2024-02-28 14:34:09 +08:00
|
|
|
local utils = require "utils"
|
|
|
|
local config = require "config"
|
|
|
|
local redis_util = require "redis_util"
|
|
|
|
local action = require "action"
|
2024-03-01 13:53:02 +08:00
|
|
|
local uuid = require"resty.uuid"
|
2024-02-28 14:34:09 +08:00
|
|
|
|
|
|
|
local upper_str = string.upper
|
|
|
|
local tonumber = tonumber
|
2024-03-01 13:53:02 +08:00
|
|
|
local pairs = pairs
|
2024-03-12 20:34:07 +08:00
|
|
|
local type = type
|
|
|
|
local concat_table = table.concat
|
2024-02-28 14:34:09 +08:00
|
|
|
|
2024-03-12 20:34:07 +08:00
|
|
|
local function write_req_log(attack)
|
|
|
|
local wafdb = utils.get_wafdb(config.waf_log_db_path)
|
|
|
|
if not wafdb then
|
|
|
|
ngx.log(ngx.ERR, "get log db failed")
|
|
|
|
return
|
2024-02-28 14:34:09 +08:00
|
|
|
end
|
|
|
|
|
2024-03-01 13:53:02 +08:00
|
|
|
local real_ip = ngx.ctx.ip
|
2024-03-12 20:34:07 +08:00
|
|
|
local ip_location = ngx.ctx.ip_location
|
2024-03-02 22:45:02 +08:00
|
|
|
local country
|
|
|
|
local province
|
|
|
|
local longitude = 0.0
|
|
|
|
local latitude = 0.0
|
|
|
|
local iso = "CN"
|
2024-03-12 20:34:07 +08:00
|
|
|
if ip_location then
|
|
|
|
country = ip_location.country or {
|
2024-03-02 22:45:02 +08:00
|
|
|
["zh"] = "unknown",
|
|
|
|
["en"] = "unknown"
|
|
|
|
}
|
2024-03-12 20:34:07 +08:00
|
|
|
province = ip_location.province or {
|
|
|
|
["zh"] = "",
|
|
|
|
["en"] = ""
|
2024-03-02 22:45:02 +08:00
|
|
|
}
|
2024-03-12 20:34:07 +08:00
|
|
|
longitude = ip_location.longitude
|
|
|
|
latitude = ip_location.latitude
|
|
|
|
iso = ip_location.iso
|
2024-03-01 13:53:02 +08:00
|
|
|
end
|
2024-02-28 14:34:09 +08:00
|
|
|
|
2024-03-12 20:34:07 +08:00
|
|
|
local exec_rule = {}
|
|
|
|
local rule_action = ""
|
|
|
|
local exec_rule_type = ""
|
|
|
|
local match_rule_detail = ""
|
|
|
|
local match_rule_type = ""
|
|
|
|
local is_attack = 0
|
|
|
|
local is_block = 0
|
|
|
|
local blocking_time = 0
|
|
|
|
|
|
|
|
local method = ""
|
|
|
|
local uri = ""
|
|
|
|
local ua = ""
|
|
|
|
local host = ""
|
|
|
|
local protocol = ""
|
|
|
|
local website_key = ""
|
|
|
|
local logs_str = ""
|
|
|
|
|
|
|
|
if attack then
|
|
|
|
exec_rule = ngx.ctx.exec_rule
|
|
|
|
rule_action = exec_rule.action
|
|
|
|
exec_rule_type = exec_rule.type
|
|
|
|
is_attack = 1
|
|
|
|
method = ngx.req.get_method()
|
|
|
|
uri = ngx.var.request_uri
|
|
|
|
ua = ngx.ctx.ua
|
|
|
|
host = ngx.var.server_name
|
|
|
|
protocol = ngx.var.server_protocol or ""
|
|
|
|
website_key = ngx.ctx.website_key
|
|
|
|
|
|
|
|
if exec_rule.match_rule then
|
|
|
|
match_rule_detail = exec_rule.match_rule.rule
|
|
|
|
match_rule_type = exec_rule.match_rule.type
|
|
|
|
end
|
|
|
|
|
|
|
|
if ngx.ctx.ip_blocked then
|
|
|
|
is_block = 1
|
|
|
|
blocking_time = tonumber(exec_rule.ipBlockTime)
|
|
|
|
end
|
|
|
|
|
|
|
|
logs_str = method .. " " .. uri .. " "..protocol.."\n"
|
|
|
|
local headers = ngx.req.get_headers(20000)
|
|
|
|
for k, v in pairs(headers) do
|
|
|
|
local value = ""
|
|
|
|
if v then
|
|
|
|
if type(v) == "table" then
|
|
|
|
value = concat_table(v, ",")
|
|
|
|
else
|
|
|
|
value = v
|
|
|
|
end
|
2024-03-04 16:53:06 +08:00
|
|
|
end
|
2024-03-12 20:34:07 +08:00
|
|
|
logs_str = logs_str .. upper_str(k) .. ": " .. value .. "\n"
|
2024-03-01 13:53:02 +08:00
|
|
|
end
|
2024-02-28 14:34:09 +08:00
|
|
|
end
|
|
|
|
|
2024-03-01 13:53:02 +08:00
|
|
|
local log_id = uuid()
|
2024-02-28 14:34:09 +08:00
|
|
|
local insertQuery = [[
|
2024-03-02 22:45:02 +08:00
|
|
|
INSERT INTO req_logs (
|
2024-03-01 13:53:02 +08:00
|
|
|
id, ip, ip_iso, ip_country_zh, ip_country_en,
|
|
|
|
ip_province_zh, ip_province_en, ip_longitude, ip_latitude,
|
2024-03-12 20:34:07 +08:00
|
|
|
localtime, server_name, website_key, host, method,
|
|
|
|
uri, user_agent, exec_rule, rule_type, match_rule, match_value,
|
2024-03-02 22:45:02 +08:00
|
|
|
nginx_log, blocking_time, action, is_block,is_attack
|
2024-02-28 14:34:09 +08:00
|
|
|
) VALUES (
|
2024-03-01 13:53:02 +08:00
|
|
|
:id, :real_ip, :iso, :country_zh, :country_en,
|
|
|
|
:province_zh, :province_en,:longitude, :latitude,
|
2024-03-12 20:34:07 +08:00
|
|
|
DATETIME('now'), :server_name,:host, :website_key, :method,
|
|
|
|
:uri, :ua, :exec_rule, :rule_type, :match_rule, :match_value,
|
2024-03-02 22:45:02 +08:00
|
|
|
:logs_str, :blocking_time, :action, :is_block, :is_attack
|
2024-02-28 14:34:09 +08:00
|
|
|
)
|
|
|
|
]]
|
|
|
|
|
2024-03-12 20:34:07 +08:00
|
|
|
wafdb:execute([[BEGIN TRANSACTION]])
|
|
|
|
|
2024-02-28 14:34:09 +08:00
|
|
|
local stmt = wafdb:prepare(insertQuery)
|
|
|
|
stmt:bind_names {
|
2024-03-01 13:53:02 +08:00
|
|
|
id = log_id,
|
|
|
|
iso = iso,
|
|
|
|
real_ip = real_ip,
|
|
|
|
country_zh = country["zh"],
|
|
|
|
country_en = country["en"],
|
|
|
|
province_zh = province["zh"],
|
|
|
|
province_en = province["en"],
|
2024-02-28 14:34:09 +08:00
|
|
|
longitude = longitude,
|
|
|
|
latitude = latitude,
|
|
|
|
host = host,
|
2024-03-01 13:53:02 +08:00
|
|
|
server_name = host,
|
2024-02-28 14:34:09 +08:00
|
|
|
website_key = website_key,
|
|
|
|
method = method,
|
|
|
|
uri = uri,
|
|
|
|
ua = ua,
|
2024-03-12 20:34:07 +08:00
|
|
|
exec_rule = exec_rule_type,
|
|
|
|
rule_type = match_rule_type,
|
|
|
|
match_rule = match_rule_detail,
|
2024-03-01 13:53:02 +08:00
|
|
|
match_value = "",
|
|
|
|
logs_str = logs_str,
|
2024-02-28 14:34:09 +08:00
|
|
|
blocking_time = blocking_time or 0,
|
2024-03-12 20:34:07 +08:00
|
|
|
action = rule_action,
|
2024-03-02 22:45:02 +08:00
|
|
|
is_block = is_block,
|
|
|
|
is_attack = is_attack
|
2024-02-28 14:34:09 +08:00
|
|
|
}
|
|
|
|
local code = stmt:step()
|
|
|
|
stmt:finalize()
|
|
|
|
|
2024-03-12 20:34:07 +08:00
|
|
|
local code2 = 101
|
|
|
|
if ngx.ctx.ip_blocked then
|
|
|
|
local insertBlockIp = [[
|
|
|
|
INSERT INTO block_ips (ip, is_block, blocking_time, req_log_id,create_date)
|
|
|
|
VALUES (:ip, :is_block, :blocking_time, :req_log_id, DATETIME('now'))
|
|
|
|
]]
|
|
|
|
stmt = wafdb:prepare(insertBlockIp)
|
|
|
|
stmt:bind_names {
|
|
|
|
ip=real_ip,
|
|
|
|
is_block = is_block,
|
|
|
|
blocking_time = blocking_time or 0,
|
|
|
|
req_log_id = log_id
|
|
|
|
}
|
|
|
|
code2 = stmt:step()
|
|
|
|
stmt:finalize()
|
|
|
|
end
|
|
|
|
|
|
|
|
wafdb:execute([[COMMIT]])
|
|
|
|
|
|
|
|
if code ~= 101 or code2 ~= 101 then
|
|
|
|
local error_msg = wafdb:errmsg()
|
|
|
|
if error_msg then
|
|
|
|
ngx.log(ngx.ERR, "insert attack_log error ", error_msg .. " ")
|
2024-02-28 14:34:09 +08:00
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
end
|
|
|
|
|
|
|
|
local function count_not_found()
|
|
|
|
if ngx.status ~= 404 then
|
|
|
|
return
|
|
|
|
end
|
|
|
|
if config.is_global_state_on("notFoundCount") then
|
|
|
|
local ip = ngx.ctx.ip
|
|
|
|
local not_found_config = config.get_global_config("notFoundCount")
|
|
|
|
local key = ip
|
|
|
|
|
|
|
|
if config.is_redis_on() then
|
|
|
|
key = "cc_attack_count:" .. key
|
|
|
|
local count, _ = redis_util.incr(key, not_found_config.duration)
|
|
|
|
if not count then
|
|
|
|
redis_util.set(key, 1, not_found_config.duration)
|
|
|
|
elseif count >= not_found_config.threshold then
|
|
|
|
action.block_ip(ip, not_found_config)
|
|
|
|
return
|
|
|
|
end
|
|
|
|
else
|
|
|
|
key = ip .. "not_found"
|
|
|
|
local limit = ngx.shared.waf_limit
|
|
|
|
local count, _ = limit:incr(key, 1, 0, not_found_config.duration)
|
|
|
|
if not count then
|
|
|
|
limit:set(key, 1, not_found_config.duration)
|
|
|
|
elseif count >= not_found_config.threshold then
|
|
|
|
action.block_ip(ip, not_found_config)
|
|
|
|
return
|
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
2024-03-12 20:34:07 +08:00
|
|
|
local function count_req_status(is_attack)
|
|
|
|
local wafdb = utils.get_wafdb(config.waf_db_path)
|
|
|
|
if not wafdb then
|
|
|
|
ngx.log(ngx.ERR, "get log db failed")
|
|
|
|
return
|
|
|
|
end
|
|
|
|
|
2024-03-02 22:45:02 +08:00
|
|
|
local today = ngx.today()
|
|
|
|
local status = ngx.status
|
|
|
|
|
|
|
|
local stmt_exist = wafdb:prepare("SELECT COUNT(*) FROM waf_stat WHERE day = ?")
|
|
|
|
stmt_exist:bind_values(today)
|
|
|
|
stmt_exist:step()
|
|
|
|
local count = stmt_exist:get_uvalues()
|
2024-03-12 20:34:07 +08:00
|
|
|
stmt_exist:finalize()
|
|
|
|
|
2024-03-02 22:45:02 +08:00
|
|
|
local req_count_update = 1
|
|
|
|
local count_4xx_update = (status >= 400 and status < 500) and 1 or 0
|
|
|
|
local count_5xx_update = (status >= 500) and 1 or 0
|
|
|
|
local attack_count_update = is_attack and 1 or 0
|
|
|
|
local code = 0
|
|
|
|
|
|
|
|
if count > 0 then
|
|
|
|
local stmt = wafdb:prepare("UPDATE waf_stat SET req_count = req_count + ?, count4xx = count4xx + ?, count5xx = count5xx + ?, attack_count = attack_count + ? WHERE day = ?")
|
|
|
|
stmt:bind_values(req_count_update, count_4xx_update, count_5xx_update, attack_count_update, today)
|
|
|
|
code = stmt:step()
|
|
|
|
stmt:finalize()
|
|
|
|
else
|
|
|
|
local stmt = wafdb:prepare("INSERT INTO waf_stat (day, req_count, count4xx, count5xx, attack_count,create_date) VALUES (?, ?, ?, ?, ?,DATETIME('now'))")
|
|
|
|
stmt:bind_values(today, req_count_update, count_4xx_update, count_5xx_update, attack_count_update)
|
|
|
|
code = stmt:step()
|
|
|
|
stmt:finalize()
|
|
|
|
end
|
|
|
|
|
|
|
|
if code ~= 101 then
|
2024-03-12 20:34:07 +08:00
|
|
|
local error_msg = wafdb:errmsg()
|
|
|
|
if error_msg then
|
|
|
|
ngx.log(ngx.ERR, "update waf_stat error ", error_msg .. " ")
|
2024-03-02 22:45:02 +08:00
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
2024-02-28 14:34:09 +08:00
|
|
|
if config.is_waf_on() then
|
|
|
|
count_not_found()
|
2024-03-02 22:45:02 +08:00
|
|
|
local is_attack = ngx.ctx.is_attack
|
|
|
|
|
2024-03-06 18:16:08 +08:00
|
|
|
if not ngx.ctx.ip then
|
|
|
|
ngx.ctx.ip = utils.get_real_ip()
|
2024-03-12 20:34:07 +08:00
|
|
|
ngx.ctx.ip_location = utils.get_ip_location(ngx.ctx.ip)
|
2024-03-06 18:16:08 +08:00
|
|
|
local ua = utils.get_header("user-agent")
|
|
|
|
if not ua then
|
|
|
|
ua = ""
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
2024-03-12 20:34:07 +08:00
|
|
|
count_req_status(is_attack)
|
|
|
|
write_req_log(is_attack)
|
2024-02-28 14:34:09 +08:00
|
|
|
end
|