Commit 6e1c43c4 authored by bunkerity's avatar bunkerity

basic antibot feature through cookie

parent 652d8ac9
......@@ -3,7 +3,7 @@
NTASK=$(nproc)
# install build dependencies
apk add --no-cache --virtual build autoconf libtool automake git geoip-dev yajl-dev g++ curl-dev libxml2-dev pcre-dev make linux-headers libmaxminddb-dev
apk add --no-cache --virtual build autoconf libtool automake git geoip-dev yajl-dev g++ curl-dev libxml2-dev pcre-dev make linux-headers libmaxminddb-dev musl-dev lua-dev
# compile and install ModSecurity library
cd /tmp
......@@ -45,6 +45,24 @@ git clone https://github.com/openresty/lua-resty-dns.git
cd lua-resty-dns
make install
cd /tmp
git clone https://github.com/bungle/lua-resty-session.git
cd lua-resty-session
cp -r lib/resty/* /usr/local/lib/lua/resty
cd /tmp
git clone https://github.com/bungle/lua-resty-random.git
cd lua-resty-random
make install
cd /tmp
git clone https://github.com/openresty/lua-resty-string.git
cd lua-resty-string
make install
cd /tmp
git clone https://github.com/openresty/lua-cjson.git
cd lua-cjson
make -j $NTASK
make install
make install-extra
cd /tmp
git clone https://github.com/openresty/lua-nginx-module.git
export LUAJIT_LIB=/usr/local/lib
export LUAJIT_INC=/usr/local/include/luajit-2.1
......
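Review bot: The four added `git clone` lines (lua-resty-session, lua-resty-random, lua-resty-string, lua-cjson) build whatever is on each repository's default branch at image build time, with no tag or commit pinned. The image is therefore not reproducible, and any upstream change, including a compromised repository, lands directly in the request-filtering path. Pin each clone to a reviewed ref, for example `git clone --depth 1 --branch <REVIEWED_TAG> https://github.com/bungle/lua-resty-session.git`, and compare `git rev-parse HEAD` against a recorded hash before `make install` or `cp -r`. The clones visible as context in this section follow the same unpinned pattern and would benefit from the same treatment.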
......@@ -5,11 +5,16 @@ local use_whitelist_reverse = %USE_WHITELIST_REVERSE%
local use_blacklist_ip = %USE_BLACKLIST_IP%
local use_blacklist_reverse = %USE_BLACKLIST_REVERSE%
local use_dnsbl = %USE_DNSBL%
local use_antibot_cookie = %USE_ANTIBOT_COOKIE%
-- include LUA code
local whitelist = require "whitelist"
local blacklist = require "blacklist"
local dnsbl = require "dnsbl"
local cookie = require "cookie"
-- antibot
local antibot_uri = "%ANTIBOT_URI%"
-- check if already in whitelist cache
if use_whitelist_ip and whitelist.ip_cached_ok() then
......@@ -67,6 +72,21 @@ if use_dnsbl and not dnsbl.cached() then
end
end
-- cookie check
if use_antibot_cookie then
if not cookie.is_set() then
if ngx.var.uri ~= antibot_uri then
cookie.set()
return ngx.redirect(antibot_uri)
end
return ngx.exit(ngx.HTTP_FORBIDDEN)
else
if ngx.var.uri == antibot_uri then
return ngx.redirect(cookie.get_uri())
end
end
end
ngx.exit(ngx.OK)
}
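Review bot: In the `else` branch, `ngx.redirect(cookie.get_uri())` sends the client to whatever `cookie.set()` stored from `ngx.var.request_uri`, and that value is never checked to be a same-site path. A stored value beginning with `//` or `/\` would be emitted as a scheme-relative `Location`, which browsers resolve to another host, so the challenge URI could act as an open redirect. Redirect only when the value starts with a single `/`: `local target = cookie.get_uri()` followed by `if type(target) ~= "string" or not target:find("^/[^/\\]") then target = "/" end` and then `return ngx.redirect(target)`. The enclosing access block starts outside this hunk.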
......@@ -153,6 +153,8 @@ SELF_SIGNED_SSL_CITY="${SELF_SIGNED_SSL_CITY-Bern}"
SELF_SIGNED_SSL_ORG="${SELF_SIGNED_SSL_ORG-AcmeInc}"
SELF_SIGNED_SSL_OU="${SELF_SIGNED_SSL_OU-IT}"
SELF_SIGNED_SSL_CN="${SELF_SIGNED_SSL_CN-bunkerity-nginx}"
ANTIBOT_URI="${ANTIBOT_URI-/challenge}"
USE_ANTIBOT_COOKIE="${USE_ANTIBOT_COOKIE-yes}"
# install additional modules if needed
if [ "$ADDITIONAL_MODULES" != "" ] ; then
......@@ -493,6 +495,16 @@ fi
list=$(spaces_to_lua "$DNSBL_LIST")
replace_in_file "/usr/local/lib/lua/dnsbl.lua" "%DNSBL_LIST%" "$list"
# antibot uri
replace_in_file "/etc/nginx/main-lua.conf" "%ANTIBOT_URI%" "$ANTIBOT_URI"
# antibot via cookie
if [ "$USE_ANTIBOT_COOKIE" = "yes" ] ; then
replace_in_file "/etc/nginx/main-lua.conf" "%USE_ANTIBOT_COOKIE%" "true"
else
replace_in_file "/etc/nginx/main-lua.conf" "%USE_ANTIBOT_COOKIE%" "false"
fi
if [ "$USE_LIMIT_REQ" = "yes" ] ; then
replace_in_file "/etc/nginx/nginx.conf" "%LIMIT_REQ_ZONE%" "limit_req_zone \$binary_remote_addr zone=limit:${LIMIT_REQ_CACHE} rate=${LIMIT_REQ_RATE};"
replace_in_file "/etc/nginx/server.conf" "%LIMIT_REQ%" "include /etc/nginx/limit-req.conf;"
......
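Review bot: `ANTIBOT_URI` is substituted verbatim into the Lua string literal `local antibot_uri = "%ANTIBOT_URI%"` in main-lua.conf, and nothing in this hunk validates it first. A value containing `"`, a backslash or a newline would break or alter the generated Lua, and a value without a leading `/` can never equal `ngx.var.uri`, so the challenge branch would never match. Check it before the `replace_in_file` call, e.g. `case "$ANTIBOT_URI" in /*) ;; *) echo "ANTIBOT_URI must start with /" >&2; exit 1 ;; esac`, and restrict it to URI path characters. Separately, `USE_ANTIBOT_COOKIE` defaults to `yes`, so existing deployments will start redirecting or rejecting cookie-less clients such as health checks and API consumers after upgrading; a default of `no` would be the safer rollout.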
local M = {}
local session = require "resty.session"
function M.is_set ()
local s = session.open()
if s and s.data.uri then
return true
end
return false
end
function M.set ()
local s = session.start()
s.data.uri = ngx.var.request_uri
s:save()
end
function M.get_uri ()
return session.open().data.uri
end
return M
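Review bot: Nothing in this file or in the visible main-lua.conf hunk configures the session secret, so the challenge cookie's integrity rests entirely on lua-resty-session defaults. As I understand the library, the default secret is generated randomly at startup and is not shared between workers, which would make a cookie issued by one worker fail to open on another and invalidate every cookie on reload; this should be confirmed against the version being cloned. If so, set `$session_secret` explicitly from a value generated at container start rather than a constant baked into the image. The module would also benefit from a header comment stating that `is_set` is true only when an opened session carries `data.uri`, and that `get_uri` must only be called after `is_set` returned true, since it indexes `session.open().data` without a nil check.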