midoks
/
mdserver-web
mirror of https://github.com/midoks/mdserver-web
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
Simple Linux Panel
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
5135 Commits
8 Branches
70 Tags
40 MiB
Tag: Branch: Tree: 0fd966ca65
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '0fd966ca65'
${ noResults }
mdserver-web/plugins/op_waf/waf/lua/init.lua

629 lines
18 KiB
Raw Normal View History Unescape

update
6 years ago
local json = require "cjson"
uu
6 years ago
local ngx_match = ngx.re.find
update
6 years ago
op防火墙更新1
3 years ago
local __C = require "common"
local C = __C:new()
local waf_root = "{$WAF_ROOT}"
uu
6 years ago
op防火墙更新1
3 years ago
config = C:read_file_body_decode(waf_root.."/waf/"..'config.json')
local site_config = C:read_file_body_decode(waf_root.."/waf/"..'site.json')
uu
6 years ago
C:setConfData(config, site_config)
up
6 years ago
waf 修复
3 years ago
op防火墙更新1
3 years ago
local get_html = C:read_file_body(config["reqfile_path"] .. '/' .. config["get"]["reqfile"])
local post_html = C:read_file_body(config["reqfile_path"] .. '/' .. config["post"]["reqfile"])
local user_agent_html = C:read_file_body(config["reqfile_path"] .. '/' .. config["user-agent"]["reqfile"])
local args_rules = C:read_file_table('args')
local ip_white_rules = C:read_file('ip_white')
local ip_black_rules = C:read_file('ip_black')
local scan_black_rules = C:read_file('scan_black')
local user_agent_rules = C:read_file('user_agent')
local post_rules = C:read_file('post')
waf 修复
3 years ago
uu
6 years ago
function initParams()
local data = {}
data['ip'] = C:get_client_ip()
update
6 years ago
data['ipn'] = C:arrip(data['ip'])
uu
6 years ago
data['request_header'] = ngx.req.get_headers()
data['uri'] = ngx.unescape_uri(ngx.var.uri)
data['server_name'] = string.gsub(C:get_server_name(),'_','.')
data['uri_request_args'] = ngx.req.get_uri_args()
优化
6 years ago
data['method'] = ngx.req.get_method()
update
6 years ago
data['request_uri'] = ngx.var.request_uri
op防火墙更新1
3 years ago
data['cookie'] = ngx.var.http_cookie
uu
6 years ago
return data
end
优化
6 years ago
uu
6 years ago
local params = initParams()
C:setParams(params)
ii
6 years ago
op防火墙更新1
3 years ago
C:setDebug(true)
update
6 years ago
update
6 years ago
function get_return_state(rstate,rmsg)
result = {}
result['status'] = rstate
result['msg'] = rmsg
return result
end
function get_waf_drop_ip()
local data = ngx.shared.drop_ip:get_keys(0)
return data
end
function is_chekc_table(data,strings)
if type(data) ~= 'table' then return 1 end
if not data then return 1 end
data=chekc_ip_timeout(data)
for k,v in pairs(data)
do
if strings ==v['ip'] then
return 3
end
end
return 2
end
function save_ip_on(data)
locak_file=read_file_body(cpath2 .. 'stop_ip.lock')
if not locak_file then
C:write_file(cpath2 .. 'stop_ip.lock','1')
end
name='stop_ip'
local extime=18000
data=json.encode(data)
ngx.shared.btwaf:set(cpath2 .. name,data,extime)
if not ngx.shared.btwaf:get(cpath2 .. name .. '_lock') then
ngx.shared.btwaf:set(cpath2 .. name .. '_lock',1,0.5)
C:write_file(cpath2 .. name .. '.json',data)
end
end
op防火墙更新1
3 years ago
function remove_waf_drop_ip()
update
6 years ago
if not uri_request_args['ip'] or not C:is_ipaddr(uri_request_args['ip']) then return get_return_state(true,'格式错误') end
if ngx.shared.btwaf:get(cpath2 .. 'stop_ip') then
ret=ngx.shared.btwaf:get(cpath2 .. 'stop_ip')
ip_data=json.decode(ret)
result=is_chekc_table(ip_data,uri_request_args['ip'])
os.execute("sleep " .. 0.6)
ret2=ngx.shared.btwaf:get(cpath2 .. 'stop_ip')
ip_data2=json.decode(ret2)
if result == 3 then
for k,v in pairs(ip_data2)
do
if uri_request_args['ip'] == v['ip'] then
v['time']=0
end
end
end
save_ip_on(ip_data2)
end
ngx.shared.drop_ip:delete(uri_request_args['ip'])
return get_return_state(true,uri_request_args['ip'] .. '已解封')
end
op防火墙更新1
3 years ago
function clean_waf_drop_ip()
update
6 years ago
if ngx.shared.btwaf:get(cpath2 .. 'stop_ip') then
ret2=ngx.shared.btwaf:get(cpath2 .. 'stop_ip')
ip_data2=json.decode(ret2)
for k,v in pairs(ip_data2)
do
v['time']=0
end
save_ip_on(ip_data2)
os.execute("sleep " .. 2)
end
local data = get_btwaf_drop_ip()
for _,value in ipairs(data)
do
ngx.shared.drop_ip:delete(value)
end
return get_return_state(true,'已解封所有封锁IP')
end
function min_route()
if ngx.var.remote_addr ~= '127.0.0.1' then return false end
if uri == '/get_waf_drop_ip' then
return_message(200,get_waf_drop_ip())
elseif uri == '/remove_waf_drop_ip' then
return_message(200,remove_waf_drop_ip())
elseif uri == '/clean_waf_drop_ip' then
return_message(200,clean_waf_drop_ip())
end
end
up
6 years ago
uu
6 years ago
function waf_args()
if not config['get']['open'] or not C:is_site_config('get') then return false end
uu
6 years ago
if C:is_ngx_match(args_rules, params['uri_request_args'],'args') then
C:write_log('args','regular')
C:return_html(config['get']['status'], get_html)
优化
6 years ago
return true
end
return false
end
waf init
6 years ago
update
6 years ago
function waf_ip_white()
for _,rule in ipairs(ip_white_rules)
do
if C:compare_ip(rule) then
return true
end
end
return false
end
function waf_ip_black()
for _,rule in ipairs(ip_black_rules)
do
if C:compare_ip(rule) then
ngx.exit(config['cc']['status'])
return true
end
end
return false
end
function waf_drop()
local count,_ = ngx.shared.drop_ip:get(ip)
if not count then return false end
if count > config['retry'] then
ngx.exit(config['cc']['status'])
return true
end
return false
end
function waf_user_agent()
op防火墙更新1
3 years ago
-- user_agent 过滤
if not config['user-agent']['open'] or not C:is_site_config('user-agent') then return false end
if C:is_ngx_match_ua(user_agent_rules,params['request_header']['user-agent']) then
update
6 years ago
C:write_log('user_agent','regular')
C:return_html(config['user-agent']['status'],user_agent_html)
return true
end
return false
end
up
3 years ago
function waf_cc()
up
3 years ago
local ip = params['ip']
local request_uri = params['request_uri']
local endtime = config['cc']['endtime']
up
3 years ago
if not config['cc']['open'] or not C:is_site_config('cc') then return false end
local ip_lock = ngx.shared.drop_ip:get(ip)
if ip_lock then
if ip_lock > 0 then
ngx.exit(config['cc']['status'])
return true
end
end
up
3 years ago
local token = ngx.md5(ip .. '_' .. request_uri)
up
3 years ago
local count = ngx.shared.limit:get(token)
local limit = config['cc']['limit']
local cycle = config['cc']['cycle']
up
3 years ago
if count then
up
3 years ago
if count > limit then
local safe_count, _ = ngx.shared.drop_sum:get(ip)
up
3 years ago
if not safe_count then
ngx.shared.drop_sum:set(ip,1,86400)
safe_count = 1
else
ngx.shared.drop_sum:incr(ip,1)
end
local lock_time = (endtime * safe_count)
if lock_time > 86400 then lock_time = 86400 end
up
3 years ago
ngx.shared.drop_ip:set(ip,1,lock_time)
up
3 years ago
C:write_log('cc',cycle..'秒内累计超过'..limit..'次请求,封锁' .. lock_time .. '')
C:write_drop_ip('cc',lock_time)
up
3 years ago
Update init.lua
3 years ago
ngx.exit(config['cc']['status'])
return true
else
ngx.shared.limit:incr(token,1)
up
3 years ago
end
Update init.lua
3 years ago
else
up
3 years ago
ngx.shared.limit:set(token, 1, cycle)
Update init.lua
3 years ago
end
end
update
6 years ago
--强制验证是否使用正常浏览器访问网站
function waf_cc_increase()
if not config['cc']['open'] or not site_cc then return false end
if not site_config[server_name] then return false end
if not site_config[server_name]['cc']['increase'] then return false end
local cache_token = ngx.md5(ip .. '_' .. server_name)
--判断是否已经通过验证
if ngx.shared.btwaf:get(cache_token) then return false end
if cc_uri_white() then
ngx.shared.btwaf:delete(cache_token .. '_key')
ngx.shared.btwaf:set(cache_token,1,60)
return false
end
if security_verification() then return false end
send_check_heml(cache_token)
end
function waf_url()
if not config['get']['open'] or not C:is_site_config('get') then return false end
--正则--
if C:is_ngx_match(url_rules,params["uri"],'url') then
C:write_log('url','regular')
C:return_html(config['get']['status'],get_html)
return true
end
return false
end
function waf_scan_black()
op防火墙更新1
3 years ago
-- 扫描软件禁止
update
6 years ago
if not config['scan']['open'] or not C:is_site_config('scan') then return false end
op防火墙更新1
3 years ago
if not params["cookie"] then
if C:ngx_match_string(scan_black_rules['cookie'], tostring(params["cookie"]),'scan') then
C:write_log('scan','regular')
ngx.exit(config['scan']['status'])
return true
end
update
6 years ago
end
op防火墙更新1
3 years ago
if C:ngx_match_string(scan_black_rules['args'], params["request_uri"], 'scan') then
update
6 years ago
C:write_log('scan','regular')
ngx.exit(config['scan']['status'])
return true
end
op防火墙更新1
3 years ago
update
6 years ago
for key,value in pairs(params["request_header"])
update
6 years ago
do
op防火墙更新1
3 years ago
if C:ngx_match_string(scan_black_rules['header'], key, 'scan') then
update
6 years ago
C:write_log('scan','regular')
ngx.exit(config['scan']['status'])
return true
end
end
return false
end
function waf_post_referer()
优化
6 years ago
if params['method'] ~= "POST" then return false end
update
6 years ago
if C:is_ngx_match(referer_local, params['request_header']['Referer'],'post') then
update
6 years ago
C:write_log('post_referer','regular')
update
6 years ago
C:return_html(config['post']['status'],post_html)
update
6 years ago
return true
end
return false
end
function waf_post()
update
6 years ago
if not config['post']['open'] or not C:is_site_config('post') then return false end
优化
6 years ago
if params['method'] ~= "POST" then return false end
update
6 years ago
if waf_post_referer() then return true end
update
6 years ago
content_length = tonumber(params["request_header"]['content-length'])
update
6 years ago
max_len = 640 * 1020000
if content_length > max_len then return false end
Update init.lua
6 years ago
if C:get_boundary() then return false end
update
6 years ago
ngx.req.read_body()
request_args = ngx.req.get_post_args()
if not request_args then
return false
end
op防火墙更新1
3 years ago
for key, val in pairs(request_args) do
if type(val) == "table" then
if type(val[1]) == "boolean" then
return false
end
data = table.concat(val, ", ")
else
data = val
end
end
if C:is_ngx_match_post(post_rules,data) then
update
6 years ago
C:write_log('post','regular')
C:return_html(config['post']['status'],post_html)
return true
end
return false
end
function post_data_chekc()
优化
6 years ago
if params['method'] =="POST" then
Update init.lua
6 years ago
if C:return_post_data() then return false end
waf 修复
3 years ago
ngx.req.read_body()
update
6 years ago
request_args = ngx.req.get_post_args()
if not request_args then return false end
避免phpmyadmin无法登录
3 years ago
if request_header then
if not request_header['Content-Type'] then return false end
av = string.match(request_header['Content-Type'],"=.+")
end
update
6 years ago
if not av then return false end
避免phpmyadmin无法登录
3 years ago
ac = split(av,'=')
update
6 years ago
if not ac then return false end
避免phpmyadmin无法登录
3 years ago
update
6 years ago
list_list=nil
for i,v in ipairs(ac)
do
list_list='--'..v
end
避免phpmyadmin无法登录
3 years ago
update
6 years ago
if not list_list then return false end
op防火墙更新1
3 years ago
aaa = nil
update
6 years ago
for k,v in pairs(request_args)
do
op防火墙更新1
3 years ago
aaa = v
update
6 years ago
end
避免phpmyadmin无法登录
3 years ago
update
6 years ago
if not aaa then return false end
if tostring(aaa) == 'true' then return false end
if type(aaa) ~= "string" then return false end
data_len=split(aaa,list_list)
避免phpmyadmin无法登录
3 years ago
update
6 years ago
--return return_message(200,data_len)
if not data_len then return false end
if arrlen(data_len) ==0 then return false end
op防火墙更新1
3 years ago
if C:is_ngx_match_post(post_rules , data_len) then
优化
6 years ago
C:write_log('post','regular')
C:return_html(config['post']['status'],post_html)
update
6 years ago
return true
end
end
end
function X_Forwarded()
优化
6 years ago
if params['method'] ~= "GET" then return false end
if not config['get']['open'] or not C:is_site_config('get') then return false end
if C:is_ngx_match(args_rules,params["request_header"]['X-forwarded-For'],'args') then
update
6 years ago
C:write_log('args','regular')
C:return_html(config['get']['status'],get_html)
update
6 years ago
return true
end
return false
end
function post_X_Forwarded()
优化
6 years ago
if not config['post']['open'] or not C:is_site_config('post') then return false end
if params['method'] ~= "POST" then return false end
Update init.lua
3 years ago
if C:is_ngx_match_post(post_rules,params["request_header"]['X-forwarded-For']) then
update
6 years ago
C:write_log('post','regular')
C:return_html(config['post']['status'],post_html)
update
6 years ago
return true
end
return false
end
function php_path()
if site_config[server_name] == nil then return false end
for _,rule in ipairs(site_config[server_name]['disable_php_path'])
do
if ngx_match(uri,rule .. "/?.*\\.php$","isjo") then
优化
6 years ago
C:write_log('php_path','regular')
C:return_html(config['other']['status'],other_html)
return C:return_message(200,uri)
update
6 years ago
end
end
return false
end
function url_path()
if site_config[server_name] == nil then return false end
for _,rule in ipairs(site_config[server_name]['disable_path'])
do
if ngx_match(uri,rule,"isjo") then
优化
6 years ago
C:write_log('path','regular')
C:return_html(config['other']['status'],other_html)
update
6 years ago
return true
end
end
return false
end
function url_ext()
if site_config[server_name] == nil then return false end
for _,rule in ipairs(site_config[server_name]['disable_ext'])
do
if ngx_match(uri,"\\."..rule.."$","isjo") then
优化
6 years ago
C:write_log('url_ext','regular')
C:return_html(config['other']['status'],other_html)
update
6 years ago
return true
end
end
return false
end
function url_rule_ex()
if site_config[server_name] == nil then return false end
if method == "POST" and not request_args then
content_length=tonumber(request_header['content-length'])
max_len = 640 * 102400000
request_args = nil
if content_length < max_len then
ngx.req.read_body()
request_args = ngx.req.get_post_args()
end
end
for _,rule in ipairs(site_config[server_name]['url_rule'])
do
if ngx_match(uri,rule[1],"isjo") then
优化
6 years ago
if C:is_ngx_match(rule[2],uri_request_args,false) then
C:write_log('url_rule','regular')
C:return_html(config['other']['status'],other_html)
update
6 years ago
return true
end
优化
6 years ago
if params['method'] == "POST" and request_args ~= nil then
if C:is_ngx_match(rule[2],request_args,'post') then
C:write_log('post','regular')
C:return_html(config['other']['status'],other_html)
update
6 years ago
return true
end
end
end
end
return false
end
function url_tell()
if site_config[server_name] == nil then return false end
for _,rule in ipairs(site_config[server_name]['url_tell'])
do
if ngx_match(uri,rule[1],"isjo") then
if uri_request_args[rule[2]] ~= rule[3] then
优化
6 years ago
C:write_log('url_tell','regular')
C:return_html(config['other']['status'],other_html)
update
6 years ago
return true
end
end
end
return false
end
优化
6 years ago
function disable_upload_ext(ext)
if not ext then return false end
ext = string.lower(ext)
if is_key(site_config[server_name]['disable_upload_ext'],ext) then
C:write_log('upload_ext','上传扩展名黑名单')
C:return_html(config['other']['status'],other_html)
return true
end
end
function data_in_php(data)
if not data then
return false
else
if C:is_ngx_match('php',data,'post') then
C:write_log('upload_ext','上传扩展名黑名单')
C:return_html(config['other']['status'],other_html)
return true
else
return false
end
end
end
function post_data()
if params["method"] ~= "POST" then return false end
content_length = tonumber(params["request_header"]['content-length'])
if not content_length then return false end
max_len = 2560 * 1024000
if content_length > max_len then return false end
local boundary = C:get_boundary()
if boundary then
ngx.req.read_body()
local data = ngx.req.get_body_data()
if not data then return false end
local tmp = ngx.re.match(data,[[filename=\"(.+)\.(.*)\"]])
if not tmp then return false end
if not tmp[2] then return false end
local tmp2=ngx.re.match(ngx.req.get_body_data(),[[Content-Type:[^\+]{45}]])
--return return_message(200,tmp2[0])
disable_upload_ext(tmp[2])
if tmp2 == nil then return false end
data_in_php(tmp2[0])
end
return false
end
Update init.lua
6 years ago
function waf_cookie()
if not config['cookie']['open'] or not C:is_site_config('cookie') then return false end
if not params["request_header"]['cookie'] then return false end
if type(params["request_header"]['cookie']) ~= "string" then return false end
request_cookie = string.lower(params["request_header"]['cookie'])
if C:is_ngx_match(cookie_rules,request_cookie,'cookie') then
C:write_log('cookie','regular')
C:return_html(config['cookie']['status'],cookie_html)
return true
end
return false
end
function waf_referer()
if params["method"] ~= "GET" then return false end
if not config['get']['open'] or not C:is_site_config('get') then return false end
if C:is_ngx_match(referer_local,params["request_header"]['Referer'],'args') then
C:write_log('get_referer','regular')
C:return_html(config['get']['status'], get_html)
return true
end
return false
end
update
6 years ago
function waf()
update
6 years ago
min_route()
update
6 years ago
Update init.lua
3 years ago
-- white ip
update
6 years ago
if waf_ip_white() then return true end
Update init.lua
3 years ago
-- black ip
update
6 years ago
waf_ip_black()
up
3 years ago
-- cc setting
waf_cc()
update
6 years ago
waf_drop()
waf_user_agent()
waf_url()
Update init.lua
6 years ago
if params["method"] == "GET" then
Update init.lua
6 years ago
waf_referer()
waf_cookie()
update
6 years ago
end
Update init.lua
6 years ago
if params["method"] == "POST" then
Update init.lua
6 years ago
waf_referer()
waf_cookie()
update
6 years ago
end
uu
6 years ago
waf_args()
Update init.lua
3 years ago
op防火墙更新1
3 years ago
-- 扫描软件禁止
update
6 years ago
waf_scan_black()
update
6 years ago
waf_post()
post_data_chekc()
local server_name = params["server_name"]
if site_config[server_name] then
X_Forwarded()
post_X_Forwarded()
php_path()
url_path()
url_ext()
url_rule_ex()
url_tell()
post_data()
end
waf init
6 years ago
end
Update init.lua
6 years ago
waf()