1 Star 1 Fork 0

Miracle Qi / openwaf_access_rule

Create your Gitee Account
Explore and code with more than 12 million developers,Free private repositories !:)
Sign up
This repository doesn't specify license. Please pay attention to the specific project description and its upstream code dependency when using it.
Clone or Download
contribute
Sync branch
Cancel
Notice: Creating folder will generate an empty file .keep, because not support in Git
Loading...
README

Name

access_rule 是 openwaf 项目的接入规则模块

通过分析请求的域名和路径等信息,将请求转发至指定的后端服务器

Table of Contents

Synopsis

#nginx.conf

upstream server_1 {
    server 0.0.0.1; #just an invalid address as a place holder
    balancer_by_lua_file twaf_balancer.lua;
}

server {
    listen 443 ssl;
    server_name _;
    
    set $twaf_https 1;
    set $twaf_upstream_server "";
    
    ssl_certificate nginx.crt;
    ssl_certificate_key nginx.key;
    ssl_certificate_by_lua_file twaf_ssl_cert.lua;
    
    location / {
        proxy_pass $twaf_upstream_server;
    }
}

server {
    listen 80;
    server_name _;
    
    set $twaf_upstream_server "";
    
    location / {
        proxy_pass $twaf_upstream_server;
    }
}

#Configuration
{
    "twaf_access_rule": [
        "rules": [
            {
                "ngx_ssl": true,
                "ngx_ssl_cert": "ngx_a.crt",
                "ngx_ssl_key": "ngx_a.key",
                "host": "test_a.com", 
                "path": "/", 
                "server_ssl": false,
                "forward": "server_1", 
                "forward_addr": "1.1.1.1",
                "forward_port": "8080",
                "uuid": "access_567b067ff2060",
                "policy": "policy_1"
            },
            {   
                "host": "test_c.com", 
                "path": "/", 
                "server_ssl": true,
                "forward": "server_1", 
                "forward_addr": "1.1.1.3",
                "uuid": "access_567b067ff2062",
                "policy": "policy_default"
            }
        ]
    }
}

Back to TOC

TODO

  • proxy ssl 客户端认证
  • proxy 支持域名

Back to TOC

Modules Configuration Directives

{
    "twaf_access_rule": [
        "rules": [                                 -- 注意先后顺序
            {                                      
                "ngx_ssl": false,                  -- nginx 认证的开关
                "ngx_ssl_cert": "path",            -- nginx 认证所需 PEM 证书地址
                "ngx_ssl_key": "path",             -- nginx 认证所需 PEM 私钥地址
                "host": "^1\\.1\\.1\\.1$",         -- 域名,正则匹配
                "path": "\/",                      -- 路径,正则匹配
                "port": 80,                        -- 端口,默认 80
                "server_ssl": false,               -- 后端服务器 ssl 开关
                "forward": "server_5",             -- 后端服务器 upstream 名称
                "forward_addr": "1.1.1.2",         -- 后端服务器 ip 地址
                "forward_port": "8080",            -- 后端服务器端口号(缺省80)
                "uuid": "access_567b067ff2060",    -- 用来标记此规则的 uuid
                "policy": "policy_uuid"            -- 安全策略 ID
            }
        ]
    }
}

rules

syntax: "rules": table

default: none

context: twaf_access_rule

table 类型,接入规则,顺序匹配

ngx_ssl

syntax: "ngx_ssl": true|false

default: false

context: twaf_access_rule

boolean 类型,服务器端(nginx)认证开关,与 client_ssl 组成双向认证,默认关闭

ngx_ssl_cert

syntax: "ngx_ssl_cert": "path"

default: none

context: twaf_access_rule

string 类型,服务器端(nginx)认证所需 PEM 证书地址,目前仅支持绝对地址

ngx_ssl_key

syntax: "ngx_ssl_key": "path"

default: none

context: twaf_access_rule

string 类型,服务器端(nginx)认证所需 PEM 私钥地址,目前仅支持绝对地址

host

syntax: "host": "ip|domain name regex"

default: none

context: twaf_access_rule

string 类型,域名,正则匹配

例如:

    "host": "^1\\.1\\.1\\.1$"
    "host": "test\\.com"
    "host": "^.*\\.com$"
    "host": "www.baidu.com"

path

syntax: "path": "regex"

default: none

context: twaf_access_rule

string 类型,路径,正则匹配

例如:

    "path": "/"
    "path": "/images"
    "path": "/[a|b]test"

port

syntax: "port": number

default: 80

context: twaf_access_rule

number 类型,端口,对应 nginx 中 listen 的端口,默认 80

server_ssl

syntax: "server_ssl": true|false

default: false

context: twaf_access_rule

boolean 类型,OpenWAF 向后端服务器连接的 ssl 开关

例如:

    upstream test {
    	server 1.1.1.1;
    }
    
    http {
    	server {
    	    listen 80;
    	    server_name _;
    	    
    	    location / {
    	        # server_ssl 为 true,相当于 proxy_pass 后为 https
    	    	proxy_pass https://test;
    	        # server_ssl 为 false,相当于 proxy_pass 后为 http
    	    	# proxy_pass http://test;
    	    }
    	}
    }

forward

syntax: "forward": "upstream_uuid"

default: none

context: twaf_access_rule

string 类型,forward 表示后端服务器的 uuid,即 upstream 的名称

    #如:forward 值为 test
    upstream test {
        server 1.1.1.1;
    }

forward_addr

syntax: "forward_addr": "ip"

default: none

context: twaf_access_rule

string 类型,forward_addr 表示后端服务器的 ip 地址(TODO:支持域名)

    upstream test {
        #如:forward_addr 值为 1.1.1.1
    	server 1.1.1.1;
    }

forward_port

syntax: "forward_port": port

default: 80

context: twaf_access_rule

number 类型,forward_port 表示后端服务器端口号,默认 80

    upstream test {
    	#如:forward_port 值为 50001
    	server 1.1.1.1:50001;
    }

uuid

syntax: "uuid": "string"

default: none

context: twaf_access_rule

string 类型,接入规则的唯一标识

policy

syntax: "policy": "policy_uuid"

default: none

context: twaf_access_rule

string 类型,满足此接入规则的请求,所使用安全策略的 uuid

Back to TOC

Nginx Variables

$twaf_https

syntax: set $twaf_https 0|1

default: 0

context: server

用于标记请求是否通过 ssl 加密

"set $twaf_https 1",则表示请求通过ssl加密

"set $twaf_https 1",则表示请求未通过ssl加密

server {
    listen 443 ssl;
    set $twaf_https 1;
    ...
}

server {
    listen 80;
    set $twaf_https 0;
    ...
}

$twaf_upstream_server

syntax: set $twaf_upstream_server ""

default: none

context: server

用于指定后端服务器地址,只需初始化为空字符串即可,其值由 "server_ssl" 和 "forward" 确定

upstream server_1 {
    ...
}

upstream server_2 {
    ...
}

server {
    ...
    
    set $twaf_upstream_server "";
    location / {
        ...
        proxy_pass $twaf_upstream_server;
    }
}

若 "server_ssl" 值为 true, "forward" 值为 "server_1"
等价于proxy_pass https://server_1;

若 "server_ssl" 值为 false, "forward" 值为 "server_2"
等价于 proxy_pass http://server_2;

Back to TOC

Empty file

About

Cancel

Releases

No release

Contributors

All

Activities

Load More
can not load any more
Lua
1
https://gitee.com/miracleqi/openwaf_access_rule.git
git@gitee.com:miracleqi/openwaf_access_rule.git
miracleqi
openwaf_access_rule
openwaf_access_rule
master

Search

53164aa7 5694891 3bd8fe86 5694891