feat: add waf support

WGrape · Feb 21, 2023 · eb8908b · eb8908b
1 parent 6358f9a
commit eb8908b
Show file tree

Hide file tree

Showing 8 changed files with 132 additions and 61 deletions.
diff --git a/conf/vhosts/vhosts.conf b/conf/vhosts/vhosts.conf
@@ -16,7 +16,10 @@ server {
         #    loadfile('/dist/ngxway/limiter/limit_traffic.lua')()
         #    loadfile('/dist/ngxway/auth/check_sign.lua')()
         # }
-        access_by_lua_file "/dist/ngxway/auth/check_sign.lua"; # access_by_lua_file can only load one lua file
+        access_by_lua_block {
+            loadfile('/dist/ngxway/waf/waf.lua')()
+            loadfile('/dist/ngxway/auth/check_sign.lua')()
+        }
 
         # 启用缓存
         proxy_cache my_cache;

diff --git a/conf/waf/cookie.conf b/conf/waf/cookie.conf
@@ -0,0 +1,20 @@
+\.\./
+\:\$
+\$\{
+select.+(from|limit)
+(?:(union(.*?)select))
+having|rongjitest
+sleep\((\s*)(\d*)(\s*)\)
+benchmark\((.*)\,(.*)\)
+base64_decode\(
+(?:from\W+information_schema\W)
+(?:(?:current_)user|database|schema|connection_id)\s*\(
+(?:etc\/\W*passwd)
+into(\s+)+(?:dump|out)file\s*
+group\s+by.+\(
+xwork.MethodAccessor
+(?:define|eval|file_get_contents|include|require|require_once|shell_exec|phpinfo|system|passthru|preg_\w+|execute|echo|print|print_r|var_dump|(fp)open|alert|showmodaldialog)\(
+xwork\.MethodAccessor
+(gopher|doc|php|glob|file|phar|zlib|ftp|ldap|dict|ogg|data)\:\/
+java\.lang
+\$_(GET|post|cookie|files|session|env|phplib|GLOBALS|SERVER)\[
diff --git a/conf/waf/post.conf b/conf/waf/post.conf
@@ -0,0 +1,20 @@
+\.\./
+select.+(from|limit)
+(?:(union(.*?)select))
+having|rongjitest
+sleep\((\s*)(\d*)(\s*)\)
+benchmark\((.*)\,(.*)\)
+base64_decode\(
+(?:from\W+information_schema\W)
+(?:(?:current_)user|database|schema|connection_id)\s*\(
+(?:etc\/\W*passwd)
+into(\s+)+(?:dump|out)file\s*
+group\s+by.+\(
+xwork.MethodAccessor
+(?:define|eval|file_get_contents|include|require|require_once|shell_exec|phpinfo|system|passthru|preg_\w+|execute|echo|print|print_r|var_dump|(fp)open|alert|showmodaldialog)\(
+xwork\.MethodAccessor
+(gopher|doc|php|glob|file|phar|zlib|ftp|ldap|dict|ogg|data)\:\/
+java\.lang
+\$_(GET|post|cookie|files|session|env|phplib|GLOBALS|SERVER)\[
+\<(iframe|script|body|img|layer|div|meta|style|base|object|input)
+(onmouseover|onerror|onload)\=
diff --git a/conf/waf/url.conf b/conf/waf/url.conf
@@ -0,0 +1,6 @@
+\.(svn|htaccess|bash_history)
+\.(bak|inc|old|mdb|sql|backup|java|class)$
+(vhost|bbs|host|wwwroot|www|site|root|hytop|flashfxp).*\.rar
+(phpmyadmin|jmx-console|jmxinvokerservlet)
+java\.lang
+/(attachments|upimg|images|css|uploadfiles|html|uploads|templets|static|template|data|inc|forumdata|upload|includes|cache|avatar)/(\\w+).(php|jsp)
diff --git a/conf/waf/useragent.conf b/conf/waf/useragent.conf
diff --git a/conf/waf/waf.conf b/conf/waf/waf.conf
@@ -1,59 +1,4 @@
-post_rule {
-  \.\./
-  select.+(from|limit)
-  (?:(union(.*?)select))
-  having|rongjitest
-  sleep\((\s*)(\d*)(\s*)\)
-  benchmark\((.*)\,(.*)\)
-  base64_decode\(
-  (?:from\W+information_schema\W)
-  (?:(?:current_)user|database|schema|connection_id)\s*\(
-  (?:etc\/\W*passwd)
-  into(\s+)+(?:dump|out)file\s*
-  group\s+by.+\(
-  xwork.MethodAccessor
-  (?:define|eval|file_get_contents|include|require|require_once|shell_exec|phpinfo|system|passthru|preg_\w+|execute|echo|print|print_r|var_dump|(fp)open|alert|showmodaldialog)\(
-  xwork\.MethodAccessor
-  (gopher|doc|php|glob|file|phar|zlib|ftp|ldap|dict|ogg|data)\:\/
-  java\.lang
-  \$_(GET|post|cookie|files|session|env|phplib|GLOBALS|SERVER)\[
-  \<(iframe|script|body|img|layer|div|meta|style|base|object|input)
-  (onmouseover|onerror|onload)\=
-}
-
-url_rule {
-  \.(svn|htaccess|bash_history)
-  \.(bak|inc|old|mdb|sql|backup|java|class)$
-  (vhost|bbs|host|wwwroot|www|site|root|hytop|flashfxp).*\.rar
-  (phpmyadmin|jmx-console|jmxinvokerservlet)
-  java\.lang
-  /(attachments|upimg|images|css|uploadfiles|html|uploads|templets|static|template|data|inc|forumdata|upload|includes|cache|avatar)/(\\w+).(php|jsp)
-}
-
-cookie_rule {
-  \.\./
-  \:\$
-  \$\{
-  select.+(from|limit)
-  (?:(union(.*?)select))
-  having|rongjitest
-  sleep\((\s*)(\d*)(\s*)\)
-  benchmark\((.*)\,(.*)\)
-  base64_decode\(
-  (?:from\W+information_schema\W)
-  (?:(?:current_)user|database|schema|connection_id)\s*\(
-  (?:etc\/\W*passwd)
-  into(\s+)+(?:dump|out)file\s*
-  group\s+by.+\(
-  xwork.MethodAccessor
-  (?:define|eval|file_get_contents|include|require|require_once|shell_exec|phpinfo|system|passthru|preg_\w+|execute|echo|print|print_r|var_dump|(fp)open|alert|showmodaldialog)\(
-  xwork\.MethodAccessor
-  (gopher|doc|php|glob|file|phar|zlib|ftp|ldap|dict|ogg|data)\:\/
-  java\.lang
-  \$_(GET|post|cookie|files|session|env|phplib|GLOBALS|SERVER)\[
-
-}
-
-useragent_rule {
-
-}
+waf_check_cookie=on
+waf_check_post=on
+waf_check_url=on
+waf_check_useragent=on
diff --git a/ngxway/common.lua b/ngxway/common.lua
@@ -1,4 +1,4 @@
-module = {}
+local module = {}
 
 -- Check the timestamp is valid.
 -- The params passed by the user.
@@ -38,4 +38,74 @@ function module:check_timestamp(now_timestamp, timestamp_number)
   return now_timestamp - timestamp_number < 3600
 end
 
+-- Provide the split function.
+function module:split(str, sep)
+  local result = {}
+  for token in string.gmatch(str, "([^" .. sep .. "]+)") do
+    table.insert(result, token)
+  end
+  return result
+end
+
+-- Read the rules of waf.
+function module:read_waf_rule(name)
+  local path = "/dist/conf/waf/" .. name .. ".conf"
+  local file = io.open(path, "r")
+  if file == nil then
+    return
+  end
+
+  local t = {}
+  for line in file:lines() do
+    table.insert(t, line)
+  end
+
+  file:close()
+  return t
+end
+
+-- Read the options of waf.
+function module:read_waf_option(key)
+  local path = "/dist/conf/waf/waf.conf"
+  local file = io.open(path, "r")
+  if file == nil then
+    return
+  end
+
+  for line in file:lines() do
+    local result = module:split(line, "=")
+    if result[1] == key then
+      return result[2]
+    end
+  end
+
+  file:close()
+  return ""
+end
+
+-- Check the url of waf.
+function module:waf_check_url(uri)
+  if module.waf_url_option ~= "on" then
+    return true
+  end
+
+  local ngx_match = ngx.re.match
+  for _, rule in pairs(module.waf_url_rule) do
+    if rule ~= "" and ngx_match(uri, rule, "isjo") then
+      return false
+    end
+  end
+  return true
+end
+
+module.waf_cookie_rule = module:read_waf_rule("cookie")
+module.waf_post_rule = module:read_waf_rule("post")
+module.waf_url_rule = module:read_waf_rule("url")
+module.waf_useragent_rule = module:read_waf_rule("useragent")
+
+module.waf_cookie_option = module:read_waf_option("waf_check_cookie")
+module.waf_post_option = module:read_waf_option("waf_check_post")
+module.waf_url_option = module:read_waf_option("waf_check_url")
+module.waf_useragent_option = module:read_waf_option("waf_check_useragent")
+
 return module
diff --git a/ngxway/waf/waf.lua b/ngxway/waf/waf.lua
@@ -0,0 +1,7 @@
+local method = ngx.req.get_method()
+local uri = ngx.var.uri
+local common_module = require("common_module")
+
+if common_module:waf_check_url(uri) == false then
+  return ngx.say('{"dm_error":4032,"error_msg":"waf check url failed"}')
+end