demo

plugins/op_waf/index.py

@@ -107,7 +107,7 @@ def initSiteInfo():
             site_contents_new[name] = site_contents[name]
         else:
             tmp = {}
-            tmp['cdn'] = False
+            tmp['cdn'] = True
             tmp['log'] = True
             tmp['get'] = True
             tmp['post'] = True

plugins/op_waf/t/index.py

@@ -48,6 +48,19 @@ def httpGet__UA(url, ua, timeout=10):
         return str(e)
 
 
+def httpGet__cdn(url, ip, timeout=10):
+    import urllib.request
+    headers = {'x-forwarded-for': ip}
+    try:
+        req = urllib.request.Request(url, headers=headers)
+        response = urllib.request.urlopen(req)
+        result = response.read().decode('utf-8')
+        return result
+
+    except Exception as e:
+        return str(e)
+
+
 def httpPost(url, data, timeout=10):
     """
     发送POST请求
@@ -109,6 +122,17 @@ def test_UA():
     print("user-agent test end")
 
 
+def test_cdn():
+    '''
+    user-agent 过滤
+    '''
+    url = TEST_URL
+    print("cdn test start")
+    url_val = httpGet__cdn(url, '2409:8a62:e20:95f0:45b7:233e:f003:c0ab')
+    print(url_val)
+    print("cdn test end")
+
+
 def test_POST():
     '''
     user-agent 过滤
@@ -165,6 +189,7 @@ def test_start():
     # test_scan()
     # test_CC()
     test_url_ext()
+    # test_cdn()
 
 
 if __name__ == "__main__":

plugins/op_waf/waf/lua/common.lua

@@ -255,7 +255,7 @@ function _M.array_len(self, arr)
 end
 
 function _M.is_ipaddr(self, client_ip)
-    local cipn = split(client_ip,'.')
+    local cipn = self:split_bylog(client_ip,'.')
     if self:array_len(cipn) < 4 then return false end
     for _,v in ipairs({1,2,3,4})
     do
@@ -515,59 +515,38 @@ function _M.write_log(self, name, rule)
     self:inc_log(name,rule)
 end
 
+function _M.split_bylog(self,str,reps )
+    local resultStrList = {}
+    string.gsub(str,'[^'..reps..']+',function(w) table.insert(resultStrList,w) end)
+    return resultStrList
+end
+
 
 function _M.get_real_ip(self, server_name)
     local client_ip = "unknown"
-    self:D("client_ip[0]:"..client_ip)
     if self.site_config[server_name] then
         if self.site_config[server_name]['cdn'] then
             local request_header = ngx.req.get_headers()
-            self:D("ipheader[rr]:"..self:to_json(request_header))
             for _,v in ipairs(self.site_config[server_name]['cdn_header'])
             do
-                self:D("client_ip[for]:"..tostring(request_header[v]))
                 if request_header[v] ~= nil and request_header[v] ~= "" then
                     local header_tmp = request_header[v]
                     if type(header_tmp) == "table" then header_tmp = header_tmp[1] end
-                    client_ip = split(header_tmp,',')[1]
+                    client_ip = self:split_bylog(header_tmp,',')[1]
                     break;
                 end
             end 
         end
     end
 
-    self:D("client_ip[cf]:"..client_ip)
-    if string.match(client_ip,"%d+%.%d+%.%d+%.%d+") == nil or not self:is_ipaddr(client_ip) then
-        client_ip = ngx.var.remote_addr
-        self:D("client_ip[2]:"..client_ip)
-        if client_ip == nil then
-            client_ip = "unknown"
-        end
+    -- ipv6
+    if type(client_ip) == 'table' then client_ip = "" end
+    if client_ip ~= "unknown" and string.match(client_ip,"^[%w:]+$") then
+        return client_ip
     end
 
-    self:D("client_ip:"..client_ip)
-    return client_ip
-end
-
-function _M.get_client_ip(self)
-    local client_ip = "unknown"
-    local server_name = self.params['server_name']
-    if self.site_config[server_name] then
-        if self.site_config[server_name]['cdn'] then
-            request_header = self.params["request_header"]
-            for _,v in ipairs(self.site_config[server_name]['cdn_header'])
-            do
-                -- C:D("vv:"..v..tostring(request_header[v]))
-                if request_header[v] ~= nil and request_header[v] ~= "" then
-                    local header_tmp = request_header[v]
-                    if type(header_tmp) == "table" then header_tmp = header_tmp[1] end
-                    client_ip = split(header_tmp,',')[1]
-                    break;
-                end
-            end 
-        end
-    end
-    if string.match(client_ip,"%d+%.%d+%.%d+%.%d+") == nil or not self:is_ipaddr(client_ip) then
+    -- ipv4
+    if  string.match(client_ip,"%d+%.%d+%.%d+%.%d+") == nil or not self:is_ipaddr(client_ip) then
         client_ip = ngx.var.remote_addr
         if client_ip == nil then
             client_ip = "unknown"

plugins/op_waf/waf/lua/init.lua

@@ -27,13 +27,9 @@ local cookie_rules = C:read_file('cookie')
 local server_name = string.gsub(C:get_server_name(),'_','.')
 
 
-C:D("server_name:"..server_name)
-C:D("ipheader:".. C:to_json(ngx.req.get_headers()))
-
 function initParams()
     local data = {}
     data['server_name'] = server_name
-    C:D("server_name:init")
     data['ip'] = C:get_real_ip(server_name)
     data['ipn'] = C:arrip(data['ip'])
     data['request_header'] = ngx.req.get_headers()
@@ -48,10 +44,6 @@ end
 local params = initParams()
 C:setParams(params)
 
-
-
-C:D("ip demo:".. params['ip'])
-
 function get_return_state(rstate,rmsg)
     result = {}
     result['status'] = rstate
@@ -61,9 +53,6 @@ end
 
 function get_waf_drop_ip()
     local data =  ngx.shared.drop_ip:get_keys(0)
-
-    C:D("[get_waf_drop_ip]data:"..data)
-
     return data
 end