require 'config'
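--- Convert a switch value from config.lua into a boolean.
--
-- The value is compared with the globals `on` / `off` and also with the
-- literal strings "on" / "off". Any other value, including nil, enables the
-- switch.
--
-- NOTE(review): `on` and `off` are not defined in this file. If config.lua
-- does not define them they are nil, and without the literal-string
-- comparison a switch written as "off" would fall through to the default
-- and stay enabled. Confirm how config.lua spells its switches.
-- NOTE(review): the enable-by-default fallback also applies to
-- Http_x_forwarded_for, so an unrecognised value there turns ON trust in the
-- client-supplied X-Forwarded-For header.
--
-- @param args switch value read from config.lua
-- @treturn boolean true when the feature should be active
function option(args)
  if args == on or args == "on" then
    return true
  end
  if args == off or args == "off" then
    return false
  end
  -- Unknown values keep the feature enabled, as before.
  return true
end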
-- Short aliases for the OpenResty helpers used by the rule checks below.
ngxmatch, unescape = ngx.re.match, ngx.unescape_uri

-- Locations taken unchanged from the globals that config.lua provides.
rule_path = Rule_path
log_dir = Log_dir

-- Feature switches, normalised to booleans by option().
all_switch = option(All_switch)
cc_switch = option(Cc_switch)
attack_log = option(Attack_log)
-- When true, GetClientIp() takes the client address from the
-- X-Forwarded-For request header instead of the TCP peer address.
http_x_forwarded_for = option(Http_x_forwarded_for)
--- Split a string on a literal (non-pattern) delimiter.
-- @param s string to split
-- @param delim delimiter; must be a non-empty string
-- @return array of pieces (empty strings are kept), or nothing when
--         `delim` is not a non-empty string
function split(s, delim)
  if type(delim) ~= "string" or #delim == 0 then
    return
  end

  local pieces = {}
  local step = #delim
  local cursor = 1

  -- Fourth argument `true` switches string.find to plain-text matching, so
  -- pattern magic characters in the delimiter are taken literally.
  local hit = string.find(s, delim, cursor, true)
  while hit do
    pieces[#pieces + 1] = string.sub(s, cursor, hit - 1)
    cursor = hit + step
    hit = string.find(s, delim, cursor, true)
  end

  -- Whatever follows the last delimiter (possibly "") is the final piece.
  pieces[#pieces + 1] = string.sub(s, cursor)
  return pieces
end
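--- Return the address the WAF treats as the client for this request.
--
-- With the http_x_forwarded_for switch on and a non-empty X-Forwarded-For
-- header present, the first comma-separated entry of that header is used,
-- with surrounding whitespace removed so it compares equal to list entries.
-- In every other case, including an empty first entry, the TCP peer address
-- (ngx.var.remote_addr) is returned.
--
-- SECURITY: X-Forwarded-For is a request header. Unless every request
-- reaches nginx through a proxy that overwrites it, its value is chosen by
-- the client, and WhiteIp(), BlockIp() and the attack log all depend on this
-- function. Enable the switch only behind such a proxy; restricting which
-- peers may supply the header (for example with nginx's realip module and
-- set_real_ip_from) is the sturdier option.
--
-- @treturn string client address
function GetClientIp()
  local peer = ngx.var.remote_addr
  if http_x_forwarded_for ~= true then
    return peer
  end

  local forwarded = ngx.var.http_x_forwarded_for
  if forwarded == nil or forwarded == "" then
    return peer
  end

  -- Take everything before the first comma, then trim whitespace.
  local first = string.match(string.match(forwarded, "^[^,]*"), "^%s*(.-)%s*$")
  if first == "" then
    return peer
  end
  return first
end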
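-- Make a value safe to embed in one backtick-delimited log field: nil becomes
-- "", and control characters and backticks are replaced with "_".
local function log_field(value)
  if value == nil then
    return ""
  end
  return (string.gsub(tostring(value), "[%c`]", "_"))
end

--- Append one record to the per-server, per-day attack log.
--
-- Record layout (fields separated by a backtick):
--   [time]`client ip`server`url`method`user agent`data`ruletag"
--
-- The client address, URL, method, User-Agent and data fields can carry
-- request-supplied text, so they pass through log_field() first; otherwise a
-- backtick or control character in a header could shift or forge fields for
-- whatever parses this log. The rule tag comes from the rule files and is
-- written unchanged.
-- NOTE(review): the double quote before the newline is kept exactly as it
-- was; it looks unbalanced, but existing log consumers may rely on it.
--
-- @param method request method, or a tag such as 'UA' / 'Cookie' / 'POST'
-- @param url request URI to record
-- @param data extra detail (callers in this file pass "-")
-- @param ruletag the rule that matched
-- @treturn boolean true when the record was written; false when logging is
--          disabled or the log file could not be opened
function Log(method,url,data,ruletag)
  if not attack_log then
    return false
  end

  local server = ngx.var.server_name
  if server == nil or server == "" then
    server = ngx.var.server_addr
  end

  local line = table.concat({
    "[" .. ngx.localtime() .. "]",
    log_field(GetClientIp()),
    server,
    log_field(url),
    log_field(method),
    log_field(ngx.var.http_user_agent),
    log_field(data),
    ruletag .. "\"\n",
  }, "`")

  local filename = log_dir .. server .. "_" .. ngx.today() .. ".log"
  local fd = io.open(filename, "ab")
  if fd == nil then
    -- Best effort: a log failure must not break request handling.
    return false
  end
  fd:write(line)
  fd:flush()
  fd:close()
  return true
end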
--- Load one rule file from rule_path into an array, one entry per line.
-- Blank lines are kept as "" entries.
-- `var` is appended to rule_path without any checks; the callers in this
-- file pass fixed names only.
-- @param var file name relative to rule_path
-- @return array of lines, or nothing when the file cannot be opened
function ReadRule(var)
  local handle = io.open(rule_path .. var, "r")
  if not handle then
    return
  end

  local rules = {}
  for entry in handle:lines() do
    rules[#rules + 1] = entry
  end
  handle:close()
  return rules
end
-- Rule sets are read once, when this file runs.
-- ReadRule returns nothing for a file it cannot open, so any of these may be
-- nil. WhiteUrl checks for that; DenyUrl, DenyUa, DenyCookie and DenyPost
-- iterate their table without a nil check.
wturlrules = ReadRule('whiteurl')
uarules = ReadRule('user-agent')

-- URL, POST-body and cookie checks each load their own copy of 'deny_rule'.
urlrules = ReadRule('deny_rule')
postrules = ReadRule('deny_rule')
ckrules = ReadRule('deny_rule')
--- Send the block page with status 403 and finish the request.
-- `html` is a global that this file does not define (presumably set in
-- config.lua; confirm).
function Say_html()
  local forbidden = ngx.HTTP_FORBIDDEN
  ngx.status = forbidden
  ngx.header.content_type = "text/html"
  ngx.say(html)
  ngx.exit(forbidden)
end
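--- Report whether the request URI matches an entry of the URL whitelist.
--
-- Empty rules are skipped, as the Deny* checks in this file already do. An
-- empty pattern matches every subject, so a single blank line in the
-- 'whiteurl' file would otherwise whitelist every request.
--
-- NOTE(review): patterns are applied unanchored to ngx.var.uri, so a rule
-- matches wherever it occurs in the path; anchor whitelist rules with ^
-- where a prefix match is intended.
--
-- @treturn boolean true when a whitelist rule matches
function WhiteUrl()
  if not all_switch or wturlrules == nil then
    return false
  end
  for _, pattern in pairs(wturlrules) do
    if pattern ~= "" and ngxmatch(ngx.var.uri, pattern, "isjo") then
      return true
    end
  end
  return false
end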
--- Block the request when its URI matches a deny rule.
-- The raw request URI is percent-decoded once (unescape) before matching.
-- On a hit the request is logged, the block page is sent and true is
-- returned.
-- NOTE(review): urlrules is nil when 'deny_rule' could not be opened; pairs()
-- then raises an error instead of returning false.
-- NOTE(review): a failed match, including a pattern that does not compile,
-- is treated as "no match" here; such a rule never fires and nothing
-- reports it.
-- @treturn boolean true when the request was blocked
function DenyUrl()
  if not all_switch then
    return false
  end
  for _, pattern in pairs(urlrules) do
    -- Empty lines in the rule file are ignored.
    local hit = pattern ~= "" and ngxmatch(unescape(ngx.var.request_uri), pattern, "isjo")
    if hit then
      Log(ngx.var.request_method, ngx.var.request_uri, "-", pattern)
      Say_html()
      return true
    end
  end
  return false
end
--- Block the request when its User-Agent header matches a UA rule.
-- Requests that carry no User-Agent header skip this check entirely.
-- NOTE(review): uarules is nil when 'user-agent' could not be opened; pairs()
-- then raises an error instead of returning false.
-- @treturn boolean true when the request was blocked
function DenyUa()
  if not all_switch then
    return false
  end
  local agent = ngx.var.http_user_agent
  if agent == nil then
    return false
  end
  for _, pattern in pairs(uarules) do
    -- Empty lines in the rule file are ignored.
    if pattern ~= "" and ngxmatch(agent, pattern, "isjo") then
      Log('UA', ngx.var.request_uri, "-", pattern)
      Say_html()
      return true
    end
  end
  return false
end
--- Block the request when its Cookie header matches a cookie rule.
-- The header is matched as received; requests without a Cookie header skip
-- this check.
-- NOTE(review): ckrules is nil when 'deny_rule' could not be opened; pairs()
-- then raises an error instead of returning false.
-- @treturn boolean true when the request was blocked
function DenyCookie()
  local cookie = ngx.var.http_cookie
  if not all_switch or cookie == nil then
    return false
  end
  for _, pattern in pairs(ckrules) do
    -- Empty lines in the rule file are ignored.
    local hit = pattern ~= "" and ngxmatch(cookie, pattern, "isjo")
    if hit then
      Log('Cookie', ngx.var.request_uri, "-", pattern)
      Say_html()
      return true
    end
  end
  return false
end
--- Report whether the client address is on the IP whitelist.
-- Entries are compared as exact strings with the result of GetClientIp().
-- SECURITY: this decision is only as trustworthy as GetClientIp(). When the
-- X-Forwarded-For switch is on and clients can reach nginx without passing
-- a proxy that overwrites that header, the compared value is supplied by
-- the client.
-- NOTE(review): ipWhitelist is not defined in this file (presumably in
-- config.lua); next() raises an error if it is nil.
-- @treturn boolean true when the client address is whitelisted
function WhiteIp()
  if not (all_switch and next(ipWhitelist) ~= nil) then
    return false
  end
  local client = GetClientIp()
  for _, allowed in pairs(ipWhitelist) do
    if client == allowed then
      return true
    end
  end
  return false
end
--- Reject the request with 403 when the client address is on the block list.
-- Entries are compared as exact strings with the result of GetClientIp().
-- Unlike the Deny* checks, a block-list hit is not written to the attack
-- log and no block page is sent.
-- NOTE(review): with the X-Forwarded-For switch on, the compared address
-- comes from a request header; see GetClientIp().
-- NOTE(review): ipBlocklist is not defined in this file (presumably in
-- config.lua); next() raises an error if it is nil.
-- @treturn boolean true when the request was rejected
function BlockIp()
  if not (all_switch and next(ipBlocklist) ~= nil) then
    return false
  end
  local client = GetClientIp()
  for _, banned in pairs(ipBlocklist) do
    if client == banned then
      ngx.exit(403)
      return true
    end
  end
  return false
end
--- Block a POST request whose body matches a deny rule.
--
-- Coverage limits visible in this function:
--  * only the POST method is inspected; bodies sent with other methods are
--    not examined here;
--  * ngx.req.get_body_data() returns nil when nginx has spooled the body to
--    a temporary file, so bodies larger than the in-memory buffer
--    (client_body_buffer_size) skip the rules;
--  * the body is matched as received, without the percent-decoding that
--    DenyUrl applies to the URI.
-- NOTE(review): postrules is nil when 'deny_rule' could not be opened;
-- pairs() then raises an error instead of returning false.
-- @treturn boolean true when the request was blocked
function DenyPost()
  if not all_switch or ngx.var.request_method ~= "POST" then
    return false
  end

  ngx.req.read_body()
  local body = ngx.req.get_body_data()
  if body == nil or body == "" then
    return false
  end

  for _, pattern in pairs(postrules) do
    -- Empty lines in the rule file are ignored.
    if pattern ~= "" and ngxmatch(body, pattern, "isjo") then
      Log('POST', ngx.var.request_uri, "-", pattern)
      Say_html()
      return true
    end
  end
  return false
end