up

plugins/op_waf/t/bench/bench.sh

@@ -19,10 +19,11 @@ fi
 
 
 # test
-# $RUN_CMD a.lua
+# $RUN_CMD simple.lua
 # $RUN_CMD test_gsub.lua
 
 # $RUN_CMD --shdict 'limit 10m' test_find_server_name.lua
 # $RUN_CMD --stap --shdict 'limit 10m' test_find_server_name.lua
 
-$RUN_CMD  test_rand.lua
+# $RUN_CMD  test_rand.lua
+$RUN_CMD  test_ffi_time.lua

plugins/op_waf/t/bench/test_ffi_time.lua

@@ -0,0 +1,62 @@
+local function target()
+    ngx.re.find("hello, world.", [[\w+\.]], "jo")
+end
+for i = 1, 100 do
+    target()
+end
+
+-- 以上为预热操作
+collectgarbage()
+
+local ffi = require("ffi")
+ffi.cdef[[
+    struct timeval {
+        long int tv_sec;
+        long int tv_usec;
+    };
+    int gettimeofday(struct timeval *tv, void *tz);
+]];
+local tm = ffi.new("struct timeval");
+ 
+-- 返回微秒级时间戳
+local function current_time_millis()
+    ffi.C.gettimeofday(tm,nil);
+    local sec =  tonumber(tm.tv_sec);
+    local usec =  tonumber(tm.tv_usec);
+    return sec + usec * 10^-6;
+end
+
+
+ngx.update_time()
+local begin = ngx.now()
+local N = 1e7
+for i = 1, N do
+    target()
+end
+ngx.update_time()
+
+ngx.say("elapsed: ", (ngx.now() - begin) / N)
+
+
+ngx.update_time()
+local begin = ngx.now()
+local N = 1e7
+for i = 1, N do
+    target()
+end
+ngx.update_time()
+
+ngx.say("elapsed[1]: ", (ngx.now() - begin) / N)
+
+
+
+
+ngx.update_time()
+local begin = current_time_millis()
+local N = 1e7
+for i = 1, N do
+    target()
+end
+ngx.update_time()
+
+ngx.say("ffi elapsed: ", (current_time_millis() - begin) / N)

plugins/op_waf/t/index.py

@@ -122,6 +122,18 @@ def test_UA():
     print("user-agent test end")
 
 
+def test_UA_for(num):
+    '''
+    user-agent 过滤
+    '''
+    url = TEST_URL
+    print("user-agent test start")
+    for x in range(num):
+        url_val = httpGet__UA(url, 'ApacheBench')
+        print(url_val)
+    print("user-agent test end")
+
+
 def test_cdn():
     '''
     user-agent 过滤
@@ -200,14 +212,15 @@ def test_start():
     # test_OK()
     # test_Dir()
     # test_UA()
+    test_UA_for(1000)
     # test_POST()
     # test_scan()
     # test_CC()
     # test_url_ext()
-    test_cdn()
+    # test_cdn()
 
 
 if __name__ == "__main__":
-    os.system('cd /Users/midoks/Desktop/mwdev/server/mdserver-web/plugins/op_waf && sh install.sh uninstall 0.1 && sh install.sh install 0.1')
+    os.system('cd /Users/midoks/Desktop/mwdev/server/mdserver-web/plugins/op_waf && sh install.sh uninstall 0.2.2 && sh install.sh install 0.2.2')
     os.system('cd /Users/midoks/Desktop/mwdev/server/mdserver-web/ && python3 plugins/openresty/index.py stop && python3 plugins/openresty/index.py start')
     test_start()

plugins/op_waf/t/ngx_debug.sh

@@ -59,7 +59,7 @@ if [ ! -d /opt/FlameGraph ];then
 fi
  
 if [ $1 == "lua" ]; then
-    # /opt/openresty-systemtap-toolkit/ngx-sample-lua-bt -p 45266 --luajit20 -t 30 >temp.bt
+    # /opt/openresty-systemtap-toolkit/ngx-sample-lua-bt -p 377452 --luajit20 -t 30 >temp.bt
     /opt/openresty-systemtap-toolkit/ngx-sample-lua-bt -p $pid --luajit20 -t 30 >temp.bt
     # /opt/openresty-systemtap-toolkit/fix-lua-bt temp.bt >t1.bt
     /opt/openresty-systemtap-toolkit/fix-lua-bt temp.bt >${name}.bt

plugins/op_waf/waf/lua/common.lua

@@ -323,7 +323,7 @@ function _M.timer_stats_total(self)
     return self:write_file_clear(total_path,total)
 end
 
-function _M.add_log(self, name, rule)
+function _M.stats_total(self, name, rule)
     local server_name = self.params['server_name']
     local total_path = cpath .. 'total.json'
     local total = ngx.shared.waf_limit:get(total_path)
@@ -511,7 +511,7 @@ function _M.write_log(self, name, rule)
     local retry_time = config['retry']['retry_time']
     local retry_cycle = config['retry']['retry_cycle']
     
-    local count, _ = ngx.shared.waf_drop_ip:get(ip)
+    local count = ngx.shared.waf_drop_ip:get(ip)
     if count then
         ngx.shared.waf_drop_ip:incr(ip, 1)
     else
@@ -525,10 +525,10 @@ function _M.write_log(self, name, rule)
         error_rule = nil
     end
 
-    local logtmp = {ngx.localtime(), ip, method, ngx.var.request_uri, ngx.var.http_user_agent, name, rule}
-    local logstr = json.encode(logtmp) .. "\n"
-    local count,_ = ngx.shared.waf_drop_ip:get(ip)  
-    if count > retry and name ~= 'cc' then
+    local count = ngx.shared.waf_drop_ip:get(ip)
+
+    self:D("count:"..tostring(count))
+    if (count > retry) then
         local safe_count,_ = ngx.shared.waf_drop_sum:get(ip)
         if not safe_count then
             ngx.shared.waf_drop_sum:set(ip, 1, 86400)
@@ -538,71 +538,37 @@ function _M.write_log(self, name, rule)
         end
         local lock_time = retry_time * safe_count
         if lock_time > 86400 then lock_time = 86400 end
-        logtmp = {ngx.localtime(),ip,method,ngx.var.request_uri, ngx.var.http_user_agent,name,retry_cycle .. '秒以内累计超过'..retry..'次以上非法请求,封锁'.. lock_time ..'秒'}
-        logstr = logstr .. json.encode(logtmp) .. "\n"
-        ngx.shared.waf_drop_ip:set(ip,retry+1,lock_time)
-        self:write_drop_ip('inc',lock_time)
-    end
-    self:write_to_file(logstr)
-    self:add_log(name,rule)
-end
+        local logtmp = {
+            ngx.localtime(),
+            ip,
+            method,ngx.var.request_uri, 
+            ngx.var.http_user_agent, 
+            name, 
+            retry_cycle .. '秒以内累计超过'..retry..'次以上非法请求,封锁'.. lock_time ..'秒'
+        }
+        local logstr = json.encode(logtmp) .. "\n"
+        retry_times = retry + 1
+        ngx.shared.waf_drop_ip:set(ip, retry_times, lock_time)
 
-local ffi = require("ffi")
-ffi.cdef[[
-    struct timeval {
-        long int tv_sec;
-        long int tv_usec;
-    };
-    int gettimeofday(struct timeval *tv, void *tz);
-]];
-local tm = ffi.new("struct timeval");
- 
--- 返回微秒级时间戳
-function _M.current_time_millis()   
-    ffi.C.gettimeofday(tm,nil);
-    local sec =  tonumber(tm.tv_sec);
-    local usec =  tonumber(tm.tv_usec);
-    return sec + usec * 10^-6;
-end
-
-
-function _M.bench(self, waf_limit, sign, call)
-    local func_start = self.current_time_millis()
-    for i=1,waf_limit do
-        call()
+        self:write_drop_ip('inc',lock_time)
+        self:write_to_file(logstr)
+    else
+        local logtmp = {
+            ngx.localtime(),
+            ip, 
+            method, 
+            ngx.var.request_uri, 
+            ngx.var.http_user_agent, 
+            name, 
+            rule
+        }
+        local logstr = json.encode(logtmp) .. "\n"
+        self:write_to_file(logstr)
     end
-    local func_end = self.current_time_millis()
-    local cos = func_end - func_start
-
-    self:D("["..sign.."][start]:"..tostring(func_start))
-    self:D("["..sign.."][end]:"..tostring(func_end))
-    self:D("cos["..sign.."]:"..tostring(cos))
+    
+    self:stats_total(name, rule)
 end
 
--- 测试方法保留
-function _M.split_bylog_debug(self, str,reps)
-    local resultStrList = {}
-
-    self:bench(1000000, "string.gsub",function()
-        string.gsub(str,'[^'..reps..']+', function(w)
-            table.insert(resultStrList,w)
-            return w 
-        end)
-    end)
-
-    -- string.gsub(str,'[^'..reps..']+', function(w)
-    --     table.insert(resultStrList,w) 
-    -- end)
-
-    self:bench(1000000, "ngx.re.gsub" ,function()
-        ngx.re.gsub(str,'[^'..reps..']+', function(w)
-            table.insert(resultStrList,w[0])
-            return w
-        end, "ijo")
-    end)
-
-    return resultStrList
-end
 
 function _M.get_real_ip(self, server_name)
     local client_ip = "unknown"

plugins/op_waf/waf/lua/init.lua

@@ -199,9 +199,11 @@ end
 
 
 local function waf_drop()
-    local count , _ = ngx.shared.waf_drop_ip:get(ip)
+    local ip = params['ip']
+    local count = ngx.shared.waf_drop_ip:get(ip)
     if not count then return false end
-    if count > config['retry'] then
+
+    if count > config['retry']['retry'] then
         ngx.exit(config['cc']['status'])
         return true
     end
@@ -244,11 +246,8 @@ local function waf_cc()
             local lock_time = (endtime * safe_count)
             if lock_time > 86400 then lock_time = 86400 end
 
-            -- lock_time = 10
             ngx.shared.waf_drop_ip:set(ip, 1, lock_time)
-
             C:write_log('cc',cycle..'秒内累计超过'..waf_limit..'次请求,封锁' .. lock_time .. '秒')
-            C:write_drop_ip('cc',lock_time)
             ngx.exit(config['cc']['status'])
             return true
         else
@@ -410,10 +409,10 @@ local function  post_data_chekc()
 
         if not ac then return false end 
 
-        list_list=nil
+        list_list = nil
         for i,v in ipairs(ac)
         do
-             list_list='--'..v
+             list_list = '--'..v
         end
         
         if not list_list then return false end 
@@ -443,8 +442,10 @@ end
 
 
 local function X_Forwarded()
+
     if params['method'] ~= "GET" then return false end
     if not config['get']['open'] or not C:is_site_config('get') then return false end 
+
     if C:is_ngx_match(args_rules,params["request_header"]['X-forwarded-For'],'args') then
         C:write_log('args','regular')
         C:return_html(config['get']['status'],get_html)
@@ -647,8 +648,8 @@ function waf()
     if post_data_chekc() then return true end
     
     if site_config[server_name] and site_config[server_name]['open'] then
-        if X_Forwarded() then return true end
-        if post_X_Forwarded() then return true end
+        -- if X_Forwarded() then return true end
+        -- if post_X_Forwarded() then return true end
         -- url_path()
         if url_ext() then return true end
         -- url_rule_ex()