🚩 Change the syntax of waf_under_attack.
ADD-SP committed May 9, 2021
1 parent 65c7e36 commit 7554c1e
Showing 10 changed files with 60 additions and 22 deletions.
2 changes: 2 additions & 0 deletions CHANGES-ZH-CN.md
@@ -14,6 +14,8 @@

### 修复

* CC 防护有时会失效。


***

1 change: 1 addition & 0 deletions CHANGES.md
@@ -14,6 +14,7 @@

### Fixed

* CC protection can sometimes not work.

***

1 change: 1 addition & 0 deletions docs/advance/changes.md
@@ -19,6 +19,7 @@ lang: en

### Fixed

* CC protection can sometimes not work.

***

17 changes: 9 additions & 8 deletions docs/advance/priority.md
@@ -12,14 +12,15 @@ The following is a list of all the tests in order of priority, from top to botto
1. IP whitelist inspection
2. IP blacklist inspection
3. CC protection
4. Url whitelist inspection
5. Url blacklist inspection
6. Get parameter blacklist inspection
7. User-Agent blacklist inspection
8. Referer whitelist inspection
9. Referer blacklist inspection
10. Cookie blacklist inspection
11. Post request body blacklist
4. Under attack mode
5. Url whitelist inspection
6. Url blacklist inspection
7. Get parameter blacklist inspection
8. User-Agent blacklist inspection
9. Referer whitelist inspection
10. Referer blacklist inspection
11. Cookie blacklist inspection
12. Post request body blacklist


::: tip Change priority
2 changes: 1 addition & 1 deletion docs/advance/syntax.md
@@ -122,7 +122,7 @@ So please set it reasonably according to your actual needs.

## `waf_under_attack`

* syntax: waf_under_attack \<*on* | *off*\> *uri*
* syntax: waf_under_attack \<*on* | *off*\> \[uri=*str*\]
* default: waf_under_attack off ""
* context: server

1 change: 1 addition & 0 deletions docs/zh-cn/advance/changes.md
@@ -19,6 +19,7 @@ lang: zh-CN

### 修复

* CC 防护有时会失效。

***

2 changes: 1 addition & 1 deletion docs/zh-cn/advance/syntax.md
@@ -119,7 +119,7 @@ waf_mode STD !UA;

## `waf_under_attack`

* 配置语法: waf_under_attack \<*on* | *off*\> *uri*
* 配置语法: waf_under_attack \<*on* | *off*\> \[uri=*str*\]
* 默认配置:waf_under_attack off ""
* 配置段: server

14 changes: 7 additions & 7 deletions inc/ngx_http_waf_module_check.h
@@ -442,7 +442,7 @@ static ngx_int_t ngx_http_waf_handler_check_white_url(ngx_http_request_t* r, ngx

ngx_int_t ret_value = NGX_HTTP_WAF_NOT_MATCHED;

if (NGX_HTTP_WAF_CHECK_FLAG(srv_conf->waf_mode, NGX_HTTP_WAF_MODE_INSPECT_URL) == NGX_HTTP_WAF_FALSE) {
if (NGX_HTTP_WAF_CHECK_FLAG(srv_conf->waf_mode, NGX_HTTP_WAF_MODE_INSPECT_URL | r->method) == NGX_HTTP_WAF_FALSE) {
ngx_log_debug(NGX_LOG_DEBUG_CORE, r->connection->log, 0,
"ngx_waf_debug: Because this detection is disabled in the configuration, no detection is performed.");
ret_value = NGX_HTTP_WAF_NOT_MATCHED;
@@ -482,7 +482,7 @@ static ngx_int_t ngx_http_waf_handler_check_black_url(ngx_http_request_t* r, ngx

ngx_int_t ret_value = NGX_HTTP_WAF_NOT_MATCHED;

if (NGX_HTTP_WAF_CHECK_FLAG(srv_conf->waf_mode, NGX_HTTP_WAF_MODE_INSPECT_URL) == NGX_HTTP_WAF_FALSE) {
if (NGX_HTTP_WAF_CHECK_FLAG(srv_conf->waf_mode, NGX_HTTP_WAF_MODE_INSPECT_URL | r->method) == NGX_HTTP_WAF_FALSE) {
ngx_log_debug(NGX_LOG_DEBUG_CORE, r->connection->log, 0,
"ngx_waf_debug: Because this Inspection is disabled in the configuration, no Inspection is performed.");
ret_value = NGX_HTTP_WAF_NOT_MATCHED;
@@ -522,7 +522,7 @@ static ngx_int_t ngx_http_waf_handler_check_black_args(ngx_http_request_t* r, ng

ngx_int_t ret_value = NGX_HTTP_WAF_NOT_MATCHED;

if (NGX_HTTP_WAF_CHECK_FLAG(srv_conf->waf_mode, NGX_HTTP_WAF_MODE_INSPECT_ARGS) == NGX_HTTP_WAF_FALSE) {
if (NGX_HTTP_WAF_CHECK_FLAG(srv_conf->waf_mode, NGX_HTTP_WAF_MODE_INSPECT_ARGS | r->method) == NGX_HTTP_WAF_FALSE) {
ngx_log_debug(NGX_LOG_DEBUG_CORE, r->connection->log, 0,
"ngx_waf_debug: Because this Inspection is disabled in the configuration, no Inspection is performed.");
ret_value = NGX_HTTP_WAF_NOT_MATCHED;
@@ -592,7 +592,7 @@ static ngx_int_t ngx_http_waf_handler_check_black_user_agent(ngx_http_request_t*

ngx_int_t ret_value = NGX_HTTP_WAF_NOT_MATCHED;

if (NGX_HTTP_WAF_CHECK_FLAG(srv_conf->waf_mode, NGX_HTTP_WAF_MODE_INSPECT_UA) == NGX_HTTP_WAF_FALSE) {
if (NGX_HTTP_WAF_CHECK_FLAG(srv_conf->waf_mode, NGX_HTTP_WAF_MODE_INSPECT_UA | r->method) == NGX_HTTP_WAF_FALSE) {
ngx_log_debug(NGX_LOG_DEBUG_CORE, r->connection->log, 0,
"ngx_waf_debug: Because this Inspection is disabled in the configuration, no Inspection is performed.");
ret_value = NGX_HTTP_WAF_NOT_MATCHED;
@@ -636,7 +636,7 @@ static ngx_int_t ngx_http_waf_handler_check_white_referer(ngx_http_request_t* r,

ngx_int_t ret_value = NGX_HTTP_WAF_NOT_MATCHED;

if (NGX_HTTP_WAF_CHECK_FLAG(srv_conf->waf_mode, NGX_HTTP_WAF_MODE_INSPECT_REFERER) == NGX_HTTP_WAF_FALSE) {
if (NGX_HTTP_WAF_CHECK_FLAG(srv_conf->waf_mode, NGX_HTTP_WAF_MODE_INSPECT_REFERER | r->method) == NGX_HTTP_WAF_FALSE) {
ngx_log_debug(NGX_LOG_DEBUG_CORE, r->connection->log, 0,
"ngx_waf_debug: Because this Inspection is disabled in the configuration, no Inspection is performed.");
ret_value = NGX_HTTP_WAF_NOT_MATCHED;
@@ -681,7 +681,7 @@ static ngx_int_t ngx_http_waf_handler_check_black_referer(ngx_http_request_t* r,

ngx_int_t ret_value = NGX_HTTP_WAF_NOT_MATCHED;

if (NGX_HTTP_WAF_CHECK_FLAG(srv_conf->waf_mode, NGX_HTTP_WAF_MODE_INSPECT_REFERER) == NGX_HTTP_WAF_FALSE) {
if (NGX_HTTP_WAF_CHECK_FLAG(srv_conf->waf_mode, NGX_HTTP_WAF_MODE_INSPECT_REFERER | r->method) == NGX_HTTP_WAF_FALSE) {
ngx_log_debug(NGX_LOG_DEBUG_CORE, r->connection->log, 0,
"ngx_waf_debug: Because this Inspection is disabled in the configuration, no Inspection is performed.");
ret_value = NGX_HTTP_WAF_NOT_MATCHED;
@@ -726,7 +726,7 @@ static ngx_int_t ngx_http_waf_handler_check_black_cookie(ngx_http_request_t* r,

ngx_int_t ret_value = NGX_HTTP_WAF_NOT_MATCHED;

if (NGX_HTTP_WAF_CHECK_FLAG(srv_conf->waf_mode, NGX_HTTP_WAF_MODE_INSPECT_COOKIE) == NGX_HTTP_WAF_FALSE) {
if (NGX_HTTP_WAF_CHECK_FLAG(srv_conf->waf_mode, NGX_HTTP_WAF_MODE_INSPECT_COOKIE | r->method) == NGX_HTTP_WAF_FALSE) {
ngx_log_debug(NGX_LOG_DEBUG_CORE, r->connection->log, 0,
"ngx_waf_debug: Because this Inspection is disabled in the configuration, no Inspection is performed.");
ret_value = NGX_HTTP_WAF_NOT_MATCHED;
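Review bot: The combined mask `NGX_HTTP_WAF_MODE_INSPECT_URL | r->method` in ngx_http_waf_handler_check_white_url only requires both bits if NGX_HTTP_WAF_CHECK_FLAG tests `(mode & flag) == flag`; the macro is not visible on this page, and if it tests for any overlapping bit instead, an inspection whose mode bit is off would still run whenever the method bit is set. The same pattern is repeated in check_black_url, check_black_args, check_black_user_agent, check_white_referer, check_black_referer and check_black_cookie. It also relies on the method bits stored in waf_mode having the same values as nginx's r->method constants, which deserves a comment at the macro, e.g. `/* true only when every bit of flag is set in origin */`. The debug message still says the inspection is disabled in the configuration, although the skip can now also be caused by the request method. All seven functions start and end outside their hunks.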
39 changes: 36 additions & 3 deletions inc/ngx_http_waf_module_config.h
@@ -731,15 +731,48 @@ static char* ngx_http_waf_under_attack_conf(ngx_conf_t* cf, ngx_command_t* cmd,
ngx_http_waf_srv_conf_t* srv_conf = conf;
ngx_str_t* p_str = cf->args->elts;

srv_conf->waf_under_attack = NGX_CONF_UNSET;

if (ngx_strncmp(p_str[1].data, "on", ngx_min(p_str[1].len, 2)) == 0) {
srv_conf->waf_under_attack = 1;
}

srv_conf->waf_under_attack_uri.data = ngx_pnalloc(srv_conf->ngx_pool, sizeof(u_char) * (p_str[2].len + 1));
ngx_memcpy(srv_conf->waf_under_attack_uri.data, p_str[2].data, sizeof(u_char) * p_str[2].len);
srv_conf->waf_under_attack_uri.len = p_str[2].len;
for (size_t i = 2; i < cf->args->nelts; i++) {
UT_array* array = NULL;
if (ngx_str_split(p_str + i, '=', 256, &array) != NGX_HTTP_WAF_SUCCESS) {
goto error;
}

if (utarray_len(array) != 2) {
goto error;
}

ngx_str_t* p = NULL;
p = (ngx_str_t*)utarray_next(array, p);

if (ngx_strcmp("uri", p->data) == 0) {
p = (ngx_str_t*)utarray_next(array, p);
if (p == NULL || p->data == NULL || p->len == 0) {
goto error;
}
srv_conf->waf_under_attack_uri.data = ngx_palloc(srv_conf->ngx_pool, sizeof(u_char) * (p->len + 1));
ngx_memzero(srv_conf->waf_under_attack_uri.data, sizeof(u_char) * (p->len + 1));
ngx_memcpy(srv_conf->waf_under_attack_uri.data, p->data, sizeof(u_char) * p->len);
srv_conf->waf_under_attack_uri.len = p->len;

} else {
goto error;
}

utarray_free(array);
}

return NGX_CONF_OK;

error:
ngx_conf_log_error(NGX_LOG_EMERG, cf, NGX_EINVAL,
"ngx_waf: invalid value");
return NGX_CONF_ERROR;
}


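Review bot: Every `goto error` taken after ngx_str_split succeeds in ngx_http_waf_under_attack_conf skips `utarray_free(array)`, and the result of `ngx_palloc` is passed to `ngx_memzero` without a NULL check. The key test `ngx_strcmp("uri", p->data)` also depends on ngx_str_split NUL-terminating each piece, which this page does not show; comparing the length and using ngx_strncmp avoids that assumption. Separately, the first argument is still matched with `ngx_strncmp(p_str[1].data, "on", ngx_min(p_str[1].len, 2))`, so a value such as `o` or `only` enables the mode and anything else, including a typo, silently leaves it unset; an exact match on `on`/`off` with an error otherwise would be safer for a protection switch. A URI that itself contains `=` would presumably split into more than two parts and be rejected with the generic "invalid value" message, so the error text should name the offending argument. The function's signature is outside the hunk; the loop below is a suggested rewrite.

```c
/* … unchanged: srv_conf / p_str setup and on/off handling … */

for (size_t i = 2; i < cf->args->nelts; i++) {
    UT_array* array = NULL;
    if (ngx_str_split(p_str + i, '=', 256, &array) != NGX_HTTP_WAF_SUCCESS) {
        goto error;
    }

    ngx_str_t* key = NULL;
    ngx_str_t* value = NULL;
    if (utarray_len(array) == 2) {
        key = (ngx_str_t*)utarray_next(array, NULL);
        value = (ngx_str_t*)utarray_next(array, key);
    }

    /* Length-checked comparison: does not rely on NUL termination. */
    if (key == NULL || value == NULL
        || key->len != 3 || ngx_strncmp(key->data, "uri", 3) != 0
        || value->data == NULL || value->len == 0) {
        utarray_free(array);
        goto error;
    }

    u_char* uri = ngx_pcalloc(srv_conf->ngx_pool, value->len + 1);
    if (uri == NULL) {
        utarray_free(array);
        return NGX_CONF_ERROR;
    }
    ngx_memcpy(uri, value->data, value->len);
    srv_conf->waf_under_attack_uri.data = uri;
    srv_conf->waf_under_attack_uri.len = value->len;

    utarray_free(array);
}

/* … unchanged: return NGX_CONF_OK and the error label … */
```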
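--- a/src/ngx_http_waf_module_core.c
+++ b/src/ngx_http_waf_module_core.c
@@ -336,8 +336,7 @@ static ngx_int_t check_all(ngx_http_request_t* r, ngx_int_t is_check_cc) {
 if (r->internal != 0
 || srv_conf->waf == 0
 || srv_conf->waf == NGX_CONF_UNSET
-|| ctx->read_body_done == NGX_HTTP_WAF_TRUE
-|| NGX_HTTP_WAF_CHECK_FLAG(srv_conf->waf_mode, r->method) == NGX_HTTP_WAF_FALSE) {
+|| ctx->read_body_done == NGX_HTTP_WAF_TRUE) {
 http_status = NGX_DECLINED;
 }
 else {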
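Review bot: Dropping the `NGX_HTTP_WAF_CHECK_FLAG(srv_conf->waf_mode, r->method)` term from the early-exit condition in check_all means every check that did not gain its own `| r->method` test in this commit now runs for all request methods. Going by docs/advance/priority.md that covers the IP lists, CC protection and under-attack mode, which looks intended, but also the POST request body blacklist, whose handler is not among the changed hunks; confirm it has its own method gate. A comment above the condition would record the new contract, e.g. `/* method filtering is done per check; IP lists, CC and under-attack apply to every method */`. check_all starts and ends outside this hunk.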
