Download and install OpenResty

Download the WAF configuration from https://github.com/unixhot/waf

Notes

When using the open-source unixhot WAF Lua scripts, a few places need to be changed; they are recorded here.

Modify nginx.conf

Add the following to the http block, replacing {path} with your own path:

	lua_shared_dict limit 50m;
	lua_package_path "{path}/openresty-1.19.9.1-win64/lualib/?.lua;{path}/openresty-1.19.9.1-win64/conf/waf/?.lua;";
	init_by_lua_file "{path}/openresty-1.19.9.1-win64/conf/waf/init.lua";
	# same base directory as the three lines above, otherwise access.lua is not found at startup
	access_by_lua_file "{path}/openresty-1.19.9.1-win64/conf/waf/access.lua";

Modify waf/config.lua

	config_rule_dir = "{path}/openresty-1.19.9.1-win64/conf/waf/rule-config"

Note the on/off switch variables for each protection:
--enable/disable white url
config_white_url_check = "on"
--enable/disable white ip
config_white_ip_check = "on"
--enable/disable block ip
config_black_ip_check = "on"
--enable/disable url filtering
config_url_check = "on"
--enable/disable url args filtering
config_url_args_check = "on"
--enable/disable user agent filtering
config_user_agent_check = "on"
--enable/disable cookie deny filtering
config_cookie_check = "on"
--enable/disable cc filtering
config_cc_check = "on"
--cc rate, written as requests/seconds: "20/60" allows 20 requests per 60 seconds
config_cc_rate = "20/60"
--enable/disable post filtering
config_post_check = "on"
Action taken on a blocked request
--config waf output redirect/html
config_waf_output = "html"
-- if config_waf_output is set to redirect, config_waf_redirect_url must be set as well
--config_waf_redirect_url = "https://www.unixhot.com"
config_output_html=[[
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta http-equiv="Content-Language" content="zh-cn" />
<title>WAF</title>
</head>
<body>
<h1 align="center"> 访问过于频繁,请稍后重试</h1>
</body>
</html>
]]

Reading the Lua code, IP-blacklist and CC (rate-limit) hits return 403 directly rather than using the output setting above; change that yourself if you need different behaviour.
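To make the meaning of config_cc_rate and the 403 mentioned above concrete, here is an added, stand-alone example that is not part of the unixhot/waf project. It models the project's approach (a per-client counter in the lua_shared_dict named "limit") with a small fake dictionary and an explicit clock so it runs under plain lua or luajit; inside OpenResty the real ngx.shared.limit would be used instead. The function names, the fake dictionary, the sample IP and the key shape (client IP concatenated with URI) are assumptions made for the example.

```lua
-- Added example (not project code): how "20/60" becomes a rate-limit decision.
local config_cc_check = "on"
local config_cc_rate  = "20/60"   -- same format as config.lua: requests/seconds

-- Stand-in for the lua_shared_dict "limit" (assumption: only get/incr are modelled).
-- Entries expire after `ttl` seconds; `now` is passed in so the run is deterministic.
local function new_fake_dict()
  local store = {}
  local dict = {}
  function dict:get(key, now)
    local e = store[key]
    if e and e.expires_at > now then return e.value end
    return nil
  end
  -- Create the counter at `init` + `value` with a fresh ttl when absent or expired,
  -- otherwise add `value`; returns the new count.
  function dict:incr(key, value, init, ttl, now)
    local e = store[key]
    if not e or e.expires_at <= now then
      store[key] = { value = init + value, expires_at = now + ttl }
      return store[key].value
    end
    e.value = e.value + value
    return e.value
  end
  return dict
end

-- Parse "count/seconds" into two numbers; anything else is a configuration error.
local function parse_cc_rate(rate)
  local count, seconds = string.match(rate, "^(%d+)/(%d+)$")
  assert(count and seconds, "config_cc_rate must look like 20/60")
  return tonumber(count), tonumber(seconds)
end

-- Returns 403 when this client has exceeded `count` requests to `uri` within
-- `seconds`, or nil when the request may continue. Mirrors the "direct 403"
-- behaviour described for the CC check (assumption: key = ip .. uri).
local function cc_check(dict, client_ip, uri, now)
  if config_cc_check ~= "on" then return nil end
  local count, seconds = parse_cc_rate(config_cc_rate)
  local key = client_ip .. uri
  local hits = dict:incr(key, 1, 0, seconds, now)
  if hits > count then
    return 403
  end
  return nil
end

-- Constructed demo: 25 requests from one address inside a single 60 s window,
-- then one more request after the window has expired.
local dict = new_fake_dict()
local blocked = 0
for _ = 1, 25 do
  if cc_check(dict, "192.0.2.10", "/", 100) == 403 then
    blocked = blocked + 1
  end
end
print("refused inside the window: " .. blocked)
print("after the window expires: " .. tostring(cc_check(dict, "192.0.2.10", "/", 161)))
```

With the constructed calls at the bottom, the first 20 requests pass, the remaining 5 are refused with 403, and once the 60 second window has elapsed the counter starts again and the next request passes. Lowering config_cc_rate changes only the two numbers parsed by parse_cc_rate; the counter and expiry logic stay the same.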

Test configuration

http {
    include       mime.types;
    default_type  application/octet-stream;

    sendfile        on;

    keepalive_timeout  65;

    gzip  on;

    lua_shared_dict limit 50m;
    lua_package_path "{path}/openresty-1.19.9.1-win64/lualib/?.lua;{path}/openresty-1.19.9.1-win64/conf/waf/?.lua;";
    init_by_lua_file "{path}/openresty-1.19.9.1-win64/conf/waf/init.lua";
    # same base directory as the three lines above, otherwise access.lua is not found at startup
    access_by_lua_file "{path}/openresty-1.19.9.1-win64/conf/waf/access.lua";

    server {
        listen       80;
        server_name  localhost;

        location / {
            lua_code_cache off; # reloads the Lua files on every request, handy while testing; leave it on (the default) in production
            default_type text/html;
            content_by_lua_block {
                ngx.say("HelloWorld")
            }
        }
    }

}

This post is only a record of the pitfalls met along the way; thanks to unixhot for open-sourcing the project, GitHub: https://github.com/unixhot/waf
