diff --git a/compile.sh b/compile.sh index bcd8971..102b4e2 100644 --- a/compile.sh +++ b/compile.sh @@ -3,7 +3,7 @@ NTASK=$(nproc) # install build dependencies -apk add --no-cache --virtual build autoconf libtool automake git geoip-dev yajl-dev g++ curl-dev libxml2-dev pcre-dev make linux-headers libmaxminddb-dev +apk add --no-cache --virtual build autoconf libtool automake git geoip-dev yajl-dev g++ curl-dev libxml2-dev pcre-dev make linux-headers libmaxminddb-dev musl-dev lua-dev # compile and install ModSecurity library cd /tmp @@ -45,6 +45,24 @@ git clone https://github.com/openresty/lua-resty-dns.git cd lua-resty-dns make install cd /tmp +git clone https://github.com/bungle/lua-resty-session.git +cd lua-resty-session +cp -r lib/resty/* /usr/local/lib/lua/resty +cd /tmp +git clone https://github.com/bungle/lua-resty-random.git +cd lua-resty-random +make install +cd /tmp +git clone https://github.com/openresty/lua-resty-string.git +cd lua-resty-string +make install +cd /tmp +git clone https://github.com/openresty/lua-cjson.git +cd lua-cjson +make -j $NTASK +make install +make install-extra +cd /tmp git clone https://github.com/openresty/lua-nginx-module.git export LUAJIT_LIB=/usr/local/lib export LUAJIT_INC=/usr/local/include/luajit-2.1 diff --git a/confs/main-lua.conf b/confs/main-lua.conf index 57823f5..eedd4eb 100644 --- a/confs/main-lua.conf +++ b/confs/main-lua.conf @@ -5,11 +5,16 @@ local use_whitelist_reverse = %USE_WHITELIST_REVERSE% local use_blacklist_ip = %USE_BLACKLIST_IP% local use_blacklist_reverse = %USE_BLACKLIST_REVERSE% local use_dnsbl = %USE_DNSBL% +local use_antibot_cookie = %USE_ANTIBOT_COOKIE% -- include LUA code local whitelist = require "whitelist" local blacklist = require "blacklist" local dnsbl = require "dnsbl" +local cookie = require "cookie" + +-- antibot +local antibot_uri = "%ANTIBOT_URI%" -- check if already in whitelist cache if use_whitelist_ip and whitelist.ip_cached_ok() then 
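Review bot: The new `git clone` lines for lua-resty-session, lua-resty-random, lua-resty-string and lua-cjson fetch whatever the default branch of each upstream repository points at when the image is built, so two builds of the same compile.sh can install different code and the result cannot be reproduced or audited; the pre-existing lua-resty-dns clone has the same property, but this hunk extends it to the libraries the antibot cookie check depends on. Pin each clone to a release, e.g. `git clone --depth 1 --branch <RELEASE_TAG> https://github.com/bungle/lua-resty-session.git`, and keep the chosen versions together at the top of the script so they are bumped deliberately. The `cp -r lib/resty/* /usr/local/lib/lua/resty` step also relies on that target directory already existing from an earlier install; if it does not, `cp` with several sources fails or, with a single source, copies it under the wrong name, so a `mkdir -p /usr/local/lib/lua/resty` before the copy removes the ordering dependency.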
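Review bot: `local antibot_uri = "%ANTIBOT_URI%"` is filled in by plain text substitution from the `ANTIBOT_URI` environment variable (the `replace_in_file "%ANTIBOT_URI%"` line in the entrypoint.sh hunk), so a value containing `"`, `\` or a newline changes the generated Lua source instead of being rejected, and the problem only surfaces when nginx loads the config. Validate the variable in entrypoint.sh before the substitution, e.g. `case "$ANTIBOT_URI" in` / `  ""|[!/]*|/*[!A-Za-z0-9_./-]*) echo "invalid ANTIBOT_URI: $ANTIBOT_URI" >&2 ; exit 1 ;;` / `esac`, which also guarantees that the later `ngx.var.uri ~= antibot_uri` comparison is made against an absolute path. The `%USE_ANTIBOT_COOKIE%` placeholder is not affected, since entrypoint.sh only ever writes the literals `true` or `false` into it.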
@@ -67,6 +72,21 @@ if use_dnsbl and not dnsbl.cached() then end end +-- cookie check +if use_antibot_cookie then + if not cookie.is_set() then + if ngx.var.uri ~= antibot_uri then + cookie.set() + return ngx.redirect(antibot_uri) + end + return ngx.exit(ngx.HTTP_FORBIDDEN) + else + if ngx.var.uri == antibot_uri then + return ngx.redirect(cookie.get_uri()) + end + end +end + ngx.exit(ngx.OK) } diff --git a/entrypoint.sh b/entrypoint.sh index 4cb6c44..fc7afae 100644 --- a/entrypoint.sh +++ b/entrypoint.sh @@ -153,6 +153,8 @@ SELF_SIGNED_SSL_CITY="${SELF_SIGNED_SSL_CITY-Bern}" SELF_SIGNED_SSL_ORG="${SELF_SIGNED_SSL_ORG-AcmeInc}" SELF_SIGNED_SSL_OU="${SELF_SIGNED_SSL_OU-IT}" SELF_SIGNED_SSL_CN="${SELF_SIGNED_SSL_CN-bunkerity-nginx}" +ANTIBOT_URI="${ANTIBOT_URI-/challenge}" +USE_ANTIBOT_COOKIE="${USE_ANTIBOT_COOKIE-yes}" # install additional modules if needed if [ "$ADDITIONAL_MODULES" != "" ] ; then @@ -493,6 +495,16 @@ fi list=$(spaces_to_lua "$DNSBL_LIST") replace_in_file "/usr/local/lib/lua/dnsbl.lua" "%DNSBL_LIST%" "$list" +# antibot uri +replace_in_file "/etc/nginx/main-lua.conf" "%ANTIBOT_URI%" "$ANTIBOT_URI" + +# antibot via cookie +if [ "$USE_ANTIBOT_COOKIE" = "yes" ] ; then + replace_in_file "/etc/nginx/main-lua.conf" "%USE_ANTIBOT_COOKIE%" "true" +else + replace_in_file "/etc/nginx/main-lua.conf" "%USE_ANTIBOT_COOKIE%" "false" +fi + if [ "$USE_LIMIT_REQ" = "yes" ] ; then replace_in_file "/etc/nginx/nginx.conf" "%LIMIT_REQ_ZONE%" "limit_req_zone \$binary_remote_addr zone=limit:${LIMIT_REQ_CACHE} rate=${LIMIT_REQ_RATE};" replace_in_file "/etc/nginx/server.conf" "%LIMIT_REQ%" "include /etc/nginx/limit-req.conf;" diff --git a/lua/cookie.lua b/lua/cookie.lua new file mode 100644 index 0000000..8bafc28 --- /dev/null +++ b/lua/cookie.lua 
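Review bot: The `return ngx.redirect(cookie.get_uri())` branch sends the client to whatever `request_uri` its own first request carried, without checking the stored value; a request line whose URI starts with `//` would be stored as such, and if `absolute_redirect` is off in the nginx config that becomes a protocol-relative redirect to another origin (with nginx's default of prefixing scheme and host the effect is a malformed local path instead, but main-lua.conf does not make that assumption explicit). Validate the target before redirecting: `local target = cookie.get_uri()` / `if type(target) ~= "string" or target:sub(1, 1) ~= "/" or target:sub(1, 2) == "//" then target = "/" end` / `return ngx.redirect(target)`. The `return ngx.exit(ngx.HTTP_FORBIDDEN)` line is reached only when a client arrives on `antibot_uri` with no session cookie, i.e. after the redirect from `cookie.set()` did not bring the cookie back; a comment such as `-- no session cookie returned after the redirect: client does not accept cookies` would make that intent clear to the next reader.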
@@ -0,0 +1,22 @@
+local M = {}
+local session = require "resty.session"
+
+function M.is_set ()
+ local s = session.open()
+ if s and s.data.uri then
+ return true
+ end
+ return false
+end
+
+function M.set ()
+ local s = session.start()
+ s.data.uri = ngx.var.request_uri
+ s:save()
+end
+
+function M.get_uri ()
+ return session.open().data.uri
+end
+
+return M
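Review bot: `M.get_uri` indexes `session.open().data.uri` without the nil guard that `M.is_set` applies to the same call, so if `session.open()` can return nil — which the `if s and s.data.uri` check in `is_set` assumes — `get_uri` raises a Lua error instead of returning nil; `local s = session.open()` / `return s and s.data and s.data.uri` keeps the two functions consistent. Both `session.open()` and `session.start()` are called with the library defaults only, so the cookie's signing secret and attributes (HttpOnly, Secure, SameSite) are whatever resty.session picks up from its nginx configuration variables such as `session_secret`; since the whole antibot decision rests on this cookie, those settings should be set explicitly in the nginx config or passed as an options table to `session.open{...}`/`session.start{...}`, and confirmed to be identical across workers. A module header stating that `data.uri` holds the client-supplied `ngx.var.request_uri` of the first request and must be validated before being used as a redirect target would help callers, e.g. `--- Antibot session cookie: stores the original request_uri so the challenge can redirect back; the stored value is client-controlled.`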