diff --git a/lib/crowdsec.lua b/lib/crowdsec.lua index 1fb62f7..ddcf874 100644 --- a/lib/crowdsec.lua +++ b/lib/crowdsec.lua @@ -512,7 +512,7 @@ function csmod.AppSecCheck(ip) -- set CrowdSec APPSEC Host headers["host"] = runtime.conf["APPSEC_HOST"] - local ok, remediation = true, "allow" + local ok, remediation, status_code = true, "allow", 200 if runtime.conf["APPSEC_FAILURE_ACTION"] == DENY then ok = false remediation = runtime.conf["FALLBACK_REMEDIATION"] @@ -548,15 +548,22 @@ function csmod.AppSecCheck(ip) remediation = "allow" elseif res.status == 403 then ok = false + ngx.log(ngx.DEBUG, "Appsec body response: " .. res.body) local response = cjson.decode(res.body) remediation = response.action + if response.http_status ~= nil then + ngx.log(ngx.DEBUG, "Got status code from APPSEC: " .. response.http_status) + status_code = response.http_status + else + status_code = ngx.HTTP_FORBIDDEN + end elseif res.status == 401 then ngx.log(ngx.ERR, "Unauthenticated request to APPSEC") else ngx.log(ngx.ERR, "Bad request to APPSEC (" .. res.status .. "): " .. res.body) end - return ok, remediation, err + return ok, remediation, status_code, err end @@ -570,6 +577,7 @@ function csmod.Allow(ip) end local remediationSource = flag.BOUNCER_SOURCE + local ret_code = nil if utils.table_len(runtime.conf["EXCLUDE_LOCATION"]) > 0 then for k, v in pairs(runtime.conf["EXCLUDE_LOCATION"]) do @@ -602,7 +610,7 @@ function csmod.Allow(ip) -- that user configured the remediation component to always check on the appSec (even if there is a decision for the IP) if ok == true or runtime.conf["ALWAYS_SEND_TO_APPSEC"] == true then if runtime.conf["APPSEC_ENABLED"] == true and ngx.var.no_appsec ~= "1" then - local appsecOk, appsecRemediation, err = csmod.AppSecCheck(ip) + local appsecOk, appsecRemediation, status_code, err = csmod.AppSecCheck(ip) if err ~= nil then ngx.log(ngx.ERR, "AppSec check: " .. err) end @@ -610,6 +618,7 @@ function csmod.Allow(ip) ok = false remediationSource = flag.APPSEC_SOURCE remediation = appsecRemediation + ret_code = status_code end end end @@ -669,7 +678,7 @@ function csmod.Allow(ip) if not ok then if remediation == "ban" then ngx.log(ngx.ALERT, "[Crowdsec] denied '" .. ip .. "' with '"..remediation.."' (by " .. flag.Flags[remediationSource] .. ")") - ban.apply() + ban.apply(ret_code) return end -- if the remediation is a captcha and captcha is well configured diff --git a/lib/plugins/crowdsec/ban.lua b/lib/plugins/crowdsec/ban.lua index 08cb400..1dddf8b 100644 --- a/lib/plugins/crowdsec/ban.lua +++ b/lib/plugins/crowdsec/ban.lua @@ -42,7 +42,20 @@ end -function M.apply() +function M.apply(...) + local args = {...} + local ret_code = args[1] + + ngx.log(ngx.DEBUG, "args:" .. tostring(args[1])) + + local status = 0 + if ret_code ~= nil then + status = ret_code + else + status = M.ret_code + end + + ngx.log(ngx.DEBUG, "BAN: status=" .. status .. ", redirect_location=" .. M.redirect_location .. ", template_str=" .. M.template_str) if M.redirect_location ~= "" then ngx.redirect(M.redirect_location) return @@ -50,13 +63,13 @@ function M.apply() if M.template_str ~= "" then ngx.header.content_type = "text/html" ngx.header.cache_control = "no-cache" - ngx.status = M.ret_code + ngx.status = status ngx.say(M.template_str) - ngx.exit(M.ret_code) + ngx.exit(status) return end - ngx.exit(M.ret_code) + ngx.exit(status) return end diff --git a/lib/plugins/crowdsec/utils.lua b/lib/plugins/crowdsec/utils.lua index a0ee333..0665c4c 100644 --- a/lib/plugins/crowdsec/utils.lua +++ b/lib/plugins/crowdsec/utils.lua @@ -20,7 +20,7 @@ function M.read_file(path) local file = io.open(path, "r") -- r read mode and b binary mode if not file then return nil end io.input(file) - content = io.read("*a") + local content = io.read("*a") io.close(file) return content end