commit: add non-re versions of blacklists and whitelists

2017-12-02 12:45:52 +00:00 · 2017-12-02 12:45:52 +00:00 · e8e673c647
commit e8e673c647
--- a/lib.d/generate-bw-code.pl
+++ b/lib.d/generate-bw-code.pl
@ -73,7 +73,7 @@ while (<DATA>) {
    ($how, $lc_what, $condition) = split(/\s+/, $_, 3);

    if ($how eq "bwlist") {
-        #&blackwhite("=", $lc_what, split(" ", $condition));
+        &blackwhite("=", $lc_what, split(" ", $condition));
        &blackwhite("~*", $lc_what, split(" ", $condition));
    }
    elsif ($how eq "block") {
--- a/templates.d/nginx-generated-blocks.conf
+++ b/templates.d/nginx-generated-blocks.conf
@ -86,6 +86,15 @@

    # blacklists (generated)

+    %%IF %USER_AGENT_BLACKLIST%
+    # check user_agent_blacklist (generated)
+    %%CSV %USER_AGENT_BLACKLIST%
+    if ( $http_user_agent = "%0%" ) { %NGINX_ACTION_ABORT%; }
+    %%ENDCSV
+    %%ELSE
+    # no user_agent_blacklist (generated)
+    %%ENDIF
+
    %%IF %USER_AGENT_BLACKLIST_RE%
    # check user_agent_blacklist_re (generated)
    %%CSV %USER_AGENT_BLACKLIST_RE%
@ -95,6 +104,15 @@
    # no user_agent_blacklist_re (generated)
    %%ENDIF

+    %%IF %REFERER_BLACKLIST%
+    # check referer_blacklist (generated)
+    %%CSV %REFERER_BLACKLIST%
+    if ( $http_referer = "%0%" ) { %NGINX_ACTION_ABORT%; }
+    %%ENDCSV
+    %%ELSE
+    # no referer_blacklist (generated)
+    %%ENDIF
+
    %%IF %REFERER_BLACKLIST_RE%
    # check referer_blacklist_re (generated)
    %%CSV %REFERER_BLACKLIST_RE%
@ -104,6 +122,15 @@
    # no referer_blacklist_re (generated)
    %%ENDIF

+    %%IF %HOST_BLACKLIST%
+    # check host_blacklist (generated)
+    %%CSV %HOST_BLACKLIST%
+    if ( $http_host = "%0%" ) { %NGINX_ACTION_ABORT%; }
+    %%ENDCSV
+    %%ELSE
+    # no host_blacklist (generated)
+    %%ENDIF
+
    %%IF %HOST_BLACKLIST_RE%
    # check host_blacklist_re (generated)
    %%CSV %HOST_BLACKLIST_RE%
@ -113,6 +140,15 @@
    # no host_blacklist_re (generated)
    %%ENDIF

+    %%IF %PATH_BLACKLIST%
+    # check path_blacklist (generated)
+    %%CSV %PATH_BLACKLIST%
+    if ( $uri = "%0%" ) { %NGINX_ACTION_ABORT%; }
+    %%ENDCSV
+    %%ELSE
+    # no path_blacklist (generated)
+    %%ENDIF
+
    %%IF %PATH_BLACKLIST_RE%
    # check path_blacklist_re (generated)
    %%CSV %PATH_BLACKLIST_RE%
@ -122,6 +158,15 @@
    # no path_blacklist_re (generated)
    %%ENDIF

+    %%IF %PARAM_BLACKLIST%
+    # check param_blacklist (generated)
+    %%CSV %PARAM_BLACKLIST%
+    if ( $arg_%1% = "%2%" ) { %NGINX_ACTION_ABORT%; }
+    %%ENDCSV
+    %%ELSE
+    # no param_blacklist (generated)
+    %%ENDIF
+
    %%IF %PARAM_BLACKLIST_RE%
    # check param_blacklist_re (generated)
    %%CSV %PARAM_BLACKLIST_RE%
@ -164,6 +209,16 @@

    # whitelists (generated)

+    %%IF %USER_AGENT_WHITELIST%
+    # check user_agent_whitelist (generated)
+    set $non_whitelist_user_agent 1;
+    %%CSV %USER_AGENT_WHITELIST%
+    if ( $http_user_agent = "%0%" ) { set $non_whitelist_user_agent 0; }
+    %%ENDCSV
+    %%ELSE
+    # no user_agent_whitelist (generated)
+    %%ENDIF
+
    %%IF %USER_AGENT_WHITELIST_RE%
    # check user_agent_whitelist_re (generated)
    set $non_whitelist_user_agent 1;
@ -174,6 +229,16 @@
    # no user_agent_whitelist_re (generated)
    %%ENDIF

+    %%IF %REFERER_WHITELIST%
+    # check referer_whitelist (generated)
+    set $non_whitelist_referer 1;
+    %%CSV %REFERER_WHITELIST%
+    if ( $http_referer = "%0%" ) { set $non_whitelist_referer 0; }
+    %%ENDCSV
+    %%ELSE
+    # no referer_whitelist (generated)
+    %%ENDIF
+
    %%IF %REFERER_WHITELIST_RE%
    # check referer_whitelist_re (generated)
    set $non_whitelist_referer 1;
@ -184,6 +249,16 @@
    # no referer_whitelist_re (generated)
    %%ENDIF

+    %%IF %HOST_WHITELIST%
+    # check host_whitelist (generated)
+    set $non_whitelist_host 1;
+    %%CSV %HOST_WHITELIST%
+    if ( $http_host = "%0%" ) { set $non_whitelist_host 0; }
+    %%ENDCSV
+    %%ELSE
+    # no host_whitelist (generated)
+    %%ENDIF
+
    %%IF %HOST_WHITELIST_RE%
    # check host_whitelist_re (generated)
    set $non_whitelist_host 1;
@ -194,6 +269,16 @@
    # no host_whitelist_re (generated)
    %%ENDIF

+    %%IF %PATH_WHITELIST%
+    # check path_whitelist (generated)
+    set $non_whitelist_path 1;
+    %%CSV %PATH_WHITELIST%
+    if ( $uri = "%0%" ) { set $non_whitelist_path 0; }
+    %%ENDCSV
+    %%ELSE
+    # no path_whitelist (generated)
+    %%ENDIF
+
    %%IF %PATH_WHITELIST_RE%
    # check path_whitelist_re (generated)
    set $non_whitelist_path 1;
@ -204,6 +289,16 @@
    # no path_whitelist_re (generated)
    %%ENDIF

+    %%IF %PARAM_WHITELIST%
+    # check param_whitelist (generated)
+    set $non_whitelist_param 1;
+    %%CSV %PARAM_WHITELIST%
+    if ( $arg_%1% = "%2%" ) { set $non_whitelist_param 0; }
+    %%ENDCSV
+    %%ELSE
+    # no param_whitelist (generated)
+    %%ENDIF
+
    %%IF %PARAM_WHITELIST_RE%
    # check param_whitelist_re (generated)
    set $non_whitelist_param 1;
--- a/templates.d/nginx-generated-checks.conf
+++ b/templates.d/nginx-generated-checks.conf
@ -2,6 +2,13 @@

      # whitelist checks (generated)

+      %%IF %USER_AGENT_WHITELIST%
+      # check success of user_agent_whitelist (generated)
+      if ( $non_whitelist_user_agent ) { %NGINX_ACTION_ABORT%; }
+      %%ELSE
+      # no check for success of user_agent_whitelist (generated)
+      %%ENDIF
+
      %%IF %USER_AGENT_WHITELIST_RE%
      # check success of user_agent_whitelist_re (generated)
      if ( $non_whitelist_user_agent ) { %NGINX_ACTION_ABORT%; }
@ -9,6 +16,13 @@
      # no check for success of user_agent_whitelist_re (generated)
      %%ENDIF

+      %%IF %REFERER_WHITELIST%
+      # check success of referer_whitelist (generated)
+      if ( $non_whitelist_referer ) { %NGINX_ACTION_ABORT%; }
+      %%ELSE
+      # no check for success of referer_whitelist (generated)
+      %%ENDIF
+
      %%IF %REFERER_WHITELIST_RE%
      # check success of referer_whitelist_re (generated)
      if ( $non_whitelist_referer ) { %NGINX_ACTION_ABORT%; }
@ -16,6 +30,13 @@
      # no check for success of referer_whitelist_re (generated)
      %%ENDIF

+      %%IF %HOST_WHITELIST%
+      # check success of host_whitelist (generated)
+      if ( $non_whitelist_host ) { %NGINX_ACTION_ABORT%; }
+      %%ELSE
+      # no check for success of host_whitelist (generated)
+      %%ENDIF
+
      %%IF %HOST_WHITELIST_RE%
      # check success of host_whitelist_re (generated)
      if ( $non_whitelist_host ) { %NGINX_ACTION_ABORT%; }
@ -23,6 +44,13 @@
      # no check for success of host_whitelist_re (generated)
      %%ENDIF

+      %%IF %PATH_WHITELIST%
+      # check success of path_whitelist (generated)
+      if ( $non_whitelist_path ) { %NGINX_ACTION_ABORT%; }
+      %%ELSE
+      # no check for success of path_whitelist (generated)
+      %%ENDIF
+
      %%IF %PATH_WHITELIST_RE%
      # check success of path_whitelist_re (generated)
      if ( $non_whitelist_path ) { %NGINX_ACTION_ABORT%; }
@ -30,6 +58,13 @@
      # no check for success of path_whitelist_re (generated)
      %%ENDIF

+      %%IF %PARAM_WHITELIST%
+      # check success of param_whitelist (generated)
+      if ( $non_whitelist_param ) { %NGINX_ACTION_ABORT%; }
+      %%ELSE
+      # no check for success of param_whitelist (generated)
+      %%ENDIF
+
      %%IF %PARAM_WHITELIST_RE%
      # check success of param_whitelist_re (generated)
      if ( $non_whitelist_param ) { %NGINX_ACTION_ABORT%; }