完成请求头以及一些其他代码的函数转换

localstring.lua

+----------------------------------------本地字符串截取Url--------------------------------
+
+
+
+
+local _Lstring= {}
+
+
+--------切分字符串
+function _Lstring.Split(self,szFullString, szSeparator)
+    local nFindStartIndex = 1  
+    local nSplitIndex = 1  
+    local nSplitArray = {}  
+    while true do  
+       local nFindLastIndex = string.find(szFullString, szSeparator, nFindStartIndex)  
+       if not nFindLastIndex then  
+        nSplitArray[nSplitIndex] = string.sub(szFullString, nFindStartIndex, string.len(szFullString))  
+        break  
+       end  
+       nSplitArray[nSplitIndex] = string.sub(szFullString, nFindStartIndex, nFindLastIndex - 1)  
+       nFindStartIndex = nFindLastIndex + string.len(szSeparator)  
+       nSplitIndex = nSplitIndex + 1  
+    end  
+    return nSplitArray  
+end
+
+
+return _Lstring
\ No newline at end of file

readme.md

+##lua/config.lua 已忽略上传
+里面的配置需要自己根据实际情况去修改
+##mac/cjson.so  ./cjson.so
+.so的文件，不同的环境，.so的内容是不同的，所以记得在config.lua里面设置目录使用相应的.so
\ No newline at end of file

reqhandle.lua

+----------------------------------------网络请求数据处理包--------------------------------
+
+
+
+
+local _Reqhandle= {}
+
+
+--------去除一些网站自己的白名单
+function _Reqhandle.Selfwhiteurl(self)
+
+    local l_str = string.reverse(ngx.var.request_uri)
+    local l_a,l_b = string.find(l_str,'?')
+    if l_a ~= nil then
+        l_str = string.sub(l_str,l_a+1,-1)
+    end
+
+    -- 去除包含Activity/tg的请求
+    local temp_uri = string.reverse(l_str)
+    l_a,l_b = string.find(temp_uri,'Activity/tg')
+    if l_a ~= nil then
+        return 'ok',''
+    end
+
+    --去除图片、js、css请求
+    l_a,l_b = string.find(l_str,'%.')
+    if l_a ~= nil then
+        l_str = string.sub(l_str,1,l_a)
+        l_str = string.reverse(l_str)
+        l_aa,l_bb = string.find('.gif.jpg.jpeg.png.bmp.swf.css.js',l_str)
+        if l_aa ~= nil then
+            return 'ok',''
+        end
+    end 
+
+    return "continue",temp_uri
+end
+
+
+
+
+--------获取真实ip
+function _Reqhandle.GetRealIp(self)
+
+    if tonumber(ngx.var.server_name_id) == 1 then
+        local user_ip = ngx.var.remote_addr
+    else
+        local user_ip = ngx.var.remote_addr
+    
+        if user_ip == nil then
+            user_ip = ngx.req.get_headers()["X-Real-IP"]
+        end
+        if user_ip == nil then
+            user_ip = ngx.req.get_headers()["x_forwarded_for"]
+        end
+        if user_ip == nil then
+            user_ip = ngx.var.remote_addr
+        end
+        if user_ip == nil then
+            user_ip = "unknown"
+        end
+    end
+
+    return user_ip
+end
+
+
+
+
+
+
+return _Reqhandle
\ No newline at end of file

waf.lua

+------获取当前文件夹目录
 function script_path()
     local str = debug.getinfo(2, "S").source:sub(2)
     return str:match("(.*/)")
@@ -5,12 +6,16 @@ end
 current_dir = script_path()
 
 
+------加载lua扩展包
 package.path = current_dir.."?.lua;"
 local config = require "config"
 local redis = require "resty.redis"
 local redirect = require "redirect"
+local localstring = require "localstring"
+local wafcheck = require "wafcheck"
+local reqhandle = require "reqhandle"
 
-
+-------加载.so扩展包
 package.cpath = current_dir..config.so_path.."?.so;"
 local cjson = require "cjson"
 
@@ -18,54 +23,17 @@ local cjson = require "cjson"
 
 
 
--- 切分字符串
-function Split(szFullString, szSeparator)
-local nFindStartIndex = 1  
-local nSplitIndex = 1  
-local nSplitArray = {}  
-while true do  
-   local nFindLastIndex = string.find(szFullString, szSeparator, nFindStartIndex)  
-   if not nFindLastIndex then  
-    nSplitArray[nSplitIndex] = string.sub(szFullString, nFindStartIndex, string.len(szFullString))  
-    break  
-   end  
-   nSplitArray[nSplitIndex] = string.sub(szFullString, nFindStartIndex, nFindLastIndex - 1)  
-   nFindStartIndex = nFindLastIndex + string.len(szSeparator)  
-   nSplitIndex = nSplitIndex + 1  
-end  
-return nSplitArray  
-end
-
-
-
---去除图片、js、css请求
-l_str = string.reverse(ngx.var.request_uri)
-
-
-l_a,l_b = string.find(l_str,'?')
-if l_a ~= nil then
-	l_str = string.sub(l_str,l_a+1,-1)
-end
-
--- 去除包含Activity/tg的请求
-temp_uri = string.reverse(l_str)
-l_a,l_b = string.find(temp_uri,'Activity/tg')
-if l_a ~= nil then
-	return
+-------去除一些不要验证的请求并获取url
+local urlok,temp_uri = reqhandle.Selfwhiteurl()
+if urlok == "ok" then
+	red:close()
+	return 
 end
 
-l_a,l_b = string.find(l_str,'%.')
-if l_a ~= nil then
-	l_str = string.sub(l_str,1,l_a)
-	l_str = string.reverse(l_str)
-	l_aa,l_bb = string.find('.gif.jpg.jpeg.png.bmp.swf.css.js',l_str)
-	if l_aa ~= nil then
-		return
-	end
-end
 
 
 
+-------链接redis------------
 local red = redis:new()
 red:set_timeout(1000) 
 
@@ -85,32 +53,17 @@ if not ok then
   return
 end
 
--- 开关
+
+
+--防火墙开关
 spider_config_button , err = red:get('spider_config_button')
 if spider_config_button ~= ngx.null and tonumber(spider_config_button)==1 then
+	red:close()
 	return
 end
 
--- 获取ip
-if tonumber(ngx.var.server_name_id) == 1 then
-	user_ip = ngx.var.remote_addr
-else
-	user_ip = ngx.var.remote_addr
-
-	if user_ip == nil then
-		user_ip = ngx.req.get_headers()["X-Real-IP"]
-	end
-	if user_ip == nil then
-		user_ip = ngx.req.get_headers()["x_forwarded_for"]
-	end
-	if user_ip == nil then
-		user_ip = ngx.var.remote_addr
-	end
-	if user_ip == nil then
-		user_ip = "unknown"
-	end
-end
-
+-- 获取真实ip
+local user_ip = reqhandle.GetRealIp()
 
 spider_config_user_ip_button , err = red:get('spider_config_user_ip_button')
 if spider_config_user_ip_button ~= ngx.null and tonumber(spider_config_user_ip_button)==1 then
@@ -126,11 +79,23 @@ if spider_config_user_ip_button ~= ngx.null and tonumber(spider_config_user_ip_b
 	end
 end
 
--- 白名单
-is_white ,err = red:sismember('spider_white_list', user_ip)
-if is_white == 1 then
-  red:close()
-  return
+
+-- 获取请求头
+local u_agent = ngx.req.get_headers().user_agent
+
+
+
+
+-- 白名单存在直接跳过
+if wafcheck.WhiteIp(user_ip) == 'exist' or wafcheck.WhiteUrl(temp_uri) == 'exist' or wafcheck.WhiteHeader(user_ip) == 'exist' then
+	red:close()
+	return 
+end
+
+
+-- 黑名单存在直接302
+if wafcheck.BlackIp(user_ip) == 'exist' or wafcheck.BlackUrl(temp_uri) == 'exist' or wafcheck.BlackHeader(user_ip) == 'exist' then
+	return 
 end
 
 -- 黑名单
@@ -144,50 +109,6 @@ end
 
 
 
-u_agent = ngx.req.get_headers().user_agent
--- 过滤指定userAgent
-re_user_agent , err = red:get('spider_config_user_agent')
-if re_user_agent ~= ngx.null and u_agent then
-	user_agent_list = cjson.decode(re_user_agent)
-	for i, v in ipairs(user_agent_list) do
-		u_agent_lower = string.lower(u_agent)
-		v_lower = string.lower(v)
-		ra,rb,rc = string.find(u_agent_lower,v_lower,1,true)
-		if ra then
-			red:close()
-			return
-		end
-	end 
-end
-
--- 过滤指定ip
-re_user_ip , err = red:get('spider_config_user_ip')
-if re_user_ip ~= ngx.null then
-	user_ip_list = cjson.decode(re_user_ip)
-	for i, v in ipairs(user_ip_list) do
-		ra,rb,rc = string.find(user_ip,v,1,true)
-		if ra then
-			red:close()
-			ngx.exit(ngx.HTTP_FORBIDDEN)
-			return
-		end
-	end 
-end
-
--- 过滤指定url
-re_user_url , err = red:get('spider_config_user_url')
-if re_user_url ~= ngx.null then
-	user_url_list = cjson.decode(re_user_url)
-	for i, v in ipairs(user_url_list) do
-		ra,rb,rc = string.find(temp_uri,v,1,true)
-		if ra then
-			red:close()
-			return
-		end
-	end 
-end
-
-
 -------s------------------------20200923新增对用户特定URL，IP时间段内的限制-------s------------------------
 --[[
 	1 设置需要的请求网址  redis 集合  waf_urldesc_limit
@@ -217,12 +138,20 @@ if  tonumber(ngx.var.server_name_id) == 1 and checkuri ~= nil  and red:sismember
 
 	--如果超过次数就跳转至google验证页面，并且带上网址
 	if tonumber(red:get(checkuriip)) > checkuricount then
+		red:close()
 		redirect.checkgoogle()
 	end
 end
 
 -------e------------------------20200923新增对用户特定URL，IP时间段内的限制-------e------------------------
 
+
+
+
+
+
+
+
 -- 先循环检查url路径是否匹配,再检查该ip是否在非蜘蛛名单里面 没有的话就跳转到认证
 re_path , err = red:hkeys('spider_ip_path')
 if re_path ~= ngx.null then
@@ -244,78 +173,6 @@ end
 
 
 
-------------------------请求头黑名单
-u_agent = ngx.req.get_headers().user_agent
--- 过滤指定userAgent
-re_user_agent , err = red:get('spider_config_ip_ban')
-if re_user_agent ~= ngx.null and u_agent then
-	user_agent_list = cjson.decode(re_user_agent)
-	for i, v in ipairs(user_agent_list) do
-		
-		u_agent_lower = string.lower(u_agent)
-
-		v['info']     = string.lower(v['info'])
-		
-		ra,rb,rc = string.find(u_agent_lower,v['info'],1,true)
-
-		if ra then
-			ngx.header['Content-Type']  = 'text/html; charset=utf-8';
-			ngx.say('<html><h1>请求正在处理中</h1></html>');
-			ngx.exit(ngx.OK)
-			return
-		end
-
-	end 
-end
-
--- -- 拦截指定ip
-re_user_ip , err = red:get('spider_config_ip_ban')
-
-if re_user_ip ~= ngx.null then
-	user_ip_list = cjson.decode(re_user_ip)
-	for i, v in ipairs(user_ip_list) do
-		
-		ra,rb,rc = string.find(user_ip,v['info'],1,true)
-
-		if ra then
-			ngx.header['Content-Type']  = 'text/html; charset=utf-8';
-			ngx.say('<html><h1>您的请求正在处理中</h1></html>');
-			ngx.exit(ngx.OK)
-			return
-		end
-	end 
-end
-
--- -- 拦截指定url
-re_user_url , err = red:get('spider_config_ip_ban')
-if re_user_url ~= ngx.null then
-	user_url_list = cjson.decode(re_user_url)
-	for i, v in ipairs(user_url_list) do
-
-		v['info'] = string.lower(v['info'])
-		temp_uri  = string.lower(temp_uri)
-
-		ra,rb,rc = string.find(temp_uri,v['info'],1,true);
-
-		if ra then
-			ngx.header['Content-Type']  = 'text/html; charset=utf-8';
-			ngx.say('<html><h1>url请求正在处理中</h1></html>');
-			ngx.exit(ngx.OK)
-			return
-		end
-	end 
-end
-
-
-
-
-
-
-
-
-
-
-
 ------------------------------------------------------------s之前的代码，作用不是很大，仅供参考s------------------------------------
 
 url_address = string.lower(ngx.var.request_uri)
@@ -341,7 +198,7 @@ if (is_sensitive ~= nil) then
 	is_page =  string.find(url_address,'?')
 
 	if(is_page ~= nil) then
-		is_page =  Split(url_address,'?')
+		is_page =  localstring.Split(url_address,'?')
 		is_page = is_page[1]
 	else
 		is_page = url_address
@@ -354,8 +211,8 @@ if (is_sensitive ~= nil) then
 
 	if (is_page_true ~= nil) then
 		-- 切割页码出来
-		is_page =  Split(is_page,'product')
-		is_page =  Split(is_page[2],'_')
+		is_page =  localstring.Split(is_page,'product')
+		is_page =  localstring.Split(is_page[2],'_')
 		
 
 

wafcheck.lua

+----------------------------------------waf检测包--------------------------------
+
+
+
+
+local _Wafcheck= {}
+
+
+--------白名单ip-----------
+function _Wafcheck.WhiteIp(self,user_ip)
+    local is_exist ,err = red:sismember('ichunt_waf_white_ip', user_ip)
+    if is_exist == 1 then
+      return "exist"
+    end
+    return "continue"
+end
+
+
+--------白名单url-----------
+function _Wafcheck.WhiteUrl(self,url)
+    local is_exist ,err = red:sismember('ichunt_waf_white_url', url)
+    if is_exist == 1 then
+      return "exist"
+    end
+    return "continue"
+end
+
+
+--------白名单header-----------
+function _Wafcheck.WhiteHeader(self,header)
+    local is_exist ,err = red:sismember('ichunt_waf_white_header', header)
+    if is_exist == 1 then
+      return "exist"
+    end
+    return "continue"
+end
+
+
+
+-------黑名单Ip
+function _Wafcheck.BlackIp(self,user_ip)
+    is_exist ,err = red:sismember('ichunt_waf_black_ip', user_ip)
+    if is_exist == 1 then
+        return "exist"
+    end
+    return "continue"
+end
+
+
+-------黑名单Url
+function _Wafcheck.BlackUrl(self,url)
+    is_exist ,err = red:sismember('ichunt_waf_black_url', url)
+    if is_exist == 1 then
+        return "exist"
+    end
+    return "continue"
+end
+
+
+-------黑名单header
+function _Wafcheck.BlackHeader(self,header)
+    is_exist ,err = red:sismember('ichunt_waf_black_header', header)
+    if is_exist == 1 then
+        return "exist"
+    end
+    return "continue"
+end
+
+return _Wafcheck
\ No newline at end of file