up

3 years ago · 0fd966ca65
parent 172dde2794
commit 0fd966ca65
7 changed files with 54 additions and 29 deletions
--- a/plugins/op_waf/conf/luawaf.conf
+++ b/plugins/op_waf/conf/luawaf.conf
@ -1,6 +1,6 @@
 lua_shared_dict limit 30m;
-lua_shared_dict drop_ip 30m;
-lua_shared_dict drop_sum 30m;
+lua_shared_dict drop_ip 10m;
+lua_shared_dict drop_sum 10m;
 lua_package_path "{$WAF_PATH}/lua/?.lua;{$ROOT_PATH}/openresty/lualib/?.lua;;";
 access_by_lua_file  {$WAF_PATH}/lua/init.lua;

--- a/plugins/op_waf/index.py
+++ b/plugins/op_waf/index.py
@ -111,7 +111,7 @@ def initSiteInfo():
            tmp['log'] = True
            tmp['get'] = True
            tmp['post'] = True
-            tmp['open'] = False
+            tmp['open'] = True

            tmp['cc'] = config_contents['cc']
            tmp['retry'] = config_contents['retry']
--- a/plugins/op_waf/t/cc.py
+++ b/plugins/op_waf/t/cc.py
@ -1,7 +0,0 @@
-# coding:utf-8
-
-import sys
-import io
-import os
-import time
-import json
--- a/plugins/op_waf/t/index.py
+++ b/plugins/op_waf/t/index.py
@ -20,6 +20,7 @@ from random import Random


 TEST_URL = "http://t1.cn/"
+# TEST_URL = "https://www.zzzvps.com/"


 def httpGet(url, timeout=10):
@ -131,11 +132,26 @@ def test_scan():
    print("scan test end")


+def test_CC():
+    '''
+    目录保存
+    '''
+    url = TEST_URL + 'ok.txt'
+    print("CC test start")
+
+    for x in range(122):
+        url_val = httpGet(url, 10)
+        print(url_val)
+
+    print("CC test end")
+
+
 def test_start():
-    test_Dir()
-    test_UA()
-    test_POST()
-    test_scan()
+    # test_Dir()
+    # test_UA()
+    # test_POST()
+    # test_scan()
+    test_CC()


 if __name__ == "__main__":
--- a/plugins/op_waf/waf/config.json
+++ b/plugins/op_waf/waf/config.json
@ -1 +1 @@
-{"reqfile_path": "{$WAF_PATH}/html", "retry": {"retry_time": 180, "is_open_global": 0, "retry": 6, "retry_cycle": 60}, "log": true, "scan": {"status": 444, "ps": "\u8fc7\u6ee4\u5e38\u89c1\u626b\u63cf\u6d4b\u8bd5\u5de5\u5177\u7684\u6e17\u900f\u6d4b\u8bd5", "open": true, "reqfile": ""}, "cc": {"status": 444, "ps": "\u8fc7\u8651CC\u653b\u51fb", "limit": 120, "endtime": 300, "open": true, "reqfile": "", "cycle": 60}, "get": {"status": 403, "ps": "\u8fc7\u6ee4uri\u3001uri\u53c2\u6570\u4e2d\u5e38\u89c1sql\u6ce8\u5165\u3001xss\u7b49\u653b\u51fb", "open": true, "reqfile": "get.html"}, "log_save": 30, "user-agent": {"status": 403, "ps": "\u901a\u5e38\u7528\u4e8e\u8fc7\u6ee4\u6d4f\u89c8\u5668\u3001\u8718\u86db\u53ca\u4e00\u4e9b\u81ea\u52a8\u626b\u63cf\u5668", "open": true, "reqfile": "user_agent.html"}, "other": {"status": 403, "ps": "\u5176\u5b83\u975e\u901a\u7528\u8fc7\u6ee4", "reqfile": "other.html"}, "cookie": {"status": 403, "ps": "\u8fc7\u6ee4\u5229\u7528Cookie\u53d1\u8d77\u7684\u6e17\u900f\u653b\u51fb", "open": true, "reqfile": "cookie.html"}, "logs_path": "/www/wwwlogs/btwaf", "post": {"status": 403, "ps": "\u8fc7\u6ee4POST\u53c2\u6570\u4e2d\u5e38\u89c1sql\u6ce8\u5165\u3001xss\u7b49\u653b\u51fb", "open": true, "reqfile": "post.html"}, "open": true}
+{"reqfile_path": "{$WAF_PATH}/html", "retry": {"retry_time": 180, "is_open_global": 0, "retry": 6, "retry_cycle": 60}, "log": true, "scan": {"status": 444, "ps": "\u8fc7\u6ee4\u5e38\u89c1\u626b\u63cf\u6d4b\u8bd5\u5de5\u5177\u7684\u6e17\u900f\u6d4b\u8bd5", "open": true, "reqfile": ""}, "cc": {"status": 444, "ps": "\u8fc7\u8651CC\u653b\u51fb", "limit": 120, "endtime": 300, "open": true, "reqfile": "", "cycle": 60}, "get": {"status": 403, "ps": "\u8fc7\u6ee4uri\u3001uri\u53c2\u6570\u4e2d\u5e38\u89c1sql\u6ce8\u5165\u3001xss\u7b49\u653b\u51fb", "open": true, "reqfile": "get.html"}, "log_save": 30, "user-agent": {"status": 403, "ps": "\u901a\u5e38\u7528\u4e8e\u8fc7\u6ee4\u6d4f\u89c8\u5668\u3001\u8718\u86db\u53ca\u4e00\u4e9b\u81ea\u52a8\u626b\u63cf\u5668", "open": true, "reqfile": "user_agent.html"}, "other": {"status": 403, "ps": "\u5176\u5b83\u975e\u901a\u7528\u8fc7\u6ee4", "reqfile": "other.html"}, "cookie": {"status": 403, "ps": "\u8fc7\u6ee4\u5229\u7528Cookie\u53d1\u8d77\u7684\u6e17\u900f\u653b\u51fb", "open": true, "reqfile": "cookie.html"}, "logs_path": "/www/wwwlogs/waf", "post": {"status": 403, "ps": "\u8fc7\u6ee4POST\u53c2\u6570\u4e2d\u5e38\u89c1sql\u6ce8\u5165\u3001xss\u7b49\u653b\u51fb", "open": true, "reqfile": "post.html"}, "open": true}
--- a/plugins/op_waf/waf/lua/common.lua
+++ b/plugins/op_waf/waf/lua/common.lua
@ -208,7 +208,8 @@ end


 function _M.write_drop_ip(self, is_drop, drop_time)
-    local filename = self.cpath .. 'drop_ip.log'
+    local filename = self.logdir .. 'drop_ip.log'
+
    local fp = io.open(filename,'ab')
    local server_name = self.params["server_name"]
    local ip = self.params["server_name"]
@ -378,6 +379,7 @@ end


 function _M.ngx_match_string(self, rules, content,sign)
+
    local t = self:is_ngx_match_orgin(rules, content, sign)
    if t then
        return true
--- a/plugins/op_waf/waf/lua/init.lua
+++ b/plugins/op_waf/waf/lua/init.lua
@ -191,17 +191,31 @@ function waf_user_agent()
    return false
 end

-function cc()
+function waf_cc()
    local ip = params['ip']
    local request_uri = params['request_uri']
    local endtime = config['cc']['endtime']

-    if not config['cc']['open'] or not site_cc then return false end
+    if not config['cc']['open'] or not C:is_site_config('cc') then return false end
+
+    local ip_lock = ngx.shared.drop_ip:get(ip)
+    if ip_lock then
+        if ip_lock > 0 then
+            ngx.exit(config['cc']['status'])
+            return true
+        end
+    end
+
    local token = ngx.md5(ip .. '_' .. request_uri)
-    local count,_ = ngx.shared.limit:get(token)
+    local count = ngx.shared.limit:get(token)
+
+    local limit = config['cc']['limit']
+    local cycle = config['cc']['cycle']
+
    if count then
-        if count > limit then
-            local safe_count,_ = ngx.shared.drop_sum:get(ip)
+        if count > limit then 
+
+            local safe_count, _ = ngx.shared.drop_sum:get(ip)
            if not safe_count then
                ngx.shared.drop_sum:set(ip,1,86400)
                safe_count = 1
@ -210,22 +224,19 @@ function cc()
            end
            local lock_time = (endtime * safe_count)
            if lock_time > 86400 then lock_time = 86400 end
-            ngx.shared.drop_ip:set(ip,retry+1,lock_time)
+
+            ngx.shared.drop_ip:set(ip,1,lock_time)
+
            C:write_log('cc',cycle..'秒内累计超过'..limit..'次请求,封锁' .. lock_time .. '秒')
            C:write_drop_ip('cc',lock_time)
-            if not server_name then
-                insert_ip_list(ip,lock_time,os.time(),'1111')
-            else
-                insert_ip_list(ip,lock_time,os.time(),server_name)
-            end
-            
+
            ngx.exit(config['cc']['status'])
            return true
        else
            ngx.shared.limit:incr(token,1)
        end
    else
-        ngx.shared.limit:set(token,1,cycle)
+        ngx.shared.limit:set(token, 1, cycle)
    end
 end

@ -575,6 +586,9 @@ function waf()
    -- black ip
    waf_ip_black()

+    -- cc setting
+    waf_cc()
+

    waf_drop()
    waf_user_agent()