From d9bb97be505e937d774215d31890b0f77c7c1f0b Mon Sep 17 00:00:00 2001
From: bunkerity
Date: Tue, 18 May 2021 17:29:00 +0200
Subject: [PATCH] lua - move global vars from lua to site config (untested)

---
 compile.sh | 7 +++---
 confs/global/init-lua.conf | 2 +-
 confs/site/log-lua.conf | 12 ++++++----
 confs/site/main-lua.conf | 45 +++++++++++++++++++++++++++--------
 entrypoint/entrypoint.sh | 4 ----
 entrypoint/global-config.sh | 3 +++
 entrypoint/lua.sh | 47 -------------------------------------
 entrypoint/site-config.sh | 19 +++++++++++++++
 lua/api.lua | 10 ++++----
 lua/behavior.lua | 8 ++-----
 lua/blacklist.lua | 37 ++++++++++++++---------------
 lua/cookie.lua | 1 -
 lua/dns.lua | 10 ++++----
 lua/dnsbl.lua | 16 ++++++-------
 lua/whitelist.lua | 35 +++++++++++++--------------
 15 files changed, 121 insertions(+), 135 deletions(-)
 delete mode 100644 entrypoint/lua.sh

diff --git a/compile.sh b/compile.sh
index 60d71f5..1560ab6 100644
--- a/compile.sh
+++ b/compile.sh
@@ -130,9 +130,10 @@ git_secure_clone https://github.com/crowdsecurity/lua-cs-bouncer.git 3c235c813fc
 cd lua-cs-bouncer
 mkdir /usr/local/lib/lua/crowdsec
 cp lib/*.lua /usr/local/lib/lua/crowdsec
-cp template.conf /usr/local/lib/lua/crowdsec/crowdsec.conf
-sed -i 's/^API_URL=.*/API_URL=%CROWDSEC_HOST%/' /usr/local/lib/lua/crowdsec/crowdsec.conf
-sed -i 's/^API_KEY=.*/API_KEY=%CROWDSEC_KEY%/' /usr/local/lib/lua/crowdsec/crowdsec.conf
+mkdir /opt/crowdsec
+cp template.conf /opt/crowdsec/crowdsec.conf
+sed -i 's/^API_URL=.*/API_URL=%CROWDSEC_HOST%/' /opt/crowdsec/crowdsec.conf
+sed -i 's/^API_KEY=.*/API_KEY=%CROWDSEC_KEY%/' /opt/crowdsec/crowdsec.conf
 sed -i 's/require "lrucache"/require "resty.lrucache"/' /usr/local/lib/lua/crowdsec/CrowdSec.lua
 sed -i 's/require "config"/require "crowdsec.config"/' /usr/local/lib/lua/crowdsec/CrowdSec.lua
 cd /tmp
diff --git a/confs/global/init-lua.conf b/confs/global/init-lua.conf
index 38e9350..9db9092 100644
--- a/confs/global/init-lua.conf
+++ b/confs/global/init-lua.conf
@@ -31,7 +31,7 @@ end if use_crowdsec then local cs = require "crowdsec.CrowdSec" - local ok, err = cs.init("/usr/local/lib/lua/crowdsec/crowdsec.conf") + local ok, err = cs.init("/etc/nginx/crowdsec.conf") if ok == nil then ngx.log(ngx.ERR, "[CROWDSEC] " .. err) error() diff --git a/confs/site/log-lua.conf b/confs/site/log-lua.conf index 7cad8ca..cd77739 100644 --- a/confs/site/log-lua.conf +++ b/confs/site/log-lua.conf @@ -1,11 +1,15 @@ log_by_lua_block { -local use_bad_behavior = %USE_BAD_BEHAVIOR% - -local behavior = require "behavior" +-- bad behavior +local use_bad_behavior = %USE_BAD_BEHAVIOR% +local behavior = require "behavior" +local bad_behavior_status_codes = {%BAD_BEHAVIOR_STATUS_CODES%} +local bad_behavior_threshold = %BAD_BEHAVIOR_THRESHOLD% +local bad_behavior_count_time = %BAD_BEHAVIOR_COUNT_TIME% +local bad_behavior_ban_time = %BAD_BEHAVIOR_BAN_TIME% if use_bad_behavior then - behavior.count() + behavior.count(bad_behavior_status_code, bad_behavior_threshold, bad_behavior_count_time, bad_behavior_ban_time) end } diff --git a/confs/site/main-lua.conf b/confs/site/main-lua.conf index 0506663..9db9caa 100644 --- a/confs/site/main-lua.conf +++ b/confs/site/main-lua.conf 
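Review bot: In log-lua.conf the call `behavior.count(bad_behavior_status_code, bad_behavior_threshold, bad_behavior_count_time, bad_behavior_ban_time)` uses a name that is never declared; the local defined a few lines above is `bad_behavior_status_codes` (plural), so the first argument is the global `bad_behavior_status_code`, i.e. nil, and `ipairs(status_codes)` in behavior.count raises on every logged request once USE_BAD_BEHAVIOR is true. Change the call to `behavior.count(bad_behavior_status_codes, bad_behavior_threshold, bad_behavior_count_time, bad_behavior_ban_time)`. Running luacheck over a rendered copy of these conf files would catch this class of accidental global before deployment.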
@@ -3,23 +3,48 @@ set $session_check_addr on; access_by_lua_block { +-- let's encrypt local use_lets_encrypt = %USE_LETS_ENCRYPT% -local use_whitelist_ip = %USE_WHITELIST_IP% -local use_whitelist_reverse = %USE_WHITELIST_REVERSE% + +-- external blacklists local use_user_agents = %USE_USER_AGENTS% local use_proxies = %USE_PROXIES% local use_abusers = %USE_ABUSERS% local use_tor_exit_nodes = %USE_TOR_EXIT_NODES% local use_referrers = %USE_REFERRERS% + +-- countries local use_country = %USE_COUNTRY% -local use_blacklist_ip = %USE_BLACKLIST_IP% -local use_blacklist_reverse = %USE_BLACKLIST_REVERSE% -local use_dnsbl = %USE_DNSBL% + +-- crowdsec local use_crowdsec = %USE_CROWDSEC% + +-- antibot local use_antibot_cookie = %USE_ANTIBOT_COOKIE% local use_antibot_javascript = %USE_ANTIBOT_JAVASCRIPT% local use_antibot_captcha = %USE_ANTIBOT_CAPTCHA% local use_antibot_recaptcha = %USE_ANTIBOT_RECAPTCHA% + +-- resolvers +local dns_resolvers = %DNS_RESOLVERS% + +-- whitelist +local use_whitelist_ip = %USE_WHITELIST_IP% +local use_whitelist_reverse = %USE_WHITELIST_REVERSE% +local whitelist_ip_list = %WHITELIST_IP_LIST% +local whitelist_reverse_list = %WHITELIST_REVERSE_LIST% + +-- blacklist +local use_blacklist_ip = %USE_BLACKLIST_IP% +local use_blacklist_reverse = %USE_BLACKLIST_REVERSE% +local blacklist_ip_list = %BLACKLIST_IP_LIST% +local blacklist_reverse_list = %BLACKLIST_REVERSE_LIST% + +-- dnsbl +local use_dnsbl = %USE_DNSBL% +local dnsbl_list = %DNSBL_LIST% + +-- bad behavior local use_bad_behavior = %USE_BAD_BEHAVIOR% -- include LUA code 
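Review bot: The new list lines `local dns_resolvers = %DNS_RESOLVERS%`, `local whitelist_ip_list = %WHITELIST_IP_LIST%` and the whitelist-reverse, blacklist and dnsbl equivalents drop the `{ }` that wrapped the same placeholders in the removed lua/*.lua files, whereas log-lua.conf in this same commit keeps them (`{%BAD_BEHAVIOR_STATUS_CODES%}`). Unless spaces_to_lua (not visible here) has been changed to emit the braces itself, these expand to a bare comma-separated list, which is a syntax error for two or more entries and a plain string for one, on which `ipairs` in blacklist/whitelist/dnsbl raises. Either wrap them here, e.g. `local whitelist_ip_list = {%WHITELIST_IP_LIST%}`, or bring log-lua.conf in line with whatever spaces_to_lua actually produces, so both files follow one convention.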
@@ -61,14 +86,14 @@ end -- check if IP is whitelisted (only if not in cache) if use_whitelist_ip and not whitelist.ip_cached() then - if whitelist.check_ip() then + if whitelist.check_ip(whitelist_ip_list) then ngx.exit(ngx.OK) end end -- check if reverse is whitelisted (only if not in cache) if use_whitelist_reverse and not whitelist.reverse_cached() then - if whitelist.check_reverse() then + if whitelist.check_reverse(whitelist_reverse_list) then ngx.exit(ngx.OK) end end @@ -88,14 +113,14 @@ end -- check if IP is blacklisted (only if not in cache) if use_blacklist_ip and not blacklist.ip_cached() then - if blacklist.check_ip() then + if blacklist.check_ip(blacklist_ip_list) then ngx.exit(ngx.HTTP_FORBIDDEN) end end -- check if reverse is blacklisted (only if not in cache) if use_blacklist_reverse and not blacklist.reverse_cached() then - if blacklist.check_reverse() then + if blacklist.check_reverse(blacklist_reverse_list, dns_resolvers) then ngx.exit(ngx.HTTP_FORBIDDEN) end end @@ -197,7 +222,7 @@ end -- check if IP is in DNSBLs (only if not in cache) if use_dnsbl and not dnsbl.cached() then - if dnsbl.check() then + if dnsbl.check(dnsbl_list, dns_resolvers) then ngx.exit(ngx.HTTP_FORBIDDEN) end end diff --git a/entrypoint/entrypoint.sh b/entrypoint/entrypoint.sh index 2c4a63b..7fe9a78 100644 --- a/entrypoint/entrypoint.sh +++ b/entrypoint/entrypoint.sh @@ -50,10 +50,6 @@ if [ ! -f "/opt/installed" ] ; then exit 1 fi - # lua config - # TODO : move variables from /usr/local/lib/lua + multisite support ? - /opt/entrypoint/lua.sh - # clamav config /opt/entrypoint/clamav.sh diff --git a/entrypoint/global-config.sh b/entrypoint/global-config.sh index a55051e..68fea84 100644 --- a/entrypoint/global-config.sh +++ b/entrypoint/global-config.sh 
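Review bot: `whitelist.check_reverse(whitelist_reverse_list)` passes no resolver list, although this commit changes `M.check_reverse (reverse_list, resolvers)` in lua/whitelist.lua to forward `resolvers` to `dns.get_reverse` and `dns.get_ips`; the blacklist and dnsbl calls in the next two hunks do pass `dns_resolvers`. With `nameservers=nil` the resolver is expected not to be created, `get_reverse` returns "", and the whitelist reverse check silently returns false and caches "ko" for that client for 86400 s. Change the line to `if whitelist.check_reverse(whitelist_reverse_list, dns_resolvers) then`.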
@@ -230,6 +230,9 @@ fi
 # CrowdSec setup
 if [ "$(has_value USE_CROWDSEC yes)" != "" ] ; then
 replace_in_file "/etc/nginx/init-lua.conf" "%USE_CROWDSEC%" "true"
+ cp /opt/crowdsec/crowdsec.conf /etc/nginx
+ replace_in_file "/etc/nginx/crowdsec.conf" "%CROWDSEC_HOST%" "$CROWDSEC_HOST"
+ replace_in_file "/etc/nginx/crowdsec.conf" "%CROWDSEC_KEY%" "$CROWDSEC_KEY"
 else
 replace_in_file "/etc/nginx/init-lua.conf" "%USE_CROWDSEC%" "false"
 fi
diff --git a/entrypoint/lua.sh b/entrypoint/lua.sh
deleted file mode 100644
index fc4eb1f..0000000
--- a/entrypoint/lua.sh
+++ /dev/null
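Review bot: `cp /opt/crowdsec/crowdsec.conf /etc/nginx` followed by the two `replace_in_file` calls writes the CrowdSec API key in clear text into a file whose mode is whatever the build step left on the template; nothing in this hunk restricts it. Only the nginx worker needs to read it, so `install -m 600 /opt/crowdsec/crowdsec.conf /etc/nginx/crowdsec.conf` (with the owner set to the user nginx runs as, which is not visible here) would keep the key from other processes in the container. Separately, if `replace_in_file` in utils.sh is sed-based, a key containing `/` or `&` would corrupt the substitution; worth confirming how it escapes its replacement argument.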
@@ -1,47 +0,0 @@
-#!/bin/bash
-
-# load default values
-. /opt/entrypoint/defaults.sh
-
-# load some functions
-. /opt/entrypoint/utils.sh
-
-# copy stub LUA scripts
-cp -r /opt/lua/* /usr/local/lib/lua
-
-# DNS resolvers
-resolvers=$(spaces_to_lua "$DNS_RESOLVERS")
-replace_in_file "/usr/local/lib/lua/dns.lua" "%DNS_RESOLVERS%" "$resolvers"
-
-# whitelist IP
-list=$(spaces_to_lua "$WHITELIST_IP_LIST")
-replace_in_file "/usr/local/lib/lua/whitelist.lua" "%WHITELIST_IP_LIST%" "$list"
-
-# whitelist rDNS
-list=$(spaces_to_lua "$WHITELIST_REVERSE_LIST")
-replace_in_file "/usr/local/lib/lua/whitelist.lua" "%WHITELIST_REVERSE_LIST%" "$list"
-
-# blacklist IP
-list=$(spaces_to_lua "$BLACKLIST_IP_LIST")
-replace_in_file "/usr/local/lib/lua/blacklist.lua" "%BLACKLIST_IP_LIST%" "$list"
-
-# blacklist rDNS
-list=$(spaces_to_lua "$BLACKLIST_REVERSE_LIST")
-replace_in_file "/usr/local/lib/lua/blacklist.lua" "%BLACKLIST_REVERSE_LIST%" "$list"
-
-# DNSBL
-list=$(spaces_to_lua "$DNSBL_LIST")
-replace_in_file "/usr/local/lib/lua/dnsbl.lua" "%DNSBL_LIST%" "$list"
-
-# bad behavior
-list=$(spaces_to_lua "$BAD_BEHAVIOR_STATUS_CODES")
-replace_in_file "/usr/local/lib/lua/behavior.lua" "%STATUS_CODES%" "$list"
-replace_in_file "/usr/local/lib/lua/behavior.lua" "%THRESHOLD%" "$BAD_BEHAVIOR_THRESHOLD"
-replace_in_file "/usr/local/lib/lua/behavior.lua" "%BAN_TIME%" "$BAD_BEHAVIOR_BAN_TIME"
-replace_in_file "/usr/local/lib/lua/behavior.lua" "%COUNT_TIME%" "$BAD_BEHAVIOR_COUNT_TIME"
-
-# CrowdSec setup
-if [ "$(has_value USE_CROWDSEC yes)" != "" ] ; then
-replace_in_file "/usr/local/lib/lua/crowdsec/crowdsec.conf" "%CROWDSEC_HOST%" "$CROWDSEC_HOST"
-replace_in_file "/usr/local/lib/lua/crowdsec/crowdsec.conf" "%CROWDSEC_KEY%" "$CROWDSEC_KEY"
-fi
diff --git a/entrypoint/site-config.sh b/entrypoint/site-config.sh
index 12e1468..09953a0 100644
--- a/entrypoint/site-config.sh
+++ b/entrypoint/site-config.sh
@@ -474,6 +474,8 @@ if [ "$USE_WHITELIST_IP" = "yes" ] ; then else replace_in_file "${NGINX_PREFIX}main-lua.conf" "%USE_WHITELIST_IP%" "false" fi +list=$(spaces_to_lua "$WHITELIST_IP_LIST") +replace_in_file "${NGINX_PREFIX}main-lua.conf" "%WHITELIST_IP_LIST%" "$list" # whitelist rDNS if [ "$USE_WHITELIST_REVERSE" = "yes" ] ; then @@ -481,6 +483,8 @@ if [ "$USE_WHITELIST_REVERSE" = "yes" ] ; then else replace_in_file "${NGINX_PREFIX}main-lua.conf" "%USE_WHITELIST_REVERSE%" "false" fi +list=$(spaces_to_lua "$WHITELIST_REVERSE_LIST") +replace_in_file "${NGINX_PREFIX}main-lua.conf" "%WHITELIST_REVERSE_LIST%" "$list" # blacklist IP if [ "$USE_BLACKLIST_IP" = "yes" ] ; then @@ -488,6 +492,8 @@ if [ "$USE_BLACKLIST_IP" = "yes" ] ; then else replace_in_file "${NGINX_PREFIX}main-lua.conf" "%USE_BLACKLIST_IP%" "false" fi +list=$(spaces_to_lua "$BLACKLIST_IP_LIST") +replace_in_file "${NGINX_PREFIX}main-lua.conf" "%BLACKLIST_IP_LIST%" "$list" # blacklist rDNS if [ "$USE_BLACKLIST_REVERSE" = "yes" ] ; then @@ -495,6 +501,8 @@ if [ "$USE_BLACKLIST_REVERSE" = "yes" ] ; then else replace_in_file "${NGINX_PREFIX}main-lua.conf" "%USE_BLACKLIST_REVERSE%" "false" fi +list=$(spaces_to_lua "$BLACKLIST_REVERSE_LIST") +replace_in_file "${NGINX_PREFIX}main-lua.conf" "%BLACKLIST_REVERSE_LIST%" "$list" # DNSBL if [ "$USE_DNSBL" = "yes" ] ; then @@ -502,6 +510,8 @@ if [ "$USE_DNSBL" = "yes" ] ; then else replace_in_file "${NGINX_PREFIX}main-lua.conf" "%USE_DNSBL%" "false" fi +list=$(spaces_to_lua "$DNSBL_LIST") +replace_in_file "${NGINX_PREFIX}main-lua.conf" "%DNSBL_LIST%" "$list" # antibot uri and session secret replace_in_file "${NGINX_PREFIX}main-lua.conf" "%ANTIBOT_URI%" "$ANTIBOT_URI" 
@@ -570,6 +580,11 @@ else replace_in_file "${NGINX_PREFIX}main-lua.conf" "%USE_BAD_BEHAVIOR%" "false" replace_in_file "${NGINX_PREFIX}log-lua.conf" "%USE_BAD_BEHAVIOR%" "false" fi +list=$(spaces_to_lua "$BAD_BEHAVIOR_STATUS_CODES") +replace_in_file "${NGINX_PREFIX}log-lua.conf" "%BAD_BEHAVIOR_STATUS_CODES%" "$list" +replace_in_file "${NGINX_PREFIX}log-lua.conf" "%BAD_BEHAVIOR_THRESHOLD%" "$BAD_BEHAVIOR_THRESHOLD" +replace_in_file "${NGINX_PREFIX}log-lua.conf" "%BAD_BEHAVIOR_BAN_TIME%" "$BAD_BEHAVIOR_BAN_TIME" +replace_in_file "${NGINX_PREFIX}log-lua.conf" "%BAD_BEHAVIOR_COUNT_TIME%" "$BAD_BEHAVIOR_COUNT_TIME" # request limiting if [ "$USE_LIMIT_REQ" = "yes" ] ; then @@ -600,3 +615,7 @@ if [ "$USE_CROWDSEC" = "yes" ] ; then else replace_in_file "${NGINX_PREFIX}main-lua.conf" "%USE_CROWDSEC%" "false" fi + +# DNS resolvers +resolvers=$(spaces_to_lua "$DNS_RESOLVERS") +replace_in_file "${NGINX_PREFIX}main-lua.conf" "%DNS_RESOLVERS%" "$resolvers" diff --git a/lua/api.lua b/lua/api.lua index 4f6d9a4..f901639 100644 --- a/lua/api.lua +++ b/lua/api.lua @@ -1,19 +1,19 @@ local M = {} -M.api_list = {} +local api_list = {} local iputils = require "resty.iputils" -M.api_list["^/ping$"] = function () +api_list["^/ping$"] = function () return true end -M.api_list["^/reload$"] = function () +api_list["^/reload$"] = function () return os.execute("/usr/sbin/nginx -s reload") == 0 end function M.is_api_call (api_uri, api_whitelist_ip) local whitelist = iputils.parse_cidrs(api_whitelist_ip) if iputils.ip_in_cidrs(ngx.var.remote_addr, whitelist) and ngx.var.request_uri:sub(1, #api_uri) .. "/" == api_uri .. "/" then - for uri, code in pairs(M.api_list) do + for uri, code in pairs(api_list) do if string.match(ngx.var.request_uri:sub(#api_uri + 1), uri) then return true end 
@@ -23,7 +23,7 @@ function M.is_api_call (api_uri, api_whitelist_ip) end function M.do_api_call (api_uri) - for uri, code in pairs(M.api_list) do + for uri, code in pairs(api_list) do if string.match(ngx.var.request_uri:sub(#api_uri + 1), uri) then return code() end diff --git a/lua/behavior.lua b/lua/behavior.lua index d904d37..215308b 100644 --- a/lua/behavior.lua +++ b/lua/behavior.lua @@ -1,14 +1,10 @@ -local M = {} -local status_codes = {%STATUS_CODES%} -local threshold = %THRESHOLD% -local count_time = %COUNT_TIME% -local ban_time = %BAN_TIME% +local M = {} function M.is_banned () return ngx.shared.behavior_ban:get(ngx.var.remote_addr) == true end -function M.count () +function M.count (status_codes, threshold, count_time, ban_time) for k, v in ipairs(status_codes) do if v == tostring(ngx.status) then local count = ngx.shared.behavior_count:get(ngx.var.remote_addr) diff --git a/lua/blacklist.lua b/lua/blacklist.lua index a57163b..6ee954d 100644 --- a/lua/blacklist.lua +++ b/lua/blacklist.lua 
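Review bot: `function M.count (status_codes, threshold, count_time, ban_time)` in lua/behavior.lua now takes four positional values that used to be baked in at build time, and nothing documents their types or order, so a caller that swaps `count_time` and `ban_time` (both plain numbers) would not be noticed until bans behave oddly. An LDoc block above the function would help: `--- Count the current response against the client IP and ban it once the threshold is reached.` followed by `-- @tparam table status_codes` (strings, since the loop compares each entry to `tostring(ngx.status)`), `-- @tparam number threshold`, `-- @tparam number count_time` and `-- @tparam number ban_time`, with the unit of the two time values stated. The body of M.count continues past the end of the hunk.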
@@ -1,53 +1,50 @@ -local M = {} -local dns = require "dns" -local iputils = require "resty.iputils" -local ip_list = {%BLACKLIST_IP_LIST%} -local blacklist = iputils.parse_cidrs(ip_list) -local reverse_list = {%BLACKLIST_REVERSE_LIST%} -local ip = ngx.var.remote_addr +local M = {} +local dns = require "dns" +local iputils = require "resty.iputils" function M.ip_cached_ko () - return ngx.shared.blacklist_ip_cache:get(ip) == "ko" + return ngx.shared.blacklist_ip_cache:get(ngx.var.remote_addr) == "ko" end function M.reverse_cached_ko () - return ngx.shared.blacklist_reverse_cache:get(ip) == "ko" + return ngx.shared.blacklist_reverse_cache:get(ngx.var.remote_addr) == "ko" end function M.ip_cached () - return ngx.shared.blacklist_ip_cache:get(ip) ~= nil + return ngx.shared.blacklist_ip_cache:get(ngx.var.remote_addr) ~= nil end function M.reverse_cached () - return ngx.shared.blacklist_reverse_cache:get(ip) ~= nil + return ngx.shared.blacklist_reverse_cache:get(ngx.var.remote_addr) ~= nil end -function M.check_ip () +function M.check_ip (ip_list) if #ip_list > 0 then - if iputils.ip_in_cidrs(ip, blacklist) then - ngx.shared.blacklist_ip_cache:set(ip, "ko", 86400) - ngx.log(ngx.NOTICE, "ip " .. ip .. " is in blacklist") + local blacklist = iputils.parse_cidrs(ip_list) + if iputils.ip_in_cidrs(ngx.var.remote_addr, blacklist) then + ngx.shared.blacklist_ip_cache:set(ngx.var.remote_addr, "ko", 86400) + ngx.log(ngx.NOTICE, "ip " .. ngx.var.remote_addr .. 
" is in blacklist") return true end end - ngx.shared.blacklist_ip_cache:set(ip, "ok", 86400) + ngx.shared.blacklist_ip_cache:set(ngx.var.remote_addr, "ok", 86400) return false end -function M.check_reverse () +function M.check_reverse (reverse_list, resolvers) if #reverse_list > 0 then - local rdns = dns.get_reverse() + local rdns = dns.get_reverse(resolvers) if rdns ~= "" then for k, v in ipairs(reverse_list) do if rdns:sub(-#v) == v then - ngx.shared.blacklist_reverse_cache:set(ip, "ko", 86400) + ngx.shared.blacklist_reverse_cache:set(ngx.var.remote_addr, "ko", 86400) ngx.log(ngx.NOTICE, "reverse " .. rdns .. " is in blacklist") return true end end end end - ngx.shared.blacklist_reverse_cache:set(ip, "ok", 86400) + ngx.shared.blacklist_reverse_cache:set(ngx.var.remote_addr, "ok", 86400) return false end diff --git a/lua/cookie.lua b/lua/cookie.lua index 91fc68f..2525690 100644 --- a/lua/cookie.lua +++ b/lua/cookie.lua @@ -1,4 +1,3 @@ - local M = {} local session = require "resty.session" diff --git a/lua/dns.lua b/lua/dns.lua index a462757..60b1d28 100644 --- a/lua/dns.lua +++ b/lua/dns.lua @@ -1,15 +1,13 @@ local M = {} local resolver = require "resty.dns.resolver" -local resolvers = {%DNS_RESOLVERS%} -local ip = ngx.var.remote_addr -function M.get_reverse() +function M.get_reverse(resolvers) local r, err = resolver:new{nameservers=resolvers, retrans=2, timeout=2000} if not r then return "" end local rdns = "" - local answers, err = r:reverse_query(ip) + local answers, err = r:reverse_query(ngx.var.remote_addr) if answers ~= nil and not answers.errcode then for ak, av in ipairs(answers) do if av.ptrdname then @@ -21,7 +19,7 @@ function M.get_reverse() return rdns end -function M.get_ips(fqdn) +function M.get_ips(fqdn, resolvers) local r, err = resolver:new{nameservers=resolvers, retrans=2, timeout=2000} if not r then return "" 
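Review bot: `M.check_ip (ip_list)` in lua/blacklist.lua now runs `iputils.parse_cidrs(ip_list)` on every uncached request, whereas before the list was parsed once at module load; `M.check_ip` in lua/whitelist.lua in this commit does the same. The shared-dict cache bounds the cost to one parse per client IP per day, but with a long CIDR list that is still avoidable work on the request path. A module-level memo keyed on `table.concat(ip_list, ",")` (the list table itself is a fresh literal per request in main-lua.conf, so keying on its identity would not help) keeps the parse to once per distinct list, e.g. `local key = table.concat(ip_list, ","); parsed[key] = parsed[key] or iputils.parse_cidrs(ip_list)`.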
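Review bot: In `M.get_reverse(resolvers)` the `err` returned by `resolver:new{nameservers=resolvers, retrans=2, timeout=2000}` is discarded; now that the resolver list comes from the caller, a nil or empty list fails at this point and the caller only sees "", which is indistinguishable from "no PTR record" and, in blacklist/whitelist check_reverse, ends in a negative cache entry for the client. Log it before returning, `ngx.log(ngx.ERR, "resolver init failed: " .. tostring(err))`. The same applies to `M.get_ips(fqdn, resolvers)` in the next hunk, which additionally returns `""` on that path while its callers (`dnsbl.check` and `whitelist.check_reverse` in this commit) iterate the result with `ipairs`, which raises on a string; returning `{}` there keeps those callers safe.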
@@ -39,7 +37,7 @@ function M.get_ips(fqdn) end function M.ip_to_arpa() - return resolver.arpa_str(ip):gsub("%.in%-addr%.arpa", ""):gsub("%.ip6%.arpa", "") + return resolver.arpa_str(ngx.var.remote_addr):gsub("%.in%-addr%.arpa", ""):gsub("%.ip6%.arpa", "") end return M diff --git a/lua/dnsbl.lua b/lua/dnsbl.lua index 07ab4f2..a41626e 100644 --- a/lua/dnsbl.lua +++ b/lua/dnsbl.lua @@ -1,31 +1,29 @@ local M = {} local dns = require "dns" -local dnsbls = {%DNSBL_LIST%} -local ip = ngx.var.remote_addr function M.cached_ko () - return ngx.shared.dnsbl_cache:get(ip) == "ko" + return ngx.shared.dnsbl_cache:get(ngx.var.remote_addr) == "ko" end function M.cached () - return ngx.shared.dnsbl_cache:get(ip) ~= nil + return ngx.shared.dnsbl_cache:get(ngx.var.remote_addr) ~= nil end -function M.check () +function M.check (dnsbls, resolvers) local rip = dns.ip_to_arpa() for k, v in ipairs(dnsbls) do local req = rip .. "." .. v - local ips = dns.get_ips(req) + local ips = dns.get_ips(req, resolvers) for k2, v2 in ipairs(ips) do local a,b,c,d = v2:match("([%d]+).([%d]+).([%d]+).([%d]+)") if a == "127" then - ngx.shared.dnsbl_cache:set(ip, "ko", 86400) - ngx.log(ngx.NOTICE, "ip " .. ip .. " is in DNSBL " .. v) + ngx.shared.dnsbl_cache:set(ngx.var.remote_addr, "ko", 86400) + ngx.log(ngx.NOTICE, "ip " .. ngx.var.remote_addr .. " is in DNSBL " .. v) return true end end end - ngx.shared.dnsbl_cache:set(ip, "ok", 86400) + ngx.shared.dnsbl_cache:set(ngx.var.remote_addr, "ok", 86400) return false end diff --git a/lua/whitelist.lua b/lua/whitelist.lua index 2b2292b..78e9961 100644 --- a/lua/whitelist.lua +++ b/lua/whitelist.lua 
@@ -1,42 +1,39 @@ local M = {} local dns = require "dns" local iputils = require "resty.iputils" -local ip_list = {%WHITELIST_IP_LIST%} -local reverse_list = {%WHITELIST_REVERSE_LIST%} -local whitelist = iputils.parse_cidrs(ip_list) -local ip = ngx.var.remote_addr function M.ip_cached_ok () - return ngx.shared.whitelist_ip_cache:get(ip) == "ok" + return ngx.shared.whitelist_ip_cache:get(ngx.var.remote_addr) == "ok" end function M.reverse_cached_ok () - return ngx.shared.whitelist_reverse_cache:get(ip) == "ok" + return ngx.shared.whitelist_reverse_cache:get(ngx.var.remote_addr) == "ok" end function M.ip_cached () - return ngx.shared.whitelist_ip_cache:get(ip) ~= nil + return ngx.shared.whitelist_ip_cache:get(ngx.var.remote_addr) ~= nil end function M.reverse_cached () - return ngx.shared.whitelist_reverse_cache:get(ip) ~= nil + return ngx.shared.whitelist_reverse_cache:get(ngx.var.remote_addr) ~= nil end -function M.check_ip () +function M.check_ip (ip_list) if #ip_list > 0 then - if iputils.ip_in_cidrs(ip, whitelist) then - ngx.shared.whitelist_ip_cache:set(ip, "ok", 86400) - ngx.log(ngx.NOTICE, "ip " .. ip .. " is in whitelist") + local whitelist = iputils.parse_cidrs(ip_list) + if iputils.ip_in_cidrs(ngx.var.remote_addr, whitelist) then + ngx.shared.whitelist_ip_cache:set(ngx.var.remote_addr, "ok", 86400) + ngx.log(ngx.NOTICE, "ip " .. ngx.var.remote_addr .. " is in whitelist") return true end end - ngx.shared.whitelist_ip_cache:set(ip, "ko", 86400) + ngx.shared.whitelist_ip_cache:set(ngx.var.remote_addr, "ko", 86400) return false end -function M.check_reverse () +function M.check_reverse (reverse_list, resolvers) if #reverse_list > 0 then - local rdns = dns.get_reverse() + local rdns = dns.get_reverse(resolvers) if rdns ~= "" then local whitelisted = false for k, v in ipairs(reverse_list) do 
@@ -46,10 +43,10 @@ function M.check_reverse () end end if whitelisted then - local ips = dns.get_ips(rdns) + local ips = dns.get_ips(rdns, resolvers) for k, v in ipairs(ips) do - if v == ip then - ngx.shared.whitelist_reverse_cache:set(ip, "ok", 86400) + if v == ngx.var.remote_addr then + ngx.shared.whitelist_reverse_cache:set(ngx.var.remote_addr, "ok", 86400) ngx.log(ngx.NOTICE, "reverse " .. rdns .. " is in whitelist") return true end @@ -57,7 +54,7 @@ function M.check_reverse () end end end - ngx.shared.whitelist_reverse_cache:set(ip, "ko", 86400) + ngx.shared.whitelist_reverse_cache:set(ngx.var.remote_addr, "ko", 86400) return false end