up

6 years ago · 59dfad1ca2
parent 35204badf8
commit 59dfad1ca2
5 changed files with 363 additions and 0 deletions
--- a/plugins/op_firewall/ico.png
+++ b/plugins/op_firewall/ico.png
--- a/plugins/op_firewall/index.html
+++ b/plugins/op_firewall/index.html
@ -0,0 +1,17 @@
+<div class="bt-form">
+	<div class="bt-w-main">
+		<div class="bt-w-menu">
+			<p class="bgw" onclick="orPluginService('op_firewall');">服务</p>
+			<p onclick="pluginInitD('op_firewall');">自启动</p>
+			<p onclick="pluginConfig('op_firewall');">配置修改</p>
+			<!-- <p onclick="pluginLogs('op_firewall');">错误日志</p> -->
+		</div>
+		<div class="bt-w-con pd15">
+			<div class="soft-man-con"></div>
+		</div>
+	</div>
+
+</div>
+<script type="text/javascript">
+$.getScript( "/plugins/file?name=openrop_firewallesty&f=js/op_firewall.js");
+</script>
--- a/plugins/op_firewall/index.py
+++ b/plugins/op_firewall/index.py
@ -0,0 +1,299 @@
+# coding:utf-8
+
+import sys
+import io
+import os
+import time
+import subprocess
+
+sys.path.append(os.getcwd() + "/class/core")
+import public
+
+
+app_debug = False
+
+if public.isAppleSystem():
+    app_debug = True
+
+
+def getPluginName():
+    return 'op_firewall'
+
+
+def getPluginDir():
+    return public.getPluginDir() + '/' + getPluginName()
+
+
+def getServerDir():
+    return public.getServerDir() + '/' + getPluginName()
+
+
+def getInitDFile():
+    if app_debug:
+        return '/tmp/' + getPluginName()
+    return '/etc/init.d/' + getPluginName()
+
+
+def getArgs():
+    args = sys.argv[2:]
+    tmp = {}
+    args_len = len(args)
+
+    if args_len == 1:
+        t = args[0].strip('{').strip('}')
+        t = t.split(':')
+        tmp[t[0]] = t[1]
+    elif args_len > 1:
+        for i in range(len(args)):
+            t = args[i].split(':')
+            tmp[t[0]] = t[1]
+
+    return tmp
+
+
+def clearTemp():
+    path_bin = getServerDir() + "/nginx"
+    public.execShell('rm -rf ' + path_bin + '/client_body_temp')
+    public.execShell('rm -rf ' + path_bin + '/fastcgi_temp')
+    public.execShell('rm -rf ' + path_bin + '/proxy_temp')
+    public.execShell('rm -rf ' + path_bin + '/scgi_temp')
+    public.execShell('rm -rf ' + path_bin + '/uwsgi_temp')
+
+
+def getConf():
+    path = getServerDir() + "/nginx/conf/nginx.conf"
+    return path
+
+
+def getConfTpl():
+    path = getPluginDir() + '/conf/nginx.conf'
+    return path
+
+
+def getOs():
+    data = {}
+    data['os'] = public.getOs()
+    ng_exe_bin = getServerDir() + "/nginx/sbin/nginx"
+    if checkAuthEq(ng_exe_bin, 'root'):
+        data['auth'] = True
+    else:
+        data['auth'] = False
+    return public.getJson(data)
+
+
+def getInitDTpl():
+    path = getPluginDir() + "/init.d/nginx.tpl"
+    return path
+
+
+def makeConf():
+    vhost = getServerDir() + '/nginx/conf/vhost'
+    if not os.path.exists(vhost):
+        os.mkdir(vhost)
+    php_status = getServerDir() + '/nginx/conf/php_status'
+    if not os.path.exists(php_status):
+        os.mkdir(php_status)
+
+
+def getFileOwner(filename):
+    import pwd
+    stat = os.lstat(filename)
+    uid = stat.st_uid
+    pw = pwd.getpwuid(uid)
+    return pw.pw_name
+
+
+def checkAuthEq(file, owner='root'):
+    fowner = getFileOwner(file)
+    if (fowner == owner):
+        return True
+    return False
+
+
+def confReplace():
+    service_path = os.path.dirname(os.getcwd())
+    content = public.readFile(getConfTpl())
+    content = content.replace('{$SERVER_PATH}', service_path)
+
+    user = 'www'
+    user_group = 'www'
+
+    if public.getOs() == 'darwin':
+        # macosx do
+        user = public.execShell(
+            "who | sed -n '2, 1p' |awk '{print $1}'")[0].strip()
+        # user = 'root'
+        user_group = 'staff'
+        content = content.replace('{$EVENT_MODEL}', 'kqueue')
+    else:
+        content = content.replace('{$EVENT_MODEL}', 'epoll')
+
+    content = content.replace('{$OS_USER}', user)
+    content = content.replace('{$OS_USER_GROUP}', user_group)
+
+    public.writeFile(getServerDir() + '/nginx/conf/nginx.conf', content)
+
+    # give nginx root permission
+    ng_exe_bin = getServerDir() + "/nginx/sbin/nginx"
+    if not checkAuthEq(ng_exe_bin, 'root'):
+        args = getArgs()
+        sudoPwd = args['pwd']
+        cmd_own = 'chown -R ' + 'root:' + user_group + ' ' + ng_exe_bin
+        os.system('echo %s|sudo -S %s' % (sudoPwd, cmd_own))
+        cmd_mod = 'chmod 755 ' + ng_exe_bin
+        os.system('echo %s|sudo -S %s' % (sudoPwd, cmd_mod))
+        cmd_s = 'chmod u+s ' + ng_exe_bin
+        os.system('echo %s|sudo -S %s' % (sudoPwd, cmd_s))
+
+
+def initDreplace():
+
+    file_tpl = getInitDTpl()
+    service_path = os.path.dirname(os.getcwd())
+
+    initD_path = getServerDir() + '/init.d'
+    if not os.path.exists(initD_path):
+        os.mkdir(initD_path)
+    file_bin = initD_path + '/' + getPluginName()
+
+    # initd replace
+    content = public.readFile(file_tpl)
+    content = content.replace('{$SERVER_PATH}', service_path)
+    public.writeFile(file_bin, content)
+    public.execShell('chmod +x ' + file_bin)
+
+    # config replace
+    confReplace()
+
+    # make nginx vhost or other
+    makeConf()
+
+    return file_bin
+
+
+def status():
+    data = public.execShell(
+        "ps -ef|grep nginx |grep -v grep | grep -v python | awk '{print $2}'")
+    if data[0] == '':
+        return 'stop'
+    return 'start'
+
+
+def start():
+    file = initDreplace()
+    data = public.execShell(file + ' start')
+    if data[1] == '':
+        return 'ok'
+    return data[1]
+
+
+def stop():
+    file = initDreplace()
+    data = public.execShell(file + ' stop')
+    clearTemp()
+    if data[1] == '':
+        return 'ok'
+    return data[1]
+
+
+def restart():
+    file = initDreplace()
+    data = public.execShell(file + ' restart')
+    if data[1] == '':
+        return 'ok'
+    return data[1]
+
+
+def reload():
+    file = initDreplace()
+    data = public.execShell(file + ' reload')
+    if data[1] == '':
+        return 'ok'
+    return data[1]
+
+
+def initdStatus():
+    if not app_debug:
+        if public.isAppleSystem():
+            return "Apple Computer does not support"
+    initd_bin = getInitDFile()
+    if os.path.exists(initd_bin):
+        return 'ok'
+    return 'fail'
+
+
+def initdInstall():
+    import shutil
+    if not app_debug:
+        if public.isAppleSystem():
+            return "Apple Computer does not support"
+
+    source_bin = initDreplace()
+    initd_bin = getInitDFile()
+    shutil.copyfile(source_bin, initd_bin)
+    public.execShell('chmod +x ' + initd_bin)
+    public.execShell('chkconfig --add ' + getPluginName())
+    return 'ok'
+
+
+def initdUinstall():
+    if not app_debug:
+        if public.isAppleSystem():
+            return "Apple Computer does not support"
+
+    public.execShell('chkconfig --del ' + getPluginName())
+    initd_bin = getInitDFile()
+    os.remove(initd_bin)
+    return 'ok'
+
+
+def runInfo():
+    # 取Openresty负载状态
+    try:
+        result = public.httpGet('http://127.0.0.1/nginx_status')
+        tmp = result.split()
+        data = {}
+        data['active'] = tmp[2]
+        data['accepts'] = tmp[9]
+        data['handled'] = tmp[7]
+        data['requests'] = tmp[8]
+        data['Reading'] = tmp[11]
+        data['Writing'] = tmp[13]
+        data['Waiting'] = tmp[15]
+        return public.getJson(data)
+    except Exception as e:
+        return 'oprenresty not started'
+
+
+def errorLogPath():
+    return getServerDir() + '/nginx/logs/error.log'
+
+
+if __name__ == "__main__":
+    func = sys.argv[1]
+    if func == 'status':
+        print status()
+    elif func == 'start':
+        print start()
+    elif func == 'stop':
+        print stop()
+    elif func == 'restart':
+        print restart()
+    elif func == 'reload':
+        print reload()
+    elif func == 'initd_status':
+        print initdStatus()
+    elif func == 'initd_install':
+        print initdInstall()
+    elif func == 'initd_uninstall':
+        print initdUinstall()
+    elif func == 'conf':
+        print getConf()
+    elif func == 'get_os':
+        print getOs()
+    elif func == 'run_info':
+        print runInfo()
+    elif func == 'error_log':
+        print errorLogPath()
+    else:
+        print 'error'
--- a/plugins/op_firewall/info.json
+++ b/plugins/op_firewall/info.json
@ -0,0 +1,15 @@
+{
+	"title":"OP防火墙[dev]",
+	"tip":"soft",
+	"name":"op_firewall",
+	"type":"其他插件",
+	"ps":"有效防止sql注入/xss/一句话木马等常见渗透攻击",
+	"shell":"install.sh",
+	"checks":"server/op_firewall",
+	"path":"server/op_firewall",
+	"author":"loveshell",
+	"home":"https://github.com/loveshell/ngx_lua_waf",
+	"date":"2019-04-21",
+	"pid": "1",
+	"versions": ["0.1"]
+}
--- a/plugins/op_firewall/install.sh
+++ b/plugins/op_firewall/install.sh
@ -0,0 +1,32 @@
+#!/bin/bash
+PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin:~/bin
+export PATH
+
+curPath=`pwd`
+rootPath=$(dirname "$curPath")
+rootPath=$(dirname "$rootPath")
+serverPath=$(dirname "$rootPath")
+
+
+action=$1
+type=$2
+
+if id www &> /dev/null ;then 
+    echo "www UID is `id -u www`"
+    echo "www Shell is `grep "^www:" /etc/passwd |cut -d':' -f7 `"
+else
+    groupadd www
+	useradd -g www -s /sbin/nologin www
+fi
+
+if [ "${2}" == "" ];then
+	echo '缺少安装脚本...' > $install_tmp
+	exit 0
+fi 
+
+if [ ! -d $curPath/versions/$2 ];then
+	echo '缺少安装脚本2...' > $install_tmp
+	exit 0
+fi
+
+sh -x $curPath/versions/$2/install.sh $1