From 4f5b8d3c252da0664db47da3af2a9d5afc6aa9cb Mon Sep 17 00:00:00 2001
From: opswill <7550211+opswill@users.noreply.github.com>
Date: Wed, 24 Feb 2021 21:34:44 +0800
Subject: [PATCH 1/5] Update lib.lua
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

nginx一个virtual Host有多个域名时,$server_name 默认是取第一个,改为$host保证日志正确记录域名
---
 waf/lib.lua | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/waf/lib.lua b/waf/lib.lua
index 8052d5b..a7ab7a1 100644
--- a/waf/lib.lua
+++ b/waf/lib.lua
@@ -48,7 +48,7 @@ function log_record(method,url,data,ruletag)
     local LOG_PATH = config_log_dir
     local CLIENT_IP = get_client_ip()
     local USER_AGENT = get_user_agent()
-    local SERVER_NAME = ngx.var.server_name
+    local SERVER_NAME = ngx.var.host
     local LOCAL_TIME = ngx.localtime()
     local log_json_obj = {
         client_ip = CLIENT_IP,

From b9cc8f57f90ca21bdad009a2c337a2c957c6c9ed Mon Sep 17 00:00:00 2001
From: opswill <7550211+opswill@users.noreply.github.com>
Date: Sun, 28 Feb 2021 15:00:02 +0800
Subject: [PATCH 2/5] =?UTF-8?q?=E5=AE=8C=E5=96=84POST=E8=BF=87=E6=BB=A4?=
 =?UTF-8?q?=EF=BC=8C=E9=98=B2=E6=AD=A2lua=E5=8F=82=E6=95=B0=E6=BA=A2?=
 =?UTF-8?q?=E5=87=BA?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

1,完善POST过滤
2.限制GET、POST最大参数,防止参数过多时导致的waf Bypass
---
 .gitignore | 2 ++
 1 file changed, 2 insertions(+)
 create mode 100644 .gitignore

diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..9bea433
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,2 @@
+
+.DS_Store

From 24d41eaffc3141e5b85a301b3adf1d0ce36ce79f Mon Sep 17 00:00:00 2001
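Review bot: With `ngx.var.host` the value written into the log's server_name field comes from the client's request (the host in the request line or the Host header, per nginx's $host rules), so it is attacker-controlled, unlike the configured `server_name` it replaces. That is the right field for telling virtual hosts apart, but nothing downstream should treat it as trusted or well-formed; say so at the assignment: `local SERVER_NAME = ngx.var.host -- client-supplied Host (untrusted); for log correlation only`. How log_json_obj is serialised, and whether that escapes the value, is not visible in the hunk; if the line is built by string concatenation rather than a JSON encoder, a crafted Host header can break the log format. The rest of log_record lies outside the hunk.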
From: opswill <7550211+opswill@users.noreply.github.com>
Date: Sun, 28 Feb 2021 15:04:35 +0800
Subject: [PATCH 3/5] =?UTF-8?q?Revert=20"=E5=AE=8C=E5=96=84POST=E8=BF=87?=
 =?UTF-8?q?=E6=BB=A4=EF=BC=8C=E9=98=B2=E6=AD=A2lua=E5=8F=82=E6=95=B0?=
 =?UTF-8?q?=E6=BA=A2=E5=87=BA"?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

This reverts commit b9cc8f57f90ca21bdad009a2c337a2c957c6c9ed.
---
 .gitignore | 2 --
 1 file changed, 2 deletions(-)
 delete mode 100644 .gitignore

diff --git a/.gitignore b/.gitignore
deleted file mode 100644
index 9bea433..0000000
--- a/.gitignore
+++ /dev/null
@@ -1,2 +0,0 @@
-
-.DS_Store

From 55361a97059ba94fb1723a0e7367f622895930e0 Mon Sep 17 00:00:00 2001
From: opswill <7550211+opswill@users.noreply.github.com>
Date: Sun, 28 Feb 2021 15:06:17 +0800
Subject: [PATCH 4/5] =?UTF-8?q?=E5=AE=8C=E5=96=84POST=E8=BF=87=E6=BB=A4?=
 =?UTF-8?q?=EF=BC=8C=E9=98=B2=E6=AD=A2lua=E5=8F=82=E6=95=B0=E6=BA=A2?=
 =?UTF-8?q?=E5=87=BA?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

1. 完善POST过滤
2. 限制GET、POST最大参数,防止参数过多时导致的waf Bypass
---
 .gitignore | 2 ++
 waf/init.lua | 31 ++++++++++++++++++++++++++++---
 2 files changed, 30 insertions(+), 3 deletions(-)
 create mode 100644 .gitignore

diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..9bea433
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,2 @@
+
+.DS_Store
diff --git a/waf/init.lua b/waf/init.lua
index d69c3df..7fb4b1b 100644
--- a/waf/init.lua
+++ b/waf/init.lua
@@ -122,9 +122,13 @@ end
 --deny url args
 function url_args_attack_check()
     if config_url_args_check == "on" then
+        local REQ_ARGS,ERR = ngx.req.get_uri_args()
+        -- limit max args to stop uri parameter overflow , return 403 if args larger than default(100)
+        if err == "truncated" then
+            ngx.exit(403)
+        end
         local ARGS_RULES = get_rule('args.rule')
         for _,rule in pairs(ARGS_RULES) do
-            local REQ_ARGS = ngx.req.get_uri_args()
             for key, val in pairs(REQ_ARGS) do
                 if type(val) == 'table' then
                     ARGS_DATA = table.concat(val, " ")
@@ -166,9 +170,30 @@ end
 --deny post
 function post_attack_check()
     if config_post_check == "on" then
+        ngx.req.read_body()
+        local POST_ARGS,err = ngx.req.get_post_args()
+        -- limit max post args to stop uri parameter overflow , return 403 if post args larger than default(100)
+        if err == "truncated" then
+            ngx.exit(403)
+        end
         local POST_RULES = get_rule('post.rule')
-        for _,rule in pairs(ARGS_RULES) do
-            local POST_ARGS = ngx.req.get_post_args()
+
+        for key, val in pairs(POST_ARGS) do
+            if type(val) == "table" then
+                ARGS_DATA = table.concat(key, ", ")
+            else
+                ARGS_DATA = key
+            end
+        end
+
+        for _,rule in pairs(POST_RULES) do
+            if ARGS_DATA and type(ARGS_DATA) ~= "boolean" and rule ~="" and rulematch(unescape(ARGS_DATA),rule,"jo") then
+                log_record('Deny_POST_Args',ngx.var.request_uri,"-",rule)
+                if config_waf_enable == "on" then
+                    waf_output()
+                    return true
+                end
+            end
         end
         return true
     end

From 941670eca8211c5c9ae2f3772132c6f7f9ce614a Mon Sep 17 00:00:00 2001
From: opswill <7550211+opswill@users.noreply.github.com>
Date: Sun, 28 Feb 2021 15:10:10 +0800
Subject: [PATCH 5/5] =?UTF-8?q?=E8=B0=83=E6=95=B4=E7=AD=96=E7=95=A5?=
 =?UTF-8?q?=E4=BC=98=E5=85=88=E7=BA=A7?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

waf策略改为先白后黑,同时开启post过滤
---
 waf/access.lua | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/waf/access.lua b/waf/access.lua
index 54b5acc..34571a2 100644
--- a/waf/access.lua
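Review bot: The truncation guard added at the top of url_args_attack_check never fires: the second return value of ngx.req.get_uri_args() is bound to `ERR`, but the test reads `err`, which is an undeclared global and therefore nil, so a request carrying more than the default 100 parameters is not rejected and only the first 100 reach the rule loop — exactly the bypass the commit sets out to close. Change the binding to `local REQ_ARGS, err = ngx.req.get_uri_args()` and, following ngx_lua convention, write `return ngx.exit(403)` so the termination is explicit to readers. Hoisting get_uri_args out of the per-rule loop is a good change; the loop body still assigns the global `ARGS_DATA`, which is shared across requests within a worker, but that line is pre-existing. The rest of the function runs past the hunk.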
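Review bot: In post_attack_check the new parameter loop inspects at most one parameter and never a value: `ARGS_DATA` is overwritten on each iteration of `for key, val in pairs(POST_ARGS)`, so only the last key in (unspecified) pairs order reaches the rule loop, and for a repeated parameter `table.concat(key, ", ")` is called on a string key and raises, turning the request into a Lua error instead of a verdict. Values, which is where injection payloads sit, are never matched against post.rule. ngx.req.get_post_args() also returns nil plus an error when the body is not available as form arguments (for example when nginx spooled it to a temp file), and `pairs(POST_ARGS)` then throws. The matching should move inside the parameter loop, cover both name and value(s), use a local instead of the shared global, and guard the nil case, since enabling this check in access.lua makes these paths reachable on every POST. The closing `end` of the function lies outside the hunk.
```lua
        ngx.req.read_body()
        local POST_ARGS, err = ngx.req.get_post_args()
        -- … unchanged: "truncated" check …
        if not POST_ARGS then
            -- body not parsable as form args (e.g. spooled to a temp file); nothing to scan here
            return true
        end
        local POST_RULES = get_rule('post.rule')
        for key, val in pairs(POST_ARGS) do
            -- scan the name and every value it carries; bare flags (val == true) contribute only the name
            local parts = { key }
            if type(val) == "table" then
                for _, v in ipairs(val) do
                    if type(v) == "string" then parts[#parts + 1] = v end
                end
            elseif type(val) == "string" then
                parts[#parts + 1] = val
            end
            local args_data = table.concat(parts, " ")
            for _, rule in pairs(POST_RULES) do
                if rule ~= "" and rulematch(unescape(args_data), rule, "jo") then
                    log_record('Deny_POST_Args', ngx.var.request_uri, "-", rule)
                    if config_waf_enable == "on" then
                        waf_output()
                        return true
                    end
                end
            end
        end
        -- … unchanged: return true / end …
```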
+++ b/waf/access.lua
@@ -2,14 +2,14 @@ require 'init'
 
 function waf_main()
     if white_ip_check() then
+    elseif white_url_check() then
     elseif black_ip_check() then
     elseif user_agent_attack_check() then
     elseif cc_attack_check() then
     elseif cookie_attack_check() then
-    elseif white_url_check() then
     elseif url_attack_check() then
     elseif url_args_attack_check() then
-    --elseif post_attack_check() then
+    elseif post_attack_check() then
     else
         return
     end
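Review bot: Moving white_url_check ahead of black_ip_check changes what the URL whitelist means: a request whose URL matches a whitelist entry now skips the IP blacklist, the user-agent, CC and cookie checks, and the POST check this same hunk enables, whereas before this change a blacklisted IP was rejected regardless of path. If the white URL rules are pattern matches (white_url_check is not visible here), a single broad entry lets a blocked client reach the backend unchecked by choosing a whitelisted path, and the CC rate limit no longer protects those paths either. At minimum keep the IP blacklist in front of the URL whitelist: `if white_ip_check() then` / `elseif black_ip_check() then` / `elseif white_url_check() then`, and decide deliberately whether the CC check should also precede it. The closing `end` of waf_main is beyond the hunk.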