wafris 0.5.4 → 0.6.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/lib/lua/dist/wafris_core.lua +4 -10
- data/lib/wafris/middleware.rb +17 -0
- data/lib/wafris/version.rb +1 -1
- data/lib/wafris.rb +2 -18
- metadata +2 -2
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 283b178e632194aa6ff2e0aaaa5e3eca428cacb17a6383a8aa3b57d005c5a316
|
|
4
|
+
data.tar.gz: 9ce784b1e57629d072ccc9da4c9e8ec81916dbdcf03c3138e004777e498db4d4
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 32df667c3fa70c28fb2ea9b298c05ca2542f38d2c6ecee45208e1de6df518c33e6252cce179f2d9a65759fd60093c06909b3aef65068f926405daa07722d6ee8
|
|
7
|
+
data.tar.gz: 46722bd780d683360be5382f7b9729067cc1624e12d602caba624629ebb9b88e7e454e23e3231aef98a63087d2824fded586088cbf0d5a6ceff4203fbe0c0385
|
|
@@ -74,10 +74,9 @@ local client_ip = ARGV[1]
|
|
|
74
74
|
local client_ip_to_decimal = ARGV[2]
|
|
75
75
|
local unix_time_milliseconds = ARGV[3]
|
|
76
76
|
local unix_time = ARGV[3] / 1000
|
|
77
|
-
local
|
|
78
|
-
local
|
|
79
|
-
local
|
|
80
|
-
local host = ARGV[7]
|
|
77
|
+
local user_agent = ARGV[4]
|
|
78
|
+
local request_path = ARGV[5]
|
|
79
|
+
local host = ARGV[6]
|
|
81
80
|
|
|
82
81
|
-- Initialize local variables
|
|
83
82
|
local request_id = get_request_id(nil, client_ip, max_requests)
|
|
@@ -89,16 +88,11 @@ add_to_HLL_request_count(current_timebucket, request_id)
|
|
|
89
88
|
-- LEADERBOARD DATA COLLECTION
|
|
90
89
|
-- TODO: breaking change will to switch to client_ip: prefix
|
|
91
90
|
increment_timebucket_for(nil, current_timebucket, client_ip)
|
|
92
|
-
if proxy_ip ~= nil and proxy_ip ~= "" then
|
|
93
|
-
increment_timebucket_for("proxy_ip:", current_timebucket, proxy_ip)
|
|
94
|
-
end
|
|
95
91
|
increment_timebucket_for("user_agent:", current_timebucket, user_agent)
|
|
96
92
|
increment_timebucket_for("request_path:", current_timebucket, request_path)
|
|
97
93
|
increment_timebucket_for("host:", current_timebucket, host)
|
|
98
94
|
|
|
99
|
-
|
|
100
|
-
|
|
101
|
-
redis.breakpoint()
|
|
95
|
+
redis.call("ZRANGEBYSCORE", "blocked_ranges", client_ip_to_decimal, client_ip_to_decimal, "LIMIT", 0, 1)
|
|
102
96
|
|
|
103
97
|
-- BLOCKING LOGIC
|
|
104
98
|
-- TODO: ZRANGEBYSCORE is deprecated in Redis 6.2+. Replace with ZRANGE
|
data/lib/wafris/middleware.rb
CHANGED
|
@@ -7,6 +7,23 @@ module Wafris
|
|
|
7
7
|
end
|
|
8
8
|
|
|
9
9
|
def call(env)
|
|
10
|
+
user_defined_proxies = ENV['MY_PROXIES'].split(',') if ENV['MY_PROXIES']
|
|
11
|
+
|
|
12
|
+
valid_ipv4_octet = /\.(25[0-5]|2[0-4][0-9]|[01]?[0-9]?[0-9])/
|
|
13
|
+
|
|
14
|
+
trusted_proxies = Regexp.union(
|
|
15
|
+
/\A127#{valid_ipv4_octet}{3}\z/, # localhost IPv4 range 127.x.x.x, per RFC-3330
|
|
16
|
+
/\A::1\z/, # localhost IPv6 ::1
|
|
17
|
+
/\Af[cd][0-9a-f]{2}(?::[0-9a-f]{0,4}){0,7}\z/i, # private IPv6 range fc00 .. fdff
|
|
18
|
+
/\A10#{valid_ipv4_octet}{3}\z/, # private IPv4 range 10.x.x.x
|
|
19
|
+
/\A172\.(1[6-9]|2[0-9]|3[01])#{valid_ipv4_octet}{2}\z/, # private IPv4 range 172.16.0.0 .. 172.31.255.255
|
|
20
|
+
/\A192\.168#{valid_ipv4_octet}{2}\z/, # private IPv4 range 192.168.x.x
|
|
21
|
+
/\Alocalhost\z|\Aunix(\z|:)/i, # localhost hostname, and unix domain sockets
|
|
22
|
+
*user_defined_proxies
|
|
23
|
+
)
|
|
24
|
+
|
|
25
|
+
Rack::Request.ip_filter = lambda { |ip| trusted_proxies.match?(ip) }
|
|
26
|
+
|
|
10
27
|
request = Rack::Request.new(env)
|
|
11
28
|
|
|
12
29
|
if Wafris.configuration.enabled? && Wafris.allow_request?(request)
|
data/lib/wafris/version.rb
CHANGED
data/lib/wafris.rb
CHANGED
|
@@ -33,15 +33,13 @@ module Wafris
|
|
|
33
33
|
configuration.connection_pool.with do |conn|
|
|
34
34
|
time = Time.now.to_f * 1000
|
|
35
35
|
puts "WAF LOG: headers with http-x-forwarded-for key #{request.get_header(Rack::Request::HTTP_X_FORWARDED_FOR)}"
|
|
36
|
-
puts "WAF LOG: Client IP #{
|
|
37
|
-
puts "WAF LOG: Proxy IP #{proxy_ip(request)}"
|
|
36
|
+
puts "WAF LOG: Client IP #{request.ip}"
|
|
38
37
|
status = conn.evalsha(
|
|
39
38
|
configuration.core_sha,
|
|
40
39
|
argv: [
|
|
41
|
-
|
|
40
|
+
request.ip,
|
|
42
41
|
IPAddr.new(request.ip).to_i,
|
|
43
42
|
time.to_i,
|
|
44
|
-
proxy_ip(request),
|
|
45
43
|
request.user_agent,
|
|
46
44
|
request.path,
|
|
47
45
|
request.host
|
|
@@ -55,19 +53,5 @@ module Wafris
|
|
|
55
53
|
end
|
|
56
54
|
end
|
|
57
55
|
end
|
|
58
|
-
|
|
59
|
-
private
|
|
60
|
-
|
|
61
|
-
def client_ip(request)
|
|
62
|
-
return request.ip if request.get_header(Rack::Request::HTTP_X_FORWARDED_FOR).eql?(request.ip)
|
|
63
|
-
|
|
64
|
-
request.get_header(Rack::Request::HTTP_X_FORWARDED_FOR).split(',').first
|
|
65
|
-
end
|
|
66
|
-
|
|
67
|
-
def proxy_ip(request)
|
|
68
|
-
return nil if request.get_header(Rack::Request::HTTP_X_FORWARDED_FOR).eql?(request.ip)
|
|
69
|
-
|
|
70
|
-
request.get_header(Rack::Request::HTTP_X_FORWARDED_FOR).split(',').last
|
|
71
|
-
end
|
|
72
56
|
end
|
|
73
57
|
end
|
metadata
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: wafris
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.
|
|
4
|
+
version: 0.6.0
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Micahel Buckbee
|
|
@@ -9,7 +9,7 @@ authors:
|
|
|
9
9
|
autorequire:
|
|
10
10
|
bindir: bin
|
|
11
11
|
cert_chain: []
|
|
12
|
-
date: 2023-06-
|
|
12
|
+
date: 2023-06-20 00:00:00.000000000 Z
|
|
13
13
|
dependencies:
|
|
14
14
|
- !ruby/object:Gem::Dependency
|
|
15
15
|
name: connection_pool
|