jx-sec / jxwaf
JXWAF (锦衣盾) is an open-source web application firewall
Home Page: https://www.jxwaf.com/
License: GNU General Public License v2.0
How do I view the log reports? When configuring Alibaba Cloud or Tencent Cloud, what should this parameter be set to?
I have recently been evaluating open-source WAFs, planning to use one for our company's intranet web systems (the intranet does not allow outbound connections) and then do secondary development on top of it. I have been studying jxwaf for a while; it is the open-source WAF that best fits our needs and is feature-rich, and I know others have raised similar issues before. I still hope the author can consider providing an offline version of the rules to meet the needs of small and medium-sized companies' isolated internal networks. Frankly, the reason for considering an open-source WAF instead of a commercial one in the first place is the isolated intranet segment.
How do I uninstall?
As titled.
The node cannot connect to the control server; the following error appears
failed to request: update2.jxwaf.com could not be resolved (110: Operation timed out), context: ngx.timer
The server is located in the US; ping and curl both work normally.
lua_ssl_trusted_certificate /etc/pki/tls/certs/ca-bundle.crt;
lua_ssl_verify_depth 3;
Where are the username and password for the /admin/login/ admin backend configured, and what is the default?
Injection using a universal password like ' or 1=1# cannot be blocked.
After running the install, it shows
[100%] Built target video_frame_producer_sample
nginx: the configuration file /opt/jxwaf/nginx/conf/nginx.conf syntax is ok
nginx: [error] [lua] waf.lua:323: init(): init geoip success
nginx: configuration file /opt/jxwaf/nginx/conf/nginx.conf test is successful
Error when starting openresty
[root@localhost jxwaf]# /opt/jxwaf/nginx/sbin/nginx
nginx: [error] [lua] waf.lua:323: init(): init geoip success
[Feature request] Suggest opening up API calls and integrating with open-API IM bots such as WeChat and DingTalk, so attack notifications can be pushed in real time
Reason: open APIs and big data are the mainstream trend now
It reports the following errors, and I don't know how to fix them
make[2]: 离开目录“/home/axin/下载/jxwaf-master/libmaxminddb-1.3.2”
make[1]: 离开目录“/home/axin/下载/jxwaf-master/libmaxminddb-1.3.2”
cp: 无法创建普通文件'/opt/jxwaf/lualib/libmaxminddb.so': 没有那个文件或目录
install_waf.sh: 25: install_waf.sh: cmake: not found
make: *** 没有指明目标并且找不到 makefile。 停止。
cp: 无法获取'build/lib/liblog_c_sdk.so.2.0.0' 的文件状态(stat): 没有那个文件或目录
install_waf.sh: 28: install_waf.sh: /opt/jxwaf/nginx/sbin/nginx: not found
emmmm, the installation fails on centos7. At first it was missing various dependency files, and installing them fixed that, but I don't know how to fix the error reported afterwards
cp: 无法创建普通文件"/opt/jxwaf/lualib/libmaxminddb.so": 没有那个文件或目录
CMake Error: The following variables are used in this project, but they are set to NOTFOUND.
Please set them or make sure they are set and tested correctly in the CMake files:
CRYPTO_LIBRARY
linked by target "log_post_logs_sample" in directory /tmp/jxwaf/aliyun-log-c-sdk-lite/sample
linked by target "log_producer_benchmark" in directory /tmp/jxwaf/aliyun-log-c-sdk-lite/sample
linked by target "log_producer_sample" in directory /tmp/jxwaf/aliyun-log-c-sdk-lite/sample
linked by target "video_frame_producer_sample" in directory /tmp/jxwaf/aliyun-log-c-sdk-lite/sample
SSL_LIBRARY
linked by target "log_post_logs_sample" in directory /tmp/jxwaf/aliyun-log-c-sdk-lite/sample
linked by target "log_producer_benchmark" in directory /tmp/jxwaf/aliyun-log-c-sdk-lite/sample
linked by target "log_producer_sample" in directory /tmp/jxwaf/aliyun-log-c-sdk-lite/sample
linked by target "video_frame_producer_sample" in directory /tmp/jxwaf/aliyun-log-c-sdk-lite/sample
ZLIB_LIBRARY
linked by target "log_post_logs_sample" in directory /tmp/jxwaf/aliyun-log-c-sdk-lite/sample
linked by target "log_producer_benchmark" in directory /tmp/jxwaf/aliyun-log-c-sdk-lite/sample
linked by target "log_producer_sample" in directory /tmp/jxwaf/aliyun-log-c-sdk-lite/sample
linked by target "video_frame_producer_sample" in directory /tmp/jxwaf/aliyun-log-c-sdk-lite/sample
-- Configuring incomplete, errors occurred!
See also "/tmp/jxwaf/aliyun-log-c-sdk-lite/CMakeFiles/CMakeOutput.log".
make: *** 没有指明目标并且找不到 makefile。 停止。
cp: 无法获取"build/lib/liblog_c_sdk.so.2.0.0" 的文件状态(stat): 没有那个文件或目录
install_waf.sh:行28: /opt/jxwaf/nginx/sbin/nginx: 没有那个文件或目录
When choosing https as the protocol type in the domain configuration, how should the public and private keys be filled in? After configuring it there is no effect, and the backend log reports the following errors:
2021/09/01 19:25:02 [error] 4456#0: 10248423 [lua] ssl.lua:37: failed to convert certificate chain from PEM to DER: PEM_read_bio_X509_AUX() failed,server_name is www.xx.link, context: ssl_certificate_by_lua, client: xxx, server: 0.0.0.0:443
2021/09/01 19:25:02 [crit] 4456#0: *10248422 SSL_do_handshake() failed (SSL: error:1408A179:SSL routines:ssl3_get_client_hello:cert cb error) while SSL handshaking, client: xxx, server: 0.0.0.0:443
[root@shiyan tools]# python jxwaf_local_init.py --api_key=3022fcbf-0748-41e0-930f-a00ca9dcf676 --api_password=79131799-b4b9-4b8b-a11a-fa0f3f1fb105 --waf_server=http://192.168.253.100
config file: /opt/jxwaf/nginx/conf/jxwaf/jxwaf_config.json
config result:
init success,access_id is 3022fcbf-0748-41e0-930f-a00ca9dcf676,access_secret is 79131799-b4b9-4b8b-a11a-fa0f3f1fb105
auth result:
try to connect jxwaf server auth api_key and api_password,result is False
Compiling lua-zlib-1.2.tar.gz produces zlib.so, but ffi-zlib.lua uses local zlib = ffi.load(ffi.os == "Windows" and "zlib1" or "z"), so you are presumably depending on /usr/lib64/libz.so. A global grep found no Lua code loading zlib.so, so this thing isn't really useful, right?
The https://api.jxwaf.com/ API certificate has expired, so the semantic engine cannot be fetched. Please update it, thanks.
The self-developed blockchain human-machine recognition algorithm is suited to defending against slow-request attacks from massive numbers of IPs and quickly identifies malicious traffic. Compared with other human-machine recognition algorithms (sliders, click recognition, etc.) it has advantages such as high concurrency, low resource usage and strong resistance to evasion; it has so far defended against a 300,000 qps CC attack in real-world use.
Could you briefly explain how the "blockchain human-machine recognition algorithm" mentioned in the documentation works? Could you provide related literature?
Collecting requirements for the log report feature
Regarding https://github.com/starjun/openstar: is there anything in it that could help jxwaf?
2020/10/09 17:34:22 [notice] 18055#0: signal process started
2020/10/09 17:34:23 [alert] 14209#0: [lua] waf.lua:647: init(): jxwaf init success,waf node uuid is 27a8bcca-5c60-424a-9e25-682264c6ac14
2020/10/09 17:34:23 [alert] 18058#0: *2106 [lua] waf.lua:401: monitor report success, context: ngx.timer
2020/10/09 17:34:23 [error] 18058#0: *2108 lua entry thread aborted: runtime error: /opt/jxwaf/lualib/resty/jxwaf/waf.lua:452: attempt to call a nil value
stack traceback:
coroutine 0:
/opt/jxwaf/lualib/resty/jxwaf/waf.lua: in function </opt/jxwaf/lualib/resty/jxwaf/waf.lua:406>, context: ngx.timer
Integrate with Alibaba Cloud logging to provide a log service
I previously saw the phishing-website implementation that chenjc posted on freebuf and wanted to try jxwaf myself, but found that some details are not covered in the article. Hoping to see usage documentation soon.
If a server is already running nginx, how do I deploy detection on it? Hoping for a tutorial.
json
-- Flatten a decoded JSON body into a single-level table of argument values.
-- Nested objects/arrays are recursed into; repeated keys are collected into lists.
local function _process_json_args(json_args, t)
  local t = t or {}
  local i = 0
  for k, v in pairs(json_args) do
    if type(v) == 'table' then
      for _k, _v in pairs(v) do
        if type(_v) == "table" then
          -- deeper nesting: recurse, accumulating into the same table
          t = _process_json_args(_v, t)
        else
          if type(t[k]) == "table" then
            table.insert(t[k], _v)
          elseif type(t[k]) == "string" then
            -- key already holds a scalar: keep both values under key_subkey
            local tmp = {}
            table.insert(tmp, t[k])
            table.insert(tmp, _v)
            t[k .. "_" .. _k] = tmp
          else
            t[k] = _v
          end
        end
      end
    else
      if type(t[k]) == "table" then
        table.insert(t[k], v)
      elseif type(t[k]) == "string" then
        -- key already holds a scalar: keep both values under a numbered key
        local tmp = {}
        table.insert(tmp, t[k])
        table.insert(tmp, v)
        t[k .. "_" .. i] = tmp
        i = i + 1
      else
        t[k] = v
      end
    end
  end
  return t
end
GET arrays
-- Flatten repeated query-string parameters (returned by get_uri_args as a
-- Lua table) into "name-index" keys so that every value can be inspected.
local function _parse_request_uri()
  local t = ngx.req.get_uri_args()
  local _t = {}
  for k, v in pairs(t) do
    if type(v) == "table" then
      -- repeated parameter, e.g. ?id=1&id=2 -> {"1", "2"}
      for _key, _value in pairs(v) do
        _t[k .. "-" .. _key] = _value
      end
    else
      _t[k] = v
    end
  end
  ngx.req.set_uri_args(t)
  ngx.ctx.parse_request_uri = _t
  return _t
end
post body plain
-- Parse the request body into a flat table of argument values.
-- _get_headers, _table_keys, exit_code and cjson are assumed to be module-level
-- helpers defined elsewhere in waf.lua; they are not part of this snippet.
local function _parse_request_body()
  local content_type = ngx.req.get_headers()["Content-type"]
  if (type(content_type) == "table") then
    -- more than one Content-Type header: parsing would be ambiguous, reject
    local error_info = {}
    error_info['headers'] = ngx.ctx.request_get_headers or _get_headers()
    error_info['log_type'] = "error_log"
    error_info['error_type'] = "parse_request_body"
    error_info['error_info'] = "Request contained multiple content-type headers"
    error_info['remote_addr'] = ngx.var.remote_addr
    ngx.ctx.error_log = error_info
    ngx.log(ngx.ERR, "Request contained multiple content-type headers")
    exit_code.return_exit()
  end
  if ngx.ctx.upload_request then
    -- multipart uploads are handled by a separate code path
    ngx.ctx.parse_request_body = {}
    return {}
  end
  if ngx.req.get_body_file() then
    -- body was spilled to a temp file, i.e. larger than client_body_buffer_size: refuse it
    local error_info = {}
    error_info['headers'] = ngx.ctx.request_get_headers or _get_headers()
    error_info['log_type'] = "error_log"
    error_info['error_type'] = "parse_request_body"
    error_info['error_info'] = "request body size larger than client_body_buffer_size, refuse request "
    error_info['remote_addr'] = ngx.var.remote_addr
    ngx.ctx.error_log = error_info
    ngx.log(ngx.ERR, "request body size larger than client_body_buffer_size, refuse request ")
    exit_code.return_error()
  end
  -- declared JSON body with a non-zero Content-Length
  if content_type and ngx.re.find(content_type, [=[^application/json;]=], "oij") and ngx.req.get_headers()["Content-Length"] and tonumber(ngx.req.get_headers()["Content-Length"]) ~= 0 then
    local json_args_raw = ngx.req.get_body_data()
    if not json_args_raw then
      ngx.ctx.parse_request_body = {}
      return {}
    end
    local json_args, err = cjson.decode(json_args_raw)
    if json_args == nil then
      local error_info = {}
      error_info['headers'] = ngx.ctx.request_get_headers or _get_headers()
      error_info['log_type'] = "error_log"
      error_info['error_type'] = "parse_request_body"
      error_info['error_info'] = "failed to decode json args :" .. err
      error_info['remote_addr'] = ngx.var.remote_addr
      ngx.ctx.error_log = error_info
      ngx.log(ngx.ERR, "failed to decode json args :", err)
      exit_code.return_error()
    end
    local t = _process_json_args(json_args)
    ngx.ctx.parse_request_body = t
    return t
  end
  -- form-encoded body: cap the number of arguments the parser will read
  local post_args, err = ngx.req.get_post_args(210)
  if not post_args then
    local error_info = {}
    error_info['headers'] = ngx.ctx.request_get_headers or _get_headers()
    error_info['log_type'] = "error_log"
    error_info['error_type'] = "parse_request_body"
    error_info['error_info'] = "failed to get post args: " .. err
    error_info['remote_addr'] = ngx.var.remote_addr
    ngx.ctx.error_log = error_info
    ngx.log(ngx.ERR, "failed to get post args: ", err)
    exit_code.return_error()
  end
  if #_table_keys(post_args) > 200 then
    -- an excessive argument count is treated as an attack (parser DoS)
    local error_info = {}
    error_info['headers'] = ngx.ctx.request_get_headers or _get_headers()
    error_info['log_type'] = "error_log"
    error_info['error_type'] = "parse_request_body"
    error_info['error_info'] = "post args count error,is attack!"
    error_info['remote_addr'] = ngx.var.remote_addr
    ngx.ctx.error_log = error_info
    ngx.log(ngx.ERR, "post args count error,is attack!")
    exit_code.return_error()
  end
  -- body not declared as JSON but that still decodes as JSON: treat it as JSON
  local body_data = ngx.req.get_body_data()
  local json_check = body_data and cjson.decode(body_data)
  if json_check then
    local _tmp = _process_json_args(json_check)
    ngx.ctx.parse_request_body = _tmp
    return _tmp
  end
  -- plain form arguments; repeated names are flattened to "name_index"
  local _t = {}
  for _k, _v in pairs(post_args) do
    if type(_v) == "table" then
      for _key, _value in pairs(_v) do
        _t[_k .. "_" .. _key] = _value
      end
    else
      _t[_k] = _v
    end
  end
  ngx.ctx.parse_request_body = _t
  return _t
end
Was region blocking removed? A pity, it was such a good feature; I strongly suggest restoring it. There are many needs and scenarios for it, and in some situations it is necessary; otherwise it always feels like something is missing and the product is not as complete. Some features of the mini version were really good.
Is there no block page for attacks? In my test it directly returned the web server's own page.
Does jxwaf have self-learning capability? I saw it mentioned in this post https://cloud.tencent.com/developer/news/249663, but I'm not sure whether the jxwaf there is this project.
The official documentation has no instructions for integrating jxlog with jxwaf. How is this step done?
Also, is there a community?
When uploading a file, the nginx log reports an error:
2023/05/15 18:20:55 [error] 21691#0: *122 [lua] access.lua:5: /opt/jxwaf/lualib/resty/jxwaf/waf.lua:750: attempt to call local '_file_content_disposition' (a table value)
Fix:
Modify line 750 of /opt/jxwaf/lualib/resty/jxwaf/waf.lua
ngx.ctx.file_content_disposition = table.concat(_file_content_disposition" ")
to:
ngx.ctx.file_content_disposition = table.concat(_file_content_disposition," ")
Can it be deployed as an image? Setting up the environment is driving me crazy
Is there a place to manage custom rules globally? From what I can see in the backend, custom rules seem to be configurable only for a specified site.
If I add a new site and want to reuse another site's rules, how should I do that?
$ /opt/jxwaf/nginx/sbin/nginx starts openresty; on start or reload, openresty automatically pulls the latest user-configured rules from the jxwaf management center
->
There is a problem here: having to reload the configuration every time the rules are updated isn't very friendly, is it? And in a real production environment, reloads are not recommended either. Could this be made a dynamic update, pulled and applied automatically via crontab without a reload?
When I try to install on CentOS 8,
when running # sudo sh install.sh
error:
No match for argument: python-devel
No match for argument: phtyon-pip
when running # pip3 install -r requirements.txt
error:
python setup.py egg-info failed with error code 1 in /tmp/pip-build-529e745d/mysqlclient
Can you advise how to resolve it?
Thank you.
$ /opt/jxwaf/nginx/sbin/nginx starts openresty; on start or reload, openresty automatically pulls the latest user-configured rules from the jxwaf management center
Leaving aside whether the server can make outbound connections at all, this is essentially equivalent to a backdoor, isn't it? I suggest opening up local rule management and providing an offline version. Hope this is adopted, thanks.
Hello, I had a look at your code. The _rule_match function iterates over rules and executes
_process_request and _process_transform; _process_request is called on every iteration, and within _process_transform the functions in rule_transform may be run repeatedly, e.g. uriDecode. Wouldn't this affect performance?
local cjson = require "cjson.safe"

-- Mask the values of sensitive keys (dv) in a form-encoded body such as
-- "user=a&password=b"; the original string is returned if it cannot be parsed.
local function split(str, dv)
  local resultStrList = {}
  local ok, e = pcall(function()
    string.gsub(str, '[^&]+', function(w)
      table.insert(resultStrList, w)
    end)
  end)
  if not ok then
    return str
  end
  local rs = {}
  for _k, _v in pairs(resultStrList) do
    -- walk each "key=value" pair: the first token is the key, the next its value
    local i
    string.gsub(_v, '[^=]+', function(w)
      if i == nil then
        rs[w] = nil
      else
        rs[i] = w
      end
      i = w
    end)
  end
  local r = {}
  for _key, _value in pairs(rs) do
    for _, _d in pairs(dv) do
      if _key == _d then
        _value = "****"
      end
    end
    r[_key] = _value
  end
  local _t = ""
  for _k, _v in pairs(r) do
    _t = _t .. _k .. "=" .. _v .. "&"
  end
  if _t == "" then
    return str
  end
  return _t
end

-- Serialize a Lua value into a JSON-like string for logging.
local function serialize(obj)
  local lua = ""
  local t = type(obj)
  if t == "number" then
    lua = lua .. obj
  elseif t == "boolean" then
    lua = lua .. tostring(obj)
  elseif t == "string" then
    lua = lua .. string.format("%q", obj)
  elseif t == "table" then
    lua = lua .. "{"
    for k, v in pairs(obj) do
      lua = lua .. serialize(k) .. ":" .. serialize(v) .. ","
    end
    local metatable = getmetatable(obj)
    if metatable ~= nil and type(metatable.__index) == "table" then
      for k, v in pairs(metatable.__index) do
        lua = lua .. serialize(k) .. ":" .. serialize(v) .. ","
      end
    end
    lua = lua .. "}"
  elseif t == "nil" then
    return nil
  else
    error("can not serialize a " .. t .. " type.")
  end
  return lua
end

-- Recursively mask sensitive keys inside a nested table (modified in place).
local function decodetable(t, dv)
  local _t = t or {}
  for _k, _v in pairs(_t) do
    for _key, _value in pairs(dv) do
      if _value == _k then
        _v = "***"
      end
    end
    if type(_v) ~= "table" then
      _t[_k] = _v
    else
      _t[_k] = decodetable(_v, dv)
    end
  end
  return _t
end

-- Entry point: mask password/order_id in a JSON body, or fall back to the
-- form-encoded handler for anything that does not decode as a JSON object.
local function desensitization(body)
  local dv = { "password", "order_id" }
  local rs = {}
  local json_body, err = cjson.decode(body)
  if type(json_body) == "table" then
    for _k, _v in pairs(json_body) do
      for _, value in pairs(dv) do
        if value == _k then
          _v = "***"
        elseif type(_v) == 'table' then
          _v = decodetable(_v, dv)
        end
      end
      rs[_k] = _v
    end
    return serialize(rs)
  else
    return split(body, dv)
  end
end
Could a static resource caching feature be implemented?
Hello, your description says "the built-in semantic analysis engine combined with the machine learning engine avoids the slowdown caused by stacking too many rules in traditional WAFs". Could you briefly introduce the implementation architecture of this logic and where the specific code is located?
Much appreciated...
The rule download address in the code: https://update2.jxwaf.com/waf_update
does not work; after changing it to http it works normally
Tested with awvs, payload: /index.php?PathToDocument=documentation/how-to-access-Mutillidae-over-Virtual-Box-network.php&page=/etc/passwd