Update init.lua

pull/4/head
lj2007331@gmail.com 2018-07-23 12:01:25 +08:00
parent 1b4dc7cbd3
commit 855064926c
3 changed files with 13 additions and 8 deletions


@ -1,7 +1,12 @@
### ngx_lua_waf
ngx_lua_waf是一个基于lua-nginx-module的web应用防火墙
### 安装
### OneinStack启用ngx_lua_waf
```
~/oneinstack/addons.sh
#install ngx_lua_waf
```
### 手工安装
```
cd /root/oneinstack/src
wget http://luajit.org/download/LuaJIT-2.1.0-beta3.tar.gz #推荐2.1版本
@ -18,12 +23,12 @@ make && make install
cd ..
export LUAJIT_LIB=/usr/local/lib
export LUAJIT_INC=/usr/local/include/luajit-2.1
sed -i "s@^nginx_modules_options=.*@nginx_modules_options='--add-module=../lua-nginx-module --add-module=../ngx_devel_kit'@" options.conf
sed -i "s@^nginx_modules_options=.*@nginx_modules_options='--with-ld-opt=-Wl,-rpath,/usr/local/lib --add-module=../lua-nginx-module --add-module=../ngx_devel_kit'@" options.conf
./install.sh --nginx_option 1
cat > /usr/local/nginx/conf/waf.conf << EOF
lua_shared_dict limit 20m;
lua_package_path "/usr/local/nginx/conf/waf/?.lua";
lua_package_path "/usr/local/nginx/conf/waf/?.lua;;";
init_by_lua_file "/usr/local/nginx/conf/waf/init.lua";
access_by_lua_file "/usr/local/nginx/conf/waf/access.lua";
EOF


@ -23,7 +23,7 @@ config_cookie_check = "on"
--enable/disable cc filtering
config_cc_check = "on"
--cc rate the xxx of xxx seconds
config_cc_rate = "20/60"
config_cc_rate = "120/120"
--enable/disable post filtering
config_post_check = "on"
--config waf output redirect/html
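Review bot: The comment above `config_cc_rate` ("cc rate the xxx of xxx seconds") does not say what the two numbers mean, and the new value `"120/120"` relaxes the limit without any explanation in the commit title. Going by cc_attack_check in init.lua, the part before the slash is parsed as the request count and the part after as the number of seconds, and the counter key is the client IP plus an MD5 of host, URI and User-Agent. The change therefore moves from 20 requests per 60 seconds to 120 per 120 seconds, three times the sustained rate and presumably a much larger burst before the filter reacts. I would document the format and the reason for the new threshold, for example `--cc rate: "<max requests>/<window in seconds>", counted per client IP + URL + User-Agent`.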


@ -14,7 +14,7 @@ function white_ip_check()
if IP_WHITE_RULE ~= nil then
for _,rule in pairs(IP_WHITE_RULE) do
if rule ~= "" and rulematch(WHITE_IP,rule,"jo") then
log_record('White_IP',ngx.var_request_uri,"_","_")
--log_record('White_IP',ngx.var_request_uri,"_","_")
return true
end
end
@ -45,7 +45,7 @@ end
function white_url_check()
if config_white_url_check == "on" then
local URL_WHITE_RULES = get_rule('whiteurl')
local REQ_URI = ngx.var.request_uri
local REQ_URI = string.lower(ngx.var.request_uri)
if URL_WHITE_RULES ~= nil then
for _,rule in pairs(URL_WHITE_RULES) do
if rule ~= "" and rulematch(REQ_URI,rule,"jo") then
@ -62,7 +62,7 @@ function cc_attack_check()
local USER_AGENT = get_user_agent()
--local ATTACK_URL = ngx.var.host .. ngx.var.request_uri
local ATTACK_URL = ngx.var.host .. ngx.var.uri
local CC_TOKEN = get_client_ip() .. "." .. ngx.md5(ATTACK_URL .. USER_AGENT)
local CC_TOKEN = get_client_ip() .. "." .. ngx.md5(string.lower(ATTACK_URL) .. USER_AGENT)
local limit = ngx.shared.limit
local CCcount=tonumber(string.match(config_cc_rate,'(.*)/'))
local CCseconds=tonumber(string.match(config_cc_rate,'/(.*)'))
@ -108,7 +108,7 @@ end
function url_attack_check()
if config_url_check == "on" then
local URL_RULES = get_rule('blackurl')
local REQ_URI = ngx.var.request_uri
local REQ_URI = string.lower(ngx.var.request_uri)
for _,rule in pairs(URL_RULES) do
if rule ~="" and rulematch(REQ_URI,rule,"jo") then
log_record('Deny_URL',REQ_URI,"-",rule)
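Review bot: In the first hunk of this file (white_ip_check), commenting out the `log_record('White_IP', ...)` call means a request matching IP_WHITE_RULE now returns true without leaving any log entry, so traffic admitted through the IP whitelist has no audit trail. The disabled call passed `ngx.var_request_uri`, which is a plain field lookup on `ngx` and evaluates to nil rather than the request URI. That typo is probably why the line misbehaved and was switched off, though this is inferred because log_record is not shown here. I would keep the record and fix the argument instead: `log_record('White_IP',ngx.var.request_uri,"_","_")`. white_ip_check starts and ends outside the hunk.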