various fixes and lua logging

2020-10-10 15:19:35 +02:00
parent fc3d911ff7
commit f27d80e0d5
11 changed files with 49 additions and 30 deletions
--- a/lua/blacklist.lua
+++ b/lua/blacklist.lua
@@ -1,28 +1,30 @@
+local M			= {}
 local dns		= require "dns"
 local ip_list 		= {%BLACKLIST_IP_LIST%}
 local reverse_list	= {%BLACKLIST_REVERSE_LIST%}
 local ip		= ngx.var.remote_addr

-function ip_cached_ko ()
+function M.ip_cached_ko ()
 	return ngx.shared.blacklist_ip_cache:get(ip) == "ko"
 end

-function reverse_cached_ko ()
+function M.reverse_cached_ko ()
 	return ngx.shared.blacklist_reverse_cache:get(ip) == "ko"
 end

-function ip_cached ()
+function M.ip_cached ()
 	return ngx.shared.blacklist_ip_cache:get(ip) ~= nil
 end

-function reverse_cached ()
+function M.reverse_cached ()
 	return ngx.shared.blacklist_reverse_cache:get(ip) ~= nil
 end

-function check_ip ()
+function M.check_ip ()
 	for k, v in ipairs(ip_list) do
 		if v == ip then
 			ngx.shared.blacklist_ip_cache:set(ip, "ko", 86400)
+			ngx.log(ngx.WARN, "ip " .. ip .. " is in blacklist")
 			return true
 		end
 	end
@@ -30,12 +32,13 @@ function check_ip ()
 	return false
 end

-function check_reverse ()
+function M.check_reverse ()
 	local rdns = dns.get_reverse()
 	if rdns ~= "" then
 		for k, v in ipairs(reverse_list) do
 			if rdns:sub(-#v) == v then
 				ngx.shared.blacklist_reverse_cache:set(ip, "ko", 86400)
+				ngx.log(ngx.WARN, "reverse " .. rdns .. " is in blacklist")
 				return true
 			end
 		end
@@ -43,3 +46,5 @@ function check_reverse ()
 	ngx.shared.blacklist_reverse_cache:set(ip, "ok", 86400)
 	return false
 end
+
+return M
--- a/lua/dns.lua
+++ b/lua/dns.lua
@@ -1,8 +1,9 @@
+local M		= {}
 local resolver	= require "resty.dns.resolver"
 local resolvers	= {%DNS_RESOLVERS%}
 local ip	= ngx.var.remote_addr

-function get_reverse()
+function M.get_reverse()
 	local r, err = resolver:new{nameservers=resolvers, retrans=2, timeout=2000}
 	if not r then
 		return ""
@@ -20,7 +21,7 @@ function get_reverse()
 	return rdns
 end

-function get_ips(fqdn)
+function M.get_ips(fqdn)
 	local r, err = resolver:new{nameservers=resolvers, retrans=2, timeout=2000}
 	if not r then
 		return ""
@@ -35,6 +36,8 @@ function get_ips(fqdn)
 	return ips
 end

-function ip_to_arpa()
+function M.ip_to_arpa()
 	return resolver.arpa_str(ip):gsub("%.in%-addr%.arpa", ""):gsub("%.ip6%.arpa", "")
 end
+
+return M
--- a/lua/dnsbl.lua
+++ b/lua/dnsbl.lua
@@ -1,24 +1,26 @@
+local M		= {}
 local dns	= require "dns"
 local dnsbls	= {%DNSBL_LIST%}
 local ip	= ngx.var.remote_addr

-function cached_ko ()
+function M.cached_ko ()
 	return ngx.shared.dnsbl_cache:get(ip) == "ko"
 end

-function cached ()
+function M.cached ()
 	return ngx.shared.dnsbl_cache:get(ip) ~= nil
 end

-function check ()
+function M.check ()
 	local rip = dns.ip_to_arpa()
 	for k, v in ipairs(dnsbls) do
 		local req = rip .. "." .. v
 		local ips = dns.get_ips(req)
 		for k2, v2 in ipairs(ips) do
-			a,b,c,d = v2:match("([%d]+).([%d]+).([%d]+).([%d]+)")
+			local a,b,c,d = v2:match("([%d]+).([%d]+).([%d]+).([%d]+)")
 			if a == "127" then
 				ngx.shared.dnsbl_cache:set(ip, "ko", 86400)
+				ngx.log(ngx.WARN, "ip " .. ip .. " is in DNSBL " .. v)
 				return true
 			end
 		end
@@ -26,3 +28,5 @@ function check ()
 	ngx.shared.dnsbl_cache:set(ip, "ok", 86400)
 	return false
 end
+
+return M
--- a/lua/whitelist.lua
+++ b/lua/whitelist.lua
@@ -1,28 +1,30 @@
+local M			= {}
 local dns		= require "dns"
 local ip_list 		= {%WHITELIST_IP_LIST%}
 local reverse_list	= {%WHITELIST_REVERSE_LIST%}
 local ip		= ngx.var.remote_addr

-function ip_cached_ok ()
+function M.ip_cached_ok ()
 	return ngx.shared.whitelist_ip_cache:get(ip) == "ok"
 end

-function reverse_cached_ok ()
+function M.reverse_cached_ok ()
 	return ngx.shared.whitelist_reverse_cache:get(ip) == "ok"
 end

-function ip_cached ()
+function M.ip_cached ()
 	return ngx.shared.whitelist_ip_cache:get(ip) ~= nil
 end

-function reverse_cached ()
+function M.reverse_cached ()
 	return ngx.shared.whitelist_reverse_cache:get(ip) ~= nil
 end

-function check_ip ()
+function M.check_ip ()
 	for k, v in ipairs(ip_list) do
 		if v == ip then
 			ngx.shared.whitelist_ip_cache:set(ip, "ok", 86400)
+			ngx.log(ngx.WARN, "ip " .. ip .. " is in whitelist")
 			return true
 		end
 	end
@@ -30,7 +32,7 @@ function check_ip ()
 	return false
 end

-function check_reverse ()
+function M.check_reverse ()
 	local rdns = dns.get_reverse()
 	if rdns ~= "" then
 		local whitelisted = false
@@ -45,6 +47,7 @@ function check_reverse ()
 			for k, v in ipairs(ips) do
 				if v == ip then
 					ngx.shared.whitelist_reverse_cache:set(ip, "ok", 86400)
+					ngx.log(ngx.WARN, "reverse " .. rdns .. " is in whitelist")
 					return true
 				end
 			end
@@ -53,3 +56,5 @@ function check_reverse ()
 	ngx.shared.whitelist_reverse_cache:set(ip, "ko", 86400)
 	return false
 end
+
+return M