lua - move global vars from lua to site config (untested)

2021-05-18 17:29:00 +02:00 · 2021-05-18 17:29:00 +02:00 · d9bb97be50
commit d9bb97be50
parent 863283d090
15 changed files with 121 additions and 135 deletions
--- a/compile.sh
+++ b/compile.sh
@ -130,9 +130,10 @@ git_secure_clone https://github.com/crowdsecurity/lua-cs-bouncer.git 3c235c813fc
 cd lua-cs-bouncer
 mkdir /usr/local/lib/lua/crowdsec
 cp lib/*.lua /usr/local/lib/lua/crowdsec
-cp template.conf /usr/local/lib/lua/crowdsec/crowdsec.conf
+mkdir /opt/crowdsec
-sed -i 's/^API_URL=.*/API_URL=%CROWDSEC_HOST%/' /usr/local/lib/lua/crowdsec/crowdsec.conf
+cp template.conf /opt/crowdsec/crowdsec.conf
-sed -i 's/^API_KEY=.*/API_KEY=%CROWDSEC_KEY%/' /usr/local/lib/lua/crowdsec/crowdsec.conf
+sed -i 's/^API_URL=.*/API_URL=%CROWDSEC_HOST%/' /opt/crowdsec/crowdsec.conf
 sed -i 's/^API_KEY=.*/API_KEY=%CROWDSEC_KEY%/' /opt/crowdsec/crowdsec.conf
 sed -i 's/require "lrucache"/require "resty.lrucache"/' /usr/local/lib/lua/crowdsec/CrowdSec.lua
 sed -i 's/require "config"/require "crowdsec.config"/' /usr/local/lib/lua/crowdsec/CrowdSec.lua
 cd /tmp
--- a/confs/global/init-lua.conf
+++ b/confs/global/init-lua.conf
@ -31,7 +31,7 @@ end
 if use_crowdsec then
 	local cs = require "crowdsec.CrowdSec"
-	local ok, err = cs.init("/usr/local/lib/lua/crowdsec/crowdsec.conf")
+	local ok, err = cs.init("/etc/nginx/crowdsec.conf")
 	if ok == nil then
 		ngx.log(ngx.ERR, "[CROWDSEC] " .. err)
 		error()
--- a/confs/site/log-lua.conf
+++ b/confs/site/log-lua.conf
@ -1,11 +1,15 @@
 log_by_lua_block {
 -- bad behavior
 local use_bad_behavior		= %USE_BAD_BEHAVIOR%
 local behavior			= require "behavior"
 local bad_behavior_status_codes = {%BAD_BEHAVIOR_STATUS_CODES%}
 local bad_behavior_threshold    = %BAD_BEHAVIOR_THRESHOLD%
 local bad_behavior_count_time   = %BAD_BEHAVIOR_COUNT_TIME%
 local bad_behavior_ban_time     = %BAD_BEHAVIOR_BAN_TIME%
 if use_bad_behavior then
-	behavior.count()	
+	behavior.count(bad_behavior_status_code, bad_behavior_threshold, bad_behavior_count_time, bad_behavior_ban_time)
 end
 }
--- a/confs/site/main-lua.conf
+++ b/confs/site/main-lua.conf
@ -3,23 +3,48 @@ set $session_check_addr on;
 access_by_lua_block {
 -- let's encrypt
 local use_lets_encrypt		= %USE_LETS_ENCRYPT%
-local use_whitelist_ip		= %USE_WHITELIST_IP%
+
-local use_whitelist_reverse	= %USE_WHITELIST_REVERSE%
+-- external blacklists
 local use_user_agents		= %USE_USER_AGENTS%
 local use_proxies		= %USE_PROXIES%
 local use_abusers		= %USE_ABUSERS%
 local use_tor_exit_nodes	= %USE_TOR_EXIT_NODES%
 local use_referrers		= %USE_REFERRERS%
 -- countries
 local use_country		= %USE_COUNTRY%
-local use_blacklist_ip		= %USE_BLACKLIST_IP%
+
-local use_blacklist_reverse	= %USE_BLACKLIST_REVERSE%
+-- crowdsec
 local use_dnsbl			= %USE_DNSBL%
 local use_crowdsec		= %USE_CROWDSEC%
 -- antibot
 local use_antibot_cookie	= %USE_ANTIBOT_COOKIE%
 local use_antibot_javascript	= %USE_ANTIBOT_JAVASCRIPT%
 local use_antibot_captcha	= %USE_ANTIBOT_CAPTCHA%
 local use_antibot_recaptcha	= %USE_ANTIBOT_RECAPTCHA%
 -- resolvers
 local dns_resolvers		= %DNS_RESOLVERS%
 -- whitelist
 local use_whitelist_ip		= %USE_WHITELIST_IP%
 local use_whitelist_reverse	= %USE_WHITELIST_REVERSE%
 local whitelist_ip_list		= %WHITELIST_IP_LIST%
 local whitelist_reverse_list	= %WHITELIST_REVERSE_LIST%
 -- blacklist
 local use_blacklist_ip		= %USE_BLACKLIST_IP%
 local use_blacklist_reverse	= %USE_BLACKLIST_REVERSE%
 local blacklist_ip_list		= %BLACKLIST_IP_LIST%
 local blacklist_reverse_list	= %BLACKLIST_REVERSE_LIST%
 -- dnsbl
 local use_dnsbl			= %USE_DNSBL%
 local dnsbl_list		= %DNSBL_LIST%
 -- bad behavior
 local use_bad_behavior		= %USE_BAD_BEHAVIOR%
 -- include LUA code
@ -61,14 +86,14 @@ end
 -- check if IP is whitelisted (only if not in cache)
 if use_whitelist_ip and not whitelist.ip_cached() then
-	if whitelist.check_ip() then
+	if whitelist.check_ip(whitelist_ip_list) then
 		ngx.exit(ngx.OK)
 	end
 end
 -- check if reverse is whitelisted (only if not in cache)
 if use_whitelist_reverse and not whitelist.reverse_cached() then
-	if whitelist.check_reverse() then
+	if whitelist.check_reverse(whitelist_reverse_list) then
 		ngx.exit(ngx.OK)
 	end
 end
@ -88,14 +113,14 @@ end
 -- check if IP is blacklisted (only if not in cache)
 if use_blacklist_ip and not blacklist.ip_cached() then
-	if blacklist.check_ip() then
+	if blacklist.check_ip(blacklist_ip_list) then
 		ngx.exit(ngx.HTTP_FORBIDDEN)
 	end
 end
 -- check if reverse is blacklisted (only if not in cache)
 if use_blacklist_reverse and not blacklist.reverse_cached() then
-	if blacklist.check_reverse() then
+	if blacklist.check_reverse(blacklist_reverse_list, dns_resolvers) then
 		ngx.exit(ngx.HTTP_FORBIDDEN)
 	end
 end
@ -197,7 +222,7 @@ end
 -- check if IP is in DNSBLs (only if not in cache)
 if use_dnsbl and not dnsbl.cached() then
-	if dnsbl.check() then
+	if dnsbl.check(dnsbl_list, dns_resolvers) then
 		ngx.exit(ngx.HTTP_FORBIDDEN)
 	end
 end
--- a/entrypoint/entrypoint.sh
+++ b/entrypoint/entrypoint.sh
@ -50,10 +50,6 @@ if [ ! -f "/opt/installed" ] ; then
 		exit 1
 	fi
 	# lua config
 	# TODO : move variables from /usr/local/lib/lua + multisite support ?
 	/opt/entrypoint/lua.sh
 	# clamav config
 	/opt/entrypoint/clamav.sh
--- a/entrypoint/global-config.sh
+++ b/entrypoint/global-config.sh
@ -230,6 +230,9 @@ fi
 # CrowdSec setup
 if [ "$(has_value USE_CROWDSEC yes)" != "" ] ; then
 	replace_in_file "/etc/nginx/init-lua.conf" "%USE_CROWDSEC%" "true"
 	cp /opt/crowdsec/crowdsec.conf /etc/nginx
 	replace_in_file "/etc/nginx/crowdsec.conf" "%CROWDSEC_HOST%" "$CROWDSEC_HOST"
 	replace_in_file "/etc/nginx/crowdsec.conf" "%CROWDSEC_KEY%" "$CROWDSEC_KEY"
 else
 	replace_in_file "/etc/nginx/init-lua.conf" "%USE_CROWDSEC%" "false"
 fi
--- a/entrypoint/lua.sh
+++ b/entrypoint/lua.sh
@ -1,47 +0,0 @@
 #!/bin/bash
 # load default values
 . /opt/entrypoint/defaults.sh
 # load some functions
 . /opt/entrypoint/utils.sh
 # copy stub LUA scripts
 cp -r /opt/lua/* /usr/local/lib/lua
 # DNS resolvers
 resolvers=$(spaces_to_lua "$DNS_RESOLVERS")
 replace_in_file "/usr/local/lib/lua/dns.lua" "%DNS_RESOLVERS%" "$resolvers"
 # whitelist IP
 list=$(spaces_to_lua "$WHITELIST_IP_LIST")
 replace_in_file "/usr/local/lib/lua/whitelist.lua" "%WHITELIST_IP_LIST%" "$list"
 # whitelist rDNS
 list=$(spaces_to_lua "$WHITELIST_REVERSE_LIST")
 replace_in_file "/usr/local/lib/lua/whitelist.lua" "%WHITELIST_REVERSE_LIST%" "$list"
 # blacklist IP
 list=$(spaces_to_lua "$BLACKLIST_IP_LIST")
 replace_in_file "/usr/local/lib/lua/blacklist.lua" "%BLACKLIST_IP_LIST%" "$list"
 # blacklist rDNS
 list=$(spaces_to_lua "$BLACKLIST_REVERSE_LIST")
 replace_in_file "/usr/local/lib/lua/blacklist.lua" "%BLACKLIST_REVERSE_LIST%" "$list"
 # DNSBL
 list=$(spaces_to_lua "$DNSBL_LIST")
 replace_in_file "/usr/local/lib/lua/dnsbl.lua" "%DNSBL_LIST%" "$list"
 # bad behavior
 list=$(spaces_to_lua "$BAD_BEHAVIOR_STATUS_CODES")
 replace_in_file "/usr/local/lib/lua/behavior.lua" "%STATUS_CODES%" "$list"
 replace_in_file "/usr/local/lib/lua/behavior.lua" "%THRESHOLD%" "$BAD_BEHAVIOR_THRESHOLD"
 replace_in_file "/usr/local/lib/lua/behavior.lua" "%BAN_TIME%" "$BAD_BEHAVIOR_BAN_TIME"
 replace_in_file "/usr/local/lib/lua/behavior.lua" "%COUNT_TIME%" "$BAD_BEHAVIOR_COUNT_TIME"
 # CrowdSec setup
 if [ "$(has_value USE_CROWDSEC yes)" != "" ] ; then
 	replace_in_file "/usr/local/lib/lua/crowdsec/crowdsec.conf" "%CROWDSEC_HOST%" "$CROWDSEC_HOST"
 	replace_in_file "/usr/local/lib/lua/crowdsec/crowdsec.conf" "%CROWDSEC_KEY%" "$CROWDSEC_KEY"
 fi
--- a/entrypoint/site-config.sh
+++ b/entrypoint/site-config.sh
@ -474,6 +474,8 @@ if [ "$USE_WHITELIST_IP" = "yes" ] ; then
 else
 	replace_in_file "${NGINX_PREFIX}main-lua.conf" "%USE_WHITELIST_IP%" "false"
 fi
 list=$(spaces_to_lua "$WHITELIST_IP_LIST")
 replace_in_file "${NGINX_PREFIX}main-lua.conf" "%WHITELIST_IP_LIST%" "$list"
 # whitelist rDNS
 if [ "$USE_WHITELIST_REVERSE" = "yes" ] ; then
@ -481,6 +483,8 @@ if [ "$USE_WHITELIST_REVERSE" = "yes" ] ; then
 else
 	replace_in_file "${NGINX_PREFIX}main-lua.conf" "%USE_WHITELIST_REVERSE%" "false"
 fi
 list=$(spaces_to_lua "$WHITELIST_REVERSE_LIST")
 replace_in_file "${NGINX_PREFIX}main-lua.conf" "%WHITELIST_REVERSE_LIST%" "$list"
 # blacklist IP
 if [ "$USE_BLACKLIST_IP" = "yes" ] ; then
@ -488,6 +492,8 @@ if [ "$USE_BLACKLIST_IP" = "yes" ] ; then
 else
 	replace_in_file "${NGINX_PREFIX}main-lua.conf" "%USE_BLACKLIST_IP%" "false"
 fi
 list=$(spaces_to_lua "$BLACKLIST_IP_LIST")
 replace_in_file "${NGINX_PREFIX}main-lua.conf" "%BLACKLIST_IP_LIST%" "$list"
 # blacklist rDNS
 if [ "$USE_BLACKLIST_REVERSE" = "yes" ] ; then
@ -495,6 +501,8 @@ if [ "$USE_BLACKLIST_REVERSE" = "yes" ] ; then
 else
 	replace_in_file "${NGINX_PREFIX}main-lua.conf" "%USE_BLACKLIST_REVERSE%" "false"
 fi
 list=$(spaces_to_lua "$BLACKLIST_REVERSE_LIST")
 replace_in_file "${NGINX_PREFIX}main-lua.conf" "%BLACKLIST_REVERSE_LIST%" "$list"
 # DNSBL
 if [ "$USE_DNSBL" = "yes" ] ; then
@ -502,6 +510,8 @@ if [ "$USE_DNSBL" = "yes" ] ; then
 else
 	replace_in_file "${NGINX_PREFIX}main-lua.conf" "%USE_DNSBL%" "false"
 fi
 list=$(spaces_to_lua "$DNSBL_LIST")
 replace_in_file "${NGINX_PREFIX}main-lua.conf" "%DNSBL_LIST%" "$list"
 # antibot uri and session secret
 replace_in_file "${NGINX_PREFIX}main-lua.conf" "%ANTIBOT_URI%" "$ANTIBOT_URI"
@ -570,6 +580,11 @@ else
 	replace_in_file "${NGINX_PREFIX}main-lua.conf" "%USE_BAD_BEHAVIOR%" "false"
 	replace_in_file "${NGINX_PREFIX}log-lua.conf" "%USE_BAD_BEHAVIOR%" "false"
 fi
 list=$(spaces_to_lua "$BAD_BEHAVIOR_STATUS_CODES")
 replace_in_file "${NGINX_PREFIX}log-lua.conf" "%BAD_BEHAVIOR_STATUS_CODES%" "$list"
 replace_in_file "${NGINX_PREFIX}log-lua.conf" "%BAD_BEHAVIOR_THRESHOLD%" "$BAD_BEHAVIOR_THRESHOLD"
 replace_in_file "${NGINX_PREFIX}log-lua.conf" "%BAD_BEHAVIOR_BAN_TIME%" "$BAD_BEHAVIOR_BAN_TIME"
 replace_in_file "${NGINX_PREFIX}log-lua.conf" "%BAD_BEHAVIOR_COUNT_TIME%" "$BAD_BEHAVIOR_COUNT_TIME"
 # request limiting
 if [ "$USE_LIMIT_REQ" = "yes" ] ; then
@ -600,3 +615,7 @@ if [ "$USE_CROWDSEC" = "yes" ] ; then
 else
 	replace_in_file "${NGINX_PREFIX}main-lua.conf" "%USE_CROWDSEC%" "false"
 fi
 # DNS resolvers
 resolvers=$(spaces_to_lua "$DNS_RESOLVERS")
 replace_in_file "${NGINX_PREFIX}main-lua.conf" "%DNS_RESOLVERS%" "$resolvers"
--- a/lua/api.lua
+++ b/lua/api.lua
@ -1,19 +1,19 @@
 local M		= {}
-M.api_list	= {}
+local api_list	= {}
 local iputils	= require "resty.iputils"
-M.api_list["^/ping$"] = function ()
+api_list["^/ping$"] = function ()
 	return true
 end
-M.api_list["^/reload$"] = function ()
+api_list["^/reload$"] = function ()
 	return os.execute("/usr/sbin/nginx -s reload") == 0
 end
 function M.is_api_call (api_uri, api_whitelist_ip)
 	local whitelist = iputils.parse_cidrs(api_whitelist_ip)
 	if iputils.ip_in_cidrs(ngx.var.remote_addr, whitelist) and ngx.var.request_uri:sub(1, #api_uri) .. "/" == api_uri .. "/" then
-		for uri, code in pairs(M.api_list) do
+		for uri, code in pairs(api_list) do
 			if string.match(ngx.var.request_uri:sub(#api_uri + 1), uri) then
 				return true
 			end
@ -23,7 +23,7 @@ function M.is_api_call (api_uri, api_whitelist_ip)
 end
 function M.do_api_call (api_uri)
-	for uri, code in pairs(M.api_list) do
+	for uri, code in pairs(api_list) do
 		if string.match(ngx.var.request_uri:sub(#api_uri + 1), uri) then
 			return code()
 		end
--- a/lua/behavior.lua
+++ b/lua/behavior.lua
@ -1,14 +1,10 @@
 local M	= {}
 local status_codes	= {%STATUS_CODES%}
 local threshold		= %THRESHOLD%
 local count_time	= %COUNT_TIME%
 local ban_time		= %BAN_TIME%
 function M.is_banned ()
 	return ngx.shared.behavior_ban:get(ngx.var.remote_addr) == true
 end
-function M.count ()
+function M.count (status_codes, threshold, count_time, ban_time)
 	for k, v in ipairs(status_codes) do
 		if v == tostring(ngx.status) then
 			local count = ngx.shared.behavior_count:get(ngx.var.remote_addr)
--- a/lua/blacklist.lua
+++ b/lua/blacklist.lua
@ -1,53 +1,50 @@
 local M		= {}
 local dns	= require "dns"
 local iputils	= require "resty.iputils"
 local ip_list 		= {%BLACKLIST_IP_LIST%}
 local blacklist		= iputils.parse_cidrs(ip_list)
 local reverse_list	= {%BLACKLIST_REVERSE_LIST%}
 local ip		= ngx.var.remote_addr
 function M.ip_cached_ko ()
-	return ngx.shared.blacklist_ip_cache:get(ip) == "ko"
+	return ngx.shared.blacklist_ip_cache:get(ngx.var.remote_addr) == "ko"
 end
 function M.reverse_cached_ko ()
-	return ngx.shared.blacklist_reverse_cache:get(ip) == "ko"
+	return ngx.shared.blacklist_reverse_cache:get(ngx.var.remote_addr) == "ko"
 end
 function M.ip_cached ()
-	return ngx.shared.blacklist_ip_cache:get(ip) ~= nil
+	return ngx.shared.blacklist_ip_cache:get(ngx.var.remote_addr) ~= nil
 end
 function M.reverse_cached ()
-	return ngx.shared.blacklist_reverse_cache:get(ip) ~= nil
+	return ngx.shared.blacklist_reverse_cache:get(ngx.var.remote_addr) ~= nil
 end
-function M.check_ip ()
+function M.check_ip (ip_list)
 	if #ip_list > 0 then
-		if iputils.ip_in_cidrs(ip, blacklist) then
+		local blacklist = iputils.parse_cidrs(ip_list)
-			ngx.shared.blacklist_ip_cache:set(ip, "ko", 86400)
+		if iputils.ip_in_cidrs(ngx.var.remote_addr, blacklist) then
-			ngx.log(ngx.NOTICE, "ip " .. ip .. " is in blacklist")
+			ngx.shared.blacklist_ip_cache:set(ngx.var.remote_addr, "ko", 86400)
 			ngx.log(ngx.NOTICE, "ip " .. ngx.var.remote_addr .. " is in blacklist")
 			return true
 		end
 	end
-	ngx.shared.blacklist_ip_cache:set(ip, "ok", 86400)
+	ngx.shared.blacklist_ip_cache:set(ngx.var.remote_addr, "ok", 86400)
 	return false
 end
-function M.check_reverse ()
+function M.check_reverse (reverse_list, resolvers)
 	if #reverse_list > 0 then
-		local rdns = dns.get_reverse()
+		local rdns = dns.get_reverse(resolvers)
 		if rdns ~= "" then
 			for k, v in ipairs(reverse_list) do
 				if rdns:sub(-#v) == v then
-					ngx.shared.blacklist_reverse_cache:set(ip, "ko", 86400)
+					ngx.shared.blacklist_reverse_cache:set(ngx.var.remote_addr, "ko", 86400)
 					ngx.log(ngx.NOTICE, "reverse " .. rdns .. " is in blacklist")
 					return true
 				end
 			end
 		end
 	end
-	ngx.shared.blacklist_reverse_cache:set(ip, "ok", 86400)
+	ngx.shared.blacklist_reverse_cache:set(ngx.var.remote_addr, "ok", 86400)
 	return false
 end
--- a/lua/cookie.lua
+++ b/lua/cookie.lua
@ -1,4 +1,3 @@
 local M         = {}
 local session   = require "resty.session"
--- a/lua/dns.lua
+++ b/lua/dns.lua
@ -1,15 +1,13 @@
 local M		= {}
 local resolver	= require "resty.dns.resolver"
 local resolvers = {%DNS_RESOLVERS%}
 local ip	= ngx.var.remote_addr
-function M.get_reverse()
+function M.get_reverse(resolvers)
 	local r, err = resolver:new{nameservers=resolvers, retrans=2, timeout=2000}
 	if not r then
 		return ""
 	end
 	local rdns = ""
-	local answers, err = r:reverse_query(ip)
+	local answers, err = r:reverse_query(ngx.var.remote_addr)
 	if answers ~= nil and not answers.errcode then
 		for ak, av in ipairs(answers) do
 			if av.ptrdname then
@ -21,7 +19,7 @@ function M.get_reverse()
 	return rdns
 end
-function M.get_ips(fqdn)
+function M.get_ips(fqdn, resolvers)
 	local r, err = resolver:new{nameservers=resolvers, retrans=2, timeout=2000}
 	if not r then
 		return ""
@ -39,7 +37,7 @@ function M.get_ips(fqdn)
 end
 function M.ip_to_arpa()
-	return resolver.arpa_str(ip):gsub("%.in%-addr%.arpa", ""):gsub("%.ip6%.arpa", "")
+	return resolver.arpa_str(ngx.var.remote_addr):gsub("%.in%-addr%.arpa", ""):gsub("%.ip6%.arpa", "")
 end
 return M
--- a/lua/dnsbl.lua
+++ b/lua/dnsbl.lua
@ -1,31 +1,29 @@
 local M		= {}
 local dns	= require "dns"
 local dnsbls	= {%DNSBL_LIST%}
 local ip	= ngx.var.remote_addr
 function M.cached_ko ()
-	return ngx.shared.dnsbl_cache:get(ip) == "ko"
+	return ngx.shared.dnsbl_cache:get(ngx.var.remote_addr) == "ko"
 end
 function M.cached ()
-	return ngx.shared.dnsbl_cache:get(ip) ~= nil
+	return ngx.shared.dnsbl_cache:get(ngx.var.remote_addr) ~= nil
 end
-function M.check ()
+function M.check (dnsbls, resolvers)
 	local rip = dns.ip_to_arpa()
 	for k, v in ipairs(dnsbls) do
 		local req = rip .. "." .. v
-		local ips = dns.get_ips(req)
+		local ips = dns.get_ips(req, resolvers)
 		for k2, v2 in ipairs(ips) do
 			local a,b,c,d = v2:match("([%d]+).([%d]+).([%d]+).([%d]+)")
 			if a == "127" then
-				ngx.shared.dnsbl_cache:set(ip, "ko", 86400)
+				ngx.shared.dnsbl_cache:set(ngx.var.remote_addr, "ko", 86400)
-				ngx.log(ngx.NOTICE, "ip " .. ip .. " is in DNSBL " .. v)
+				ngx.log(ngx.NOTICE, "ip " .. ngx.var.remote_addr .. " is in DNSBL " .. v)
 				return true
 			end
 		end
 	end
-	ngx.shared.dnsbl_cache:set(ip, "ok", 86400)
+	ngx.shared.dnsbl_cache:set(ngx.var.remote_addr, "ok", 86400)
 	return false
 end
--- a/lua/whitelist.lua
+++ b/lua/whitelist.lua
@ -1,42 +1,39 @@
 local M			= {}
 local dns		= require "dns"
 local iputils		= require "resty.iputils"
 local ip_list 		= {%WHITELIST_IP_LIST%}
 local reverse_list	= {%WHITELIST_REVERSE_LIST%}
 local whitelist		= iputils.parse_cidrs(ip_list)
 local ip		= ngx.var.remote_addr
 function M.ip_cached_ok ()
-	return ngx.shared.whitelist_ip_cache:get(ip) == "ok"
+	return ngx.shared.whitelist_ip_cache:get(ngx.var.remote_addr) == "ok"
 end
 function M.reverse_cached_ok ()
-	return ngx.shared.whitelist_reverse_cache:get(ip) == "ok"
+	return ngx.shared.whitelist_reverse_cache:get(ngx.var.remote_addr) == "ok"
 end
 function M.ip_cached ()
-	return ngx.shared.whitelist_ip_cache:get(ip) ~= nil
+	return ngx.shared.whitelist_ip_cache:get(ngx.var.remote_addr) ~= nil
 end
 function M.reverse_cached ()
-	return ngx.shared.whitelist_reverse_cache:get(ip) ~= nil
+	return ngx.shared.whitelist_reverse_cache:get(ngx.var.remote_addr) ~= nil
 end
-function M.check_ip ()
+function M.check_ip (ip_list)
 	if #ip_list > 0 then
-		if iputils.ip_in_cidrs(ip, whitelist) then
+		local whitelist	= iputils.parse_cidrs(ip_list)
-			ngx.shared.whitelist_ip_cache:set(ip, "ok", 86400)
+		if iputils.ip_in_cidrs(ngx.var.remote_addr, whitelist) then
-			ngx.log(ngx.NOTICE, "ip " .. ip .. " is in whitelist")
+			ngx.shared.whitelist_ip_cache:set(ngx.var.remote_addr, "ok", 86400)
 			ngx.log(ngx.NOTICE, "ip " .. ngx.var.remote_addr .. " is in whitelist")
 			return true
 		end
 	end
-	ngx.shared.whitelist_ip_cache:set(ip, "ko", 86400)
+	ngx.shared.whitelist_ip_cache:set(ngx.var.remote_addr, "ko", 86400)
 	return false
 end
-function M.check_reverse ()
+function M.check_reverse (reverse_list, resolvers)
 	if #reverse_list > 0 then
-		local rdns = dns.get_reverse()
+		local rdns = dns.get_reverse(resolvers)
 		if rdns ~= "" then
 			local whitelisted = false
 			for k, v in ipairs(reverse_list) do
@ -46,10 +43,10 @@ function M.check_reverse ()
 				end
 			end
 			if whitelisted then
-				local ips = dns.get_ips(rdns)
+				local ips = dns.get_ips(rdns, resolvers)
 				for k, v in ipairs(ips) do
-					if v == ip then
+					if v == ngx.var.remote_addr then
-						ngx.shared.whitelist_reverse_cache:set(ip, "ok", 86400)
+						ngx.shared.whitelist_reverse_cache:set(ngx.var.remote_addr, "ok", 86400)
 						ngx.log(ngx.NOTICE, "reverse " .. rdns .. " is in whitelist")
 						return true
 					end
@ -57,7 +54,7 @@ function M.check_reverse ()
 			end
 		end
 	end
-	ngx.shared.whitelist_reverse_cache:set(ip, "ko", 86400)
+	ngx.shared.whitelist_reverse_cache:set(ngx.var.remote_addr, "ko", 86400)
 	return false
 end
`@ -1,4 +1,3 @@`

	`local M = {}`	`local M = {}`
	`local session = require "resty.session"`	`local session = require "resty.session"`