diff --git a/plugins/op_waf/conf/luawaf.conf b/plugins/op_waf/conf/luawaf.conf index 55ab32ff9..1e196d8d9 100755 --- a/plugins/op_waf/conf/luawaf.conf +++ b/plugins/op_waf/conf/luawaf.conf @@ -1,9 +1,8 @@ -lua_shared_dict limit 30m; -lua_shared_dict drop_ip 10m; -lua_shared_dict drop_sum 10m; +lua_shared_dict waf_limit 30m; +lua_shared_dict waf_drop_ip 10m; +lua_shared_dict waf_drop_sum 10m; lua_package_path "{$WAF_PATH}/html/?.lua;{$WAF_PATH}/conf/?.lua;{$WAF_PATH}/lua/?.lua;{$ROOT_PATH}/openresty/lualib/?.lua;;"; - init_worker_by_lua_file {$WAF_PATH}/lua/init_worker.lua; access_by_lua_file {$WAF_PATH}/lua/init.lua; diff --git a/plugins/op_waf/waf/lua/common.lua b/plugins/op_waf/waf/lua/common.lua index 5616f7db5..292df94cc 100644 --- a/plugins/op_waf/waf/lua/common.lua +++ b/plugins/op_waf/waf/lua/common.lua @@ -178,7 +178,7 @@ end function _M.read_file_body(self, filename) local key = "file_config_"..filename - local fbody = ngx.shared.limit:get(key, fbody) + local fbody = ngx.shared.waf_limit:get(key, fbody) if fbody then return fbody end @@ -192,14 +192,14 @@ function _M.read_file_body(self, filename) if fbody == '' then return nil end - ngx.shared.limit:set(key,fbody) + ngx.shared.waf_limit:set(key,fbody) return fbody end function _M.read_file(self, name) f = self.rpath .. name .. '.json' local key = "read_file_"..name - local fbody = ngx.shared.limit:get(key, fbody) + local fbody = ngx.shared.waf_limit:get(key, fbody) if fbody then return fbody end @@ -209,19 +209,19 @@ function _M.read_file(self, name) end local data = json.decode(fbody) - ngx.shared.limit:set(key,data) + ngx.shared.waf_limit:set(key,data) return data end function _M.read_file_table( self, name ) local key = "read_file_table"..name - fbody = ngx.shared.limit:get(key, fbody) + fbody = ngx.shared.waf_limit:get(key, fbody) if fbody then return fbody end local data = self:select_rule(self:read_file(name)) - ngx.shared.limit:set(key,data) + ngx.shared.waf_limit:set(key,data) return data end @@ -242,8 +242,8 @@ function _M.write_file_clear(self, filename, body) end -function _M.write_drop_ip(self, is_drop, drop_time) - local filename = self.logdir .. 'drop_ip.log' +function _M.write_waf_waf_drop_ip(self, is_drop, drop_time) + local filename = self.logdir .. 'waf_waf_drop_ip.log' local fp = io.open(filename,'ab') local server_name = self.params["server_name"] @@ -304,12 +304,12 @@ end function _M.read_file_body_decode(self, name) local key = "read_file_body_decode"..name - local fbody = ngx.shared.limit:get(key, fbody) + local fbody = ngx.shared.waf_limit:get(key, fbody) if fbody then return fbody end local data = json.decode(self:read_file_body(name)) - ngx.shared.limit:set(key,data) + ngx.shared.waf_limit:set(key,data) return data end @@ -327,7 +327,7 @@ end local function timer_at_inc_log(premature) local total_path = cpath .. 'total.json' - local tbody = ngx.shared.limit:get(total_path) + local tbody = ngx.shared.waf_limit:get(total_path) if not tbody then return false end @@ -338,7 +338,7 @@ function _M.inc_log(self, name, rule) local server_name = self.params['server_name'] local total_path = self.cpath .. 'total.json' - local tbody = ngx.shared.limit:get(total_path) + local tbody = ngx.shared.waf_limit:get(total_path) if not tbody then tbody = self:read_file_body(total_path) if not tbody then return false end @@ -360,7 +360,7 @@ function _M.inc_log(self, name, rule) local total_log = json.encode(total) if not total_log then return false end - ngx.shared.limit:set(total_path,total_log) + ngx.shared.waf_limit:set(total_path,total_log) -- 异步执行 -- 现在改再init_workder.lua 定时执行 @@ -372,7 +372,7 @@ end function _M.get_server_name(self) local c_name = ngx.var.server_name - local my_name = ngx.shared.limit:get(c_name) + local my_name = ngx.shared.waf_limit:get(c_name) if my_name then return my_name end local tmp = self:read_file_body(self.cpath .. 'domains.json') if not tmp then return c_name end @@ -382,7 +382,7 @@ function _M.get_server_name(self) for _,d_name in ipairs(v['domains']) do if c_name == d_name then - ngx.shared.limit:set(c_name,v['name'],3600) + ngx.shared.waf_limit:set(c_name,v['name'],3600) return v['name'] end end @@ -526,11 +526,11 @@ function _M.write_log(self, name, rule) local retry_time = config['retry']['retry_time'] local retry_cycle = config['retry']['retry_cycle'] - local count, _ = ngx.shared.drop_ip:get(ip) + local count, _ = ngx.shared.waf_waf_drop_ip:get(ip) if count then - ngx.shared.drop_ip:incr(ip,1) + ngx.shared.waf_waf_drop_ip:incr(ip,1) else - ngx.shared.drop_ip:set(ip,1,retry_cycle) + ngx.shared.waf_waf_drop_ip:set(ip,1,retry_cycle) end if config['log'] ~= true or self:is_site_config('log') ~= true then return false end @@ -542,21 +542,21 @@ function _M.write_log(self, name, rule) local logtmp = {ngx.localtime(), ip, method, ngx.var.request_uri, ngx.var.http_user_agent, name, rule} local logstr = json.encode(logtmp) .. "\n" - local count,_ = ngx.shared.drop_ip:get(ip) + local count,_ = ngx.shared.waf_waf_drop_ip:get(ip) if count > retry and name ~= 'cc' then - local safe_count,_ = ngx.shared.drop_sum:get(ip) + local safe_count,_ = ngx.shared.waf_drop_sum:get(ip) if not safe_count then - ngx.shared.drop_sum:set(ip,1,86400) + ngx.shared.waf_drop_sum:set(ip,1,86400) safe_count = 1 else - ngx.shared.drop_sum:incr(ip,1) + ngx.shared.waf_drop_sum:incr(ip,1) end local lock_time = retry_time * safe_count if lock_time > 86400 then lock_time = 86400 end logtmp = {ngx.localtime(),ip,method,ngx.var.request_uri, ngx.var.http_user_agent,name,retry_cycle .. '秒以内累计超过'..retry..'次以上非法请求,封锁'.. lock_time ..'秒'} logstr = logstr .. json.encode(logtmp) .. "\n" - ngx.shared.drop_ip:set(ip,retry+1,lock_time) - self:write_drop_ip('inc',lock_time) + ngx.shared.waf_waf_drop_ip:set(ip,retry+1,lock_time) + self:write_waf_waf_drop_ip('inc',lock_time) end self:write_to_file(logstr) self:inc_log(name,rule) @@ -581,9 +581,9 @@ function _M.current_time_millis() end -function _M.bench(self, limit, sign, call) +function _M.bench(self, waf_limit, sign, call) local func_start = self.current_time_millis() - for i=1,limit do + for i=1,waf_limit do call() end local func_end = self.current_time_millis() diff --git a/plugins/op_waf/waf/lua/init.lua b/plugins/op_waf/waf/lua/init.lua index 0eede8d9d..0bc13fae0 100644 --- a/plugins/op_waf/waf/lua/init.lua +++ b/plugins/op_waf/waf/lua/init.lua @@ -31,14 +31,14 @@ local cookie_rules = require "rule_cookie" function get_server_name() local request_name = ngx.var.server_name - local cache_name = ngx.shared.limit:get(request_name) + local cache_name = ngx.shared.waf_limit:get(request_name) if cache_name then return cache_name end for _,v in ipairs(config_domains) do for _,cd_name in ipairs(v['domains']) do if request_name == cd_name then - ngx.shared.limit:set(cd_name,v['name'], 86400) + ngx.shared.waf_limit:set(cd_name,v['name'], 86400) return v['name'] end end @@ -65,7 +65,7 @@ end local params = initParams() C:setParams(params) -local cpu_percent = ngx.shared.limit:get("cpu_usage") +local cpu_percent = ngx.shared.waf_limit:get("cpu_usage") local function get_return_state(rstate,rmsg) result = {} @@ -74,8 +74,8 @@ local function get_return_state(rstate,rmsg) return result end -local function get_waf_drop_ip() - local data = ngx.shared.drop_ip:get_keys(0) +local function get_waf_waf_waf_drop_ip() + local data = ngx.shared.waf_waf_drop_ip:get_keys(0) return data end @@ -107,7 +107,7 @@ local function save_ip_on(data) end end -local function remove_waf_drop_ip() +local function remove_waf_waf_waf_drop_ip() if not uri_request_args['ip'] or not C:is_ipaddr(uri_request_args['ip']) then return get_return_state(true,'格式错误') end if ngx.shared.btwaf:get(cpath2 .. 'stop_ip') then ret=ngx.shared.btwaf:get(cpath2 .. 'stop_ip') @@ -126,11 +126,11 @@ local function remove_waf_drop_ip() end save_ip_on(ip_data2) end - ngx.shared.drop_ip:delete(uri_request_args['ip']) + ngx.shared.waf_waf_drop_ip:delete(uri_request_args['ip']) return get_return_state(true,uri_request_args['ip'] .. '已解封') end -local function clean_waf_drop_ip() +local function clean_waf_waf_waf_drop_ip() if ngx.shared.btwaf:get(cpath2 .. 'stop_ip') then ret2=ngx.shared.btwaf:get(cpath2 .. 'stop_ip') ip_data2=json.decode(ret2) @@ -141,22 +141,22 @@ local function clean_waf_drop_ip() save_ip_on(ip_data2) os.execute("sleep " .. 2) end - local data = get_btwaf_drop_ip() + local data = get_btwaf_waf_waf_drop_ip() for _,value in ipairs(data) do - ngx.shared.drop_ip:delete(value) + ngx.shared.waf_waf_drop_ip:delete(value) end return get_return_state(true,'已解封所有封锁IP') end local function min_route() if ngx.var.remote_addr ~= '127.0.0.1' then return false end - if uri == '/get_waf_drop_ip' then - return_message(200,get_waf_drop_ip()) - elseif uri == '/remove_waf_drop_ip' then - return_message(200,remove_waf_drop_ip()) - elseif uri == '/clean_waf_drop_ip' then - return_message(200,clean_waf_drop_ip()) + if uri == '/get_waf_waf_waf_drop_ip' then + return_message(200,get_waf_waf_waf_drop_ip()) + elseif uri == '/remove_waf_waf_waf_drop_ip' then + return_message(200,remove_waf_waf_waf_drop_ip()) + elseif uri == '/clean_waf_waf_waf_drop_ip' then + return_message(200,clean_waf_waf_waf_drop_ip()) end end @@ -217,7 +217,7 @@ end local function waf_drop() - local count , _ = ngx.shared.drop_ip:get(ip) + local count , _ = ngx.shared.waf_drop_ip:get(ip) if not count then return false end if count > config['retry'] then ngx.exit(config['cc']['status']) @@ -229,7 +229,7 @@ end local function waf_cc() local ip = params['ip'] - local ip_lock = ngx.shared.drop_ip:get(ip) + local ip_lock = ngx.shared.waf_drop_ip:get(ip) if ip_lock then if ip_lock > 0 then ngx.exit(config['cc']['status']) @@ -244,37 +244,37 @@ local function waf_cc() local endtime = config['cc']['endtime'] local token = ngx.md5(ip .. '_' .. request_uri) - local count = ngx.shared.limit:get(token) + local count = ngx.shared.waf_limit:get(token) - local limit = config['cc']['limit'] + local waf_limit = config['cc']['waf_limit'] local cycle = config['cc']['cycle'] if count then - if count > limit then + if count > waf_limit then - local safe_count, _ = ngx.shared.drop_sum:get(ip) + local safe_count, _ = ngx.shared.waf_drop_sum:get(ip) if not safe_count then - ngx.shared.drop_sum:set(ip,1,86400) + ngx.shared.waf_drop_sum:set(ip,1,86400) safe_count = 1 else - ngx.shared.drop_sum:incr(ip,1) + ngx.shared.waf_drop_sum:incr(ip,1) end local lock_time = (endtime * safe_count) if lock_time > 86400 then lock_time = 86400 end -- lock_time = 10 - ngx.shared.drop_ip:set(ip,1,lock_time) + ngx.shared.waf_waf_drop_ip:set(ip,1,lock_time) - C:write_log('cc',cycle..'秒内累计超过'..limit..'次请求,封锁' .. lock_time .. '秒') - C:write_drop_ip('cc',lock_time) + C:write_log('cc',cycle..'秒内累计超过'..waf_limit..'次请求,封锁' .. lock_time .. '秒') + C:write_waf_waf_drop_ip('cc',lock_time) ngx.exit(config['cc']['status']) return true else - ngx.shared.limit:incr(token,1) + ngx.shared.waf_limit:incr(token,1) end else - ngx.shared.drop_sum:set(ip,1,86400) - ngx.shared.limit:set(token, 1, cycle) + ngx.shared.waf_drop_sum:set(ip,1,86400) + ngx.shared.waf_limit:set(token, 1, cycle) end return false end @@ -311,13 +311,13 @@ local function waf_cc_increase() local cache_token = ngx.md5(ip .. '_' .. server_name) --判断是否已经通过验证 - if ngx.shared.limit:get(cache_token) then return false end + if ngx.shared.waf_limit:get(cache_token) then return false end local cache_rand_key = ip..':rand' - local cache_rand = ngx.shared.limit:get(cache_rand_key) + local cache_rand = ngx.shared.waf_limit:get(cache_rand_key) if not cache_rand then cache_rand = C:get_random(8) - ngx.shared.limit:set(cache_rand_key,cache_rand,30) + ngx.shared.waf_limit:set(cache_rand_key,cache_rand,30) end make_token = "waf_unbind_"..cache_rand.."_"..cache_token @@ -327,7 +327,7 @@ local function waf_cc_increase() if params['uri_request_args']['token'] then local args_token = params['uri_request_args']['token'] if args_token == make_token then - ngx.shared.limit:set(cache_token,1, config['safe_verify']['time']) + ngx.shared.waf_limit:set(cache_token,1, config['safe_verify']['time']) C:return_message(200, get_return_state(0,'ok')) end end diff --git a/plugins/op_waf/waf/lua/init_worker.lua b/plugins/op_waf/waf/lua/init_worker.lua index 70f428105..25a9b3f6f 100644 --- a/plugins/op_waf/waf/lua/init_worker.lua +++ b/plugins/op_waf/waf/lua/init_worker.lua @@ -1,4 +1,5 @@ +local json = require "cjson" local waf_root = "{$WAF_ROOT}" local cpath = waf_root.."/waf/" @@ -19,27 +20,21 @@ end local function timer_at_inc_log(premature) local total_path = cpath .. 'total.json' - local tbody = ngx.shared.limit:get(total_path) + local tbody = ngx.shared.waf_waf_limit:get(total_path) if not tbody then return false end - return write_file_clear(total_path,tbody) + return write_file_clear(total_path, tbody) end - -ngx.shared.limit:set("cpu_usage", 0, 10) - -local function excute_cmd(cmd) - local t = io.popen(cmd) - local ret = t:read("*all") - return ret -end +ngx.shared.waf_waf_limit:set("cpu_usage", 0, 10) function timer_every_get_cpu(premature) cpu_percent = 80 - ngx.shared.limit:set("cpu_usage", cpu_percent, 10) + ngx.shared.waf_waf_limit:set("cpu_usage", cpu_percent, 10) end + if 0 == ngx.worker.id() then ngx.timer.every(5, timer_every_get_cpu)