Config.lua configuration file reference

October 19, 2016
config.lua, with the meaning of each setting restored as Lua comments:

```lua
-- HttpGuard installation directory; change it to the directory where HttpGuard is actually installed.
baseDir = '/data/www/waf/'

local Config = {
    -- Whether the key is generated dynamically: "static" or "dynamic".
    -- With "dynamic", none of the keySecret values below need to be changed;
    -- with "static", set each keySecret below by hand.
    keyDefine = "dynamic",

    -- Passive defence: request limiting module. Counts the requests made by an IP
    -- within a time window; it is recommended to keep this on.
    --   state: "On" or "Off".
    --   maxReqs, amongTime: at most maxReqs requests are allowed in amongTime seconds
    --     (default: 50 requests in 10 s).
    --   urlProtect: file of regular expressions selecting the URLs whose requests are
    --     limited. The default content is \.php$, i.e. only PHP requests are limited
    --     (this rule assumes urlMatchMode = "uri").
    limitReqModules = { state = "On", maxReqs = 50, amongTime = 10, urlProtect = baseDir.."url-protect/limit.txt" },

    -- Active defence: 302 redirect module. CC attack tools generally do not parse the
    -- response headers, so a redirect tells them apart from real browsers; enable it when needed.
    --   state: "On" or "Off".
    --   verifyMaxFail, amongTime: an IP that fails the redirect check more than
    --     verifyMaxFail times within amongTime seconds is blacklisted.
    --   keySecret: password used to generate the token; no need to change it when
    --     keyDefine above is "dynamic".
    --   urlProtect: same meaning as in limitReqModules.
    redirectModules = { state = "Off", verifyMaxFail = 5, keySecret = 'yK48J276hg', amongTime = 60, urlProtect = baseDir.."url-protect/302.txt" },

    -- Active defence: JavaScript jump module. CC attack tools generally cannot execute
    -- the JS jump, so it tells them apart from real browsers; enable it when needed.
    --   state: "On" or "Off".
    --   verifyMaxFail, amongTime: an IP that fails the JS check more than verifyMaxFail
    --     times within amongTime seconds is blacklisted.
    --   keySecret: as above; no need to change it when keyDefine is "dynamic".
    --   urlProtect: same meaning as in limitReqModules.
    JsJumpModules = { state = "Off", verifyMaxFail = 5, keySecret = 'QSjL6p38h9', amongTime = 60, urlProtect = baseDir.."url-protect/js.txt" },

    -- Active defence: cookie verification module. Sends the visitor a cookie and waits
    -- for the correct cookie to be returned; CC attack tools generally cannot handle
    -- cookies, which is what identifies them. Enable it when needed.
    --   state: "On" or "Off".
    --   verifyMaxFail, amongTime: an IP that fails to return the correct cookie more
    --     than verifyMaxFail times within amongTime seconds is blacklisted (default: 5).
    --   keySecret: as above; no need to change it when keyDefine is "dynamic".
    --   urlProtect: same meaning as in limitReqModules.
    cookieModules = { state = "Off", verifyMaxFail = 5, keySecret = 'bGMfY2D5t3', amongTime = 60, urlProtect = baseDir.."url-protect/cookie.txt" },

    -- Automatically enable active defence. The decision is based on whether the number
    -- of connections to protectPort exceeds maxConnection.
    --   state: "On" or "Off".
    --   interval: how often, in seconds, the connection count is checked (default 30).
    --   protectPort, maxConnection, normalTimes, exceededTimes: while the module named
    --     in enableModule is off, it is switched on once the connection count on
    --     protectPort has exceeded maxConnection for exceededTimes consecutive checks;
    --     while it is on, it is switched off again once the count has stayed below
    --     maxConnection for normalTimes consecutive checks.
    --   ssCommand: the ss command is used to count connections on the port (it is much
    --     faster than netstat); change the path to the one on your own system.
    --   enableModule: which active defence module to start automatically; one of
    --     "redirectModules", "JsJumpModules", "cookieModules".
    autoEnable = { state = "Off", protectPort = "80", interval = 30, normalTimes = 3, exceededTimes = 2, maxConnection = 500, ssCommand = "/usr/sbin/ss", enableModule = "redirectModules" },

    -- Password used to generate the key for captcha verification; no need to change it
    -- when keyDefine above is "dynamic".
    captchaKey = "k4qeahjwyf",

    -- Action taken for an IP on the blacklist: "captcha", "forbidden" or "iptables".
    --   captcha: the IP is sent to the captcha page and may continue browsing only after
    --     entering the correct code.
    --   forbidden: the server drops the connection directly.
    --   iptables: HttpGuard blocks the IP with iptables. This needs a password for the
    --     user nginx runs as, plus a sudo rule allowing that user to run iptables.
    --     Assuming nginx runs as www:
    --     1. Set the password for www:  passwd www
    --     2. As root, run visudo and add:
    --        www ALL=(root) /sbin/iptables -I INPUT -p tcp -s [0-9.]* --dport 80 -j DROP
    --     3. As root, run visudo, find "Defaults requiretty" and comment it out
    --        (#Defaults requiretty); if that line is not present, nothing needs changing.
    blockAction = "captcha",

    -- sudo password of the user nginx runs as; only needed when blockAction is
    -- "iptables", otherwise leave it empty (no value is given on this page).
    sudoPass = "",

    -- How long, in seconds, HttpGuard blocks an IP.
    blockTime = 600,

    -- How long, in seconds, an IP stays on the whitelist after passing the
    -- JsJumpModules / redirectModules / cookieModules verification.
    whiteTime = 600,

    -- Expiry time, in seconds, of the key used to generate the token password.
    keyExpiration = 600,

    -- URL matching mode: "request_uri" or "uri".
    --   request_uri: the regular expressions in the url-protect directory are matched
    --     against the address as originally requested by the browser, before decoding.
    --   uri: they are matched against the rewritten address, without query parameters,
    --     after decoding.
    urlMatchMode = "uri",

    -- Path of the captcha page; normally no need to change it.
    captchaPage = baseDir.."html/captcha.html",

    -- Normally no need to change it.
    reCaptchaPage = baseDir.."html/reCaptchaPage.html",

    -- Whitelist IP file; its content is regular expressions.
    whiteIpModules = { state = "Off", ipList = baseDir.."url-protect/white_ip_list.txt" },

    -- Set this when the real client IP must be taken from a request header such as
    -- x-forwarded-for; it only takes effect when state is "On".
    realIpFromHeader = { state = "Off", header = "x-forwarded-for" },

    -- Directory of the captcha images; normally no need to change it.
    captchaDir = baseDir.."captcha/",

    -- Whether to write the debug log.
    debug = false,

    -- Log directory; no need to change it, but the nginx user must own the logs
    -- directory (if nginx runs as www: chown www logs).
    logPath = baseDir.."logs/",
}

return Config
```
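To make the interaction of the settings concrete, here is an added Python model (not HttpGuard's own Lua code) of how limitReqModules, the verifyMaxFail/amongTime counters, blockTime, whiteTime and blockAction fit together. It assumes sliding-window counting per IP; the real module keeps its counters in an nginx shared dict and its exact windowing may differ. The configuration values are copied from the defaults above, except that cookieModules.state is switched to "On" so the cookie verification path can be exercised, and urlProtect is given inline as the \.php$ rule that limit.txt holds by default.

```python
import re
from collections import defaultdict, deque

# Constructed configuration: a subset of the keys in config.lua above.
# cookieModules.state is "On" here so the verification path runs (page default: "Off").
CONFIG = {
    "limitReqModules": {"state": "On", "maxReqs": 50, "amongTime": 10,
                        "urlProtect": [r"\.php$"]},        # default content of limit.txt
    "cookieModules": {"state": "On", "verifyMaxFail": 5, "amongTime": 60},
    "blockAction": "captcha",    # "captcha" | "forbidden" | "iptables"
    "blockTime": 600,
    "whiteTime": 600,
}


class Guard:
    """Sliding-window model of HttpGuard's per-IP counters (an assumption, see lead-in)."""

    def __init__(self, cfg):
        self.cfg = cfg
        self.req_times = defaultdict(deque)    # ip -> times of requests to protected URLs
        self.fail_times = defaultdict(deque)   # ip -> times of failed cookie verifications
        self.blacklist = {}                    # ip -> time the block expires
        self.whitelist = {}                    # ip -> time the whitelist entry expires

    @staticmethod
    def _in_window(times, now, window):
        """Drop entries older than `window` seconds, return how many remain."""
        while times and times[0] <= now - window:
            times.popleft()
        return len(times)

    def is_protected(self, path):
        """True if `path` matches any urlProtect regex. Which string is passed (the raw
        request_uri or the decoded uri without query) is the urlMatchMode decision."""
        patterns = self.cfg["limitReqModules"]["urlProtect"]
        return any(re.search(p, path) for p in patterns)

    def _blocked(self, ip, now):
        expiry = self.blacklist.get(ip)
        if expiry is None:
            return False
        if expiry > now:
            return True
        del self.blacklist[ip]                 # blockTime has elapsed
        return False

    def _block(self, ip, now):
        self.blacklist[ip] = now + self.cfg["blockTime"]
        return self.cfg["blockAction"]

    def handle_request(self, ip, path, now):
        """Return "pass" or the configured blockAction for this request."""
        if self.whitelist.get(ip, 0) > now:
            return "pass"                      # verified visitor, whiteTime not over
        if self._blocked(ip, now):
            return self.cfg["blockAction"]
        lim = self.cfg["limitReqModules"]
        if lim["state"] == "On" and self.is_protected(path):
            times = self.req_times[ip]
            times.append(now)
            if self._in_window(times, now, lim["amongTime"]) > lim["maxReqs"]:
                return self._block(ip, now)
        return "pass"

    def cookie_verify_failed(self, ip, now):
        """Record a wrong/missing cookie; block once failures exceed verifyMaxFail in amongTime."""
        ck = self.cfg["cookieModules"]
        if ck["state"] != "On":
            return "pass"
        times = self.fail_times[ip]
        times.append(now)
        if self._in_window(times, now, ck["amongTime"]) > ck["verifyMaxFail"]:
            return self._block(ip, now)
        return "pass"

    def cookie_verify_ok(self, ip, now):
        """Correct cookie returned: whitelist the IP for whiteTime seconds."""
        self.whitelist[ip] = now + self.cfg["whiteTime"]
        self.fail_times.pop(ip, None)


if __name__ == "__main__":
    g = Guard(CONFIG)
    ip = "203.0.113.7"                         # constructed sample address
    results = [g.handle_request(ip, "/index.php", i * 0.1) for i in range(51)]
    print("51 PHP requests in 5 s ->", results[-1])          # the 51st is blocked
    print("same IP 600 s later   ->", g.handle_request(ip, "/index.php", 605.0))
```

Two details worth noticing when tuning the file: a blacklisted IP is answered with blockAction for the whole blockTime regardless of what it requests afterwards, and is_protected only sees what the caller hands it, so with urlMatchMode = "request_uri" the default \.php$ rule will not match a request that carries a query string.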

Gcod