From 44345d59d68fccb08dd80c7d5ad29081600617a6 Mon Sep 17 00:00:00 2001 From: ADD-SP Date: Sat, 9 Mar 2024 21:00:15 +0800 Subject: [PATCH] refactor: remove all debug logs --- inc/ngx_http_waf_module_macro.h | 43 -------- src/ngx_http_waf_module_action.c | 94 ------------------ src/ngx_http_waf_module_captcha.c | 124 ----------------------- src/ngx_http_waf_module_check.c | 120 ---------------------- src/ngx_http_waf_module_core.c | 70 ------------- src/ngx_http_waf_module_modsecurity.c | 132 ------------------------- src/ngx_http_waf_module_under_attack.c | 47 --------- src/ngx_http_waf_module_util.c | 32 ------ src/ngx_http_waf_module_var.c | 25 ----- src/ngx_http_waf_module_verify_bot.c | 33 ------- 10 files changed, 720 deletions(-) diff --git a/inc/ngx_http_waf_module_macro.h b/inc/ngx_http_waf_module_macro.h index 8c28da95..71b61680 100644 --- a/inc/ngx_http_waf_module_macro.h +++ b/inc/ngx_http_waf_module_macro.h 
@@ -359,47 +359,4 @@ #define ngx_is_null_str(s) ((s) == NULL || (s)->data == NULL || (s)->len == 0 || ((s)->data[0] == '\0' && (s)->len == 1)) -#ifndef NGX_HTTP_WAF_NO_DEBUG -#define ngx_http_waf_dp_func_start(r) { \ - if (r != NULL) { \ - ngx_http_waf_dpf(r, "%s start", __func__); \ - } \ -} - - -#define ngx_http_waf_dp(r, str) { \ - if (r != NULL) { \ - ngx_log_error(NGX_LOG_DEBUG, (r)->connection->log, 0, \ - "ngx_waf_debug: ["str"] at %s:%s:%d, ngx_waf %s", __func__, __FILE__, __LINE__, NGX_HTTP_WAF_VERSION); \ - } \ -} - - -#define ngx_http_waf_dpf(r, fmt, ...) { \ - if (r != NULL) { \ - ngx_log_error(NGX_LOG_DEBUG, (r)->connection->log, 0, \ - "ngx_waf_debug: ["fmt"] at %s:%s:%d, ngx_waf %s", __VA_ARGS__, __func__, __FILE__, __LINE__, NGX_HTTP_WAF_VERSION); \ - } \ -} - - -#define ngx_http_waf_dp_func_end(r) { \ - if (r != NULL) { \ - ngx_http_waf_dpf(r, "%s end", __func__); \ - } \ -} -#else -#define ngx_http_waf_dp_func_start(...) {} - - -#define ngx_http_waf_dp(...) {} - - -#define ngx_http_waf_dpf(...) {} - - -#define ngx_http_waf_dp_func_end(...) {} -#endif - - #endif // !NGX_HTTP_WAF_MODULE_MACRO_H diff --git a/src/ngx_http_waf_module_action.c b/src/ngx_http_waf_module_action.c index 90c4a38c..fca58224 100644 --- a/src/ngx_http_waf_module_action.c +++ b/src/ngx_http_waf_module_action.c @@ -26,20 +26,17 @@ static ngx_int_t _gen_response(ngx_http_request_t* r, ngx_str_t data, ngx_str_t ngx_int_t ngx_http_waf_perform_action_at_access_start(ngx_http_request_t* r) { - ngx_http_waf_dp_func_start(r); ngx_http_waf_loc_conf_t* loc_conf = NULL; ngx_http_waf_get_ctx_and_conf(r, &loc_conf, NULL); if (loc_conf->waf == 2) { - ngx_http_waf_dp(r, "bypass mode ... return"); return NGX_HTTP_WAF_NOT_MATCHED; } lru_cache_t* cache = loc_conf->action_cache_captcha; if (!ngx_http_waf_is_valid_ptr_value(cache)) { - ngx_http_waf_dp(r, "cache is null ... return"); return NGX_HTTP_WAF_NOT_MATCHED; } 
@@ -49,32 +46,23 @@ ngx_int_t ngx_http_waf_perform_action_at_access_start(ngx_http_request_t* r) { ngx_int_t ret_value = NGX_HTTP_WAF_NOT_MATCHED; ngx_slab_pool_t *shpool = (ngx_slab_pool_t *)loc_conf->action_zone_captcha->shm.addr; - ngx_http_waf_dp(r, "locking shared memory"); ngx_shmtx_lock(&shpool->mutex); - ngx_http_waf_dp(r, "success"); - ngx_http_waf_dp(r, "searching cache"); lru_cache_find_result_t result = lru_cache_find(cache, &inx_addr, sizeof(inx_addr)); - ngx_http_waf_dp(r, "unlocking shared memory") ngx_shmtx_unlock(&shpool->mutex); - ngx_http_waf_dp(r, "success"); ngx_int_t need_delete = 0; if (result.status == NGX_HTTP_WAF_KEY_EXISTS) { - ngx_http_waf_dp(r, "cache exists"); - ngx_http_waf_dp(r, "testing captcha") switch (ngx_http_waf_captcha_test(r)) { case NGX_HTTP_WAF_FAULT: - ngx_http_waf_dp(r, "fault"); ngx_http_waf_append_action_return(r, NGX_HTTP_SERVICE_UNAVAILABLE, ACTION_FLAG_NONE); ret_value = NGX_HTTP_WAF_MATCHED; break; case NGX_HTTP_WAF_CAPTCHA_CHALLENGE: - ngx_http_waf_dp(r, "challenge"); if (ngx_http_waf_captcha_inc_fails(r) == NGX_HTTP_WAF_MATCHED) { ngx_http_waf_set_rule_info(r, "CAPTCHA", "TO MANY FAILS", NGX_HTTP_WAF_TRUE, NGX_HTTP_WAF_TRUE); @@ -99,7 +87,6 @@ ngx_int_t ngx_http_waf_perform_action_at_access_start(ngx_http_request_t* r) { break; case NGX_HTTP_WAF_CAPTCHA_BAD: - ngx_http_waf_dp(r, "bad"); if (ngx_http_waf_captcha_inc_fails(r) == NGX_HTTP_WAF_MATCHED) { ngx_http_waf_set_rule_info(r, "CAPTCHA", "TO MANY FAILS", NGX_HTTP_WAF_TRUE, NGX_HTTP_WAF_TRUE); @@ -125,7 +112,6 @@ ngx_int_t ngx_http_waf_perform_action_at_access_start(ngx_http_request_t* r) { break; case NGX_HTTP_WAF_CAPTCHA_PASS: - ngx_http_waf_dp(r, "pass"); need_delete = 1; ngx_str_t* res_str = ngx_pcalloc(r->pool, sizeof(ngx_str_t)); ngx_str_set(res_str, "good"); 
@@ -134,7 +120,6 @@ ngx_int_t ngx_http_waf_perform_action_at_access_start(ngx_http_request_t* r) { break; case NGX_HTTP_WAF_FAIL: - ngx_http_waf_dp(r, "fail"); if (ngx_http_waf_captcha_inc_fails(r) == NGX_HTTP_WAF_MATCHED) { ngx_http_waf_set_rule_info(r, "CAPTCHA", "TO MANY FAILS", NGX_HTTP_WAF_TRUE, NGX_HTTP_WAF_TRUE); @@ -159,60 +144,46 @@ ngx_int_t ngx_http_waf_perform_action_at_access_start(ngx_http_request_t* r) { } } else { - ngx_http_waf_dp(r, "cache not exists"); } if (need_delete) { - ngx_http_waf_dp(r, "locking shared memory"); ngx_shmtx_lock(&shpool->mutex); - ngx_http_waf_dp(r, "success"); - ngx_http_waf_dp(r, "deleting cache"); lru_cache_delete(cache, &inx_addr, sizeof(inx_addr)); - ngx_http_waf_dp(r, "success"); - ngx_http_waf_dp(r, "unlocking shared memory") ngx_shmtx_unlock(&shpool->mutex); - ngx_http_waf_dp(r, "success"); } - ngx_http_waf_dp_func_end(r); return ret_value; } ngx_int_t ngx_http_waf_perform_action_at_access_end(ngx_http_request_t* r) { - ngx_http_waf_dp_func_start(r); ngx_http_waf_ctx_t* ctx = NULL; ngx_http_waf_loc_conf_t* loc_conf = NULL; ngx_http_waf_get_ctx_and_conf(r, &loc_conf, &ctx); if (loc_conf->waf == 2) { - ngx_http_waf_dp(r, "bypass mode ... return"); return NGX_DECLINED; } ngx_int_t ret_value = NGX_DECLINED; action_t *elt = NULL, *tmp = NULL; - ngx_http_waf_dp(r, "looking action chain"); DL_FOREACH_SAFE(ctx->action_chain, elt, tmp) { if (ngx_http_waf_check_flag(elt->flag, ACTION_FLAG_DECLINE)) { - ngx_http_waf_dp(r, "action is decline"); DL_DELETE(ctx->action_chain, elt); ret_value = _perform_action_decline(r, elt); break; } else if (ngx_http_waf_check_flag(elt->flag, ACTION_FLAG_RETURN)) { - ngx_http_waf_dp(r, "action is return"); DL_DELETE(ctx->action_chain, elt); ret_value = _perform_action_return(r, elt); break; } else if (ngx_http_waf_check_flag(elt->flag, ACTION_FLAG_REG_CONTENT)) { - ngx_http_waf_dp(r, "action is reg content"); DL_DELETE(ctx->action_chain, elt); _perform_action_reg_content(r, elt); 
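Review bot: Deleting the only statement in a branch leaves empty bodies behind, the first being `} else { }` after the captcha switch in ngx_http_waf_perform_action_at_access_start (the function starts outside this hunk). The same residue appears in later hunks: `if (tmp == NULL) { } else { ... }` in ngx_http_waf_captcha_inc_fails, `if (ret == NGX_HTTP_WAF_SUCCESS) { } else { }` in _gen_hmac, the three cookie lookups in _verify_cookies, and the `switch (json->type)` whose cases now only `break`. Drop the dead branches, and where only the else side does work invert the test, e.g. `if (tmp != NULL) {`. In ngx_http_waf_captcha_inc_fails the allocation failure is now completely silent, so an error-level log or at least a comment stating that this is deliberate would help.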
@@ -221,13 +192,11 @@ ngx_int_t ngx_http_waf_perform_action_at_access_end(ngx_http_request_t* r) { } } - ngx_http_waf_dp_func_end(r); return ret_value; } ngx_int_t ngx_http_waf_perform_action_at_content(ngx_http_request_t* r) { - ngx_http_waf_dp_func_start(r); ngx_http_waf_ctx_t* ctx = NULL; // ngx_http_waf_loc_conf_t* loc_conf = NULL; @@ -236,17 +205,14 @@ ngx_int_t ngx_http_waf_perform_action_at_content(ngx_http_request_t* r) { ngx_int_t ret_value = NGX_DECLINED; action_t *elt = NULL, *tmp = NULL; - ngx_http_waf_dp(r, "looking action chain"); DL_FOREACH_SAFE(ctx->action_chain, elt, tmp) { if (ngx_http_waf_check_flag(elt->flag, ACTION_FLAG_STR)) { - ngx_http_waf_dp(r, "action is str"); DL_DELETE(ctx->action_chain, elt); ret_value = _perform_action_str(r, elt); break; } else if (ngx_http_waf_check_flag(elt->flag, ACTION_FLAG_HTML)) { - ngx_http_waf_dp(r, "action is html"); DL_DELETE(ctx->action_chain, elt); ret_value = _perform_action_html(r, elt); break; @@ -256,38 +222,28 @@ ngx_int_t ngx_http_waf_perform_action_at_content(ngx_http_request_t* r) { } } - ngx_http_waf_dp_func_end(r); return ret_value; } static ngx_int_t _perform_action_return(ngx_http_request_t* r, action_t* action) { - ngx_http_waf_dp_func_start(r); ngx_int_t ret = action->extra.http_status; - ngx_http_waf_dpf(r, "return %i", ret); - ngx_http_waf_dp_func_end(r); return ret; } static ngx_int_t _perform_action_decline(ngx_http_request_t* r, action_t* action) { - ngx_http_waf_dp_func_start(r); - ngx_http_waf_dp(r, "return NGX_DECLINED"); - ngx_http_waf_dp_func_end(r); return NGX_DECLINED; } static void _perform_action_reg_content(ngx_http_request_t* r, action_t* action) { - ngx_http_waf_dp_func_start(r); ngx_http_waf_register_content_handler(r); - ngx_http_waf_dp_func_end(r); } static ngx_int_t _perform_action_html(ngx_http_request_t* r, action_t* action) { - ngx_http_waf_dp_func_start(r); ngx_http_waf_loc_conf_t* loc_conf = NULL; ngx_http_waf_get_ctx_and_conf(r, &loc_conf, NULL); 
@@ -302,35 +258,28 @@ static ngx_int_t _perform_action_html(ngx_http_request_t* r, action_t* action) { if (ngx_http_waf_check_flag(action->flag, ACTION_FLAG_CAPTCHA)) { if (!ngx_http_waf_check_flag(action->flag, ACTION_FLAG_FROM_CAPTCHA)) { - ngx_http_waf_dp(r, "action not from CPATCHA"); lru_cache_t* cache = loc_conf->action_cache_captcha; if (!ngx_http_waf_is_valid_ptr_value(cache)) { - ngx_http_waf_dp(r, "cache is null ... return"); ngx_http_finalize_request(r, NGX_HTTP_INTERNAL_SERVER_ERROR); return NGX_HTTP_WAF_NOT_MATCHED; } ngx_slab_pool_t *shpool = (ngx_slab_pool_t *)loc_conf->action_zone_captcha->shm.addr; - ngx_http_waf_dp(r, "locking shared memory"); ngx_shmtx_lock(&shpool->mutex); - ngx_http_waf_dp(r, "success"); - ngx_http_waf_dp(r, "adding cache"); /** 过期时间为 [15, 60] 分钟 */ time_t expire = (time_t)randombytes_uniform(60 * 15) + 60 * 45; lru_cache_add_result_t result = lru_cache_add(cache, &inx_addr, sizeof(inx_addr), expire); if (result.status == NGX_HTTP_WAF_SUCCESS) { - ngx_http_waf_dp(r, "success"); _captcha_cache_t* tmp = lru_cache_calloc(cache, sizeof(_captcha_cache_t)); if (tmp == NULL) { - ngx_http_waf_dp(r, "no memory ... return"); ret_value = NGX_HTTP_INTERNAL_SERVER_ERROR; } 
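Review bot: The comment above `time_t expire = (time_t)randombytes_uniform(60 * 15) + 60 * 45;` states an expiry of [15, 60] minutes, but the expression is 45 minutes plus a random 0 to 15 minutes, i.e. roughly [45, 60) minutes. Either the comment or the arithmetic is wrong; if the code is the intended behaviour, the comment should read `/** expiry is a random value in [45, 60) minutes */`. The same line and comment appear in ngx_http_waf_captcha_inc_fails in src/ngx_http_waf_module_captcha.c. _perform_action_html starts and ends outside this hunk.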
@@ -351,41 +300,31 @@ static ngx_int_t _perform_action_html(ngx_http_request_t* r, action_t* action) { } } else { - ngx_http_waf_dp(r, "error"); ret_value = NGX_HTTP_INTERNAL_SERVER_ERROR; } - ngx_http_waf_dp(r, "unlocking shared memory"); ngx_shmtx_unlock(&shpool->mutex); - ngx_http_waf_dp(r, "success"); } if (ngx_http_waf_check_flag(action->flag, ACTION_FLAG_FROM_CC_DENY)) { - ngx_http_waf_dp(r, "action from CC_DENY"); lru_cache_t* cache = loc_conf->ip_access_statistics; if (!ngx_http_waf_is_valid_ptr_value(cache)) { - ngx_http_waf_dp(r, "cache is null ... return"); ngx_http_finalize_request(r, NGX_HTTP_INTERNAL_SERVER_ERROR); return NGX_HTTP_WAF_NOT_MATCHED; } ngx_slab_pool_t *shpool = (ngx_slab_pool_t *)loc_conf->shm_zone_cc_deny->shm.addr; - ngx_http_waf_dp(r, "locking shared memory"); ngx_shmtx_lock(&shpool->mutex); - ngx_http_waf_dp(r, "success"); - ngx_http_waf_dp(r, "searching cache"); lru_cache_find_result_t result = lru_cache_find(cache, &inx_addr, sizeof(inx_addr)); if (result.status == NGX_HTTP_WAF_KEY_NOT_EXISTS) { - ngx_http_waf_dp(r, "not found"); ret_value = NGX_HTTP_INTERNAL_SERVER_ERROR; } - ngx_http_waf_dp(r, "found"); ip_statis_t* ip_statis = *(result.data); ip_statis->count = 0; @@ -394,9 +333,7 @@ static ngx_int_t _perform_action_html(ngx_http_request_t* r, action_t* action) { ip_statis->block_time = 0; - ngx_http_waf_dp(r, "unlocking shared memory"); ngx_shmtx_unlock(&shpool->mutex); - ngx_http_waf_dp(r, "success"); } } @@ -408,7 +345,6 @@ static ngx_int_t _perform_action_html(ngx_http_request_t* r, action_t* action) { if (error_page) { - ngx_http_waf_dp(r, "error page 403"); if (ngx_is_null_str(&loc_conf->waf_block_page)) { ngx_http_finalize_request(r, NGX_HTTP_FORBIDDEN); 
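Review bot: In the CC_DENY branch the `NGX_HTTP_WAF_KEY_NOT_EXISTS` case only sets `ret_value` and then falls through to `ip_statis_t* ip_statis = *(result.data);` and the writes to `ip_statis->count` and `ip_statis->block_time`. If lru_cache_find leaves `result.data` unset on a miss (not visible here), that is an invalid dereference made while the shared-memory mutex is held. Move the reset into an `else` of the not-found test, or unlock and return before touching `result.data`. The function body continues outside the hunk.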
@@ -417,46 +353,32 @@ static ngx_int_t _perform_action_html(ngx_http_request_t* r, action_t* action) { } } else { - ngx_http_waf_dp(r, "gen response"); ret_value = _gen_response(r, *action->extra.extra_html.html, content_type, action->extra.extra_html.http_status); } - ngx_http_waf_dp_func_end(r); return ret_value; } static ngx_int_t _perform_action_str(ngx_http_request_t* r, action_t* action) { - ngx_http_waf_dp_func_start(r); ngx_str_t content_type = ngx_string("text/plain"); - ngx_http_waf_dp_func_end(r); return _gen_response(r, *action->extra.extra_str.str, content_type, action->extra.extra_str.http_status); } static ngx_int_t _gen_response(ngx_http_request_t* r, ngx_str_t data, ngx_str_t content_type, ngx_uint_t http_status) { - ngx_http_waf_dp_func_start(r); - ngx_http_waf_dp(r, "discard_request_body"); ngx_int_t rc = ngx_http_discard_request_body(r); if (rc != NGX_OK) { - ngx_http_waf_dpf(r, "failed(%i) ... return", rc); return rc; } - ngx_http_waf_dp(r, "success"); - ngx_http_waf_dp(r, "getting response str"); ngx_str_t res = data; - ngx_http_waf_dpf(r, "success(%V)", &res); - ngx_http_waf_dp(r, "generating response headers"); r->headers_out.content_type.data = ngx_pstrdup(r->pool, &content_type); r->headers_out.content_type.len = content_type.len; - ngx_http_waf_dpf(r, "success(Content-Type=%V)", &content_type); - ngx_http_waf_dp(r, "setting resposne status code"); r->headers_out.status = http_status; - ngx_http_waf_dpf(r, "success(%ui)", r->headers_out.status); r->headers_out.content_length_n = res.len; 
@@ -465,60 +387,44 @@ static ngx_int_t _gen_response(ngx_http_request_t* r, ngx_str_t data, ngx_str_t return NGX_HTTP_INTERNAL_SERVER_ERROR; } - ngx_http_waf_dp(r, "sending headers"); rc = ngx_http_send_header(r); if (rc == NGX_ERROR || rc > NGX_OK) { - ngx_http_waf_dpf(r, "failed(%i) ... return", rc); return rc; } if (r->header_only) { - ngx_http_waf_dp(r, "success ... return"); return rc; } - ngx_http_waf_dp(r, "success"); - ngx_http_waf_dp(r, "allocating buffer object"); ngx_buf_t* buf = ngx_pcalloc(r->pool, sizeof(ngx_buf_t)); if (buf == NULL) { - ngx_http_waf_dp(r, "failed ... return"); ngx_http_finalize_request(r, NGX_HTTP_INTERNAL_SERVER_ERROR); return NGX_HTTP_INTERNAL_SERVER_ERROR; } - ngx_http_waf_dp(r, "success"); - ngx_http_waf_dp(r, "allocating buffer space"); buf->pos = ngx_pcalloc(r->pool, res.len); if (buf->pos == NULL) { - ngx_http_waf_dp(r, "failed ... return"); ngx_http_finalize_request(r, NGX_HTTP_INTERNAL_SERVER_ERROR); return NGX_HTTP_INTERNAL_SERVER_ERROR; } - ngx_http_waf_dp(r, "success"); - ngx_http_waf_dp(r, "copying str to buffer"); ngx_memcpy(buf->pos, res.data, res.len); buf->last = buf->pos + res.len; buf->memory = 1; buf->last_buf = (r == r->main) ? 1 : 0; - ngx_http_waf_dp(r, "success"); - ngx_http_waf_dp(r, "allocating out chain"); ngx_chain_t* out = ngx_pcalloc(r->pool, sizeof(ngx_chain_t)); if (out == NULL) { - ngx_http_waf_dp(r, "failed ... return"); ngx_http_finalize_request(r, NGX_HTTP_INTERNAL_SERVER_ERROR); return NGX_HTTP_INTERNAL_SERVER_ERROR; } out->buf = buf; out->next = NULL; - ngx_http_waf_dp(r, "success"); rc = ngx_http_output_filter(r, out); - ngx_http_waf_dp_func_end(r); return rc; } diff --git a/src/ngx_http_waf_module_captcha.c b/src/ngx_http_waf_module_captcha.c index c9c769db..7e9e2772 100644 --- a/src/ngx_http_waf_module_captcha.c +++ b/src/ngx_http_waf_module_captcha.c 
@@ -37,53 +37,41 @@ static ngx_int_t _verfiy_reCAPTCHA_compatible(ngx_http_request_t* r, ngx_int_t ngx_http_waf_handler_captcha(ngx_http_request_t* r) { - ngx_http_waf_dp_func_start(r); ngx_http_waf_ctx_t* ctx = NULL; ngx_http_waf_loc_conf_t* loc_conf = NULL; ngx_http_waf_get_ctx_and_conf(r, &loc_conf, &ctx); if (ngx_http_waf_is_unset_or_disable_value(loc_conf->waf_captcha)) { - ngx_http_waf_dp(r, "nothing to do ... return"); return NGX_HTTP_WAF_NOT_MATCHED; } - ngx_http_waf_dp(r, "verifying cookie"); switch (_verify_cookies(r)) { case NGX_HTTP_WAF_FAULT: - ngx_http_waf_dp(r, "bad ... return"); ngx_http_waf_append_action_return(r, NGX_HTTP_INTERNAL_SERVER_ERROR, ACTION_FLAG_FROM_CAPTCHA); return NGX_HTTP_WAF_MATCHED; case NGX_HTTP_WAF_SUCCESS: - ngx_http_waf_dp(r, "success"); - ngx_http_waf_dpf(r, "checking if request_uri(%V) equals verify_url(%V)", &r->uri, &loc_conf->waf_captcha_verify_url); if (r->uri.len == loc_conf->waf_captcha_verify_url.len && ngx_memcmp(r->uri.data, loc_conf->waf_captcha_verify_url.data, r->uri.len) == 0) { - ngx_http_waf_dp(r, "equal"); ngx_str_t* res_str = ngx_pcalloc(r->pool, sizeof(ngx_str_t)); ngx_str_set(res_str, "good"); ngx_http_waf_append_action_str(r, res_str, NGX_HTTP_OK, ACTION_FLAG_FROM_CAPTCHA); return NGX_HTTP_WAF_MATCHED; } - ngx_http_waf_dp(r, "not equal"); break; case NGX_HTTP_WAF_FAIL: - ngx_http_waf_dp(r, "failed"); - ngx_http_waf_dp(r, "verifying captcha"); switch (_verify_captcha_dispatcher(r)) { case NGX_HTTP_WAF_FAULT: - ngx_http_waf_dp(r, "bad ... return"); ngx_http_waf_append_action_return(r, NGX_HTTP_INTERNAL_SERVER_ERROR, ACTION_FLAG_FROM_CAPTCHA); return NGX_HTTP_WAF_MATCHED; case NGX_HTTP_WAF_CAPTCHA_CHALLENGE: - ngx_http_waf_dp(r, "challenging ... return"); if (ngx_http_waf_captcha_inc_fails(r) == NGX_HTTP_WAF_MATCHED) { ngx_http_waf_set_rule_info(r, "CAPTCHA", "TO MANY FAILS", NGX_HTTP_WAF_TRUE, NGX_HTTP_WAF_TRUE); 
@@ -107,7 +95,6 @@ ngx_int_t ngx_http_waf_handler_captcha(ngx_http_request_t* r) { return NGX_HTTP_WAF_MATCHED; case NGX_HTTP_WAF_CAPTCHA_BAD: - ngx_http_waf_dp(r, "captcha bad ... return"); if (ngx_http_waf_captcha_inc_fails(r) == NGX_HTTP_WAF_MATCHED) { ngx_http_waf_set_rule_info(r, "CAPTCHA", "TO MANY FAILS", NGX_HTTP_WAF_TRUE, NGX_HTTP_WAF_TRUE); @@ -134,28 +121,23 @@ ngx_int_t ngx_http_waf_handler_captcha(ngx_http_request_t* r) { case NGX_HTTP_WAF_CAPTCHA_PASS: { - ngx_http_waf_dp(r, "pass"); - ngx_http_waf_dp(r, "generating releated info"); _info_t* info = ngx_pcalloc(r->pool, sizeof(_info_t)); if (info != NULL && _gen_info(r, info) == NGX_HTTP_WAF_SUCCESS && _gen_verify_cookie(r, info) == NGX_HTTP_WAF_SUCCESS) { - ngx_http_waf_dp(r, "success ... return"); ngx_http_waf_set_rule_info(r, "CAPTCHA", "PASS", NGX_HTTP_WAF_TRUE, NGX_HTTP_WAF_TRUE); ngx_str_t* res_str = ngx_pcalloc(r->pool, sizeof(ngx_str_t)); ngx_str_set(res_str, "good"); ngx_http_waf_append_action_str(r, res_str, NGX_HTTP_OK, ACTION_FLAG_FROM_CAPTCHA); } else { - ngx_http_waf_dp(r, "failed ... return"); ngx_http_waf_append_action_return(r, NGX_HTTP_INTERNAL_SERVER_ERROR, ACTION_FLAG_FROM_CAPTCHA); } return NGX_HTTP_WAF_MATCHED; } case NGX_HTTP_WAF_FAIL: - ngx_http_waf_dp(r, "failed ... return"); if (ngx_http_waf_captcha_inc_fails(r) == NGX_HTTP_WAF_MATCHED) { ngx_http_waf_set_rule_info(r, "CAPTCHA", "TO MANY FAILS", NGX_HTTP_WAF_TRUE, NGX_HTTP_WAF_TRUE); 
@@ -178,58 +160,45 @@ ngx_int_t ngx_http_waf_handler_captcha(ngx_http_request_t* r) { return NGX_HTTP_WAF_MATCHED; default: - ngx_http_waf_dp(r, "default ... return"); ngx_http_waf_append_action_return(r, NGX_HTTP_INTERNAL_SERVER_ERROR, ACTION_FLAG_FROM_CAPTCHA); return NGX_HTTP_WAF_MATCHED; } break; default: - ngx_http_waf_dp(r, "default ... return"); ngx_http_waf_append_action_return(r, NGX_HTTP_INTERNAL_SERVER_ERROR, ACTION_FLAG_FROM_CAPTCHA); return NGX_HTTP_WAF_MATCHED; } - ngx_http_waf_dp_func_end(r); return NGX_HTTP_WAF_NOT_MATCHED; } ngx_int_t ngx_http_waf_captcha_test(ngx_http_request_t* r) { - ngx_http_waf_dp_func_start(r); ngx_http_waf_ctx_t* ctx = NULL; ngx_http_waf_loc_conf_t* loc_conf = NULL; ngx_http_waf_get_ctx_and_conf(r, &loc_conf, &ctx); - ngx_http_waf_dp(r, "verifying captcha"); switch (_verify_captcha_dispatcher(r)) { case NGX_HTTP_WAF_FAULT: - ngx_http_waf_dp(r, "bad ... return"); return NGX_HTTP_WAF_FAULT; case NGX_HTTP_WAF_CAPTCHA_CHALLENGE: - ngx_http_waf_dp(r, "challenging ... return"); return NGX_HTTP_WAF_CAPTCHA_CHALLENGE; case NGX_HTTP_WAF_CAPTCHA_BAD: - ngx_http_waf_dp(r, "bad captcha ... return"); return NGX_HTTP_WAF_CAPTCHA_BAD; case NGX_HTTP_WAF_CAPTCHA_PASS: - ngx_http_waf_dp(r, "captcha pass ... return"); return NGX_HTTP_WAF_CAPTCHA_PASS; case NGX_HTTP_WAF_FAIL: - ngx_http_waf_dp(r, "failed ... return"); return NGX_HTTP_WAF_CAPTCHA_CHALLENGE; default: - ngx_http_waf_dp(r, "default ... return"); return NGX_HTTP_WAF_FAULT; } - ngx_http_waf_dp_func_end(r); return NGX_HTTP_WAF_FAULT; } ngx_int_t ngx_http_waf_captcha_inc_fails(ngx_http_request_t* r) { - ngx_http_waf_dp_func_start(r); ngx_http_waf_loc_conf_t* loc_conf = NULL; ngx_http_waf_get_ctx_and_conf(r, &loc_conf, NULL); 
@@ -237,12 +206,10 @@ ngx_int_t ngx_http_waf_captcha_inc_fails(ngx_http_request_t* r) { if (ngx_http_waf_is_unset_or_disable_value(loc_conf->waf_captcha_max_fails) || ngx_http_waf_is_unset_or_disable_value(loc_conf->waf_captcha_duration)) { - ngx_http_waf_dp(r, "unset or disable conf ... return"); return NGX_HTTP_WAF_NOT_MATCHED; } if (!ngx_http_waf_is_valid_ptr_value(loc_conf->waf_captcha_cache)) { - ngx_http_waf_dp(r, "cache is null ... return"); return NGX_HTTP_WAF_NOT_MATCHED; } @@ -253,9 +220,7 @@ ngx_int_t ngx_http_waf_captcha_inc_fails(ngx_http_request_t* r) { lru_cache_t* cache = loc_conf->waf_captcha_cache; ngx_slab_pool_t* shpool = (ngx_slab_pool_t*)loc_conf->waf_captcha_shm_zone->shm.addr; - ngx_http_waf_dp(r, "locking shared memory"); ngx_shmtx_lock(&shpool->mutex); - ngx_http_waf_dp(r, "success"); /** 过期时间为 [15, 60] 分钟 */ time_t expire = (time_t)randombytes_uniform(60 * 15) + 60 * 45; @@ -265,7 +230,6 @@ ngx_int_t ngx_http_waf_captcha_inc_fails(ngx_http_request_t* r) { _cache_info_t* tmp = lru_cache_calloc(cache, sizeof(_cache_info_t)); if (tmp == NULL) { - ngx_http_waf_dp(r, "no memory ... return"); } else { *result.data = tmp; @@ -288,17 +252,13 @@ ngx_int_t ngx_http_waf_captcha_inc_fails(ngx_http_request_t* r) { } } - ngx_http_waf_dp(r, "unlocking shared memory") ngx_shmtx_unlock(&shpool->mutex); - ngx_http_waf_dp(r, "success"); - ngx_http_waf_dp_func_end(r); return ret_value; } static ngx_int_t _gen_info(ngx_http_request_t* r, _info_t* info) { - ngx_http_waf_dp_func_start(r); time_t now = time(NULL); 
@@ -310,28 +270,21 @@ static ngx_int_t _gen_info(ngx_http_request_t* r, _info_t* info) { #error The size of time_t is unexpected. #endif - ngx_http_waf_dp(r, "generating random string"); if (ngx_http_waf_rand_str(info->uid, sizeof(info->uid) - 1) != NGX_HTTP_WAF_SUCCESS) { - ngx_http_waf_dp(r, "failed ... return"); return NGX_HTTP_WAF_FAIL; } - ngx_http_waf_dp(r, "success"); - ngx_http_waf_dp_func_end(r); return _gen_hmac(r, info); } static ngx_int_t _gen_verify_cookie(ngx_http_request_t *r, _info_t* info) { - ngx_http_waf_dp_func_start(r); ngx_http_waf_ctx_t* ctx = NULL; ngx_http_waf_get_ctx_and_conf(r, NULL, &ctx); - ngx_http_waf_dpf(r, "generating cookie %s", "__waf_captcha_time"); ngx_table_elt_t *header = (ngx_table_elt_t *)ngx_list_push(&(r->headers_out.headers)); if (header == NULL) { - ngx_http_waf_dp(r, "failed ... return"); return NGX_HTTP_WAF_FAIL; } header->hash = 1; @@ -339,12 +292,9 @@ static ngx_int_t _gen_verify_cookie(ngx_http_request_t *r, _info_t* info) { ngx_str_set(&header->key, "Set-Cookie"); header->value.data = ngx_pnalloc(r->pool, sizeof(info->time) + 64); header->value.len = sprintf((char*)header->value.data, "__waf_captcha_time=%s; Path=/", info->time); - ngx_http_waf_dpf(r, "success %V", &header->value); - ngx_http_waf_dpf(r, "generating cookie %s", "__waf_captcha_uid"); header = (ngx_table_elt_t *)ngx_list_push(&(r->headers_out.headers)); if (header == NULL) { - ngx_http_waf_dp(r, "failed ... return"); return NGX_HTTP_WAF_FAIL; } header->hash = 1; 
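Review bot: `header->value.data = ngx_pnalloc(r->pool, sizeof(info->time) + 64);` is handed straight to `sprintf` with no NULL check, so an allocation failure becomes a write through a null pointer; the uid and hmac cookies in the next hunks repeat the pattern. Check the pointer and return `NGX_HTTP_WAF_FAIL`, and prefer nginx's bounded formatter, e.g. `header->value.len = ngx_snprintf(header->value.data, sizeof(info->time) + 64, "__waf_captcha_time=%s; Path=/", info->time) - header->value.data;`. These cookies are what later lets a client skip the CAPTCHA, yet they are emitted with only `Path=/`; consider adding `HttpOnly` and `SameSite`, and `Secure` where the site is served over TLS. _gen_verify_cookie continues outside this hunk.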
@@ -352,12 +302,9 @@ static ngx_int_t _gen_verify_cookie(ngx_http_request_t *r, _info_t* info) { ngx_str_set(&header->key, "Set-Cookie"); header->value.data = ngx_pnalloc(r->pool, sizeof(info->uid) + 64); header->value.len = sprintf((char*)header->value.data, "__waf_captcha_uid=%s; Path=/", info->uid); - ngx_http_waf_dpf(r, "success %V", &header->value); - ngx_http_waf_dpf(r, "generating cookie %s", "__waf_captcha_hmac"); header = (ngx_table_elt_t *)ngx_list_push(&(r->headers_out.headers)); if (header == NULL) { - ngx_http_waf_dp(r, "failed ... return"); return NGX_HTTP_WAF_FAIL; } header->hash = 1; @@ -365,15 +312,12 @@ static ngx_int_t _gen_verify_cookie(ngx_http_request_t *r, _info_t* info) { ngx_str_set(&header->key, "Set-Cookie"); header->value.data = ngx_pnalloc(r->pool, sizeof(info->hmac) + 64); header->value.len = sprintf((char*)header->value.data, "__waf_captcha_hmac=%s; Path=/", info->hmac); - ngx_http_waf_dpf(r, "success %V", &header->value); - ngx_http_waf_dp_func_end(r); return NGX_HTTP_WAF_SUCCESS; } static ngx_int_t _gen_hmac(ngx_http_request_t *r, _info_t* info) { - ngx_http_waf_dp_func_start(r); ngx_http_waf_loc_conf_t* loc_conf = NULL; ngx_http_waf_get_ctx_and_conf(r, &loc_conf, NULL); @@ -389,7 +333,6 @@ static ngx_int_t _gen_hmac(ngx_http_request_t *r, _info_t* info) { ngx_memcpy(buf.uid, info->uid, sizeof(buf.uid)); ngx_memcpy(buf.salt, loc_conf->random_str, sizeof(buf.salt)); - ngx_http_waf_dpf(r, "time=%s, uid=%s, salt=%s", buf.time, buf.uid, buf.salt); if (r->connection->sockaddr->sa_family == AF_INET) { struct sockaddr_in *sin = (struct sockaddr_in *)r->connection->sockaddr; 
@@ -405,21 +348,16 @@ static ngx_int_t _gen_hmac(ngx_http_request_t *r, _info_t* info) { ngx_memzero(info->hmac, sizeof(info->hmac)); - ngx_http_waf_dp(r, "getting hmac"); ngx_int_t ret = ngx_http_waf_sha256(info->hmac, sizeof(info->hmac), &buf, sizeof(buf)); if (ret == NGX_HTTP_WAF_SUCCESS) { - ngx_http_waf_dpf(r, "success(%s)", info->hmac); } else { - ngx_http_waf_dp(r, "failed"); } - ngx_http_waf_dp_func_end(r); return ret; } static ngx_int_t _verify_cookies(ngx_http_request_t* r) { - ngx_http_waf_dp_func_start(r); ngx_http_waf_ctx_t* ctx = NULL; ngx_http_waf_loc_conf_t* loc_conf = NULL; @@ -429,7 +367,6 @@ static ngx_int_t _verify_cookies(ngx_http_request_t* r) { _info_t* under_attack_expect = ngx_pcalloc(r->pool, sizeof(_info_t)); if (under_attack_client == NULL || under_attack_expect == NULL) { - ngx_http_waf_dp(r, "no memcoy ... return"); return NGX_HTTP_WAF_FAULT; } 
@@ -447,107 +384,82 @@ static ngx_int_t _verify_cookies(ngx_http_request_t* r) { ngx_str_set(&key, "__waf_captcha_uid"); ngx_str_null(&value); - ngx_http_waf_dpf(r, "searching cookie %V", &key); #if (nginx_version >= 1023000) if (ngx_http_parse_multi_header_lines(r, cookies, &key, &value) != NULL) { #else if (ngx_http_parse_multi_header_lines(cookies, &key, &value) != NGX_DECLINED) { #endif - ngx_http_waf_dpf(r, "found cookie %V", &value); ngx_memcpy(under_attack_client->uid, value.data, value.len); } else { - ngx_http_waf_dpf(r, "not found cookie %V", &key); } ngx_str_set(&key, "__waf_captcha_hmac"); ngx_str_null(&value); - ngx_http_waf_dpf(r, "searching cookie %V", &key); #if (nginx_version >= 1023000) if (ngx_http_parse_multi_header_lines(r, cookies, &key, &value) != NULL) { #else if (ngx_http_parse_multi_header_lines(cookies, &key, &value) != NGX_DECLINED) { #endif - ngx_http_waf_dpf(r, "found cookie %V", &value); ngx_memcpy(under_attack_client->hmac, value.data, value.len); } else { - ngx_http_waf_dpf(r, "not found cookie %V", &key); } ngx_str_set(&key, "__waf_captcha_time"); ngx_str_null(&value); - ngx_http_waf_dpf(r, "searching cookie %V", &key); #if (nginx_version >= 1023000) if (ngx_http_parse_multi_header_lines(r, cookies, &key, &value) != NULL) { #else if (ngx_http_parse_multi_header_lines(cookies, &key, &value) != NGX_DECLINED) { #endif - ngx_http_waf_dpf(r, "found cookie %V", &value); ngx_memcpy(under_attack_client->time, value.data, value.len); } else { - ngx_http_waf_dpf(r, "not found cookie %V", &key); } } ngx_memcpy(under_attack_expect, under_attack_client, sizeof(_info_t)); /* 计算正确的 HMAC */ - ngx_http_waf_dp(r, "generating hmac"); if (_gen_hmac(r, under_attack_expect) != NGX_HTTP_WAF_SUCCESS) { - ngx_http_waf_dp(r, "failed ... 
return"); return NGX_HTTP_WAF_FAULT; } - ngx_http_waf_dpf(r, "success(%s)", under_attack_expect->hmac); - ngx_http_waf_dpf(r, "client.time=%s, client.uid=%s, client.hmac=%s", under_attack_client->time, under_attack_client->uid, under_attack_client->hmac); - ngx_http_waf_dpf(r, "expect.time=%s, expect.uid=%s, expect.hmac=%s", under_attack_expect->time, under_attack_expect->uid, under_attack_expect->hmac); /* 验证 HMAC 是否正确 */ - ngx_http_waf_dp(r, "verifying hmac"); if (ngx_memcmp(under_attack_client, under_attack_expect, sizeof(_info_t)) != 0) { - ngx_http_waf_dp(r, "failed ... return"); return NGX_HTTP_WAF_FAIL; } - ngx_http_waf_dp(r, "success"); - ngx_http_waf_dpf(r, "expired(%s)?", under_attack_client->time); time_t client_time = ngx_atoi(under_attack_client->time, ngx_strlen(under_attack_client->time)); if (difftime(time(NULL), client_time) > loc_conf->waf_captcha_expire) { - ngx_http_waf_dp(r, "yes"); return NGX_HTTP_WAF_FAIL; } - ngx_http_waf_dp(r, "no"); - ngx_http_waf_dp_func_end(r); return NGX_HTTP_WAF_SUCCESS; } static ngx_int_t _verify_captcha_dispatcher(ngx_http_request_t* r) { - ngx_http_waf_dp_func_end(r); ngx_http_waf_loc_conf_t* loc_conf = NULL; ngx_http_waf_get_ctx_and_conf(r, &loc_conf, NULL); - ngx_http_waf_dp(r, "allocating memory to store uri"); ngx_str_t uri = ngx_null_string; uri.data = ngx_pnalloc(r->pool, r->uri.len + 1); if (uri.data == NULL) { - ngx_http_waf_dp(r, "no memory ... return"); return NGX_HTTP_WAF_FAULT; } ngx_memcpy(uri.data, r->uri.data, r->uri.len); uri.data[r->uri.len] = '\0'; uri.len = r->uri.len; - ngx_http_waf_dpf(r, "success(%V)", &uri); if (ngx_strcmp(uri.data, loc_conf->waf_captcha_verify_url.data) == 0 
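Review bot: `ngx_memcpy(under_attack_client->uid, value.data, value.len);` copies a cookie value whose length comes from the request into a fixed-size field of `_info_t`, and the hmac and time cookies are handled the same way; no length check is visible in this hunk. Guard each copy, e.g. `if (value.len < sizeof(under_attack_client->uid)) { ngx_memcpy(under_attack_client->uid, value.data, value.len); }`, and treat an oversized cookie as a failed verification. The later `ngx_memcmp(under_attack_client, under_attack_expect, sizeof(_info_t))` is also not a constant-time comparison of the digest; libsodium appears to be linked already (the file calls `randombytes_uniform`), so `sodium_memcmp` would fit. _verify_cookies starts outside the hunk.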
@@ -555,37 +467,30 @@ static ngx_int_t _verify_captcha_dispatcher(ngx_http_request_t* r) { ngx_int_t is_valid = NGX_HTTP_WAF_FALSE; switch (loc_conf->waf_captcha_type) { case NGX_HTTP_WAF_HCAPTCHA: - ngx_http_waf_dp(r, "verifying hCaptcha"); is_valid = _verify_hCaptcha(r); break; case NGX_HTTP_WAF_RECAPTCHA_V2_CHECKBOX: case NGX_HTTP_WAF_RECAPTCHA_V2_INVISIBLE: - ngx_http_waf_dp(r, "verifying reCAPTCHAv2"); is_valid = _verify_reCAPTCHAv2(r); break; case NGX_HTTP_WAF_RECAPTCHA_V3: - ngx_http_waf_dp(r, "verifying reCAPTCHAv3"); is_valid = _verify_reCAPTCHAv3(r); break; default: return NGX_HTTP_WAF_FAULT; } if (is_valid == NGX_HTTP_WAF_SUCCESS) { - ngx_http_waf_dp(r, "pass"); return NGX_HTTP_WAF_CAPTCHA_PASS; } else { - ngx_http_waf_dp(r, "bad"); return NGX_HTTP_WAF_CAPTCHA_BAD; } } - ngx_http_waf_dp_func_end(r); return NGX_HTTP_WAF_FAIL; } static ngx_int_t _verify_hCaptcha(ngx_http_request_t* r) { - ngx_http_waf_dp_func_start(r); ngx_http_waf_ctx_t* ctx = NULL; ngx_http_waf_loc_conf_t* loc_conf = NULL; @@ -599,13 +504,11 @@ static ngx_int_t _verify_hCaptcha(ngx_http_request_t* r) { NGX_HTTP_WAF_FALSE, INT_MIN); - ngx_http_waf_dp_func_end(r); return ret; } static ngx_int_t _verify_reCAPTCHAv2(ngx_http_request_t* r) { - ngx_http_waf_dp_func_start(r); ngx_http_waf_ctx_t* ctx = NULL; ngx_http_waf_loc_conf_t* loc_conf = NULL; @@ -619,13 +522,11 @@ static ngx_int_t _verify_reCAPTCHAv2(ngx_http_request_t* r) { NGX_HTTP_WAF_FALSE, INT_MIN); - ngx_http_waf_dp_func_end(r); return ret; } static ngx_int_t _verify_reCAPTCHAv3(ngx_http_request_t* r) { - ngx_http_waf_dp_func_start(r); ngx_http_waf_ctx_t* ctx = NULL; ngx_http_waf_loc_conf_t* loc_conf = NULL; @@ -639,7 +540,6 @@ static ngx_int_t _verify_reCAPTCHAv3(ngx_http_request_t* r) { NGX_HTTP_WAF_TRUE, loc_conf->waf_captcha_reCAPTCHAv3_score); - ngx_http_waf_dp_func_end(r); return ret; } 
@@ -650,7 +550,6 @@ static ngx_int_t _verfiy_reCAPTCHA_compatible(ngx_http_request_t* r, ngx_str_t url, ngx_int_t is_reCAPTCHA_v3, ngx_int_t score) { - ngx_http_waf_dp_func_start(r); ngx_http_waf_ctx_t* ctx = NULL; ngx_http_waf_loc_conf_t* loc_conf = NULL; 
@@ -658,79 +557,57 @@ static ngx_int_t _verfiy_reCAPTCHA_compatible(ngx_http_request_t* r, ngx_str_t body = { ctx->req_body.last - ctx->req_body.pos, ctx->req_body.pos }; key_value_t* kvs = NULL; - ngx_http_waf_dpf(r, "parsing form %V", &body); ngx_int_t ret = ngx_http_waf_parse_form_string(&body, &kvs); if (ret != NGX_HTTP_WAF_SUCCESS) { goto hash_map_free; } - ngx_http_waf_dp(r, "success"); - ngx_http_waf_dpf(r, "getting %V", &response_key); key_value_t* captcha_response = NULL; HASH_FIND(hh, kvs, response_key.data, response_key.len, captcha_response); if (captcha_response == NULL) { - ngx_http_waf_dp(r, "failed ... releasing resources"); ret = NGX_HTTP_WAF_FAIL; goto hash_map_free; } - ngx_http_waf_dpf(r, "success(%V)", &captcha_response->value); char* json_str = NULL; - ngx_http_waf_dpf(r, "using serect %V", &secret); - ngx_http_waf_dp(r, "gererating request body for verification"); char* in = ngx_pnalloc(r->pool, captcha_response->value.len + secret.len + 64); if (in == NULL) { - ngx_http_waf_dp(r, "no memory ... releasing resources"); goto hash_map_free; } sprintf(in, "response=%s&secret=%s", (char*)(captcha_response->value.data), (char*)(secret.data)); - ngx_http_waf_dpf(r, "success(%s)", in); - ngx_http_waf_dpf(r, "sending a request to %V", &url); if (ngx_http_waf_http_post(r, (char*)url.data, in, &json_str) != NGX_HTTP_WAF_SUCCESS) { if (json_str != NULL) { - ngx_http_waf_dpf(r, "failed(%s)", json_str); ngx_log_error(NGX_LOG_ALERT, r->connection->log, 0, "ngx_waf: %s", json_str); free(json_str); } else { - ngx_http_waf_dp(r, "failed"); ngx_log_error(NGX_LOG_ALERT, r->connection->log, 0, "ngx_waf: ngx_http_waf_http_post failed"); } - ngx_http_waf_dp(r, "releasing resources"); goto hash_map_free; } - ngx_http_waf_dpf(r, "success(%s)", json_str); - ngx_http_waf_dpf(r, "parsing json_string(%s)", json_str); cJSON* json_obj = cJSON_Parse(json_str); free(json_str); if (json_obj == NULL) { - ngx_http_waf_dp(r, "failed ... 
releasing resources"); ret = NGX_HTTP_WAF_FAIL; goto hash_map_free; } - ngx_http_waf_dp(r, "success"); cJSON* json = json_obj->child; ngx_int_t flag = 0; while(json != NULL) { switch (json->type) { case cJSON_NULL: - ngx_http_waf_dpf(r, "%s: null", json->string); break; case cJSON_True: - ngx_http_waf_dpf(r, "%s: true", json->string); break; case cJSON_False: - ngx_http_waf_dpf(r, "%s: false", json->string); break; case cJSON_Number: - ngx_http_waf_dpf(r, "%s: %f", json->string, json->valuedouble); break; case cJSON_String: - ngx_http_waf_dpf(r, "%s: %s", json->string, json->valuestring); break; default: break; @@ -767,6 +644,5 @@ static ngx_int_t _verfiy_reCAPTCHA_compatible(ngx_http_request_t* r, } } - ngx_http_waf_dp_func_end(r); return ret; } \ No newline at end of file diff --git a/src/ngx_http_waf_module_check.c b/src/ngx_http_waf_module_check.c index e6d2ec7f..49e4fa64 100644 --- a/src/ngx_http_waf_module_check.c +++ b/src/ngx_http_waf_module_check.c @@ -4,7 +4,6 @@ extern ngx_module_t ngx_http_waf_module; /**< 模块详情 */ ngx_int_t ngx_http_waf_handler_check_white_ip(ngx_http_request_t* r) { - ngx_http_waf_dp_func_start(r); ngx_http_waf_ctx_t* ctx = NULL; ngx_http_waf_loc_conf_t* loc_conf = NULL; @@ -16,7 +15,6 @@ ngx_int_t ngx_http_waf_handler_check_white_ip(ngx_http_request_t* r) { ngx_http_waf_set_action_decline(action, ACTION_FLAG_FROM_WHITE_LIST); if (!ngx_http_waf_check_flag(loc_conf->waf_mode, NGX_HTTP_WAF_MODE_INSPECT_IP)) { - ngx_http_waf_dp(r, "nothing to do ... return"); return NGX_HTTP_WAF_NOT_MATCHED; } 
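Review bot: In `_verfiy_reCAPTCHA_compatible`, two error paths jump to `hash_map_free` while `ret` still holds the `NGX_HTTP_WAF_SUCCESS` returned by `ngx_http_waf_parse_form_string`: the `in == NULL` allocation failure and the `ngx_http_waf_http_post(...) != NGX_HTTP_WAF_SUCCESS` branch. The other failure branches in this hunk set `ret = NGX_HTTP_WAF_FAIL;` first, and `_verify_captcha_dispatcher` maps a `NGX_HTTP_WAF_SUCCESS` result to `NGX_HTTP_WAF_CAPTCHA_PASS`. Unless the code at `hash_map_free` (outside this hunk) resets `ret`, an error while contacting the verification endpoint would be reported as a passed challenge. Add `ret = NGX_HTTP_WAF_FAIL;` before both `goto hash_map_free;` statements so that verification fails closed. With the debug call gone, the allocation-failure branch also exits without any log line, so it may deserve an `ngx_log_error` like the one in the POST branch.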
@@ -25,9 +23,7 @@ ngx_int_t ngx_http_waf_handler_check_white_ip(ngx_http_request_t* r) { ngx_http_waf_make_inx_addr(r, &inx_addr); if (r->connection->sockaddr->sa_family == AF_INET) { - ngx_http_waf_dp(r, "matching ipv4"); if (ip_trie_find(loc_conf->white_ipv4, &inx_addr, &ip_trie_node) == NGX_HTTP_WAF_SUCCESS) { - ngx_http_waf_dpf(r, "matched(%s)", ip_trie_node->data); ctx->gernal_logged = 1; ctx->blocked = 0; ngx_http_waf_set_rule_info(r, "WHITE-IPV4", ip_trie_node->data, @@ -35,14 +31,11 @@ ngx_int_t ngx_http_waf_handler_check_white_ip(ngx_http_request_t* r) { ngx_http_waf_append_action(r, action); ret_value = NGX_HTTP_WAF_MATCHED; } else { - ngx_http_waf_dp(r, "not matched"); } } #if (NGX_HAVE_INET6) else if (r->connection->sockaddr->sa_family == AF_INET6) { - ngx_http_waf_dp(r, "matching ipv6"); if (ip_trie_find(loc_conf->white_ipv6, &inx_addr, &ip_trie_node) == NGX_HTTP_WAF_SUCCESS) { - ngx_http_waf_dpf(r, "matched(%s)", ip_trie_node->data); ctx->gernal_logged = 1; ctx->blocked = 0; ngx_http_waf_set_rule_info(r, "WHITE-IPV6", ip_trie_node->data, @@ -50,18 +43,15 @@ ngx_int_t ngx_http_waf_handler_check_white_ip(ngx_http_request_t* r) { ngx_http_waf_append_action(r, action); ret_value = NGX_HTTP_WAF_MATCHED; } else { - ngx_http_waf_dp(r, "not matched"); } } #endif - ngx_http_waf_dp_func_end(r); return ret_value; } ngx_int_t ngx_http_waf_handler_check_black_ip(ngx_http_request_t* r) { - ngx_http_waf_dp_func_start(r); ngx_http_waf_ctx_t* ctx = NULL; ngx_http_waf_loc_conf_t* loc_conf = NULL; @@ -73,7 +63,6 @@ ngx_int_t ngx_http_waf_handler_check_black_ip(ngx_http_request_t* r) { ngx_http_waf_copy_action_chain(r->pool, action, loc_conf->action_chain_blacklist); if (!ngx_http_waf_check_flag(loc_conf->waf_mode, NGX_HTTP_WAF_MODE_INSPECT_IP)) { - ngx_http_waf_dp(r, "nothing to do ... return"); return NGX_HTTP_WAF_NOT_MATCHED; } 
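Review bot: Deleting the debug calls leaves empty branches behind, starting with the two `} else { }` blocks that follow `ip_trie_find` in `ngx_http_waf_handler_check_white_ip`. The same residue appears in `ngx_http_waf_handler_check_black_ip`, in the URL, args, user-agent, referer and cookie handlers, and in `ngx_http_waf_regex_exec_arrray`, where `if (*(tmp.data) == NULL) { } else { ngx_memcpy(...); }` now has an empty true branch. Remove the empty `else` blocks and invert the cache check to `if (*(tmp.data) != NULL) { ngx_memcpy(*(tmp.data), &result, sizeof(check_result_t)); }`. As it stands, a reader cannot tell whether the empty branch is intentional or a handler that was lost.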
@@ -82,9 +71,7 @@ ngx_int_t ngx_http_waf_handler_check_black_ip(ngx_http_request_t* r) { ngx_http_waf_make_inx_addr(r, &inx_addr); if (r->connection->sockaddr->sa_family == AF_INET) { - ngx_http_waf_dp(r, "matching ipv4"); if (ip_trie_find(loc_conf->black_ipv4, &inx_addr, &ip_trie_node) == NGX_HTTP_WAF_SUCCESS) { - ngx_http_waf_dpf(r, "matched(%s)", ip_trie_node->data); ctx->gernal_logged = 1; ctx->blocked = 1; ngx_http_waf_set_rule_info(r, "BLACK-IPV4", ip_trie_node->data, @@ -92,14 +79,11 @@ ngx_int_t ngx_http_waf_handler_check_black_ip(ngx_http_request_t* r) { ngx_http_waf_append_action_chain(r, action); ret_value = NGX_HTTP_WAF_MATCHED; } else { - ngx_http_waf_dp(r, "not matched"); } } #if (NGX_HAVE_INET6) else if (r->connection->sockaddr->sa_family == AF_INET6) { - ngx_http_waf_dp(r, "matching ipv6"); if (ip_trie_find(loc_conf->black_ipv6, &inx_addr, &ip_trie_node) == NGX_HTTP_WAF_SUCCESS) { - ngx_http_waf_dpf(r, "matched(%s)", ip_trie_node->data); ctx->gernal_logged = 1; ctx->blocked = 1; ngx_http_waf_set_rule_info(r, "BLACK-IPV6", ip_trie_node->data, @@ -107,18 +91,15 @@ ngx_int_t ngx_http_waf_handler_check_black_ip(ngx_http_request_t* r) { ngx_http_waf_append_action_chain(r, action); ret_value = NGX_HTTP_WAF_MATCHED; } else { - ngx_http_waf_dp(r, "not matched"); } } #endif - ngx_http_waf_dp_func_end(r); return ret_value; } ngx_int_t ngx_http_waf_handler_check_cc(ngx_http_request_t* r) { - ngx_http_waf_dp_func_start(r); ngx_http_waf_ctx_t* ctx = NULL; ngx_http_waf_loc_conf_t* loc_conf = NULL; @@ -131,7 +112,6 @@ ngx_int_t ngx_http_waf_handler_check_cc(ngx_http_request_t* r) { ngx_http_waf_copy_action_chain(r->pool, action, loc_conf->action_chain_cc_deny); if (ngx_http_waf_is_unset_or_disable_value(loc_conf->waf_cc_deny)) { - ngx_http_waf_dp(r, "nothing to do ... return"); return NGX_HTTP_WAF_NOT_MATCHED; } 
@@ -140,36 +120,26 @@ ngx_int_t ngx_http_waf_handler_check_cc(ngx_http_request_t* r) { || ngx_http_waf_is_unset_or_disable_value(loc_conf->waf_cc_deny_cycle) || !ngx_http_waf_is_valid_ptr_value(loc_conf->shm_zone_cc_deny) || !ngx_http_waf_is_valid_ptr_value(loc_conf->ip_access_statistics)) { - ngx_http_waf_dp(r, "invalid configuratiion ... return"); ngx_http_waf_append_action_return(r, NGX_HTTP_INTERNAL_SERVER_ERROR, ACTION_FLAG_FROM_CC_DENY); return NGX_HTTP_WAF_NOT_MATCHED; } - ngx_http_waf_dp(r, "generating inx_addr_t"); inx_addr_t inx_addr; ngx_http_waf_make_inx_addr(r, &inx_addr); - ngx_http_waf_dp(r, "success"); ngx_int_t limit = loc_conf->waf_cc_deny_limit; ngx_int_t duration = loc_conf->waf_cc_deny_duration; ip_statis_t* statis = NULL; - ngx_http_waf_dpf(r, "limit: %i, duration: %i", limit, duration); ngx_slab_pool_t *shpool = (ngx_slab_pool_t *)loc_conf->shm_zone_cc_deny->shm.addr; - ngx_http_waf_dp(r, "locking shared memory"); ngx_shmtx_lock(&shpool->mutex); - ngx_http_waf_dp(r, "success"); - ngx_http_waf_dp(r, "getting cache"); lru_cache_find_result_t tmp0 = lru_cache_find(loc_conf->ip_access_statistics, &inx_addr, sizeof(inx_addr_t)); if (tmp0.status == NGX_HTTP_WAF_KEY_EXISTS) { - ngx_http_waf_dp(r, "found"); statis = *(tmp0).data; } else { - ngx_http_waf_dp(r, "not found"); - ngx_http_waf_dp(r, "adding cache"); lru_cache_add_result_t tmp1 = lru_cache_add( loc_conf->ip_access_statistics, &inx_addr, @@ -179,7 +149,6 @@ ngx_int_t ngx_http_waf_handler_check_cc(ngx_http_request_t* r) { if (tmp1.status == NGX_HTTP_WAF_SUCCESS) { statis = mem_pool_calloc(loc_conf->ip_access_statistics->pool, sizeof(ip_statis_t)); if (statis == NULL) { - ngx_http_waf_dp(r, "no memroy ... exception"); goto exception; } statis->count = 0; @@ -188,7 +157,6 @@ ngx_int_t ngx_http_waf_handler_check_cc(ngx_http_request_t* r) { statis->block_time = 0; ctx->rate = 0; *(tmp1.data) = statis; - ngx_http_waf_dp(r, "success"); } else { goto exception; 
@@ -217,10 +185,8 @@ ngx_int_t ngx_http_waf_handler_check_cc(ngx_http_request_t* r) { // if (statis->is_blocked == NGX_HTTP_WAF_TRUE) { // /* 如果还在拦截时间内 */ // if (diff_second_block < duration) { - // ngx_http_waf_dp(r, "still blocked"); // goto matched; // } else { - // ngx_http_waf_dp(r, "reset record"); // statis->count = 1; // statis->is_blocked = NGX_HTTP_WAF_FALSE; // statis->record_time = now; @@ -232,11 +198,9 @@ ngx_int_t ngx_http_waf_handler_check_cc(ngx_http_request_t* r) { // else if (diff_second_record <= loc_conf->waf_cc_deny_cycle) { // /* 如果访问频率超出限制 */ // if (statis->count > limit) { - // ngx_http_waf_dp(r, "start blocking"); // goto matched; // } // } else { - // ngx_http_waf_dp(r, "expired cache"); // statis->count = 1; // statis->is_blocked = NGX_HTTP_WAF_FALSE; // statis->record_time = now; @@ -249,13 +213,11 @@ ngx_int_t ngx_http_waf_handler_check_cc(ngx_http_request_t* r) { matched: { - ngx_http_waf_dp(r, "flow: matched"); goto block; } block: { - ngx_http_waf_dp(r, "flow: block"); ctx->gernal_logged = 1; ctx->blocked = 1; @@ -266,10 +228,8 @@ ngx_int_t ngx_http_waf_handler_check_cc(ngx_http_request_t* r) { /* 如果不是 444 状态码则生成响应头 Retry-After。*/ if (ngx_http_waf_check_flag(action->flag, ACTION_FLAG_RETURN) && action->extra.http_status != NGX_HTTP_CLOSE) { - ngx_http_waf_dp(r, "generating reponse header: Retry-After "); ngx_table_elt_t* header = (ngx_table_elt_t*)ngx_list_push(&(r->headers_out.headers)); if (header == NULL) { - ngx_http_waf_dp(r, "failed ... unlock"); goto unlock; } @@ -279,7 +239,6 @@ ngx_int_t ngx_http_waf_handler_check_cc(ngx_http_request_t* r) { ngx_str_set(&header->key, "Retry-After"); header->value.data = ngx_palloc(r->pool, NGX_TIME_T_LEN + 1); if (header->value.data == NULL) { - ngx_http_waf_dp(r, "no memory ... unlock"); goto unlock; } 
@@ -290,14 +249,12 @@ ngx_int_t ngx_http_waf_handler_check_cc(ngx_http_request_t* r) { #else #error The size of time_t is unexpected. #endif - ngx_http_waf_dpf(r, "success(%V=%V)", &header->key, &header->value); } goto unlock; } exception: { - ngx_http_waf_dp(r, "flow expcetion"); ngx_http_waf_append_action_return(r, NGX_HTTP_SERVICE_UNAVAILABLE, ACTION_FLAG_FROM_CC_DENY); ret_value = NGX_HTTP_WAF_MATCHED; goto unlock; @@ -305,20 +262,15 @@ ngx_int_t ngx_http_waf_handler_check_cc(ngx_http_request_t* r) { // no_memory: // not_matched: unlock: - ngx_http_waf_dp(r, "flow unlock"); - ngx_http_waf_dp(r, "unlocking shared memory") ngx_shmtx_unlock(&shpool->mutex); - ngx_http_waf_dp(r, "success"); - ngx_http_waf_dp_func_end(r); return ret_value; } ngx_int_t ngx_http_waf_handler_check_white_url(ngx_http_request_t* r) { - ngx_http_waf_dp_func_start(r); ngx_http_waf_ctx_t* ctx = NULL; ngx_http_waf_loc_conf_t* loc_conf = NULL; @@ -330,7 +282,6 @@ ngx_int_t ngx_http_waf_handler_check_white_url(ngx_http_request_t* r) { ngx_http_waf_set_action_decline(action, ACTION_FLAG_FROM_WHITE_LIST); if (!ngx_http_waf_check_flag(loc_conf->waf_mode, NGX_HTTP_WAF_MODE_INSPECT_URL | r->method)) { - ngx_http_waf_dp(r, "nothing to do ... return"); return NGX_HTTP_WAF_NOT_MATCHED; } 
@@ -338,25 +289,20 @@ ngx_int_t ngx_http_waf_handler_check_white_url(ngx_http_request_t* r) { ngx_array_t* regex_array = loc_conf->white_url; lru_cache_t* cache = loc_conf->white_url_inspection_cache; - ngx_http_waf_dpf(r, "matching uri(%V)", p_uri); ret_value = ngx_http_waf_regex_exec_arrray(r, p_uri, regex_array, (u_char*)"WHITE-URL", cache); if (ret_value == NGX_HTTP_WAF_MATCHED) { - ngx_http_waf_dp(r, "matched"); ctx->gernal_logged = 1; ctx->blocked = 0; ngx_http_waf_append_action(r, action); } else { - ngx_http_waf_dp(r, "not matched"); } - ngx_http_waf_dp_func_end(r); return ret_value; } ngx_int_t ngx_http_waf_handler_check_black_url(ngx_http_request_t* r) { - ngx_http_waf_dp_func_start(r); ngx_http_waf_ctx_t* ctx = NULL; ngx_http_waf_loc_conf_t* loc_conf = NULL; @@ -368,7 +314,6 @@ ngx_int_t ngx_http_waf_handler_check_black_url(ngx_http_request_t* r) { ngx_http_waf_copy_action_chain(r->pool, action, loc_conf->action_chain_blacklist); if (!ngx_http_waf_check_flag(loc_conf->waf_mode, NGX_HTTP_WAF_MODE_INSPECT_URL | r->method)) { - ngx_http_waf_dp(r, "nothing to do ... return"); return NGX_HTTP_WAF_NOT_MATCHED; } @@ -376,25 +321,20 @@ ngx_int_t ngx_http_waf_handler_check_black_url(ngx_http_request_t* r) { ngx_array_t* regex_array = loc_conf->black_url; lru_cache_t* cache = loc_conf->black_url_inspection_cache; - ngx_http_waf_dpf(r, "matching uri(%V)", p_uri); ret_value = ngx_http_waf_regex_exec_arrray(r, p_uri, regex_array, (u_char*)"BLACK-URL", cache); if (ret_value == NGX_HTTP_WAF_MATCHED) { - ngx_http_waf_dp(r, "matched"); ctx->gernal_logged = 1; ctx->blocked = 1; ngx_http_waf_append_action_chain(r, action); } else { - ngx_http_waf_dp(r, "not matched"); } - ngx_http_waf_dp_func_end(r); return ret_value; } ngx_int_t ngx_http_waf_handler_check_black_args(ngx_http_request_t* r) { - ngx_http_waf_dp_func_start(r); ngx_http_waf_ctx_t* ctx = NULL; ngx_http_waf_loc_conf_t* loc_conf = NULL; 
@@ -406,7 +346,6 @@ ngx_int_t ngx_http_waf_handler_check_black_args(ngx_http_request_t* r) { ngx_http_waf_copy_action_chain(r->pool, action, loc_conf->action_chain_blacklist); if (!ngx_http_waf_check_flag(loc_conf->waf_mode, NGX_HTTP_WAF_MODE_INSPECT_ARGS | r->method)) { - ngx_http_waf_dp(r, "nothing to do ... return"); return NGX_HTTP_WAF_NOT_MATCHED; } @@ -414,25 +353,20 @@ ngx_int_t ngx_http_waf_handler_check_black_args(ngx_http_request_t* r) { ngx_array_t* regex_array = loc_conf->black_args; lru_cache_t* cache = loc_conf->black_args_inspection_cache; - ngx_http_waf_dpf(r, "matching args(%V)", p_args); ret_value = ngx_http_waf_regex_exec_arrray(r, p_args, regex_array, (u_char*)"BLACK-ARGS", cache); if (ret_value == NGX_HTTP_WAF_MATCHED) { - ngx_http_waf_dp(r, "matched"); ctx->gernal_logged = 1; ctx->blocked = 1; ngx_http_waf_append_action_chain(r, action); } else { - ngx_http_waf_dp(r, "not matched"); } - ngx_http_waf_dp_func_end(r); return ret_value; } ngx_int_t ngx_http_waf_handler_check_black_user_agent(ngx_http_request_t* r) { - ngx_http_waf_dp_func_start(r); ngx_http_waf_ctx_t* ctx = NULL; ngx_http_waf_loc_conf_t* loc_conf = NULL; @@ -444,12 +378,10 @@ ngx_int_t ngx_http_waf_handler_check_black_user_agent(ngx_http_request_t* r) { ngx_http_waf_copy_action_chain(r->pool, action, loc_conf->action_chain_blacklist); if (!ngx_http_waf_check_flag(loc_conf->waf_mode, NGX_HTTP_WAF_MODE_INSPECT_UA | r->method)) { - ngx_http_waf_dp(r, "nothing to do ... return"); return NGX_HTTP_WAF_NOT_MATCHED; } if (r->headers_in.user_agent == NULL) { - ngx_http_waf_dp(r, "empty user-agent ... return"); return NGX_HTTP_WAF_NOT_MATCHED; } 
@@ -457,25 +389,20 @@ ngx_int_t ngx_http_waf_handler_check_black_user_agent(ngx_http_request_t* r) { ngx_array_t* regex_array = loc_conf->black_ua; lru_cache_t* cache = loc_conf->black_ua_inspection_cache; - ngx_http_waf_dpf(r, "matching user-agent(%V)", p_ua); ret_value = ngx_http_waf_regex_exec_arrray(r, p_ua, regex_array, (u_char*)"BLACK-UA", cache); if (ret_value == NGX_HTTP_WAF_MATCHED) { - ngx_http_waf_dp(r, "matched"); ctx->gernal_logged = 1; ctx->blocked = 1; ngx_http_waf_append_action_chain(r, action); } else { - ngx_http_waf_dp(r, "not matched"); } - ngx_http_waf_dp_func_end(r); return ret_value; } ngx_int_t ngx_http_waf_handler_check_white_referer(ngx_http_request_t* r) { - ngx_http_waf_dp_func_start(r); ngx_http_waf_ctx_t* ctx = NULL; ngx_http_waf_loc_conf_t* loc_conf = NULL; @@ -487,12 +414,10 @@ ngx_int_t ngx_http_waf_handler_check_white_referer(ngx_http_request_t* r) { ngx_http_waf_set_action_decline(action, ACTION_FLAG_FROM_WHITE_LIST); if (!ngx_http_waf_check_flag(loc_conf->waf_mode, NGX_HTTP_WAF_MODE_INSPECT_REFERER | r->method)) { - ngx_http_waf_dp(r, "nothing to do ... return"); return NGX_HTTP_WAF_NOT_MATCHED; } if (r->headers_in.referer == NULL) { - ngx_http_waf_dp(r, "empty referer ... return"); return NGX_HTTP_WAF_NOT_MATCHED; } 
@@ -501,25 +426,20 @@ ngx_int_t ngx_http_waf_handler_check_white_referer(ngx_http_request_t* r) { ngx_array_t* regex_array = loc_conf->white_referer; lru_cache_t* cache = loc_conf->white_referer_inspection_cache; - ngx_http_waf_dpf(r, "matching referer(%V)", p_referer); ret_value = ngx_http_waf_regex_exec_arrray(r, p_referer, regex_array, (u_char*)"WHITE-REFERER", cache); if (ret_value == NGX_HTTP_WAF_MATCHED) { - ngx_http_waf_dp(r, "matched"); ctx->gernal_logged = 1; ctx->blocked = 0; ngx_http_waf_append_action(r, action); } else { - ngx_http_waf_dp(r, "not matched"); } - ngx_http_waf_dp_func_end(r); return ret_value; } ngx_int_t ngx_http_waf_handler_check_black_referer(ngx_http_request_t* r) { - ngx_http_waf_dp_func_start(r); ngx_http_waf_ctx_t* ctx = NULL; ngx_http_waf_loc_conf_t* loc_conf = NULL; @@ -531,12 +451,10 @@ ngx_int_t ngx_http_waf_handler_check_black_referer(ngx_http_request_t* r) { ngx_http_waf_copy_action_chain(r->pool, action, loc_conf->action_chain_blacklist); if (!ngx_http_waf_check_flag(loc_conf->waf_mode, NGX_HTTP_WAF_MODE_INSPECT_REFERER | r->method)) { - ngx_http_waf_dp(r, "nothing to do ... return"); return NGX_HTTP_WAF_NOT_MATCHED; } if (r->headers_in.referer == NULL) { - ngx_http_waf_dp(r, "empty referer ... return"); return NGX_HTTP_WAF_NOT_MATCHED; } 
@@ -544,25 +462,20 @@ ngx_int_t ngx_http_waf_handler_check_black_referer(ngx_http_request_t* r) { ngx_array_t* regex_array = loc_conf->black_referer; lru_cache_t* cache = loc_conf->black_referer_inspection_cache; - ngx_http_waf_dpf(r, "matching referer(%V)", p_referer); ret_value = ngx_http_waf_regex_exec_arrray(r, p_referer, regex_array, (u_char*)"BLACK-REFERER", cache); if (ret_value == NGX_HTTP_WAF_MATCHED) { - ngx_http_waf_dp(r, "matched"); ctx->gernal_logged = 1; ctx->blocked = 1; ngx_http_waf_append_action_chain(r, action); } else { - ngx_http_waf_dp(r, "not matched"); } - ngx_http_waf_dp_func_end(r); return ret_value; } ngx_int_t ngx_http_waf_handler_check_black_cookie(ngx_http_request_t* r) { - ngx_http_waf_dp_func_start(r); ngx_http_waf_ctx_t* ctx = NULL; ngx_http_waf_loc_conf_t* loc_conf = NULL; @@ -574,13 +487,11 @@ ngx_int_t ngx_http_waf_handler_check_black_cookie(ngx_http_request_t* r) { ngx_http_waf_copy_action_chain(r->pool, action, loc_conf->action_chain_blacklist); if (!ngx_http_waf_check_flag(loc_conf->waf_mode, NGX_HTTP_WAF_MODE_INSPECT_COOKIE | r->method)) { - ngx_http_waf_dp(r, "nothing to do ... return"); return NGX_HTTP_WAF_NOT_MATCHED; } #if (nginx_version >= 1023000) if (r->headers_in.cookie == NULL) { - ngx_http_waf_dp(r, "empty cookies ... return"); return NGX_HTTP_WAF_NOT_MATCHED; } @@ -608,23 +519,19 @@ ngx_int_t ngx_http_waf_handler_check_black_cookie(ngx_http_request_t* r) { ret_value = ngx_http_waf_regex_exec_arrray(r, &cookie, regex_array, (u_char*)"BLACK-COOKIE", cache); if (ret_value == NGX_HTTP_WAF_MATCHED) { - ngx_http_waf_dp(r, "matched"); ctx->gernal_logged = 1; ctx->blocked = 1; ngx_http_waf_append_action_chain(r, action); } else { - ngx_http_waf_dp(r, "not matched"); } if (ctx->blocked) { - ngx_http_waf_dp(r, "blocked ... break"); break; } } #else if (r->headers_in.cookies.nelts == 0) { - ngx_http_waf_dp(r, "empty cookies ... return"); return NGX_HTTP_WAF_NOT_MATCHED; } 
@@ -633,36 +540,30 @@ ngx_int_t ngx_http_waf_handler_check_black_cookie(ngx_http_request_t* r) { for (i = 0; i < r->headers_in.cookies.nelts; i++, ppcookie++) { ngx_str_t* native_cookies = &((**ppcookie).value); - ngx_http_waf_dpf(r, "matching cookie(%V)", native_cookies); ngx_array_t* regex_array = loc_conf->black_cookie; lru_cache_t* cache = loc_conf->black_cookie_inspection_cache; ret_value = ngx_http_waf_regex_exec_arrray(r, native_cookies, regex_array, (u_char*)"BLACK-COOKIE", cache); if (ret_value == NGX_HTTP_WAF_MATCHED) { - ngx_http_waf_dp(r, "matched"); ctx->gernal_logged = 1; ctx->blocked = 1; ngx_http_waf_append_action_chain(r, action); } else { - ngx_http_waf_dp(r, "not matched"); } if (ctx->blocked) { - ngx_http_waf_dp(r, "blocked ... break"); break; } } #endif - ngx_http_waf_dp_func_end(r); return ret_value; } ngx_int_t ngx_http_waf_handler_check_black_post(ngx_http_request_t* r) { - ngx_http_waf_dp_func_start(r); ngx_http_waf_ctx_t* ctx = NULL; ngx_http_waf_loc_conf_t* loc_conf = NULL; @@ -673,12 +574,10 @@ ngx_int_t ngx_http_waf_handler_check_black_post(ngx_http_request_t* r) { ngx_http_waf_copy_action_chain(r->pool, action, loc_conf->action_chain_blacklist); if (!ngx_http_waf_check_flag(loc_conf->waf_mode, NGX_HTTP_WAF_MODE_INSPECT_RB)) { - ngx_http_waf_dp(r, "nothing to do ... return"); return NGX_HTTP_WAF_NOT_MATCHED; } if (ctx->has_req_body == NGX_HTTP_WAF_FALSE) { - ngx_http_waf_dp(r, "empty request body ... return"); return NGX_HTTP_WAF_NOT_MATCHED; } 
@@ -686,17 +585,13 @@ ngx_int_t ngx_http_waf_handler_check_black_post(ngx_http_request_t* r) { body_str.data = ctx->req_body.pos; body_str.len = ctx->req_body.last - ctx->req_body.pos; - ngx_http_waf_dpf(r, "matching request body %V", &body_str); ngx_int_t rc = ngx_http_waf_regex_exec_arrray(r, &body_str, loc_conf->black_post, (u_char*)"BLACK-POST", NULL); if (rc == NGX_HTTP_WAF_MATCHED) { - ngx_http_waf_dp(r, "matched"); ctx->gernal_logged = 1; ctx->blocked = 1; ngx_http_waf_append_action_chain(r, action); return NGX_HTTP_WAF_MATCHED; } else { - ngx_http_waf_dp(r, "not matched"); - ngx_http_waf_dp_func_end(r); return NGX_HTTP_WAF_NOT_MATCHED; } } @@ -707,7 +602,6 @@ ngx_int_t ngx_http_waf_regex_exec_arrray(ngx_http_request_t* r, ngx_array_t* array, const u_char* rule_type, lru_cache_t* cache) { - ngx_http_waf_dp_func_start(r); ngx_http_waf_loc_conf_t* loc_conf = NULL; ngx_http_waf_ctx_t* ctx = NULL; 
@@ -718,33 +612,26 @@ ngx_int_t ngx_http_waf_regex_exec_arrray(ngx_http_request_t* r, result.detail = NULL; if (ngx_http_waf_is_empty_str_value(str) || !ngx_http_waf_is_valid_ptr_value(array)) { - ngx_http_waf_dp(r, "nothing to do ... return"); return NGX_HTTP_WAF_NOT_MATCHED; } if ( loc_conf->waf_cache == 1 && loc_conf->waf_cache_capacity != NGX_CONF_UNSET && cache != NULL) { - ngx_http_waf_dp(r, "getting cache"); lru_cache_find_result_t tmp = lru_cache_find(cache, str->data, sizeof(u_char) * str->len); if (tmp.status == NGX_HTTP_WAF_KEY_EXISTS) { - ngx_http_waf_dp(r, "found"); cache_hit = NGX_HTTP_WAF_SUCCESS; ngx_memcpy(&result, *(tmp.data), sizeof(check_result_t)); } else { - ngx_http_waf_dp(r, "not found"); } } if (cache_hit != NGX_HTTP_WAF_SUCCESS) { - ngx_http_waf_dpf(r, "matching str(%V)", str); ngx_regex_elt_t* p = (ngx_regex_elt_t*)(array->elts); for (size_t i = 0; i < array->nelts; i++, p++) { - ngx_http_waf_dpf(r, "testing %s", p->name); ngx_int_t rc = ngx_regex_exec(p->regex, str, NULL, 0); if (rc >= 0) { - ngx_http_waf_dp(r, "matched"); result.is_matched = NGX_HTTP_WAF_MATCHED; result.detail = p->name; break; @@ -755,7 +642,6 @@ ngx_int_t ngx_http_waf_regex_exec_arrray(ngx_http_request_t* r, if ( loc_conf->waf_cache == 1 && loc_conf->waf_cache_capacity != NGX_CONF_UNSET && cache != NULL) { - ngx_http_waf_dp(r, "adding cache"); /* 过期时间为 [5, 10] 分钟 */ time_t expire = (time_t)randombytes_uniform(60 * 5) + 60 * 5; 
@@ -763,28 +649,22 @@ ngx_int_t ngx_http_waf_regex_exec_arrray(ngx_http_request_t* r, if (tmp.status == NGX_HTTP_WAF_SUCCESS) { *(tmp.data) = lru_cache_calloc(cache, sizeof(check_result_t)); if (*(tmp.data) == NULL) { - ngx_http_waf_dp(r, "no memory"); } else { ngx_memcpy(*(tmp.data), &result, sizeof(check_result_t)); - ngx_http_waf_dp(r, "success"); } } else { - ngx_http_waf_dp(r, "failed"); } } if (result.is_matched == NGX_HTTP_WAF_MATCHED) { - ngx_http_waf_dp(r, "matched"); /* 这里不设置 ctx->gernal_logged 和 ctx->blocked,参数只是凑数的。 */ ngx_http_waf_set_rule_info(r, (char*)rule_type, (char*)result.detail, 0, 0); } else { - ngx_http_waf_dp(r, "not matched"); } - ngx_http_waf_dp_func_end(r); return result.is_matched; } diff --git a/src/ngx_http_waf_module_core.c b/src/ngx_http_waf_module_core.c index 715b23d7..a0a72436 100644 --- a/src/ngx_http_waf_module_core.c +++ b/src/ngx_http_waf_module_core.c @@ -171,7 +171,6 @@ ngx_int_t ngx_http_waf_handler_access_phase(ngx_http_request_t* r) { } ngx_int_t ngx_http_waf_handler_precontent_phase(ngx_http_request_t* r) { - ngx_http_waf_dp_func_start(r); ngx_http_waf_ctx_t* ctx = NULL; ngx_http_waf_loc_conf_t* loc_conf = NULL; 
@@ -179,60 +178,47 @@ ngx_int_t ngx_http_waf_handler_precontent_phase(ngx_http_request_t* r) { ngx_http_waf_perform_action_at_content(r); - ngx_http_waf_dp_func_end(r); return NGX_OK; } ngx_int_t ngx_http_waf_handler_log_phase(ngx_http_request_t* r) { - ngx_http_waf_dp_func_start(r); ngx_http_waf_ctx_t* ctx = NULL; ngx_http_waf_loc_conf_t* loc_conf = NULL; ngx_http_waf_get_ctx_and_conf(r, &loc_conf, &ctx); if (loc_conf->waf == 0 || loc_conf->waf == NGX_CONF_UNSET) { - ngx_http_waf_dp(r, "do nothing due to not enabled ... return"); return NGX_DECLINED; } _gc(r); if (ctx == NULL) { - ngx_http_waf_dp(r, "no ctx ... return"); return NGX_OK; } if (ctx->gernal_logged) { ctx->gernal_logged = 0; - ngx_http_waf_dp(r, "logging (gernal)"); ngx_log_error(NGX_LOG_ALERT, r->connection->log, 0, "ngx_waf: [%V][%V]", &ctx->rule_type, &ctx->rule_deatils); - ngx_http_waf_dp(r, "success ... return"); } if (ctx->modsecurity_transaction != NULL) { - ngx_http_waf_dp(r, "logging (ModSecurity)"); int ret = msc_process_logging(ctx->modsecurity_transaction); - ngx_http_waf_dp(ctx->r, "cleaning transaction"); msc_transaction_cleanup(ctx->modsecurity_transaction); ctx->modsecurity_transaction = NULL; - ngx_http_waf_dp(ctx->r, "success ... return"); if (ret != 1) { - ngx_http_waf_dp(r, "msc_process_logging() failed ... return"); return NGX_ERROR; } - ngx_http_waf_dp(r, "success ... return"); } - ngx_http_waf_dp_func_end(r); return NGX_OK; } ngx_int_t ngx_http_waf_check_all(ngx_http_request_t* r, ngx_int_t is_check_cc) { - ngx_http_waf_dp_func_start(r); ngx_http_waf_ctx_t* ctx = NULL; ngx_http_waf_loc_conf_t* loc_conf = NULL; 
@@ -240,34 +226,25 @@ ngx_int_t ngx_http_waf_check_all(ngx_http_request_t* r, ngx_int_t is_check_cc) { ngx_int_t is_matched = NGX_HTTP_WAF_NOT_MATCHED; if (ngx_http_waf_is_unset_or_disable_value(loc_conf->waf)) { - ngx_http_waf_dp(r, "do nothing due to not enabled ... return"); return NGX_DECLINED; } if (ctx == NULL) { - ngx_http_waf_dp(r, "allocating memory to storage ctx"); ngx_http_cleanup_t* cln = ngx_palloc(r->pool, sizeof(ngx_http_cleanup_t)); if (cln == NULL) { - ngx_http_waf_dp(r, "no memory to store cleanup_pt ... return"); return NGX_ERROR; } - ngx_http_waf_dp(r, "success"); ctx = ngx_palloc(r->pool, sizeof(ngx_http_waf_ctx_t)); if (ctx == NULL) { - ngx_http_waf_dp(r, "no memory to store ctx ... return"); return NGX_ERROR; } - ngx_http_waf_dp(r, "success"); - ngx_http_waf_dp(r, "initializing cleanup_pt"); cln->handler = ngx_http_waf_handler_cleanup; cln->data = ctx; cln->next = NULL; - ngx_http_waf_dp(r, "success"); - ngx_http_waf_dp(r, "initializing ctx"); ctx->r = r; ctx->action_chain = NULL; ctx->rate = 0; @@ -293,10 +270,8 @@ ngx_int_t ngx_http_waf_check_all(ngx_http_request_t* r, ngx_int_t is_check_cc) { ctx->modsecurity_triggered = NGX_HTTP_WAF_FALSE; ctx->start_from_thread = NGX_HTTP_WAF_FALSE; #endif - ngx_http_waf_dp(r, "success"); - ngx_http_waf_dp(r, "installing cleanup_pt"); if (r->cleanup == NULL) { r->cleanup = cln; } else { @@ -307,11 +282,8 @@ ngx_int_t ngx_http_waf_check_all(ngx_http_request_t* r, ngx_int_t is_check_cc) { } } } - ngx_http_waf_dp(r, "success"); - ngx_http_waf_dp(r, "installing cleanup_pt"); ngx_http_set_ctx(r, ctx, ngx_http_waf_module); - ngx_http_waf_dp(r, "success"); } if (ngx_http_get_module_ctx(r, ngx_http_waf_module) == NULL) { 
@@ -320,13 +292,10 @@ ngx_int_t ngx_http_waf_check_all(ngx_http_request_t* r, ngx_int_t is_check_cc) { if (ctx->register_content_handler && loc_conf->waf == 1) { - ngx_http_waf_dp(r, "registering content handler"); ngx_http_waf_register_content_handler(r); - ngx_http_waf_dp(r, "success"); } if (ngx_http_waf_check_flag(!loc_conf->waf_mode, r->method)) { - ngx_http_waf_dp(r, "do nothing due to waf_mode ... return"); return NGX_DECLINED; } @@ -336,25 +305,21 @@ ngx_int_t ngx_http_waf_check_all(ngx_http_request_t* r, ngx_int_t is_check_cc) { } if (!ctx->read_body_done) { - ngx_http_waf_dp(r, "reading request body"); r->request_body_in_single_buf = 1; r->request_body_in_persistent_file = 1; r->request_body_in_clean_file = 1; ngx_int_t rc = ngx_http_read_client_request_body(r, _handler_read_request_body); if (rc == NGX_ERROR || rc >= NGX_HTTP_SPECIAL_RESPONSE) { - ngx_http_waf_dpf(r, "failed(%i) ... return", rc); return rc; } if (rc == NGX_AGAIN) { - ngx_http_waf_dpf(r, "continuse(%i) ... return", rc); ctx->waiting_more_body = 1; return NGX_DONE; } } if (!r->internal && ctx->checked) { - ngx_http_waf_dp(r, "do nothing due to multiple internal redirects ... return"); return NGX_DECLINED; } @@ -369,20 +334,15 @@ ngx_int_t ngx_http_waf_check_all(ngx_http_request_t* r, ngx_int_t is_check_cc) { #endif if (ctx->checked) { - ngx_http_waf_dp(r, "do nothing due to internal redirect ... return"); return NGX_DECLINED; } - ngx_http_waf_dp(r, "reading request body to ctx"); if (_read_request_body(r) == NGX_HTTP_WAF_FAULT) { - ngx_http_waf_dp(r, "failed ... return"); return NGX_HTTP_INTERNAL_SERVER_ERROR; } - ngx_http_waf_dp(r, "success"); ctx->checked = 1; - ngx_http_waf_dp(r, "invoke inspection handler"); ngx_http_waf_check_pt* funcs = loc_conf->check_proc; for (size_t i = 0; funcs[i] != NULL; i++) { is_matched = funcs[i](r); 
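Review bot: The method gate in `ngx_http_waf_check_all` reads `ngx_http_waf_check_flag(!loc_conf->waf_mode, r->method)`, which reduces `waf_mode` to 0 or 1 before the flag test. Every handler in ngx_http_waf_module_check.c instead negates the result, as in `!ngx_http_waf_check_flag(loc_conf->waf_mode, ...)`. The deleted debug text ("do nothing due to waf_mode") suggests the intent was to decline when the request method is not enabled in `waf_mode`. As written, the early `NGX_DECLINED` presumably almost never fires, though the macro definition is not visible here. If that reading is right, change the condition to `if (!ngx_http_waf_check_flag(loc_conf->waf_mode, r->method)) {`; the function body extends beyond this hunk.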
@@ -395,9 +355,7 @@ ngx_int_t ngx_http_waf_check_all(ngx_http_request_t* r, ngx_int_t is_check_cc) { ctx->spend = ((double)clock() / CLOCKS_PER_SEC * 1000) - ctx->spend; ngx_int_t http_status = ngx_http_waf_perform_action_at_access_end(r); - ngx_http_waf_dpf(r, "return %i", http_status); - ngx_http_waf_dp_func_end(r); return http_status; } @@ -408,7 +366,6 @@ void ngx_http_waf_handler_cleanup(void *data) { static ngx_int_t _read_request_body(ngx_http_request_t* r) { - ngx_http_waf_dp_func_start(r); ngx_http_waf_ctx_t* ctx = NULL; ngx_http_waf_loc_conf_t* loc_conf = NULL; @@ -416,48 +373,38 @@ static ngx_int_t _read_request_body(ngx_http_request_t* r) { if (r->request_body == NULL) { - ngx_http_waf_dp(r, "no request body ... return"); return NGX_HTTP_WAF_FAIL; } if (r->request_body->bufs == NULL) { - ngx_http_waf_dp(r, "no request body ... return"); return NGX_HTTP_WAF_FAIL; } if (r->request_body->temp_file) { - ngx_http_waf_dp(r, "in temp file ... return"); return NGX_HTTP_WAF_FAIL; } if (ctx->has_req_body) { - ngx_http_waf_dp(r, "already read ... return"); return NGX_HTTP_WAF_SUCCESS; } ngx_chain_t* bufs = r->request_body->bufs; size_t len = 0; - ngx_http_waf_dp(r, "getting request body length"); while (bufs != NULL) { len += (bufs->buf->last - bufs->buf->pos) * (sizeof(u_char) / sizeof(uint8_t)); bufs = bufs->next; } - ngx_http_waf_dpf(r, "request body length is %z", len); - ngx_http_waf_dp(r, "allocing memory to store request body into ctx"); u_char* body = ngx_pnalloc(r->pool, len + sizeof(u_char)); if (body == NULL) { - ngx_http_waf_dp(r, "no memroy ... return"); return NGX_HTTP_WAF_FAULT; } - ngx_http_waf_dp(r, "success"); ctx->has_req_body = 1; ctx->req_body.pos = body; ctx->req_body.last = (u_char*)((uint8_t*)body + len); - ngx_http_waf_dp(r, "copying request body into ctx"); bufs = r->request_body->bufs; size_t offset = 0; while (bufs != NULL) { 
@@ -466,17 +413,13 @@ static ngx_int_t _read_request_body(ngx_http_request_t* r) { offset += size; bufs = bufs->next; } - ngx_http_waf_dp(r, "success"); - ngx_http_waf_dpf(r, "request body is %*s", len, body); - ngx_http_waf_dp_func_end(r); return NGX_HTTP_WAF_SUCCESS; } static void _handler_read_request_body(ngx_http_request_t* r) { - ngx_http_waf_dp_func_start(r); ngx_http_waf_ctx_t* ctx = NULL; ngx_http_waf_loc_conf_t* loc_conf = NULL; @@ -490,18 +433,15 @@ static void _handler_read_request_body(ngx_http_request_t* r) { ngx_http_core_run_phases(r); } - ngx_http_waf_dp_func_end(r); } static ngx_int_t _gc(ngx_http_request_t* r) { - ngx_http_waf_dp_func_start(r); ngx_http_waf_main_conf_t* mcf = ngx_http_get_module_main_conf(r, ngx_http_waf_module); ngx_core_conf_t* ccf = (ngx_core_conf_t *)ngx_get_conf(ngx_cycle->conf_ctx, ngx_core_module); ngx_int_t worker_processes = ccf->worker_processes; - ngx_http_waf_dpf(r, "%i worker processes", worker_processes); /* 如果至少有一个 worker 进程则计算概率 */ if (worker_processes > 1 && randombytes_uniform(worker_processes) != 0) { 
@@ -509,51 +449,41 @@ static ngx_int_t _gc(ngx_http_request_t* r) { } /* 首先释放共享内存 */ - ngx_http_waf_dp(r, "freeing shared memory"); shm_t* shms = mcf->shms->elts; for (size_t i = 0; i < mcf->shms->nelts; i++) { shm_t* shm = &shms[i]; - ngx_http_waf_dpf(r, "freeing shared memory %V", &shm->name); if (ngx_http_waf_shm_gc(shm) != NGX_HTTP_WAF_SUCCESS) { - ngx_http_waf_dp(r, "failed ... return"); return NGX_HTTP_WAF_FAIL; } - ngx_http_waf_dp(r, "success"); } /* 最后释放非共享内存 */ - ngx_http_waf_dp(r, "freeing non-shared memory"); lru_cache_t** caches = mcf->local_caches->elts; ngx_uint_t nelts = mcf->local_caches->nelts; - ngx_http_waf_dpf(r, "%i caches", nelts); if (nelts != 0) { for (ngx_uint_t i = 0; i < nelts; i++){ lru_cache_t* cache = caches[i]; if (cache->no_memory) { - ngx_http_waf_dp(r, "low memory"); cache->no_memory = 0; lru_cache_eliminate(cache, 5); } else { ngx_uint_t limit = 10, loop = 0; - ngx_http_waf_dpf(r, "limit is %ui", limit); while (loop < limit && lru_cache_eliminate_expire(cache, 5) >= 3) { - ngx_http_waf_dpf(r, "loop %ui", loop); loop++; } } } } - ngx_http_waf_dp_func_end(r); return NGX_HTTP_WAF_SUCCESS; } \ No newline at end of file diff --git a/src/ngx_http_waf_module_modsecurity.c b/src/ngx_http_waf_module_modsecurity.c index 6b5f8212..0e96e433 100644 --- a/src/ngx_http_waf_module_modsecurity.c +++ b/src/ngx_http_waf_module_modsecurity.c 
@@ -75,24 +75,20 @@ void ngx_http_waf_modsecurity_handler_log(void* log, const void* data) { ngx_int_t ngx_http_waf_handler_modsecurity(ngx_http_request_t* r) { - ngx_http_waf_dp_func_start(r); ngx_http_waf_ctx_t* ctx = NULL; ngx_http_waf_loc_conf_t* loc_conf = NULL; ngx_http_waf_get_ctx_and_conf(r, &loc_conf, &ctx); if (ngx_http_waf_is_unset_or_disable_value(loc_conf->waf)) { - ngx_http_waf_dp(r, "nothing to do ... return"); return NGX_HTTP_WAF_NOT_MATCHED; } if (ngx_http_waf_is_unset_or_disable_value(loc_conf->waf_modsecurity)) { - ngx_http_waf_dp(r, "nothing to do ... return"); return NGX_HTTP_WAF_NOT_MATCHED; } if (!ngx_http_waf_check_flag(loc_conf->waf_mode, r->method)) { - ngx_http_waf_dp(r, "nothing to do ... return"); return NGX_HTTP_WAF_NOT_MATCHED; } @@ -134,7 +130,6 @@ ngx_int_t ngx_http_waf_handler_modsecurity(ngx_http_request_t* r) { } } - ngx_http_waf_dp_func_end(r); return ret; #endif 
@@ -142,96 +137,77 @@ ngx_int_t ngx_http_waf_handler_modsecurity(ngx_http_request_t* r) { ngx_int_t ngx_http_waf_header_filter(ngx_http_request_t *r) { - ngx_http_waf_dp_func_start(r); ngx_http_waf_ctx_t* ctx = NULL; ngx_http_waf_loc_conf_t* loc_conf = NULL; ngx_http_waf_get_ctx_and_conf(r, &loc_conf, &ctx); if (ngx_http_waf_is_unset_or_disable_value(loc_conf->waf)) { - ngx_http_waf_dp(r, "nothing to do ... return"); return ngx_http_next_header_filter(r); } if (ngx_http_waf_is_unset_or_disable_value(loc_conf->waf_modsecurity)) { - ngx_http_waf_dp(r, "nothing to do ... return"); return ngx_http_next_header_filter(r); } if (!ngx_http_waf_check_flag(loc_conf->waf_mode, r->method)) { - ngx_http_waf_dp(r, "nothing to do ... return"); return ngx_http_next_header_filter(r); } if (ctx == NULL) { - ngx_http_waf_dp(r, "no ctx ... return"); return ngx_http_next_header_filter(r); } if (ctx->modsecurity_transaction == NULL) { - ngx_http_waf_dp(r, "no transaction ... return"); return ngx_http_next_header_filter(r); } ngx_int_t out_http_status = NGX_DECLINED; - ngx_http_waf_dp(r, "processing response header"); switch (_process_response_header(r, &out_http_status)) { case NGX_HTTP_WAF_MATCHED: - ngx_http_waf_dpf(r, "matched(%i) ... return", out_http_status); return out_http_status; case NGX_HTTP_WAF_NEXT_FILTER: - ngx_http_waf_dp(r, "next filter ... return"); return ngx_http_next_header_filter(r); default: break; } - ngx_http_waf_dp_func_end(r); return ngx_http_next_header_filter(r); } ngx_int_t ngx_http_waf_body_filter(ngx_http_request_t *r, ngx_chain_t *in) { - ngx_http_waf_dp_func_start(r); ngx_http_waf_ctx_t* ctx = NULL; ngx_http_waf_loc_conf_t* loc_conf = NULL; ngx_http_waf_get_ctx_and_conf(r, &loc_conf, &ctx); if (ngx_http_waf_is_unset_or_disable_value(loc_conf->waf)) { - ngx_http_waf_dp(r, "nothing to do ... return"); return ngx_http_next_body_filter(r, in); } if (ngx_http_waf_is_unset_or_disable_value(loc_conf->waf_modsecurity)) { - ngx_http_waf_dp(r, "nothing to do ... 
return"); return ngx_http_next_body_filter(r, in); } if (!ngx_http_waf_check_flag(loc_conf->waf_mode, r->method)) { - ngx_http_waf_dp(r, "nothing to do ... return"); return ngx_http_next_body_filter(r, in); } if (ctx == NULL) { - ngx_http_waf_dp(r, "no ctx ... return"); return ngx_http_next_body_filter(r, in); } if (ctx->modsecurity_transaction == NULL) { - ngx_http_waf_dp(r, "no transaction ... return"); return ngx_http_next_body_filter(r, in); } if (in == NULL) { - ngx_http_waf_dp(r, "no input body ... return"); return ngx_http_next_body_filter(r, in); } ngx_int_t out_http_status = NGX_DECLINED; - ngx_http_waf_dp(r, "processing response body"); if (_process_response_body(r, in, &out_http_status) == NGX_HTTP_WAF_MATCHED) { - ngx_http_waf_dpf(r, "matched(%i) ... return", out_http_status); return out_http_status; } 
@@ -240,55 +216,37 @@ ngx_int_t ngx_http_waf_body_filter(ngx_http_request_t *r, ngx_chain_t *in) { static ngx_int_t _process_request(ngx_http_request_t* r, ngx_int_t* out_http_status) { - ngx_http_waf_dp_func_start(r); ngx_http_waf_ctx_t* ctx = NULL; ngx_http_waf_loc_conf_t* loc_conf = NULL; ngx_http_waf_get_ctx_and_conf(r, &loc_conf, &ctx); - ngx_http_waf_dp(r, "initializing ctx about ModSecurity"); if (_init_ctx(r) != NGX_HTTP_WAF_SUCCESS) { - ngx_http_waf_dp(r, "_init_ctx() failed ... return"); *out_http_status = NGX_HTTP_INTERNAL_SERVER_ERROR; return NGX_HTTP_WAF_MATCHED; } - ngx_http_waf_dp(r, "success"); - ngx_http_waf_dp(r, "processing connecting"); if (_process_connection(r, out_http_status) == NGX_HTTP_WAF_MATCHED) { - ngx_http_waf_dp(r, "matched ... return"); return NGX_HTTP_WAF_MATCHED; } - ngx_http_waf_dp(r, "success"); - ngx_http_waf_dp(r, "processing uri"); if (_process_uri(r, out_http_status) == NGX_HTTP_WAF_MATCHED) { - ngx_http_waf_dp(r, "matched ... return"); return NGX_HTTP_WAF_MATCHED; } - ngx_http_waf_dp(r, "success"); - ngx_http_waf_dp(r, "processing request header"); if (_process_request_header(r, out_http_status) == NGX_HTTP_WAF_MATCHED) { - ngx_http_waf_dp(r, "matched ... return"); return NGX_HTTP_WAF_MATCHED; } - ngx_http_waf_dp(r, "success"); - ngx_http_waf_dp(r, "processing request body"); if (_process_request_body(r, out_http_status) == NGX_HTTP_WAF_MATCHED) { - ngx_http_waf_dp(r, "matched ... return"); return NGX_HTTP_WAF_MATCHED; } - ngx_http_waf_dp(r, "success"); - ngx_http_waf_dp_func_end(r); return NGX_HTTP_WAF_NOT_MATCHED; } static ngx_int_t _init_ctx(ngx_http_request_t* r) { - ngx_http_waf_dp_func_start(r); ngx_http_waf_ctx_t* ctx = NULL; ngx_http_waf_loc_conf_t* loc_conf = NULL; 
@@ -303,37 +261,27 @@ static ngx_int_t _init_ctx(ngx_http_request_t* r) { } ctx->modsecurity_transaction = NULL; - ngx_http_waf_dp(r, "creating transaction"); if (transaction_id != NULL && transaction_id != NGX_CONF_UNSET_PTR) { - ngx_http_waf_dp(r, "creating transaction with id"); ngx_str_t current_transaction_id; ngx_str_null(¤t_transaction_id); - ngx_http_waf_dp(r, "getting transaction id"); if (ngx_http_complex_value(r, transaction_id, ¤t_transaction_id) != NGX_OK) { - ngx_http_waf_dp(r, "ngx_http_complex_value() failed ... return"); return NGX_HTTP_WAF_FAIL; } - ngx_http_waf_dp(r, "success"); ctx->modsecurity_transaction = msc_new_transaction_with_id(instance, rules, (char*)current_transaction_id.data, r->connection->log); } else { - ngx_http_waf_dp(r, "creating transaction without id"); ctx->modsecurity_transaction = msc_new_transaction(instance, rules, r->connection->log); } if (ctx->modsecurity_transaction == NULL) { - ngx_http_waf_dp(r, "no transaction ... return"); return NGX_HTTP_WAF_FAIL; } - ngx_http_waf_dp(r, "success"); - ngx_http_waf_dp_func_end(r); return NGX_HTTP_WAF_SUCCESS; } static ngx_int_t _process_connection(ngx_http_request_t* r, ngx_int_t* out_http_status) { - ngx_http_waf_dp_func_start(r); ngx_http_waf_ctx_t* ctx = NULL; ngx_http_waf_loc_conf_t* loc_conf = NULL; 
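Review bot: `_init_ctx` passes `(char*)current_transaction_id.data` straight to `msc_new_transaction_with_id`, which expects a C string, but an `ngx_str_t` filled by `ngx_http_complex_value` is length-counted and not guaranteed to end in a NUL, so the library may read past the value. Other call sites in this file convert first with `ngx_http_waf_c_str(..., r->pool)` (see `_process_uri`); the same here would be `char* id = ngx_http_waf_c_str(&current_transaction_id, r->pool);`, a NULL check returning `NGX_HTTP_WAF_FAIL`, and then passing `id`. The start of `_init_ctx` is outside this hunk.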
@@ -349,38 +297,28 @@ static ngx_int_t _process_connection(ngx_http_request_t* r, ngx_int_t* out_http_ int client_port = ngx_inet_get_port(connection->sockaddr); int server_port = ngx_inet_get_port(connection->local_sockaddr); - ngx_http_waf_dp(r, "getting server addr"); if (ngx_connection_local_sockaddr(r->connection, &server_addr_str, 0) != NGX_OK) { - ngx_http_waf_dp(r, "failed ... return"); *out_http_status = NGX_HTTP_INTERNAL_SERVER_ERROR; return NGX_HTTP_WAF_MATCHED; } server_addr_c_str[server_addr_str.len] = '\0'; - ngx_http_waf_dp(r, "success"); - ngx_http_waf_dp(r, "converting client client addr to c-style string"); char* client_addr_c_str = ngx_http_waf_c_str(client_addr_str, r->pool); if (client_addr_c_str == NULL) { - ngx_http_waf_dp(r, "failed ... return"); *out_http_status = NGX_HTTP_INTERNAL_SERVER_ERROR; return NGX_HTTP_WAF_MATCHED; } - ngx_http_waf_dp(r, "success"); - ngx_http_waf_dp(r, "processing connection"); if (msc_process_connection(transaction, client_addr_c_str, client_port, (char*)server_addr_c_str, server_port) != 1) { - ngx_http_waf_dp(r, "failed ... return"); *out_http_status = NGX_HTTP_INTERNAL_SERVER_ERROR; return NGX_HTTP_WAF_MATCHED; } - ngx_http_waf_dp_func_end(r); return _process_intervention(r, out_http_status); } static ngx_int_t _process_uri(ngx_http_request_t* r, ngx_int_t* out_http_status) { - ngx_http_waf_dp_func_start(r); ngx_http_waf_ctx_t* ctx = NULL; ngx_http_waf_loc_conf_t* loc_conf = NULL; 
@@ -388,25 +326,18 @@ static ngx_int_t _process_uri(ngx_http_request_t* r, ngx_int_t* out_http_status) Transaction *transaction = ctx->modsecurity_transaction; - ngx_http_waf_dp(r, "converting unparsed uri to c-style string"); char* uri = ngx_http_waf_c_str(&r->unparsed_uri, r->pool); if (uri == NULL) { - ngx_http_waf_dp(r, "failed ... return"); *out_http_status = NGX_HTTP_INTERNAL_SERVER_ERROR; return NGX_HTTP_WAF_MATCHED; } - ngx_http_waf_dp(r, "success"); - ngx_http_waf_dp(r, "converting method name to c-style string"); char* method = ngx_http_waf_c_str(&r->method_name, r->pool); if (method == NULL) { - ngx_http_waf_dp(r, "failed ... return"); *out_http_status = NGX_HTTP_INTERNAL_SERVER_ERROR; return NGX_HTTP_WAF_MATCHED; } - ngx_http_waf_dp(r, "success"); - ngx_http_waf_dp(r, "getting http version"); char* http_version = NULL; switch(r->http_version) { case NGX_HTTP_VERSION_9: @@ -427,23 +358,17 @@ static ngx_int_t _process_uri(ngx_http_request_t* r, ngx_int_t* out_http_status) http_version = "1.0"; break; } - ngx_http_waf_dpf(r, "http version is %s", http_version); - ngx_http_waf_dp(r, "processing uri"); if (msc_process_uri(transaction, uri, method, http_version) != 1) { - ngx_http_waf_dp(r, "failed ... return"); *out_http_status = NGX_HTTP_INTERNAL_SERVER_ERROR; return NGX_HTTP_WAF_MATCHED; } - ngx_http_waf_dp(r, "success"); - ngx_http_waf_dp_func_end(r); return _process_intervention(r, out_http_status); } static ngx_int_t _process_request_header(ngx_http_request_t* r, ngx_int_t* out_http_status) { - ngx_http_waf_dp_func_start(r); ngx_http_waf_ctx_t* ctx = NULL; ngx_http_waf_loc_conf_t* loc_conf = NULL; 
@@ -464,14 +389,12 @@ static ngx_int_t _process_request_header(ngx_http_request_t* r, ngx_int_t* out_h i = 0; } else { - ngx_http_waf_dpf(r, "adding request header: %V with valuse %V", &header[i].key, &header[i].value); if (msc_add_n_request_header(transaction, (const u_char*) header[i].key.data, header[i].key.len, (const u_char*) header[i].value.data, header[i].value.len) != 1) { - ngx_http_waf_dp(r, "msc_add_n_request_header failed"); *out_http_status = NGX_HTTP_INTERNAL_SERVER_ERROR; return NGX_HTTP_WAF_MATCHED; } @@ -479,21 +402,16 @@ static ngx_int_t _process_request_header(ngx_http_request_t* r, ngx_int_t* out_h } } - ngx_http_waf_dp(r, "processing request header"); if (msc_process_request_headers(transaction) != 1) { - ngx_http_waf_dp(r, "failed ... return"); *out_http_status = NGX_HTTP_INTERNAL_SERVER_ERROR; return NGX_HTTP_WAF_MATCHED; } - ngx_http_waf_dp(r, "success"); - ngx_http_waf_dp_func_end(r); return _process_intervention(r, out_http_status); } static ngx_int_t _process_request_body(ngx_http_request_t* r, ngx_int_t* out_http_status) { - ngx_http_waf_dp_func_start(r); ngx_http_waf_ctx_t* ctx = NULL; ngx_http_waf_loc_conf_t* loc_conf = NULL; 
@@ -505,30 +423,22 @@ static ngx_int_t _process_request_body(ngx_http_request_t* r, ngx_int_t* out_htt ngx_str_t body; body.data = ctx->req_body.pos; body.len = ctx->req_body.last - ctx->req_body.pos; - ngx_http_waf_dpf(r, "appending request body %V", &body); if (msc_append_request_body(transaction, body.data, body.len) != 1) { - ngx_http_waf_dp(r, "failed ... return"); *out_http_status = NGX_HTTP_INTERNAL_SERVER_ERROR; return NGX_HTTP_WAF_MATCHED; } - ngx_http_waf_dp(r, "success"); } - ngx_http_waf_dp(r, "processing request body"); if (msc_process_request_body(transaction) != 1) { - ngx_http_waf_dp(r, "failed ... return"); *out_http_status = NGX_HTTP_INTERNAL_SERVER_ERROR; return NGX_HTTP_WAF_MATCHED; } - ngx_http_waf_dp(r, "success"); - ngx_http_waf_dp_func_end(r); return _process_intervention(r, out_http_status); } static ngx_int_t _process_response_header(ngx_http_request_t* r, ngx_int_t* out_http_status) { - ngx_http_waf_dp_func_start(r); ngx_http_waf_ctx_t* ctx = NULL; ngx_http_waf_loc_conf_t* loc_conf = NULL; @@ -543,14 +453,12 @@ static ngx_int_t _process_response_header(ngx_http_request_t* r, ngx_int_t* out_ headers = headers->next; i = 0; } else { - ngx_http_waf_dpf(r, "adding response header: %V with valuse %V", &header[i].key, &header[i].value); if (msc_add_n_response_header(transaction, (const u_char*) header[i].key.data, header[i].key.len, (const u_char*) header[i].value.data, header[i].value.len) != 1) { - ngx_http_waf_dp(r, "msc_add_n_response_header failed"); *out_http_status = NGX_HTTP_INTERNAL_SERVER_ERROR; return NGX_HTTP_WAF_MATCHED; } 
@@ -566,42 +474,32 @@ static ngx_int_t _process_response_header(ngx_http_request_t* r, ngx_int_t* out_ status = r->headers_out.status; } - ngx_http_waf_dp(r, "getting http response version"); char* http_response_ver = "HTTP 1.1"; #if (NGX_HTTP_V2) if (r->stream) { http_response_ver = "HTTP 2.0"; } #endif - ngx_http_waf_dpf(r, "http response version is %s", http_response_ver); - ngx_http_waf_dp(r, "processing response header"); if (msc_process_response_headers(transaction, status, http_response_ver) != 1) { - ngx_http_waf_dp(r, "failed ... return"); *out_http_status = NGX_HTTP_INTERNAL_SERVER_ERROR; return NGX_HTTP_WAF_MATCHED; } - ngx_http_waf_dp(r, "success"); - ngx_http_waf_dp(r, "processing intervention"); ngx_int_t ret = _process_intervention(r, out_http_status); if (r->error_page) { - ngx_http_waf_dp(r, "next filter ... return"); return NGX_HTTP_WAF_NEXT_FILTER; } if (ret == NGX_HTTP_WAF_MATCHED) { - ngx_http_waf_dpf(r, "matched(%i)", *out_http_status); } - ngx_http_waf_dp_func_end(r); return ret; } static ngx_int_t _process_response_body(ngx_http_request_t* r, ngx_chain_t *in, ngx_int_t* out_http_status) { - ngx_http_waf_dp_func_start(r); ngx_http_waf_ctx_t* ctx = NULL; ngx_http_waf_loc_conf_t* loc_conf = NULL; @@ -611,7 +509,6 @@ static ngx_int_t _process_response_body(ngx_http_request_t* r, ngx_chain_t *in, ngx_chain_t* chain = in; if (chain == NULL) { - ngx_http_waf_dp(r, "no input body ... return"); return NGX_HTTP_WAF_NOT_MATCHED; } 
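Review bot: Deleting the only statement inside `if (ret == NGX_HTTP_WAF_MATCHED) { }` in `_process_response_header` leaves an empty conditional; those two lines should go together with the log, leaving just `return ret;`. The same leftover appears as `} else { }` after each of the three cookie lookups in `ngx_http_waf_handler_under_attack`, and as an empty `if (is_ssl == NGX_HTTP_WAF_TRUE) { } else { }` in `_curl_handler_debug`, where `type_str` and `tmp` are now computed and never read. A build that treats warnings as errors may reject the unused-but-set locals, so this deserves a compile check with the project's normal flags.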
@@ -621,45 +518,32 @@ static ngx_int_t _process_response_body(ngx_http_request_t* r, ngx_chain_t *in, body.data = chain->buf->pos; body.len = chain->buf->last - chain->buf->pos; - ngx_http_waf_dpf(r, "appending response body %V", &body); if (msc_append_response_body(transaction, body.data, body.len) != 1) { - ngx_http_waf_dp(r, "failed ... return"); *out_http_status = NGX_HTTP_INTERNAL_SERVER_ERROR; return NGX_HTTP_WAF_MATCHED; } - ngx_http_waf_dp(r, "success"); - ngx_http_waf_dp(r, "processing intervention"); if (_process_intervention(r, out_http_status) == NGX_HTTP_WAF_MATCHED) { - ngx_http_waf_dpf(r, "matched(%i) ... return", *out_http_status); return NGX_HTTP_WAF_MATCHED; } - ngx_http_waf_dp(r, "not matched"); if (msc_process_response_body(transaction) != 1) { - ngx_http_waf_dp(r, "msc_process_response_body failed"); *out_http_status = NGX_HTTP_INTERNAL_SERVER_ERROR; return NGX_HTTP_WAF_MATCHED; } - ngx_http_waf_dp(r, "success"); - ngx_http_waf_dp(r, "processing intervention"); if (_process_intervention(r, out_http_status) == NGX_HTTP_WAF_MATCHED) { - ngx_http_waf_dpf(r, "matched(%i) ... return", *out_http_status); return NGX_HTTP_WAF_MATCHED; } - ngx_http_waf_dp(r, "not matched"); chain = chain->next; } - ngx_http_waf_dp_func_end(r); return NGX_HTTP_WAF_NOT_MATCHED; } static ngx_int_t _process_intervention(ngx_http_request_t* r, ngx_int_t* out_http_status) { - ngx_http_waf_dp_func_start(r); ngx_http_waf_ctx_t* ctx = NULL; ngx_http_waf_loc_conf_t* loc_conf = NULL; 
@@ -671,21 +555,16 @@ static ngx_int_t _process_intervention(ngx_http_request_t* r, ngx_int_t* out_htt ngx_memzero(&intervention, sizeof(ModSecurityIntervention)); intervention.status = 200; - ngx_http_waf_dp(r, "processing intervention"); if (msc_intervention(transaction, &intervention) <= 0) { - ngx_http_waf_dp(r, "not matched ... return"); return NGX_HTTP_WAF_NOT_MATCHED; } - ngx_http_waf_dp(r, "matched"); - ngx_http_waf_dp(r, "getting intervention log") char* log = "(no log message was specified)"; if (intervention.log != NULL) { ctx->gernal_logged = NGX_HTTP_WAF_TRUE; log = intervention.log; ngx_http_waf_set_rule_info(r, "ModSecurity", log, NGX_HTTP_WAF_TRUE, NGX_HTTP_WAF_TRUE); } - ngx_http_waf_dpf(r, "intervention log is %s", log); if (intervention.log != NULL) { free(intervention.log); } @@ -696,10 +575,8 @@ static ngx_int_t _process_intervention(ngx_http_request_t* r, ngx_int_t* out_htt if (intervention.url != NULL) { - ngx_http_waf_dpf(r, "intervention -- redirecting to %s with status code %d", intervention.url, intervention.status); if (r->header_sent) { - ngx_http_waf_dp(r, "headers are already sent. Cannot perform the redirection at this point"); *out_http_status = NGX_HTTP_INTERNAL_SERVER_ERROR; return NGX_HTTP_WAF_MATCHED; } @@ -707,7 +584,6 @@ static ngx_int_t _process_intervention(ngx_http_request_t* r, ngx_int_t* out_htt ngx_http_clear_location(r); ngx_table_elt_t *location = ngx_list_push(&r->headers_out.headers); if (location == NULL) { - ngx_http_waf_dp(r, "header 'Location' generation failed"); *out_http_status = NGX_HTTP_INTERNAL_SERVER_ERROR; return NGX_HTTP_WAF_MATCHED; } 
@@ -726,27 +602,21 @@ static ngx_int_t _process_intervention(ngx_http_request_t* r, ngx_int_t* out_htt if (intervention.status != 200) { - ngx_http_waf_dp(r, "updating status code"); if (msc_update_status_code(transaction, intervention.status) != 1) { - ngx_http_waf_dp(r, "failed return"); *out_http_status = NGX_HTTP_INTERNAL_SERVER_ERROR; return NGX_HTTP_WAF_MATCHED; } - ngx_http_waf_dp(r, "success"); if (r->header_sent) { - ngx_http_waf_dp(r, "headers are already sent. Cannot perform the redirection at this point"); *out_http_status = NGX_HTTP_INTERNAL_SERVER_ERROR; return NGX_HTTP_WAF_MATCHED; } - ngx_http_waf_dpf(r, "intervention -- returning code: %d", intervention.status); *out_http_status = intervention.status; return NGX_HTTP_WAF_MATCHED; } - ngx_http_waf_dp_func_end(r); return NGX_HTTP_WAF_NOT_MATCHED; } @@ -759,13 +629,11 @@ static void _invoke(void* data, ngx_log_t* log) { ngx_http_waf_get_ctx_and_conf(r, &loc_conf, &ctx); if (loc_conf->waf == 0 || loc_conf->waf == NGX_CONF_UNSET) { - ngx_http_waf_dp(r, "nothing to do ... return"); ctx->modsecurity_triggered = NGX_HTTP_WAF_FALSE; return; } if (loc_conf->waf_modsecurity == 0 || loc_conf->waf_modsecurity == NGX_CONF_UNSET) { - ngx_http_waf_dp(r, "nothing to do ... return"); ctx->modsecurity_triggered = NGX_HTTP_WAF_FALSE; return; } diff --git a/src/ngx_http_waf_module_under_attack.c b/src/ngx_http_waf_module_under_attack.c index 4b8f6781..d95c5869 100644 --- a/src/ngx_http_waf_module_under_attack.c +++ b/src/ngx_http_waf_module_under_attack.c 
@@ -21,14 +21,12 @@ static ngx_int_t _gen_verification(ngx_http_request_t *r, _info_t* under_attack) ngx_int_t ngx_http_waf_handler_under_attack(ngx_http_request_t* r) { - ngx_http_waf_dp_func_start(r); ngx_http_waf_ctx_t* ctx = NULL; ngx_http_waf_loc_conf_t* loc_conf = NULL; ngx_http_waf_get_ctx_and_conf(r, &loc_conf, &ctx); if (ngx_http_waf_is_unset_or_disable_value(loc_conf->waf_under_attack)) { - ngx_http_waf_dp(r, "nothing to do ... return"); return NGX_HTTP_WAF_NOT_MATCHED; } 
@@ -47,89 +45,67 @@ ngx_int_t ngx_http_waf_handler_under_attack(ngx_http_request_t* r) { ngx_str_set(&key, "__waf_under_attack_time"); ngx_str_null(&value); - ngx_http_waf_dpf(r, "searching cookie %V", &key); #if (nginx_version >= 1023000) if (ngx_http_parse_multi_header_lines(r, cookies, &key, &value) != NULL) { #else if (ngx_http_parse_multi_header_lines(cookies, &key, &value) != NGX_DECLINED) { #endif - ngx_http_waf_dpf(r, "found cookie %V", &key); ngx_memcpy(under_attack_client->time, value.data, value.len); } else { - ngx_http_waf_dpf(r, "not found cookie %V", &key); } ngx_str_set(&key, "__waf_under_attack_uid"); ngx_str_null(&value); - ngx_http_waf_dpf(r, "searching cookie %V", &key); #if (nginx_version >= 1023000) if (ngx_http_parse_multi_header_lines(r, cookies, &key, &value) != NULL) { #else if (ngx_http_parse_multi_header_lines(cookies, &key, &value) != NGX_DECLINED) { #endif - ngx_http_waf_dpf(r, "found cookie %V", &key); ngx_memcpy(under_attack_client->uid, value.data, value.len); } else { - ngx_http_waf_dpf(r, "not found cookie %V", &key); } ngx_str_set(&key, "__waf_under_attack_hmac"); ngx_str_null(&value); - ngx_http_waf_dpf(r, "searching cookie %V", &key); #if (nginx_version >= 1023000) if (ngx_http_parse_multi_header_lines(r, cookies, &key, &value) != NULL) { #else if (ngx_http_parse_multi_header_lines(cookies, &key, &value) != NGX_DECLINED) { #endif - ngx_http_waf_dpf(r, "found cookie %V", &key); ngx_memcpy(under_attack_client->hmac, value.data, value.len); } else { - ngx_http_waf_dpf(r, "not found cookie %V", &key); } } ngx_memcpy(under_attack_expect, under_attack_client, sizeof(_info_t)); - ngx_http_waf_dp(r, "generating expected message") if (_gen_verification(r, under_attack_expect) != NGX_HTTP_WAF_SUCCESS) { - ngx_http_waf_dp(r, "failed ... 
return"); ngx_http_waf_append_action_return(r, NGX_HTTP_INTERNAL_SERVER_ERROR, ACTION_FLAG_FROM_UNDER_ATTACK); return NGX_HTTP_WAF_MATCHED; } - ngx_http_waf_dp(r, "success"); - ngx_http_waf_dpf(r, "client.time=%s, client.uid=%s, client.hmac=%s", under_attack_client->time, under_attack_client->uid, under_attack_client->hmac); - ngx_http_waf_dpf(r, "expect.time=%s, expect.uid=%s, expect.hmac=%s", under_attack_expect->time, under_attack_expect->uid, under_attack_expect->hmac); /* 验证 token 是否正确 */ - ngx_http_waf_dp(r, "verifying info"); if (ngx_memcmp(under_attack_client, under_attack_expect, sizeof(_info_t)) != 0) { - ngx_http_waf_dp(r, "failed"); - ngx_http_waf_dp(r, "generating new info"); if (_gen_under_attack_info(r, under_attack_expect) != NGX_HTTP_WAF_SUCCESS) { - ngx_http_waf_dp(r, "failed ... return"); ngx_http_waf_append_action_return(r, NGX_HTTP_INTERNAL_SERVER_ERROR, ACTION_FLAG_FROM_UNDER_ATTACK); return NGX_HTTP_WAF_MATCHED; } - ngx_http_waf_dp(r, "success"); - ngx_http_waf_dp(r, "generating new cookies"); if (_gen_cookie(r, under_attack_expect) != NGX_HTTP_WAF_SUCCESS) { - ngx_http_waf_dp(r, "failed ... return"); ngx_http_waf_append_action_return(r, NGX_HTTP_INTERNAL_SERVER_ERROR, ACTION_FLAG_FROM_UNDER_ATTACK); return NGX_HTTP_WAF_MATCHED; } - ngx_http_waf_dp(r, "success ... return"); ngx_http_waf_append_action_under_attack(r, ACTION_FLAG_FROM_UNDER_ATTACK); ngx_http_waf_set_rule_info(r, "UNDER-ATTACK", "", NGX_HTTP_WAF_TRUE, NGX_HTTP_WAF_TRUE); 
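Review bot: The three cookie copies in this hunk, `ngx_memcpy(under_attack_client->time, value.data, value.len)` and its `uid` and `hmac` siblings, take their length from the request cookie with no comparison against the destination field, so an over-long cookie value writes past the field. Each copy should be guarded, e.g. `if (value.len < sizeof(under_attack_client->time)) { ngx_memcpy(under_attack_client->time, value.data, value.len); }`, with an over-long value treated as a failed verification. The `<` keeps room for the terminator that the later `ngx_strlen(under_attack_client->time)` relies on, assuming the struct is zeroed before use. The field sizes and the allocation are declared outside the hunk, as is the start of the handler.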
@@ -139,46 +115,35 @@ ngx_int_t ngx_http_waf_handler_under_attack(ngx_http_request_t* r) { /* 验证时间是否超过 5 秒 */ - ngx_http_waf_dp(r, "is expired?"); time_t client_time = ngx_atoi(under_attack_client->time, ngx_strlen(under_attack_client->time)); /* 如果 Cookie 不合法 或 已经超过 30 分钟 */ if (client_time == NGX_ERROR || difftime(time(NULL), client_time) > 60 * 30) { - ngx_http_waf_dp(r, "expired info"); - ngx_http_waf_dp(r, "generating new info"); if (_gen_under_attack_info(r, under_attack_expect) != NGX_HTTP_WAF_SUCCESS) { - ngx_http_waf_dp(r, "failed ... return"); ngx_http_waf_append_action_return(r, NGX_HTTP_INTERNAL_SERVER_ERROR, ACTION_FLAG_FROM_UNDER_ATTACK); return NGX_HTTP_WAF_MATCHED; } - ngx_http_waf_dp(r, "success"); - ngx_http_waf_dp(r, "generating new cookies"); if (_gen_cookie(r, under_attack_expect) != NGX_HTTP_WAF_SUCCESS) { - ngx_http_waf_dp(r, "failed ... return"); ngx_http_waf_append_action_return(r, NGX_HTTP_INTERNAL_SERVER_ERROR, ACTION_FLAG_FROM_UNDER_ATTACK); return NGX_HTTP_WAF_MATCHED; } - ngx_http_waf_dp(r, "success ... return"); ngx_http_waf_append_action_under_attack(r, ACTION_FLAG_FROM_UNDER_ATTACK); ngx_http_waf_set_rule_info(r, "UNDER-ATTACK", "", NGX_HTTP_WAF_TRUE, NGX_HTTP_WAF_TRUE); return NGX_HTTP_WAF_MATCHED; } else if (difftime(time(NULL), client_time) <= 5) { - ngx_http_waf_dp(r, "on delay ... return"); ngx_http_waf_append_action_under_attack(r, ACTION_FLAG_FROM_UNDER_ATTACK); ngx_http_waf_set_rule_info(r, "UNDER-ATTACK", "", NGX_HTTP_WAF_TRUE, NGX_HTTP_WAF_TRUE); return NGX_HTTP_WAF_MATCHED; } - ngx_http_waf_dp_func_end(r); return NGX_HTTP_WAF_NOT_MATCHED; } static ngx_int_t _gen_under_attack_info(ngx_http_request_t* r, _info_t* under_attack) { - ngx_http_waf_dp_func_start(r); time_t now = time(NULL); 
@@ -190,20 +155,15 @@ static ngx_int_t _gen_under_attack_info(ngx_http_request_t* r, _info_t* under_at #error The size of time_t is unexpected. #endif - ngx_http_waf_dp(r, "generating random string"); if (ngx_http_waf_rand_str(under_attack->uid, sizeof(under_attack->uid) - 1) != NGX_HTTP_WAF_SUCCESS) { - ngx_http_waf_dp(r, "failed ... return"); return NGX_HTTP_WAF_FAIL; } - ngx_http_waf_dp(r, "success"); - ngx_http_waf_dp_func_end(r); return _gen_verification(r, under_attack); } static ngx_int_t _gen_cookie(ngx_http_request_t *r, _info_t* under_attack) { - ngx_http_waf_dp_func_start(r); ngx_http_waf_ctx_t* ctx = NULL; ngx_http_waf_get_ctx_and_conf(r, NULL, &ctx); @@ -217,7 +177,6 @@ static ngx_int_t _gen_cookie(ngx_http_request_t *r, _info_t* under_attack) { ngx_str_set(&header->key, "Set-Cookie"); header->value.data = ngx_pnalloc(r->pool, sizeof(under_attack->time) + 64); header->value.len = sprintf((char*)header->value.data, "__waf_under_attack_time=%s; Path=/", under_attack->time); - ngx_http_waf_dpf(r, "Header %V: %V", &header->key, &header->value); header = (ngx_table_elt_t *)ngx_list_push(&(r->headers_out.headers)); if (header == NULL) { @@ -228,7 +187,6 @@ static ngx_int_t _gen_cookie(ngx_http_request_t *r, _info_t* under_attack) { ngx_str_set(&header->key, "Set-Cookie"); header->value.data = ngx_pnalloc(r->pool, sizeof(under_attack->uid) + 64); header->value.len = sprintf((char*)header->value.data, "__waf_under_attack_uid=%s; Path=/", under_attack->uid); - ngx_http_waf_dpf(r, "Header %V: %V", &header->key, &header->value); header = (ngx_table_elt_t *)ngx_list_push(&(r->headers_out.headers)); if (header == NULL) { 
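Review bot: In `_gen_cookie` (hunk at -217), `header->value.data = ngx_pnalloc(...)` is handed to `sprintf` without a NULL check, so a failed pool allocation becomes a write through a null pointer. Add `if (header->value.data == NULL) { return NGX_HTTP_WAF_FAIL; }` before each `sprintf`; the same pattern repeats for the `uid` cookie in the hunk at -228 and the `hmac` cookie in the hunk at -239. The value returned by the neighbouring `header == NULL` branches is cut off by the hunk boundaries, so use whatever those branches return.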
@@ -239,15 +197,12 @@ static ngx_int_t _gen_cookie(ngx_http_request_t *r, _info_t* under_attack) { ngx_str_set(&header->key, "Set-Cookie"); header->value.data = ngx_pnalloc(r->pool, sizeof(under_attack->hmac) + 64); header->value.len = sprintf((char*)header->value.data, "__waf_under_attack_hmac=%s; Path=/", under_attack->hmac); - ngx_http_waf_dpf(r, "Header %V: %V", &header->key, &header->value); - ngx_http_waf_dp_func_end(r); return NGX_HTTP_WAF_SUCCESS; } static ngx_int_t _gen_verification(ngx_http_request_t *r, _info_t* under_attack) { - ngx_http_waf_dp_func_start(r); ngx_http_waf_loc_conf_t* loc_conf = NULL; ngx_http_waf_get_ctx_and_conf(r, &loc_conf, NULL); @@ -263,7 +218,6 @@ static ngx_int_t _gen_verification(ngx_http_request_t *r, _info_t* under_attack) ngx_memcpy(buf.uid, under_attack->uid, sizeof(buf.uid)); ngx_memcpy(buf.salt, loc_conf->random_str, sizeof(buf.salt)); - ngx_http_waf_dpf(r, "time=%s, uid=%s, salt=%s", buf.time, buf.uid, buf.salt); if (r->connection->sockaddr->sa_family == AF_INET) { struct sockaddr_in *sin = (struct sockaddr_in *)r->connection->sockaddr; @@ -279,6 +233,5 @@ static ngx_int_t _gen_verification(ngx_http_request_t *r, _info_t* under_attack) ngx_memzero(under_attack->hmac, sizeof(under_attack->hmac)); - ngx_http_waf_dp_func_end(r); return ngx_http_waf_sha256(under_attack->hmac, sizeof(under_attack->hmac), &buf, sizeof(buf)); } \ No newline at end of file diff --git a/src/ngx_http_waf_module_util.c b/src/ngx_http_waf_module_util.c index 90a9c689..74bfe20b 100644 --- a/src/ngx_http_waf_module_util.c +++ b/src/ngx_http_waf_module_util.c @@ -555,7 +555,6 @@ ngx_int_t ngx_http_waf_sha256(u_char* dst, size_t dst_len, const void* buf, size void ngx_http_waf_get_ctx_and_conf(ngx_http_request_t* r, ngx_http_waf_loc_conf_t** conf, ngx_http_waf_ctx_t** ctx) { - ngx_http_waf_dp_func_start(r); if (ctx != NULL) { *ctx = NULL; 
@@ -598,7 +597,6 @@ void ngx_http_waf_get_ctx_and_conf(ngx_http_request_t* r, ngx_http_waf_loc_conf_ } } - ngx_http_waf_dp_func_end(r); } @@ -620,12 +618,10 @@ void ngx_http_waf_make_inx_addr(ngx_http_request_t* r, inx_addr_t* inx_addr) { void ngx_http_waf_set_rule_info(ngx_http_request_t* r, char* type, char* details, ngx_int_t gernal_logged, ngx_int_t blocked) { - ngx_http_waf_dp_func_start(r); ngx_http_waf_ctx_t* ctx = NULL; ngx_http_waf_get_ctx_and_conf(r, NULL, &ctx); - ngx_http_waf_dpf(r, "type: %s, details: %s", type, details); size_t type_len = ngx_strlen(type); size_t details_len = ngx_strlen(details); @@ -646,37 +642,29 @@ void ngx_http_waf_set_rule_info(ngx_http_request_t* r, char* type, char* details ctx->blocked = 1; } - ngx_http_waf_dp_func_end(r); } ngx_int_t ngx_http_waf_http_post(ngx_http_request_t* r, const char* url, char* in, char** out) { - ngx_http_waf_dp_func_start(r); #define _error_without_msg() { \ - ngx_http_waf_dp(r, "failed ... return"); \ *out = NULL; \ return NGX_HTTP_WAF_FAIL; \ } #define _set_opt(handler, option, value) { \ - ngx_http_waf_dpf(r, "Setting curl option %s", #option); \ CURLcode res = curl_easy_setopt((handler), (option), (value)); \ if (res != CURLE_OK) { \ _error_without_msg(); \ } \ - ngx_http_waf_dp(r, "success"); \ } - ngx_http_waf_dp(r, "initializing curl handle"); CURL* curl_handle = curl_easy_init(); if (curl_handle == NULL) { _error_without_msg(); } - ngx_http_waf_dp(r, "success"); - ngx_http_waf_dp(r, "initializing buf"); struct { ngx_http_request_t* r; ngx_buf_t buf; @@ -688,7 +676,6 @@ ngx_int_t ngx_http_waf_http_post(ngx_http_request_t* r, const char* url, char* i if (buf.buf.pos == NULL) { _error_without_msg(); } - ngx_http_waf_dp(r, "success"); _set_opt(curl_handle, CURLOPT_URL, url); _set_opt(curl_handle, CURLOPT_TIMEOUT, 5L); 
@@ -706,11 +693,8 @@ ngx_int_t ngx_http_waf_http_post(ngx_http_request_t* r, const char* url, char* i _set_opt(curl_handle, CURLOPT_VERBOSE, 1L); } - ngx_http_waf_dpf(r, "request body is %s", in); - ngx_http_waf_dp(r, "performing request"); CURLcode res = curl_easy_perform(curl_handle); if (res != CURLE_OK) { - ngx_http_waf_dp(r, "failed ... return"); *out = malloc(1024); if (*out != NULL) { sprintf(*out, "curl_easy_perform() failed: %s\n", curl_easy_strerror(res)); @@ -719,12 +703,9 @@ ngx_int_t ngx_http_waf_http_post(ngx_http_request_t* r, const char* url, char* i return NGX_HTTP_WAF_FAIL; } *out = (char*)buf.buf.pos; - ngx_http_waf_dp(r, "success"); - ngx_http_waf_dpf(r, "response body is %s", *out); curl_easy_cleanup(curl_handle); - ngx_http_waf_dp_func_end(r); return NGX_HTTP_WAF_SUCCESS; #undef _error_without_msg @@ -786,13 +767,11 @@ ngx_int_t ngx_http_waf_gen_no_cache_header(ngx_http_request_t* r) { void ngx_http_waf_register_content_handler(ngx_http_request_t* r) { - ngx_http_waf_dp_func_start(r); ngx_http_waf_ctx_t* ctx = NULL; ngx_http_waf_get_ctx_and_conf(r, NULL, &ctx); ctx->register_content_handler = NGX_HTTP_WAF_TRUE; r->content_handler = ngx_http_waf_handler_precontent_phase; - ngx_http_waf_dp_func_end(r); } 
@@ -822,31 +801,23 @@ static size_t _curl_handler_write(void *contents, size_t size, size_t nmemb, voi size_t realsize = size * nmemb; size_t offset = buf->last - buf->pos; - ngx_http_waf_dp_func_start(r); - ngx_http_waf_dp(r, "reallocing"); char *ptr = realloc(buf->pos, buf->last - buf->pos + realsize + 1); assert(ptr != NULL); - ngx_http_waf_dp(r, "success"); - ngx_http_waf_dp(r, "copying response"); buf->pos = (u_char*)ptr; buf->last = buf->pos + offset; ngx_memcpy(buf->last, contents, realsize); buf->last += realsize; *(buf->last) = 0; - ngx_http_waf_dp(r, "success"); - ngx_http_waf_dpf(r, "current response is %s", buf->pos); - ngx_http_waf_dp_func_end(r); return realsize; } static int _curl_handler_debug(CURL* handle, curl_infotype type, char* data, size_t size, void* userp) { ngx_http_request_t* r = userp; - ngx_http_waf_dp_func_start(r); char* type_str = ""; int is_ssl = NGX_HTTP_WAF_FALSE; @@ -884,12 +855,9 @@ static int _curl_handler_debug(CURL* handle, curl_infotype type, char* data, siz tmp.len = size / sizeof(u_char); if (is_ssl == NGX_HTTP_WAF_TRUE) { - ngx_http_waf_dpf(r, "curl_debug - %s - Encrypted Data", type_str); } else { - ngx_http_waf_dpf(r, "curl_debug - %s - %V", type_str, &tmp); } - ngx_http_waf_dp_func_end(r); return CURLE_OK; } diff --git a/src/ngx_http_waf_module_var.c b/src/ngx_http_waf_module_var.c index 1eb38b85..c3160e70 100644 --- a/src/ngx_http_waf_module_var.c +++ b/src/ngx_http_waf_module_var.c @@ -6,7 +6,6 @@ (v)->valid = 1; \ (v)->no_cacheable = 1; \ if (ctx == NULL) { \ - ngx_http_waf_dp(r, "no ctx ... return"); \ v->not_found = 1; \ return NGX_OK; \ } 
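Review bot: `assert(ptr != NULL)` is the only guard on the `realloc` result in `_curl_handler_write`. With `NDEBUG` defined the following lines write through a null pointer, and without it an allocation failure aborts the whole worker process. The number of bytes appended is whatever the remote endpoint sends, and nothing in the hunk caps the total. Replace the assert with `if (ptr == NULL) return 0;` so libcurl fails the transfer with a write error, and consider returning 0 as well once `offset + realsize` exceeds a fixed limit. The function starts above this hunk.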
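Review bot: Removing the two log calls leaves `if (is_ssl == NGX_HTTP_WAF_TRUE) { } else { }` at the end of `_curl_handler_debug` with both branches empty. In the lines shown, `r`, `type_str` and `tmp` are then assigned and never read, which can break builds that treat unused-variable warnings as errors. Either drop the empty `if`/`else` together with the now-dead locals, or reduce the callback to `return 0;` and reconsider the `CURLOPT_VERBOSE` option set in `ngx_http_waf_http_post`, since its output no longer goes anywhere. The middle of the function lies between the two hunks and is not shown, so confirm nothing there still reads those variables.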
@@ -79,101 +78,82 @@ ngx_int_t ngx_http_waf_install_add_var(ngx_conf_t* cf) { } ngx_int_t _waf_log_get_handler(ngx_http_request_t* r, ngx_http_variable_value_t* v, uintptr_t data) { - ngx_http_waf_dp_func_start(r); _init(r, v); if (!ctx->checked) { - ngx_http_waf_dp(r, "not checked ... return"); v->not_found = 1; return NGX_OK; } - ngx_http_waf_dp(r, "checked ... return"); v->not_found = 0; v->data = (u_char*)"true"; v->len = 4; - ngx_http_waf_dp_func_end(r); return NGX_OK; } ngx_int_t _waf_blocking_log_get_handler(ngx_http_request_t* r, ngx_http_variable_value_t* v, uintptr_t data) { - ngx_http_waf_dp_func_start(r); _init(r, v); if (!ctx->blocked) { - ngx_http_waf_dp(r, "not blocked ... return"); v->not_found = 1; return NGX_OK; } - ngx_http_waf_dp(r, "blocked ... return"); v->not_found = 0; v->data = (u_char*)"true"; v->len = 4; - ngx_http_waf_dp_func_end(r); return NGX_OK; } ngx_int_t _waf_blocked_get_handler(ngx_http_request_t* r, ngx_http_variable_value_t* v, uintptr_t data) { - ngx_http_waf_dp_func_start(r); _init(r, v); if (ctx->blocked) { - ngx_http_waf_dp(r, "blocked ... return"); v->not_found = 0; v->len = 4; v->data = (u_char*)"true"; } else { - ngx_http_waf_dp(r, "not blocked ... 
return"); v->not_found = 0; v->len = 5; v->data = (u_char*)"false"; } - ngx_http_waf_dp_func_end(r); return NGX_OK; } ngx_int_t _waf_rule_type_get_handler(ngx_http_request_t* r, ngx_http_variable_value_t* v, uintptr_t data) { - ngx_http_waf_dp_func_start(r); _init(r, v); v->not_found = 0; v->data = ctx->rule_type.data; v->len = ctx->rule_type.len; - ngx_http_waf_dpf(r, "$waf_rule_type=%V", &ctx->rule_type); - ngx_http_waf_dp_func_end(r); return NGX_OK; } ngx_int_t _waf_rule_deatils_handler(ngx_http_request_t* r, ngx_http_variable_value_t* v, uintptr_t data) { - ngx_http_waf_dp_func_start(r); _init(r, v); v->not_found = 0; v->data = ctx->rule_deatils.data; v->len = ctx->rule_deatils.len; - ngx_http_waf_dpf(r, "$waf_rule_details=%V", &ctx->rule_deatils); - ngx_http_waf_dp_func_end(r); return NGX_OK; } ngx_int_t _waf_spend_handler(ngx_http_request_t* r, ngx_http_variable_value_t* v, uintptr_t data) { - ngx_http_waf_dp_func_start(r); _init(r, v); @@ -182,24 +162,19 @@ ngx_int_t _waf_spend_handler(ngx_http_request_t* r, ngx_http_variable_value_t* v v->len = ngx_strlen(text); v->data = ngx_palloc(r->pool, sizeof(u_char) * v->len); strcpy((char*)v->data, (char*)text); - ngx_http_waf_dpf(r, "$waf_spend=%s", (char*)v->data); - ngx_http_waf_dp_func_end(r); return NGX_OK; } ngx_int_t _waf_rate_handler(ngx_http_request_t* r, ngx_http_variable_value_t* v, uintptr_t data) { - ngx_http_waf_dp_func_start(r); _init(r, v); u_char* buf = ngx_pcalloc(r->pool, NGX_INT_T_LEN + sizeof(u_char)); v->len = ngx_sprintf(buf, "%i", ctx->rate) - buf; v->data = buf; - ngx_http_waf_dpf(r, "$waf_rate=%s", (char*)v->data); - ngx_http_waf_dp_func_end(r); return NGX_OK; } diff --git a/src/ngx_http_waf_module_verify_bot.c b/src/ngx_http_waf_module_verify_bot.c index 7c287e9c..2abf1e19 100644 --- a/src/ngx_http_waf_module_verify_bot.c +++ b/src/ngx_http_waf_module_verify_bot.c 
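Review bot: `strcpy((char*)v->data, (char*)text)` in `_waf_spend_handler` writes `v->len + 1` bytes into a buffer allocated with `ngx_palloc(r->pool, sizeof(u_char) * v->len)`, so the terminating NUL lands one byte past the allocation. The `ngx_palloc` result is also used unchecked. nginx variable values are length-delimited and need no terminator, so `if (v->data == NULL) return NGX_ERROR;` followed by `ngx_memcpy(v->data, text, v->len);` fixes both. The function starts in the previous hunk and the declaration of `text` is not shown.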
@@ -26,13 +26,11 @@ ngx_int_t ngx_http_waf_handler_verify_bot(ngx_http_request_t* r) { NULL, NULL }; - ngx_http_waf_dp_func_start(r); ngx_http_waf_loc_conf_t* loc_conf = NULL; ngx_http_waf_get_ctx_and_conf(r, &loc_conf, NULL); if (ngx_http_waf_is_unset_or_disable_value(loc_conf->waf_verify_bot)) { - ngx_http_waf_dp(r, "nothing to do ... return"); return NGX_HTTP_WAF_NOT_MATCHED; } @@ -47,12 +45,10 @@ ngx_int_t ngx_http_waf_handler_verify_bot(ngx_http_request_t* r) { for (int i = 0; _func[i] != NULL; i += 2) { - ngx_http_waf_dpf(r, "verfiying %s", _func[i + 1]); _handler handler = (_handler)_func[i]; ngx_int_t rc = handler(r); if (rc == NGX_HTTP_WAF_FAKE_BOT) { - ngx_http_waf_dp(r, "fake bot ... return"); if (loc_conf->waf_verify_bot == 2) { ngx_http_waf_set_rule_info(r, "FAKE-BOT", _func[i + 1], NGX_HTTP_WAF_TRUE, NGX_HTTP_WAF_TRUE); @@ -66,7 +62,6 @@ ngx_int_t ngx_http_waf_handler_verify_bot(ngx_http_request_t* r) { } } else if (rc == NGX_HTTP_WAF_SUCCESS){ - ngx_http_waf_dp(r, "real bot ... return"); ngx_http_waf_append_action_chain(r, action_decline); ngx_http_waf_set_rule_info(r, "REAL-BOT", _func[i + 1], NGX_HTTP_WAF_TRUE, NGX_HTTP_WAF_FALSE); @@ -74,13 +69,11 @@ ngx_int_t ngx_http_waf_handler_verify_bot(ngx_http_request_t* r) { } } - ngx_http_waf_dp_func_end(r); return NGX_HTTP_WAF_NOT_MATCHED; } static ngx_int_t _verify_google_bot(ngx_http_request_t* r) { - ngx_http_waf_dp_func_start(r); ngx_http_waf_loc_conf_t* loc_conf = NULL; ngx_http_waf_get_ctx_and_conf(r, &loc_conf, NULL); @@ -93,13 +86,11 @@ static ngx_int_t _verify_google_bot(ngx_http_request_t* r) { loc_conf->waf_verify_bot_google_ua_regexp, loc_conf->waf_verify_bot_google_domain_regexp); - ngx_http_waf_dp_func_end(r); return rc; } static ngx_int_t _verify_bing_bot(ngx_http_request_t* r) { - ngx_http_waf_dp_func_start(r); ngx_http_waf_loc_conf_t* loc_conf = NULL; ngx_http_waf_get_ctx_and_conf(r, &loc_conf, NULL); 
@@ -112,13 +103,11 @@ static ngx_int_t _verify_bing_bot(ngx_http_request_t* r) { loc_conf->waf_verify_bot_bing_ua_regexp, loc_conf->waf_verify_bot_bing_domain_regexp); - ngx_http_waf_dp_func_end(r); return rc; } static ngx_int_t _verify_baidu_spider(ngx_http_request_t* r) { - ngx_http_waf_dp_func_start(r); ngx_http_waf_loc_conf_t* loc_conf = NULL; ngx_http_waf_get_ctx_and_conf(r, &loc_conf, NULL); @@ -131,12 +120,10 @@ static ngx_int_t _verify_baidu_spider(ngx_http_request_t* r) { loc_conf->waf_verify_bot_baidu_ua_regexp, loc_conf->waf_verify_bot_baidu_domain_regexp); - ngx_http_waf_dp_func_end(r); return rc; } static ngx_int_t _verify_yandex_bot(ngx_http_request_t* r) { - ngx_http_waf_dp_func_start(r); ngx_http_waf_loc_conf_t* loc_conf = NULL; ngx_http_waf_get_ctx_and_conf(r, &loc_conf, NULL); @@ -149,12 +136,10 @@ static ngx_int_t _verify_yandex_bot(ngx_http_request_t* r) { loc_conf->waf_verify_bot_yandex_ua_regexp, loc_conf->waf_verify_bot_yandex_domain_regexp); - ngx_http_waf_dp_func_end(r); return rc; } static ngx_int_t _verify_sogou_spider(ngx_http_request_t* r) { - ngx_http_waf_dp_func_start(r); ngx_http_waf_loc_conf_t* loc_conf = NULL; ngx_http_waf_get_ctx_and_conf(r, &loc_conf, NULL); 
@@ -167,37 +152,29 @@ static ngx_int_t _verify_sogou_spider(ngx_http_request_t* r) { loc_conf->waf_verify_bot_sogou_ua_regexp, loc_conf->waf_verify_bot_sogou_domain_regexp); - ngx_http_waf_dp_func_end(r); return rc; } static ngx_int_t _verify_by_rdns(ngx_http_request_t* r, ngx_array_t* ua_regex, ngx_array_t* domain_regex) { - ngx_http_waf_dp_func_start(r); ngx_http_waf_loc_conf_t* loc_conf = NULL; ngx_http_waf_get_ctx_and_conf(r, &loc_conf, NULL); if (r->headers_in.user_agent == NULL) { - ngx_http_waf_dp(r, "no user-agent"); return NGX_HTTP_WAF_FAIL; } if (r->headers_in.user_agent->value.data == NULL || r->headers_in.user_agent->value.len == 0) { - ngx_http_waf_dp(r, "no user-agent"); return NGX_HTTP_WAF_FAIL; } - ngx_http_waf_dpf(r, "verifying user-agent %V", &r->headers_in.user_agent->value); if (ngx_regex_exec_array(ua_regex, &r->headers_in.user_agent->value, r->connection->log) != NGX_OK) { - ngx_http_waf_dp(r, "failed ... return"); return NGX_HTTP_WAF_FAIL; } - ngx_http_waf_dp(r, "success"); - ngx_http_waf_dp(r, "getting client's host"); struct hostent* h = NULL; if (r->connection->sockaddr->sa_family == AF_INET) { struct sockaddr_in* sin = (struct sockaddr_in*)r->connection->sockaddr; 
@@ -212,37 +189,27 @@ static ngx_int_t _verify_by_rdns(ngx_http_request_t* r, ngx_array_t* ua_regex, n if (h == NULL) { if (h_errno == HOST_NOT_FOUND) { - ngx_http_waf_dp(r, "host not found"); - ngx_http_waf_dp(r, "fake bot ... return"); return NGX_HTTP_WAF_FAKE_BOT; } else { - ngx_http_waf_dp(r, "failed ... return"); return NGX_HTTP_WAF_FAIL; } } - ngx_http_waf_dp(r, "success"); ngx_str_t host; host.data = (u_char*)h->h_name; host.len = ngx_strlen(h->h_name); - ngx_http_waf_dpf(r, "verifying host %V", &host); if (ngx_regex_exec_array(domain_regex, &host, r->connection->log) == NGX_OK) { - ngx_http_waf_dp(r, "success ... return"); return NGX_HTTP_WAF_SUCCESS; } for (int i = 0; h->h_aliases[i] != NULL; i++) { host.data = (u_char*)h->h_aliases[i]; host.len = ngx_strlen(h->h_aliases[i]); - ngx_http_waf_dpf(r, "verifying host %V", &host); if (ngx_regex_exec_array(domain_regex, &host, r->connection->log) == NGX_OK) { - ngx_http_waf_dp(r, "success ... return"); return NGX_HTTP_WAF_SUCCESS; } } - ngx_http_waf_dp(r, "fake bot"); - ngx_http_waf_dp_func_end(r); return NGX_HTTP_WAF_FAKE_BOT; } \ No newline at end of file
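Review bot: `_verify_by_rdns` returns `NGX_HTTP_WAF_SUCCESS` as soon as the reverse-DNS name (`h->h_name` or an alias) matches `domain_regex`, and nothing in this hunk resolves that name forward and compares the result with the client address. PTR records are set by whoever controls the reverse zone for the address, so a matching name alone does not establish that the client is the crawler; the usual check is a forward lookup of that name that must return the connecting address. The sketch below adds that step for `h->h_name`, and the alias loop needs the same call. Both lookups block the worker, so a short-lived result cache is worth considering. The function starts in an earlier hunk and the lines that obtain `h` are not shown.

```c
/* Resolve `name` forward and require one result to equal the peer address. */
static ngx_int_t _confirm_forward(ngx_http_request_t* r, const char* name) {
    struct sockaddr* peer = r->connection->sockaddr;
    struct addrinfo hints, *res = NULL;
    ngx_int_t rc = NGX_HTTP_WAF_FAKE_BOT;

    ngx_memzero(&hints, sizeof(hints));
    hints.ai_family = peer->sa_family;
    hints.ai_socktype = SOCK_STREAM;

    int err = getaddrinfo(name, NULL, &hints, &res);
    if (err != 0) {
        /* Only a definite "no such name" counts as fake; other errors are inconclusive. */
        return err == EAI_NONAME ? NGX_HTTP_WAF_FAKE_BOT : NGX_HTTP_WAF_FAIL;
    }

    for (struct addrinfo* ai = res; ai != NULL; ai = ai->ai_next) {
        if (peer->sa_family == AF_INET
            && ngx_memcmp(&((struct sockaddr_in*)ai->ai_addr)->sin_addr,
                          &((struct sockaddr_in*)peer)->sin_addr,
                          sizeof(struct in_addr)) == 0) {
            rc = NGX_HTTP_WAF_SUCCESS;
            break;
        }
        if (peer->sa_family == AF_INET6
            && ngx_memcmp(&((struct sockaddr_in6*)ai->ai_addr)->sin6_addr,
                          &((struct sockaddr_in6*)peer)->sin6_addr,
                          sizeof(struct in6_addr)) == 0) {
            rc = NGX_HTTP_WAF_SUCCESS;
            break;
        }
    }

    freeaddrinfo(res);
    return rc;
}

/* ... unchanged: user-agent check, reverse lookup, h == NULL handling ... */

    if (ngx_regex_exec_array(domain_regex, &host, r->connection->log) == NGX_OK) {
        return _confirm_forward(r, (const char*)host.data);
    }

/* ... unchanged: alias loop, with the same _confirm_forward() call on a regex match ... */
```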