lua - move global vars from lua to site config (untested)
10
lua/api.lua
10
lua/api.lua
@@ -1,19 +1,19 @@
|
||||
local M = {}
|
||||
M.api_list = {}
|
||||
local api_list = {}
|
||||
local iputils = require "resty.iputils"
|
||||
|
||||
M.api_list["^/ping$"] = function ()
|
||||
api_list["^/ping$"] = function ()
|
||||
return true
|
||||
end
|
||||
|
||||
M.api_list["^/reload$"] = function ()
|
||||
api_list["^/reload$"] = function ()
|
||||
return os.execute("/usr/sbin/nginx -s reload") == 0
|
||||
end
|
||||
|
||||
function M.is_api_call (api_uri, api_whitelist_ip)
|
||||
local whitelist = iputils.parse_cidrs(api_whitelist_ip)
|
||||
if iputils.ip_in_cidrs(ngx.var.remote_addr, whitelist) and ngx.var.request_uri:sub(1, #api_uri) .. "/" == api_uri .. "/" then
|
||||
for uri, code in pairs(M.api_list) do
|
||||
for uri, code in pairs(api_list) do
|
||||
if string.match(ngx.var.request_uri:sub(#api_uri + 1), uri) then
|
||||
return true
|
||||
end
|
||||
@@ -23,7 +23,7 @@ function M.is_api_call (api_uri, api_whitelist_ip)
|
||||
end
|
||||
|
||||
function M.do_api_call (api_uri)
|
||||
for uri, code in pairs(M.api_list) do
|
||||
for uri, code in pairs(api_list) do
|
||||
if string.match(ngx.var.request_uri:sub(#api_uri + 1), uri) then
|
||||
return code()
|
||||
end
|
||||
|
||||
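Review bot: `is_api_call` authorises the `/reload` endpoint, whose handler runs `os.execute("/usr/sbin/nginx -s reload")`, purely on `ngx.var.remote_addr`, i.e. the TCP peer address; if this nginx is fronted by a load balancer or CDN every request arrives with that proxy's address, and whitelisting it would open `/reload` to all clients. A comment stating the deployment assumption would help, e.g. `-- api_whitelist_ip is matched against the TCP peer (remote_addr); never list an upstream proxy here`. `iputils.parse_cidrs(api_whitelist_ip)` also runs on every request even though the list is static per configuration; now that the caller owns it, it could be parsed once and the parsed table passed in. The body of `do_api_call` continues outside the hunk.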
@@ -1,14 +1,10 @@
|
||||
local M = {}
|
||||
local status_codes = {%STATUS_CODES%}
|
||||
local threshold = %THRESHOLD%
|
||||
local count_time = %COUNT_TIME%
|
||||
local ban_time = %BAN_TIME%
|
||||
local M = {}
|
||||
|
||||
function M.is_banned ()
|
||||
return ngx.shared.behavior_ban:get(ngx.var.remote_addr) == true
|
||||
end
|
||||
|
||||
function M.count ()
|
||||
function M.count (status_codes, threshold, count_time, ban_time)
|
||||
for k, v in ipairs(status_codes) do
|
||||
if v == tostring(ngx.status) then
|
||||
local count = ngx.shared.behavior_count:get(ngx.var.remote_addr)
|
||||
|
||||
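Review bot: `M.count` compares each configured entry with `tostring(ngx.status)`, so the new `status_codes` parameter only works if the site config supplies strings; a list such as `{403, 404}` would never match and the banning logic would silently never fire. Normalising both sides, `if tostring(v) == tostring(ngx.status) then`, makes the function tolerant of either form. The signature also gains `threshold`, `count_time` and `ban_time` without any documentation; a short header comment naming their meaning and units (presumably seconds for the last two — confirm against the caller) would help whoever writes the site config. `M.count`'s body continues outside the hunk.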
@@ -1,53 +1,50 @@
|
||||
local M = {}
|
||||
local dns = require "dns"
|
||||
local iputils = require "resty.iputils"
|
||||
local ip_list = {%BLACKLIST_IP_LIST%}
|
||||
local blacklist = iputils.parse_cidrs(ip_list)
|
||||
local reverse_list = {%BLACKLIST_REVERSE_LIST%}
|
||||
local ip = ngx.var.remote_addr
|
||||
local M = {}
|
||||
local dns = require "dns"
|
||||
local iputils = require "resty.iputils"
|
||||
|
||||
function M.ip_cached_ko ()
|
||||
return ngx.shared.blacklist_ip_cache:get(ip) == "ko"
|
||||
return ngx.shared.blacklist_ip_cache:get(ngx.var.remote_addr) == "ko"
|
||||
end
|
||||
|
||||
function M.reverse_cached_ko ()
|
||||
return ngx.shared.blacklist_reverse_cache:get(ip) == "ko"
|
||||
return ngx.shared.blacklist_reverse_cache:get(ngx.var.remote_addr) == "ko"
|
||||
end
|
||||
|
||||
function M.ip_cached ()
|
||||
return ngx.shared.blacklist_ip_cache:get(ip) ~= nil
|
||||
return ngx.shared.blacklist_ip_cache:get(ngx.var.remote_addr) ~= nil
|
||||
end
|
||||
|
||||
function M.reverse_cached ()
|
||||
return ngx.shared.blacklist_reverse_cache:get(ip) ~= nil
|
||||
return ngx.shared.blacklist_reverse_cache:get(ngx.var.remote_addr) ~= nil
|
||||
end
|
||||
|
||||
function M.check_ip ()
|
||||
function M.check_ip (ip_list)
|
||||
if #ip_list > 0 then
|
||||
if iputils.ip_in_cidrs(ip, blacklist) then
|
||||
ngx.shared.blacklist_ip_cache:set(ip, "ko", 86400)
|
||||
ngx.log(ngx.NOTICE, "ip " .. ip .. " is in blacklist")
|
||||
local blacklist = iputils.parse_cidrs(ip_list)
|
||||
if iputils.ip_in_cidrs(ngx.var.remote_addr, blacklist) then
|
||||
ngx.shared.blacklist_ip_cache:set(ngx.var.remote_addr, "ko", 86400)
|
||||
ngx.log(ngx.NOTICE, "ip " .. ngx.var.remote_addr .. " is in blacklist")
|
||||
return true
|
||||
end
|
||||
end
|
||||
ngx.shared.blacklist_ip_cache:set(ip, "ok", 86400)
|
||||
ngx.shared.blacklist_ip_cache:set(ngx.var.remote_addr, "ok", 86400)
|
||||
return false
|
||||
end
|
||||
|
||||
function M.check_reverse ()
|
||||
function M.check_reverse (reverse_list, resolvers)
|
||||
if #reverse_list > 0 then
|
||||
local rdns = dns.get_reverse()
|
||||
local rdns = dns.get_reverse(resolvers)
|
||||
if rdns ~= "" then
|
||||
for k, v in ipairs(reverse_list) do
|
||||
if rdns:sub(-#v) == v then
|
||||
ngx.shared.blacklist_reverse_cache:set(ip, "ko", 86400)
|
||||
ngx.shared.blacklist_reverse_cache:set(ngx.var.remote_addr, "ko", 86400)
|
||||
ngx.log(ngx.NOTICE, "reverse " .. rdns .. " is in blacklist")
|
||||
return true
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
||||
ngx.shared.blacklist_reverse_cache:set(ip, "ok", 86400)
|
||||
ngx.shared.blacklist_reverse_cache:set(ngx.var.remote_addr, "ok", 86400)
|
||||
return false
|
||||
end
|
||||
|
||||
|
||||
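Review bot: In `check_reverse` the test `rdns:sub(-#v) == v` is a bare suffix match, so an entry `bad.example` also matches `notbad.example` unless every configured entry already starts with a dot; anchoring on a label boundary, `if rdns == v or rdns:sub(-#v - 1) == "." .. v then`, avoids that. The reverse name comes from a PTR record the remote operator controls and is not forward-confirmed here, which is acceptable for a denylist (faking it only harms the sender) but deserves a comment so nobody reuses the check for an allowlist. `check_ip` now calls `iputils.parse_cidrs(ip_list)` on every uncached request; parsing once in the caller and passing the parsed table would be cheaper. Both functions cache an `"ok"` result for 86400 s, so a newly added entry does not apply to an already-seen address until that entry expires.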
@@ -1,4 +1,3 @@
|
||||
|
||||
local M = {}
|
||||
local session = require "resty.session"
|
||||
|
||||
|
||||
10
lua/dns.lua
10
lua/dns.lua
@@ -1,15 +1,13 @@
|
||||
local M = {}
|
||||
local resolver = require "resty.dns.resolver"
|
||||
local resolvers = {%DNS_RESOLVERS%}
|
||||
local ip = ngx.var.remote_addr
|
||||
|
||||
function M.get_reverse()
|
||||
function M.get_reverse(resolvers)
|
||||
local r, err = resolver:new{nameservers=resolvers, retrans=2, timeout=2000}
|
||||
if not r then
|
||||
return ""
|
||||
end
|
||||
local rdns = ""
|
||||
local answers, err = r:reverse_query(ip)
|
||||
local answers, err = r:reverse_query(ngx.var.remote_addr)
|
||||
if answers ~= nil and not answers.errcode then
|
||||
for ak, av in ipairs(answers) do
|
||||
if av.ptrdname then
|
||||
@@ -21,7 +19,7 @@ function M.get_reverse()
|
||||
return rdns
|
||||
end
|
||||
|
||||
function M.get_ips(fqdn)
|
||||
function M.get_ips(fqdn, resolvers)
|
||||
local r, err = resolver:new{nameservers=resolvers, retrans=2, timeout=2000}
|
||||
if not r then
|
||||
return ""
|
||||
@@ -39,7 +37,7 @@ function M.get_ips(fqdn)
|
||||
end
|
||||
|
||||
function M.ip_to_arpa()
|
||||
return resolver.arpa_str(ip):gsub("%.in%-addr%.arpa", ""):gsub("%.ip6%.arpa", "")
|
||||
return resolver.arpa_str(ngx.var.remote_addr):gsub("%.in%-addr%.arpa", ""):gsub("%.ip6%.arpa", "")
|
||||
end
|
||||
|
||||
return M
|
||||
|
||||
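Review bot: `get_ips` returns `""` when `resolver:new` fails (for example when the `resolvers` list now supplied by the caller is empty or nil), but every caller in this commit iterates the result with `ipairs`, which raises `bad argument #1 to 'ipairs' (table expected, got string)` and turns a resolver misconfiguration into a Lua error on the request. Returning an empty table instead, `return {}`, keeps the callers' loops well-formed; `get_reverse` returning `""` is fine since its callers compare against `""`. Both functions also build a fresh resolver per call with a 2000 ms timeout and two retries, so a slow resolver can hold a request for several seconds before the result is cached — worth a comment next to the `resolver:new` call. The remainder of `get_ips` is outside the hunk.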
@@ -1,31 +1,29 @@
|
||||
local M = {}
|
||||
local dns = require "dns"
|
||||
local dnsbls = {%DNSBL_LIST%}
|
||||
local ip = ngx.var.remote_addr
|
||||
|
||||
function M.cached_ko ()
|
||||
return ngx.shared.dnsbl_cache:get(ip) == "ko"
|
||||
return ngx.shared.dnsbl_cache:get(ngx.var.remote_addr) == "ko"
|
||||
end
|
||||
|
||||
function M.cached ()
|
||||
return ngx.shared.dnsbl_cache:get(ip) ~= nil
|
||||
return ngx.shared.dnsbl_cache:get(ngx.var.remote_addr) ~= nil
|
||||
end
|
||||
|
||||
function M.check ()
|
||||
function M.check (dnsbls, resolvers)
|
||||
local rip = dns.ip_to_arpa()
|
||||
for k, v in ipairs(dnsbls) do
|
||||
local req = rip .. "." .. v
|
||||
local ips = dns.get_ips(req)
|
||||
local ips = dns.get_ips(req, resolvers)
|
||||
for k2, v2 in ipairs(ips) do
|
||||
local a,b,c,d = v2:match("([%d]+).([%d]+).([%d]+).([%d]+)")
|
||||
if a == "127" then
|
||||
ngx.shared.dnsbl_cache:set(ip, "ko", 86400)
|
||||
ngx.log(ngx.NOTICE, "ip " .. ip .. " is in DNSBL " .. v)
|
||||
ngx.shared.dnsbl_cache:set(ngx.var.remote_addr, "ko", 86400)
|
||||
ngx.log(ngx.NOTICE, "ip " .. ngx.var.remote_addr .. " is in DNSBL " .. v)
|
||||
return true
|
||||
end
|
||||
end
|
||||
end
|
||||
ngx.shared.dnsbl_cache:set(ip, "ok", 86400)
|
||||
ngx.shared.dnsbl_cache:set(ngx.var.remote_addr, "ok", 86400)
|
||||
return false
|
||||
end
|
||||
|
||||
|
||||
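Review bot: `M.check` treats any answer whose first octet is `127` as a listing, but several public DNSBLs use addresses in `127.255.255.0/24` to signal a refused or rate-limited query rather than a listing, so an exhausted query quota would ban every visitor for 86400 s; restricting to the return codes the configured lists actually document (often `127.0.x.x`) is safer. The pattern `"([%d]+).([%d]+).([%d]+).([%d]+)"` leaves the dots unescaped so they match any character; `"(%d+)%.(%d+)%.(%d+)%.(%d+)"` is what was intended. `ipairs(ips)` also assumes `dns.get_ips` returned a table, whereas on resolver failure it returns `""`, which makes `ipairs` raise; wrapping the loop in `if type(ips) == "table" then` keeps a DNS outage from erroring the request.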
@@ -1,42 +1,39 @@
|
||||
local M = {}
|
||||
local dns = require "dns"
|
||||
local iputils = require "resty.iputils"
|
||||
local ip_list = {%WHITELIST_IP_LIST%}
|
||||
local reverse_list = {%WHITELIST_REVERSE_LIST%}
|
||||
local whitelist = iputils.parse_cidrs(ip_list)
|
||||
local ip = ngx.var.remote_addr
|
||||
|
||||
function M.ip_cached_ok ()
|
||||
return ngx.shared.whitelist_ip_cache:get(ip) == "ok"
|
||||
return ngx.shared.whitelist_ip_cache:get(ngx.var.remote_addr) == "ok"
|
||||
end
|
||||
|
||||
function M.reverse_cached_ok ()
|
||||
return ngx.shared.whitelist_reverse_cache:get(ip) == "ok"
|
||||
return ngx.shared.whitelist_reverse_cache:get(ngx.var.remote_addr) == "ok"
|
||||
end
|
||||
|
||||
function M.ip_cached ()
|
||||
return ngx.shared.whitelist_ip_cache:get(ip) ~= nil
|
||||
return ngx.shared.whitelist_ip_cache:get(ngx.var.remote_addr) ~= nil
|
||||
end
|
||||
|
||||
function M.reverse_cached ()
|
||||
return ngx.shared.whitelist_reverse_cache:get(ip) ~= nil
|
||||
return ngx.shared.whitelist_reverse_cache:get(ngx.var.remote_addr) ~= nil
|
||||
end
|
||||
|
||||
function M.check_ip ()
|
||||
function M.check_ip (ip_list)
|
||||
if #ip_list > 0 then
|
||||
if iputils.ip_in_cidrs(ip, whitelist) then
|
||||
ngx.shared.whitelist_ip_cache:set(ip, "ok", 86400)
|
||||
ngx.log(ngx.NOTICE, "ip " .. ip .. " is in whitelist")
|
||||
local whitelist = iputils.parse_cidrs(ip_list)
|
||||
if iputils.ip_in_cidrs(ngx.var.remote_addr, whitelist) then
|
||||
ngx.shared.whitelist_ip_cache:set(ngx.var.remote_addr, "ok", 86400)
|
||||
ngx.log(ngx.NOTICE, "ip " .. ngx.var.remote_addr .. " is in whitelist")
|
||||
return true
|
||||
end
|
||||
end
|
||||
ngx.shared.whitelist_ip_cache:set(ip, "ko", 86400)
|
||||
ngx.shared.whitelist_ip_cache:set(ngx.var.remote_addr, "ko", 86400)
|
||||
return false
|
||||
end
|
||||
|
||||
function M.check_reverse ()
|
||||
function M.check_reverse (reverse_list, resolvers)
|
||||
if #reverse_list > 0 then
|
||||
local rdns = dns.get_reverse()
|
||||
local rdns = dns.get_reverse(resolvers)
|
||||
if rdns ~= "" then
|
||||
local whitelisted = false
|
||||
for k, v in ipairs(reverse_list) do
|
||||
@@ -46,10 +43,10 @@ function M.check_reverse ()
|
||||
end
|
||||
end
|
||||
if whitelisted then
|
||||
local ips = dns.get_ips(rdns)
|
||||
local ips = dns.get_ips(rdns, resolvers)
|
||||
for k, v in ipairs(ips) do
|
||||
if v == ip then
|
||||
ngx.shared.whitelist_reverse_cache:set(ip, "ok", 86400)
|
||||
if v == ngx.var.remote_addr then
|
||||
ngx.shared.whitelist_reverse_cache:set(ngx.var.remote_addr, "ok", 86400)
|
||||
ngx.log(ngx.NOTICE, "reverse " .. rdns .. " is in whitelist")
|
||||
return true
|
||||
end
|
||||
@@ -57,7 +54,7 @@ function M.check_reverse ()
|
||||
end
|
||||
end
|
||||
end
|
||||
ngx.shared.whitelist_reverse_cache:set(ip, "ko", 86400)
|
||||
ngx.shared.whitelist_reverse_cache:set(ngx.var.remote_addr, "ko", 86400)
|
||||
return false
|
||||
end
|
||||
|
||||
|
||||
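Review bot: `check_ip` caches a negative result (`"ko"`) for the peer address for 86400 s, and `lua_shared_dict` contents persist across an `nginx -s reload`, so after an operator adds an address to the whitelist and hits `/reload` that client stays non-whitelisted for up to a day; a shorter TTL for negative entries, or a `flush_all()` on the cache dicts in the reload path, would make config changes observable. In `check_reverse` the forward confirmation `v == ngx.var.remote_addr` is the right check, but `ipairs(ips)` assumes `dns.get_ips` returned a table while it returns `""` on resolver failure; `if type(ips) == "table" then` around the loop avoids a Lua error there. The suffix-match loop over `reverse_list` lies outside the hunk.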