Config.lua configuration file reference

October 19, 2016
Config.lua configuration

```lua
-- HttpGuard installation directory; change it to the actual installation directory.
-- It must end in "/", because every path below is built as baseDir.."...".
baseDir = '/data/www/waf/'

local Config = {
    -- Whether keys are generated dynamically. Options: "static" or "dynamic".
    -- With "dynamic" none of the keySecret values below need to be changed.
    -- With "static" you must replace every keySecret (and captchaKey) by hand,
    -- because the values shipped here are public.
    keyDefine = "dynamic",

    -- Passive defence: request-rate limiting module. It counts requests per client
    -- over a time window. Recommended to keep enabled at all times.
    -- state: module status, "On" or "Off".
    -- maxReqs, amongTime: at most maxReqs requests are allowed within amongTime seconds;
    --   the default allows 50 requests in 10 s.
    -- urlProtect: file of regular expressions selecting the URLs whose requests are
    --   counted. The default pattern is .php$, i.e. only PHP requests are limited.
    --   That pattern only works with urlMatchMode = "uri": with "requestUri" the query
    --   string follows the path, so the $ anchor no longer matches.
    limitReqModules = { state = "On", maxReqs = 50, amongTime = 10, urlProtect = baseDir.."url-protect/limit.txt" },

    -- Active defence: 302 redirect module. Relies on CC attack tools not parsing response
    -- headers to tell real browsers from bots. Enable when needed.
    -- state: "On" or "Off".
    -- verifyMaxFail, amongTime: the module answers with a 302 whose Location carries
    --   cckey and keyexpire. A visitor that fails to follow the redirect more than
    --   verifyMaxFail times within amongTime seconds is blacklisted. Default 5 times.
    -- keySecret: secret used to generate the token; needs no change when keyDefine is "dynamic".
    -- urlProtect: same meaning as in limitReqModules.
    redirectModules = { state = "Off", verifyMaxFail = 5, keySecret = 'yK48J276hg', amongTime = 60, urlProtect = baseDir.."url-protect/302.txt" },

    -- Active defence: JavaScript redirect module. Relies on CC attack tools not executing
    -- the JS redirect sent in the response body. Enable when needed.
    -- state, verifyMaxFail, amongTime, keySecret, urlProtect: as for redirectModules.
    JsJumpModules = { state = "Off", verifyMaxFail = 5, keySecret = 'QSjL6p38h9', amongTime = 60, urlProtect = baseDir.."url-protect/js.txt" },

    -- Active defence: cookie verification module. Sends the visitor a cookie and waits for
    -- it to be returned; CC tools that do not support cookies fail. Enable when needed.
    -- state, verifyMaxFail, amongTime, keySecret, urlProtect: as for redirectModules.
    cookieModules = { state = "Off", verifyMaxFail = 5, keySecret = 'bGMfY2D5t3', amongTime = 60, urlProtect = baseDir.."url-protect/cookie.txt" },

    -- Automatic activation of active defence, driven by the number of connections to
    -- protectPort exceeding maxConnection.
    -- state: "On" or "Off".
    -- interval: the connection count is checked every interval seconds (default 30).
    -- protectPort, maxConnection, exceedTimes, normalTimes: while the module named in
    --   enableModule is off, it is switched on once the connection count on protectPort
    --   exceeds maxConnection for exceedTimes consecutive checks; while it is on, it is
    --   switched off once the count stays below maxConnection for normalTimes consecutive checks.
    -- ssCommand: the ss command is used to count connections on protectPort (it is much
    --   faster than netstat); set it to the path of ss on your system.
    -- enableModule: the module switched on automatically; one of redirectModules,
    --   JsJumpModules, cookieModules.
    autoEnable = { state = "Off", protectPort = "80", interval = 30, normalTimes = 3, exceedTimes = 2, maxConnection = 500, ssCommand = "/usr/sbin/ss", enableModule = "redirectModules" },

    -- Key used to generate the token after a captcha is solved; needs no change when
    -- keyDefine is "dynamic".
    captchaKey = "K4QEaHjwyF",

    -- Action taken for a blacklisted IP. Options: captcha, forbidden, iptables.
    -- captcha: the IP is shown a captcha page and may continue once it enters the correct code.
    -- forbidden: the server closes the connection directly.
    -- iptables: HttpGuard blocks the IP with iptables. This requires giving the nginx
    --   worker user a password and a sudo rule for iptables. Assuming the nginx user is www:
    --   1. set a password for www:  passwd www
    --   2. as root run visudo and add:
    --        www ALL=(root) /sbin/iptables -I INPUT -p tcp -s [0-9.]* --dport 80 -j DROP
    --   3. as root run visudo, find the "Defaults requiretty" line and comment it out as
    --      "#Defaults requiretty" (if the line is absent nothing needs changing).
    --   Note that this rule lets anyone running as www drop traffic from any source address,
    --   and that the password is stored in clear text in sudoPass below, so keep config.lua
    --   readable only by root and the nginx user.
    blockAction = "captcha",

    -- sudo password of the nginx user; required only when blockAction is "iptables".
    sudoPass = '',

    -- How long (seconds) HttpGuard keeps a blacklisted IP blocked.
    blockTime = 600,

    -- How long (seconds) an IP stays whitelisted after passing redirectModules,
    -- JsJumpModules or cookieModules verification.
    whiteTime = 600,

    -- Lifetime (seconds) of the key used to generate tokens.
    keyExpire = 600,

    -- Which URL the url-protect patterns are matched against. Options: requestUri, uri.
    -- requestUri: the address as originally requested by the browser, not decoded,
    --   including the query string.
    -- uri: the address after nginx rewriting, decoded, without the query string.
    urlMatchMode = "uri",

    -- Path of the captcha page; normally left unchanged.
    captchaPage = baseDir.."html/captcha.html",

    -- Path of the page shown when the captcha is entered incorrectly; normally left unchanged.
    reCaptchaPage = baseDir.."html/reCatchaPage.html",

    -- Whitelisted IPs: a file of regular expressions, one per line.
    whiteIpModules = { state = "Off", ipList = baseDir.."url-protect/white_ip_list.txt" },

    -- Take the client IP from a request header such as x-forwarded-for when HttpGuard
    -- sits behind a proxy. Only active when state is "On". Enable it only when a trusted
    -- proxy sets that header, because a client that can set it itself can evade blocks
    -- or get another address blacklisted.
    realIpFromHeader = { state = "Off", header = "x-forwarded-for" },

    -- Directory of captcha images; normally left unchanged.
    captchaDir = baseDir.."captcha/",

    -- Whether to write the debug log.
    debug = false,

    -- Log directory; normally left unchanged, but it must be owned by the nginx user
    -- (if that user is www: chown www logs).
    logPath = baseDir.."logs/",
}
return Config
```
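The comments above list several settings that fail silently when they are wrong: a baseDir without a trailing slash breaks every derived path, a keySecret left at its shipped value with keyDefine = "static" lets anyone who has read this page mint valid tokens, a $-anchored pattern in a url-protect file never matches under urlMatchMode = "requestUri", and blockAction = "iptables" does nothing without sudoPass. The pre-flight checker below is an added example, not part of HttpGuard. It assumes config.lua sets the global baseDir and returns the Config table exactly as shown above, and that it is run on the server with a plain lua or luajit interpreter.

```lua
-- check_config.lua: pre-flight checks for an HttpGuard config.lua before `nginx -s reload`.
-- Added example, not part of HttpGuard. Assumes the file sets the global baseDir and
-- returns the Config table, as the reference above does.
-- Usage (on the server, as the nginx user so the logPath check is meaningful):
--   lua check_config.lua /data/www/waf/config.lua
local path = arg and arg[1] or "config.lua"
local ok, cfg = pcall(dofile, path)
if not ok or type(cfg) ~= "table" then
  io.stderr:write("cannot load " .. path .. ": " .. tostring(cfg) .. "\n")
  os.exit(2)
end

local problems = {}
local function fail(fmt, ...) problems[#problems + 1] = string.format(fmt, ...) end

local function readable(p)
  if type(p) ~= "string" then return false end
  local f = io.open(p, "r")
  if not f then return false end
  f:close()
  return true
end

-- Non-blank lines of a url-protect pattern file, or nil when it cannot be opened.
local function patterns(p)
  if not readable(p) then return nil end
  local out = {}
  for line in io.lines(p) do
    if line:match("%S") then out[#out + 1] = line end
  end
  return out
end

local ONOFF = { On = true, Off = true }
-- Secrets printed in the shipped config (and on this page) are public knowledge.
local shipped = { yK48J276hg = true, QSjL6p38h9 = true, bGMfY2D5t3 = true, K4QEaHjwyF = true }

-- Every other path is built as baseDir.."...", so a missing trailing slash breaks all of them.
if type(baseDir) ~= "string" or baseDir:sub(1, 1) ~= "/" or baseDir:sub(-1) ~= "/" then
  fail("baseDir must be an absolute directory ending in '/', got %s", tostring(baseDir))
end
if cfg.keyDefine ~= "static" and cfg.keyDefine ~= "dynamic" then
  fail("keyDefine must be 'static' or 'dynamic'")
end
if cfg.urlMatchMode ~= "uri" and cfg.urlMatchMode ~= "requestUri" then
  fail("urlMatchMode must be 'uri' or 'requestUri'")
end

for _, name in ipairs({ "limitReqModules", "redirectModules", "JsJumpModules", "cookieModules" }) do
  local m = cfg[name]
  if type(m) ~= "table" then
    fail("%s is missing", name)
  else
    if not ONOFF[m.state] then fail("%s.state must be 'On' or 'Off'", name) end
    if type(m.amongTime) ~= "number" or m.amongTime <= 0 then fail("%s.amongTime must be > 0", name) end
    local pats = patterns(m.urlProtect)
    if not pats then
      fail("%s.urlProtect %s is not readable", name, tostring(m.urlProtect))
    elseif #pats == 0 then
      fail("%s.urlProtect %s holds no patterns, so the module protects nothing", name, m.urlProtect)
    elseif cfg.urlMatchMode == "requestUri" then
      -- With requestUri the query string is part of the matched text, so a $-anchored
      -- pattern such as the shipped .php$ never matches /index.php?id=1.
      for _, p in ipairs(pats) do
        if p:match("%$%s*$") then
          fail("%s.urlProtect pattern %q is $-anchored but urlMatchMode is requestUri", name, p)
        end
      end
    end
    -- With keyDefine = "static" the keySecret is the whole token secret; a public one lets
    -- an attacker mint valid tokens and skip the redirect, JS and cookie challenges.
    if cfg.keyDefine == "static" and shipped[m.keySecret] then
      fail("%s.keySecret is the shipped default; change it when keyDefine = 'static'", name)
    end
  end
end
if cfg.keyDefine == "static" and shipped[cfg.captchaKey] then
  fail("captchaKey is the shipped default; change it when keyDefine = 'static'")
end

local a = cfg.autoEnable
if type(a) ~= "table" or not ONOFF[a.state] then
  fail("autoEnable.state must be 'On' or 'Off'")
elseif a.state == "On" then
  local targets = { redirectModules = true, JsJumpModules = true, cookieModules = true }
  if not targets[a.enableModule] then fail("autoEnable.enableModule must name an active defence module") end
  if not readable(a.ssCommand) then fail("autoEnable.ssCommand %s not found", tostring(a.ssCommand)) end
  for _, k in ipairs({ "interval", "normalTimes", "exceedTimes", "maxConnection" }) do
    if type(a[k]) ~= "number" or a[k] < 1 then fail("autoEnable.%s must be a number >= 1", k) end
  end
end

local actions = { captcha = true, forbidden = true, iptables = true }
if not actions[cfg.blockAction] then fail("blockAction must be captcha, forbidden or iptables") end
if cfg.blockAction == "iptables" and (cfg.sudoPass == nil or cfg.sudoPass == "") then
  fail("blockAction = 'iptables' needs sudoPass set to the nginx user's sudo password")
end
for _, k in ipairs({ "blockTime", "whiteTime", "keyExpire" }) do
  if type(cfg[k]) ~= "number" or cfg[k] <= 0 then fail("%s must be a positive number of seconds", k) end
end

-- HttpGuard writes its logs as the nginx worker user; probe logPath with a throw-away file.
local probe = type(cfg.logPath) == "string" and cfg.logPath .. ".check_config.tmp"
local f = probe and io.open(probe, "w")
if f then f:close() os.remove(probe) else fail("logPath %s is not writable", tostring(cfg.logPath)) end

if #problems == 0 then print("config.lua looks sane") os.exit(0) end
for _, p in ipairs(problems) do print("PROBLEM: " .. p) end
os.exit(1)
```

Run it as the nginx worker user rather than root: the logPath and ssCommand checks then reflect the permissions HttpGuard will actually have. A non-zero exit code makes it easy to wire into whatever deploy step reloads nginx.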

Gcod