lua - move global vars from lua to site config (untested)
This commit is contained in:
bunkerity
parent
863283d090
commit
d9bb97be50
|
|
@ -130,9 +130,10 @@ git_secure_clone https://github.com/crowdsecurity/lua-cs-bouncer.git 3c235c813fc
|
|||
cd lua-cs-bouncer
|
||||
mkdir /usr/local/lib/lua/crowdsec
|
||||
cp lib/*.lua /usr/local/lib/lua/crowdsec
|
||||
cp template.conf /usr/local/lib/lua/crowdsec/crowdsec.conf
|
||||
sed -i 's/^API_URL=.*/API_URL=%CROWDSEC_HOST%/' /usr/local/lib/lua/crowdsec/crowdsec.conf
|
||||
sed -i 's/^API_KEY=.*/API_KEY=%CROWDSEC_KEY%/' /usr/local/lib/lua/crowdsec/crowdsec.conf
|
||||
mkdir /opt/crowdsec
|
||||
cp template.conf /opt/crowdsec/crowdsec.conf
|
||||
sed -i 's/^API_URL=.*/API_URL=%CROWDSEC_HOST%/' /opt/crowdsec/crowdsec.conf
|
||||
sed -i 's/^API_KEY=.*/API_KEY=%CROWDSEC_KEY%/' /opt/crowdsec/crowdsec.conf
|
||||
sed -i 's/require "lrucache"/require "resty.lrucache"/' /usr/local/lib/lua/crowdsec/CrowdSec.lua
|
||||
sed -i 's/require "config"/require "crowdsec.config"/' /usr/local/lib/lua/crowdsec/CrowdSec.lua
|
||||
cd /tmp
|
||||
|
|
|
|||
|
|
@ -31,7 +31,7 @@ end
|
|||
|
||||
if use_crowdsec then
|
||||
local cs = require "crowdsec.CrowdSec"
|
||||
local ok, err = cs.init("/usr/local/lib/lua/crowdsec/crowdsec.conf")
|
||||
local ok, err = cs.init("/etc/nginx/crowdsec.conf")
|
||||
if ok == nil then
|
||||
ngx.log(ngx.ERR, "[CROWDSEC] " .. err)
|
||||
error()
|
||||
|
|
|
|||
|
|
@ -1,11 +1,15 @@
|
|||
log_by_lua_block {
|
||||
|
||||
local use_bad_behavior = %USE_BAD_BEHAVIOR%
|
||||
|
||||
local behavior = require "behavior"
|
||||
-- bad behavior
|
||||
local use_bad_behavior = %USE_BAD_BEHAVIOR%
|
||||
local behavior = require "behavior"
|
||||
local bad_behavior_status_codes = {%BAD_BEHAVIOR_STATUS_CODES%}
|
||||
local bad_behavior_threshold = %BAD_BEHAVIOR_THRESHOLD%
|
||||
local bad_behavior_count_time = %BAD_BEHAVIOR_COUNT_TIME%
|
||||
local bad_behavior_ban_time = %BAD_BEHAVIOR_BAN_TIME%
|
||||
|
||||
if use_bad_behavior then
|
||||
behavior.count()
|
||||
behavior.count(bad_behavior_status_code, bad_behavior_threshold, bad_behavior_count_time, bad_behavior_ban_time)
|
||||
end
|
||||
|
||||
}
|
||||
|
|
|
|||
|
|
@ -3,23 +3,48 @@ set $session_check_addr on;
|
|||
|
||||
access_by_lua_block {
|
||||
|
||||
-- let's encrypt
|
||||
local use_lets_encrypt = %USE_LETS_ENCRYPT%
|
||||
local use_whitelist_ip = %USE_WHITELIST_IP%
|
||||
local use_whitelist_reverse = %USE_WHITELIST_REVERSE%
|
||||
|
||||
-- external blacklists
|
||||
local use_user_agents = %USE_USER_AGENTS%
|
||||
local use_proxies = %USE_PROXIES%
|
||||
local use_abusers = %USE_ABUSERS%
|
||||
local use_tor_exit_nodes = %USE_TOR_EXIT_NODES%
|
||||
local use_referrers = %USE_REFERRERS%
|
||||
|
||||
-- countries
|
||||
local use_country = %USE_COUNTRY%
|
||||
local use_blacklist_ip = %USE_BLACKLIST_IP%
|
||||
local use_blacklist_reverse = %USE_BLACKLIST_REVERSE%
|
||||
local use_dnsbl = %USE_DNSBL%
|
||||
|
||||
-- crowdsec
|
||||
local use_crowdsec = %USE_CROWDSEC%
|
||||
|
||||
-- antibot
|
||||
local use_antibot_cookie = %USE_ANTIBOT_COOKIE%
|
||||
local use_antibot_javascript = %USE_ANTIBOT_JAVASCRIPT%
|
||||
local use_antibot_captcha = %USE_ANTIBOT_CAPTCHA%
|
||||
local use_antibot_recaptcha = %USE_ANTIBOT_RECAPTCHA%
|
||||
|
||||
-- resolvers
|
||||
local dns_resolvers = %DNS_RESOLVERS%
|
||||
|
||||
-- whitelist
|
||||
local use_whitelist_ip = %USE_WHITELIST_IP%
|
||||
local use_whitelist_reverse = %USE_WHITELIST_REVERSE%
|
||||
local whitelist_ip_list = %WHITELIST_IP_LIST%
|
||||
local whitelist_reverse_list = %WHITELIST_REVERSE_LIST%
|
||||
|
||||
-- blacklist
|
||||
local use_blacklist_ip = %USE_BLACKLIST_IP%
|
||||
local use_blacklist_reverse = %USE_BLACKLIST_REVERSE%
|
||||
local blacklist_ip_list = %BLACKLIST_IP_LIST%
|
||||
local blacklist_reverse_list = %BLACKLIST_REVERSE_LIST%
|
||||
|
||||
-- dnsbl
|
||||
local use_dnsbl = %USE_DNSBL%
|
||||
local dnsbl_list = %DNSBL_LIST%
|
||||
|
||||
-- bad behavior
|
||||
local use_bad_behavior = %USE_BAD_BEHAVIOR%
|
||||
|
||||
-- include LUA code
|
||||
|
|
@ -61,14 +86,14 @@ end
|
|||
|
||||
-- check if IP is whitelisted (only if not in cache)
|
||||
if use_whitelist_ip and not whitelist.ip_cached() then
|
||||
if whitelist.check_ip() then
|
||||
if whitelist.check_ip(whitelist_ip_list) then
|
||||
ngx.exit(ngx.OK)
|
||||
end
|
||||
end
|
||||
|
||||
-- check if reverse is whitelisted (only if not in cache)
|
||||
if use_whitelist_reverse and not whitelist.reverse_cached() then
|
||||
if whitelist.check_reverse() then
|
||||
if whitelist.check_reverse(whitelist_reverse_list) then
|
||||
ngx.exit(ngx.OK)
|
||||
end
|
||||
end
|
||||
|
|
@ -88,14 +113,14 @@ end
|
|||
|
||||
-- check if IP is blacklisted (only if not in cache)
|
||||
if use_blacklist_ip and not blacklist.ip_cached() then
|
||||
if blacklist.check_ip() then
|
||||
if blacklist.check_ip(blacklist_ip_list) then
|
||||
ngx.exit(ngx.HTTP_FORBIDDEN)
|
||||
end
|
||||
end
|
||||
|
||||
-- check if reverse is blacklisted (only if not in cache)
|
||||
if use_blacklist_reverse and not blacklist.reverse_cached() then
|
||||
if blacklist.check_reverse() then
|
||||
if blacklist.check_reverse(blacklist_reverse_list, dns_resolvers) then
|
||||
ngx.exit(ngx.HTTP_FORBIDDEN)
|
||||
end
|
||||
end
|
||||
|
|
@ -197,7 +222,7 @@ end
|
|||
|
||||
-- check if IP is in DNSBLs (only if not in cache)
|
||||
if use_dnsbl and not dnsbl.cached() then
|
||||
if dnsbl.check() then
|
||||
if dnsbl.check(dnsbl_list, dns_resolvers) then
|
||||
ngx.exit(ngx.HTTP_FORBIDDEN)
|
||||
end
|
||||
end
|
||||
|
|
|
|||
|
|
@ -50,10 +50,6 @@ if [ ! -f "/opt/installed" ] ; then
|
|||
exit 1
|
||||
fi
|
||||
|
||||
# lua config
|
||||
# TODO : move variables from /usr/local/lib/lua + multisite support ?
|
||||
/opt/entrypoint/lua.sh
|
||||
|
||||
# clamav config
|
||||
/opt/entrypoint/clamav.sh
|
||||
|
||||
|
|
|
|||
|
|
@ -230,6 +230,9 @@ fi
|
|||
# CrowdSec setup
|
||||
if [ "$(has_value USE_CROWDSEC yes)" != "" ] ; then
|
||||
replace_in_file "/etc/nginx/init-lua.conf" "%USE_CROWDSEC%" "true"
|
||||
cp /opt/crowdsec/crowdsec.conf /etc/nginx
|
||||
replace_in_file "/etc/nginx/crowdsec.conf" "%CROWDSEC_HOST%" "$CROWDSEC_HOST"
|
||||
replace_in_file "/etc/nginx/crowdsec.conf" "%CROWDSEC_KEY%" "$CROWDSEC_KEY"
|
||||
else
|
||||
replace_in_file "/etc/nginx/init-lua.conf" "%USE_CROWDSEC%" "false"
|
||||
fi
|
||||
|
|
|
|||
|
|
@ -1,47 +0,0 @@
|
|||
#!/bin/bash
|
||||
|
||||
# load default values
|
||||
. /opt/entrypoint/defaults.sh
|
||||
|
||||
# load some functions
|
||||
. /opt/entrypoint/utils.sh
|
||||
|
||||
# copy stub LUA scripts
|
||||
cp -r /opt/lua/* /usr/local/lib/lua
|
||||
|
||||
# DNS resolvers
|
||||
resolvers=$(spaces_to_lua "$DNS_RESOLVERS")
|
||||
replace_in_file "/usr/local/lib/lua/dns.lua" "%DNS_RESOLVERS%" "$resolvers"
|
||||
|
||||
# whitelist IP
|
||||
list=$(spaces_to_lua "$WHITELIST_IP_LIST")
|
||||
replace_in_file "/usr/local/lib/lua/whitelist.lua" "%WHITELIST_IP_LIST%" "$list"
|
||||
|
||||
# whitelist rDNS
|
||||
list=$(spaces_to_lua "$WHITELIST_REVERSE_LIST")
|
||||
replace_in_file "/usr/local/lib/lua/whitelist.lua" "%WHITELIST_REVERSE_LIST%" "$list"
|
||||
|
||||
# blacklist IP
|
||||
list=$(spaces_to_lua "$BLACKLIST_IP_LIST")
|
||||
replace_in_file "/usr/local/lib/lua/blacklist.lua" "%BLACKLIST_IP_LIST%" "$list"
|
||||
|
||||
# blacklist rDNS
|
||||
list=$(spaces_to_lua "$BLACKLIST_REVERSE_LIST")
|
||||
replace_in_file "/usr/local/lib/lua/blacklist.lua" "%BLACKLIST_REVERSE_LIST%" "$list"
|
||||
|
||||
# DNSBL
|
||||
list=$(spaces_to_lua "$DNSBL_LIST")
|
||||
replace_in_file "/usr/local/lib/lua/dnsbl.lua" "%DNSBL_LIST%" "$list"
|
||||
|
||||
# bad behavior
|
||||
list=$(spaces_to_lua "$BAD_BEHAVIOR_STATUS_CODES")
|
||||
replace_in_file "/usr/local/lib/lua/behavior.lua" "%STATUS_CODES%" "$list"
|
||||
replace_in_file "/usr/local/lib/lua/behavior.lua" "%THRESHOLD%" "$BAD_BEHAVIOR_THRESHOLD"
|
||||
replace_in_file "/usr/local/lib/lua/behavior.lua" "%BAN_TIME%" "$BAD_BEHAVIOR_BAN_TIME"
|
||||
replace_in_file "/usr/local/lib/lua/behavior.lua" "%COUNT_TIME%" "$BAD_BEHAVIOR_COUNT_TIME"
|
||||
|
||||
# CrowdSec setup
|
||||
if [ "$(has_value USE_CROWDSEC yes)" != "" ] ; then
|
||||
replace_in_file "/usr/local/lib/lua/crowdsec/crowdsec.conf" "%CROWDSEC_HOST%" "$CROWDSEC_HOST"
|
||||
replace_in_file "/usr/local/lib/lua/crowdsec/crowdsec.conf" "%CROWDSEC_KEY%" "$CROWDSEC_KEY"
|
||||
fi
|
||||
|
|
@ -474,6 +474,8 @@ if [ "$USE_WHITELIST_IP" = "yes" ] ; then
|
|||
else
|
||||
replace_in_file "${NGINX_PREFIX}main-lua.conf" "%USE_WHITELIST_IP%" "false"
|
||||
fi
|
||||
list=$(spaces_to_lua "$WHITELIST_IP_LIST")
|
||||
replace_in_file "${NGINX_PREFIX}main-lua.conf" "%WHITELIST_IP_LIST%" "$list"
|
||||
|
||||
# whitelist rDNS
|
||||
if [ "$USE_WHITELIST_REVERSE" = "yes" ] ; then
|
||||
|
|
@ -481,6 +483,8 @@ if [ "$USE_WHITELIST_REVERSE" = "yes" ] ; then
|
|||
else
|
||||
replace_in_file "${NGINX_PREFIX}main-lua.conf" "%USE_WHITELIST_REVERSE%" "false"
|
||||
fi
|
||||
list=$(spaces_to_lua "$WHITELIST_REVERSE_LIST")
|
||||
replace_in_file "${NGINX_PREFIX}main-lua.conf" "%WHITELIST_REVERSE_LIST%" "$list"
|
||||
|
||||
# blacklist IP
|
||||
if [ "$USE_BLACKLIST_IP" = "yes" ] ; then
|
||||
|
|
@ -488,6 +492,8 @@ if [ "$USE_BLACKLIST_IP" = "yes" ] ; then
|
|||
else
|
||||
replace_in_file "${NGINX_PREFIX}main-lua.conf" "%USE_BLACKLIST_IP%" "false"
|
||||
fi
|
||||
list=$(spaces_to_lua "$BLACKLIST_IP_LIST")
|
||||
replace_in_file "${NGINX_PREFIX}main-lua.conf" "%BLACKLIST_IP_LIST%" "$list"
|
||||
|
||||
# blacklist rDNS
|
||||
if [ "$USE_BLACKLIST_REVERSE" = "yes" ] ; then
|
||||
|
|
@ -495,6 +501,8 @@ if [ "$USE_BLACKLIST_REVERSE" = "yes" ] ; then
|
|||
else
|
||||
replace_in_file "${NGINX_PREFIX}main-lua.conf" "%USE_BLACKLIST_REVERSE%" "false"
|
||||
fi
|
||||
list=$(spaces_to_lua "$BLACKLIST_REVERSE_LIST")
|
||||
replace_in_file "${NGINX_PREFIX}main-lua.conf" "%BLACKLIST_REVERSE_LIST%" "$list"
|
||||
|
||||
# DNSBL
|
||||
if [ "$USE_DNSBL" = "yes" ] ; then
|
||||
|
|
@ -502,6 +510,8 @@ if [ "$USE_DNSBL" = "yes" ] ; then
|
|||
else
|
||||
replace_in_file "${NGINX_PREFIX}main-lua.conf" "%USE_DNSBL%" "false"
|
||||
fi
|
||||
list=$(spaces_to_lua "$DNSBL_LIST")
|
||||
replace_in_file "${NGINX_PREFIX}main-lua.conf" "%DNSBL_LIST%" "$list"
|
||||
|
||||
# antibot uri and session secret
|
||||
replace_in_file "${NGINX_PREFIX}main-lua.conf" "%ANTIBOT_URI%" "$ANTIBOT_URI"
|
||||
|
|
@ -570,6 +580,11 @@ else
|
|||
replace_in_file "${NGINX_PREFIX}main-lua.conf" "%USE_BAD_BEHAVIOR%" "false"
|
||||
replace_in_file "${NGINX_PREFIX}log-lua.conf" "%USE_BAD_BEHAVIOR%" "false"
|
||||
fi
|
||||
list=$(spaces_to_lua "$BAD_BEHAVIOR_STATUS_CODES")
|
||||
replace_in_file "${NGINX_PREFIX}log-lua.conf" "%BAD_BEHAVIOR_STATUS_CODES%" "$list"
|
||||
replace_in_file "${NGINX_PREFIX}log-lua.conf" "%BAD_BEHAVIOR_THRESHOLD%" "$BAD_BEHAVIOR_THRESHOLD"
|
||||
replace_in_file "${NGINX_PREFIX}log-lua.conf" "%BAD_BEHAVIOR_BAN_TIME%" "$BAD_BEHAVIOR_BAN_TIME"
|
||||
replace_in_file "${NGINX_PREFIX}log-lua.conf" "%BAD_BEHAVIOR_COUNT_TIME%" "$BAD_BEHAVIOR_COUNT_TIME"
|
||||
|
||||
# request limiting
|
||||
if [ "$USE_LIMIT_REQ" = "yes" ] ; then
|
||||
|
|
@ -600,3 +615,7 @@ if [ "$USE_CROWDSEC" = "yes" ] ; then
|
|||
else
|
||||
replace_in_file "${NGINX_PREFIX}main-lua.conf" "%USE_CROWDSEC%" "false"
|
||||
fi
|
||||
|
||||
# DNS resolvers
|
||||
resolvers=$(spaces_to_lua "$DNS_RESOLVERS")
|
||||
replace_in_file "${NGINX_PREFIX}main-lua.conf" "%DNS_RESOLVERS%" "$resolvers"
|
||||
|
|
|
|||
10
lua/api.lua
10
lua/api.lua
|
|
@ -1,19 +1,19 @@
|
|||
local M = {}
|
||||
M.api_list = {}
|
||||
local api_list = {}
|
||||
local iputils = require "resty.iputils"
|
||||
|
||||
M.api_list["^/ping$"] = function ()
|
||||
api_list["^/ping$"] = function ()
|
||||
return true
|
||||
end
|
||||
|
||||
M.api_list["^/reload$"] = function ()
|
||||
api_list["^/reload$"] = function ()
|
||||
return os.execute("/usr/sbin/nginx -s reload") == 0
|
||||
end
|
||||
|
||||
function M.is_api_call (api_uri, api_whitelist_ip)
|
||||
local whitelist = iputils.parse_cidrs(api_whitelist_ip)
|
||||
if iputils.ip_in_cidrs(ngx.var.remote_addr, whitelist) and ngx.var.request_uri:sub(1, #api_uri) .. "/" == api_uri .. "/" then
|
||||
for uri, code in pairs(M.api_list) do
|
||||
for uri, code in pairs(api_list) do
|
||||
if string.match(ngx.var.request_uri:sub(#api_uri + 1), uri) then
|
||||
return true
|
||||
end
|
||||
|
|
@ -23,7 +23,7 @@ function M.is_api_call (api_uri, api_whitelist_ip)
|
|||
end
|
||||
|
||||
function M.do_api_call (api_uri)
|
||||
for uri, code in pairs(M.api_list) do
|
||||
for uri, code in pairs(api_list) do
|
||||
if string.match(ngx.var.request_uri:sub(#api_uri + 1), uri) then
|
||||
return code()
|
||||
end
|
||||
|
|
|
|||
|
|
@ -1,14 +1,10 @@
|
|||
local M = {}
|
||||
local status_codes = {%STATUS_CODES%}
|
||||
local threshold = %THRESHOLD%
|
||||
local count_time = %COUNT_TIME%
|
||||
local ban_time = %BAN_TIME%
|
||||
local M = {}
|
||||
|
||||
function M.is_banned ()
|
||||
return ngx.shared.behavior_ban:get(ngx.var.remote_addr) == true
|
||||
end
|
||||
|
||||
function M.count ()
|
||||
function M.count (status_codes, threshold, count_time, ban_time)
|
||||
for k, v in ipairs(status_codes) do
|
||||
if v == tostring(ngx.status) then
|
||||
local count = ngx.shared.behavior_count:get(ngx.var.remote_addr)
|
||||
|
|
|
|||
|
|
@ -1,53 +1,50 @@
|
|||
local M = {}
|
||||
local dns = require "dns"
|
||||
local iputils = require "resty.iputils"
|
||||
local ip_list = {%BLACKLIST_IP_LIST%}
|
||||
local blacklist = iputils.parse_cidrs(ip_list)
|
||||
local reverse_list = {%BLACKLIST_REVERSE_LIST%}
|
||||
local ip = ngx.var.remote_addr
|
||||
local M = {}
|
||||
local dns = require "dns"
|
||||
local iputils = require "resty.iputils"
|
||||
|
||||
function M.ip_cached_ko ()
|
||||
return ngx.shared.blacklist_ip_cache:get(ip) == "ko"
|
||||
return ngx.shared.blacklist_ip_cache:get(ngx.var.remote_addr) == "ko"
|
||||
end
|
||||
|
||||
function M.reverse_cached_ko ()
|
||||
return ngx.shared.blacklist_reverse_cache:get(ip) == "ko"
|
||||
return ngx.shared.blacklist_reverse_cache:get(ngx.var.remote_addr) == "ko"
|
||||
end
|
||||
|
||||
function M.ip_cached ()
|
||||
return ngx.shared.blacklist_ip_cache:get(ip) ~= nil
|
||||
return ngx.shared.blacklist_ip_cache:get(ngx.var.remote_addr) ~= nil
|
||||
end
|
||||
|
||||
function M.reverse_cached ()
|
||||
return ngx.shared.blacklist_reverse_cache:get(ip) ~= nil
|
||||
return ngx.shared.blacklist_reverse_cache:get(ngx.var.remote_addr) ~= nil
|
||||
end
|
||||
|
||||
function M.check_ip ()
|
||||
function M.check_ip (ip_list)
|
||||
if #ip_list > 0 then
|
||||
if iputils.ip_in_cidrs(ip, blacklist) then
|
||||
ngx.shared.blacklist_ip_cache:set(ip, "ko", 86400)
|
||||
ngx.log(ngx.NOTICE, "ip " .. ip .. " is in blacklist")
|
||||
local blacklist = iputils.parse_cidrs(ip_list)
|
||||
if iputils.ip_in_cidrs(ngx.var.remote_addr, blacklist) then
|
||||
ngx.shared.blacklist_ip_cache:set(ngx.var.remote_addr, "ko", 86400)
|
||||
ngx.log(ngx.NOTICE, "ip " .. ngx.var.remote_addr .. " is in blacklist")
|
||||
return true
|
||||
end
|
||||
end
|
||||
ngx.shared.blacklist_ip_cache:set(ip, "ok", 86400)
|
||||
ngx.shared.blacklist_ip_cache:set(ngx.var.remote_addr, "ok", 86400)
|
||||
return false
|
||||
end
|
||||
|
||||
function M.check_reverse ()
|
||||
function M.check_reverse (reverse_list, resolvers)
|
||||
if #reverse_list > 0 then
|
||||
local rdns = dns.get_reverse()
|
||||
local rdns = dns.get_reverse(resolvers)
|
||||
if rdns ~= "" then
|
||||
for k, v in ipairs(reverse_list) do
|
||||
if rdns:sub(-#v) == v then
|
||||
ngx.shared.blacklist_reverse_cache:set(ip, "ko", 86400)
|
||||
ngx.shared.blacklist_reverse_cache:set(ngx.var.remote_addr, "ko", 86400)
|
||||
ngx.log(ngx.NOTICE, "reverse " .. rdns .. " is in blacklist")
|
||||
return true
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
||||
ngx.shared.blacklist_reverse_cache:set(ip, "ok", 86400)
|
||||
ngx.shared.blacklist_reverse_cache:set(ngx.var.remote_addr, "ok", 86400)
|
||||
return false
|
||||
end
|
||||
|
||||
|
|
|
|||
|
|
@ -1,4 +1,3 @@
|
|||
|
||||
local M = {}
|
||||
local session = require "resty.session"
|
||||
|
||||
|
|
|
|||
10
lua/dns.lua
10
lua/dns.lua
|
|
@ -1,15 +1,13 @@
|
|||
local M = {}
|
||||
local resolver = require "resty.dns.resolver"
|
||||
local resolvers = {%DNS_RESOLVERS%}
|
||||
local ip = ngx.var.remote_addr
|
||||
|
||||
function M.get_reverse()
|
||||
function M.get_reverse(resolvers)
|
||||
local r, err = resolver:new{nameservers=resolvers, retrans=2, timeout=2000}
|
||||
if not r then
|
||||
return ""
|
||||
end
|
||||
local rdns = ""
|
||||
local answers, err = r:reverse_query(ip)
|
||||
local answers, err = r:reverse_query(ngx.var.remote_addr)
|
||||
if answers ~= nil and not answers.errcode then
|
||||
for ak, av in ipairs(answers) do
|
||||
if av.ptrdname then
|
||||
|
|
@ -21,7 +19,7 @@ function M.get_reverse()
|
|||
return rdns
|
||||
end
|
||||
|
||||
function M.get_ips(fqdn)
|
||||
function M.get_ips(fqdn, resolvers)
|
||||
local r, err = resolver:new{nameservers=resolvers, retrans=2, timeout=2000}
|
||||
if not r then
|
||||
return ""
|
||||
|
|
@ -39,7 +37,7 @@ function M.get_ips(fqdn)
|
|||
end
|
||||
|
||||
function M.ip_to_arpa()
|
||||
return resolver.arpa_str(ip):gsub("%.in%-addr%.arpa", ""):gsub("%.ip6%.arpa", "")
|
||||
return resolver.arpa_str(ngx.var.remote_addr):gsub("%.in%-addr%.arpa", ""):gsub("%.ip6%.arpa", "")
|
||||
end
|
||||
|
||||
return M
|
||||
|
|
|
|||
|
|
@ -1,31 +1,29 @@
|
|||
local M = {}
|
||||
local dns = require "dns"
|
||||
local dnsbls = {%DNSBL_LIST%}
|
||||
local ip = ngx.var.remote_addr
|
||||
|
||||
function M.cached_ko ()
|
||||
return ngx.shared.dnsbl_cache:get(ip) == "ko"
|
||||
return ngx.shared.dnsbl_cache:get(ngx.var.remote_addr) == "ko"
|
||||
end
|
||||
|
||||
function M.cached ()
|
||||
return ngx.shared.dnsbl_cache:get(ip) ~= nil
|
||||
return ngx.shared.dnsbl_cache:get(ngx.var.remote_addr) ~= nil
|
||||
end
|
||||
|
||||
function M.check ()
|
||||
function M.check (dnsbls, resolvers)
|
||||
local rip = dns.ip_to_arpa()
|
||||
for k, v in ipairs(dnsbls) do
|
||||
local req = rip .. "." .. v
|
||||
local ips = dns.get_ips(req)
|
||||
local ips = dns.get_ips(req, resolvers)
|
||||
for k2, v2 in ipairs(ips) do
|
||||
local a,b,c,d = v2:match("([%d]+).([%d]+).([%d]+).([%d]+)")
|
||||
if a == "127" then
|
||||
ngx.shared.dnsbl_cache:set(ip, "ko", 86400)
|
||||
ngx.log(ngx.NOTICE, "ip " .. ip .. " is in DNSBL " .. v)
|
||||
ngx.shared.dnsbl_cache:set(ngx.var.remote_addr, "ko", 86400)
|
||||
ngx.log(ngx.NOTICE, "ip " .. ngx.var.remote_addr .. " is in DNSBL " .. v)
|
||||
return true
|
||||
end
|
||||
end
|
||||
end
|
||||
ngx.shared.dnsbl_cache:set(ip, "ok", 86400)
|
||||
ngx.shared.dnsbl_cache:set(ngx.var.remote_addr, "ok", 86400)
|
||||
return false
|
||||
end
|
||||
|
||||
|
|
|
|||
|
|
@ -1,42 +1,39 @@
|
|||
local M = {}
|
||||
local dns = require "dns"
|
||||
local iputils = require "resty.iputils"
|
||||
local ip_list = {%WHITELIST_IP_LIST%}
|
||||
local reverse_list = {%WHITELIST_REVERSE_LIST%}
|
||||
local whitelist = iputils.parse_cidrs(ip_list)
|
||||
local ip = ngx.var.remote_addr
|
||||
|
||||
function M.ip_cached_ok ()
|
||||
return ngx.shared.whitelist_ip_cache:get(ip) == "ok"
|
||||
return ngx.shared.whitelist_ip_cache:get(ngx.var.remote_addr) == "ok"
|
||||
end
|
||||
|
||||
function M.reverse_cached_ok ()
|
||||
return ngx.shared.whitelist_reverse_cache:get(ip) == "ok"
|
||||
return ngx.shared.whitelist_reverse_cache:get(ngx.var.remote_addr) == "ok"
|
||||
end
|
||||
|
||||
function M.ip_cached ()
|
||||
return ngx.shared.whitelist_ip_cache:get(ip) ~= nil
|
||||
return ngx.shared.whitelist_ip_cache:get(ngx.var.remote_addr) ~= nil
|
||||
end
|
||||
|
||||
function M.reverse_cached ()
|
||||
return ngx.shared.whitelist_reverse_cache:get(ip) ~= nil
|
||||
return ngx.shared.whitelist_reverse_cache:get(ngx.var.remote_addr) ~= nil
|
||||
end
|
||||
|
||||
function M.check_ip ()
|
||||
function M.check_ip (ip_list)
|
||||
if #ip_list > 0 then
|
||||
if iputils.ip_in_cidrs(ip, whitelist) then
|
||||
ngx.shared.whitelist_ip_cache:set(ip, "ok", 86400)
|
||||
ngx.log(ngx.NOTICE, "ip " .. ip .. " is in whitelist")
|
||||
local whitelist = iputils.parse_cidrs(ip_list)
|
||||
if iputils.ip_in_cidrs(ngx.var.remote_addr, whitelist) then
|
||||
ngx.shared.whitelist_ip_cache:set(ngx.var.remote_addr, "ok", 86400)
|
||||
ngx.log(ngx.NOTICE, "ip " .. ngx.var.remote_addr .. " is in whitelist")
|
||||
return true
|
||||
end
|
||||
end
|
||||
ngx.shared.whitelist_ip_cache:set(ip, "ko", 86400)
|
||||
ngx.shared.whitelist_ip_cache:set(ngx.var.remote_addr, "ko", 86400)
|
||||
return false
|
||||
end
|
||||
|
||||
function M.check_reverse ()
|
||||
function M.check_reverse (reverse_list, resolvers)
|
||||
if #reverse_list > 0 then
|
||||
local rdns = dns.get_reverse()
|
||||
local rdns = dns.get_reverse(resolvers)
|
||||
if rdns ~= "" then
|
||||
local whitelisted = false
|
||||
for k, v in ipairs(reverse_list) do
|
||||
|
|
@ -46,10 +43,10 @@ function M.check_reverse ()
|
|||
end
|
||||
end
|
||||
if whitelisted then
|
||||
local ips = dns.get_ips(rdns)
|
||||
local ips = dns.get_ips(rdns, resolvers)
|
||||
for k, v in ipairs(ips) do
|
||||
if v == ip then
|
||||
ngx.shared.whitelist_reverse_cache:set(ip, "ok", 86400)
|
||||
if v == ngx.var.remote_addr then
|
||||
ngx.shared.whitelist_reverse_cache:set(ngx.var.remote_addr, "ok", 86400)
|
||||
ngx.log(ngx.NOTICE, "reverse " .. rdns .. " is in whitelist")
|
||||
return true
|
||||
end
|
||||
|
|
@ -57,7 +54,7 @@ function M.check_reverse ()
|
|||
end
|
||||
end
|
||||
end
|
||||
ngx.shared.whitelist_reverse_cache:set(ip, "ko", 86400)
|
||||
ngx.shared.whitelist_reverse_cache:set(ngx.var.remote_addr, "ko", 86400)
|
||||
return false
|
||||
end
|
||||
|
||||
|
|
|
|||
Loading…
Reference in New Issue