jxwaf's People

Contributors: jiongrizi, jx-sec, thankfly, vinsonzou


jxwaf's Issues

Could you consider providing an offline version of the rules?

I have recently been evaluating open-source WAFs for the company's intranet web systems (the intranet does not allow outbound connections), with the plan of building on an open-source WAF. I have been studying jxwaf for some time; it matches our requirements well and is feature-rich, and I know others have raised similar issues before. I still hope the author can consider providing an offline version of the rules to meet the needs of small and medium-sized companies running isolated internal networks. Frankly, the reason for choosing an open-source WAF over a commercial one in the first place is precisely the isolated network segment.

Node cannot connect

The node cannot connect to the control panel; the following error appears:
failed to request: update2.jxwaf.com could not be resolved (110: Operation timed out), context: ngx.timer
The server is located in the US; ping and curl both work fine.

Error when installing with sh install_waf.sh

After running the installer it shows:
[100%] Built target video_frame_producer_sample
nginx: the configuration file /opt/jxwaf/nginx/conf/nginx.conf syntax is ok
nginx: [error] [lua] waf.lua:323: init(): init geoip success
nginx: configuration file /opt/jxwaf/nginx/conf/nginx.conf test is successful
Starting openresty reports an error:
[root@localhost jxwaf]# /opt/jxwaf/nginx/sbin/nginx
nginx: [error] [lua] waf.lua:323: init(): init geoip success

Cannot install on Ubuntu

It reports the following errors, and I don't know how to resolve them:
make[2]: 离开目录“/home/axin/下载/jxwaf-master/libmaxminddb-1.3.2”
make[1]: 离开目录“/home/axin/下载/jxwaf-master/libmaxminddb-1.3.2”
cp: 无法创建普通文件'/opt/jxwaf/lualib/libmaxminddb.so': 没有那个文件或目录
install_waf.sh: 25: install_waf.sh: cmake: not found
make: *** 没有指明目标并且找不到 makefile。 停止。
cp: 无法获取'build/lib/liblog_c_sdk.so.2.0.0' 的文件状态(stat): 没有那个文件或目录
install_waf.sh: 28: install_waf.sh: /opt/jxwaf/nginx/sbin/nginx: not found

Installation fails on CentOS 7

Hmm, installation fails on CentOS 7. At first various dependency files were missing, and installing them fixed that, but I don't know how to resolve the error that comes next:

cp: 无法创建普通文件"/opt/jxwaf/lualib/libmaxminddb.so": 没有那个文件或目录
CMake Error: The following variables are used in this project, but they are set to NOTFOUND.
Please set them or make sure they are set and tested correctly in the CMake files:
CRYPTO_LIBRARY
linked by target "log_post_logs_sample" in directory /tmp/jxwaf/aliyun-log-c-sdk-lite/sample
linked by target "log_producer_benchmark" in directory /tmp/jxwaf/aliyun-log-c-sdk-lite/sample
linked by target "log_producer_sample" in directory /tmp/jxwaf/aliyun-log-c-sdk-lite/sample
linked by target "video_frame_producer_sample" in directory /tmp/jxwaf/aliyun-log-c-sdk-lite/sample
SSL_LIBRARY
linked by target "log_post_logs_sample" in directory /tmp/jxwaf/aliyun-log-c-sdk-lite/sample
linked by target "log_producer_benchmark" in directory /tmp/jxwaf/aliyun-log-c-sdk-lite/sample
linked by target "log_producer_sample" in directory /tmp/jxwaf/aliyun-log-c-sdk-lite/sample
linked by target "video_frame_producer_sample" in directory /tmp/jxwaf/aliyun-log-c-sdk-lite/sample
ZLIB_LIBRARY
linked by target "log_post_logs_sample" in directory /tmp/jxwaf/aliyun-log-c-sdk-lite/sample
linked by target "log_producer_benchmark" in directory /tmp/jxwaf/aliyun-log-c-sdk-lite/sample
linked by target "log_producer_sample" in directory /tmp/jxwaf/aliyun-log-c-sdk-lite/sample
linked by target "video_frame_producer_sample" in directory /tmp/jxwaf/aliyun-log-c-sdk-lite/sample

-- Configuring incomplete, errors occurred!
See also "/tmp/jxwaf/aliyun-log-c-sdk-lite/CMakeFiles/CMakeOutput.log".
make: *** 没有指明目标并且找不到 makefile。 停止。
cp: 无法获取"build/lib/liblog_c_sdk.so.2.0.0" 的文件状态(stat): 没有那个文件或目录
install_waf.sh:行28: /opt/jxwaf/nginx/sbin/nginx: 没有那个文件或目录

How to fill in the public/private key when the protocol type in the domain configuration is https

When the protocol type in the domain configuration is set to https, how should the public and private keys be filled in? After configuring it, it had no effect; the backend log shows the following errors:
2021/09/01 19:25:02 [error] 4456#0: 10248423 [lua] ssl.lua:37: failed to convert certificate chain from PEM to DER: PEM_read_bio_X509_AUX() failed,server_name is www.xx.link, context: ssl_certificate_by_lua, client: xxx, server: 0.0.0.0:443
2021/09/01 19:25:02 [crit] 4456#0: *10248422 SSL_do_handshake() failed (SSL: error:1408A179:SSL routines:ssl3_get_client_hello:cert cb error) while SSL handshaking, client: xxx, server: 0.0.0.0:443

Problem at the last step of installing the WAF

[root@shiyan tools]# python jxwaf_local_init.py --api_key=3022fcbf-0748-41e0-930f-a00ca9dcf676 --api_password=79131799-b4b9-4b8b-a11a-fa0f3f1fb105 --waf_server=http://192.168.253.100
config file: /opt/jxwaf/nginx/conf/jxwaf/jxwaf_config.json
config result:
init success,access_id is 3022fcbf-0748-41e0-930f-a00ca9dcf676,access_secret is 79131799-b4b9-4b8b-a11a-fa0f3f1fb105
auth result:
try to connect jxwaf server auth api_key and api_password,result is False

zlib.so or libz.so?

Compiling lua-zlib-1.2.tar.gz yields zlib.so, but ffi-zlib.lua uses local zlib = ffi.load(ffi.os == "Windows" and "zlib1" or "z"), so you must actually be depending on /usr/lib64/libz.so, right? A global grep finds no Lua code loading zlib.so, so this thing is useless, isn't it?

Question about the "CC protection-specific human/bot identification algorithm" feature

"The self-developed blockchain human/bot identification algorithm is suited to defending against slow-request attacks from massive numbers of IPs and rapidly identifying malicious traffic. Compared with other human/bot identification algorithms (sliders, click recognition, etc.) it offers high concurrency, low resource usage and strong resistance to evasion, and has so far withstood a 300,000 qps CC attack in production."

Could you briefly explain how the "blockchain human/bot identification algorithm" mentioned in the documentation works? Could you provide the related literature?

Error in the 10-01 version

2020/10/09 17:34:22 [notice] 18055#0: signal process started
2020/10/09 17:34:23 [alert] 14209#0: [lua] waf.lua:647: init(): jxwaf init success,waf node uuid is 27a8bcca-5c60-424a-9e25-682264c6ac14
2020/10/09 17:34:23 [alert] 18058#0: *2106 [lua] waf.lua:401: monitor report success, context: ngx.timer
2020/10/09 17:34:23 [error] 18058#0: *2108 lua entry thread aborted: runtime error: /opt/jxwaf/lualib/resty/jxwaf/waf.lua:452: attempt to call a nil value
stack traceback:
coroutine 0:
	/opt/jxwaf/lualib/resty/jxwaf/waf.lua: in function </opt/jxwaf/lualib/resty/jxwaf/waf.lua:406>, context: ngx.timer

When will the user documentation be updated?

I saw the phishing-site implementation chenjc posted on FreeBuf and wanted to try jxwaf myself, but found that some details were not covered in the article. Hope to see user documentation soon.

Add array parsing for request arguments

JSON:

local function _process_json_args(json_args, t)
    local t = t or {}
    local i = 0
    for k, v in pairs(json_args) do
        if type(v) == 'table' then
            for _k, _v in pairs(v) do
                if type(_v) == "table" then
                    t = _process_json_args(_v, t)
                else
                    if type(t[k]) == "table" then
                        table.insert(t[k], _v)
                    elseif type(t[k]) == "string" then
                        local tmp = {}
                        table.insert(tmp, t[k .. "_" .. _k])
                        table.insert(tmp, _v)
                        t[k .. "_" .. _k] = tmp
                    else
                        t[k] = _v
                    end
                end
            end
        else
            if type(t[k]) == "table" then
                table.insert(t[k], v)
            elseif type(t[k]) == "string" then
                local tmp = {}
                table.insert(tmp, t[k .. "_" .. i])
                table.insert(tmp, v)
                t[k .. "_" .. i] = tmp
                i = i + 1
            else
                t[k] = v
            end
        end
    end
    return t
end

GET arrays:

local function _parse_request_uri()
    local t = ngx.req.get_uri_args()
    local _t = {}

    for k, v in pairs(t) do
        if type(v) == "table" then
            -- repeated argument (?a=1&a=2): expose each value under its own key
            for _key, _value in pairs(v) do
                _t[k .. "-" .. _key] = _value
            end
        else
            _t[k] = v
        end
    end
    ngx.req.set_uri_args(t)
    ngx.ctx.parse_request_uri = _t
    return _t
end

POST body (plain):

local function _parse_request_body()

    local content_type = ngx.req.get_headers()["Content-type"]
    if (type(content_type) == "table") then
        local error_info = {}
        error_info['headers'] = ngx.ctx.request_get_headers or _get_headers()
        error_info['log_type'] = "error_log"
        error_info['error_type'] = "parse_request_body"
        error_info['error_info'] = "Request contained multiple content-type headers"
        error_info['remote_addr'] = ngx.var.remote_addr
        ngx.ctx.error_log = error_info
        ngx.log(ngx.ERR, "Request contained multiple content-type headers")
        exit_code.return_exit()
    end

    if ngx.ctx.upload_request then
        ngx.ctx.parse_request_body = {}
        return {}
    end

    if ngx.req.get_body_file() then
        local error_info = {}
        error_info['headers'] = ngx.ctx.request_get_headers or _get_headers()
        error_info['log_type'] = "error_log"
        error_info['error_type'] = "parse_request_body"
        error_info['error_info'] = "request body size larger than client_body_buffer_size, refuse request "
        error_info['remote_addr'] = ngx.var.remote_addr
        ngx.ctx.error_log = error_info
        ngx.log(ngx.ERR, "request body size larger than client_body_buffer_size, refuse request ")
        exit_code.return_error()
    end

    if content_type and ngx.re.find(content_type, [=[^application/json;]=], "oij")
        and ngx.req.get_headers()["Content-Length"]
        and tonumber(ngx.req.get_headers()["Content-Length"]) ~= 0 then

        local json_args_raw = ngx.req.get_body_data()
        if not json_args_raw then
            ngx.ctx.parse_request_body = {}
            return {}
        end

        local json_args, err = cjson.decode(json_args_raw)

        if json_args == nil then
            local error_info = {}
            error_info['headers'] = ngx.ctx.request_get_headers or _get_headers()
            error_info['log_type'] = "error_log"
            error_info['error_type'] = "parse_request_body"
            error_info['error_info'] = "failed to decode json args :" .. err
            error_info['remote_addr'] = ngx.var.remote_addr
            ngx.ctx.error_log = error_info
            ngx.log(ngx.ERR, "failed to decode json args :", err)
            exit_code.return_error()
        end
        local t = _process_json_args(json_args)
        ngx.ctx.parse_request_body = t
        return t
    end

    local post_args, err = ngx.req.get_post_args(210)
    if not post_args then
        local error_info = {}
        error_info['headers'] = ngx.ctx.request_get_headers or _get_headers()
        error_info['log_type'] = "error_log"
        error_info['error_type'] = "parse_request_body"
        error_info['error_info'] = "failed to get post args: " .. err
        error_info['remote_addr'] = ngx.var.remote_addr
        ngx.ctx.error_log = error_info
        ngx.log(ngx.ERR, "failed to get post args: ", err)
        exit_code.return_error()
    end
    if #_table_keys(post_args) > 200 then
        local error_info = {}
        error_info['headers'] = ngx.ctx.request_get_headers or _get_headers()
        error_info['log_type'] = "error_log"
        error_info['error_type'] = "parse_request_body"
        error_info['error_info'] = "post args count error,is attack!"
        error_info['remote_addr'] = ngx.var.remote_addr
        ngx.ctx.error_log = error_info
        ngx.log(ngx.ERR, "post args count error,is attack!")
        exit_code.return_error()
    end

    -- a body without a JSON content type may still be JSON: try to decode it,
    -- guarding against an empty body (get_body_data() returns nil) and against
    -- a body that decodes to a bare scalar, which pairs() cannot iterate
    local body_data = ngx.req.get_body_data()
    local json_check = body_data and cjson.decode(body_data)
    if type(json_check) == "table" then
        local _tmp = _process_json_args(json_check)
        ngx.ctx.parse_request_body = _tmp
        return _tmp
    end

    -- form-encoded body: repeated fields (a=1&a=2) arrive as tables and are
    -- exposed as a_1, a_2 so each value can be matched by the rules
    local _t = {}
    for _k, _v in pairs(post_args) do
        if type(_v) == "table" then
            for _key, _value in pairs(_v) do
                _t[_k .. "_" .. _key] = _value
            end
        else
            _t[_k] = _v
        end
    end

    ngx.ctx.parse_request_body = _t
    return _t
end

Notification page issue

Is there no notification page when an attack is blocked? In my test it simply returned the web server's default page.

Integrating jxlog with jxwaf

The official documentation does not cover how to integrate jxlog with jxwaf. How is this step done?
Also, is there a community?

When uploading files, the nginx log reports: attempt to call local '_file_content_disposition' (a table value)

When uploading a file, the nginx log reports:
2023/05/15 18:20:55 [error] 21691#0: *122 [lua] access.lua:5: /opt/jxwaf/lualib/resty/jxwaf/waf.lua:750: attempt to call local '_file_content_disposition' (a table value)

Fix:
Change line 750 of /opt/jxwaf/lualib/resty/jxwaf/waf.lua from
ngx.ctx.file_content_disposition = table.concat(_file_content_disposition" ")
to:
ngx.ctx.file_content_disposition = table.concat(_file_content_disposition," ")

Deployment

Can it be deployed from an image? Setting up the environment is killing me.

Custom rule management issue

Is there a place to manage custom rules globally? From what I have seen of the backend, custom rules can apparently only be configured for a specified site.
If a new site is added and should reuse another site's rules, how should that be done?

Question about the rule update mode

$ /opt/jxwaf/nginx/sbin/nginx starts openresty; on startup or reload, openresty automatically pulls the latest rules the user has configured from the jxwaf management center
->
There is a problem here: having to reload the configuration every time the rules are updated is not very friendly, is it? And in a real production environment a reload is not recommended anyway. Could this be made dynamic, pulling and applying updates automatically via crontab without a reload?

centos 8 test

When I try to install on CentOS 8:

When I run #sudo sh install.sh
error:
No match for argument: python-devel
No match for argument: phtyon-pip

When I run # pip3 install -r requirements.txt
error:
python setup.py egg-info failed with error code 1 in /tmp/pip-build-529e745d/mysqlclient

Can you advise how to resolve it?

Thank you.

Is there an offline mode?

$ /opt/jxwaf/nginx/sbin/nginx starts openresty; on startup or reload, openresty automatically pulls the latest rules the user has configured from the jxwaf management center
Leaving aside whether the server is even allowed to make outbound connections, this is essentially a backdoor, isn't it? I suggest opening up local rule management and providing an offline version. I hope you will adopt this, thanks.

Repeated function execution issue

Hello, I looked at your code. The _rule_match function iterates over rules and executes
_process_request and _process_transform; _process_request is called on every iteration, and inside _process_transform the functions in rule_transform may run repeatedly, for example uriDecode. Won't this affect performance?

Add log desensitization (data masking) feature

local cjson = require "cjson.safe"

-- Mask the values of the parameters listed in dv inside a form-encoded body
-- (key=value&key2=value2). Returns the original string if it cannot be parsed.
local function split(str, dv)

    local resultStrList = {}

    local ok, e = pcall(function()
        string.gsub(str, '[^&]+', function(w)
            table.insert(resultStrList, w)
        end)
    end)

    if not ok then
        return str
    end

    -- split each "key=value" pair into rs[key] = value
    local rs = {}
    for _k, _v in pairs(resultStrList) do
        local i
        string.gsub(_v, '[^=]+', function(w)
            if i == nil then
                rs[w] = nil
            else
                rs[i] = w
            end
            i = w
        end)
    end

    local r = {}
    for _key, _value in pairs(rs) do
        for _, _d in pairs(dv) do
            if _key == _d then
                _value = "****"
            end
            r[_key] = _value
        end
    end

    local _t = ""
    for _k, _v in pairs(r) do
        _t = _t .. _k .. "=" .. _v .. "&"
    end
    if _t == "" then
        return str
    end
    return _t
end

-- Serialize a Lua value into a JSON-like string for the log line.
local function serialize(obj)
    local lua = ""
    local t = type(obj)
    if t == "number" then
        lua = lua .. obj
    elseif t == "boolean" then
        lua = lua .. tostring(obj)
    elseif t == "string" then
        lua = lua .. string.format("%q", obj)
    elseif t == "table" then
        lua = lua .. "{"
        for k, v in pairs(obj) do
            lua = lua .. serialize(k) .. ":" .. serialize(v) .. ","
        end
        local metatable = getmetatable(obj)
        if metatable ~= nil and type(metatable.__index) == "table" then
            for k, v in pairs(metatable.__index) do
                lua = lua .. serialize(k) .. ":" .. serialize(v) .. ","
            end
        end
        lua = lua .. "}"
    elseif t == "nil" then
        return nil
    else
        error("can not serialize a " .. t .. " type.")
    end
    return lua
end

-- Recursively mask the keys listed in dv inside a nested table (modified in place).
local function decodetable(t, dv)
    local _t = t or {}
    for _k, _v in pairs(_t) do
        for _key, _value in pairs(dv) do
            if _value == _k then
                _v = "***"
            end
        end
        if type(_v) ~= "table" then
            _t[_k] = _v
        else
            decodetable(_v, dv)
        end
    end
    -- return after the whole table has been walked, not after the first key
    return _t
end

-- Entry point: body is the raw POST body; returns it with the dv parameters masked.
local function desensitization(body)
    local dv = { "password", "order_id" }
    local rs = {}
    local json_body, err = cjson.decode(body)

    -- a bare scalar (e.g. the body "123") also decodes successfully but has no keys
    if type(json_body) == "table" then
        for _k, _v in pairs(json_body) do
            for _, value in pairs(dv) do
                if value == _k then
                    _v = "***"
                elseif type(_v) == 'table' then
                    decodetable(_v, dv)   -- masks nested keys in place
                end
                rs[_k] = _v
            end
        end
        return serialize(rs)
    else
        return split(body, dv)
    end
end

This script targets the POST body; local dv lists the parameters to be masked.
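Both the array-parsing proposal above and this masking script walk a decoded JSON body. As an added example that is not jxwaf's code or either issue author's, the following plain Lua (no ngx dependency) shows the two operations side by side: flattening every nested value into a path key so the rules can match it, and masking denylisted keys on a copy so the log never carries the secret while the rules still see the real value. MAX_DEPTH, MAX_LEAVES and the sample body are assumptions constructed here.

```lua
-- Added example, not jxwaf code. Assumed limits chosen here to bound hostile input:
local MAX_DEPTH, MAX_LEAVES = 8, 200

-- Flatten a decoded JSON body into path keys so every nested value is visible to
-- rule matching: {a={b={"x","y"}}} -> {a_b_1="x", a_b_2="y"}.
-- Returns nil, err when nesting depth or leaf count exceeds the limits.
local function flatten(node, prefix, out, depth, count)
    out, depth, count = out or {}, depth or 0, count or { n = 0 }
    if depth > MAX_DEPTH then
        return nil, "json nested deeper than " .. MAX_DEPTH
    end
    for k, v in pairs(node) do
        local key = prefix and (prefix .. "_" .. tostring(k)) or tostring(k)
        if type(v) == "table" then
            local ok, err = flatten(v, key, out, depth + 1, count)
            if not ok then return nil, err end
        else
            count.n = count.n + 1
            if count.n > MAX_LEAVES then
                return nil, "more than " .. MAX_LEAVES .. " json values"
            end
            out[key] = v
        end
    end
    return out
end

-- Return a deep copy with the values of denylisted keys replaced by "***" at any
-- depth; the original stays intact so masking the log cannot blind the rules.
local function mask(node, deny)
    local copy = {}
    for k, v in pairs(node) do
        if deny[k] then
            copy[k] = "***"
        elseif type(v) == "table" then
            copy[k] = mask(v, deny)
        else
            copy[k] = v
        end
    end
    return copy
end

-- Constructed sample: the table cjson.decode would return for
-- {"user":"bob","password":"s3cret","items":[{"id":7,"note":"<script>"},{"id":8}]}
local body = { user = "bob", password = "s3cret",
               items = { { id = 7, note = "<script>" }, { id = 8 } } }
local flat = assert(flatten(body))
assert(flat["items_1_note"] == "<script>" and flat["items_2_id"] == 8)
local logged = mask(body, { password = true, order_id = true })
assert(logged.password == "***" and body.password == "s3cret")
-- a chain nested one level past MAX_DEPTH is rejected instead of recursed into
local deep = {}; local cur = deep
for _ = 1, MAX_DEPTH + 1 do cur.x = {}; cur = cur.x end
assert(flatten(deep) == nil)
```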

Question

Hello, your description says "the built-in semantic analysis engine combined with the machine learning engine avoids the slowdown caused by stacking too many rules in traditional WAFs". Could you briefly describe the implementation architecture of this logic and where the specific code is located?
Much appreciated...

Directory traversal vulnerability not detected (false negative)

Tested with AWVS; payload: /index.php?PathToDocument=documentation/how-to-access-Mutillidae-over-Virtual-Box-network.php&page=/etc/passwd
