Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

修复bug,新增CC攻击Token校验 #19

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

修复bug,新增CC攻击Token校验 #19

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
15 changes: 15 additions & 0 deletions README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -133,3 +133,18 @@ HelloWorld
[root@openstack-compute-node5 ~]# /usr/local/openresty/nginx/sbin/nginx –t
[root@openstack-compute-node5 ~]# /usr/local/openresty/nginx/sbin/nginx
</pre>

###2019-02-02提交

<pre>
###1.修复post验证错误日志报出bad argument #1 to 'pairs' (table expected, got nil)和no request body found; maybe you should turn on lua_need_request_body?的bug
###2.新增CC攻击防御使用Redis做Token校验;
###3.新增访问时返回一个Cookie作为Token的值,默认为每一个uri,用Token的值做访问次数的校验,修改redis配置在init.lua文件中

修改Redis配置:
local RedisIP = '127.0.0.1'
local RedisPORT = 6379
local blackseconds = 7200
修改uri:
(string.find(uri,'/.*'))
</pre>
78 changes: 62 additions & 16 deletions waf/init.lua
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -59,24 +59,69 @@ end
--deny cc attack
function cc_attack_check()
if config_cc_check == "on" then
local ATTACK_URI=ngx.var.uri
local CC_TOKEN = get_client_ip()..ATTACK_URI
local limit = ngx.shared.limit
CCcount=tonumber(string.match(config_cc_rate,'(.*)/'))
CCseconds=tonumber(string.match(config_cc_rate,'/(.*)'))
local req,_ = limit:get(CC_TOKEN)
if req then
if req > CCcount then
log_record('CC_Attack',ngx.var.request_uri,"-","-")
if config_waf_enable == "on" then
ngx.exit(403)
local get_headers = ngx.req.get_headers
local ua = ngx.var.http_user_agent
local uri = ngx.var.request_uri
local url = ngx.var.host .. uri
local redis = require 'redis'
local red = redis.new()
local RedisIP = '127.0.0.1'
local RedisPORT = 6379
local blackseconds = 7200
if ua == nil then
ua = "unknown"
end
if (string.find(uri,'/.*')) then
CCcount=tonumber(string.match(config_cc_rate,'(.*)/'))
CCseconds=tonumber(string.match(config_cc_rate,'/(.*)'))
end
red:set_timeout(100)
local ok, err = red.connect(red, RedisIP, RedisPORT)
if ok then
red.connect(red, RedisIP, RedisPORT)
function getClientIp()
IP = ngx.req.get_headers()["x_forwarded_for"]
if IP == nil then
IP = ngx.req.get_headers()["X-Real-IP"]
end
if IP == nil then
IP = ngx.var.remote_addr
end
if IP == nil then
IP = "unknown"
end
return IP
end
function getToken()
clientToken = ngx.var.cookie_Token
return clientToken
end
local token = getClientIp() .. "." .. ngx.md5(uri .. url .. ua)
if red:exists(token) == 0 then
ngx.header['Set-Cookie'] = 'Token=' .. token
red:incr(token)
red:expire(token,CCseconds)
else
limit:incr(CC_TOKEN,1)
local clientToken = getToken()
if red:exists(clientToken) == 0 then
ngx.exit(503)
end
local times = tonumber(red:get(token))
if times >= CCcount then
local blackReq = red:exists("black." .. token)
if (blackReq == 0) then
red:set("black." .. token,1)
red:expire("black." .. token,blackseconds)
red:expire(token,blackseconds)
ngx.exit(503)
else
ngx.exit(503)
end
else
red:incr(token)
end
end
else
limit:set(CC_TOKEN,1,CCseconds)
end
end
end
return false
end
Expand Down Expand Up @@ -167,7 +212,8 @@ end
function post_attack_check()
if config_post_check == "on" then
local POST_RULES = get_rule('post.rule')
for _,rule in pairs(ARGS_RULES) do
for _,rule in pairs(POST_RULES) do
ngx.req.read_body()
local POST_ARGS = ngx.req.get_post_args()
end
return true
Expand Down