Handy, high-performance, ModSecurity-compatible Nginx firewall module
The directive waf can be set to bypass, in which case no request is intercepted, but ngx_waf still runs detection and writes its logs.
The directive waf_verify_bot has a new parameter SogouSpider, which verifies whether a client claiming to be a Sogou crawler really is one.
Fixed: garbage collection was not running. This did not leak memory, but memory usage stayed high and performance suffered.
Fixed: the friendly-crawler verification sometimes printed the [FAKE-BOT] interception log incorrectly.
Fixed: all parameters of the directive waf_mode that correspond to request methods had no effect.
New directive waf_zone, which declares a block of shared memory for other directives to use, such as waf_cc_deny.
New directive waf_action, which sets the action taken after a request is intercepted, such as returning a specific status code or challenging the client with a CAPTCHA.
New directive waf_block_page, which sets the block page: when a request is blocked, the specified HTML file is returned.
New embedded variable $waf_rate, the number of requests from the current client IP within one counting period. The period is set by the parameter rate of the directive waf_cc_deny, or by the parameter duration once the IP has been blacklisted.
The directive waf_captcha has a new parameter max_fails, which sets the maximum number of failed CAPTCHA attempts and how long the client is blocked once that number is exceeded.
The directive waf_captcha has a new parameter zone, which names a block of shared memory; it must be set if and only if max_fails is set.
The directive waf_captcha has a new parameter sitekey, which must be set if and only if the parameter file is omitted.
When nginx is reloaded, the module keeps as much of the shared memory as possible instead of clearing it, for example the statistics and the blacklist used by CC protection.
The directive waf_http_status has been removed; its functionality has been merged into the directive waf_action.
The parameter size of the directive waf_cc_deny has been removed; use zone instead.
The parameter file of the directive waf_under_attack may now be omitted; the built-in file assets/under_attack.html is then used.
The parameter file of the directive waf_captcha may now be omitted; a built-in file from the directory assets/ is then chosen according to the value of the parameter prov.
More debug logs.
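A worked configuration that exercises the directives from the entries above: bypass mode and SogouSpider verification from the earlier entry, plus waf_zone, waf_cc_deny, waf_action, waf_captcha with max_fails/zone/sitekey, waf_block_page, waf_under_attack and the $waf_rate variable. This is an added illustration written for this page, not configuration taken from the ngx_waf project or its documentation. The directive and parameter names are the ones the entries above name; the exact argument forms (the name=/size= arguments of waf_zone, the zone:tag notation, the count:time form of max_fails, the bot names of waf_verify_bot, the file paths and the placeholder CAPTCHA keys) are assumptions and must be checked against the documentation of the version you deploy.

```nginx
# Added example, not configuration from the ngx_waf project. Every argument
# form marked "assumed" is inferred from the changelog wording; verify it
# against the documentation of the version you run (nginx -t will reject a
# wrong form at startup, which is the cheap place to find out).
http {
    # One shared-memory block for CC counters, CAPTCHA fail counters and
    # action state. Keep name and size stable across reloads: nginx reuses a
    # shared zone whose name and size are unchanged, which is what lets the
    # module keep CC statistics and the blacklist across a reload.
    # (name=/size= form assumed)
    waf_zone name=waf size=20m;

    # $waf_rate: request count of the client IP inside the current rate
    # window, or inside the blacklist duration once the IP is blacklisted.
    log_format waf_rate '$remote_addr rate=$waf_rate "$request" $status';

    server {
        listen 80;
        access_log /var/log/nginx/waf_rate.log waf_rate;

        # Staged rollout: "waf bypass;" runs detection and logging but blocks
        # nothing, so the site is unprotected. Use it only to hunt for false
        # positives in the log, then switch to "on".
        waf on;

        # Verify self-declared crawlers instead of trusting the User-Agent.
        # (bot names assumed; SogouSpider is the one the entry above adds)
        waf_verify_bot on GoogleBot BingBot BaiduSpider YandexBot SogouSpider;

        # Per-IP rate limit. "size=" is gone; the counters live in the zone.
        # "waf:cc" = zone name plus a tag for this directive (notation assumed).
        waf_cc_deny rate=1000r/m duration=1h zone=waf:cc;

        # What happens on interception (replaces waf_http_status): rate-limited
        # clients get a CAPTCHA challenge, blacklist hits get a plain 403.
        # (parameter names and zone:tag argument assumed)
        waf_action general=403 cc_deny=CAPTCHA blacklist=403 zone=waf:action;

        # file= is omitted, so the built-in assets/ page for prov= is used and
        # sitekey= is therefore mandatory. max_fails bounds brute-forcing of the
        # challenge (3 failures, then blocked for 10 minutes; "3:10m" assumed)
        # and so requires zone=. The sitekey is public; secret= is the
        # server-side provider secret and must not be committed to a repo.
        waf_captcha on prov=hCaptcha sitekey=HCAPTCHA_SITEKEY_PLACEHOLDER
                    secret=HCAPTCHA_SECRET_PLACEHOLDER
                    max_fails=3:10m zone=waf:captcha;

        # Custom HTML returned for blocked requests (path assumed).
        waf_block_page /etc/nginx/waf/blocked.html;

        # file= may be omitted here too; assets/under_attack.html is then used.
        waf_under_attack on;

        location / {
            proxy_pass http://127.0.0.1:8080;
        }
    }
}
```

One waf_zone is enough for all three consumers because each directive addresses it with its own tag; size it for the number of distinct client IPs you expect inside the rate window, since the counters behind $waf_rate live there. Remember that in bypass mode waf_action and waf_captcha never fire: detections are logged, nothing is challenged or blocked.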
By chance I came across a test suite, test-nginx. It looked great, so I wrote a lot of test cases and tested with it. Unfortunately I found a lot of bugs. Very wise of me.
Removed useless debug logs.
More debug logs.
Fixed: sometimes the connection was closed prematurely.
Fixed: when CAPTCHA was enabled, request body inspection could produce wrong results.
Fixed: CAPTCHA could fail because of HTTP caching.
Fixed: memory leak when reloading nginx.
Fixed: the directive waf_cache was not merged correctly from the enclosing configuration block.
Fixed: the directive waf_cc_deny was not merged correctly from the enclosing configuration block.
Fixed: the Referer blacklist was not inherited from the enclosing configuration block.
Fixed: some incorrect directive syntax was not detected and rejected properly.
Fixed a default URL blacklist rule.
Fixed the following files so that the page refreshes automatically after the CAPTCHA is completed:
assets/hCaptcha.html
assets/reCAPTCHAv2_Checkbox.html
assets/reCAPTCHAv2_Invisible.html
assets/reCAPTCHAv3.html