Config.lua configuration file reference

October 19, 2016

--HttpGuard installation directory; change it to the directory where HttpGuard is actually installed.
baseDir = '/data/www/waf/'

local Config = {
    --Whether the key is static or generated dynamically; optional values are "static" or "dynamic".
    --With "dynamic", none of the keySecret values below need to be changed; with "static", change every keySecret below by hand.
    keyDefine = "dynamic",

    --Passive defense: request-limiting module. It counts the requests made within a time window; it is recommended to keep it on.
    --state: whether this module is on or off; optional values are "On" or "Off".
    --maxReqs, amongTime: at most maxReqs requests are allowed within amongTime seconds; by default at most 50 requests in 10 seconds.
    --urlProtect: file of URL regular expressions to which the request limit applies. The default \.php$ means only PHP requests are limited (this rule works as written when urlMatchMode = "uri").
    limitReqModules = { state = "On", maxReqs = 50, amongTime = 10, urlProtect = baseDir.."url-protect/limit.txt" },

    --Active defense: 302 redirect module. CC attack tools do not parse response headers, which is what separates them from a normal browser; it is recommended to turn it on when needed.
    --state: whether this module is on or off; optional values are "On" or "Off".
    --verifyMaxFail, amongTime: this module sends a 302 response header carrying cckey and keyExpiration. A visitor that fails to follow the URL in the 302 response header more than verifyMaxFail times within amongTime seconds is added to the blacklist; the default is 5 times.
    --keySecret: the secret used to generate the token; it does not need to be changed when keyDefine above is "dynamic".
    --urlProtect: same meaning as urlProtect in limitReqModules.
    redirectModules = { state = "Off", verifyMaxFail = 5, keySecret = 'yK48J276hg', amongTime = 60, urlProtect = baseDir.."url-protect/302.txt" },

    --Active defense: JS redirect module. CC attack tools cannot evaluate the JS redirect, which is what separates them from a normal browser; it is recommended to turn it on when needed.
    --state: whether this module is on or off; optional values are "On" or "Off".
    --verifyMaxFail, amongTime: this module sends a response body containing JS redirect code. A visitor that fails to follow the URL in the JS redirect more than verifyMaxFail times within amongTime seconds is added to the blacklist; the default is 5 times.
    --keySecret: the secret used to generate the token; it does not need to be changed when keyDefine above is "dynamic".
    --urlProtect: same meaning as urlProtect in limitReqModules.
    JsJumpModules = { state = "Off", verifyMaxFail = 5, keySecret = 'QSjL6p38h9', amongTime = 60, urlProtect = baseDir.."url-protect/js.txt" },

    --Active defense: cookie verification module. It sends a cookie to the visitor and then waits for the visitor to return the correct cookie; CC attack tools do not support cookies, which is how a CC attack is identified. It is recommended to turn it on when needed.
    --state: whether this module is on or off; optional values are "On" or "Off".
    --verifyMaxFail, amongTime: this module sends a cookie. A visitor that fails to return the correct cookie more than verifyMaxFail times within amongTime seconds is added to the blacklist; the default is 5 times.
    --keySecret: the secret used to generate the token; it does not need to be changed when keyDefine above is "dynamic".
    --urlProtect: same meaning as urlProtect in limitReqModules.
    cookieModules = { state = "Off", verifyMaxFail = 5, keySecret = 'bGMfY2D5t3', amongTime = 60, urlProtect = baseDir.."url-protect/cookie.txt" },

    --Automatically turn on active defense. The principle is to check whether the number of connections on protectPort exceeds maxConnection.
    --state: whether this module is on or off; optional values are "On" or "Off".
    --interval: check the connection count every interval seconds; the default is 30 seconds.
    --protectPort, maxConnection, normalTimes, exceedTimes: while the module named in enableModule is off, once the connection count on protectPort exceeds maxConnection for exceedTimes consecutive checks, that module is turned on;
    --while the module named in enableModule is on, once the connection count on protectPort stays below maxConnection for normalTimes consecutive checks, that module is turned off.
    --ssCommand: the ss command is used to count the connections on the given port; ss is much faster than the similar netstat command. Change this to the path of ss on your own system.
    --enableModule: which active defense module to start automatically; optional values are redirectModules, JsJumpModules, cookieModules.
    autoEnable = { state = "Off", protectPort = "80", interval = 30, normalTimes = 3, exceedTimes = 2, maxConnection = 500, ssCommand = "/usr/sbin/ss", enableModule = "redirectModules" },

    --Secret used to generate the key when a submitted captcha is verified; it does not need to be changed when keyDefine above is "dynamic".
    captchaKey = "k4qeahjwyf",

    --Action taken against an IP on the blacklist; optional values are captcha, forbidden, iptables.
    --captcha: after being blacklisted, the IP is sent to the captcha page and may continue visiting the site only after entering the correct captcha.
    --forbidden: after being blacklisted, the server drops the IP's connections directly.
    --iptables: HttpGuard blocks the IP's connections with iptables. For this, the user nginx runs as needs a password and a sudo entry so that the iptables command can be executed. Assuming nginx runs as www, the setup is:
    --1. Set a password for www: passwd www
    --2. As root, run visudo and add the line: www ALL=(root) /sbin/iptables -I INPUT -p tcp -s [0-9.]* --dport 80 -j DROP
    --3. As root, run visudo, find Defaults requiretty and comment it out, i.e. change it to #Defaults requiretty. If that line is not found, nothing needs to change.
    blockAction = "captcha",

    --sudo password of the user nginx runs as. It must be set when blockAction is iptables; otherwise sudoPass is not needed.
    sudoPass = "",

    --How long, in seconds, HttpGuard blocks an IP.
    blockTime = 600,

    --How long, in seconds, an IP stays on the whitelist after passing the verification of JsJumpModules, redirectModules or cookieModules.
    whiteTime = 600,

    --Expiration time, in seconds, of the key used to generate the token.
    keyExpiration = 600,

    --URL matching mode; optional values are "requestUri" and "uri".
    --With "requestUri", the regular expressions in the url-protect directory are matched against the address originally requested by the browser, before URL decoding.
    --With "uri", the regular expressions in the url-protect directory are matched against the rewritten address without query parameters, after URL decoding.
    urlMatchMode = "uri",

    --Path of the captcha page; normally it does not need to be changed.
    captchaPage = baseDir.."html/captcha.html",

    --Normally it does not need to be changed.
    reCaptchaPage = baseDir.."html/reCaptchaPage.html",

    --Whitelisted IP file; the file contains regular expressions.
    whiteIpModules = { state = "Off", ipList = baseDir.."url-protect/white_ip_list.txt" },

    --Set this when the real IP has to be taken from a request header such as x-forwarded-for; the setting only takes effect when state is "On".
    realIpFromHeader = { state = "Off", header = "x-forwarded-for" },

    --Captcha image directory; normally it does not need to be changed.
    captchaDir = baseDir.."captcha/",

    --Whether to enable the debug log.
    debug = false,

    --Log directory; it does not need to be changed, but the logs directory must be owned by the user nginx runs as. If nginx runs as www, the command is: chown www logs
    logPath = baseDir.."logs/",
}
return Config
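A pre-deployment sanity check is the first thing a practitioner wants for a file like this, because several of the comments above describe combinations that silently weaken the setup: keyDefine = "static" with the shipped keySecret values left in place, blockAction = "iptables" with an empty sudoPass, or an urlProtect file that does not exist. The following is an added example, not part of HttpGuard; it loads a constructed Config table (with those mistakes deliberately left in) and reports every rule from the comments that it violates. The function name checkConfig and the shipped-secret table are assumptions of this example.

```lua
-- Added example (not HttpGuard code): check a Config table against the
-- rules stated in the config.lua comments. Run with: lua check_config.lua
-- Secrets shipped in the default config.lua are public; with keyDefine = "static"
-- they must be replaced, otherwise tokens are derived from a known value.
local shippedSecrets = {
    redirectModules = "yK48J276hg",
    JsJumpModules   = "QSjL6p38h9",
    cookieModules   = "bGMfY2D5t3",
}

local function checkConfig(cfg)
    local findings = {}
    local function report(msg) findings[#findings + 1] = msg end
    local onOff = { On = true, Off = true }

    -- Every module table must carry a valid state; urlProtect files must be readable.
    for _, name in ipairs({ "limitReqModules", "redirectModules", "JsJumpModules",
                            "cookieModules", "autoEnable", "whiteIpModules", "realIpFromHeader" }) do
        local m = cfg[name]
        if type(m) ~= "table" then
            report(name .. ": table is missing")
        else
            if not onOff[m.state] then report(name .. '.state must be "On" or "Off"') end
            if m.urlProtect then
                local f = io.open(m.urlProtect, "r")
                if f then f:close() else report(name .. ".urlProtect is not readable: " .. m.urlProtect) end
            end
        end
    end

    -- keyDefine: dynamic keys need no secrets; static keys must not be the shipped ones.
    if cfg.keyDefine == "static" then
        for name, secret in pairs(shippedSecrets) do
            if cfg[name] and cfg[name].keySecret == secret then
                report(name .. ".keySecret is still the shipped default while keyDefine is static")
            end
        end
    elseif cfg.keyDefine ~= "dynamic" then
        report('keyDefine must be "static" or "dynamic"')
    end

    -- blockAction: only three values are valid, and iptables needs sudoPass.
    local actions = { captcha = true, forbidden = true, iptables = true }
    if not actions[cfg.blockAction] then report("blockAction has an unknown value") end
    if cfg.blockAction == "iptables" and (cfg.sudoPass == nil or cfg.sudoPass == "") then
        report("blockAction is iptables but sudoPass is empty")
    end

    -- autoEnable must point at an active-defense module that exists.
    local ae = cfg.autoEnable
    if type(ae) == "table" and type(cfg[ae.enableModule]) ~= "table" then
        report("autoEnable.enableModule names an unknown module: " .. tostring(ae.enableModule))
    end

    local modes = { requestUri = true, uri = true }
    if not modes[cfg.urlMatchMode] then report('urlMatchMode must be "requestUri" or "uri"') end
    return findings
end

-- Constructed sample config with several of the mistakes above left in.
local sample = {
    keyDefine = "static",
    limitReqModules  = { state = "On",  maxReqs = 50, amongTime = 10, urlProtect = "/nonexistent/limit.txt" },
    redirectModules  = { state = "Off", verifyMaxFail = 5, keySecret = "yK48J276hg", amongTime = 60 },
    JsJumpModules    = { state = "Off", verifyMaxFail = 5, keySecret = "changed-by-admin", amongTime = 60 },
    cookieModules    = { state = "off", verifyMaxFail = 5, keySecret = "bGMfY2D5t3", amongTime = 60 },
    autoEnable       = { state = "On", enableModule = "cookieModule" },
    whiteIpModules   = { state = "Off" },
    realIpFromHeader = { state = "Off", header = "x-forwarded-for" },
    blockAction = "iptables",
    sudoPass = "",
    urlMatchMode = "uri",
}

for _, msg in ipairs(checkConfig(sample)) do
    print("config problem: " .. msg)
end
```

The check reads files with io.open rather than parsing them, so it can run from any host that has the Lua interpreter; integrating it into an OpenResty init phase would only require replacing print with ngx.log.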
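The autoEnable block above uses two counters of consecutive checks, exceedTimes and normalTimes, which is easy to misread as a single threshold. The following added example (not HttpGuard code) simulates that decision loop in plain Lua: each call to tick represents one timer run every interval seconds, the connection counts are a constructed sequence instead of the output of ssCommand, and the function and variable names are this example's own.

```lua
-- Added example (not HttpGuard code): simulate the autoEnable state machine
-- described in config.lua. Run with: lua auto_enable_sim.lua
local autoEnable = {
    state = "On", protectPort = "80", interval = 30,
    normalTimes = 3, exceedTimes = 2, maxConnection = 500,
    enableModule = "redirectModules",
}

-- The module table the loop toggles; active defense starts off.
local modules = { redirectModules = { state = "Off" } }

-- Runs of consecutive checks above / below maxConnection. A check in one
-- direction resets the counter of the other, so a single dip in traffic
-- does not turn the module off and a single spike does not turn it on.
local exceedCount, normalCount = 0, 0

-- One timer run. In HttpGuard the count would come from ssCommand on
-- protectPort; here it is passed in. Returns the module state afterwards.
local function tick(connections)
    local target = modules[autoEnable.enableModule]
    if connections > autoEnable.maxConnection then
        exceedCount, normalCount = exceedCount + 1, 0
    else
        normalCount, exceedCount = normalCount + 1, 0
    end
    if target.state == "Off" and exceedCount >= autoEnable.exceedTimes then
        target.state = "On"
        exceedCount = 0
    elseif target.state == "On" and normalCount >= autoEnable.normalTimes then
        target.state = "Off"
        normalCount = 0
    end
    return target.state
end

-- Constructed sample: a burst, one short dip, then sustained calm.
-- Expected: turned on at check 3, stays on through the dip at check 4,
-- turned off only at check 8 after three calm checks in a row.
local samples = { 120, 900, 950, 300, 800, 200, 150, 100 }
for i, n in ipairs(samples) do
    print(string.format("check %d (t=%ds): %d connections on port %s -> %s is %s",
        i, (i - 1) * autoEnable.interval, n, autoEnable.protectPort,
        autoEnable.enableModule, tick(n)))
end
```

With the defaults (exceedTimes = 2, normalTimes = 3) the module switches on 60 seconds after a sustained spike begins and switches off 90 seconds after traffic has settled, which is the latency to keep in mind when choosing interval and maxConnection for a given site.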
