
waf's Issues

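No logs produced after changing config_log_dir

I changed config_log_dir in config.lua; after reloading nginx the change did not take effect, and there are no logs in the original /tmp directory either.
Environment: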
CentOS Linux release 7.6.1810
nginx-1.18.0
openresty-1.17.8.2
ngx_devel_kit-0.3.0
LuaJIT-2.0.5
lua-nginx-module-0.10.10

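Why do url check and post check have no effect even though I enabled them?

I can use the IP blacklist and whitelist normally, but url check and post check do not take effect. What is going on?
I am using openresty-1.11.2.5 to implement the WAF; my nginx.conf and config.lua files are below for reference.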
nginx.conf

```nginx
#user nobody;

worker_processes 1;

#error_log logs/error.log;
#error_log logs/error.log notice;
#error_log logs/error.log info;

#pid logs/nginx.pid;

events {
    worker_connections 1024;
}

http {
    #WAF
    lua_shared_dict limit 50m; # shared dictionary used for CC protection, size 50M
    lua_package_path "/usr/local/openresty/nginx/conf/waf/?.lua";
    init_by_lua_file "/usr/local/openresty/nginx/conf/waf/init.lua";
    access_by_lua_file "/usr/local/openresty/nginx/conf/waf/access.lua";

    include       mime.types;
    default_type  application/octet-stream;

    #log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
    #                  '$status $body_bytes_sent "$http_referer" '
    #                  '"$http_user_agent" "$http_x_forwarded_for"';

    #access_log  logs/access.log  main;

    sendfile        on;
    #tcp_nopush     on;

    #keepalive_timeout  0;
    keepalive_timeout  65;

    #gzip  on;

    server {
        listen       4880;
        server_name  localhost;

        #charset koi8-r;

        #access_log  logs/host.access.log  main;
        location /hi {
            default_type text/html;
            content_by_lua_block {
                ngx.say('hello openrastry')
            }
        }
        location / {
            root   html;
            index  index.html index.htm;
        }

        #error_page  404              /404.html;

        # redirect server error pages to the static page /50x.html
        #
        error_page   500 502 503 504  /50x.html;
        location = /50x.html {
            root   html;
        }
    }
}
```

config.lua

```lua
--WAF config file,enable = "on",disable = "off"

--waf status
config_waf_enable = "on"
--log dir
config_log_dir = "/tmp"
--rule setting
config_rule_dir = "/usr/local/openresty/nginx/conf/waf/rule-config"
--enable/disable white url
config_white_url_check = "on"
--enable/disable white ip
config_white_ip_check = "on"
--enable/disable block ip
config_black_ip_check = "on"
--enable/disable url filtering
config_url_check = "on"
--enable/disable url args filtering
config_url_args_check = "on"
--enable/disable user agent filtering
config_user_agent_check = "on"
--enable/disable cookie deny filtering
config_cookie_check = "on"
--enable/disable cc filtering
config_cc_check = "on"
--cc rate the xxx of xxx seconds
config_cc_rate = "10/60"
--enable/disable post filtering
config_post_check = "on"
--config waf output redirect/html
config_waf_output = "html"
--if config_waf_output ,setting url
config_waf_redirect_url = "https://www.unixhot.com"
config_output_html=[[

<title>网站防火墙</title>

你的行为已经违反网站相关规定 ]]
```

Startup error after integrating the waf into the openresty/openresty:alpine image

nginx: [error] lua_load_resty_core failed to load the resty.core module from https://github.com/openresty/lua-resty-core; ensure you are using an OpenResty release from https://openresty.org/en/download.html (rc: 2, reason: module 'resty.core' not found:
no field package.preload['resty.core']
no file '/usr/local/openresty/nginx/conf/resty/core.lua'
no file '/usr/local/openresty/site/lualib/resty/core.so'
no file '/usr/local/openresty/lualib/resty/core.so'
no file './resty/core.so'
no file '/usr/local/lib/lua/5.1/resty/core.so'
no file '/usr/local/openresty/luajit/lib/lua/5.1/resty/core.so'
no file '/usr/local/lib/lua/5.1/loadall.so'
no file '/usr/local/openresty/site/lualib/resty.so'
no file '/usr/local/openresty/lualib/resty.so'
no file './resty.so'
no file '/usr/local/lib/lua/5.1/resty.so'
no file '/usr/local/openresty/luajit/lib/lua/5.1/resty.so'
no file '/usr/local/lib/lua/5.1/loadall.so')

How should I write a rule for this kind of frantic scanning?

1.45.28.97 - - [25/Nov/2020:16:25:30 +0800] "GET /?rAV7w.html HTTP/1.1" 200 1956 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.2)"
1.45.28.97 - - [25/Nov/2020:16:25:30 +0800] "GET /?id=fuiW3 HTTP/1.1" 200 1956 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.2)"
1.45.28.97 - - [25/Nov/2020:16:25:30 +0800] "GET /?5C8RZ28.html HTTP/1.1" 200 1956 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.2)"
1.45.28.97 - - [25/Nov/2020:16:25:30 +0800] "GET /?6n0pJ52.html HTTP/1.1" 200 1956 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.2)"
1.45.28.97 - - [25/Nov/2020:16:25:30 +0800] "GET /?20E46h5.html HTTP/1.1" 200 1956 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.2)"
1.45.28.97 - - [25/Nov/2020:16:25:31 +0800] "GET /?N2ea4/0OVS7.html HTTP/1.1" 200 1956 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.2)"
1.45.28.97 - - [25/Nov/2020:16:25:31 +0800] "GET /?O13tN.html HTTP/1.1" 200 1956 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.2)"
1.45.28.97 - - [25/Nov/2020:16:25:31 +0800] "GET /?28W6634.html HTTP/1.1" 200 1956 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.2)"
1.45.28.97 - - [25/Nov/2020:16:25:31 +0800] "GET /?aZlUA16.html HTTP/1.1" 200 1956 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.2)"
1.45.28.97 - - [25/Nov/2020:16:25:31 +0800] "GET /?550d51N.html HTTP/1.1" 200 1956 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.2)"
1.45.28.97 - - [25/Nov/2020:16:25:31 +0800] "GET /?DRu4Q.html HTTP/1.1" 200 1956 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.2)"
1.45.28.97 - - [25/Nov/2020:16:25:31 +0800] "GET /?29eWj=T9CO0.html HTTP/1.1" 200 1956 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.2)"
1.45.28.97 - - [25/Nov/2020:16:25:31 +0800] "GET /?id=irp69 HTTP/1.1" 200 1956 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.2)"
1.45.28.97 - - [25/Nov/2020:16:25:32 +0800] "GET /?id=3TnGu HTTP/1.1" 200 1956 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.2)"
1.45.28.97 - - [25/Nov/2020:16:25:32 +0800] "GET /?id=CHb16 HTTP/1.1" 200 1956 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.2)"
1.45.28.97 - - [25/Nov/2020:16:25:32 +0800] "GET /?G9n73.html HTTP/1.1" 200 1956 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.2)"
1.45.28.97 - - [25/Nov/2020:16:25:32 +0800] "GET /?V8m7g.html HTTP/1.1" 200 1956 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.2)"

This is outrageous, frantic scanning. How do I write the corresponding blocking regex?
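The traffic in the log above (one client, several requests per second to the same path, a different random query string each time) can be flagged by request rate and query-string variety rather than by a regex on the random tokens. The following is an added example, not part of the original issue or of the waf project's code; the function names and thresholds are assumptions, and the sample input reuses six lines from the issue plus two constructed lines for a normal client.

```python
import re
from collections import defaultdict
from datetime import datetime

# nginx "combined" log line: client IP, [timestamp], "METHOD URI PROTO".
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "[A-Z]+ (?P<uri>\S+) [^"]*" ')

# First six lines are copied from the issue; the 192.0.2.10 lines are constructed.
SAMPLE_LOG = """\
1.45.28.97 - - [25/Nov/2020:16:25:30 +0800] "GET /?rAV7w.html HTTP/1.1" 200 1956 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.2)"
1.45.28.97 - - [25/Nov/2020:16:25:30 +0800] "GET /?id=fuiW3 HTTP/1.1" 200 1956 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.2)"
1.45.28.97 - - [25/Nov/2020:16:25:30 +0800] "GET /?5C8RZ28.html HTTP/1.1" 200 1956 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.2)"
1.45.28.97 - - [25/Nov/2020:16:25:31 +0800] "GET /?N2ea4/0OVS7.html HTTP/1.1" 200 1956 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.2)"
1.45.28.97 - - [25/Nov/2020:16:25:31 +0800] "GET /?id=irp69 HTTP/1.1" 200 1956 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.2)"
1.45.28.97 - - [25/Nov/2020:16:25:32 +0800] "GET /?id=3TnGu HTTP/1.1" 200 1956 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.2)"
192.0.2.10 - - [25/Nov/2020:16:25:30 +0800] "GET /index.html HTTP/1.1" 200 1956 "-" "constructed-client"
192.0.2.10 - - [25/Nov/2020:16:25:31 +0800] "GET /index.html HTTP/1.1" 200 1956 "-" "constructed-client"
"""

def parse(line):
    m = LINE_RE.match(line)
    if not m:
        return None  # not a combined-format line; skip it
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    path, _, query = m["uri"].partition("?")
    return m["ip"], ts, path, query

def find_scanners(lines, window=10, min_requests=5, min_unique_ratio=0.8):
    """Return {ip: (requests, distinct_queries)} for clients that hit one path at
    least min_requests times within `window` seconds with mostly distinct queries."""
    hits_by_target = defaultdict(list)
    for rec in filter(None, map(parse, lines)):
        ip, ts, path, query = rec
        hits_by_target[(ip, path)].append((ts, query))
    flagged = {}
    for (ip, _path), hits in hits_by_target.items():
        hits.sort(key=lambda h: h[0])
        start = 0
        for end in range(len(hits)):  # sliding time window over sorted hits
            while (hits[end][0] - hits[start][0]).total_seconds() > window:
                start += 1
            win = hits[start:end + 1]
            uniq = len({q for _, q in win})
            if (len(win) >= min_requests and uniq / len(win) >= min_unique_ratio
                    and len(win) > flagged.get(ip, (0, 0))[0]):
                flagged[ip] = (len(win), uniq)
    return flagged
```

The flagged addresses are candidates for the IP blacklist or for a stricter config_cc_rate; tune the thresholds against normal traffic first.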

.

。。

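Configuring how long an IP stays limited by the CC restriction

Hello, with the CC limit configured as, for example, config_cc_rate = "10/60", when the limit is triggered, how long does the restriction on the IP last by default, and where can that be configured?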

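Ordering problem in access.lua

Whitelist IP
Whitelist URL
These two should be placed first, so that a request is not stopped by the CC rule before it can reach the whitelist URL rule.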

Using nginx/1.20.1, no logs are produced

[root@localhost nginx]# nginx -V

nginx version: nginx/1.20.1
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-44) (GCC) 
built with OpenSSL 1.1.1k  25 Mar 2021
TLS SNI support enabled
configure arguments: --user=www --group=www --prefix=/usr/local/nginx --with-http_stub_status_module --with-http_ssl_module --with-http_v2_module --with-http_gzip_static_module --with-http_sub_module --with-stream --with-stream_ssl_module --with-openssl=/root/lnmp1.8/src/openssl-1.1.1k --with-openssl-opt='enable-weak-ssl-ciphers' --with-ld-opt=-Wl,-rpath,/usr/local/luajit/lib --add-module=/root/src/lua-nginx-module-0.10.14 --add-module=/root/src/ngx_devel_kit-0.3.1 --with-ld-opt='-ljemalloc'


Error after removing the commented-out code in access.lua

```lua
require 'init'

function waf_main()
    if white_ip_check() then
    elseif black_ip_check() then
    elseif user_agent_attack_check() then
    elseif cc_attack_check() then
    elseif cookie_attack_check() then
    elseif white_url_check() then
    elseif url_attack_check() then
    elseif url_args_attack_check() then
    elseif post_attack_check() then
    else
        return
    end
end

waf_main()
```

Error log

2020/01/07 18:15:53 [error] 165#0: *40 lua entry thread aborted: runtime error: /usr/local/openresty/nginx/conf/myconf/waf/init.lua:170: bad argument #1 to 'pairs' (table expected, got nil)
stack traceback:
coroutine 0:
[C]: in function 'pairs'
/usr/local/openresty/nginx/conf/myconf/waf/init.lua:170: in function 'post_attack_check'
/usr/local/openresty/nginx/conf/myconf/waf/access.lua:12: in function 'waf_main'
/usr/local/openresty/nginx/conf/myconf/waf/access.lua:18: in main chunk, client: 10.211.55.2, server: localhost, request: "GET /abcdef/core/notification/count.do HTTP/1.1", host: "10.211.55.9", referrer: "http://10.211.55.9/abcdef/index.do"

How to resolve the error: writing a global Lua variable ('waf_main')

How can I resolve this error?
021/12/25 15:13:44 [warn] 2004#2004: *43 [lua] _G write guard:12: __newindex(): writing a global Lua variable ('waf_main') which may lead to race conditions between concurrent requests, so prefer the use of 'local' variables
stack traceback:
/usr/local/openresty/nginx/conf/waf/access.lua:4: in main chunk, client: 192.168.121.188, server: localhost, request: "GET /hello HTTP/1.1", host: "192.168.123.179"
2021/12/25 15:13:44 [warn] 2004#2004: *43 [lua] _G write guard:12: __newindex(): writing a global Lua variable ('waf_main') which may lead to race conditions between concurrent requests, so prefer the use of 'local' variables

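url_args_attack_check raises an error, please help

The waf's url_args_attack_check function raises an error; could an expert please help resolve it.
The error details are as follows: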

[C]: in function 'concat'
/usr/local/openresty1.11/nginx/conf/waf/init.lua:130: in function 'url_args_attack_check'
/usr/local/openresty1.11/nginx/conf/waf/access.lua:11: in function 'waf_main'
/usr/local/openresty1.11/nginx/conf/waf/access.lua:18: in function </usr/local/openresty1.11/nginx/conf/waf/access.lua:1>, client: 118.91.92.132, server: g.share.com, request: "GET /gamepage/egg.php?lxt&&cd=0&lt=d96628e0ads&vs=0 HTTP/1.1", host: "g.share.com"

Application keeps returning 500 after startup

2020/12/16 10:11:23 [warn] 6630#0: *36 [lua] _G write guard:12: __newindex(): writing a global lua variable ('CLIENT_IP') which may lead to race conditions between concurrent requests, so prefer the use of 'local' variables
stack traceback:
/home/openresty/openresty/waf/lib.lua:11: in function 'get_client_ip'
/home/openresty/openresty/waf/init.lua:63: in function 'cc_attack_check'
/home/openresty/openresty/waf/access.lua:7: in function 'waf_main'
/home/openresty/openresty/waf/access.lua:18: in main chunk, client:

conf/waf/init.lua:170: bad argument #1 to 'pairs' (table expected, got nil)

Why do I get this error after following the instructions? The argument to pairs on line 170 of init_lua is nil.
2017/09/11 20:29:28 [debug] 14548#0: *23152 regex "/(attachments|upimg|images|css|uploadfiles|html|uploads|templets|static|template|data|inc|forumdata|upload|includes|cache|avatar)/(\w+).(php|jsp)" not matched on string "/testhello" starting from 0
2017/09/11 20:29:28 [debug] 14548#0: *23152 lua resume returned 2
2017/09/11 20:29:28 [error] 14548#0: *23152 lua entry thread aborted: runtime error: /liyang/openresty-test/conf/waf/init.lua:170: bad argument #1 to 'pairs' (table expected, got nil)

Configured according to the documentation, the Lua module raises an error; I am not sure whether it is a problem with the code.

2017/08/02 19:29:01 [error] 18148#0: *14 lua entry thread aborted: runtime error: /usr/local/nginx/conf/waf/init.lua:152: bad argument #1 to 'pairs' (table expected, got nil)
stack traceback:
coroutine 0:
[C]: in function 'pairs'
/usr/local/nginx/conf/waf/init.lua:152: in function 'user_agent_attack_check'
/usr/local/nginx/conf/waf/access.lua:6: in function 'waf_main'
/usr/local/nginx/conf/waf/access.lua:18: in function </usr/local/nginx/conf/waf/access.lua:1>, client: 125.39.239.6, server: localhost, request: "GET //index.php/api/index/imgcode HTTP/1.1", host: "gd.lo-x.cc", referrer: "http://www.baidu.com/s?wd=www"

Startup error when using the latest OpenResty

I deployed OpenResty 1.15.8.1 and put the waf rules under nginx/conf; starting OpenResty fails with this error:

2019/05/28 15:05:23 [error] 8427#0: lua_load_resty_core failed to load the resty.core module from https://github.com/openresty/lua-resty-core; ensure you are using an OpenResty release from https://openresty.org/en/download.html (rc: 2, reason: module 'resty.core' not found:
        no field package.preload['resty.core']
        no file '/usr/local/openresty/nginx/conf/waf/resty/core.lua'
        no file '/usr/local/openresty/site/lualib/resty/core.so'
        no file '/usr/local/openresty/lualib/resty/core.so'
        no file './resty/core.so'
        no file '/usr/local/lib/lua/5.1/resty/core.so'
        no file '/usr/local/openresty/luajit/lib/lua/5.1/resty/core.so'
        no file '/usr/local/lib/lua/5.1/loadall.so'
        no file '/usr/local/openresty/site/lualib/resty.so'
        no file '/usr/local/openresty/lualib/resty.so'
        no file './resty.so'
        no file '/usr/local/lib/lua/5.1/resty.so'
        no file '/usr/local/openresty/luajit/lib/lua/5.1/resty.so'
        no file '/usr/local/lib/lua/5.1/loadall.so')

Perhaps it has been too long; these waf rules need some modification before they can be used.
