local t1k = require("resty.t1k")
local t1k_constants = require("resty.t1k.constants")

local ngx = ngx
local fmt = string.format
local getenv = os.getenv

-- JSON body sent to a blocked client. The first placeholder receives the
-- detector's status code and the second its event id.
local blocked_message = '{"code": %s, "success":false, '
    .. '"message": "blocked by Chaitin SafeLine Web Application Firewall", "event_id": "%s"}'

local _M = {}

-- Detector settings, read from the process environment once at module load.
-- os.getenv returns a string, or nil when the variable is unset.
-- NOTE(review): nginx removes inherited environment variables from its
-- worker processes unless each one is named in an `env` directive. Without
-- that, every value below reads as nil and SAFELINE_HOST is treated as
-- missing. Confirm the deployment's nginx.conf.
local mode = getenv("SAFELINE_MODE")
local host = getenv("SAFELINE_HOST")
local port = getenv("SAFELINE_PORT")
local connect_timeout = getenv("SAFELINE_CONNECT_TIMEOUT")
local send_timeout = getenv("SAFELINE_SEND_TIMEOUT")
local read_timeout = getenv("SAFELINE_READ_TIMEOUT")
local req_body_size = getenv("SAFELINE_REQ_BODY_SIZE")
local keepalive_size = getenv("SAFELINE_KEEPALIVE_SIZE")
local keepalive_timeout = getenv("SAFELINE_KEEPALIVE_TIMEOUT")
local remote_addr = getenv("SAFELINE_REMOTE_ADDR")
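--- Build the option table passed to `t1k.do_access`.
-- Values come from the SAFELINE_* environment variables captured at module
-- load. Unset variables fall back to the defaults written below.
--
-- `os.getenv` only returns strings, so the numeric settings are converted
-- with `tonumber`. This gives the detector client the same type whether a
-- value came from the environment or from a default. A value that does not
-- parse as a number falls back to its default instead of being passed on as
-- an arbitrary string.
-- @treturn table detector options (mode, host, port, timeouts, sizes, remote_addr)
local function get_conf()
    -- Numeric setting: parsed environment value, else the default.
    local function num(raw, default)
        return tonumber(raw) or default
    end

    return {
        mode = mode or "block",
        -- host and port are passed through unchanged. rewrite() refuses to
        -- call the detector when host is nil.
        host = host,
        port = port,
        connect_timeout = num(connect_timeout, 1000),
        send_timeout = num(send_timeout, 1000),
        read_timeout = num(read_timeout, 1000),
        req_body_size = num(req_body_size, 1024),
        keepalive_size = num(keepalive_size, 256),
        keepalive_timeout = num(keepalive_timeout, 60000),
        remote_addr = remote_addr,
    }
end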
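--- Rewrite-phase hook: submit the current request to the SafeLine detector
-- and answer with a JSON block response when the verdict is "blocked".
--
-- NOTE(review): both early returns below fail open. When SAFELINE_HOST is
-- missing or the detector call fails, the request continues uninspected and
-- the only trace is an error-log line. Alert on those log lines, or make the
-- failure policy an explicit setting if uninspected traffic is not
-- acceptable.
function _M.rewrite()
    local conf = get_conf()
    if not conf.host then
        -- Fail open: no detector address, so nothing is inspected.
        ngx.log(ngx.ERR, "safeline host is required")
        return
    end

    -- NOTE(review): the second argument is passed as false. Presumably this
    -- tells the library not to send the response itself; confirm against
    -- resty.t1k.
    local ok, err, result = t1k.do_access(conf, false)
    if not ok then
        -- Fail open: detector unreachable or errored, so the request passes.
        ngx.log(ngx.ERR, "failed to detector req: ", err)
        return
    end

    if not result or result.action ~= t1k_constants.ACTION_BLOCKED then
        return
    end

    -- A block verdict must still be enforced when the reported status is not
    -- a decimal number, so fall back to 403. The original assigned the raw
    -- tonumber() result, which is nil for a malformed status.
    local status = tonumber(result.status, 10) or ngx.HTTP_FORBIDDEN

    -- NOTE(review): event_id is interpolated into the JSON text without
    -- escaping. This relies on the detector returning a plain identifier.
    local msg = fmt(blocked_message, status, result.event_id)
    ngx.log(ngx.ERR, "blocked by safeline waf: ", msg)

    ngx.status = status
    -- Declare the body as JSON so clients do not interpret it under the
    -- server's default content type.
    ngx.header["Content-Type"] = "application/json"
    ngx.say(msg)
    -- The status was already set through ngx.status. ngx.exit(ngx.HTTP_OK)
    -- only ends request processing here.
    return ngx.exit(ngx.HTTP_OK)
end

return _M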