unixhot / waf Goto Github PK

View Code? Open in Web Editor NEW

1.4K 79.0 504.0 36 KB

使用Nginx+Lua实现的WAF（版本v1.0）

License: Apache License 2.0

Lua 100.00%

waf's Introduction

WAF

使用Nginx+Lua实现自定义WAF（Web application firewall）
最近发现使用的人越来越多了，计划开始维护和增加新功能 2020.7.29 赵班长

项目背景介绍

需求产生

由于原生态的Nginx的一些安全防护功能有限，就研究能不能自己编写一个WAF，参考Kindle大神的ngx_lua_waf，自己尝试写一个了，使用两天时间，边学Lua，边写。不过不是安全专业，只实现了一些比较简单的功能：

功能列表：

支持IP白名单和黑名单功能，直接将黑名单的IP访问拒绝。
支持URL白名单，将不需要过滤的URL进行定义。
支持User-Agent的过滤，匹配自定义规则中的条目，然后进行处理（返回403）。
支持CC攻击防护，单个URL指定时间的访问次数，超过设定值，直接返回403。
支持Cookie过滤，匹配自定义规则中的条目，然后进行处理（返回403）。
支持URL过滤，匹配自定义规则中的条目，如果用户请求的URL包含这些，返回403。
支持URL参数过滤，原理同上。
支持日志记录，将所有拒绝的操作，记录到日志中去。
日志记录为JSON格式，便于日志分析，例如使用ELK进行攻击日志收集、存储、搜索和展示。

WAF实现

WAF一句话描述，就是解析HTTP请求（协议解析模块），规则检测（规则模块），做不同的防御动作（动作模块），并将防御过程（日志模块）记录下来。所以本文中的WAF的实现由五个模块(配置模块、协议解析模块、规则模块、动作模块、错误处理模块）组成。

安装部署

以下方案选择其中之一即可：

选择1: 可以选择使用原生的Nginx，增加Lua模块实现部署。
选择2: 直接使用OpenResty

OpenResty安装

1 Yum安装OpenResty（推荐）

源码安装和Yum安装选择其一即可，默认均安装在/usr/local/openresty目录下。

[root@opsany ~]# wget https://openresty.org/package/centos/openresty.repo
[root@opsany ~]# sudo mv openresty.repo /etc/yum.repos.d/
[root@opsany ~]# sudo yum install -y openresty

测试OpenResty和运行Lua

[root@opsany ~]# vim /usr/local/openresty/nginx/conf/nginx.conf
#在默认的server配置中增加
        location /hello {
            default_type text/html;
            content_by_lua_block {
                ngx.say("<p>hello, world</p>")
            }
        }
[root@opsany ~]# /usr/local/openresty/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/openresty-1.17.8.2/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/openresty-1.17.8.2/nginx/conf/nginx.conf test is successful
[root@opsany ~]# /usr/local/openresty/nginx/sbin/nginx

测试访问

[root@opsany ~]# curl http://127.0.0.1/hello
<p>hello, world</p>

WAF部署

[root@opsany ~]# git clone https://github.com/unixhot/waf.git
[root@opsany ~]# cp -r ./waf/waf /usr/local/openresty/nginx/conf/
[root@opsany ~]# vim /usr/local/openresty/nginx/conf/nginx.conf
#在http{}中增加，注意路径，同时WAF日志默认存放在/tmp/日期_waf.log
#WAF
    lua_shared_dict limit 50m;
    lua_package_path "/usr/local/openresty/nginx/conf/waf/?.lua";
    init_by_lua_file "/usr/local/openresty/nginx/conf/waf/init.lua";
    access_by_lua_file "/usr/local/openresty/nginx/conf/waf/access.lua";
[root@opsany ~]# ln -s /usr/local/openresty/lualib/resty/ /usr/local/openresty/nginx/conf/waf/resty
[root@opsany ~]# /usr/local/openresty/nginx/sbin/nginx -t
[root@opsany ~]# /usr/local/openresty/nginx/sbin/nginx -s reload

附录

Nginx + Lua源码编译部署(不推荐)

Nginx安装必备的Nginx和PCRE软件包。

[root@nginx-lua ~]# cd /usr/local/src
[root@nginx-lua src]# wget http://nginx.org/download/nginx-1.12.1.tar.gz
[root@nginx-lua src]# wget https://nchc.dl.sourceforge.net/project/pcre/pcre/8.41/pcre-8.41.tar.gz
#其次，下载当前最新的luajit和ngx_devel_kit (NDK)，以及春哥（章）编写的lua-nginx-module
[root@nginx-lua src]# wget http://luajit.org/download/LuaJIT-2.0.5.tar.gz
[root@nginx-lua src]# wget https://github.com/simpl/ngx_devel_kit/archive/v0.3.0.tar.gz
[root@nginx-lua src]# wget wget https://github.com/chaoslawful/lua-nginx-module/archive/v0.10.10.zip

最后，创建Nginx运行的普通用户

[root@nginx-lua src]# useradd -s /sbin/nologin -M www

解压NDK和lua-nginx-module

[root@openstack-compute-node5 src]# tar zxvf v0.3.0.tar.gz
[root@openstack-compute-node5 src]# unzip -q v0.10.10.zip

安装LuaJIT Luajit是Lua即时编译器。

[root@webs-ebt src]# tar zxvf LuaJIT-2.0.5.tar.gz 
[root@webs-ebt src]# cd LuaJIT-2.0.5
[root@webs-ebt LuaJIT-2.0.5]# make && make install

安装Nginx并加载模块

[root@webs-ebt src]# tar zxf nginx-1.12.1.tar.gz
[root@webs-ebt src]# tar zxvf pcre-8.41.tar.gz 
[root@webs-ebt src]# cd nginx-1.12.1
[root@webs-ebt nginx-1.12.1]# export LUAJIT_LIB=/usr/local/lib
[root@webs-ebt nginx-1.12.1]# export LUAJIT_INC=/usr/local/include/luajit-2.0
[root@webs-ebt nginx-1.12.1]#./configure --user=www --group=www --prefix=/usr/local/nginx-1.12.1/ --with-pcre=/usr/local/src/pcre-8.41 --with-http_stub_status_module --with-http_sub_module --with-http_gzip_static_module --without-mail_pop3_module --without-mail_imap_module --without-mail_smtp_module  --add-module=../ngx_devel_kit-0.3.0/ --add-module=../lua-nginx-module-0.10.10/
[root@webs-ebt nginx-1.12.1]# make -j2 && make install
[root@webs-ebt nginx-1.12.1]# ln -s /usr/local/nginx-1.12.1 /usr/local/nginx
[root@webs-ebt nginx-1.12.1]# ln -s /usr/local/lib/libluajit-5.1.so.2 /lib64/libluajit-5.1.so.2

如果不创建符号链接，可能出现以下异常：

error while loading shared libraries: libluajit-5.1.so.2: cannot open shared object file: No such file or directory

测试安装

安装完毕后，下面可以测试安装了，修改nginx.conf 增加第一个配置。

        location /hello {
                default_type 'text/plain';
                content_by_lua 'ngx.say("hello,lua")';
        }
 
[root@webs-ebt src]# /usr/local/nginx/sbin/nginx -t
[root@webs-ebt src]# /usr/local/nginx/sbin/nginx -t

然后访问http://xxx.xxx.xxx.xxx/hello 如果出现hello,lua。表示安装完成,然后就可以。

OpenResty源码编译部署（不推荐）

安装依赖软件包

[root@opsany ~]# yum install -y readline-devel pcre-devel openssl-devel

安装OpenResty

2.1 下载并编译安装OpenResty

[root@opsany ~]# cd /usr/local/src
[root@opsany src]# wget https://openresty.org/download/openresty-1.17.8.2.tar.gz
[root@opsany src]# tar zxf openresty-1.17.8.2.tar.gz
[root@opsany src]# cd openresty-1.17.8.2
[root@opsany openresty-1.17.8.2]# ./configure --prefix=/usr/local/openresty-1.17.8.2 \
--with-luajit --with-http_stub_status_module \
--with-pcre --with-pcre-jit \
--with-file-aio --with-threads
[root@opsany openresty-1.17.8.2]# gmake && gmake install
[root@opsany openresty-1.17.8.2]# cd
[root@opsany ~]# ln -s /usr/local/openresty-1.17.8.2/ /usr/local/openresty

waf's People

Contributors

Stargazers

Watchers

Forkers

dongtata sdgdsffdsfff no2key lue828 heartshare lilidd zeus911 xiamujun wqintel mycollectresp lizardcn guozi058 cloudxtreme dutianbo yirenzui8 sosojustdo cn27001 wisonzhu phantoscope flyr4nk alexwang2015 sforce100 faquiir wanyinglong davidmr001 diluga bruceleo1969 hujinyong uunvnet nonamexz xianlimei cake654326 skylei xxoxx ren-i logonmy young-0 kongjc infinityhacks webvul ahlfors kakakacool davidleeux ecore2018 sgpf ljb-2000 pylarva sunmmi 1052419956 fangweidujian linuxme orright hms58 w796933 duzhanyuan totemofwolf freegit9527 drizzlerisk melbshark idreamsoft lgcf strongit huaibaobao youyou2018 maliciouskr ymero 15310944349 sec-u 845049351 jijicanyu iboxpay zhechu dev-kang weiyanwei412 forest11 randall2030 alviszh xietalent lovecppp yeweit6 windzzp jokpermp needf xonze bbs-ld kensunp mfmwmsj wyfaq lfsadamn halokid zlsvn tinywup yejq netkey nbsky depth- nuadaandre ti-yoyo demon89 wuyouzi

waf's Issues

666

跟这个https://github.com/loveshell/ngx_lua_waf.git 好像

access.lua顺序问题

白名单ip
白名单url
这俩个应该放在前面，避免cc规则拦住就到不了白名单url规则

用的 nginx/1.20.1，不产生日志

[root@localhost nginx]# nginx -V

nginx version: nginx/1.20.1
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-44) (GCC) 
built with OpenSSL 1.1.1k  25 Mar 2021
TLS SNI support enabled
configure arguments: --user=www --group=www --prefix=/usr/local/nginx --with-http_stub_status_module --with-http_ssl_module --with-http_v2_module --with-http_gzip_static_module --with-http_sub_module --with-stream --with-stream_ssl_module --with-openssl=/root/lnmp1.8/src/openssl-1.1.1k --with-openssl-opt='enable-weak-ssl-ciphers' --with-ld-opt=-Wl,-rpath,/usr/local/luajit/lib --add-module=/root/src/lua-nginx-module-0.10.14 --add-module=/root/src/ngx_devel_kit-0.3.1 --with-ld-opt='-ljemalloc'

pcre的下载地址可以使用这个

wget http://ftp.pcre.org/pub/pcre/pcre-8.41.tar.gz

2017/08/02 19:29:01 [error] 18148#0: *14 lua entry thread aborted: runtime error: /usr/local/nginx/conf/waf/init.
lua:152: bad argument #1 to 'pairs' (table expected, got nil)
stack traceback:
coroutine 0:
[C]: in function 'pairs'
/usr/local/nginx/conf/waf/init.lua:152: in function 'user_agent_attack_check'
/usr/local/nginx/conf/waf/access.lua:6: in function 'waf_main'
/usr/local/nginx/conf/waf/access.lua:18: in function </usr/local/nginx/conf/waf/access.lua:1>, client: 12
5.39.239.6, server: localhost, request: "GET //index.php/api/index/imgcode HTTP/1.1", host: "gd.lo-x.cc", referre
r: "http://www.baidu.com/s?wd=www"

这种疯狂的被扫描应该怎么写规则？

1.45.28.97 - - [25/Nov/2020:16:25:30 +0800] "GET /?rAV7w.html HTTP/1.1" 200 1956 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.2)"
1.45.28.97 - - [25/Nov/2020:16:25:30 +0800] "GET /?id=fuiW3 HTTP/1.1" 200 1956 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.2)"
1.45.28.97 - - [25/Nov/2020:16:25:30 +0800] "GET /?5C8RZ28.html HTTP/1.1" 200 1956 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.2)"
1.45.28.97 - - [25/Nov/2020:16:25:30 +0800] "GET /?6n0pJ52.html HTTP/1.1" 200 1956 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.2)"
1.45.28.97 - - [25/Nov/2020:16:25:30 +0800] "GET /?20E46h5.html HTTP/1.1" 200 1956 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.2)"
1.45.28.97 - - [25/Nov/2020:16:25:31 +0800] "GET /?N2ea4/0OVS7.html HTTP/1.1" 200 1956 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.2)"
1.45.28.97 - - [25/Nov/2020:16:25:31 +0800] "GET /?O13tN.html HTTP/1.1" 200 1956 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.2)"
1.45.28.97 - - [25/Nov/2020:16:25:31 +0800] "GET /?28W6634.html HTTP/1.1" 200 1956 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.2)"
1.45.28.97 - - [25/Nov/2020:16:25:31 +0800] "GET /?aZlUA16.html HTTP/1.1" 200 1956 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.2)"
1.45.28.97 - - [25/Nov/2020:16:25:31 +0800] "GET /?550d51N.html HTTP/1.1" 200 1956 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.2)"
1.45.28.97 - - [25/Nov/2020:16:25:31 +0800] "GET /?DRu4Q.html HTTP/1.1" 200 1956 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.2)"
1.45.28.97 - - [25/Nov/2020:16:25:31 +0800] "GET /?29eWj=T9CO0.html HTTP/1.1" 200 1956 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.2)"
1.45.28.97 - - [25/Nov/2020:16:25:31 +0800] "GET /?id=irp69 HTTP/1.1" 200 1956 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.2)"
1.45.28.97 - - [25/Nov/2020:16:25:32 +0800] "GET /?id=3TnGu HTTP/1.1" 200 1956 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.2)"
1.45.28.97 - - [25/Nov/2020:16:25:32 +0800] "GET /?id=CHb16 HTTP/1.1" 200 1956 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.2)"
1.45.28.97 - - [25/Nov/2020:16:25:32 +0800] "GET /?G9n73.html HTTP/1.1" 200 1956 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.2)"
1.45.28.97 - - [25/Nov/2020:16:25:32 +0800] "GET /?V8m7g.html HTTP/1.1" 200 1956 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.2)"

太嚣张了，疯狂的扫描。请教下怎么写对应的拦截正则？

請問有沒有規則編寫的說明？

比如我要編寫一個ip或一個ip段到ip白名單應該怎麼寫？

如何将日志配置成json并用elk收集呢？

你好，如何将日志配置成json并用elk收集呢？

waf 白名单检查函数由问题

对，加载白名单写真write_rule了。
改下吧

请问下您有没有用过modsecurity；如果都用modsecurity的secRule可以做到这些功能吗

就是在 nginx+modsecurity的基础上直接开发; 能不能达到您这个效果; 如果可以，思路又是怎么样的。

恳请赵班长继续维护WAF规则

赵班长可以加入一些当下最新的URL漏洞规则吗？

去掉access.lua里面被注释的代码后报错了

`require 'init'

function waf_main()
if white_ip_check() then
elseif black_ip_check() then
elseif user_agent_attack_check() then
elseif cc_attack_check() then
elseif cookie_attack_check() then
elseif white_url_check() then
elseif url_attack_check() then
elseif url_args_attack_check() then
elseif post_attack_check() then
else
return
end
end

waf_main()

错误日志

2020/01/07 18:15:53 [error] 165#0: *40 lua entry thread aborted: runtime error: /usr/local/openresty/nginx/conf/myconf/waf/init.lua:170: bad argument #1 to 'pairs' (table expected, got nil)
stack traceback:
coroutine 0:
[C]: in function 'pairs'
/usr/local/openresty/nginx/conf/myconf/waf/init.lua:170: in function 'post_attack_check'
/usr/local/openresty/nginx/conf/myconf/waf/access.lua:12: in function 'waf_main'
/usr/local/openresty/nginx/conf/myconf/waf/access.lua:18: in main chunk, client: 10.211.55.2, server: localhost, request: "GET /abcdef/core/notification/count.do HTTP/1.1", host: "10.211.55.9", referrer: "http://10.211.55.9/abcdef/index.do"

请问该系统性能怎么样，有相关性能指标参考吗？

请问该系统性能怎么样，有相关性能指标参考吗？
比如接入镜像流量用于流量清洗，大概能抗住多少流量。

关于cc限制的ip时长配置

你好，cc限制比如配置为config_cc_rate = "10/60"，默认比如触发报警，限制的ip有效期为多长，在哪里可以配置呢

如果用户访问使用代理,WAF能解析出真实IP不

RT,这样的场景有没有问题

.

。。

记录日志这里使用的IO模块会造成阻塞么？

RT，谢谢

conf/waf/init.lua:170: bad argu ment #1 to 'pairs' (table expected, got nil)

url_args_attack_check功能报错，请大神帮忙解决

waf的url_args_attack_check功能报错，请大神帮忙解决。
报错详细如下：

[C]: in function 'concat'
/usr/local/openresty1.11/nginx/conf/waf/init.lua:130: in function 'url_args_attack_check'
/usr/local/openresty1.11/nginx/conf/waf/access.lua:11: in function 'waf_main'
/usr/local/openresty1.11/nginx/conf/waf/access.lua:18: in function </usr/local/openresty1.11/nginx/conf/waf/access.lua:1>, client: 118.91.92.132, server: g.share.com, request: "GET /gamepage/egg.php?lxt&&cd=0&lt=d96628e0ads&vs=0 HTTP/1.1", host: "g.share.com"

使用openresty/openresty:alpine镜像集成waf后启动报错

nginx: [error] lua_load_resty_core failed to load the resty.core module from https://github.com/openresty/lua-resty-core; ensure you are using an OpenResty release from https://openresty.org/en/download.html (rc: 2, reason: module 'resty.core' not found:
no field package.preload['resty.core']
no file '/usr/local/openresty/nginx/conf/resty/core.lua'
no file '/usr/local/openresty/site/lualib/resty/core.so'
no file '/usr/local/openresty/lualib/resty/core.so'
no file './resty/core.so'
no file '/usr/local/lib/lua/5.1/resty/core.so'
no file '/usr/local/openresty/luajit/lib/lua/5.1/resty/core.so'
no file '/usr/local/lib/lua/5.1/loadall.so'
no file '/usr/local/openresty/site/lualib/resty.so'
no file '/usr/local/openresty/lualib/resty.so'
no file './resty.so'
no file '/usr/local/lib/lua/5.1/resty.so'
no file '/usr/local/openresty/luajit/lib/lua/5.1/resty.so'
no file '/usr/local/lib/lua/5.1/loadall.so')

修改config_log_dir后无日志产生

修改了config.lua下的config_log_dir，重载nginx后未生效，原/tmp目录下也无日志
环境说明
CentOS Linux release 7.6.1810
nginx-1.18.0
openresty-1.17.8.2
ngx_devel_kit-0.3.0
LuaJIT-2.0.5
lua-nginx-module-0.10.10

%0A绕过如何修复？

将空格替换为%0A可以绕过waf，请问这种情况下如何修复？

竟然一个问题没有，最近我在测试ngx_lua_waf，日志分析确实很重要。

竟然一个问题没有，最近我在测试ngx_lua_waf，看到这个我打算再测试下这个，看看这两个到底有什么区别，目前ngx_lua_waf日志格式不是json的，费了九牛二虎之力才用grok切分得马马虎虎，能在ELK上展示了。

如何弄只记录不拦截的方式？

你好：
我想只进行记录日志，不进行拦截，请问如何设置呢？

请问为什么我开了url check和post check，但是却没有生效呢？

我可以正常使用ip黑名单和白名单，但是url check和post check不生效，请问是怎么回事呢？
我使用的是openresty-1.11.2.5版本来实现waf的，下面是我的nginx.conf和config.lua文件，请参考。
nginx.conf

`#user nobody;

worker_processes 1;

#error_log logs/error.log;
#error_log logs/error.log notice;
#error_log logs/error.log info;

#pid logs/nginx.pid;

events {
worker_connections 1024;
}

http {
#WAF
lua_shared_dict limit 50m; #防cc使用字典，大小50M
lua_package_path "/usr/local/openresty/nginx/conf/waf/?.lua";
init_by_lua_file "/usr/local/openresty/nginx/conf/waf/init.lua";
access_by_lua_file "/usr/local/openresty/nginx/conf/waf/access.lua";

include       mime.types;
default_type  application/octet-stream;

#log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
#                  '$status $body_bytes_sent "$http_referer" '
#                  '"$http_user_agent" "$http_x_forwarded_for"';

#access_log  logs/access.log  main;

sendfile        on;
#tcp_nopush     on;

#keepalive_timeout  0;
keepalive_timeout  65;

#gzip  on;

server {
    listen       4880;
    server_name  localhost;

    #charset koi8-r;

    #access_log  logs/host.access.log  main;
location /hi {
	default_type text/html;
	content_by_lua_block{
		ngx.say('hello openrastry')
	}
}
    location / {
        root   html;
        index  index.html index.htm;
    }

    #error_page  404              /404.html;

    # redirect server error pages to the static page /50x.html
    #
    error_page   500 502 503 504  /50x.html;
    location = /50x.html {
        root   html;
    }
}

}
`

config.lua
`--WAF config file,enable = "on",disable = "off"

--waf status
config_waf_enable = "on"
--log dir
config_log_dir = "/tmp"
--rule setting
config_rule_dir = "/usr/local/openresty/nginx/conf/waf/rule-config"
--enable/disable white url
config_white_url_check = "on"
--enable/disable white ip
config_white_ip_check = "on"
--enable/disable block ip
config_black_ip_check = "on"
--enable/disable url filtering
config_url_check = "on"
--enalbe/disable url args filtering
config_url_args_check = "on"
--enable/disable user agent filtering
config_user_agent_check = "on"
--enable/disable cookie deny filtering
config_cookie_check = "on"
--enable/disable cc filtering
config_cc_check = "on"
--cc rate the xxx of xxx seconds
config_cc_rate = "10/60"
--enable/disable post filtering
config_post_check = "on"
--config waf output redirect/html
config_waf_output = "html"
--if config_waf_output ,setting url
config_waf_redirect_url = "https://www.unixhot.com"
config_output_html=[[

<title>网站防火墙</title>

你的行为已经违反网站相关规定 ]]
`

url访问ip白名单怎么配置

赵班长给某个路径指定访问ip 需要怎么配谢谢？

我多域名配置时，waf_logs里面server_name只记录了第一个域名

我conf文件server_name行配置多域名时，waf_logs里面只记录了第一个域名，其他域名记录不了，不知道是什么原因？

writing a global Lua variable ('waf_main') 报错怎么解决

请问这个报错怎么解决
021/12/25 15:13:44 [warn] 2004#2004: *43 [lua] _G write guard:12: __newindex(): writing a global Lua variable ('waf_main') which may lead to race conditions between concurrent requests, so prefer the use of 'local' variables
stack traceback:
/usr/local/openresty/nginx/conf/waf/access.lua:4: in main chunk, client: 192.168.121.188, server: localhost, request: "GET /hello HTTP/1.1", host: "192.168.123.179"
2021/12/25 15:13:44 [warn] 2004#2004: *43 [lua] _G write guard:12: __newindex(): writing a global Lua variable ('waf_main') which may lead to race conditions between concurrent requests, so prefer the use of 'local' variables

你这少写一个cc的白名单url

配置了URL白名单怎么不生效？

启动后应用一直500

2020/12/16 10:11:23 [warn] 6630#0: *36 [lua] _G write guard:12: __newindex(): writing a global lua variable ('CLIENT_IP') which may lead to race conditions between concurrent requests, so prefer the use of 'local' variables
stack traceback:
/home/openresty/openresty/waf/lib.lua:11: in function 'get_client_ip'
/home/openresty/openresty/waf/init.lua:63: in function 'cc_attack_check'
/home/openresty/openresty/waf/access.lua:7: in function 'waf_main'
/home/openresty/openresty/waf/access.lua:18: in main chunk, client:

POST检查函数有问题

post_attack_check()错误且不完整，无法校验post参数