Download and install openresty
Download the configuration from https://github.com/unixhot/waf
Notes
When using the open-source waf lua scripts from unixhot, these are the places that need to be modified.
Modify nginx.conf
Add the following to the http block, replacing {path} with your own path
lua_shared_dict limit 50m;
lua_package_path "{path}/openresty-1.19.9.1-win64/lualib/?.lua;{path}/openresty-1.19.9.1-win64/conf/waf/?.lua;";
init_by_lua_file "{path}/openresty-1.19.9.1-win64/conf/waf/init.lua";
access_by_lua_file "{path}/conf/waf/access.lua"; # check that this resolves to the same conf/waf directory as init.lua above
Modify waf/config.lua
config_rule_dir = "{path}/openresty-1.19.9.1-win64/conf/waf/rule-config"
Note the on/off switch for each kind of defense
--enable/disable white url
config_white_url_check = "on"
--enable/disable white ip
config_white_ip_check = "on"
--enable/disable block ip
config_black_ip_check = "on"
--enable/disable url filtering
config_url_check = "on"
--enable/disable url args filtering
config_url_args_check = "on"
--enable/disable user agent filtering
config_user_agent_check = "on"
--enable/disable cookie deny filtering
config_cookie_check = "on"
--enable/disable cc filtering
config_cc_check = "on"
--cc rate: at most N requests per M seconds, written as "N/M"
config_cc_rate = "20/60"
--enable/disable post filtering
config_post_check = "on"
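To show what config_cc_rate = "20/60" means in practice, here is an added Python model of the cc check (not the project's Lua code): a stand-in for the ngx.shared.DICT declared by lua_shared_dict limit, with the counter keyed on client IP plus URI and the window set as a TTL on the first hit (both are assumptions of this model), so the 21st request in a 60-second window is the one that gets blocked.

```python
import time


def parse_cc_rate(rate):
    """Parse a config_cc_rate value such as "20/60" into (max_requests, window_seconds)."""
    count, seconds = rate.split("/")
    return int(count), int(seconds)


class SharedDict:
    """Tiny stand-in for an ngx.shared.DICT: get/set with a TTL and incr on an
    existing key. The clock is injectable so the window can be simulated
    without sleeping."""

    def __init__(self, clock=time.time):
        self._store = {}   # key -> (value, expires_at or None)
        self._clock = clock

    def get(self, key):
        item = self._store.get(key)
        if item is None:
            return None
        value, expires_at = item
        if expires_at is not None and self._clock() >= expires_at:
            del self._store[key]   # window elapsed: the counter is gone
            return None
        return value

    def set(self, key, value, ttl=None):
        expires_at = self._clock() + ttl if ttl else None
        self._store[key] = (value, expires_at)

    def incr(self, key, step):
        value = self.get(key)
        if value is None:
            return None        # no such key (or it expired)
        self._store[key] = (value + step, self._store[key][1])
        return value + step


def cc_check(shared, client_ip, uri, rate):
    """Return True when this request exceeds the cc rate and should get a 403.
    Assumed key scheme: client IP plus URI, so the limit is per IP and per path."""
    max_requests, window = parse_cc_rate(rate)
    token = client_ip + uri
    count = shared.incr(token, 1)
    if count is None:            # first request in this window starts the TTL
        shared.set(token, 1, window)
        return False
    return count > max_requests
```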
What happens after a block
--config waf output redirect/html
config_waf_output = "html"
-- if config_waf_output is set to redirect, config_waf_redirect_url must also be configured
--config_waf_redirect_url = "https://www.unixhot.com"
config_output_html=[[
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta http-equiv="Content-Language" content="zh-cn" />
<title>WAF</title>
</head>
<body>
<h1 align="center"> 访问过于频繁,请稍后重试</h1>
</body>
</html>
]]
Looking at the lua code, blacklist and cc hits simply return 403; if you need different behaviour you can change it yourself.
Test configuration
http {
    include mime.types;
    default_type application/octet-stream;
    sendfile on;
    keepalive_timeout 65;
    gzip on;
    lua_shared_dict limit 50m;
    lua_package_path "{path}/openresty-1.19.9.1-win64/lualib/?.lua;{path}/openresty-1.19.9.1-win64/conf/waf/?.lua;";
    init_by_lua_file "{path}/openresty-1.19.9.1-win64/conf/waf/init.lua";
    access_by_lua_file "{path}/conf/waf/access.lua";
    server {
        listen 80;
        server_name localhost;
        location / {
            lua_code_cache off; # do not turn this off in production; leave the cache on so lua scripts stay cached in memory
            default_type text/html;
            content_by_lua_block {
                ngx.say("HelloWorld")
            }
        }
    }
}
This post is just a record of the pitfalls I hit; thanks to unixhot for open-sourcing the project, github: https://github.com/unixhot/waf