9a4392ac
authored
Jan 26, 2021
by
Joneq
去除老罗之前的代码
parent
86acf842
Showing
1 changed file
with
0 additions
and
261 deletions
waf.lua
@@ -150,269 +150,8 @@ end
-- 先循环检查url路径是否匹配,再检查该ip是否在非蜘蛛名单里面 没有的话就跳转到认证
re_path
,
err
=
red
:
hkeys
(
'spider_ip_path'
)
if
re_path
~=
ngx
.
null
then
for
i
,
v
in
ipairs
(
re_path
)
do
ra
,
rb
,
rc
=
string.find
(
temp_uri
,
v
,
1
,
true
)
if
ra
then
-- 检查是否有在蜘蛛名单
ra
,
rb
,
rc
=
red
:
get
(
'spider_ip_not:'
..
user_ip
)
if
type
(
ra
)
~=
'string'
then
redirect
.
checkgoogle
(
red
)
end
end
end
end
------------------------------------------------------------s老罗之前的代码,作用不是很大,仅供参考s------------------------------------
url_address
=
string.lower
(
ngx
.
var
.
request_uri
)
-- 请求这种字符串的 统统要进行验证(屏蔽文件扫描和注入点扫描)
is_scan_asp
=
string.find
(
url_address
,
'.asp'
,
1
,
true
)
is_scan_jsp
=
string.find
(
url_address
,
'.jsp'
,
1
,
true
)
is_scan_action
=
string.find
(
url_address
,
'.action'
,
1
,
true
)
-- 屏蔽注入
if
tonumber
(
ngx
.
var
.
server_name_id
)
==
1
then
-- 在调用ichunt3.0的时候 屏蔽注入扫描
is_scan_select
=
string.find
(
url_address
,
'select'
)
else
is_scan_select
=
nil
end
-- 策略 规则2:第一次进入敏感页面(product-10_15.html),页码超过15 则记录ip并跳转到验证码页面,验证成功后.继续浏览(10分钟内规则2失效,但是规则1仍然生效)
is_sensitive
=
string.find
(
url_address
,
'product'
)
if
(
is_sensitive
~=
nil
)
then
-- 先切割url参数,然后查看是否有分页的页码
is_page
=
string.find
(
url_address
,
'?'
)
if
(
is_page
~=
nil
)
then
is_page
=
localstring
.
Split
(
url_address
,
'?'
)
is_page
=
is_page
[
1
]
else
is_page
=
url_address
end
is_page_true
=
string.find
(
is_page
,
'_'
)
if
(
is_page_true
~=
nil
)
then
-- 切割页码出来
is_page
=
localstring
.
Split
(
is_page
,
'product'
)
is_page
=
localstring
.
Split
(
is_page
[
2
],
'_'
)
-- 查找是否有.html
is_page_true
=
string.find
(
is_page
[
2
],
'html'
)
if
(
is_page_true
~=
nil
)
then
is_page
=
string.gsub
(
is_page
[
2
],
'.html'
,
''
)
else
is_page
=
is_page
[
2
]
end
-- 拿着页码判断是否大于15
if
(
tonumber
(
is_page
)
>=
15
)
then
-- 记录ip 并让其302到验证码
spider_sensitive_ip
=
"spider_sensitive_ip:"
..
user_ip
spider_sensitive_ip_result
=
tostring
(
red
:
get
(
spider_sensitive_ip
))
spider_sensitive_ip_result
=
string.find
(
spider_sensitive_ip_result
,
'NULL'
)
-- 如果为空则表明该ip未验证.进行验证,并且把这个ip加入记录
if
spider_sensitive_ip_result
==
11
then
red
:
sadd
(
'spider_ban'
,
user_ip
)
red
:
set
(
spider_sensitive_ip
,
user_ip
)
red
:
expire
(
spider_sensitive_ip
,
600
)
end
end
end
end
if
(
is_scan_asp
~=
nil
or
is_scan_jsp
~=
nil
or
is_scan_action
~=
nil
or
is_scan_select
~=
nil
)
then
red
:
sadd
(
'spider_ban'
,
user_ip
)
-- 记录这次请求是否是扫描 供跳转时使用
is_scan
=
1
else
is_scan
=
0
end
--redis的键名前缀
str_id
=
tostring
(
ngx
.
var
.
server_name_id
)
spider_time
=
'spider_time:'
..
str_id
..
':'
spider_count
=
'spider_count:'
..
str_id
..
':'
spider_config
=
'spider_config_info'
member_ip_time_out
=
'ip_time_out:'
..
str_id
member_connect_count
=
'spider_count:'
..
str_id
member_key_exit_time
=
'key_exit_time:'
..
str_id
--根据某个ip设定链接数量
spider_connect_count_alg
=
'spider_connect_count_alg'
--读取配置在redis上的信息
-- ip访问频率时间段
ip_time_out
,
err
=
red
:
hget
(
spider_config
,
member_ip_time_out
)
if
ip_time_out
==
ngx
.
null
or
tonumber
(
ip_time_out
)
<=
0
then
ip_time_out
=
60
end
ip_time_out
=
tonumber
(
ip_time_out
)
-- ip访问频率计数最大值
connect_count
,
err
=
red
:
hget
(
spider_config
,
member_connect_count
)
if
connect_count
==
ngx
.
null
or
tonumber
(
connect_count
)
<=
0
then
connect_count
=
45
end
connect_count
=
tonumber
(
connect_count
)
-- ip访问频率按照解禁次数递增数
count_alg
,
err
=
red
:
hget
(
spider_connect_count_alg
,
user_ip
)
if
count_alg
==
ngx
.
null
or
count_alg
==
false
or
tonumber
(
count_alg
)
<=
0
then
count_alg
=
0
end
connect_count
=
connect_count
+
tonumber
(
count_alg
)
-- ip有效时间一个小时没有访问则自动失效
spider_key_exit_time
,
err
=
red
:
hget
(
spider_config
,
member_key_exit_time
)
if
spider_key_exit_time
==
ngx
.
null
or
tonumber
(
spider_key_exit_time
)
<=
0
then
spider_key_exit_time
=
300
end
spider_key_exit_time
=
tonumber
(
spider_key_exit_time
)
-- 查询ip是否在封禁时间段内,若在则跳转到验证码页面
is_ban
,
err
=
red
:
sismember
(
'spider_ban'
,
user_ip
)
if
is_ban
==
1
then
if
tonumber
(
ngx
.
var
.
server_name_id
)
==
1
then
local
dest
-- source携带了之前用户请求的地址信息,方便验证成功后返回原用户请求地址
if
is_scan
==
1
then
-- 如果是扫描 再次跳转的时候就不带参数,以防止跳转后又被鉴定为扫描.循环鉴定
source_url
=
ngx
.
encode_base64
(
ngx
.
var
.
scheme
..
'://'
..
ngx
.
var
.
host
..
':'
..
ngx
.
var
.
server_port
)
else
-- 不是扫描 就带全地址
source_url
=
ngx
.
encode_base64
(
ngx
.
var
.
scheme
..
'://'
..
ngx
.
var
.
host
..
':'
..
ngx
.
var
.
server_port
..
ngx
.
var
.
request_uri
)
end
dest
=
'http://passport.ichunt.com/static/login.html'
..
'?continue='
..
source_url
ngx
.
redirect
(
dest
,
302
)
end
if
tonumber
(
ngx
.
var
.
server_name_id
)
==
2
then
local
res
=
{
err_code
=
302302
,
err_msg
=
""
,
data
=
{}}
ngx
.
say
(
cjson
.
encode
(
res
));
ngx
.
exit
(
ngx
.
OK
)
end
if
tonumber
(
ngx
.
var
.
server_name_id
)
==
3
then
local
res
=
{
error_code
=
302302
,
error_msg
=
""
,
data
=
{}}
ngx
.
say
(
cjson
.
encode
(
res
));
ngx
.
exit
(
ngx
.
OK
)
end
return
end
--把对应的ip信息存放在队列
arr
=
{}
arr
[
'ip'
]
=
user_ip
arr
[
'user_agent'
]
=
ngx
.
req
.
get_headers
().
user_agent
-- 1为www 2为api 3为so
arr
[
'server_name_id'
]
=
ngx
.
var
.
server_name_id
arr
[
'url'
]
=
temp_uri
arr
[
'create_time'
]
=
os.time
()
arr
[
'type'
]
=
1
-- 特定接口列表
speciel_api_list
=
'speciel_api_list'
;
-- 接口与服务拼接作为哈希member
speciel_api_member
=
'member_'
..
temp_uri
..
'_'
..
str_id
-- 接口、服务与ip拼接作为key
speciel_api_string_count
=
'speciel_api_count'
..
temp_uri
..
str_id
..
user_ip
-- 接口的时间段设置
speciel_api_string_time
=
'speciel_api_time'
..
temp_uri
..
str_id
..
user_ip
-- 针对特定接口,限制相同ip的访问次数
speciel_api_obj
,
err
=
red
:
hget
(
speciel_api_list
,
speciel_api_member
)
if
speciel_api_obj
~=
ngx
.
null
then
speciel_api_info
=
cjson
.
decode
(
speciel_api_obj
)
if
tonumber
(
speciel_api_info
[
'button'
])
==
1
then
start_time
,
err
=
red
:
get
(
speciel_api_string_time
)
speciel_api_config_time
=
tonumber
(
speciel_api_info
[
'expire_time'
])
speciel_api_config_count
=
tonumber
(
speciel_api_info
[
'count'
])
if
start_time
==
ngx
.
null
or
os.time
()
-
tonumber
(
start_time
)
>
speciel_api_config_time
then
res
,
err
=
red
:
set
(
speciel_api_string_time
,
os.time
())
res
,
err
=
red
:
set
(
speciel_api_string_count
,
1
)
else
res
,
err
=
red
:
incr
(
speciel_api_string_count
)
ip_count
=
tonumber
(
res
);
if
ip_count
>=
speciel_api_config_count
then
res
,
err
=
red
:
sadd
(
'spider_ban'
,
user_ip
)
res
,
err
=
red
:
set
(
speciel_api_string_count
,
0
)
arr
[
'type'
]
=
2
end
end
res
,
err
=
red
:
expire
(
speciel_api_string_time
,
speciel_api_config_time
)
res
,
err
=
red
:
expire
(
speciel_api_string_count
,
speciel_api_config_time
)
end
end
-- ip记录时间key
start_time
,
err
=
red
:
get
(
spider_time
..
user_ip
)
-- 如果ip记录时间的key不存在或者当前时间减去ip记录时间大于指定时间间隔,则重置时间key和计数key
-- 如果当前时间减去ip记录时间小于指定时间间隔,则ip计数+1,
-- 并且ip计数大于指定ip访问频率,则设置ip的封禁key为1,同时设置封禁key的过期时间为封禁ip时间
if
start_time
==
ngx
.
null
or
os.time
()
-
tonumber
(
start_time
)
>
ip_time_out
then
res
,
err
=
red
:
set
(
spider_time
..
user_ip
,
os.time
())
res
,
err
=
red
:
set
(
spider_count
..
user_ip
,
1
)
else
res
,
err
=
red
:
incr
(
spider_count
..
user_ip
)
ip_count
=
tonumber
(
res
);
-- 统计当日访问ip集合
--res , err = red:sadd('spider_statistic_total_ip:' .. os.date('%x'), user_ip)
if
ip_count
>=
connect_count
then
res
,
err
=
red
:
sadd
(
'spider_ban'
,
user_ip
)
arr
[
'type'
]
=
2
end
end
-- red:lpush('spider_ip_info_list',cjson.encode(arr))
--设置有效时间
res
,
err
=
red
:
expire
(
spider_time
..
user_ip
,
spider_key_exit_time
)
res
,
err
=
red
:
expire
(
spider_count
..
user_ip
,
spider_key_exit_time
)