html