From 3d366ee774f603444db5003693a0e2ad33b997ad Mon Sep 17 00:00:00 2001
From: midoks
Date: Thu, 20 Oct 2022 23:40:28 +0800
Subject: [PATCH] up
---
 plugins/op_waf/conf/init.sql | 3 +-
 plugins/op_waf/index.py | 4 +-
 plugins/op_waf/t/index.py | 8 ++--
 plugins/op_waf/t/test.sh | 2 +-
 plugins/op_waf/waf/lua/common.lua | 72 ++++++++++++++++++++-----------
 plugins/op_waf/waf/lua/init.lua | 13 ++++--
 6 files changed, 65 insertions(+), 37 deletions(-)
diff --git a/plugins/op_waf/conf/init.sql b/plugins/op_waf/conf/init.sql
index b0f0be0c7..cbd63c62f 100644
--- a/plugins/op_waf/conf/init.sql
+++ b/plugins/op_waf/conf/init.sql
@@ -3,7 +3,7 @@ PRAGMA page_size = 4096;
 PRAGMA journal_mode = wal;
 PRAGMA journal_size_limit = 1073741824;
-CREATE TABLE IF NOT EXISTS `waf_history` (
+CREATE TABLE IF NOT EXISTS `logs` (
 `time` INTEGER,
 `ip` TEXT,
 `domain` TEXT,
@@ -11,5 +11,6 @@ CREATE TABLE IF NOT EXISTS `waf_history` (
 `method` TEXT,
 `status_code` INTEGER,
 `uri` TEXT,
+ `rule_name` TEXT,
 `reason` TEXT
 );
diff --git a/plugins/op_waf/index.py b/plugins/op_waf/index.py
index 822ca3c8c..c0b25df1e 100755
--- a/plugins/op_waf/index.py
+++ b/plugins/op_waf/index.py
@@ -72,7 +72,7 @@ def getConf():
 return path
-def pSqliteDb(dbname='waf_history'):
+def pSqliteDb(dbname='logs'):
 name = "waf"
 db_dir = getServerDir() + '/logs/'
@@ -261,7 +261,7 @@ def autoMakeLuaConfSingle(file):
 def autoMakeLuaImportSingle(file):
 path = getServerDir() + "/waf/" + file + ".json"
- to_path = getServerDir() + "/waf/conf/" + file + ".lua"
+ to_path = getServerDir() + "/waf/conf/waf_" + file + ".lua"
 content = mw.readFile(path)
 # print(content)
 content = json.loads(content)
diff --git a/plugins/op_waf/t/index.py b/plugins/op_waf/t/index.py
index 6b5d006dd..59f21996c 100644
--- a/plugins/op_waf/t/index.py
+++ b/plugins/op_waf/t/index.py
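Review bot: Existing installs end up with a fresh, empty `logs` table next to their old `waf_history` rows, because the table is renamed and `rule_name` is added inside the same `CREATE TABLE IF NOT EXISTS` and nothing in the commit moves or drops the old data (`pSqliteDb` in index.py now defaults to `logs`, so the old rows are presumably no longer read). If the history is worth keeping, add a one-off `INSERT INTO logs(time, ip, domain, server_name, method, status_code, uri, reason) SELECT time, ip, domain, server_name, method, status_code, uri, reason FROM waf_history` in the same script; otherwise `DROP TABLE IF EXISTS waf_history;` so the database file does not carry dead data around.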
@@ -211,16 +211,16 @@ def test_OK():
 def test_start():
 # test_OK()
 # test_Dir()
- # test_UA()
+ test_UA()
 # test_UA_for(1000)
 # test_POST()
 # test_scan()
- test_CC()
+ # test_CC()
 # test_url_ext()
 # test_cdn()
 if __name__ == "__main__":
- os.system('cd /Users/midoks/Desktop/mwdev/server/mdserver-web/plugins/op_waf && sh install.sh uninstall 0.2.2 && sh install.sh install 0.2.2')
- os.system('cd /Users/midoks/Desktop/mwdev/server/mdserver-web/ && python3 plugins/openresty/index.py stop && python3 plugins/openresty/index.py start')
+ # os.system('cd /Users/midoks/Desktop/mwdev/server/mdserver-web/plugins/op_waf && sh install.sh uninstall 0.2.2 && sh install.sh install 0.2.2')
+ # os.system('cd /Users/midoks/Desktop/mwdev/server/mdserver-web/ && python3 plugins/openresty/index.py stop && python3 plugins/openresty/index.py start')
 test_start()
diff --git a/plugins/op_waf/t/test.sh b/plugins/op_waf/t/test.sh
index ce5c8a777..9bd875bf5 100755
--- a/plugins/op_waf/t/test.sh
+++ b/plugins/op_waf/t/test.sh
@@ -5,7 +5,7 @@ export PATH
 # apt -y install apache2-utils
 # yum -y install httpd-tools
-# ab -c 30 -n 10000000 http://www.zzzvps.com/
+# ab -c 3000 -n 10000000 http://www.zzzvps.com/
 # /cc https://www.zzzvps.com/ 120
 # ab -c 10 -n 1000 http://t1.cn/wp-admin/index.php
 # ab -c 1000 -n 1000000 http://dev156.cachecha.com/
diff --git a/plugins/op_waf/waf/lua/common.lua b/plugins/op_waf/waf/lua/common.lua
index 4ffa7aac0..c7d8a07c8 100644
--- a/plugins/op_waf/waf/lua/common.lua
+++ b/plugins/op_waf/waf/lua/common.lua
@@ -10,7 +10,7 @@ local debug_mode = false
 local waf_root = "{$WAF_ROOT}"
 local cpath = waf_root.."/waf/"
-local logdir = waf_root.."/logs/"
+local log_dir = waf_root.."/logs/"
 local rpath = cpath.."/rule/"
 function _M.new(self)
@@ -19,7 +19,7 @@ function _M.new(self)
 waf_root = waf_root,
 cpath = cpath,
 rpath = rpath,
- logdir = logdir,
+ logdir = log_dir,
 config = '',
 site_config = '',
 server_name = '',
@@ -34,7 +34,6 @@ end
 function _M.getInstance(self)
 if rawget(self, "instance") == nil then
 rawset(self, "instance", self.new())
- self.initDB()
 end
 assert(self.instance ~= nil)
 return self.instance
@@ -63,6 +62,40 @@ function _M.initDB(self)
 return db
 end
+function _M.log(self, args, rule_name, reason)
+ local local_db = self:initDB()
+ local stmt2 = local_db:prepare[[INSERT INTO logs(time, ip, domain, server_name, method, status_code, uri, rule_name,reason)
+ VALUES(:time, :ip, :domain, :server_name, :method, :status_code, :uri, :rule_name, :reason)]]
+
+ local_db:exec([[BEGIN TRANSACTION]])
+
+ stmt2:bind_names{
+ time=args['time'],
+ ip=args['ip'],
+ domain=args['server_name'],
+ server_name=args['server_name'],
+ method=args['method'],
+ status_code=args['status_code'],
+ uri=args['request_uri'],
+ rule_name=rule_name,
+ reason=reason
+ }
+
+ local res, err = stmt2:step()
+ self:D("LOG[1]:"..tostring(res)..":"..tostring(err))
+ if tostring(res) == "5" then
+ self.D("waf the step database connection is busy, so it will be stored later.")
+ return false
+ end
+ stmt2:reset()
+
+ local res, err = local_db:execute([[COMMIT]])
+
+ self:D("LOG[2]:"..tostring(res)..":"..tostring(err))
+ if local_db and local_db:isopen() then
+ local_db:close()
+ end
+end
 function _M.setDebug(self, mode)
 debug_mode = mode
 end
@@ -517,8 +550,10 @@ end
 function _M.write_log(self, name, rule)
 local config = self.config
+ local params = self.params
- local ip = self.params['ip']
+ local ip = params['ip']
+ local ngx_time = ngx.time()
 local retry = config['retry']['retry']
 local retry_time = config['retry']['retry_time']
@@ -532,7 +567,7 @@ function _M.write_log(self, name, rule)
 end
 if config['log'] ~= true or self:is_site_config('log') ~= true then return false end
- local method = self.params['method']
+ local method = params['method']
 if error_rule then
 rule = error_rule
 error_rule = nil
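Review bot: In the busy branch of `_M.log` the debug helper is called as `self.D(...)` while every other call in the function uses `self:D(...)`, so the message string is passed as `self`; the same branch returns with the `BEGIN TRANSACTION` still pending, `stmt2` never finalized and `local_db` never closed, so each request that meets a busy database leaks an open connection with an open transaction. The message says the row "will be stored later" but nothing in this commit retries it, and because `getInstance` no longer calls `initDB` (hunk `@@ -34`) every call now opens its own connection, which under the `ab -c 3000` load in test.sh makes busy results likely — either set a busy timeout in `initDB` (outside this hunk) or accept, and state, that blocked requests under contention go unlogged. The second `local res, err` shadows the first and the COMMIT should use `exec` to match the BEGIN call; comparing `res` against the lsqlite3 `DONE` constant instead of `tostring(res) == "5"` would also catch failures other than busy. `domain` and `server_name` are both bound to `args['server_name']`, so the `domain` column never carries anything distinct — confirm whether `ngx.var.host` was meant. The rewritten tail of the function follows.
```lua
function _M.log(self, args, rule_name, reason)
    local local_db = self:initDB()
    -- … unchanged: prepare stmt2, BEGIN TRANSACTION, bind_names{...} …
    local res, err = stmt2:step()
    self:D("LOG[1]:"..tostring(res)..":"..tostring(err))
    if tostring(res) == "5" then
        -- SQLITE_BUSY: release the statement, undo the open transaction and
        -- close the connection before giving up; otherwise every blocked
        -- request leaks a handle with BEGIN still pending
        self:D("waf the step database connection is busy, the entry is dropped.")
        stmt2:finalize()
        local_db:exec([[ROLLBACK]])
        local_db:close()
        return false
    end
    stmt2:finalize()

    local commit_res, commit_err = local_db:exec([[COMMIT]])
    self:D("LOG[2]:"..tostring(commit_res)..":"..tostring(commit_err))
    if local_db:isopen() then
        local_db:close()
    end
    return true
end
```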
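Review bot: `local ngx_time = ngx.time()` is added to `write_log` but not used anywhere in this hunk; `write_log` continues outside it, so if it is unused there as well luacheck will flag it and the line should go. If it was meant to timestamp the log row, `initParams` already stores `ngx.time()` in `params['time']` on the same request, so `_M.log` can read that field and the extra local is redundant either way.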
@@ -550,30 +585,15 @@ function _M.write_log(self, name, rule)
 end
 local lock_time = retry_time * safe_count
 if lock_time > 86400 then lock_time = 86400 end
- local logtmp = {
- ngx.localtime(),
- ip,
- method,ngx.var.request_uri,
- ngx.var.http_user_agent,
- name,
- retry_cycle .. '秒以内累计超过'..retry..'次以上非法请求,封锁'.. lock_time ..'秒'
- }
- local logstr = json.encode(logtmp) .. "\n"
+
 retry_times = retry + 1
 ngx.shared.waf_drop_ip:set(ip, retry_times, lock_time)
- self:write_to_file(logstr)
+
+ local reason = retry_cycle .. '秒以内累计超过'..retry..'次以上非法请求,封锁'.. lock_time ..'秒'
+ self:log(params, name, reason)
 else
- local logtmp = {
- ngx.localtime(),
- ip,
- method,
- ngx.var.request_uri,
- ngx.var.http_user_agent,
- name,
- rule
- }
- local logstr = json.encode(logtmp) .. "\n"
- self:write_to_file(logstr)
+
+ self:log(params, name, rule)
 end
 self:stats_total(name, rule)
diff --git a/plugins/op_waf/waf/lua/init.lua b/plugins/op_waf/waf/lua/init.lua
index 10957f173..0e2408256 100644
--- a/plugins/op_waf/waf/lua/init.lua
+++ b/plugins/op_waf/waf/lua/init.lua
@@ -4,9 +4,11 @@ local ngx_match = ngx.re.find
 local __C = require "common"
 local C = __C:getInstance()
-local config = require "config"
-local site_config = require "site"
-local config_domains = require "domains"
+local config = require "waf_config"
+local site_config = require "waf_site"
+local config_domains = require "waf_domains"
+
+-- C:D("config:"..C:to_json(config))
 C:setConfData(config, site_config)
 C:setDebug(true)
@@ -39,7 +41,9 @@ local function initParams()
 data['uri_request_args'] = ngx.req.get_uri_args()
 data['method'] = ngx.req.get_method()
 data['request_uri'] = ngx.var.request_uri
+ data['status_code'] = ngx.status
 data['cookie'] = ngx.var.http_cookie
+ data['time'] = ngx.time()
 return data
 end
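Review bot: The client User-Agent no longer reaches the log: both removed `logtmp` tables carried `ngx.var.http_user_agent`, and the new `logs` table (init.sql hunk) has no column for it, so the database rows written through `self:log` lose a field the old file log had — if that is deliberate it belongs in the commit message, otherwise add a `user_agent` column, capture it in `initParams` and bind it in `_M.log`. The return value of `self:log(...)` is ignored in both branches, so a busy database silently drops the entry after the IP has already been put into `waf_drop_ip`; at minimum surface it, e.g. `if not self:log(params, name, reason) then ngx.log(ngx.WARN, "waf: log entry dropped for "..ip) end`. `params` is the `self.params` captured at the top of `write_log`, which starts outside this hunk.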
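Review bot: `data['status_code'] = ngx.status` in `initParams` records the status at the moment the params table is built; if this runs in the access phase before any rule has decided the response (the `C:setParams(params)` call right after it suggests so), `ngx.status` is still 0 and every row in `logs` will carry 0 rather than the code the block actually returned. Either read `ngx.status` when `_M.log` inserts the row, after the rule has set the block status, or pass the status explicitly from `write_log`. `data['time'] = ngx.time()` is fine; `initParams` starts outside this hunk.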
@@ -47,6 +51,9 @@ local params = initParams()
 C:setParams(params)
 local cpu_percent = ngx.shared.waf_limit:get("cpu_usage")
+if not cpu_percent then
+ cpu_percent = 0
+end
 local function get_return_state(rstate,rmsg)
 result = {}
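Review bot: The three-line nil guard is the idiomatic `or` default in Lua: `local cpu_percent = ngx.shared.waf_limit:get("cpu_usage") or 0` behaves identically (a missing key yields nil, which `or` maps to 0). Bear in mind that `get` also returns nil once the key has expired, so this fallback reads a stale or absent sample as 0% load until the next refresh; if whatever consumes `cpu_percent` further down is a load-based protection, a missing sample should probably not be treated as idle — confirm against the consumer, which is outside this hunk.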