disable bad behavior if client is whitelisted and fix redmine/reverse-proxy-multisite examples

This commit is contained in:
bunkerity 2022-08-05 15:01:11 +02:00
parent 115d517c71
commit a642761366
No known key found for this signature in database
GPG Key ID: 3D80806F12602A7C
5 changed files with 17 additions and 5 deletions


@ -23,6 +23,9 @@ function _M:log()
if not self.status_codes:match(tostring(ngx.status)) then
return true, "not increasing counter"
end
if ngx.var.is_whitelisted == "yes" then
return true, "client is whitelisted"
end
local count, err = datastore:get("plugin_badbehavior_count_" .. ngx.var.remote_addr)
if not count and err ~= "not found" then
return false, "can't get counts from the datastore : " .. err
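Review bot: The new early return on `ngx.var.is_whitelisted == "yes"` exempts a client from bad-behavior counting whenever the whitelist plugin raised the flag, and the whitelist hunks in this same commit raise it on User-Agent and URI matches as well as on IP, rDNS and ASN matches, so the exemption is driven partly by request-supplied values rather than by who the client is; an operator who configures a User-Agent whitelist is therefore also switching off bad-behavior counting for every request that carries a matching header. If that coupling is intended, a comment at the new check should make it explicit, e.g. `-- any whitelist match (IP, rDNS, ASN, User-Agent, URI) also disables bad-behavior counting`; if not, the whitelist plugin could record which kind matched and this check could honour only the IP-derived kinds. Reading an nginx variable that is not declared yields nil in lua-nginx-module, so the string comparison here stays safe on a server block that does not yet carry the new `set $is_whitelisted '';` directive. `_M:log()` begins above the hunk.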


@ -0,0 +1 @@
set $is_whitelisted '';


@ -52,25 +52,28 @@ function _M:access()
-- Check if access is needed
local access_needed, err = utils.get_variable("USE_WHITELIST")
if access_needed == nil then
return false, err
return false, err, nil, nil
end
if access_needed ~= "yes" then
return true, "Whitelist not activated"
return true, "Whitelist not activated", nil, nil
end
-- Check the cache
local cached_ip, err = self:is_in_cache("ip" .. ngx.var.remote_addr)
if cached_ip and cached_ip ~= "ok" then
ngx.var.is_whitelisted = "yes"
return true, "IP is in whitelist cache (info = " .. cached_ip .. ")", true, ngx.OK
end
local cached_uri, err = self:is_in_cache("uri" .. ngx.var.uri)
if cached_uri and cached_uri ~= "ok" then
ngx.var.is_whitelisted = "yes"
return true, "URI is in whitelist cache (info = " .. cached_uri .. ")", true, ngx.OK
end
local cached_ua = true
if ngx.var.http_user_agent then
cached_ua, err = self:is_in_cache("ua" .. ngx.var.http_user_agent)
if cached_ua and cached_ua ~= "ok" then
ngx.var.is_whitelisted = "yes"
return true, "User-Agent is in whitelist cache (info = " .. cached_ua .. ")", true, ngx.OK
end
end
@ -106,6 +109,7 @@ function _M:access()
else
if ipm:match(ngx.var.remote_addr) then
self:add_to_cache("ip" .. ngx.var.remote_addr, "ip/net")
ngx.var.is_whitelisted = "yes"
return ret, "client IP " .. ngx.var.remote_addr .. " is in whitelist", true, ngx.OK
end
end
@ -137,6 +141,7 @@ function _M:access()
for i, suffix in ipairs(whitelists["RDNS"]) do
if rdns:sub(-#suffix) == suffix then
self:add_to_cache("ip" .. ngx.var.remote_addr, "rDNS " .. suffix)
ngx.var.is_whitelisted = "yes"
return ret, "client IP " .. ngx.var.remote_addr .. " is in whitelist (info = rDNS " .. suffix .. ")", true, ngx.OK
end
end
@ -160,6 +165,7 @@ function _M:access()
for i, asn_bl in ipairs(whitelists["ASN"]) do
if tostring(asn) == asn_bl then
self:add_to_cache("ip" .. ngx.var.remote_addr, "ASN " .. tostring(asn))
ngx.var.is_whitelisted = "yes"
return ret, "client IP " .. ngx.var.remote_addr .. " is in whitelist (kind = ASN " .. tostring(asn) .. ")", true, ngx.OK
end
end
@ -185,6 +191,7 @@ function _M:access()
for i, ua_bl in ipairs(whitelists["USER_AGENT"]) do
if ngx.var.http_user_agent:match(ua_bl) then
self:add_to_cache("ua" .. ngx.var.http_user_agent, "UA " .. ua_bl)
ngx.var.is_whitelisted = "yes"
return ret, "client User-Agent " .. ngx.var.http_user_agent .. " is in whitelist (matched " .. ua_bl .. ")", true, ngx.OK
end
end
@ -207,6 +214,7 @@ function _M:access()
for i, uri_bl in ipairs(whitelists["URI"]) do
if ngx.var.uri:match(uri_bl) then
self:add_to_cache("uri" .. ngx.var.uri, "URI " .. uri_bl)
ngx.var.is_whitelisted = "yes"
return ret, "client URI " .. ngx.var.uri .. " is in whitelist (matched " .. uri_bl .. ")", true, ngx.OK
end
end
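Review bot: The marker `ngx.var.is_whitelisted = "yes"` is repeated before each of the eight whitelist returns in this section (the three cache-hit branches at the top of the first hunk and each `add_to_cache` branch in the later hunks), and assigning to an nginx variable that has not been declared raises a Lua error in lua-nginx-module, so every server block that runs this plugin depends on the `set $is_whitelisted '';` directive the commit adds in a separate file. A comment at the first assignment recording that dependency, e.g. `-- $is_whitelisted must be declared with set in the nginx conf or this assignment errors`, would spare the next maintainer a hunt when a server block omits it. On style, the literal "yes" is the contract the badbehavior log handler reads back, so a small private helper such as `local function mark_whitelisted() ngx.var.is_whitelisted = "yes" end` called from each branch would keep that value in one place and make the remaining duplicated lines one call each. `_M:access()` starts before the first hunk and continues past the last one.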


@ -9,7 +9,7 @@ spec:
- host: www.example.com
http:
paths:
path: /
- path: /
pathType: Prefix
backend:
service:


@ -9,7 +9,7 @@ spec:
- host: app1.example.com
http:
paths:
path: /
- path: /
pathType: Prefix
backend:
service:
@ -19,7 +19,7 @@ spec:
- host: app2.example.com
http:
paths:
path: /
- path: /
pathType: Prefix
backend:
service: