update

2022-01-30 17:07:51 +01:00 · 2022-01-30 17:07:51 +01:00 · 10a2c34b96
commit 10a2c34b96
parent cec44d2549
7 changed files with 27 additions and 33 deletions
--- a/nginx/config.lua
+++ b/nginx/config.lua
@ -35,7 +35,7 @@ function config.loadConfig(file)
        return nil, "File ".. file .." doesn't exist"
    end
    local conf = {}
-    local valid_params = {'API_URL', 'API_KEY', 'BOUNCING_ON_TYPE', 'MODE', 'SECRET_KEY', 'SITE_KEY', 'CAPTCHA_TEMPLATE_PATH', 'REDIRECT_LOCATION', 'RET_CODE', 'EXCLUDE_LOCATION'}
+    local valid_params = {'API_URL', 'API_KEY', 'BOUNCING_ON_TYPE', 'MODE', 'SECRET_KEY', 'SITE_KEY', 'BAN_TEMPLATE_PATH' ,'CAPTCHA_TEMPLATE_PATH', 'REDIRECT_LOCATION', 'RET_CODE', 'EXCLUDE_LOCATION'}
    local valid_int_params = {'CACHE_EXPIRATION', 'CACHE_SIZE', 'REQUEST_TIMEOUT', 'UPDATE_FREQUENCY', 'CAPTCHA_EXPIRATION'}
    local valid_bouncing_on_type_values = {'ban', 'captcha', 'all'}
    local default_values = {
--- a/nginx/crowdsec.lua
+++ b/nginx/crowdsec.lua
@ -6,6 +6,7 @@ local http = require "resty.http"
 local cjson = require "cjson"
 local recaptcha = require "plugins.crowdsec.recaptcha"
 local utils = require "plugins.crowdsec.utils"
+local ban = require "plugins.crowdsec.ban"

 -- contain runtime = {}
 local runtime = {}
@ -32,6 +33,7 @@ function csmod.init(configFile, userAgent)
  captcha_ok = true

  err = recaptcha.New(runtime.conf["SITE_KEY"], runtime.conf["SECRET_KEY"], runtime.conf["CAPTCHA_TEMPLATE_PATH"])
+  err = ban.new(runtime.conf["BAN_TEMPLATE_PATH"], runtime.conf["REDIRECT_LOCATION"], runtime.conf["RET_CODE"])

  if runtime.conf["REDIRECT_LOCATION"] ~= "" then
    table.insert(runtime.conf["EXCLUDE_LOCATION"], runtime.conf["REDIRECT_LOCATION"])
@ -367,7 +369,7 @@ end


 function csmod.Allow(ip)
-  if utils.table_len(runtime.conf["EXCLUDE_LOCATION"]) > 0 then
+  if runtime.conf["EXCLUDE_LOCATION"] ~= nil and utils.table_len(runtime.conf["EXCLUDE_LOCATION"]) > 0 then
    for k, v in pairs(runtime.conf["EXCLUDE_LOCATION"]) do
      if ngx.var.uri == v then
        ngx.log(ngx.ERR,  "whitelisted location: " .. v)
@ -426,16 +428,7 @@ function csmod.Allow(ip)
  if not ok then
      ngx.log(ngx.ALERT, "[Crowdsec] denied '" .. ngx.var.remote_addr .. "' with '"..remediation.."'")
      if remediation == "ban" then
-        if runtime.conf["REDIRECT_LOCATION"] ~= "" then
-          ngx.redirect(runtime.conf["REDIRECT_LOCATION"])
-        else
-          ret_code = runtime.conf["RET_CODE"]
-          if ret_code ~= nil and ret_code ~= "" and ret_code ~= 0 then
-            ngx.exit(utils.HTTP_CODE[ret_code])
-          else
-            ngx.exit(ngx.HTTP_FORBIDDEN)
-          end
-        end
+        ban.apply()
        return
      end
      -- if the remediation is a captcha and captcha is well configured
--- a/nginx/recaptcha.lua
+++ b/nginx/recaptcha.lua
@ -1,7 +1,7 @@
--local template = require "resty.template.safe"
 local http = require "resty.http"
 local cjson = require "cjson"
 local template = require "plugins.crowdsec.template"
+local utils = require "plugins.crowdsec.utils"


 local M = {_TYPE='module', _NAME='recaptcha.funcs', _VERSION='1.0-0'}
@ -30,24 +30,7 @@ function M.GetStateID(state)
    return nil
 end

-local function read_file(path)
-    local file = io.open(path, "r") -- r read mode and b binary mode
-    if not file then return nil end
-    io.input(file)
-    content = io.read("*a")
-    io.close(file)
-    return content
-  end

-local function file_exist(path)
-  local f = io.open(path, "r")
-  if f ~= nil then 
-    io.close(f)
-    return true 
-  else 
-    return false
-  end
-end

 function M.New(siteKey, secretKey, TemplateFilePath)

@ -62,11 +45,11 @@ function M.New(siteKey, secretKey, TemplateFilePath)

    M.SecretKey = secretKey

-    if file_exist(TemplateFilePath) == false then
+    if utils.file_exist(TemplateFilePath) == false then
      return "captcha template file doesn't exist, can't use recaptcha"
    end

-    local captcha_template = read_file(TemplateFilePath)
+    local captcha_template = utils.read_file(TemplateFilePath)
    if captcha_template == nil then
        return "Template file " .. TemplateFilePath .. "not found."
    end
--- a/nginx/template.conf
+++ b/nginx/template.conf
@ -11,6 +11,7 @@ MODE=stream
 EXCLUDE_LOCATION=
 #those apply for "ban" action
 # /!\ REDIRECT_LOCATION and RET_CODE can't be used together. REDIRECT_LOCATION take priority over RET_CODE
+BAN_TEMPLATE_PATH=/usr/local/lua/crowdsec/templates/captcha.html
 REDIRECT_LOCATION=
 RET_CODE=
 #those apply for "captcha" action
@ -18,5 +19,5 @@ RET_CODE=
 SECRET_KEY=
 # Recaptcha Site key
 SITE_KEY=
-CAPTCHA_TEMPLATE_PATH=/usr/local/lua/crowdsec/captcha.html
+CAPTCHA_TEMPLATE_PATH=/usr/local/lua/crowdsec/templates/captcha.html
 CAPTCHA_EXPIRATION=3600
--- a/nginx/templates/ban.html
+++ b/nginx/templates/ban.html
--- a/nginx/templates/captcha.html
+++ b/nginx/templates/captcha.html
--- a/nginx/utils.lua
+++ b/nginx/utils.lua
@ -15,7 +15,24 @@ M.HTTP_CODE["404"] = ngx.HTTP_NOT_FOUND
 M.HTTP_CODE["405"] = ngx.HTTP_NOT_ALLOWED
 M.HTTP_CODE["500"] = ngx.HTTP_INTERNAL_SERVER_ERROR

+function M.read_file(path)
+   local file = io.open(path, "r") -- r read mode and b binary mode
+   if not file then return nil end
+   io.input(file)
+   content = io.read("*a")
+   io.close(file)
+   return content
+ end

+function M.file_exist(path)
+ local f = io.open(path, "r")
+ if f ~= nil then 
+   io.close(f)
+   return true 
+ else 
+   return false
+ end
+end

 function M.starts_with(str, start)
    return str:sub(1, #start) == start