|
|
|
@ -21,6 +21,7 @@ local ip_black_rules = C:read_file('ip_black') |
|
|
|
local scan_black_rules = C:read_file('scan_black') |
|
|
|
local scan_black_rules = C:read_file('scan_black') |
|
|
|
local user_agent_rules = C:read_file('user_agent') |
|
|
|
local user_agent_rules = C:read_file('user_agent') |
|
|
|
local post_rules = C:read_file('post') |
|
|
|
local post_rules = C:read_file('post') |
|
|
|
|
|
|
|
local cookie_rules = C:read_file('cookie') |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
function initParams() |
|
|
|
function initParams() |
|
|
|
@ -88,15 +89,15 @@ function remove_waf_drop_ip() |
|
|
|
if ngx.shared.btwaf:get(cpath2 .. 'stop_ip') then |
|
|
|
if ngx.shared.btwaf:get(cpath2 .. 'stop_ip') then |
|
|
|
ret=ngx.shared.btwaf:get(cpath2 .. 'stop_ip') |
|
|
|
ret=ngx.shared.btwaf:get(cpath2 .. 'stop_ip') |
|
|
|
ip_data=json.decode(ret) |
|
|
|
ip_data=json.decode(ret) |
|
|
|
result=is_chekc_table(ip_data,uri_request_args['ip']) |
|
|
|
result = is_chekc_table(ip_data,uri_request_args['ip']) |
|
|
|
os.execute("sleep " .. 0.6) |
|
|
|
os.execute("sleep " .. 0.6) |
|
|
|
ret2=ngx.shared.btwaf:get(cpath2 .. 'stop_ip') |
|
|
|
ret2=ngx.shared.btwaf:get(cpath2 .. 'stop_ip') |
|
|
|
ip_data2=json.decode(ret2) |
|
|
|
ip_data2 = json.decode(ret2) |
|
|
|
if result == 3 then |
|
|
|
if result == 3 then |
|
|
|
for k,v in pairs(ip_data2) |
|
|
|
for k,v in pairs(ip_data2) |
|
|
|
do |
|
|
|
do |
|
|
|
if uri_request_args['ip'] == v['ip'] then |
|
|
|
if uri_request_args['ip'] == v['ip'] then |
|
|
|
v['time']=0 |
|
|
|
v['time'] = 0 |
|
|
|
end |
|
|
|
end |
|
|
|
end |
|
|
|
end |
|
|
|
end |
|
|
|
end |
|
|
|
@ -126,7 +127,7 @@ function clean_waf_drop_ip() |
|
|
|
end |
|
|
|
end |
|
|
|
|
|
|
|
|
|
|
|
function min_route() |
|
|
|
function min_route() |
|
|
|
if ngx.var.remote_addr ~= '127.0.0.1' then return false end |
|
|
|
-- if ngx.var.remote_addr ~= '127.0.0.1' then return false end |
|
|
|
if uri == '/get_waf_drop_ip' then |
|
|
|
if uri == '/get_waf_drop_ip' then |
|
|
|
return_message(200,get_waf_drop_ip()) |
|
|
|
return_message(200,get_waf_drop_ip()) |
|
|
|
elseif uri == '/remove_waf_drop_ip' then |
|
|
|
elseif uri == '/remove_waf_drop_ip' then |
|
|
|
@ -136,7 +137,7 @@ function min_route() |
|
|
|
end |
|
|
|
end |
|
|
|
end |
|
|
|
end |
|
|
|
|
|
|
|
|
|
|
|
function waf_args() |
|
|
|
function waf_get_args() |
|
|
|
if not config['get']['open'] or not C:is_site_config('get') then return false end |
|
|
|
if not config['get']['open'] or not C:is_site_config('get') then return false end |
|
|
|
if C:is_ngx_match(args_rules, params['uri_request_args'],'args') then |
|
|
|
if C:is_ngx_match(args_rules, params['uri_request_args'],'args') then |
|
|
|
C:write_log('args','regular') |
|
|
|
C:write_log('args','regular') |
|
|
|
@ -169,17 +170,6 @@ function waf_ip_black() |
|
|
|
end |
|
|
|
end |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
function waf_drop() |
|
|
|
|
|
|
|
local count,_ = ngx.shared.drop_ip:get(ip) |
|
|
|
|
|
|
|
if not count then return false end |
|
|
|
|
|
|
|
if count > config['retry'] then |
|
|
|
|
|
|
|
ngx.exit(config['cc']['status']) |
|
|
|
|
|
|
|
return true |
|
|
|
|
|
|
|
end |
|
|
|
|
|
|
|
return false |
|
|
|
|
|
|
|
end |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
function waf_user_agent() |
|
|
|
function waf_user_agent() |
|
|
|
-- user_agent 过滤 |
|
|
|
-- user_agent 过滤 |
|
|
|
if not config['user-agent']['open'] or not C:is_site_config('user-agent') then return false end |
|
|
|
if not config['user-agent']['open'] or not C:is_site_config('user-agent') then return false end |
|
|
|
@ -191,12 +181,19 @@ function waf_user_agent() |
|
|
|
return false |
|
|
|
return false |
|
|
|
end |
|
|
|
end |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
function waf_drop() |
|
|
|
|
|
|
|
local count , _ = ngx.shared.drop_ip:get(ip) |
|
|
|
|
|
|
|
if not count then return false end |
|
|
|
|
|
|
|
if count > config['retry'] then |
|
|
|
|
|
|
|
ngx.exit(config['cc']['status']) |
|
|
|
|
|
|
|
return true |
|
|
|
|
|
|
|
end |
|
|
|
|
|
|
|
return false |
|
|
|
|
|
|
|
end |
|
|
|
|
|
|
|
|
|
|
|
function waf_cc() |
|
|
|
function waf_cc() |
|
|
|
local ip = params['ip'] |
|
|
|
local ip = params['ip'] |
|
|
|
local request_uri = params['request_uri'] |
|
|
|
|
|
|
|
local endtime = config['cc']['endtime'] |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
if not config['cc']['open'] or not C:is_site_config('cc') then return false end |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
local ip_lock = ngx.shared.drop_ip:get(ip) |
|
|
|
local ip_lock = ngx.shared.drop_ip:get(ip) |
|
|
|
if ip_lock then |
|
|
|
if ip_lock then |
|
|
|
@ -206,6 +203,12 @@ function waf_cc() |
|
|
|
end |
|
|
|
end |
|
|
|
end |
|
|
|
end |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
if not config['cc']['open'] or not C:is_site_config('cc') then return false end |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
local request_uri = params['request_uri'] |
|
|
|
|
|
|
|
local endtime = config['cc']['endtime'] |
|
|
|
|
|
|
|
|
|
|
|
local token = ngx.md5(ip .. '_' .. request_uri) |
|
|
|
local token = ngx.md5(ip .. '_' .. request_uri) |
|
|
|
local count = ngx.shared.limit:get(token) |
|
|
|
local count = ngx.shared.limit:get(token) |
|
|
|
|
|
|
|
|
|
|
|
@ -225,19 +228,21 @@ function waf_cc() |
|
|
|
local lock_time = (endtime * safe_count) |
|
|
|
local lock_time = (endtime * safe_count) |
|
|
|
if lock_time > 86400 then lock_time = 86400 end |
|
|
|
if lock_time > 86400 then lock_time = 86400 end |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
-- lock_time = 10 |
|
|
|
ngx.shared.drop_ip:set(ip,1,lock_time) |
|
|
|
ngx.shared.drop_ip:set(ip,1,lock_time) |
|
|
|
|
|
|
|
|
|
|
|
C:write_log('cc',cycle..'秒内累计超过'..limit..'次请求,封锁' .. lock_time .. '秒') |
|
|
|
C:write_log('cc',cycle..'秒内累计超过'..limit..'次请求,封锁' .. lock_time .. '秒') |
|
|
|
C:write_drop_ip('cc',lock_time) |
|
|
|
C:write_drop_ip('cc',lock_time) |
|
|
|
|
|
|
|
|
|
|
|
ngx.exit(config['cc']['status']) |
|
|
|
ngx.exit(config['cc']['status']) |
|
|
|
return true |
|
|
|
return true |
|
|
|
else |
|
|
|
else |
|
|
|
ngx.shared.limit:incr(token,1) |
|
|
|
ngx.shared.limit:incr(token,1) |
|
|
|
end |
|
|
|
end |
|
|
|
else |
|
|
|
else |
|
|
|
|
|
|
|
ngx.shared.drop_sum:set(ip,1,86400) |
|
|
|
ngx.shared.limit:set(token, 1, cycle) |
|
|
|
ngx.shared.limit:set(token, 1, cycle) |
|
|
|
end |
|
|
|
end |
|
|
|
|
|
|
|
return false |
|
|
|
end |
|
|
|
end |
|
|
|
|
|
|
|
|
|
|
|
--强制验证是否使用正常浏览器访问网站 |
|
|
|
--强制验证是否使用正常浏览器访问网站 |
|
|
|
@ -299,16 +304,6 @@ function waf_scan_black() |
|
|
|
return false |
|
|
|
return false |
|
|
|
end |
|
|
|
end |
|
|
|
|
|
|
|
|
|
|
|
function waf_post_referer() |
|
|
|
|
|
|
|
if params['method'] ~= "POST" then return false end |
|
|
|
|
|
|
|
if C:is_ngx_match(referer_local, params['request_header']['Referer'],'post') then |
|
|
|
|
|
|
|
C:write_log('post_referer','regular') |
|
|
|
|
|
|
|
C:return_html(config['post']['status'],post_html) |
|
|
|
|
|
|
|
return true |
|
|
|
|
|
|
|
end |
|
|
|
|
|
|
|
return false |
|
|
|
|
|
|
|
end |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
function waf_post() |
|
|
|
function waf_post() |
|
|
|
if not config['post']['open'] or not C:is_site_config('post') then return false end |
|
|
|
if not config['post']['open'] or not C:is_site_config('post') then return false end |
|
|
|
if params['method'] ~= "POST" then return false end |
|
|
|
if params['method'] ~= "POST" then return false end |
|
|
|
@ -566,16 +561,6 @@ function waf_cookie() |
|
|
|
return false |
|
|
|
return false |
|
|
|
end |
|
|
|
end |
|
|
|
|
|
|
|
|
|
|
|
function waf_referer() |
|
|
|
|
|
|
|
if params["method"] ~= "GET" then return false end |
|
|
|
|
|
|
|
if not config['get']['open'] or not C:is_site_config('get') then return false end |
|
|
|
|
|
|
|
if C:is_ngx_match(referer_local,params["request_header"]['Referer'],'args') then |
|
|
|
|
|
|
|
C:write_log('get_referer','regular') |
|
|
|
|
|
|
|
C:return_html(config['get']['status'], get_html) |
|
|
|
|
|
|
|
return true |
|
|
|
|
|
|
|
end |
|
|
|
|
|
|
|
return false |
|
|
|
|
|
|
|
end |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
function waf() |
|
|
|
function waf() |
|
|
|
min_route() |
|
|
|
min_route() |
|
|
|
@ -584,28 +569,23 @@ function waf() |
|
|
|
if waf_ip_white() then return true end |
|
|
|
if waf_ip_white() then return true end |
|
|
|
|
|
|
|
|
|
|
|
-- black ip |
|
|
|
-- black ip |
|
|
|
waf_ip_black() |
|
|
|
if waf_ip_black() then return true end |
|
|
|
|
|
|
|
|
|
|
|
-- cc setting |
|
|
|
|
|
|
|
waf_cc() |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
waf_drop() |
|
|
|
-- cc setting |
|
|
|
waf_user_agent() |
|
|
|
if waf_drop() then return true end |
|
|
|
|
|
|
|
if waf_cc() then return true end |
|
|
|
waf_url() |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
if params["method"] == "GET" then |
|
|
|
|
|
|
|
waf_referer() |
|
|
|
|
|
|
|
waf_cookie() |
|
|
|
|
|
|
|
end |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
if params["method"] == "POST" then |
|
|
|
-- ua check |
|
|
|
waf_referer() |
|
|
|
if waf_user_agent() then return true end |
|
|
|
waf_cookie() |
|
|
|
if waf_url() then return true end |
|
|
|
end |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
waf_args() |
|
|
|
-- cookie检查 |
|
|
|
|
|
|
|
waf_cookie() |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
-- args参数拦截 |
|
|
|
|
|
|
|
waf_get_args() |
|
|
|
|
|
|
|
|
|
|
|
-- 扫描软件禁止 |
|
|
|
-- 扫描软件禁止 |
|
|
|
waf_scan_black() |
|
|
|
waf_scan_black() |
|
|
|
|
