diff --git a/README.md b/README.md
index b32c6dd..67f322e 100644
--- a/README.md
+++ b/README.md
@@ -1196,6 +1196,12 @@ Default value :
 Context : *global*, *multisite*
 Whitelist user agent from being blocked by `BLOCK_USER_AGENT`.
 
+`WHITELIST_URI`
+Values : *\*
+Default value :
+Context : *global*, *multisite*
+URI listed here have security checks like bad user-agents, bad IP, ... disabled. Useful when using callbacks for example.
+
 ### Custom blacklisting
 
 `USE_BLACKLIST_IP`
diff --git a/confs/site/main-lua.conf b/confs/site/main-lua.conf
index c2e9c2c..4ef8a5d 100644
--- a/confs/site/main-lua.conf
+++ b/confs/site/main-lua.conf
@@ -19,7 +19,6 @@ local use_antibot_captcha = %USE_ANTIBOT_CAPTCHA%
 local use_antibot_recaptcha = %USE_ANTIBOT_RECAPTCHA%
 
 -- include LUA code
-
 local whitelist = require "whitelist"
 local blacklist = require "blacklist"
 local dnsbl = require "dnsbl"
@@ -31,11 +30,7 @@ local recaptcha = require "recaptcha"
 -- user variables
 local antibot_uri = "%ANTIBOT_URI%"
 local whitelist_user_agent = {%WHITELIST_USER_AGENT%}
-
--- check if it's let's encrypt bot
-if use_lets_encrypt and string.match(ngx.var.request_uri, "^/.well-known/acme-challenge/") then
-	ngx.exit(ngx.OK)
-end
+local whitelist_uri = {%WHITELIST_URI%}
 
 -- check if already in whitelist cache
 if use_whitelist_ip and whitelist.ip_cached_ok() then
@@ -72,6 +67,19 @@ if use_whitelist_reverse and not whitelist.reverse_cached() then
 	end
 end
 
+-- check if URI is whitelisted
+for k, v in pairs(whitelist_uri) do
+	if ngx.var.request_uri == v then
+		ngx.log(ngx.WARN, "[WHITELIST] URI " .. v .. " is whitelisted")
+		ngx.exit(ngx.OK)
+	end
+done
+
+-- check if it's certbot
+if use_lets_encrypt and string.match(ngx.var.request_uri, "^/.well-known/acme-challenge/") then
+	ngx.exit(ngx.OK)
+end
+
 -- check if IP is blacklisted (only if not in cache)
 if use_blacklist_ip and not blacklist.ip_cached() then
 	if blacklist.check_ip() then
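Review bot: Removing the ACME-challenge bypass here and re-adding it after the whitelist blocks (third hunk of this file) means a Let's Encrypt validation request now passes through the whitelist IP and reverse-DNS lookups before it is let through, whereas it previously short-circuited ahead of the "check if already in whitelist cache" block. That is only extra latency on the certbot path, not a blocking change, but if the intent was merely to group the two bypasses together, keeping the certbot check at its original position (or moving the URI whitelist up next to it) avoids it. Worth a one-line comment either way, e.g. `-- URI and certbot bypasses run after the whitelist checks on purpose`.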
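Review bot: The new URI loop is closed with `done`, which is shell syntax, not Lua — the `for … do` block must end with `end`, and as written the file will not parse, so (depending on how main-lua.conf is wired in) nginx either refuses the config or every request fails on the Lua error instead of reaching the whitelist; change `done` to `end`. Separately, `ngx.var.request_uri` is the raw request line including the query string, so an exact comparison against a configured path such as `/callback` does not match `/callback?token=…`; exact matching is the right fail-closed choice for a check that disables the bad-UA and bad-IP filters, but if callbacks carry query strings the comparison should likely be against `ngx.var.uri` (path only, normalised), still with `==` rather than a prefix match. The unused loop key could be `_` (`for _, v in pairs(whitelist_uri) do`).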
diff --git a/entrypoint/site-config.sh b/entrypoint/site-config.sh
index bcef00b..a6ad4f3 100644
--- a/entrypoint/site-config.sh
+++ b/entrypoint/site-config.sh
@@ -288,6 +288,14 @@ else
 	replace_in_file "${NGINX_PREFIX}main-lua.conf" "%WHITELIST_USER_AGENT%" ""
 fi
 
+# whitelist URI
+if [ "$WHITELIST_URI" != "" ] ; then
+	list=$(spaces_to_lua "$WHITELIST_URI")
+	replace_in_file "${NGINX_PREFIX}main-lua.conf" "%WHITELIST_URI%" "$list"
+else
+	replace_in_file "${NGINX_PREFIX}main-lua.conf" "%WHITELIST_URI%" ""
+fi
+
 # block bad referrer
 if [ "$BLOCK_REFERRER" = "yes" ] ; then
 	replace_in_file "${NGINX_PREFIX}main-lua.conf" "%USE_REFERRER%" "true"
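Review bot: `spaces_to_lua "$WHITELIST_URI"` turns an operator-supplied list into Lua source that `replace_in_file` splices into a table constructor in main-lua.conf, so a URI containing a double quote, a backslash, or a character special to the substitution tool would break the generated Lua (or be interpreted as Lua syntax) rather than being stored as data; neither helper is visible in this diff, so this is inferred from the `%WHITELIST_URI%` placeholder sitting inside `{ … }`. The same pattern is already used for `WHITELIST_USER_AGENT` just above, so the escaping belongs in the helpers rather than here, but a short comment on the new block would make the constraint explicit, e.g. `# each space-separated URI becomes a quoted Lua string; quotes and backslashes are not escaped`.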