midoks
/
mdserver-web
mirror of https://github.com/midoks/mdserver-web
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

优化

Browse Source
pull/109/head
Mr Chen 6 years ago
parent 34f8ef702d
commit ccee062c80
3 changed files with 138 additions and 18 deletions
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Show Stats Download Patch File Download Diff File
  1. 3
      plugins/op_waf/index.py
  2. 151
      plugins/op_waf/waf/lua/init.lua
  3. 2
      plugins/op_waf/waf/site.json

3
plugins/op_waf/index.py
Unescape View File

@ -135,8 +135,7 @@ def stop():
def restart():
stop()
start()
public.restartWeb()
return 'ok'

151
plugins/op_waf/waf/lua/init.lua
Unescape View File

@ -1,5 +1,5 @@
local cpath = "{$WAF_PATH}/"
local logdir = "{$ROOT_PATH}/wwwlogs/waf/"
local cpath = "/Users/midoks/Desktop/fwww/server/openresty/nginx/conf/waf/"
local logdir = "/Users/midoks/Desktop/fwww/wwwlogs/waf/"
local json = require "cjson"
function return_message(status,msg)
@ -31,20 +31,141 @@ function read_file_body(filename)
end
-- local config = read_file_body(cpath .. 'config.json')
local config = json.decode(read_file_body(cpath .. 'config.json'))
-- local site_config = json.decode(read_file_body(cpath .. 'site.json'))
-- function args()
-- if not config['get']['open'] or not is_site_config('get') then return false end
-- if is_ngx_match(args_rules,uri_request_args,'args') then
-- write_log('args','regular')
-- return_html(config['get']['status'],get_html)
-- return true
-- end
-- return false
-- end
local site_config = json.decode(read_file_body(cpath .. 'site.json'))
function is_ngx_match(rules,sbody,rule_name)
if rules == nil or sbody == nil then return false end
if type(sbody) == "string" then
sbody = {sbody}
end
if type(rules) == "string" then
rules = {rules}
end
for k,body in pairs(sbody)
do
if continue_key(k) then
for i,rule in ipairs(rules)
do
if site_config[server_name] and rule_name then
local n = i - 1
for _,j in ipairs(site_config[server_name]['disable_rule'][rule_name])
do
if n == j then
rule = ""
end
end
end
if body and rule ~="" then
if type(body) == "string" then
if ngx_match(ngx.unescape_uri(body),rule,"isjo") then
error_rule = rule .. ' >> ' .. k .. ':' .. body
return true
end
end
if type(k) == "string" then
if ngx_match(ngx.unescape_uri(k),rule,"isjo") then
error_rule = rule .. ' >> ' .. k
return true
end
end
end
end
end
end
return false
end
function write_log(name,rule)
local count,_ = ngx.shared.drop_ip:get(ip)
if count then
ngx.shared.drop_ip:incr(ip,1)
else
ngx.shared.drop_ip:set(ip,1,retry_cycle)
end
if config['log'] ~= true or is_site_config('log') ~= true then return false end
local method = ngx.req.get_method()
if error_rule then
rule = error_rule
error_rule = nil
end
local logtmp = {ngx.localtime(),ip,method,request_uri,ngx.var.http_user_agent,name,rule}
local logstr = json.encode(logtmp) .. "\n"
local count,_ = ngx.shared.drop_ip:get(ip)
if count > retry and name ~= 'cc' then
local safe_count,_ = ngx.shared.drop_sum:get(ip)
if not safe_count then
ngx.shared.drop_sum:set(ip,1,86400)
safe_count = 1
else
ngx.shared.drop_sum:incr(ip,1)
end
local lock_time = retry_time * safe_count
if lock_time > 86400 then lock_time = 86400 end
logtmp = {ngx.localtime(),ip,method,request_uri,ngx.var.http_user_agent,name,retry_cycle .. '秒以内累计超过'..retry..'次以上非法请求,封锁'.. lock_time ..''}
logstr = logstr .. json.encode(logtmp) .. "\n"
ngx.shared.drop_ip:set(ip,retry+1,lock_time)
write_drop_ip('inc',lock_time)
end
write_to_file(logstr)
inc_log(name,rule)
end
function inc_log(name,rule)
local total_path = cpath .. 'total.json'
local tbody = ngx.shared.btwaf:get(total_path)
if not tbody then
tbody = read_file_body(total_path)
if not tbody then return false end
end
local total = json.decode(tbody)
if not total['sites'] then total['sites'] = {} end
if not total['sites'][server_name] then total['sites'][server_name] = {} end
if not total['sites'][server_name][name] then total['sites'][server_name][name] = 0 end
if not total['rules'] then total['rules'] = {} end
if not total['rules'][name] then total['rules'][name] = 0 end
if not total['total'] then total['total'] = 0 end
total['total'] = total['total'] + 1
total['sites'][server_name][name] = total['sites'][server_name][name] + 1
total['rules'][name] = total['rules'][name] + 1
local total_log = json.encode(total)
if not total_log then return false end
ngx.shared.btwaf:set(total_path,total_log)
if not ngx.shared.btwaf:get('b_btwaf_timeout') then
write_file(total_path,total_log)
ngx.shared.btwaf:set('b_btwaf_timeout',1,5)
end
end
function write_to_file(logstr)
local filename = config["logs_path"] .. '/' .. server_name .. '_' .. ngx.today() .. '.log'
local fp = io.open(filename,'ab')
if fp == nil then return false end
fp:write(logstr)
fp:flush()
fp:close()
return true
end
function args()
if not config['get']['open'] or not is_site_config('get') then return false end
if is_ngx_match(args_rules,uri_request_args,'args') then
write_log('args','regular')
return_html(config['get']['status'],get_html)
return true
end
return false
end
function waf()
-- return_html(200,cpath .. 'config.json')

2
plugins/op_waf/waf/site.json
Unescape View File

@ -1 +1 @@
{{"www.khxs.org": {"scan": true, "cc": {"limit": 120, "endtime": 300, "open": true, "cycle": 60}, "disable_php_path": [], "cdn": false, "cc_uri_white": [], "open": true, "retry": 6, "log": true, "disable_ext": [], "user-agent": true, "disable_upload_ext": ["php", "jsp"], "body_character_string": [], "get": true, "drop_abroad": false, "retry_cycle": 60, "url_tell": [], "cdn_header": ["x-forwarded-for", "x-real-ip"], "url_rule": [], "cookie": true, "retry_time": 180, "post": true, "url_white": [], "disable_rule": {"url": [], "post": [], "args": [], "cookie": [], "user_agent": []}, "project": "", "disable_path": []}, "gae.cachecha.com": {"scan": true, "cc": {"limit": 120, "endtime": 300, "open": true, "cycle": 60}, "disable_php_path": [], "cdn": false, "cc_uri_white": [], "open": true, "retry": 6, "log": true, "disable_ext": [], "user-agent": true, "disable_upload_ext": ["php", "jsp"], "body_character_string": [], "get": true, "drop_abroad": false, "retry_cycle": 60, "url_tell": [], "cdn_header": ["x-forwarded-for", "x-real-ip"], "url_rule": [], "cookie": true, "retry_time": 180, "post": true, "url_white": [], "disable_rule": {"url": [], "post": [], "args": [], "cookie": [], "user_agent": []}, "project": "", "disable_path": []}}}
{"www.khxs.org": {"scan": true, "cc": {"limit": 120, "endtime": 300, "open": true, "cycle": 60}, "disable_php_path": [], "cdn": false, "cc_uri_white": [], "open": true, "retry": 6, "log": true, "disable_ext": [], "user-agent": true, "disable_upload_ext": ["php", "jsp"], "body_character_string": [], "get": true, "drop_abroad": false, "retry_cycle": 60, "url_tell": [], "cdn_header": ["x-forwarded-for", "x-real-ip"], "url_rule": [], "cookie": true, "retry_time": 180, "post": true, "url_white": [], "disable_rule": {"url": [], "post": [], "args": [], "cookie": [], "user_agent": []}, "project": "", "disable_path": []}, "gae.cachecha.com": {"scan": true, "cc": {"limit": 120, "endtime": 300, "open": true, "cycle": 60}, "disable_php_path": [], "cdn": false, "cc_uri_white": [], "open": true, "retry": 6, "log": true, "disable_ext": [], "user-agent": true, "disable_upload_ext": ["php", "jsp"], "body_character_string": [], "get": true, "drop_abroad": false, "retry_cycle": 60, "url_tell": [], "cdn_header": ["x-forwarded-for", "x-real-ip"], "url_rule": [], "cookie": true, "retry_time": 180, "post": true, "url_white": [], "disable_rule": {"url": [], "post": [], "args": [], "cookie": [], "user_agent": []}, "project": "", "disable_path": []}}
Write Preview
Loading…
Cancel
Save