logs/lua - add logger tool

This commit is contained in:
bunkerity 2021-05-19 11:11:18 +02:00
parent de560490d3
commit 8260746fe1
No known key found for this signature in database
GPG Key ID: 3D80806F12602A7C
13 changed files with 81 additions and 57 deletions


@ -10,14 +10,15 @@ rewrite_by_lua_block {
local api = require "api"
local api_whitelist_ip = {%API_WHITELIST_IP%}
local api_uri = "%API_URI%"
local logger = require "logger"
if api.is_api_call(api_uri, api_whitelist_ip) then
ngx.header.content_type = 'text/plain'
if api.do_api_call(api_uri) then
ngx.log(ngx.NOTICE, "[API] API call " .. ngx.var.request_uri .. " successfull from " .. ngx.var.remote_addr)
logger.log(ngx.NOTICE, "API", "API call " .. ngx.var.request_uri .. " successfull from " .. ngx.var.remote_addr)
ngx.say("ok")
else
ngx.log(ngx.WARN, "[API] API call " .. ngx.var.request_uri .. " failed from " .. ngx.var.remote_addr)
logger.log(ngx.WARN, "API", "API call " .. ngx.var.request_uri .. " failed from " .. ngx.var.remote_addr)
ngx.say("ko")
end
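Review bot: The new message at L22 carries over the misspelling `successfull`; since these lines are what operators will grep and alert on, this is the moment to spell it `successful`, i.e. `logger.log(ngx.NOTICE, "API", "API call " .. ngx.var.request_uri .. " successful from " .. ngx.var.remote_addr)`. The same line appears in the second file section (L41). The enclosing `rewrite_by_lua_block` begins and ends outside the hunk.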


@ -3,14 +3,15 @@ rewrite_by_lua_block {
local api = require "api"
local api_whitelist_ip = {%API_WHITELIST_IP%}
local api_uri = "%API_URI%"
local logger = require "logger"
if api.is_api_call(api_uri, api_whitelist_ip) then
ngx.header.content_type = 'text/plain'
if api.do_api_call(api_uri) then
ngx.log(ngx.NOTICE, "[API] API call " .. ngx.var.request_uri .. " successfull from " .. ngx.var.remote_addr)
logger.log(ngx.NOTICE, "API", "API call " .. ngx.var.request_uri .. " successfull from " .. ngx.var.remote_addr)
ngx.say("ok")
else
ngx.log(ngx.WARN, "[API] API call " .. ngx.var.request_uri .. " failed from " .. ngx.var.remote_addr)
logger.log(ngx.WARN, "API", "API call " .. ngx.var.request_uri .. " failed from " .. ngx.var.remote_addr)
ngx.say("ko")
end


@ -1,6 +1,7 @@
init_by_lua_block {
local dataloader = require "dataloader"
local logger = require "logger"
local use_proxies = %USE_PROXIES%
local use_abusers = %USE_ABUSERS%
@ -33,10 +34,10 @@ if use_crowdsec then
local cs = require "crowdsec.CrowdSec"
local ok, err = cs.init("/etc/nginx/crowdsec.conf")
if ok == nil then
ngx.log(ngx.ERR, "[CROWDSEC] " .. err)
logger.log(ngx.ERR, "CROWDSEC", err)
error()
end
ngx.log(ngx.ERR, "[CROWDSEC] *NOT AN ERROR* initialisation done")
logger.log(ngx.ERR, "CROWDSEC" "*NOT AN ERROR* initialisation done")
end
}
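Review bot: The new line `logger.log(ngx.ERR, "CROWDSEC" "*NOT AN ERROR* initialisation done")` is missing the comma between the tag and the message; two adjacent string literals are not valid Lua inside an argument list, so the whole `init_by_lua_block` chunk fails to compile and nginx should refuse to start, regardless of the value of `use_crowdsec`. Change it to `logger.log(ngx.ERR, "CROWDSEC", "*NOT AN ERROR* initialisation done")`. On the error path just above, `err` from `cs.init` is now concatenated inside the logger; if that call can return `nil` without a message, the log call itself would raise before `error()` is reached, so `tostring(err)` is worth adding unless the CrowdSec API guarantees a string. The enclosing `init_by_lua_block` begins outside the first hunk.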


@ -6,8 +6,9 @@ location = %ANTIBOT_URI% {
content_by_lua_block {
local cookie = require "cookie"
local captcha = require "captcha"
local logger = require "logger"
if not cookie.is_set("uri") then
ngx.log(ngx.NOTICE, "[ANTIBOT] captcha fail (1) for " .. ngx.var.remote_addr)
logger.log(ngx.WARN, "ANTIBOT", "captcha fail (1) for " .. ngx.var.remote_addr)
return ngx.exit(ngx.HTTP_FORBIDDEN)
end
local img, res = captcha.get_challenge()
@ -21,20 +22,21 @@ location = %ANTIBOT_URI% {
access_by_lua_block {
local cookie = require "cookie"
local captcha = require "captcha"
local logger = require "logger"
if not cookie.is_set("captchares") then
ngx.log(ngx.NOTICE, "[ANTIBOT] captcha fail (2) for " .. ngx.var.remote_addr)
logger.log(ngx.WARN, "ANTIBOT", "captcha fail (2) for " .. ngx.var.remote_addr)
return ngx.exit(ngx.HTTP_FORBIDDEN)
end
ngx.req.read_body()
local args, err = ngx.req.get_post_args(1)
if err == "truncated" or not args or not args["captcha"] then
ngx.log(ngx.NOTICE, "[ANTIBOT] captcha fail (3) for " .. ngx.var.remote_addr)
logger.log(ngx.WARN, "ANTIBOT", "captcha fail (3) for " .. ngx.var.remote_addr)
return ngx.exit(ngx.HTTP_FORBIDDEN)
end
local captcha_user = args["captcha"]
local check = captcha.check(captcha_user, cookie.get("captchares"))
if not check then
ngx.log(ngx.NOTICE, "[ANTIBOT] captcha fail (4) for " .. ngx.var.remote_addr)
logger.log(ngx.WARN, "ANTIBOT", "captcha fail (4) for " .. ngx.var.remote_addr)
return ngx.redirect("%ANTIBOT_URI%")
end
cookie.set({captcha = "ok"})


@ -6,8 +6,9 @@ location = %ANTIBOT_URI% {
content_by_lua_block {
local cookie = require "cookie"
local javascript = require "javascript"
local logger = require "logger"
if not cookie.is_set("challenge") then
ngx.log(ngx.WARN, "[ANTIBOT] javascript fail (1) for " .. ngx.var.remote_addr)
logger.log(ngx.WARN, "ANTIBOT", "javascript fail (1) for " .. ngx.var.remote_addr)
return ngx.exit(ngx.HTTP_FORBIDDEN)
end
local challenge = cookie.get("challenge")
@ -20,20 +21,21 @@ location = %ANTIBOT_URI% {
content_by_lua_block {
local cookie = require "cookie"
local javascript = require "javascript"
local logger = require "logger"
if not cookie.is_set("challenge") then
ngx.log(ngx.WARN, "[ANTIBOT] javascript fail (2) for " .. ngx.var.remote_addr)
logger.log(ngx.WARN, "ANTIBOT", "javascript fail (2) for " .. ngx.var.remote_addr)
return ngx.exit(ngx.HTTP_FORBIDDEN)
end
ngx.req.read_body()
local args, err = ngx.req.get_post_args(1)
if err == "truncated" or not args or not args["challenge"] then
ngx.log(ngx.WARN, "[ANTIBOT] javascript fail (3) for " .. ngx.var.remote_addr)
logger.log(ngx.WARN, "ANTIBOT", "javascript fail (3) for " .. ngx.var.remote_addr)
return ngx.exit(ngx.HTTP_FORBIDDEN)
end
local challenge = args["challenge"]
local check = javascript.check(cookie.get("challenge"), challenge)
if not check then
ngx.log(ngx.WARN, "[ANTIBOT] javascript fail (4) for " .. ngx.var.remote_addr)
logger.log(ngx.WARN, "ANTIBOT", "javascript fail (4) for " .. ngx.var.remote_addr)
return ngx.exit(ngx.HTTP_FORBIDDEN)
end
cookie.set({javascript = "ok"})


@ -6,8 +6,9 @@ location = %ANTIBOT_URI% {
content_by_lua_block {
local cookie = require "cookie"
local recaptcha = require "recaptcha"
local loggger = require "logger"
if not cookie.is_set("uri") then
ngx.log(ngx.NOTICE, "[ANTIBOT] recaptcha fail (1) for " .. ngx.var.remote_addr)
logger.log(ngx.WARN, "ANTIBOT", "recaptcha fail (1) for " .. ngx.var.remote_addr)
return ngx.exit(ngx.HTTP_FORBIDDEN)
end
local code = recaptcha.get_code("%ANTIBOT_URI%", "%ANTIBOT_RECAPTCHA_SITEKEY%")
@ -19,20 +20,21 @@ location = %ANTIBOT_URI% {
access_by_lua_block {
local cookie = require "cookie"
local recaptcha = require "recaptcha"
local logger = require "logger"
if not cookie.is_set("uri") then
ngx.log(ngx.NOTICE, "[ANTIBOT] recaptcha fail (2) for " .. ngx.var.remote_addr)
logger.log(ngx.WARN, "ANTIBOT", "recaptcha fail (2) for " .. ngx.var.remote_addr)
return ngx.exit(ngx.HTTP_FORBIDDEN)
end
ngx.req.read_body()
local args, err = ngx.req.get_post_args(1)
if err == "truncated" or not args or not args["token"] then
ngx.log(ngx.NOTICE, "[ANTIBOT] recaptcha fail (3) for " .. ngx.var.remote_addr)
logger.log(ngx.WARN, "ANTIBOT", "recaptcha fail (3) for " .. ngx.var.remote_addr)
return ngx.exit(ngx.HTTP_FORBIDDEN)
end
local token = args["token"]
local check = recaptcha.check(token, "%ANTIBOT_RECAPTCHA_SECRET%")
if check < %ANTIBOT_RECAPTCHA_SCORE% then
ngx.log(ngx.NOTICE, "[ANTIBOT] recaptcha fail (4) for " .. ngx.var.remote_addr .. " (score = " .. tostring(check) .. ")")
logger.log(ngx.WARN, "ANTIBOT", "recaptcha fail (4) for " .. ngx.var.remote_addr .. " (score = " .. tostring(check) .. ")")
return ngx.exit(ngx.HTTP_FORBIDDEN)
end
cookie.set({recaptcha = "ok"})
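Review bot: L154 declares `loggger` but L157 calls `logger.log`, so inside the `content_by_lua_block` the name `logger` resolves to an undefined global and the first request that arrives without the `uri` cookie fails with `attempt to index global 'logger' (a nil value)` — a 500 with a stack trace in the error log instead of the intended 403. Fix the declaration: `local logger = require "logger"`. The `access_by_lua_block` below (L165) spells it correctly. Both blocks begin and end outside their hunks.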


@ -48,15 +48,16 @@ local dnsbl_list = {%DNSBL_LIST%}
local use_bad_behavior = %USE_BAD_BEHAVIOR%
-- include LUA code
local whitelist = require "whitelist"
local blacklist = require "blacklist"
local dnsbl = require "dnsbl"
local cookie = require "cookie"
local javascript = require "javascript"
local captcha = require "captcha"
local recaptcha = require "recaptcha"
local iputils = require "resty.iputils"
local behavior = require "behavior"
local whitelist = require "whitelist"
local blacklist = require "blacklist"
local dnsbl = require "dnsbl"
local cookie = require "cookie"
local javascript = require "javascript"
local captcha = require "captcha"
local recaptcha = require "recaptcha"
local iputils = require "resty.iputils"
local behavior = require "behavior"
local logger = require "logger"
-- user variables
local antibot_uri = "%ANTIBOT_URI%"
@ -101,13 +102,14 @@ end
-- check if URI is whitelisted
for k, v in pairs(whitelist_uri) do
if ngx.var.request_uri == v then
ngx.log(ngx.NOTICE, "[WHITELIST] URI " .. v .. " is whitelisted")
logger.log(ngx.NOTICE, "WHITELIST", "URI " .. v .. " is whitelisted")
ngx.exit(ngx.OK)
end
end
-- check if it's certbot
if use_lets_encrypt and string.match(ngx.var.request_uri, "^/.well-known/acme-challenge/") then
logger.log(ngx.INFO, "LETSENCRYPT", "got a visit from Let's Encrypt")
ngx.exit(ngx.OK)
end
@ -127,7 +129,7 @@ end
-- check if IP is banned because of "bad behavior"
if use_bad_behavior and behavior.is_banned() then
ngx.log(ngx.NOTICE, "[BLOCK] IP " .. ngx.var.remote_addr .. " is banned because of bad behavior")
logger.log(ngx.WARN, "BEHAVIOR", "IP " .. ngx.var.remote_addr .. " is banned because of bad behavior")
ngx.exit(ngx.HTTP_FORBIDDEN)
end
@ -135,7 +137,7 @@ end
if use_proxies then
local value, flags = ngx.shared.proxies_data:get(iputils.ip2bin(ngx.var.remote_addr))
if value ~= nil then
ngx.log(ngx.NOTICE, "[BLOCK] IP " .. ngx.var.remote_addr .. " is in proxies list")
logger.log(ngx.WARN, "PROXIES", "IP " .. ngx.var.remote_addr .. " is in proxies list")
ngx.exit(ngx.HTTP_FORBIDDEN)
end
end
@ -144,7 +146,7 @@ end
if use_abusers then
local value, flags = ngx.shared.abusers_data:get(iputils.ip2bin(ngx.var.remote_addr))
if value ~= nil then
ngx.log(ngx.NOTICE, "[BLOCK] IP " .. ngx.var.remote_addr .. " is in abusers list")
logger.log(ngx.WARN, "ABUSERS", "IP " .. ngx.var.remote_addr .. " is in abusers list")
ngx.exit(ngx.HTTP_FORBIDDEN)
end
end
@ -153,7 +155,7 @@ end
if use_tor_exit_nodes then
local value, flags = ngx.shared.tor_exit_nodes_data:get(iputils.ip2bin(ngx.var.remote_addr))
if value ~= nil then
ngx.log(ngx.NOTICE, "[BLOCK] IP " .. ngx.var.remote_addr .. " is in TOR exit nodes list")
logger.log(ngx.WARN, "TOR", "IP " .. ngx.var.remote_addr .. " is in TOR exit nodes list")
ngx.exit(ngx.HTTP_FORBIDDEN)
end
end
@ -163,7 +165,7 @@ if use_user_agents and ngx.var.http_user_agent ~= nil then
local whitelisted = false
for k, v in pairs(whitelist_user_agent) do
if string.match(ngx.var.http_user_agent, v) then
ngx.log(ngx.NOTICE, "[ALLOW] User-Agent " .. ngx.var.http_user_agent .. " is whitelisted")
logger.log(ngx.NOTICE, "WHITELIST", "User-Agent " .. ngx.var.http_user_agent .. " is whitelisted")
whitelisted = true
break
end
@ -185,7 +187,7 @@ if use_user_agents and ngx.var.http_user_agent ~= nil then
end
end
if value == "ko" then
ngx.log(ngx.NOTICE, "[BLOCK] User-Agent " .. ngx.var.http_user_agent .. " is blacklisted")
logger.log(ngx.WARN, "USER-AGENT", "User-Agent " .. ngx.var.http_user_agent .. " is blacklisted")
ngx.exit(ngx.HTTP_FORBIDDEN)
end
end
@ -209,14 +211,14 @@ if use_referrer and ngx.var.http_referer ~= nil then
end
end
if value == "ko" then
ngx.log(ngx.NOTICE, "[BLOCK] Referrer " .. ngx.var.http_referer .. " is blacklisted")
logger.log(ngx.WARN, "REFERRER", "Referrer " .. ngx.var.http_referer .. " is blacklisted")
ngx.exit(ngx.HTTP_FORBIDDEN)
end
end
-- check if country is allowed
if use_country and ngx.var.allowed_country == "no" then
ngx.log(ngx.NOTICE, "[BLOCK] Country of " .. ngx.var.remote_addr .. " is blacklisted")
logger.log(ngx.WARN, "COUNTRY", "Country of " .. ngx.var.remote_addr .. " is blacklisted")
ngx.exit(ngx.HTTP_FORBIDDEN)
end
@ -231,10 +233,10 @@ end
if use_crowdsec then
local ok, err = require "crowdsec.CrowdSec".allowIp(ngx.var.remote_addr)
if ok == nil then
ngx.log(ngx.ERR, "[Crowdsec] " .. err)
logger.log(ngx.ERR, "CROWDSEC", err)
end
if not ok then
ngx.log(ngx.NOTICE, "[Crowdsec] denied '" .. ngx.var.remote_addr .. "'")
logger.log(ngx.WARN, "CROWDSEC", "denied " .. ngx.var.remote_addr)
ngx.exit(ngx.HTTP_FORBIDDEN)
end
end
@ -246,7 +248,7 @@ if use_antibot_cookie then
cookie.set({uri = ngx.var.request_uri})
return ngx.redirect(antibot_uri)
end
ngx.log(ngx.NOTICE, "[ANTIBOT] cookie fail for " .. ngx.var.remote_addr)
logger.log(ngx.WARN, "ANTIBOT", "cookie fail for " .. ngx.var.remote_addr)
return ngx.exit(ngx.HTTP_FORBIDDEN)
else
if ngx.var.request_uri == antibot_uri then
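Review bot: The added line `logger.log(ngx.INFO, "LETSENCRYPT", "got a visit from Let's Encrypt")` (L224) asserts who the client is, but the condition above it only matches the URI prefix, and this branch then calls `ngx.exit(ngx.OK)` before every other check runs, so the log line is the only trace such requests leave. Record what is actually known: `logger.log(ngx.INFO, "LETSENCRYPT", "ACME challenge path requested by " .. ngx.var.remote_addr)`. The same section also feeds `ngx.var.http_user_agent` and `ngx.var.http_referer` (L266, L275, L284) into the new logger unchanged, which is fine as long as the logger is the place that neutralises control characters. The enclosing `access_by_lua_block` begins and ends outside these hunks.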


@ -1,4 +1,5 @@
local M = {}
local M = {}
local logger = require "logger"
function M.is_banned ()
return ngx.shared.behavior_ban:get(ngx.var.remote_addr) == true
@ -14,14 +15,14 @@ function M.count (status_codes, threshold, count_time, ban_time)
count = count + 1
local ok, err = ngx.shared.behavior_count:set(ngx.var.remote_addr, count, count_time)
if not ok then
ngx.log(ngx.ERR, "[BEHAVIOR] not enough memory allocated to behavior_ip_count")
logger.log(ngx.ERR, "BEHAVIOR", "not enough memory allocated to behavior_ip_count")
return
end
if count >= threshold then
ngx.log(ngx.NOTICE, "[BEHAVIOR] threshold reached for " .. ngx.var.remote_addr .. " (" .. count .. " / " .. threshold .. ") : IP is banned for " .. ban_time .. " seconds")
logger.log(ngx.WARN, "BEHAVIOR", "threshold reached for " .. ngx.var.remote_addr .. " (" .. count .. " / " .. threshold .. ") : IP is banned for " .. ban_time .. " seconds")
local ok, err = ngx.shared.behavior_ban:safe_set(ngx.var.remote_addr, true, ban_time)
if not ok then
ngx.log(ngx.ERR, "[BEHAVIOR] not enough memory allocated to behavior_ip_ban")
logger.log(ngx.ERR, "BEHAVIOR", "not enough memory allocated to behavior_ip_ban")
return
end
end


@ -1,6 +1,7 @@
local M = {}
local dns = require "dns"
local iputils = require "resty.iputils"
local logger = require "logger"
function M.ip_cached_ko ()
return ngx.shared.blacklist_ip_cache:get(ngx.var.remote_addr) == "ko"
@ -23,7 +24,7 @@ function M.check_ip (ip_list)
local blacklist = iputils.parse_cidrs(ip_list)
if iputils.ip_in_cidrs(ngx.var.remote_addr, blacklist) then
ngx.shared.blacklist_ip_cache:set(ngx.var.remote_addr, "ko", 86400)
ngx.log(ngx.NOTICE, "ip " .. ngx.var.remote_addr .. " is in blacklist")
logger.log(ngx.WARN, "BLACKLIST", "ip " .. ngx.var.remote_addr .. " is in blacklist")
return true
end
end
@ -38,7 +39,7 @@ function M.check_reverse (reverse_list, resolvers)
for k, v in ipairs(reverse_list) do
if rdns:sub(-#v) == v then
ngx.shared.blacklist_reverse_cache:set(ngx.var.remote_addr, "ko", 86400)
ngx.log(ngx.NOTICE, "reverse " .. rdns .. " is in blacklist")
logger.log(ngx.WARN, "BLACKLIST", "reverse " .. rdns .. " is in blacklist")
return true
end
end


@ -1,5 +1,6 @@
local M = {}
local iputils = require "resty.iputils"
local logger = require "logger"
function M.flush_dict (dict)
local keys = dict:get_keys(0)
@ -12,7 +13,7 @@ function M.load_ip (path, dict)
M.flush_dict(dict)
local file = io.open(path, "r")
if not file then
ngx.log(ngx.ERR, "[INIT] can't open " .. path)
logger.log(ngx.ERR, "INIT", "can't open " .. path)
else
io.input(file)
local i = 0
@ -24,7 +25,7 @@ function M.load_ip (path, dict)
while bin_ip <= upper do
local ok, err = dict:safe_set(bin_ip, true, 0)
if not ok then
ngx.log(ngx.ERR, "[INIT] not enough memory allocated to load data from " .. path)
logger.log(ngx.ERR, "INIT", "not enough memory allocated to load data from " .. path)
continue = false
break
end
@ -40,7 +41,7 @@ function M.load_ip (path, dict)
break
end
end
ngx.log(ngx.ERR, "[INIT] *NOT AN ERROR* loaded " .. tostring(i) .. " IPs from " .. path)
logger.log(ngx.ERR, "INIT", "*NOT AN ERROR* loaded " .. tostring(i) .. " IPs from " .. path)
io.close(file)
end
end
@ -49,19 +50,19 @@ function M.load_raw (path, dict)
M.flush_dict(dict)
local file = io.open(path, "r")
if not file then
ngx.log(ngx.ERR, "[INIT] can't open " .. path)
logger.log(ngx.ERR, "INIT", "can't open " .. path)
else
io.input(file)
local i = 0
for line in io.lines() do
local ok, err = dict:safe_set(line, true, 0)
if not ok then
ngx.log(ngx.ERR, "[INIT] not enough memory allocated to load data from " .. path)
logger.log(ngx.ERR, "INIT", "not enough memory allocated to load data from " .. path)
break
end
i = i + 1
end
ngx.log(ngx.ERR, "[INIT] *NOT AN ERROR* loaded " .. tostring(i) .. " entries from " .. path)
logger.log(ngx.ERR, "INIT", "*NOT AN ERROR* loaded " .. tostring(i) .. " entries from " .. path)
io.close(file)
end
end


@ -1,5 +1,6 @@
local M = {}
local dns = require "dns"
local logger = require "logger"
function M.cached_ko ()
return ngx.shared.dnsbl_cache:get(ngx.var.remote_addr) == "ko"
@ -18,7 +19,7 @@ function M.check (dnsbls, resolvers)
local a,b,c,d = v2:match("([%d]+).([%d]+).([%d]+).([%d]+)")
if a == "127" then
ngx.shared.dnsbl_cache:set(ngx.var.remote_addr, "ko", 86400)
ngx.log(ngx.NOTICE, "ip " .. ngx.var.remote_addr .. " is in DNSBL " .. v)
logger.log(ngx.WARN, "DNSBL", "ip " .. ngx.var.remote_addr .. " is in DNSBL " .. v)
return true
end
end

8
lua/logger.lua Normal file

@ -0,0 +1,8 @@
local M = {}
local errlog = require "ngx.errlog"
function M.log (level, prefix, msg)
errlog.raw_log(level, "[" .. prefix .. "] " .. msg)
end
return M
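Review bot: `M.log` raises instead of logging when `msg` is nil, because `"] " .. msg` errors on a nil operand, and two callers in this commit pass an `err` value (the CrowdSec `cs.init` and `allowIp` results) that is not guaranteed to be a string. Callers also pass raw header values (User-Agent, Referer, request URI) straight through, so this function is the one place to neutralise control characters before they reach the error log; both fit in two lines: `local text = "[" .. tostring(prefix) .. "] " .. tostring(msg)` followed by `errlog.raw_log(level, (text:gsub("%c", "?")))`. As I read the ngx.errlog documentation, `raw_log` omits the per-request context that `ngx.log` used to append, so the client address now appears only where the caller put it in `msg` — worth a comment on the function so future callers include it. The module also needs an LDoc block stating that `level` is one of the `ngx.*` log-level constants, `prefix` is the bracketed tag and `msg` is coerced with `tostring`.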


@ -1,6 +1,7 @@
local M = {}
local dns = require "dns"
local iputils = require "resty.iputils"
local M = {}
local dns = require "dns"
local iputils = require "resty.iputils"
local logger = require "logger"
function M.ip_cached_ok ()
return ngx.shared.whitelist_ip_cache:get(ngx.var.remote_addr) == "ok"
@ -23,7 +24,7 @@ function M.check_ip (ip_list)
local whitelist = iputils.parse_cidrs(ip_list)
if iputils.ip_in_cidrs(ngx.var.remote_addr, whitelist) then
ngx.shared.whitelist_ip_cache:set(ngx.var.remote_addr, "ok", 86400)
ngx.log(ngx.NOTICE, "ip " .. ngx.var.remote_addr .. " is in whitelist")
logger.log(ngx.NOTICE, "WHITELIST", "ip " .. ngx.var.remote_addr .. " is in whitelist")
return true
end
end
@ -47,7 +48,7 @@ function M.check_reverse (reverse_list, resolvers)
for k, v in ipairs(ips) do
if v == ngx.var.remote_addr then
ngx.shared.whitelist_reverse_cache:set(ngx.var.remote_addr, "ok", 86400)
ngx.log(ngx.NOTICE, "reverse " .. rdns .. " is in whitelist")
logger.log(ngx.NOTICE, "WHITELIST", "reverse " .. rdns .. " is in whitelist")
return true
end
end