feature - whitelist URI

bunkerity 2021-04-09 10:31:00 +02:00
parent e73c10fd80
commit b8105fc558
3 changed files with 28 additions and 6 deletions


@ -1196,6 +1196,12 @@ Default value :
Context : *global*, *multisite* Context : *global*, *multisite*
Whitelist user agent from being blocked by `BLOCK_USER_AGENT`. Whitelist user agent from being blocked by `BLOCK_USER_AGENT`.
`WHITELIST_URI`
Values : *\<list of URI separated with spaces\>*
Default value :
Context : *global*, *multisite*
URI listed here have security checks like bad user-agents, bad IP, ... disabled. Useful when using callbacks for example.
### Custom blacklisting ### Custom blacklisting
`USE_BLACKLIST_IP` `USE_BLACKLIST_IP`


@ -19,7 +19,6 @@ local use_antibot_captcha = %USE_ANTIBOT_CAPTCHA%
local use_antibot_recaptcha = %USE_ANTIBOT_RECAPTCHA% local use_antibot_recaptcha = %USE_ANTIBOT_RECAPTCHA%
-- include LUA code -- include LUA code
local whitelist = require "whitelist" local whitelist = require "whitelist"
local blacklist = require "blacklist" local blacklist = require "blacklist"
local dnsbl = require "dnsbl" local dnsbl = require "dnsbl"
@ -31,11 +30,7 @@ local recaptcha = require "recaptcha"
-- user variables -- user variables
local antibot_uri = "%ANTIBOT_URI%" local antibot_uri = "%ANTIBOT_URI%"
local whitelist_user_agent = {%WHITELIST_USER_AGENT%} local whitelist_user_agent = {%WHITELIST_USER_AGENT%}
local whitelist_uri = {%WHITELIST_URI%}
-- check if it's let's encrypt bot
if use_lets_encrypt and string.match(ngx.var.request_uri, "^/.well-known/acme-challenge/") then
ngx.exit(ngx.OK)
end
-- check if already in whitelist cache -- check if already in whitelist cache
if use_whitelist_ip and whitelist.ip_cached_ok() then if use_whitelist_ip and whitelist.ip_cached_ok() then
@ -72,6 +67,19 @@ if use_whitelist_reverse and not whitelist.reverse_cached() then
end end
end end
-- check if URI is whitelisted
for k, v in pairs(whitelist_uri) do
if ngx.var.request_uri == v then
ngx.log(ngx.WARN, "[WHITELIST] URI " .. v .. " is whitelisted")
ngx.exit(ngx.OK)
end
done
-- check if it's certbot
if use_lets_encrypt and string.match(ngx.var.request_uri, "^/.well-known/acme-challenge/") then
ngx.exit(ngx.OK)
end
-- check if IP is blacklisted (only if not in cache) -- check if IP is blacklisted (only if not in cache)
if use_blacklist_ip and not blacklist.ip_cached() then if use_blacklist_ip and not blacklist.ip_cached() then
if blacklist.check_ip() then if blacklist.check_ip() then
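Review bot: The new whitelist loop is closed with `done`, which is shell syntax; Lua closes a `for ... do` block with `end`, so as written the script should not parse and the access checks would presumably fail on every request. Replace the `done` after the inner `end` with `end`. The test is also an exact comparison against `ngx.var.request_uri`, which includes the query string, so a whitelisted callback that is called with parameters will not match and still goes through every check. That fails in the safe direction, but it deserves a comment above the loop, for example `-- exact match on the raw request URI, query string included`. The script continues outside this hunk, so the rest of the check order is not visible here.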


@ -288,6 +288,14 @@ else
replace_in_file "${NGINX_PREFIX}main-lua.conf" "%WHITELIST_USER_AGENT%" "" replace_in_file "${NGINX_PREFIX}main-lua.conf" "%WHITELIST_USER_AGENT%" ""
fi fi
# whitelist URI
if [ "$WHITELIST_URI" != "" ] ; then
list=$(spaces_to_lua "$WHITELIST_URI")
replace_in_file "${NGINX_PREFIX}main-lua.conf" "%WHITELIST_URI%" "$list"
else
replace_in_file "${NGINX_PREFIX}main-lua.conf" "%WHITELIST_URI%" ""
fi
# block bad referrer # block bad referrer
if [ "$BLOCK_REFERRER" = "yes" ] ; then if [ "$BLOCK_REFERRER" = "yes" ] ; then
replace_in_file "${NGINX_PREFIX}main-lua.conf" "%USE_REFERRER%" "true" replace_in_file "${NGINX_PREFIX}main-lua.conf" "%USE_REFERRER%" "true"
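Review bot: The entries of `WHITELIST_URI` are substituted into the Lua table literal `{%WHITELIST_URI%}`, and nothing in the added block checks them first. `spaces_to_lua` and `replace_in_file` are defined outside the hunk, so it is not visible whether they escape double quotes, backslashes or the replacement delimiter; if they do not, a malformed entry would presumably produce a Lua file that does not parse. Because a match disables every later check for that request, the expected format should be stated above the block, for example `# entries are exact URIs starting with "/"; they are inserted into Lua source, so no quotes or backslashes`.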