public/nginx_lua_waf
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

first commit

Browse Source
This commit is contained in:
admin
2026-05-06 17:36:25 +08:00
commit c9c2fa8185
6 changed files with 707 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

88
config/common_config.lua Normal file
View File

@@ -0,0 +1,88 @@
-- 公共配置文件
-- 集中管理所有模块的通用配置
local _M = {}
-- ============================================
-- IP速率限制配置
-- ============================================
_M.rate_limit = {
-- 是否启用
enabled = true,
-- 共享内存字典名称需在nginx.conf中定义
shared_dict = "ip_rate_limit",
-- 时间窗口(秒):统计多长时间内的请求
time_window = 60,
-- 最大请求次数:时间窗口内允许的最大请求数
max_requests = 100,
-- 处置策略allow / rate_limit / block
action = "rate_limit",
-- HTTP状态码根据action自动设置也可手动指定
status_code = nil,
-- 拒绝访问时的响应消息
message = nil
}
-- ============================================
-- User-Agent限制配置
-- ============================================
_M.ua_limit = {
-- 是否启用
enabled = false,
-- 处置策略allow / rate_limit / block
action = "block",
-- HTTP状态码
status_code = 403,
-- 拒绝访问时的响应消息
message = "Access denied",
-- 黑名单User-Agent列表匹配到的UA会被阻止
blacklist = {
-- "BadBot",
-- "Scraper",
-- "Spider"
},
-- 白名单User-Agent列表匹配到的UA总是放行
whitelist = {
-- "Googlebot",
-- "Bingbot"
}
}
-- ============================================
-- 域名配置IP速率限制模块使用
-- ============================================
_M.domains = {
-- 在此添加需要启用限流的域名
-- 留空表示对所有域名生效
-- 示例:
-- "example.com",
-- "api.example.com",
}
-- ============================================
-- 日志配置(所有模块共用)
-- ============================================
_M.log_config = {
-- 是否启用日志
enabled = true,
-- 日志级别DEBUG, INFO, WARN, ERROR
log_level = "INFO",
log_path = "/usr/local/openresty/nginx/logs/waf.log",
log_request_details = true,
log_allowed = true
}
return _M

117
config/rate_limit_config.lua Normal file
View File

@@ -0,0 +1,117 @@
-- IP速率限制统一配置模块
-- 从公共配置加载,提供便捷的访问接口
local _M = {}
local common_config = require "config.common_config"
-- 处置策略枚举
_M.ACTION_ALLOW = "allow" -- 放行
_M.ACTION_RATE_LIMIT = "rate_limit" -- 限制速率返回429
_M.ACTION_BLOCK = "block" -- 封禁返回403
-- ============================================
-- 预设配置模板(可选使用)
-- ============================================
_M.presets = {
-- 宽松模式:放行
allow_all = {
time_window = 60,
max_requests = 10000,
action = _M.ACTION_ALLOW
},
-- 标准模式:限制速率
standard = {
time_window = 60,
max_requests = 100,
action = _M.ACTION_RATE_LIMIT
},
-- 严格模式:封禁
strict = {
time_window = 60,
max_requests = 50,
action = _M.ACTION_BLOCK
},
-- API接口保护
api_protection = {
time_window = 60,
max_requests = 30,
action = _M.ACTION_RATE_LIMIT,
status_code = 429,
message = "API rate limit exceeded"
},
-- 登录防暴力破解
login_protection = {
time_window = 300,
max_requests = 10,
action = _M.ACTION_BLOCK,
message = "Too many login attempts"
}
}
-- ============================================
-- 配置管理函数
-- ============================================
-- 获取配置(从公共配置读取)
function _M.get_config()
return common_config.rate_limit
end
-- 更新配置
function _M.update_config(new_config)
local cfg = common_config.rate_limit
for k, v in pairs(new_config) do
cfg[k] = v
end
-- 如果没有手动指定状态码根据action自动设置
if not new_config.status_code then
if cfg.action == _M.ACTION_RATE_LIMIT then
cfg.status_code = 429
elseif cfg.action == _M.ACTION_BLOCK then
cfg.status_code = 403
else
cfg.status_code = 200
end
end
-- 如果没有手动指定消息根据action自动设置
if not new_config.message then
if cfg.action == _M.ACTION_RATE_LIMIT then
cfg.message = "Rate limit exceeded. Please try again later."
elseif cfg.action == _M.ACTION_BLOCK then
cfg.message = "Access denied."
else
cfg.message = ""
end
end
end
-- 应用预设配置
function _M.apply_preset(preset_name)
local preset = _M.presets[preset_name]
if preset then
_M.update_config(preset)
return true
end
return false
end
-- 快速配置函数
-- @param time_window: 时间窗口(秒)
-- @param max_requests: 最大请求次数
-- @param action: 处置策略allow/rate_limit/block
function _M.configure(time_window, max_requests, action)
_M.update_config({
time_window = time_window,
max_requests = max_requests,
action = action
})
end
return _M