2022-01-05 11:10:54 -03:00
|
|
|
package.path = package.path .. ";./?.lua"
|
|
|
|
|
|
|
|
|
|
local config = require "plugins.crowdsec.config"
|
2022-01-13 05:48:05 -03:00
|
|
|
local iputils = require "plugins.crowdsec.iputils"
|
2022-01-05 11:10:54 -03:00
|
|
|
local http = require "resty.http"
|
|
|
|
|
local cjson = require "cjson"
|
2023-03-29 06:07:30 -03:00
|
|
|
local captcha = require "plugins.crowdsec.captcha"
|
2022-01-26 14:41:57 -03:00
|
|
|
local utils = require "plugins.crowdsec.utils"
|
2022-01-30 13:07:51 -03:00
|
|
|
local ban = require "plugins.crowdsec.ban"
|
2022-01-05 11:10:54 -03:00
|
|
|
|
|
|
|
|
-- contain runtime = {}
|
|
|
|
|
local runtime = {}
|
2022-01-24 07:08:41 -03:00
|
|
|
-- remediations are stored in cache as int (shared dict tags)
|
|
|
|
|
-- we need to translate IDs to text with this.
|
2022-01-13 05:48:05 -03:00
|
|
|
runtime.remediations = {}
|
|
|
|
|
runtime.remediations["1"] = "ban"
|
|
|
|
|
runtime.remediations["2"] = "captcha"
|
2022-01-05 11:10:54 -03:00
|
|
|
|
|
|
|
|
|
2022-11-25 10:02:56 -03:00
|
|
|
runtime.timer_started = false
|
|
|
|
|
|
2022-01-05 11:10:54 -03:00
|
|
|
local csmod = {}
|
|
|
|
|
|
2022-01-25 07:40:05 -03:00
|
|
|
|
|
|
|
|
|
2022-01-05 11:10:54 -03:00
|
|
|
-- init function
|
|
|
|
|
function csmod.init(configFile, userAgent)
|
|
|
|
|
local conf, err = config.loadConfig(configFile)
|
|
|
|
|
if conf == nil then
|
|
|
|
|
return nil, err
|
|
|
|
|
end
|
|
|
|
|
runtime.conf = conf
|
|
|
|
|
runtime.userAgent = userAgent
|
2022-01-05 14:33:41 -03:00
|
|
|
runtime.cache = ngx.shared.crowdsec_cache
|
2022-01-31 09:25:07 -03:00
|
|
|
runtime.fallback = runtime.conf["FALLBACK_REMEDIATION"]
|
|
|
|
|
|
2022-02-22 01:33:05 -03:00
|
|
|
if runtime.conf["ENABLED"] == "false" then
|
|
|
|
|
return "Disabled", nil
|
|
|
|
|
end
|
2022-01-26 14:15:09 -03:00
|
|
|
|
2022-01-31 09:10:13 -03:00
|
|
|
if runtime.conf["REDIRECT_LOCATION"] == "/" then
|
2022-01-31 09:12:29 -03:00
|
|
|
ngx.log(ngx.ERR, "redirect location is set to '/' this will lead into infinite redirection")
|
2022-01-31 09:10:13 -03:00
|
|
|
end
|
|
|
|
|
|
2022-02-01 07:51:10 -03:00
|
|
|
local captcha_ok = true
|
2023-03-29 06:07:30 -03:00
|
|
|
local err = captcha.New(runtime.conf["SITE_KEY"], runtime.conf["SECRET_KEY"], runtime.conf["CAPTCHA_TEMPLATE_PATH"], runtime.conf["CAPTCHA_PROVIDER"])
|
2022-01-26 14:15:09 -03:00
|
|
|
if err ~= nil then
|
2023-03-29 06:07:30 -03:00
|
|
|
ngx.log(ngx.ERR, "error loading captcha plugin: " .. err)
|
2022-01-26 14:41:57 -03:00
|
|
|
captcha_ok = false
|
2022-01-26 14:15:09 -03:00
|
|
|
end
|
2022-01-28 13:29:13 -03:00
|
|
|
local succ, err, forcible = runtime.cache:set("captcha_ok", captcha_ok)
|
|
|
|
|
if not succ then
|
|
|
|
|
ngx.log(ngx.ERR, "failed to add captcha state key in cache: "..err)
|
|
|
|
|
end
|
|
|
|
|
if forcible then
|
|
|
|
|
ngx.log(ngx.ERR, "Lua shared dict (crowdsec cache) is full, please increase dict size in config")
|
|
|
|
|
end
|
2022-01-31 09:26:31 -03:00
|
|
|
|
|
|
|
|
|
2022-02-01 12:11:05 -03:00
|
|
|
local err = ban.new(runtime.conf["BAN_TEMPLATE_PATH"], runtime.conf["REDIRECT_LOCATION"], runtime.conf["RET_CODE"])
|
2022-01-31 09:26:31 -03:00
|
|
|
if err ~= nil then
|
|
|
|
|
ngx.log(ngx.ERR, "error loading ban plugins: " .. err)
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
if runtime.conf["REDIRECT_LOCATION"] ~= "" then
|
|
|
|
|
table.insert(runtime.conf["EXCLUDE_LOCATION"], runtime.conf["REDIRECT_LOCATION"])
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
|
2022-01-05 11:10:54 -03:00
|
|
|
-- if stream mode, add callback to stream_query and start timer
|
|
|
|
|
if runtime.conf["MODE"] == "stream" then
|
2022-01-28 13:29:13 -03:00
|
|
|
local succ, err, forcible = runtime.cache:set("startup", true)
|
|
|
|
|
if not succ then
|
|
|
|
|
ngx.log(ngx.ERR, "failed to add startup key in cache: "..err)
|
|
|
|
|
end
|
|
|
|
|
if forcible then
|
|
|
|
|
ngx.log(ngx.ERR, "Lua shared dict (crowdsec cache) is full, please increase dict size in config")
|
|
|
|
|
end
|
|
|
|
|
local succ, err, forcible = runtime.cache:set("first_run", true)
|
|
|
|
|
if not succ then
|
|
|
|
|
ngx.log(ngx.ERR, "failed to add first_run key in cache: "..err)
|
|
|
|
|
end
|
|
|
|
|
if forcible then
|
|
|
|
|
ngx.log(ngx.ERR, "Lua shared dict (crowdsec cache) is full, please increase dict size in config")
|
|
|
|
|
end
|
2022-01-05 11:10:54 -03:00
|
|
|
end
|
|
|
|
|
|
|
|
|
|
return true, nil
|
|
|
|
|
end
|
|
|
|
|
|
2022-01-25 13:22:01 -03:00
|
|
|
|
2023-03-29 06:07:30 -03:00
|
|
|
function csmod.validateCaptcha(captcha_res, remote_ip)
|
|
|
|
|
return captcha.Validate(captcha_res, remote_ip)
|
2022-01-25 13:22:01 -03:00
|
|
|
end
|
|
|
|
|
|
|
|
|
|
|
2022-11-25 10:02:56 -03:00
|
|
|
local function get_http_request(link)
|
2022-01-05 11:10:54 -03:00
|
|
|
local httpc = http.new()
|
|
|
|
|
httpc:set_timeout(runtime.conf['REQUEST_TIMEOUT'])
|
|
|
|
|
local res, err = httpc:request_uri(link, {
|
|
|
|
|
method = "GET",
|
|
|
|
|
headers = {
|
|
|
|
|
['Connection'] = 'close',
|
|
|
|
|
['X-Api-Key'] = runtime.conf["API_KEY"],
|
|
|
|
|
['User-Agent'] = runtime.userAgent
|
|
|
|
|
},
|
|
|
|
|
})
|
2022-02-09 11:37:06 -03:00
|
|
|
httpc:close()
|
2022-01-05 11:10:54 -03:00
|
|
|
return res, err
|
|
|
|
|
end
|
|
|
|
|
|
2022-11-25 10:02:56 -03:00
|
|
|
local function parse_duration(duration)
|
2022-01-13 05:48:05 -03:00
|
|
|
local match, err = ngx.re.match(duration, "^((?<hours>[0-9]+)h)?((?<minutes>[0-9]+)m)?(?<seconds>[0-9]+)")
|
2022-01-05 11:10:54 -03:00
|
|
|
local ttl = 0
|
|
|
|
|
if not match then
|
|
|
|
|
if err then
|
|
|
|
|
return ttl, err
|
|
|
|
|
end
|
|
|
|
|
end
|
2022-01-05 14:27:17 -03:00
|
|
|
if match["hours"] ~= nil and match["hours"] ~= false then
|
2022-01-05 11:10:54 -03:00
|
|
|
local hours = tonumber(match["hours"])
|
|
|
|
|
ttl = ttl + (hours * 3600)
|
|
|
|
|
end
|
2022-01-05 14:27:17 -03:00
|
|
|
if match["minutes"] ~= nil and match["minutes"] ~= false then
|
2022-01-05 11:10:54 -03:00
|
|
|
local minutes = tonumber(match["minutes"])
|
|
|
|
|
ttl = ttl + (minutes * 60)
|
|
|
|
|
end
|
2022-01-05 14:27:17 -03:00
|
|
|
if match["seconds"] ~= nil and match["seconds"] ~= false then
|
2022-01-05 11:10:54 -03:00
|
|
|
local seconds = tonumber(match["seconds"])
|
|
|
|
|
ttl = ttl + seconds
|
|
|
|
|
end
|
|
|
|
|
return ttl, nil
|
|
|
|
|
end
|
|
|
|
|
|
2022-11-25 10:02:56 -03:00
|
|
|
local function get_remediation_id(remediation)
|
2022-01-13 05:48:05 -03:00
|
|
|
for key, value in pairs(runtime.remediations) do
|
|
|
|
|
if value == remediation then
|
|
|
|
|
return tonumber(key)
|
|
|
|
|
end
|
|
|
|
|
end
|
|
|
|
|
return nil
|
|
|
|
|
end
|
|
|
|
|
|
2022-11-25 10:02:56 -03:00
|
|
|
local function item_to_string(item, scope)
|
2022-01-21 12:51:40 -03:00
|
|
|
local ip, cidr, ip_version
|
2022-01-17 14:17:43 -03:00
|
|
|
if scope:lower() == "ip" then
|
|
|
|
|
ip = item
|
|
|
|
|
end
|
|
|
|
|
if scope:lower() == "range" then
|
|
|
|
|
ip, cidr = iputils.splitRange(item, scope)
|
2022-01-13 05:48:05 -03:00
|
|
|
end
|
|
|
|
|
|
2022-01-21 17:31:23 -03:00
|
|
|
local ip_network_address, is_ipv4 = iputils.parseIPAddress(ip)
|
|
|
|
|
if is_ipv4 then
|
2022-01-13 05:48:05 -03:00
|
|
|
ip_version = "ipv4"
|
2022-01-17 14:17:43 -03:00
|
|
|
if cidr == nil then
|
|
|
|
|
cidr = 32
|
|
|
|
|
end
|
2022-01-21 12:51:40 -03:00
|
|
|
else
|
2022-01-13 05:48:05 -03:00
|
|
|
ip_version = "ipv6"
|
2022-01-21 17:31:23 -03:00
|
|
|
ip_network_address = ip_network_address.uint32[3]..":"..ip_network_address.uint32[2]..":"..ip_network_address.uint32[1]..":"..ip_network_address.uint32[0]
|
2022-01-17 14:17:43 -03:00
|
|
|
if cidr == nil then
|
|
|
|
|
cidr = 128
|
|
|
|
|
end
|
2022-01-13 05:48:05 -03:00
|
|
|
end
|
2022-01-21 12:51:40 -03:00
|
|
|
|
2022-01-17 14:17:43 -03:00
|
|
|
if ip_version == nil then
|
|
|
|
|
return "normal_"..item
|
2022-01-13 05:48:05 -03:00
|
|
|
end
|
2022-01-17 14:17:43 -03:00
|
|
|
local ip_netmask = iputils.cidrToInt(cidr, ip_version)
|
2022-01-13 05:48:05 -03:00
|
|
|
return ip_version.."_"..ip_netmask.."_"..ip_network_address
|
|
|
|
|
end
|
|
|
|
|
|
2022-11-25 10:02:56 -03:00
|
|
|
local function set_refreshing(value)
|
|
|
|
|
local succ, err, forcible = runtime.cache:set("refreshing", value)
|
|
|
|
|
if not succ then
|
|
|
|
|
error("Failed to set refreshing key in cache: "..err)
|
|
|
|
|
end
|
|
|
|
|
if forcible then
|
|
|
|
|
ngx.log(ngx.ERR, "Lua shared dict (crowdsec cache) is full, please increase dict size in config")
|
|
|
|
|
end
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
local function stream_query(premature)
|
|
|
|
|
-- As this function is running inside coroutine (with ngx.timer.at),
|
2022-01-05 11:10:54 -03:00
|
|
|
-- we need to raise error instead of returning them
|
2022-11-25 10:02:56 -03:00
|
|
|
|
|
|
|
|
|
|
|
|
|
ngx.log(ngx.DEBUG, "running timers: " .. tostring(ngx.timer.running_count()) .. " | pending timers: " .. tostring(ngx.timer.pending_count()))
|
|
|
|
|
|
|
|
|
|
if premature then
|
|
|
|
|
ngx.log(ngx.DEBUG, "premature run of the timer, returning")
|
|
|
|
|
return
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
local refreshing = runtime.cache:get("refreshing")
|
|
|
|
|
|
|
|
|
|
if refreshing == true then
|
|
|
|
|
ngx.log(ngx.DEBUG, "another worker is refreshing the data, returning")
|
|
|
|
|
local ok, err = ngx.timer.at(runtime.conf["UPDATE_FREQUENCY"], stream_query)
|
|
|
|
|
if not ok then
|
|
|
|
|
error("Failed to create the timer: " .. (err or "unknown"))
|
|
|
|
|
end
|
|
|
|
|
return
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
local last_refresh = runtime.cache:get("last_refresh")
|
|
|
|
|
if last_refresh ~= nil then
|
|
|
|
|
-- local last_refresh_time = tonumber(last_refresh)
|
|
|
|
|
local now = ngx.time()
|
|
|
|
|
if now - last_refresh < runtime.conf["UPDATE_FREQUENCY"] then
|
|
|
|
|
ngx.log(ngx.DEBUG, "last refresh was less than " .. runtime.conf["UPDATE_FREQUENCY"] .. " seconds ago, returning")
|
|
|
|
|
local ok, err = ngx.timer.at(runtime.conf["UPDATE_FREQUENCY"], stream_query)
|
|
|
|
|
if not ok then
|
|
|
|
|
error("Failed to create the timer: " .. (err or "unknown"))
|
|
|
|
|
end
|
|
|
|
|
return
|
|
|
|
|
end
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
set_refreshing(true)
|
|
|
|
|
|
2022-01-13 05:48:05 -03:00
|
|
|
local is_startup = runtime.cache:get("startup")
|
2022-11-25 10:02:56 -03:00
|
|
|
ngx.log(ngx.DEBUG, "Stream Query from worker : " .. tostring(ngx.worker.id()) .. " with startup "..tostring(is_startup) .. " | premature: " .. tostring(premature))
|
2022-01-13 05:48:05 -03:00
|
|
|
local link = runtime.conf["API_URL"] .. "/v1/decisions/stream?startup=" .. tostring(is_startup)
|
2022-01-25 13:22:01 -03:00
|
|
|
local res, err = get_http_request(link)
|
2022-01-05 11:10:54 -03:00
|
|
|
if not res then
|
2022-11-25 10:02:56 -03:00
|
|
|
local ok, err = ngx.timer.at(runtime.conf["UPDATE_FREQUENCY"], stream_query)
|
|
|
|
|
if not ok then
|
|
|
|
|
set_refreshing(false)
|
|
|
|
|
error("Failed to create the timer: " .. (err or "unknown"))
|
|
|
|
|
end
|
|
|
|
|
set_refreshing(false)
|
2022-01-05 11:10:54 -03:00
|
|
|
error("request failed: ".. err)
|
|
|
|
|
end
|
|
|
|
|
|
2022-11-25 10:02:56 -03:00
|
|
|
local succ, err, forcible = runtime.cache:set("last_refresh", ngx.time())
|
|
|
|
|
if not succ then
|
|
|
|
|
error("Failed to set last_refresh key in cache: "..err)
|
|
|
|
|
end
|
|
|
|
|
if forcible then
|
|
|
|
|
ngx.log(ngx.ERR, "Lua shared dict (crowdsec cache) is full, please increase dict size in config")
|
|
|
|
|
end
|
|
|
|
|
|
2022-01-05 11:10:54 -03:00
|
|
|
local status = res.status
|
|
|
|
|
local body = res.body
|
2022-11-25 10:02:56 -03:00
|
|
|
|
|
|
|
|
ngx.log(ngx.DEBUG, "Response:" .. tostring(status) .. " | " .. tostring(body))
|
|
|
|
|
|
2022-01-05 11:10:54 -03:00
|
|
|
if status~=200 then
|
2022-11-25 10:02:56 -03:00
|
|
|
local ok, err = ngx.timer.at(runtime.conf["UPDATE_FREQUENCY"], stream_query)
|
|
|
|
|
if not ok then
|
|
|
|
|
set_refreshing(false)
|
|
|
|
|
error("Failed to create the timer: " .. (err or "unknown"))
|
2022-01-07 14:07:11 -03:00
|
|
|
end
|
2022-11-25 10:02:56 -03:00
|
|
|
set_refreshing(false)
|
2022-02-08 12:24:09 -03:00
|
|
|
error("HTTP error while request to Local API '" .. status .. "' with message (" .. tostring(body) .. ")")
|
2022-01-05 11:10:54 -03:00
|
|
|
end
|
|
|
|
|
|
|
|
|
|
local decisions = cjson.decode(body)
|
|
|
|
|
-- process deleted decisions
|
|
|
|
|
if type(decisions.deleted) == "table" then
|
2022-01-13 05:48:05 -03:00
|
|
|
for i, decision in pairs(decisions.deleted) do
|
2022-01-28 08:26:31 -03:00
|
|
|
if decision.type == "captcha" then
|
|
|
|
|
runtime.cache:delete("captcha_" .. decision.value)
|
|
|
|
|
end
|
2022-01-17 14:17:43 -03:00
|
|
|
local key = item_to_string(decision.value, decision.scope)
|
2022-01-13 05:48:05 -03:00
|
|
|
runtime.cache:delete(key)
|
|
|
|
|
ngx.log(ngx.DEBUG, "Deleting '" .. key .. "'")
|
|
|
|
|
end
|
2022-01-05 11:10:54 -03:00
|
|
|
end
|
|
|
|
|
|
|
|
|
|
-- process new decisions
|
|
|
|
|
if type(decisions.new) == "table" then
|
|
|
|
|
for i, decision in pairs(decisions.new) do
|
|
|
|
|
if runtime.conf["BOUNCING_ON_TYPE"] == decision.type or runtime.conf["BOUNCING_ON_TYPE"] == "all" then
|
|
|
|
|
local ttl, err = parse_duration(decision.duration)
|
|
|
|
|
if err ~= nil then
|
|
|
|
|
ngx.log(ngx.ERR, "[Crowdsec] failed to parse ban duration '" .. decision.duration .. "' : " .. err)
|
|
|
|
|
end
|
2022-01-13 05:48:05 -03:00
|
|
|
local remediation_id = get_remediation_id(decision.type)
|
|
|
|
|
if remediation_id == nil then
|
2022-03-09 11:18:13 -03:00
|
|
|
remediation_id = get_remediation_id(runtime.fallback)
|
2022-01-13 05:48:05 -03:00
|
|
|
end
|
2022-01-17 14:17:43 -03:00
|
|
|
local key = item_to_string(decision.value, decision.scope)
|
2022-01-13 05:48:05 -03:00
|
|
|
local succ, err, forcible = runtime.cache:set(key, false, ttl, remediation_id)
|
2022-01-05 11:10:54 -03:00
|
|
|
if not succ then
|
|
|
|
|
ngx.log(ngx.ERR, "failed to add ".. decision.value .." : "..err)
|
|
|
|
|
end
|
|
|
|
|
if forcible then
|
|
|
|
|
ngx.log(ngx.ERR, "Lua shared dict (crowdsec cache) is full, please increase dict size in config")
|
|
|
|
|
end
|
2022-01-13 05:48:05 -03:00
|
|
|
ngx.log(ngx.DEBUG, "Adding '" .. key .. "' in cache for '" .. ttl .. "' seconds")
|
2022-01-05 11:10:54 -03:00
|
|
|
end
|
|
|
|
|
end
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
-- not startup anymore after first callback
|
2022-01-28 13:29:13 -03:00
|
|
|
local succ, err, forcible = runtime.cache:set("startup", false)
|
|
|
|
|
if not succ then
|
|
|
|
|
ngx.log(ngx.ERR, "failed to set startup key in cache: "..err)
|
|
|
|
|
end
|
|
|
|
|
if forcible then
|
|
|
|
|
ngx.log(ngx.ERR, "Lua shared dict (crowdsec cache) is full, please increase dict size in config")
|
|
|
|
|
end
|
|
|
|
|
|
2022-11-25 10:02:56 -03:00
|
|
|
|
|
|
|
|
local ok, err = ngx.timer.at(runtime.conf["UPDATE_FREQUENCY"], stream_query)
|
|
|
|
|
if not ok then
|
|
|
|
|
set_refreshing(false)
|
|
|
|
|
error("Failed to create the timer: " .. (err or "unknown"))
|
2022-01-07 12:25:23 -03:00
|
|
|
end
|
2022-11-25 10:02:56 -03:00
|
|
|
|
|
|
|
|
set_refreshing(false)
|
|
|
|
|
ngx.log(ngx.DEBUG, "end of stream_query")
|
2022-01-05 11:10:54 -03:00
|
|
|
return nil
|
|
|
|
|
end
|
|
|
|
|
|
2022-11-25 10:02:56 -03:00
|
|
|
local function live_query(ip)
|
2022-01-05 11:10:54 -03:00
|
|
|
local link = runtime.conf["API_URL"] .. "/v1/decisions?ip=" .. ip
|
2022-01-25 13:22:01 -03:00
|
|
|
local res, err = get_http_request(link)
|
2022-01-05 11:10:54 -03:00
|
|
|
if not res then
|
2022-01-24 07:32:01 -03:00
|
|
|
return true, nil, "request failed: ".. err
|
2022-01-05 11:10:54 -03:00
|
|
|
end
|
|
|
|
|
|
|
|
|
|
local status = res.status
|
|
|
|
|
local body = res.body
|
|
|
|
|
if status~=200 then
|
2022-01-24 07:32:01 -03:00
|
|
|
return true, nil, "Http error " .. status .. " while talking to LAPI (" .. link .. ")"
|
2022-01-05 11:10:54 -03:00
|
|
|
end
|
|
|
|
|
if body == "null" then -- no result from API, no decision for this IP
|
|
|
|
|
-- set ip in cache and DON'T block it
|
2022-02-22 14:50:11 -03:00
|
|
|
local key = item_to_string(ip, "ip")
|
2022-02-22 14:41:30 -03:00
|
|
|
local succ, err, forcible = runtime.cache:set(key, true, runtime.conf["CACHE_EXPIRATION"], 1)
|
2022-01-28 13:29:13 -03:00
|
|
|
if not succ then
|
|
|
|
|
ngx.log(ngx.ERR, "failed to add ip '" .. ip .. "' in cache: "..err)
|
|
|
|
|
end
|
|
|
|
|
if forcible then
|
|
|
|
|
ngx.log(ngx.ERR, "Lua shared dict (crowdsec cache) is full, please increase dict size in config")
|
|
|
|
|
end
|
2022-01-24 07:32:01 -03:00
|
|
|
return true, nil, nil
|
2022-01-05 11:10:54 -03:00
|
|
|
end
|
|
|
|
|
local decision = cjson.decode(body)[1]
|
|
|
|
|
|
|
|
|
|
if runtime.conf["BOUNCING_ON_TYPE"] == decision.type or runtime.conf["BOUNCING_ON_TYPE"] == "all" then
|
2022-01-24 07:32:01 -03:00
|
|
|
local remediation_id = get_remediation_id(decision.type)
|
|
|
|
|
if remediation_id == nil then
|
2022-03-09 11:18:13 -03:00
|
|
|
remediation_id = get_remediation_id(runtime.fallback)
|
2022-01-24 07:32:01 -03:00
|
|
|
end
|
|
|
|
|
local key = item_to_string(decision.value, decision.scope)
|
|
|
|
|
local succ, err, forcible = runtime.cache:set(key, false, runtime.conf["CACHE_EXPIRATION"], remediation_id)
|
|
|
|
|
if not succ then
|
|
|
|
|
ngx.log(ngx.ERR, "failed to add ".. decision.value .." : "..err)
|
|
|
|
|
end
|
|
|
|
|
if forcible then
|
|
|
|
|
ngx.log(ngx.ERR, "Lua shared dict (crowdsec cache) is full, please increase dict size in config")
|
|
|
|
|
end
|
|
|
|
|
ngx.log(ngx.DEBUG, "Adding '" .. key .. "' in cache for '" .. runtime.conf["CACHE_EXPIRATION"] .. "' seconds")
|
|
|
|
|
return false, decision.type, nil
|
2022-01-05 11:10:54 -03:00
|
|
|
else
|
2022-01-24 07:32:01 -03:00
|
|
|
return true, nil, nil
|
2022-01-05 11:10:54 -03:00
|
|
|
end
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
|
2022-01-25 13:22:01 -03:00
|
|
|
function csmod.GetCaptchaTemplate()
|
2023-03-29 06:07:30 -03:00
|
|
|
return captcha.GetTemplate()
|
2022-01-25 13:22:01 -03:00
|
|
|
end
|
|
|
|
|
|
2023-03-29 06:07:30 -03:00
|
|
|
function csmod.GetCaptchaBackendKey()
|
|
|
|
|
return captcha.GetCaptchaBackendKey()
|
|
|
|
|
end
|
2022-01-25 13:22:01 -03:00
|
|
|
|
2022-02-22 14:41:30 -03:00
|
|
|
function csmod.SetupStream()
|
2022-01-05 11:10:54 -03:00
|
|
|
-- if it stream mode and startup start timer
|
2022-11-25 10:02:56 -03:00
|
|
|
ngx.log(ngx.DEBUG, "timer started: " .. tostring(runtime.timer_started) .. " in worker " .. tostring(ngx.worker.id()))
|
|
|
|
|
if runtime.timer_started == false and runtime.conf["MODE"] == "stream" then
|
2022-01-07 13:38:47 -03:00
|
|
|
local ok, err
|
2022-11-25 10:02:56 -03:00
|
|
|
ok, err = ngx.timer.at(runtime.conf["UPDATE_FREQUENCY"], stream_query)
|
2022-01-07 13:38:47 -03:00
|
|
|
if not ok then
|
2022-01-24 07:32:01 -03:00
|
|
|
return true, nil, "Failed to create the timer: " .. (err or "unknown")
|
2022-01-07 13:29:33 -03:00
|
|
|
end
|
2022-11-25 10:02:56 -03:00
|
|
|
runtime.timer_started = true
|
2022-01-05 11:10:54 -03:00
|
|
|
ngx.log(ngx.DEBUG, "Timer launched")
|
|
|
|
|
end
|
2022-02-22 14:41:30 -03:00
|
|
|
end
|
|
|
|
|
|
|
|
|
|
function csmod.allowIp(ip)
|
|
|
|
|
if runtime.conf == nil then
|
|
|
|
|
return true, nil, "Configuration is bad, cannot run properly"
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
csmod.SetupStream()
|
2022-01-05 11:10:54 -03:00
|
|
|
|
2022-01-17 14:17:43 -03:00
|
|
|
local key = item_to_string(ip, "ip")
|
2022-01-13 05:48:05 -03:00
|
|
|
local key_parts = {}
|
|
|
|
|
for i in key.gmatch(key, "([^_]+)") do
|
|
|
|
|
table.insert(key_parts, i)
|
|
|
|
|
end
|
2022-01-20 06:47:08 -03:00
|
|
|
|
2022-01-13 05:48:05 -03:00
|
|
|
local key_type = key_parts[1]
|
|
|
|
|
if key_type == "normal" then
|
|
|
|
|
local in_cache, remediation_id = runtime.cache:get(key)
|
|
|
|
|
if in_cache ~= nil then -- we have it in cache
|
|
|
|
|
ngx.log(ngx.DEBUG, "'" .. key .. "' is in cache")
|
|
|
|
|
return in_cache, runtime.remediations[tostring(remediation_id)], nil
|
|
|
|
|
end
|
|
|
|
|
end
|
|
|
|
|
|
2022-01-20 06:47:08 -03:00
|
|
|
local ip_network_address = key_parts[3]
|
2022-01-13 05:48:05 -03:00
|
|
|
local netmasks = iputils.netmasks_by_key_type[key_type]
|
2022-01-20 06:47:08 -03:00
|
|
|
for i, netmask in pairs(netmasks) do
|
2022-01-21 17:31:23 -03:00
|
|
|
local item
|
|
|
|
|
if key_type == "ipv4" then
|
|
|
|
|
item = key_type.."_"..netmask.."_"..iputils.ipv4_band(ip_network_address, netmask)
|
|
|
|
|
end
|
|
|
|
|
if key_type == "ipv6" then
|
|
|
|
|
item = key_type.."_"..table.concat(netmask, ":").."_"..iputils.ipv6_band(ip_network_address, netmask)
|
|
|
|
|
end
|
2022-01-24 08:25:27 -03:00
|
|
|
local in_cache, remediation_id = runtime.cache:get(item)
|
2022-01-13 05:48:05 -03:00
|
|
|
if in_cache ~= nil then -- we have it in cache
|
|
|
|
|
ngx.log(ngx.DEBUG, "'" .. key .. "' is in cache")
|
|
|
|
|
return in_cache, runtime.remediations[tostring(remediation_id)], nil
|
|
|
|
|
end
|
2022-01-05 11:10:54 -03:00
|
|
|
end
|
|
|
|
|
|
|
|
|
|
-- if live mode, query lapi
|
|
|
|
|
if runtime.conf["MODE"] == "live" then
|
2022-01-24 07:32:01 -03:00
|
|
|
local ok, remediation, err = live_query(ip)
|
|
|
|
|
return ok, remediation, err
|
2022-01-05 11:10:54 -03:00
|
|
|
end
|
2022-01-24 07:32:01 -03:00
|
|
|
return true, nil, nil
|
2022-01-05 11:10:54 -03:00
|
|
|
end
|
|
|
|
|
|
2022-01-26 12:50:29 -03:00
|
|
|
function csmod.Allow(ip)
|
2022-02-22 01:33:05 -03:00
|
|
|
|
|
|
|
|
if runtime.conf["ENABLED"] == "false" then
|
|
|
|
|
return "Disabled", nil
|
|
|
|
|
end
|
|
|
|
|
|
2022-01-30 13:11:05 -03:00
|
|
|
if utils.table_len(runtime.conf["EXCLUDE_LOCATION"]) > 0 then
|
2022-01-28 13:08:08 -03:00
|
|
|
for k, v in pairs(runtime.conf["EXCLUDE_LOCATION"]) do
|
|
|
|
|
if ngx.var.uri == v then
|
|
|
|
|
ngx.log(ngx.ERR, "whitelisted location: " .. v)
|
|
|
|
|
return
|
|
|
|
|
end
|
2022-02-01 07:51:10 -03:00
|
|
|
local uri_to_check = v
|
2022-01-31 09:12:29 -03:00
|
|
|
if utils.ends_with(uri_to_check, "/") == false then
|
|
|
|
|
uri_to_check = uri_to_check .. "/"
|
2022-01-28 13:08:08 -03:00
|
|
|
end
|
|
|
|
|
if utils.starts_with(ngx.var.uri, uri_to_check) then
|
|
|
|
|
ngx.log(ngx.ERR, "whitelisted location: " .. uri_to_check)
|
|
|
|
|
end
|
2022-01-28 07:03:15 -03:00
|
|
|
end
|
2022-01-26 19:02:27 -03:00
|
|
|
end
|
2022-01-28 08:40:58 -03:00
|
|
|
|
|
|
|
|
local ok, remediation, err = csmod.allowIp(ip)
|
|
|
|
|
if err ~= nil then
|
|
|
|
|
ngx.log(ngx.ERR, "[Crowdsec] bouncer error: " .. err)
|
|
|
|
|
end
|
|
|
|
|
|
2022-01-31 09:25:07 -03:00
|
|
|
-- if the ip is now allowed, try to delete its captcha state in cache
|
2022-01-28 09:00:27 -03:00
|
|
|
if ok == true then
|
|
|
|
|
ngx.shared.crowdsec_cache:delete("captcha_" .. ip)
|
2022-01-28 08:40:58 -03:00
|
|
|
end
|
|
|
|
|
|
2022-02-01 07:51:10 -03:00
|
|
|
local captcha_ok = runtime.cache:get("captcha_ok")
|
2022-01-31 09:25:07 -03:00
|
|
|
|
|
|
|
|
if runtime.fallback ~= "" then
|
2023-03-29 06:07:30 -03:00
|
|
|
-- if we can't use captcha, fallback
|
2022-01-31 09:25:07 -03:00
|
|
|
if remediation == "captcha" and captcha_ok == false then
|
|
|
|
|
remediation = runtime.fallback
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
-- if remediation is not supported, fallback
|
|
|
|
|
if remediation ~= "captcha" and remediation ~= "ban" then
|
|
|
|
|
remediation = runtime.fallback
|
|
|
|
|
end
|
|
|
|
|
end
|
|
|
|
|
|
2022-01-26 14:41:57 -03:00
|
|
|
if captcha_ok then -- if captcha can be use (configuration is valid)
|
2022-01-26 14:15:09 -03:00
|
|
|
-- we check if the IP need to validate its captcha before checking it against crowdsec local API
|
2022-02-01 07:51:10 -03:00
|
|
|
local previous_uri, state_id = ngx.shared.crowdsec_cache:get("captcha_"..ngx.var.remote_addr)
|
2023-03-29 06:07:30 -03:00
|
|
|
if previous_uri ~= nil and state_id == captcha.GetStateID(captcha._VERIFY_STATE) then
|
2022-01-26 14:15:09 -03:00
|
|
|
ngx.req.read_body()
|
2023-03-29 06:07:30 -03:00
|
|
|
local captcha_res = ngx.req.get_post_args()[csmod.GetCaptchaBackendKey()] or 0
|
|
|
|
|
if captcha_res ~= 0 then
|
|
|
|
|
local valid, err = csmod.validateCaptcha(captcha_res, ngx.var.remote_addr)
|
2022-01-26 14:15:09 -03:00
|
|
|
if err ~= nil then
|
|
|
|
|
ngx.log(ngx.ERR, "Error while validating captcha: " .. err)
|
|
|
|
|
end
|
|
|
|
|
if valid == true then
|
|
|
|
|
-- captcha is valid, we redirect the IP to its previous URI but in GET method
|
2023-03-29 06:07:30 -03:00
|
|
|
local succ, err, forcible = ngx.shared.crowdsec_cache:set("captcha_"..ngx.var.remote_addr, previous_uri, runtime.conf["CAPTCHA_EXPIRATION"], captcha.GetStateID(captcha._VALIDATED_STATE))
|
2022-01-28 13:29:13 -03:00
|
|
|
if not succ then
|
|
|
|
|
ngx.log(ngx.ERR, "failed to add key about captcha for ip '" .. ngx.var.remote_addr .. "' in cache: "..err)
|
|
|
|
|
end
|
|
|
|
|
if forcible then
|
|
|
|
|
ngx.log(ngx.ERR, "Lua shared dict (crowdsec cache) is full, please increase dict size in config")
|
|
|
|
|
end
|
|
|
|
|
|
2022-01-26 14:15:09 -03:00
|
|
|
ngx.req.set_method(ngx.HTTP_GET)
|
|
|
|
|
ngx.redirect(previous_uri)
|
|
|
|
|
return
|
|
|
|
|
else
|
|
|
|
|
ngx.log(ngx.ALERT, "Invalid captcha from " .. ngx.var.remote_addr)
|
|
|
|
|
end
|
|
|
|
|
end
|
|
|
|
|
end
|
2022-01-26 12:50:29 -03:00
|
|
|
end
|
2022-01-26 14:15:09 -03:00
|
|
|
|
2022-01-26 12:50:29 -03:00
|
|
|
if not ok then
|
|
|
|
|
if remediation == "ban" then
|
2022-01-31 09:25:07 -03:00
|
|
|
ngx.log(ngx.ALERT, "[Crowdsec] denied '" .. ngx.var.remote_addr .. "' with '"..remediation.."'")
|
2022-01-30 13:07:51 -03:00
|
|
|
ban.apply()
|
2022-01-27 14:57:05 -03:00
|
|
|
return
|
2022-01-26 12:50:29 -03:00
|
|
|
end
|
2022-01-26 14:15:09 -03:00
|
|
|
-- if the remediation is a captcha and captcha is well configured
|
2022-01-31 09:10:13 -03:00
|
|
|
if remediation == "captcha" and captcha_ok and ngx.var.uri ~= "/favicon.ico" then
|
2022-02-01 07:51:10 -03:00
|
|
|
local previous_uri, state_id = ngx.shared.crowdsec_cache:get("captcha_"..ngx.var.remote_addr)
|
2022-01-26 14:15:09 -03:00
|
|
|
-- we check if the IP is already in cache for captcha and not yet validated
|
2023-03-29 06:07:30 -03:00
|
|
|
if previous_uri == nil or state_id ~= captcha.GetStateID(captcha._VALIDATED_STATE) then
|
2022-01-26 12:50:29 -03:00
|
|
|
ngx.header.content_type = "text/html"
|
2022-02-01 06:12:13 -03:00
|
|
|
ngx.say(csmod.GetCaptchaTemplate())
|
2022-01-26 13:14:13 -03:00
|
|
|
local uri = ngx.var.uri
|
2022-01-26 14:15:09 -03:00
|
|
|
-- in case its not a GET request, we prefer to fallback on referer
|
2022-01-26 13:14:13 -03:00
|
|
|
if ngx.req.get_method() ~= "GET" then
|
2022-02-01 07:51:10 -03:00
|
|
|
local headers, err = ngx.req.get_headers()
|
2022-01-26 12:58:02 -03:00
|
|
|
for k, v in pairs(headers) do
|
2022-01-26 13:14:13 -03:00
|
|
|
if k == "referer" then
|
|
|
|
|
uri = v
|
|
|
|
|
end
|
2022-01-26 12:58:02 -03:00
|
|
|
end
|
|
|
|
|
end
|
2023-03-29 06:07:30 -03:00
|
|
|
local succ, err, forcible = ngx.shared.crowdsec_cache:set("captcha_"..ngx.var.remote_addr, uri , 60, captcha.GetStateID(captcha._VERIFY_STATE))
|
2022-01-28 13:29:13 -03:00
|
|
|
if not succ then
|
|
|
|
|
ngx.log(ngx.ERR, "failed to add key about captcha for ip '" .. ngx.var.remote_addr .. "' in cache: "..err)
|
|
|
|
|
end
|
|
|
|
|
if forcible then
|
|
|
|
|
ngx.log(ngx.ERR, "Lua shared dict (crowdsec cache) is full, please increase dict size in config")
|
|
|
|
|
end
|
2022-01-31 09:25:07 -03:00
|
|
|
ngx.log(ngx.ALERT, "[Crowdsec] denied '" .. ngx.var.remote_addr .. "' with '"..remediation.."'")
|
2022-01-26 12:50:29 -03:00
|
|
|
end
|
|
|
|
|
end
|
|
|
|
|
end
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
|
2022-01-05 11:10:54 -03:00
|
|
|
-- Use it if you are able to close at shuttime
|
|
|
|
|
function csmod.close()
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
return csmod
|
