lua waf,nginx+lua,openresty,luajit,waf+,cdn,nginx
title: OpenStar() tags: OpenResty,OpenStar,waf+,waf,nginx lua grammar_cjkRuby: true
{OpenStar}(WAF+)OpenResty 1.11.0 ngx.var.request_id ** ~**
WIKI,
( https://github.com/cloudflare/lua-aho-corasick )
("aho") --
"host":[[
"^www.baidu",
".*.baidu.com$"
],
"aho"
]
("") ("in") ("list") ("dict") ("jio|jo|***")
("start_list") --
("ustart_list")
("end_list") --
("uend_list")
("in_list") --
("uin_list") --in_list()
json list
("len") [Min,Max] Min, Max
EG
"host":[[
"www.baidu.",
"img.baidu."
],
"start_list"
]
"referer":[[0,150],"len"] --- referer 0~150
https://www.kancloud.cn/openstar/install/1136671
["baidu","in"],["baidu","in",true];nilfalse,next
["post_form",["(;|-|/)","jio",["*",2],false]]
["www.test.com",""]
["www.test.com","="]
network_Mod: "network":{"maxReqs":30,"pTime":10,"blackTime":600,"guid":"cookie_userguid"}
ngx.var[%guid%]ngx.varcookieuserguidip
app_ext | network conf_json/host_json/101.200.122.200.json
listdict EG
"method":[
{
"POST":true,
"GET":true
},
"dict" --- list
]
"ips": [[
"101.254.241.149",
"106.37.236.170"],
"list" --- table
]
json......
redis, redis
urluriargsquery_stringapp_ModOR
urlset-cookiecookie
referer_Modactionallow
/js/cssnext
CSRFnext
CSRFbypass,
action
IPphpmyadmin
argsapiurl
2-4OpenStarredis
OpenStar[]API
luajson
ccwafmodsecurityloveshell
+set cookieurljs
CCDCDNIPHTTPipOpenStarurl[referer_Mod url_Mod allow]
0 IFTTTrefererbaidu cookieabc useragentspider(deny allow log refile rehtml relua*)
1
ngxupstreamhttps://github.com/starjun/dynamic_upstream-by-balancer hostIPDICTIPbalancerupstreamIPhttps
2(Master/Slave)
openstarapiredisredisdictredisapidictredisredis...
3ngx
geoipSQL()api
CC
CC
aurl([][cpu]url[])
burl(url[CPU]ajaxurl[])
c(APIWEBserviceSDK)
d(php dos)
ababcsdk
js
/urlopenstarurlgetargsjsurlcc=1ldldj
,
jsjs
jsjsjsjsjs
IPCC CC
http://123.57.220.116/fgjs2.html (ECS)
https://github.com/Valve/fingerprintjs2
/:
jsjs
PS
http://www.cc.com?cc=@{"api":"http://1.1.1.1/cc/api","key":"iodjdjkdldskl"}@
http://www.cc.com?cc=@{"api":"tcp://1.1.1.1:908","key":"iodjdjkdldskl"}@
http://www.cc.com?cc=@{"api":"local","key":"1:2345:44"}@
/@apikey
iset cookie,web
iiargsvalueweb
iiiPOSTvalueweb
OpenStarOpenRestyWAFWAF app_Mod or , doc/demo.md
OpenStarWAF*WAF......***** apiWEB1.0WEB2.090%+ WAF header,args,post,
WEB1.0 1.0IIS6WEBSQL
WEB2.0 XSSCSRF2.0
WEB3.0 3.0
``
CCwebCPU/IO/****
`` CC
1URLCPUIO
2URLajax
3APIWEBservice
4webPHP-dos
CCajaxjs/
ip
CDNIPHTTPIP
IPHTTPX-FOR-F
PS: 4
TAGSET COOKIEURLJS urlJS302CCurlset cookieCC****OpenStar JSflashJSflashjsflash
1
JSurlargs ie !-[1,]
JSJS
2 urlargstoken
3 PHP5.3http
1url
jsflash
2urlajax
urljsurljsurl
+iphttphttpip
tokentoken
jsagentJSJSjs
CCJSJSCC
+OpenStarjsOpenStarflash
~
wget
git clone
bash
OpenStarORngxngx.log
bash
3,nil
false
hostname["*",""]
= ["*","",false]
==>
hostname[".*\\.game\\.com","jio"]
==>hostngx.re.find($host,12)
hostname[["127.0.0.1","127.0.0.1:8080"],"list"]
==>1 host
hostname[{"127.0.0.1":true,"127.0.0.1:5460":true},"dict"]
==> hosttruehost
uri["/admin","in"]
==>uri/adminuristring.find($uri,1,1,true)
ip[["127.0.0.1/32","113.45.199.0/24"],"cidr"]
==>ipip/ip
args["*","",["args_name","all"],false]
args["*","",["args_name","end"]]
= ["*","",["args_name","end"],false]
args["*","",["args_name",1]]
3argstablekey32args[args_name]table(all)(end),()
==>GETargsargs_name,412
table
abase.jsonconfig_dict,host_dict,ip_dict
0realIpFrom_Mod ==> IPHTTP
1ip_Mod ==> ip/log
2host_method_Mod ==> hostmethod
3rewrite_Mod ==> set-cookie
4host_Mod ==> hosturi,referer,useragent
5app_Mod ==>
6referer_Mod ==> referer/log
7uri_Mod ==> uri/log
8header_Mod ==> header
9useragent_Mod ==> useragent/log
10cookie_Mod ==> cookie/log
11args_Mod ==> args[query_string]/log
12post_Mod ==> post[post]/log
13network_Mod ==>
14replace_Mod ==> app_Modrehtmlrefile2action
{"101.200.122.200:5460": {"ips": ["*",""],"realipset": "x-for-f"}}
id.game.com,ipsipipx-for-fipsips*ip
{"ip":"111.206.199.61","action":"allow"}
{"ip":"www.game.com-111.206.199.1","action":"deny"}
ip111.206.199.61http action[allowdeny]denyhostip/host
{"state":"on","method":[["GET","POST"],"list"],"hostname":[["id.game.com","127.0.0.1"],"list"]}
hostid.game.com127.0.0.1methodGETPOST state methodmethod21(list)(dict) hostnamehost
"method": [["GET","POST"],"list"]
==> methodGETPOST
"method": ["^(get|post)$","jio"]
==> method
"hostname": ["*",""]
==>host
{
"state": "on",
"action": ["set-cookie"],
"set_cookie":["asjldisdafpopliu8909jk34jk","token_name"],
"hostname": ["101.200.122.200",""],
"uri": ["^/rewrite$","jio"]
}
host101.200.122.200,url302/307cookietokenactionip+md5
hostconf_json/host_json/host host.state[on log off],logoff
{
"state":"on",
"action":["deny"],
"hostname":["127.0.0.1",""],
"uri":["^/([\\w]{4}\\.html|deny1\\.do|\\.html)$","jio"]
}
host127.0.0.1url
state action
1deny ==>
2allow ==>
3log ==>
4rehtml ==>
5refile ==>
6relua ==> luadofile
7relua_str ==> lua
hostnamehost
uriuri
hostname uri 21
demo
{"state":"on","uri":["\\.(gif|jpg|png|jpeg|bmp|ico)$","jio"],"hostname":["127.0.0.1",""],"referer":["*",""],"action":"allow"}
host127.0.0.1urirefererOpenStaraccess_by_lua_file nginxlocationactionallow
refererCSRF
state uriuri hostnamehost refererreferer action
referer
{"state":"on","hostname":["*",""],"uri":["\\.(css|js|flv|swf|zip|txt)$","jio"],"action":"allow"}
hosturi state hostnamehost uriuri action[allowdenylog]
uri.svn
{"state":"on","uri":["*",""],"hostname":["*",""],"header":["Acunetix_Aspect","*",""]}
hosturiheaderAcunetix_Aspectwvs state uriuri hostnamehost headerheader
{"state":"off","action":"deny","useragent":["HTTrack|harvest|audit|dirbuster|pangolin|nmap|sqln|-scan|hydra|Parser|libwww|BBBike|sqlmap|w3af|owasp|Nikto|fimap|havij|PycURL|zmeu|BabyKrokodil|netsparker|httperf|bench","jio"],"hostname":[["127.0.0.1:8080","127.0.0.1"],"list"]}
host127.0.0.1 127.0.0.1:8080 useragenthost"hostname":["*",""]
state
hostnamehost
useragentagent
action
{"state":"on","cookie":["\\.\\./","jio"],"hostname":["*",""],"action":"deny"}
hostcookies state cookiecookie hostnamehost action[denyallow]
actionactionaction
{"state":"on","hostname":["*",""],"args_data":["\\:\\$","jio"],"action":"deny"}
hostquery_string state hostnamehost query_stringargs action
{"state":"on","hostname":["*",""],"posts_data":["\\$\\{","jio"],"action":"deny"}
host,post_str state hostnamehost post_strpost action
{"state":"on","network":{"maxReqs":20,"pTime":10,"blackTime":600},"hostname":["id.game.com",""],"uri":["^/2.html$","jio"]}
hostid.game.com,url1020IPIP1060*10 state hostnamehost uriuri networkmaxReqs ==> pTime ==> blacktime ==> ip
ccurl
{"state":"on","uri":["^/$","jio"],"hostname":["passport.game.com",""],"replace_list":[["","","FUCK"],["","","POSS"],["lzcaptcha\\?key='\\s*\\+ key","jio","lzcaptcha?keY='+key+'&keytoken=@token@'"]]}
hostpassport.game.com,url
1"""FUCK"
2"""POSS"
3ngx.re.gsub
@token@
state
hostnamehost
uriuri
replace_list1 ==> 2 ==> 2""3 ==>
docapi.md
OpenStar
uname -a :
Linux dpicsvr01 4.2.0-30-generic #36-Ubuntu SMP Fri Feb 26 00:58:07 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
cat /proc/meminfo | grep MemTotal
MemTotal: 14360276 kB// 14GB
CPUcat /proc/cpuinfo | grep 'model name' |uniq
Intel(R) Xeon(R) CPU E5-2660 0 @ 2.20GHz
CPUcat /proc/cpuinfo | grep "cpu cores" | uniq
4
CPUcat /proc/cpuinfo | grep "physical id" | uniq | wc -l
1
ab
ab -c 1000 -n 100000 "http://10.0.0.4/test/a?a=b&c=d"
28542
appnetworkreplace8388``1.81%
replaceapprelua7959``6.83%
useragentab7116``16%
openstar 404Team 2.0 openstar https://github.com/knownsec/404StarLink2.0-Galaxy#community
openstar has joined 404Team 404StarLink 2.0 - Galaxy