✨ Use the directive waf_priority to change the rule priority.

🐛 The statistics of CC protection are sometimes inaccurate.

💥 Deprecate the directive `waf_cc_deny_limit` and replace it all with `waf_cc_deny`.

CHANGES-ZH-CN.md

@@ -2,21 +2,31 @@
 
 ## [未发布]
 
+### **警告**
+
+**此版本包含不兼容的更新（breaking changes）。**
+
 ### 新增
 
 * 新增了模式 `CACHE`，启用此模式后会缓存每次检查的结果，提高性能。
-* 新增了配置项 `waf_cache` 用于设置缓存相关的参数。
+* 新增了配置 `waf_cache` 用于设置缓存相关的参数。
+* 新增了配置 `waf_cc_deny`，用于设置 CC 防护相关的参数。
+* 新增了配置 `waf_priority`，用来设置除了 POST 检查以外所有的检查项目的优先级。
 
 ### 移除
 
+* 废弃了配置 `waf_cc_deny_limit`，使用新的配置 `waf_cc_deny` 替代。
+
 ### 变动
 
-* 互换了 CC 防护和 IP 白名单检查的优先级。
+* 互换了 CC 防护和 IP 白名单检查的默认优先级。
 
 ### 修复
 
 * 修复了当 worker 进程数量大于一时的段错误。
 
+* 修复了 CC 防护统计有时不准的错误。
+
 ***
 
 ## [4.0.0] - 2021-03-22 GMT+0800

CHANGES.md

@@ -2,22 +2,34 @@
 
 ## [Unreleased]
 
+### **WARNING**
+
+**This version contains breaking changes.**
+
 ### Added
 
 * A new mode `CACHE` has been added, enabling this mode will cache the results of each inspection to improve performance.
 
 * New configuration `waf_cache` has been added to set parameters related to cache.
 
+* Added directive `waf_cc_deny` to set CC protection related parameters.
+
+* New directive `waf_priority` has been added to set the priority of all checks except for POST checks.
+
 ### Removed
 
+* The directive `waf_cc_deny_limit` is deprecated and replaced with the new directive `waf_cc_deny`.
+
 ### Changed
 
-* Swaps the priority of CC protection and IP whitelist inspection.
+* Swaps the default priority of CC protection and IP whitelist inspection.
 
 ### Fixed
 
 * Fixed a segmentation fault when the number of worker processes is greater than one.
 
+* Fixed a bug where CC protection statistics were sometimes inaccurate.
+
 ***
 
 ## [4.0.0] - 2021-03-22 GMT+0800

docs/advance/changes.md

@@ -7,22 +7,34 @@ lang: en
 
 ## [Unreleased]
 
+### **WARNING**
+
+**This version contains breaking changes.**
+
 ### Added
 
 * A new mode `CACHE` has been added, enabling this mode will cache the results of each inspection to improve performance.
 
 * New configuration `waf_cache` has been added to set parameters related to cache.
 
+* Added directive `waf_cc_deny` to set CC protection related parameters.
+
+* New directive `waf_priority` has been added to set the priority of all checks except for POST checks.
+
 ### Removed
 
+* The directive `waf_cc_deny_limit` is deprecated and replaced with the new directive `waf_cc_deny`.
+
 ### Changed
 
-* Swaps the priority of CC protection and IP whitelist inspection.
+* Swaps the default priority of CC protection and IP whitelist inspection.
 
 ### Fixed
 
 * Fixed a segmentation fault when the number of worker processes is greater than one.
 
+* Fixed a bug where CC protection statistics were sometimes inaccurate.
+
 ***
 
 ## [4.0.0] - 2021-03-22 GMT+0800

docs/advance/priority.md

@@ -5,7 +5,7 @@ lang: en
 
 # Rule Priority
 
-There are many inspection items in this module, so it is important to specify the inspection priority of each inspection item to avoid illogical inspection results.
+There are many inspection process in this module, so it is important to specify the inspection priority of each inspection process to avoid illogical inspection results.
 
 The following is a list of all the tests in order of priority, from top to bottom.
 
@@ -21,8 +21,16 @@ The following is a list of all the tests in order of priority, from top to botto
 10. Cookie blacklist inspection
 11. Post request body blacklist
 
+
+::: tip Change priority
+
+You can modify the priority through the configuration file, but the priority of the POST request body detection is not allowed to be modified, it will always have the lowest priority. See [waf_priority](syntax.md#waf-priority) for details
+
+:::
+
+
 ::: tip CHANGES IN THE DEVELOPMENT VERSION
 
-Swaps the priority of CC protection and IP whitelist inspection.
+Swaps the default priority of CC protection and IP whitelist inspection.
 
 :::

docs/advance/syntax.md

@@ -7,23 +7,23 @@ lang: en
 
 ## `waf`
 
-* syntax: `waf <on|off>;`
-* default: `waf off;`
+* syntax: waf \<*on* | *off*\>
+* default: waf *off*
 * context: server
 
 Whether to enable this module.
 
 ## `waf_rule_path`
 
-* syntax: `waf_rule_path <dir>;`
+* syntax: waf_rule_path \<*dir*\>
 * default: —
 * context: server
 
 The absolute path to the directory where the rule file is located, and must end with `/`.
 
 ## `waf_mode`
 
-* syntax: `waf_mode <mode_type> ...;`
+* syntax: waf_mode \<*mode_type*\> ...
 * default: —
 * context: server
 
@@ -90,7 +90,7 @@ The following modes have changed:
 
 ## `waf_cc_deny_limit`
 
-* syntax: `waf_cc_deny_limit <rate> <duration> [buffer_size];`
+* syntax: waf_cc_deny_limit \<*rate*\> \<*duration*\> \[*buffer_size*\]
 * default: ——
 * context: server
 
@@ -101,17 +101,43 @@ Set the parameters related to CC protection.
 * `buffer_size`: used to set the size of the memory for recording IP accesses, such as `10m`, `10240k`, must not be less than `10m`, if not specified then the default is `10m`.
 
 
+::: tip CHANGES IN DEVELOPMENT
+
+* syntax: waf_cc_deny \<rate=*n*r/m\> \[duration=*1h*\] \[buffer_size=*20m*\]
+* default: ——
+* context: server
+
+Set the parameters related to CC protection.
+
+* `rate`: indicates the maximum number of requests per minute, e.g. `60r/m` means the maximum number of requests per minute is 60.
+* `duration`: indicates the IP band oh after exceeding the limit of the first parameter `rate`, such as `60s`, `60m`, `60h` and `60d`, if not specified, the default is `1h`.
+* `buffer_size`: Used to set the size of the memory for recording IP accesses, such as `20m`, `2048k`, must not be less than `20m`, if not specified, the default is `20m`.
+
+
+:::
+
+
+
 ## `waf_cache`
 
-* syntax: `waf_cache <capacity> [interval] [percent];`
+* syntax: waf_cache \<capacity=*n*\> \[interval=*1h*\] \[percent=*50*\]
 * default: ——
 * context: server
 
-Set parameters related to caching rule inspection results.
+Set the parameters related to cache rule inspection results.
 
-* `capacity`: For some inspections with the caching mechanism enabled, the maximum number of inspection results for each inspection target is cached.
-* `interval`: Used to set the period of batch cache cleaning in minutes. If not specified, the default is `60`, which is 60 minutes.
-* `percent`: what percentage of the cache will be eliminated each time the cache is eliminated in bulk. You need to specify an integer greater than 0 and less than or equal to 100. A setting of 50 means that half of the cache is eliminated. If not specified, the default is `50`.
+* `capacity`: for some inspection items with caching mechanism enabled, the maximum number of inspection results per inspection item to be cached for each inspection target.
+* `interval`: set the period of the batch cull cache in minutes, such as `60s`, `60m`, `60h` and `60d`, or `1h` if not specified. If not specified, the default is `1h`, which is one hour.
+* `percent`: what percentage of the cache is eliminated each time the batch eliminates the cache. Specify an integer greater than 0 and less than or equal to 100. A setting of 50 means that half of the cache is eliminated. If not specified, the default is `50`.
+
+
+::: warning WARNING
+
+This configuration is a new feature in the development version, 
+and can only be used in the development version, 
+and will be merged into the stable version when it is stable.
+
+:::
 
 
 ::: tip Cache-enabled inspections
@@ -131,11 +157,35 @@ So please set it reasonably according to your actual needs.
 :::
 
 
-::: warning WARNING
+## `waf_priority`
 
-This configuration is a new feature in the development version, 
-and can only be used in the development version, 
-and will be merged into the stable version when it is stable.
+* syntax: waf_priority "*str*"
+* default: waf_priority "W-IP B-IP CC W-URL URL ARGS UA W-REFERER REFERER COOKIE"
+* context: server
+
+Set the priority of each inspection process, except for POST detection, which always has the lowest priority.
+
+* `W-IP`: IP whitelist inspection
+* `IP`: IP Blacklist inspection
+* `CC`: CC protection
+* `W-URL`: URL whitelist inspection
+* `URL`: URL blacklist inspection
+* `ARGS`: URL parameter (query string) blacklist inspection
+* `UA`: User-Agent blacklist inspection
+* `W-REFERER`: Referer whitelist inspection
+* `REFERER`: Referer blacklist inspection
+* `COOKIE`: Cookie blacklist inspection
+
+
+::: warning warning
+
+This configuration is a new feature in the development version, and can only be used in the development version, and will be merged into the stable version when it is stable.
+
+:::
+
+::: warning warning
+
+`str` must be wrapped in single or double quotes, and `str` must contain all of the inspection process.
 
 :::
 

docs/guide/configuration.md

@@ -21,20 +21,24 @@ http {
         ...
         # on means enabled, off means disabled.
         waf on;
+
         # The absolute path to the directory where the rule file is located, must end with /.
         waf_rule_path /usr/local/src/ngx_waf/rules/;
+
         # Firewall working mode, STD indicates standard mode.
         waf_mode STD;
-        # CC protection parameter, 1000 maximum number of requests per minute, 
-        # 60 means the corresponding ip is blocked for 60 minutes after exceeding the limit.
-        waf_cc_deny_limit 1000 60;
+
+        # CC defense parameter, 1000 requests per minute limit, 
+        # block the corresponding ip for 60 minutes after exceeding the limit.
+        waf_cc_deny rate=1000r/m duration=60m;
+
 
         # The following directives are for the development version only.
 
-        # Cache the results of up to as many inspection targets as possible, 
-        # effective for all inspections 
-        # except IP black and white list inspection, CC protection and POST inspection.
-        waf_cache 60;
+        # Cache detection results for up to 50 detection targets, 
+        # effective for all detections 
+        # except IP black and white list detection, CC protection and POST detection.
+        waf_cache capacity=50;
         ...
     }
     ...

docs/guide/overview.md

@@ -22,7 +22,7 @@ When the number of worker processes in nginx is greater than one, the current st
 * Block the specified request body.
 * Exceptional allow on specific URL.
 * Block the specified URL.
-* Block the specified request args.
+* Block the specified query string.
 * Block the specified UserAgent.
 * Block the specified Cookie.
 * Exceptional allow on specific Referer.

docs/zh-cn/advance/changes.md

@@ -7,21 +7,30 @@ lang: zh-CN
 
 ## [未发布]
 
+### **警告**
+
+**此版本包含不兼容的更新（breaking changes）。**
+
 ### 新增
 
 * 新增了模式 `CACHE`，启用此模式后会缓存每次检查的结果，提高性能。
-* 新增了配置项 `waf_cache` 用于设置缓存相关的参数。
+* 新增了配置 `waf_cache` 用于设置缓存相关的参数。
+* 新增了配置 `waf_cc_deny`，用于设置 CC 防护相关的参数。
+* 新增了配置 `waf_priority`，用来设置除了 POST 检查以外所有的检查项目的优先级。
 
 ### 移除
 
+* 废弃了配置 `waf_cc_deny_limit`，使用新的配置 `waf_cc_deny` 替代。
+
 ### 变动
 
-* 互换了 CC 防护和 IP 白名单检查的优先级。
+* 互换了 CC 防护和 IP 白名单检查的默认优先级。
 
 ### 修复
 
 * 修复了当 worker 进程数量大于一时的段错误。
 
+
 ***
 
 ## [4.0.0] - 2021-03-22 GMT+0800

docs/zh-cn/advance/priority.md

@@ -21,8 +21,15 @@ lang: zh-CN
 10. Cookie 黑名单检测
 11. Post 请求体黑名单
 
+
+::: tip 修改优先级
+
+您可以通过配置文件修改优先级，但是 POST 请求体检测的优先级不允许修改，它的优先级永远是最低的。详见 [waf_priority](syntax.md#waf-priority)。
+
+:::
+
 ::: tip 开发版中的变动
 
-互换了 CC 防护和 IP 白名单检测的优先级。
+互换了 CC 防护和 IP 白名单检测的默认优先级。
 
 :::