-
Notifications
You must be signed in to change notification settings - Fork 2.5k
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Signed-off-by: Ling Samuel (WSL) <lingsamuelgrace@gmail.com>
- Loading branch information
1 parent
869e0e5
commit f328133
Showing
4 changed files
with
297 additions
and
26 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,60 @@ | ||
local _M = {} | ||
|
||
function _M.pass(sock) | ||
sock:send({ string.char(65), string.char(1), string.char(0), string.char(0), string.char(0) }) | ||
sock:send(".") | ||
sock:send({ string.char(165), string.char(77), string.char(0), string.char(0), string.char(0) }) | ||
sock:send("{\"event_id\":\"1e902e84bf5a4ead8f7760a0fe2c7719\",\"request_hit_whitelist\":false}") | ||
end | ||
|
||
-- 返回值会被分为如下的形式 | ||
|
||
-- 长度为 5 bytes 的 packet | ||
-- 紧跟一段 body | ||
|
||
-- 其中: | ||
-- 第一个 packet 的 第一个 byte 需要 & 0x40 == 0x40 | ||
-- 最后一个 packet 的 第一个 byte 需要 & 0x80 == 0x80 | ||
|
||
-- tag 为 packet 的第一个 byte & !0x40 & !0x80 | ||
|
||
function _M.ip(sock) | ||
sock:send("HTTP/1.1 200\r\nserver:nginx\r\ncontent-type: application/json\r\ncontent-length: 27\r\n\r\n{\"origin\":\"122.231.76.178\"}") | ||
end | ||
|
||
|
||
function _M.reject(sock) | ||
sock:send({ string.char(65), string.char(1), string.char(0), string.char(0), string.char(0) }) | ||
sock:send("?") | ||
sock:send({ string.char(2), string.char(3), string.char(0), string.char(0), string.char(0) }) | ||
sock:send("403") | ||
sock:send({ string.char(37), string.char(77), string.char(0), string.char(0), string.char(0) }) | ||
sock:send("{\"event_id\":\"b3c6ce574dc24f09a01f634a39dca83b\",\"request_hit_whitelist\":false}") | ||
sock:send({ string.char(35), string.char(79), string.char(0), string.char(0), string.char(0) }) | ||
sock:send("Set-Cookie:sl-session=ulgbPfMSuWRNsi/u7Aj9aA==; Domain=; Path=/; Max-Age=86400\n") | ||
sock:send({ string.char(164), string.char(51), string.char(0), string.char(0), string.char(0) }) | ||
sock:send("<!-- event_id: b3c6ce574dc24f09a01f634a39dca83b -->") | ||
end | ||
|
||
function _M.go() | ||
local action = "pass" | ||
|
||
local timeout = ngx.var.arg_timeout | ||
if timeout then | ||
ngx.sleep(tonumber(timeout)) | ||
end | ||
|
||
--ngx.log(ngx.ERR, action .. ": waf recv request body size: ", ngx.var.http_content_length) | ||
|
||
ngx.flush(true) | ||
local sock, err = ngx.req.socket(true) | ||
if not sock then | ||
core.log.error("failed to get the request socket: ", err) | ||
return | ||
end | ||
|
||
_M[action](sock) | ||
ngx.exit(200) | ||
end | ||
|
||
return _M |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,178 @@ | ||
use t::APISIX 'no_plan'; | ||
|
||
repeat_each(1); | ||
no_long_string(); | ||
no_root_location(); | ||
|
||
add_block_preprocessor(sub { | ||
my ($block) = @_; | ||
|
||
my $stream_default_server = <<_EOC_; | ||
listen 8088; | ||
listen 8089; | ||
content_by_lua_block { | ||
require("apisix.chaitin_waf_server").go() | ||
} | ||
_EOC_ | ||
|
||
$block->set_value("stream_server_config", $stream_default_server); | ||
|
||
# setup default conf.yaml | ||
my $extra_yaml_config = $block->extra_yaml_config // <<_EOC_; | ||
apisix: | ||
stream_proxy: # TCP/UDP L4 proxy | ||
only: true # Enable L4 proxy only without L7 proxy. | ||
tcp: | ||
- addr: 9100 # Set the TCP proxy listening ports. | ||
tls: true | ||
- addr: "127.0.0.1:9101" | ||
udp: # Set the UDP proxy listening ports. | ||
- 9200 | ||
- "127.0.0.1:9201" | ||
plugins: | ||
- chaitin-waf | ||
_EOC_ | ||
|
||
$block->set_value("extra_yaml_config", $extra_yaml_config); | ||
|
||
if (!$block->request) { | ||
# use /do instead of /t because stream server will inject a default /t location | ||
$block->set_value("request", "GET /do"); | ||
} | ||
|
||
if ((!defined $block->error_log) && (!defined $block->no_error_log)) { | ||
$block->set_value("no_error_log", "[error]"); | ||
} | ||
}); | ||
|
||
run_tests; | ||
|
||
__DATA__ | ||
=== TEST 1: wrong schema: nodes empty | ||
--- config | ||
location /do { | ||
content_by_lua_block { | ||
local t = require("lib.test_admin").test | ||
local code, body = t('/apisix/admin/plugin_metadata/chaitin-waf', | ||
ngx.HTTP_PUT, | ||
[[{ | ||
"nodes": [] | ||
} | ||
]] | ||
) | ||
if code >= 300 then | ||
ngx.status = code | ||
end | ||
ngx.print(body) | ||
} | ||
} | ||
--- error_code: 400 | ||
--- response_body | ||
{"error_msg":"invalid configuration: property \"nodes\" validation failed: expect array to have at least 1 items"} | ||
=== TEST 2: wrong schema: nodes misses host | ||
--- config | ||
location /do { | ||
content_by_lua_block { | ||
local t = require("lib.test_admin").test | ||
local code, body = t('/apisix/admin/plugin_metadata/chaitin-waf', | ||
ngx.HTTP_PUT, | ||
[[{ | ||
"nodes": [ | ||
{} | ||
] | ||
} | ||
]] | ||
) | ||
if code >= 300 then | ||
ngx.status = code | ||
end | ||
ngx.print(body) | ||
} | ||
} | ||
--- error_code: 400 | ||
--- response_body | ||
{"error_msg":"invalid configuration: property \"nodes\" validation failed: failed to validate item 1: property \"host\" is required"} | ||
=== TEST 4: sanity | ||
--- config | ||
location /do { | ||
content_by_lua_block { | ||
local t = require("lib.test_admin").test | ||
local code, body = t('/apisix/admin/plugin_metadata/chaitin-waf', | ||
ngx.HTTP_PUT, | ||
[[{ | ||
"nodes": [ | ||
{ | ||
"host": "127.0.0.1", | ||
"port": 8088 | ||
}, | ||
{ | ||
"host": "127.0.0.1", | ||
"port": 8089 | ||
} | ||
] | ||
}]] | ||
) | ||
if code >= 300 then | ||
ngx.status = code | ||
return ngx.print(body) | ||
end | ||
local code, body = t('/apisix/admin/routes/1', | ||
ngx.HTTP_PUT, | ||
[[{ | ||
"methods": ["GET"], | ||
"plugins": { | ||
"chaitin-waf": { | ||
"upstream": { | ||
"servers": ["httpbun.org"] | ||
} | ||
} | ||
}, | ||
"upstream": { | ||
"nodes": { | ||
"127.0.0.1:1980": 1 | ||
}, | ||
"type": "roundrobin" | ||
}, | ||
"uri": "/*" | ||
}]] | ||
) | ||
if code >= 300 then | ||
ngx.status = code | ||
end | ||
ngx.say(body) | ||
} | ||
} | ||
--- response_body | ||
passed | ||
=== test 5: pass | ||
--- request | ||
GET /hello | ||
--- error_code: 200 | ||
--- response_body | ||
hello world | ||
--- error_log | ||
--- response_headers | ||
X-APISIX-CHAITIN-WAF: yes | ||
X-APISIX-CHAITIN-WAF-STATUS: 200 | ||
X-APISIX-CHAITIN-WAF-ACTION: pass | ||
--- response_headers_like | ||
X-APISIX-CHAITIN-WAF-TIME: | ||