various fixes - ttl on /bans api, dnsbl undercover bug, greylist, whitelist and wrong path in realip job
This commit is contained in:
parent
3dde3ac0aa
commit
5c415afa18
@ -18,6 +18,7 @@ RUN apk add --no-cache --virtual .build-deps py3-pip && \
|
|||
pip install --no-cache-dir --upgrade pip && \
|
||||
pip install wheel && \
|
||||
mkdir -p /usr/share/bunkerweb/deps/python && \
|
||||
export MAKEFLAGS="-j$(nproc)" && \
|
||||
pip install --no-cache-dir --require-hashes --target /usr/share/bunkerweb/deps/python -r /usr/share/bunkerweb/deps/requirements.txt && \
|
||||
apk del .build-deps
|
||||
|
||||
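Review bot: `pip install --no-cache-dir --upgrade pip` and `pip install wheel` (the context lines just above the new `export MAKEFLAGS` line) are unpinned and unhashed, while the dependency install two lines later enforces `--require-hashes`, so the build-time tooling sits outside the supply-chain guarantee the rest of this layer establishes. Pinning them, e.g. `pip install --no-cache-dir 'pip==<ver>' 'wheel==<ver>'` (or adding both to the hash-pinned requirements file), closes that gap. The added `export MAKEFLAGS="-j$(nproc)"` itself is fine; the RUN instruction begins outside this hunk.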
@ -141,12 +141,12 @@ api.global.GET["^/bans$"] = function(self)
|
|||
return self:response(ngx.HTTP_INTERNAL_SERVER_ERROR, "error",
|
||||
"can't access " .. k .. " from datastore : " + reason)
|
||||
end
|
||||
local ttl, err = self.datastore:ttl(k)
|
||||
if not ttl then
|
||||
local ok, ttl = self.datastore:ttl(k)
|
||||
if not ok then
|
||||
return self:response(ngx.HTTP_INTERNAL_SERVER_ERROR, "error",
|
||||
"can't access ttl " .. k .. " from datastore : " .. err)
|
||||
"can't access ttl " .. k .. " from datastore : " .. ttl)
|
||||
end
|
||||
local ban = { ip = k:sub(9, #k), reason = reason, exp = ttl }
|
||||
local ban = { ip = k:sub(9, #k), reason = reason, exp = math.floor(ttl) }
|
||||
table.insert(data, ban)
|
||||
end
|
||||
end
|
||||
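Review bot: The unchanged line `"can't access " .. k .. " from datastore : " + reason)` at the top of the hunk uses `+` where Lua needs `..`; when the datastore read fails, this branch raises "attempt to perform arithmetic on a string value" instead of returning the 500 response, so the handler crashes on exactly the error path it is meant to report. It should read `"can't access " .. k .. " from datastore : " .. reason)`. The new `exp = math.floor(ttl)` also assumes `datastore:ttl` returns a number on success; if the store can return a negative sentinel for keys without an expiry, that value would be passed straight through to the API response, which is worth confirming against the datastore implementation. The handler's body begins and ends outside this hunk.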
@ -383,7 +383,7 @@ utils.get_ips = function(fqdn)
|
|||
local ips = {}
|
||||
for i, answer in ipairs(answers) do
|
||||
if answer.address then
|
||||
table.insert(ips, answer.addres)
|
||||
table.insert(ips, answer.address)
|
||||
end
|
||||
end
|
||||
return ips, "success"
|
||||
@ -26,7 +26,7 @@ def format_remaining_time(seconds):
|
|||
if minutes > 0:
|
||||
time_parts.append(f"{int(minutes)} minute{'' if minutes == 1 else 's'}")
|
||||
if seconds > 0:
|
||||
time_parts.append(f"{seconds:.2f} second{'' if seconds == 1 else 's'}")
|
||||
time_parts.append(f"{seconds} second{'' if seconds == 1 else 's'}")
|
||||
|
||||
if len(time_parts) > 1:
|
||||
time_parts[-1] = f"and {time_parts[-1]}"
|
||||
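Review bot: Dropping the `:.2f` format leaves `seconds` rendered with Python's default `str()`, so if it arrives as a float (the `int(minutes)` cast on the line above suggests the caller does non-integer arithmetic, though the function's signature is outside this hunk) the output can become something like `0.30000000000000004 seconds`. If the intent is whole seconds, `f"{int(seconds)} second{'' if seconds == 1 else 's'}"` keeps the output stable; otherwise rounding once before the comparison and the format keeps the singular/plural test and the printed value consistent. The function begins outside this hunk.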
@ -22,6 +22,7 @@ function blacklist:initialize()
|
|||
local lists, err = self.datastore:get("plugin_blacklist_lists")
|
||||
if not lists then
|
||||
self.logger:log(ngx.ERR, err)
|
||||
self.lists = {}
|
||||
else
|
||||
self.lists = cjson.decode(lists)
|
||||
end
|
||||
|
@ -39,6 +40,9 @@ function blacklist:initialize()
|
|||
}
|
||||
for kind, _ in pairs(kinds) do
|
||||
for data in self.variables["BLACKLIST_" .. kind]:gmatch("%S+") do
|
||||
if not self.lists[kind] then
|
||||
self.lists[kind] = {}
|
||||
end
|
||||
table.insert(self.lists[kind], data)
|
||||
end
|
||||
end
|
||||
|
@ -116,7 +120,7 @@ function blacklist:access()
|
|||
elseif cached and cached ~= "ok" then
|
||||
return self:ret(true, k .. " is in cached blacklist (info : " .. cached .. ")", utils.get_deny_status())
|
||||
end
|
||||
if cached then
|
||||
if ok and cached then
|
||||
already_cached[k] = true
|
||||
end
|
||||
end
|
||||
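Review bot: The new `self.lists = {}` fallback in `blacklist:initialize()` makes a datastore read failure fail-open: the plugin then runs with only the static `BLACKLIST_*` variables, so every entry that normally comes from the stored lists stops being enforced, and the only trace is a single `ngx.ERR` line. That may be the intended trade-off for a blocklist, but it deserves saying explicitly next to the assignment, e.g. `-- datastore unreadable: fall back to the static BLACKLIST_* entries only (fail-open for stored lists)`. The `if ok and cached then` change in `blacklist:access()` looks correct as far as visible; the `if not ok` branch it pairs with begins outside the hunk.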
@ -27,6 +27,10 @@ function dnsbl:access()
|
|||
if self.variables["DNSBL_LIST"] == "" then
|
||||
return self:ret(true, "dnsbl list is empty")
|
||||
end
|
||||
-- Don't go further if IP is not global
|
||||
if not ngx.ctx.bw.ip_is_global then
|
||||
return self:ret(true, "client IP is not global, skipping DNSBL check")
|
||||
end
|
||||
-- Check if IP is in cache
|
||||
local ok, cached = self:is_in_cache(ngx.ctx.bw.remote_addr)
|
||||
if not ok then
|
||||
|
@ -37,14 +41,6 @@ function dnsbl:access()
|
|||
end
|
||||
return self:ret(true, "client IP " .. ngx.ctx.bw.remote_addr .. " is in DNSBL cache (server = " .. cached .. ")", utils.get_deny_status())
|
||||
end
|
||||
-- Don't go further if IP is not global
|
||||
if not ngx.ctx.bw.ip_is_global then
|
||||
local ok, err = self:add_to_cache(ngx.ctx.bw.remote_addr, "ok")
|
||||
if not ok then
|
||||
return self:ret(false, "error while adding element to cache : " .. err)
|
||||
end
|
||||
return self:ret(true, "client IP is not global, skipping DNSBL check")
|
||||
end
|
||||
-- Loop on DNSBL list
|
||||
for server in self.variables["DNSBL_LIST"]:gmatch("%S+") do
|
||||
local result, err = self:is_in_dnsbl(ngx.ctx.bw.remote_addr, server)
|
||||
|
@ -52,7 +48,7 @@ function dnsbl:access()
|
|||
self.logger:log(ngx.ERR, "error while sending DNS request to " .. server .. " : " .. err)
|
||||
end
|
||||
if result then
|
||||
local ok, err self:add_to_cache(ngx.ctx.bw.remote_addr, server)
|
||||
local ok, err = self:add_to_cache(ngx.ctx.bw.remote_addr, server)
|
||||
if not ok then
|
||||
return self:ret(false, "error while adding element to cache : " .. err)
|
||||
end
|
||||
|
@ -72,7 +68,7 @@ function dnsbl:preread()
|
|||
end
|
||||
|
||||
function dnsbl:is_in_cache(ip)
|
||||
local ok, data = self.cachestore:get("plugin_dnsbl_" .. ip)
|
||||
local ok, data = self.cachestore:get("plugin_dnsbl_" .. ngx.ctx.bw.server_name .. ip)
|
||||
if not ok then
|
||||
return false, data
|
||||
end
|
||||
|
@ -80,7 +76,7 @@ function dnsbl:is_in_cache(ip)
|
|||
end
|
||||
|
||||
function dnsbl:add_to_cache(ip, value)
|
||||
local ok, err = self.cachestore:set("plugin_dnsbl_" .. ip, value, 86400)
|
||||
local ok, err = self.cachestore:set("plugin_dnsbl_" .. ngx.ctx.bw.server_name .. ip, value, 86400)
|
||||
if not ok then
|
||||
return false, err
|
||||
end
|
||||
|
@ -88,14 +84,13 @@ function dnsbl:add_to_cache(ip, value)
|
|||
end
|
||||
|
||||
function dnsbl:is_in_dnsbl(ip, server)
|
||||
local request = resolver.arpa_str(ip) .. "." .. server
|
||||
local request = resolver.arpa_str(ip):gsub("%.in%-addr%.arpa", ""):gsub("%.ip6%.arpa", "") .. "." .. server
|
||||
local ips, err = utils.get_ips(request)
|
||||
if not ips then
|
||||
return nil, err
|
||||
end
|
||||
for i, ip in ipairs(ips) do
|
||||
local a, b, c, d = ip:match("([%d]+).([%d]+).([%d]+).([%d]+)")
|
||||
if a == "127" then
|
||||
if ip:find("^127%.0%.0%.") then
|
||||
return true, "success"
|
||||
end
|
||||
end
|
||||
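Review bot: The new cache key `"plugin_dnsbl_" .. ngx.ctx.bw.server_name .. ip` in `is_in_cache` and `add_to_cache` joins the two parts with no separator, so distinct (server_name, ip) pairs can collide (`web1` + `1.2.3.4` and `web` + `11.2.3.4` both give `web11.2.3.4`) and a verdict cached for one vhost would be served for another; use a delimiter and build the key in one place, e.g. `local function cache_key(ip) return "plugin_dnsbl_" .. ngx.ctx.bw.server_name .. "_" .. ip end`. Since `dnsbl:preread()` exists, it is also worth confirming `ngx.ctx.bw.server_name` is populated in the stream phase, because a nil there would raise on the concatenation. In `is_in_dnsbl`, the loop variable `ip` shadows the `ip` parameter (renaming it `addr` avoids the confusion), and the narrowed `^127%.0%.0%.` test now ignores lists that answer with other 127.x codes — presumably intended to exclude error responses, but a comment stating that would help.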
@ -21,6 +21,7 @@ function greylist:initialize()
|
|||
local lists, err = self.datastore:get("plugin_greylist_lists")
|
||||
if not lists then
|
||||
self.logger:log(ngx.ERR, err)
|
||||
self.lists = {}
|
||||
else
|
||||
self.lists = cjson.decode(lists)
|
||||
end
|
||||
|
@ -33,6 +34,9 @@ function greylist:initialize()
|
|||
}
|
||||
for kind, _ in pairs(kinds) do
|
||||
for data in self.variables["GREYLIST_" .. kind]:gmatch("%S+") do
|
||||
if not self.lists[kind] then
|
||||
self.lists[kind] = {}
|
||||
end
|
||||
table.insert(self.lists[kind], data)
|
||||
end
|
||||
end
|
||||
|
@ -98,13 +102,13 @@ function greylist:access()
|
|||
["UA"] = false
|
||||
}
|
||||
for k, v in pairs(checks) do
|
||||
local cached, err = self:is_in_cache(v)
|
||||
if not cached and err ~= "success" then
|
||||
self.logger:log(ngx.ERR, "error while checking cache : " .. err)
|
||||
elseif cached and cached ~= "ok" then
|
||||
return self:ret(true, k .. " is in cached greylist", utils.get_deny_status())
|
||||
local ok, cached = self:is_in_cache(v)
|
||||
if not ok then
|
||||
self.logger:log(ngx.ERR, "error while checking cache : " .. cached)
|
||||
elseif cached and cached ~= "ko" then
|
||||
return self:ret(true, k .. " is in cached greylist (info : " .. cached .. ")")
|
||||
end
|
||||
if cached then
|
||||
if ok and cached then
|
||||
already_cached[k] = true
|
||||
end
|
||||
end
|
||||
|
@ -115,23 +119,23 @@ function greylist:access()
|
|||
-- Perform checks
|
||||
for k, v in pairs(checks) do
|
||||
if not already_cached[k] then
|
||||
local greylisted, err = self:is_greylisted(k)
|
||||
if greylisted == nil then
|
||||
self.logger:log(ngx.ERR, "error while checking if " .. k .. " is greylisted : " .. err)
|
||||
local ok, greylisted = self:is_greylisted(k)
|
||||
if ok == nil then
|
||||
self.logger:log(ngx.ERR, "error while checking if " .. k .. " is greylisted : " .. greylisted)
|
||||
else
|
||||
local ok, err = self:add_to_cache(self:kind_to_ele(k), greylisted or "ok")
|
||||
local ok, err = self:add_to_cache(self:kind_to_ele(k), greylisted)
|
||||
if not ok then
|
||||
self.logger:log(ngx.ERR, "error while adding element to cache : " .. err)
|
||||
end
|
||||
if greylisted == "ko" then
|
||||
return self:ret(true, k .. " is not in greylist", utils.get_deny_status())
|
||||
if greylisted ~= "ko" then
|
||||
return self:ret(true, k .. " is in greylist")
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
-- Return
|
||||
return self:ret(true, "greylisted")
|
||||
return self:ret(true, "not in greylist", utils.get_deny_status())
|
||||
end
|
||||
|
||||
function greylist:preread()
|
||||
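Review bot: In the "Perform checks" loop of `greylist:access()`, `if ok == nil then` is the only place in this section that tests the first return value against nil rather than with `not ok`; if `is_greylisted` reports failure as `false, err` (the convention `is_in_cache` follows in the dnsbl section of this same commit, and presumably here), an error skips the log branch, the error string is written to the cache via `add_to_cache(..., greylisted)`, and because that string is `~= "ko"` the request is allowed as a greylist hit — a fail-open that also persists the wrong verdict for the cache TTL. `if not ok then` matches the other call sites and closes that path. Separately, `local ok, err = self:add_to_cache(...)` shadows the outer `ok` inside the else-branch, which is harmless here but easy to misread. `greylist:access()` begins outside this hunk.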
@ -119,7 +119,7 @@ try:
|
|||
|
||||
# Put file in cache
|
||||
cached, err = cache_file(
|
||||
"/var/tmp/bunkerweb/realip-combined.list",
|
||||
"/var/tmp/bunkerweb/realip/combined.list",
|
||||
"/var/cache/bunkerweb/realip/combined.list",
|
||||
new_hash,
|
||||
db,
|
||||
@ -23,6 +23,7 @@ function whitelist:initialize()
|
|||
local lists, err = self.datastore:get("plugin_whitelist_lists")
|
||||
if not lists then
|
||||
self.logger:log(ngx.ERR, err)
|
||||
self.lists = {}
|
||||
else
|
||||
self.lists = cjson.decode(lists)
|
||||
end
|
||||
|
@ -35,6 +36,9 @@ function whitelist:initialize()
|
|||
}
|
||||
for kind, _ in pairs(kinds) do
|
||||
for data in self.variables["WHITELIST_" .. kind]:gmatch("%S+") do
|
||||
if not self.lists[kind] then
|
||||
self.lists[kind] = {}
|
||||
end
|
||||
table.insert(self.lists[kind], data)
|
||||
end
|
||||
end
|
||||
|
@ -166,7 +170,7 @@ function whitelist:check_cache()
|
|||
checks["URI"] = "uri" .. ngx.ctx.bw.uri
|
||||
end
|
||||
local already_cached = {}
|
||||
for i, k in ipairs(checks) do
|
||||
for k, v in pairs(checks) do
|
||||
already_cached[k] = false
|
||||
end
|
||||
for k, v in pairs(checks) do
|
||||
|
@ -176,7 +180,7 @@ function whitelist:check_cache()
|
|||
elseif cached and cached ~= "ok" then
|
||||
return true, k .. " is in cached whitelist (info : " .. cached .. ")"
|
||||
end
|
||||
if cached then
|
||||
if ok and cached then
|
||||
already_cached[k] = true
|
||||
end
|
||||
end
|
||||
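Review bot: In `whitelist:check_cache()` the corrected `for k, v in pairs(checks) do already_cached[k] = false end` fixes the earlier `ipairs` over a string-keyed table, which never ran, but `v` is unused there and the pre-initialisation is redundant: a missing key reads as nil, which is falsy exactly like `false`, so the loop can be dropped or at least written `for k, _ in pairs(checks)`. The `self.lists = {}` fallback in `whitelist:initialize()` means a datastore error leaves only the static `WHITELIST_*` entries active; for a whitelist that is the safe direction (fewer bypasses), but a one-line comment saying so would help the next reader.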