remote API - ban IP from distributed DB

confs/site/log-lua.conf

@@ -20,8 +20,9 @@ end
 -- remote API
 local use_remote_api            = {% if USE_REMOTE_API == "yes" %}true{% else %}false{% endif +%}
 local remoteapi			= require "remoteapi"
+local iputils			= require "resty.iputils"
 
-if use_remote_api and ngx.shared.remote_api:get("id") ~= "empty" then
+if use_remote_api and not iputils.ip_in_cidrs(ngx.var.remote_addr, ngx.shared.reserved_ips:get("data")) and ngx.shared.remote_api:get("id") ~= "empty" and ngx.shared.remote_api:get("ping") ~= "ko" then
 	if ngx.status == ngx.HTTP_FORBIDDEN then
 		local reason = "other"
 		if use_bad_behavior and new_bad_behavior_ban then
@@ -34,16 +35,13 @@ if use_remote_api and ngx.shared.remote_api:get("id") ~= "empty" then
 			local remoteapi = require "remoteapi"
 			local logger = require "logger"
 			local res, data = remoteapi.ip(ip, reason)
-			-- TODO : find a way to log ?
---			if res then
---				logger.log(ngx.ERR, "REMOTE API", "Successfully reported ip " .. ngx.var.remote_addr)			
---			else
---				logger.log(ngx.ERR, "REMOTE API", "Error while reporting ip " .. ngx.var.remote_addr .. " : " .. data)
---			end
+			-- TODO : find a way to log
 		end
 		local ok, err = ngx.timer.at(0, report_ip, ngx.var.remote_addr, reason)
 		if not ok then
 			logger.log(ngx.ERR, "REMOTE API", "Error while creating report timer " .. err)
+		else
+			logger.log(ngx.NOTICE, "REMOTE API", "Reporting " .. ngx.var.remote_addr .. "(reason: " .. reason .. ") to the remote API")
 		end
 	end
 end

confs/site/main-lua.conf

@@ -57,6 +57,9 @@ local dnsbl_list		= {% raw %}{{% endraw %}{% if DNSBL_LIST != "" %}{% set elemen
 -- bad behavior
 local use_bad_behavior		= {% if USE_BAD_BEHAVIOR == "yes" %}true{% else %}false{% endif +%}
 
+-- remote API
+local use_remote_api		= {% if USE_REMOTE_API == "yes" %}true{% else %}false{% endif +%}
+
 -- include LUA code
 local whitelist			= require "whitelist"
 local blacklist			= require "blacklist"
@@ -224,6 +227,15 @@ if use_dnsbl and not dnsbl.cached() then
 	end
 end
 
+-- check if IP is in distributed DB
+if use_remote_api then
+	local checker = checker:new("remote-api-db", ngx.shared.remote_api_db, redis_client, "simple")
+	if checker:check(iputils.ip2bin(ngx.var.remote_addr)) then
+		logger.log(ngx.WARN, "REMOTE API", "IP " .. ngx.var.remote_addr .. " is in the distributed DB")
+		ngx.exit(ngx.HTTP_FORBIDDEN)
+	end
+end
+
 -- cookie check
 if use_antibot_cookie and ngx.var.uri ~= "/favicon.ico" then
 	if not cookie.is_set("uri") then