This is an automated email from the ASF dual-hosted git repository.
monkeydluffy pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/apisix.git
The following commit(s) were added to refs/heads/master by this push:
new 455d5bfac feat: support chaitin-waf plugin (#9838)
455d5bfac is described below
commit 455d5bfac93ed1b16bc9d0209bb29143c22a5585
Author: Sarasa Kisaragi <[email protected]>
AuthorDate: Tue Aug 1 14:42:53 2023 +0800
feat: support chaitin-waf plugin (#9838)
---
apisix/plugins/chaitin-waf.lua | 373 ++++++++++++++++++++++++++++++++++
conf/config-default.yaml | 1 +
docs/en/latest/config.json | 3 +-
docs/en/latest/plugins/chaitin-waf.md | 253 +++++++++++++++++++++++
docs/zh/latest/config.json | 3 +-
docs/zh/latest/plugins/chaitin-waf.md | 253 +++++++++++++++++++++++
rockspec/apisix-master-0.rockspec | 3 +-
t/admin/plugins.t | 1 +
t/lib/chaitin_waf_server.lua | 60 ++++++
t/plugin/chaitin-waf-reject.t | 139 +++++++++++++
t/plugin/chaitin-waf-timeout.t | 139 +++++++++++++
t/plugin/chaitin-waf.t | 267 ++++++++++++++++++++++++
12 files changed, 1492 insertions(+), 3 deletions(-)
diff --git a/apisix/plugins/chaitin-waf.lua b/apisix/plugins/chaitin-waf.lua
new file mode 100644
index 000000000..afb4c108b
--- /dev/null
+++ b/apisix/plugins/chaitin-waf.lua
@@ -0,0 +1,373 @@
+--
+-- Licensed to the Apache Software Foundation (ASF) under one or more
+-- contributor license agreements. See the NOTICE file distributed with
+-- this work for additional information regarding copyright ownership.
+-- The ASF licenses this file to You under the Apache License, Version 2.0
+-- (the "License"); you may not use this file except in compliance with
+-- the License. You may obtain a copy of the License at
+--
+-- http://www.apache.org/licenses/LICENSE-2.0
+--
+-- Unless required by applicable law or agreed to in writing, software
+-- distributed under the License is distributed on an "AS IS" BASIS,
+-- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+-- See the License for the specific language governing permissions and
+-- limitations under the License.
+--
+local require = require
+local core = require("apisix.core")
+local rr_balancer = require("apisix.balancer.roundrobin")
+local plugin = require("apisix.plugin")
+local t1k = require "resty.t1k"
+local expr = require("resty.expr.v1")
+
+local ngx = ngx
+local ngx_now = ngx.now
+local string = string
+local fmt = string.format
+local tostring = tostring
+local tonumber = tonumber
+local ipairs = ipairs
+
+local plugin_name = "chaitin-waf"
+
+local vars_schema = {
+ type = "array",
+}
+
+local match_schema = {
+ type = "array",
+ items = {
+ type = "object",
+ properties = {
+ vars = vars_schema
+ }
+ },
+}
+
+local plugin_schema = {
+ type = "object",
+ properties = {
+ -- TODO: we should add a configuration "mode" here
+ -- It can be one of off, block and monitor
+ match = match_schema,
+ append_waf_resp_header = {
+ type = "boolean",
+ default = true
+ },
+ append_waf_debug_header = {
+ type = "boolean",
+ default = false
+ },
+ config = {
+ type = "object",
+ properties = {
+ connect_timeout = {
+ type = "integer",
+ },
+ send_timeout = {
+ type = "integer",
+ },
+ read_timeout = {
+ type = "integer",
+ },
+ req_body_size = {
+ type = "integer",
+ },
+ keepalive_size = {
+ type = "integer",
+ },
+ keepalive_timeout = {
+ type = "integer",
+ }
+ },
+ },
+ },
+}
+
+local metadata_schema = {
+ type = "object",
+ properties = {
+ nodes = {
+ type = "array",
+ items = {
+ type = "object",
+ properties = {
+ host = {
+ type = "string",
+ pattern = "^\\*?[0-9a-zA-Z-._\\[\\]:]+$"
+ },
+ port = {
+ type = "integer",
+ minimum = 1,
+ default = 80
+ },
+ },
+ required = { "host" }
+ },
+ minItems = 1,
+ },
+ config = {
+ type = "object",
+ properties = {
+ connect_timeout = {
+ type = "integer",
+ default = 1000 -- milliseconds
+ },
+ send_timeout = {
+ type = "integer",
+ default = 1000 -- milliseconds
+ },
+ read_timeout = {
+ type = "integer",
+ default = 1000 -- milliseconds
+ },
+ req_body_size = {
+ type = "integer",
+ default = 1024 -- milliseconds
+ },
+ -- maximum concurrent idle connections to
+ -- the SafeLine WAF detection service
+ keepalive_size = {
+ type = "integer",
+ default = 256
+ },
+ keepalive_timeout = {
+ type = "integer",
+ default = 60000 -- milliseconds
+ },
+ -- TODO: we need a configuration to enable/disable the real
client ip
+ -- the real client ip is calculated by APISIX
+ },
+ default = {},
+ },
+ },
+ required = { "nodes" },
+}
+
+local _M = {
+ version = 0.1,
+ priority = 2700,
+ name = plugin_name,
+ schema = plugin_schema,
+ metadata_schema = metadata_schema
+}
+
+local global_server_picker
+
+local HEADER_CHAITIN_WAF = "X-APISIX-CHAITIN-WAF"
+local HEADER_CHAITIN_WAF_ERROR = "X-APISIX-CHAITIN-WAF-ERROR"
+local HEADER_CHAITIN_WAF_TIME = "X-APISIX-CHAITIN-WAF-TIME"
+local HEADER_CHAITIN_WAF_STATUS = "X-APISIX-CHAITIN-WAF-STATUS"
+local HEADER_CHAITIN_WAF_ACTION = "X-APISIX-CHAITIN-WAF-ACTION"
+local HEADER_CHAITIN_WAF_SERVER = "X-APISIX-CHAITIN-WAF-SERVER"
+local blocked_message = [[{"code": %s, "success":false, ]] ..
+ [["message": "blocked by Chaitin SafeLine Web Application Firewall",
"event_id": "%s"}]]
+
+
+function _M.check_schema(conf, schema_type)
+ if schema_type == core.schema.TYPE_METADATA then
+ return core.schema.check(metadata_schema, conf)
+ end
+
+ local ok, err = core.schema.check(plugin_schema, conf)
+
+ if not ok then
+ return false, err
+ end
+
+ if conf.match then
+ for _, m in ipairs(conf.match) do
+ local ok, err = expr.new(m.vars)
+ if not ok then
+ return false, "failed to validate the 'vars' expression: " ..
err
+ end
+ end
+ end
+
+ return true
+end
+
+
+local function get_healthy_chaitin_server_nodes(metadata, checker)
+ local nodes = metadata.nodes
+ local new_nodes = core.table.new(0, #nodes)
+
+ for i = 1, #nodes do
+ local host, port = nodes[i].host, nodes[i].port
+ new_nodes[host .. ":" .. tostring(port)] = 1
+ end
+
+ return new_nodes
+end
+
+
+local function get_chaitin_server(metadata, ctx)
+ if not global_server_picker or global_server_picker.upstream ~=
metadata.value.nodes then
+ local up_nodes = get_healthy_chaitin_server_nodes(metadata.value)
+ if core.table.nkeys(up_nodes) == 0 then
+ return nil, nil, "no healthy nodes"
+ end
+ core.log.info("chaitin-waf nodes: ", core.json.delay_encode(up_nodes))
+
+ global_server_picker = rr_balancer.new(up_nodes, metadata.value.nodes)
+ end
+
+ local server = global_server_picker.get(ctx)
+ local host, port, err = core.utils.parse_addr(server)
+ if err then
+ return nil, nil, err
+ end
+
+ return host, port, nil
+end
+
+
+local function check_match(conf, ctx)
+ local match_passed = true
+
+ if conf.match then
+ for _, match in ipairs(conf.match) do
+ -- todo: use lrucache to cache the result
+ local exp, err = expr.new(match.vars)
+ if err then
+ local msg = "failed to create match expression for " ..
+ tostring(match.vars) .. ", err: " .. tostring(err)
+ core.log.error(msg)
+ return false, msg
+ end
+
+ match_passed = exp:eval(ctx.var)
+ if match_passed then
+ break
+ end
+ end
+ end
+
+ return match_passed, nil
+end
+
+
+local function get_conf(conf, metadata)
+ local t = {
+ mode = "block",
+ }
+
+ if metadata.config then
+ t.connect_timeout = metadata.config.connect_timeout
+ t.send_timeout = metadata.config.send_timeout
+ t.read_timeout = metadata.config.read_timeout
+ t.req_body_size = metadata.config.req_body_size
+ t.keepalive_size = metadata.config.keepalive_size
+ t.keepalive_timeout = metadata.config.keepalive_timeout
+ end
+
+ if conf.config then
+ t.connect_timeout = conf.config.connect_timeout
+ t.send_timeout = conf.config.send_timeout
+ t.read_timeout = conf.config.read_timeout
+ t.req_body_size = conf.config.req_body_size
+ t.keepalive_size = conf.config.keepalive_size
+ t.keepalive_timeout = conf.config.keepalive_timeout
+ end
+
+ return t
+end
+
+
+local function do_access(conf, ctx)
+ local extra_headers = {}
+
+ local match, err = check_match(conf, ctx)
+ if not match then
+ if err then
+ extra_headers[HEADER_CHAITIN_WAF] = "err"
+ extra_headers[HEADER_CHAITIN_WAF_ERROR] = tostring(err)
+ return 500, nil, extra_headers
+ else
+ extra_headers[HEADER_CHAITIN_WAF] = "no"
+ return nil, nil, extra_headers
+ end
+ end
+
+ local metadata = plugin.plugin_metadata(plugin_name)
+ if not core.table.try_read_attr(metadata, "value", "nodes") then
+ extra_headers[HEADER_CHAITIN_WAF] = "err"
+ extra_headers[HEADER_CHAITIN_WAF_ERROR] = "missing metadata"
+ return 500, nil, extra_headers
+ end
+
+ local host, port, err = get_chaitin_server(metadata, ctx)
+ if err then
+ extra_headers[HEADER_CHAITIN_WAF] = "unhealthy"
+ extra_headers[HEADER_CHAITIN_WAF_ERROR] = tostring(err)
+
+ return 500, nil, extra_headers
+ end
+
+ core.log.info("picked chaitin-waf server: ", host, ":", port)
+
+ local t = get_conf(conf, metadata.value)
+ t.host = host
+ t.port = port
+
+ extra_headers[HEADER_CHAITIN_WAF_SERVER] = host
+ extra_headers[HEADER_CHAITIN_WAF] = "yes"
+
+ local start_time = ngx_now() * 1000
+ local ok, err, result = t1k.do_access(t, false)
+ if not ok then
+ extra_headers[HEADER_CHAITIN_WAF] = "waf-err"
+ local err_msg = tostring(err)
+ if core.string.find(err_msg, "timeout") then
+ extra_headers[HEADER_CHAITIN_WAF] = "timeout"
+ end
+ extra_headers[HEADER_CHAITIN_WAF_ERROR] = tostring(err)
+ else
+ extra_headers[HEADER_CHAITIN_WAF_ACTION] = "pass"
+ end
+ extra_headers[HEADER_CHAITIN_WAF_TIME] = ngx_now() * 1000 - start_time
+
+ local code = 200
+ extra_headers[HEADER_CHAITIN_WAF_STATUS] = code
+ if result then
+ if result.status then
+ code = result.status
+ extra_headers[HEADER_CHAITIN_WAF_STATUS] = code
+ extra_headers[HEADER_CHAITIN_WAF_ACTION] = "reject"
+
+ core.log.error("request rejected by chaitin-waf, event_id: " ..
result.event_id)
+ return tonumber(code), fmt(blocked_message, code,
+ result.event_id) .. "\n", extra_headers
+ end
+ end
+ if not ok then
+ extra_headers[HEADER_CHAITIN_WAF_STATUS] = nil
+ end
+
+ return nil, nil, extra_headers
+end
+
+
+function _M.access(conf, ctx)
+ local code, msg, extra_headers = do_access(conf, ctx)
+
+ if not conf.append_waf_debug_header then
+ extra_headers[HEADER_CHAITIN_WAF_ERROR] = nil
+ extra_headers[HEADER_CHAITIN_WAF_SERVER] = nil
+ end
+
+ if conf.append_waf_resp_header then
+ core.response.set_header(extra_headers)
+ end
+
+ return code, msg
+end
+
+
+function _M.header_filter(conf, ctx)
+ t1k.do_header_filter()
+end
+
+
+return _M
diff --git a/conf/config-default.yaml b/conf/config-default.yaml
index 3115749d0..359e2c2d8 100755
--- a/conf/config-default.yaml
+++ b/conf/config-default.yaml
@@ -450,6 +450,7 @@ plugins: # plugin list (sorted by
priority)
- csrf # priority: 2980
- uri-blocker # priority: 2900
- request-validation # priority: 2800
+ - chaitin-waf # priority: 2700
- openid-connect # priority: 2599
- cas-auth # priority: 2597
- authz-casbin # priority: 2560
diff --git a/docs/en/latest/config.json b/docs/en/latest/config.json
index 64e717c1b..e564dc7d0 100644
--- a/docs/en/latest/config.json
+++ b/docs/en/latest/config.json
@@ -126,7 +126,8 @@
"plugins/consumer-restriction",
"plugins/csrf",
"plugins/public-api",
- "plugins/gm"
+ "plugins/gm",
+ "plugins/chaitin-waf"
]
},
{
diff --git a/docs/en/latest/plugins/chaitin-waf.md
b/docs/en/latest/plugins/chaitin-waf.md
new file mode 100644
index 000000000..620672840
--- /dev/null
+++ b/docs/en/latest/plugins/chaitin-waf.md
@@ -0,0 +1,253 @@
+---
+title: chaitin-waf
+keywords:
+ - Apache APISIX
+ - API Gateway
+ - Plugin
+ - WAF
+description: This document contains basic information about the Apache APISIX
`chaitin-waf` plugin.
+---
+
+<!--
+#
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+-->
+
+## Description
+
+After enabling the chaitin-waf plugin, the traffic will be forwarded to the
Chaitin WAF service for the detection and prevention of various web application
attacks, ensuring the security of the application and user data.
+
+## Response Headers
+
+Depending on the plugin configuration, it is optional to add additional
response headers.
+
+The response headers are listed below:
+
+- **X-APISIX-CHAITIN-WAF**: Whether APISIX forwards the request to the WAF
server.
+ - yes: forwarded
+ - no: no forwarded
+ - unhealthy: matches the match variables, but no WAF server is available.
+ - err: an error occurred during the execution of the plugin. Also with
**X-APISIX-CHAITIN-WAF-ERROR** request header
+ - waf-err: Error while interacting with the WAF server. Also with
**X-APISIX-CHAITIN-WAF-ERROR** request header
+ - timeout: Timeout for request to the WAF server
+- **X-APISIX-CHAITIN-WAF-ERROR**: Debug header. WAF error message
+- **X-APISIX-CHAITIN-WAF-TIME**: The time in milliseconds that APISIX spent
interacting with WAF.
+- **X-APISIX-CHAITIN-WAF-STATUS**: The status code returned to APISIX by the
WAF server.
+- **X-APISIX-CHAITIN-WAF-ACTION**: Processing result returned to APISIX by the
WAF server.
+ - pass: request valid and passed
+ - reject: request rejected by WAF service
+- **X-APISIX-CHAITIN-WAF-SERVER**: Debug header. Picked WAF server.
+
+## Plugin Metadata
+
+| Name | Type | Required | Default value
| Description
|
+|--------------------------|---------------|----------|-----------------------------|------------------------------------------------------------------------------------------------------------------------------|
+| nodes | array(object) | true |
| A list of addresses for the Chaitin SafeLine WAF service.
|
+| nodes[0].host | string | true |
| The address of Chaitin SafeLine WAF service. Supports IPV4, IPV6, Unix
Socket, etc. |
+| nodes[0].port | string | false | 80
| The port of Chaitin SafeLine WAF service.
|
+| config | object | false |
| Configuration of the Chaitin SafeLine WAF service. The parameters
configured here will be used when route is not configured. |
+| config.connect_timeout | integer | false | 1000
| connect timeout, in milliseconds
|
+| config.send_timeout | integer | false | 1000
| send timeout, in milliseconds
|
+| config.read_timeout | integer | false | 1000
| read timeout, in milliseconds
|
+| config.req_body_size | integer | false | 1024
| request body size, in KB
|
+| config.keepalive_size | integer | false | 256
| maximum concurrent idle connections to the SafeLine WAF detection
service |
+| config.keepalive_timeout | integer | false | 60000
| idle connection timeout, in milliseconds
|
+
+An example configuration is as follows.
+
+```bash
+curl http://127.0.0.1:9180/apisix/admin/plugin_metadata/chaitin-waf -H
'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -d '
+{
+ "nodes":[
+ {
+ "host": "unix:/path/to/safeline/resources/detector/snserver.sock",
+ "port": 8000
+ }
+ ]
+}'
+```
+
+## Attributes
+
+| Name | Type | Required | Default value |
Description
|
+|--------------------------|---------------|----------|---------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| match | array[object] | false | | The
list of matching rules, default is empty
|
+| match.vars | array[array] | false | | List
of variables to match for filtering requests for conditional traffic split. It
is in the format `{variable operator value}`. For example, `{"arg_name", "==",
"json"}`. The variables here are consistent with NGINX internal variables. For
details on supported operators,
[lua-resty-expr](https://github.com/api7/lua-resty-expr#operator-list). |
+| add_header | bool | false | true |
Whether to add response headers
|
+| add_debug_header | bool | false | false |
Whether or not to add debugging headers, effective when `add_header` is `true`.
|
+| config | object | false | |
Configuration of the Chaitin SafeLine WAF service. When the route is not
configured, the parameters configured in the metadata are used.
|
+| config.connect_timeout | integer | false | |
connect timeout, in milliseconds
|
+| config.send_timeout | integer | false | | send
timeout, in milliseconds
|
+| config.read_timeout | integer | false | | read
timeout, in milliseconds
|
+| config.req_body_size | integer | false | |
request body size, in KB
|
+| config.keepalive_size | integer | false | |
maximum concurrent idle connections to the SafeLine WAF detection service
|
+| config.keepalive_timeout | integer | false | | idle
connection timeout, in milliseconds
|
+
+A sample configuration is shown below, using `httpbun.org` as the example
backend, which can be replaced as needed:
+
+```bash
+curl http://127.0.0.1:9180/apisix/admin/routes/1 -H 'X-API-KEY:
edd1c9f034335f136f87ad84b625c8f1' -X PUT -d '
+{
+ "uri": "/*",
+ "plugins": {
+ "chaitin-waf": {
+ "match": [
+ {
+ "vars": [
+ ["http_waf","==","true"]
+ ]
+ }
+ ]
+ }
+ },
+ "upstream": {
+ "type": "roundrobin",
+ "nodes": {
+ "httpbun.org:80": 1
+ }
+ }
+}'
+```
+
+## Test Plugin
+
+Test the above example configuration.
+
+If the match condition is not met, the request can be reached normally:
+
+```bash
+curl -H "Host: httpbun.org" http://127.0.0.1:9080/get -i
+
+HTTP/1.1 200 OK
+Content-Type: application/json
+Content-Length: 408
+Connection: keep-alive
+X-APISIX-CHAITIN-WAF: no
+Date: Wed, 19 Jul 2023 09:30:42 GMT
+X-Powered-By: httpbun/3c0dc05883dd9212ac38b04705037d50b02f2596
+Server: APISIX/3.3.0
+
+{
+ "args": {},
+ "headers": {
+ "Accept": "*/*",
+ "Connection": "close",
+ "Host": "httpbun.org",
+ "User-Agent": "curl/8.1.2",
+ "X-Forwarded-For": "127.0.0.1",
+ "X-Forwarded-Host": "httpbun.org",
+ "X-Forwarded-Port": "9080",
+ "X-Forwarded-Proto": "http",
+ "X-Real-Ip": "127.0.0.1"
+ },
+ "method": "GET",
+ "origin": "127.0.0.1, 122.231.76.178",
+ "url": "http://httpbun.org/get";
+}
+```
+
+Potential injection requests are also forwarded as is and encounter a 404
error:
+
+```bash
+curl -H "Host: httpbun.org" http://127.0.0.1:9080/getid=1%20AND%201=1 -i
+
+HTTP/1.1 404 Not Found
+Content-Type: text/plain; charset=utf-8
+Content-Length: 19
+Connection: keep-alive
+X-APISIX-CHAITIN-WAF: no
+Date: Wed, 19 Jul 2023 09:30:28 GMT
+X-Content-Type-Options: nosniff
+X-Powered-By: httpbun/3c0dc05883dd9212ac38b04705037d50b02f2596
+Server: APISIX/3.3.0
+
+404 page not found
+```
+
+Normal requests are still reachable when the match condition is met:
+
+```bash
+curl -H "Host: httpbun.org" -H "waf: true" http://127.0.0.1:9080/get -i
+
+HTTP/1.1 200 OK
+Content-Type: application/json
+Content-Length: 427
+Connection: keep-alive
+X-APISIX-CHAITIN-WAF-TIME: 2
+X-APISIX-CHAITIN-WAF-STATUS: 200
+X-APISIX-CHAITIN-WAF: yes
+X-APISIX-CHAITIN-WAF-ACTION: pass
+Date: Wed, 19 Jul 2023 09:29:58 GMT
+X-Powered-By: httpbun/3c0dc05883dd9212ac38b04705037d50b02f2596
+Server: APISIX/3.3.0
+
+{
+ "args": {},
+ "headers": {
+ "Accept": "*/*",
+ "Connection": "close",
+ "Host": "httpbun.org",
+ "User-Agent": "curl/8.1.2",
+ "Waf": "true",
+ "X-Forwarded-For": "127.0.0.1",
+ "X-Forwarded-Host": "httpbun.org",
+ "X-Forwarded-Port": "9080",
+ "X-Forwarded-Proto": "http",
+ "X-Real-Ip": "127.0.0.1"
+ },
+ "method": "GET",
+ "origin": "127.0.0.1, 122.231.76.178",
+ "url": "http://httpbun.org/get";
+}
+```
+
+Potential attack requests will be intercepted and returned a 403 error:
+
+```bash
+curl -H "Host: httpbun.org" -H "waf: true"
http://127.0.0.1:9080/getid=1%20AND%201=1 -i
+
+HTTP/1.1 403 Forbidden
+Date: Wed, 19 Jul 2023 09:29:06 GMT
+Content-Type: text/plain; charset=utf-8
+Transfer-Encoding: chunked
+Connection: keep-alive
+X-APISIX-CHAITIN-WAF: yes
+X-APISIX-CHAITIN-WAF-TIME: 2
+X-APISIX-CHAITIN-WAF-ACTION: reject
+X-APISIX-CHAITIN-WAF-STATUS: 403
+Server: APISIX/3.3.0
+Set-Cookie: sl-session=UdywdGL+uGS7q8xMfnJlbQ==; Domain=; Path=/; Max-Age=86400
+
+{"code": 403, "success":false, "message": "blocked by Chaitin SafeLine Web
Application Firewall", "event_id": "51a268653f2c4189bfa3ec66afbcb26d"}
+```
+
+## Delete Plugin
+
+To remove the `chaitin-waf` plugin, you can delete the corresponding JSON
configuration from the Plugin configuration. APISIX will automatically reload
and you do not have to restart for this to take effect:
+
+```bash
+$ curl http://127.0.0.1:9180/apisix/admin/routes/1 -H 'X-API-KEY:
edd1c9f034335f136f87ad84b625c8f1' -X PUT -d '
+{
+ "uri": "/*",
+ "upstream": {
+ "type": "roundrobin",
+ "nodes": {
+ "httpbun.org:80": 1
+ }
+ }
+}'
+```
diff --git a/docs/zh/latest/config.json b/docs/zh/latest/config.json
index 98db5b6a8..8e13d3e1e 100644
--- a/docs/zh/latest/config.json
+++ b/docs/zh/latest/config.json
@@ -104,7 +104,8 @@
"plugins/consumer-restriction",
"plugins/csrf",
"plugins/public-api",
- "plugins/gm"
+ "plugins/gm",
+ "plugins/chaitin-waf"
]
},
{
diff --git a/docs/zh/latest/plugins/chaitin-waf.md
b/docs/zh/latest/plugins/chaitin-waf.md
new file mode 100644
index 000000000..2657ed66c
--- /dev/null
+++ b/docs/zh/latest/plugins/chaitin-waf.md
@@ -0,0 +1,253 @@
+---
+title: chaitin-waf
+keywords:
+ - Apache APISIX
+ - API 网关
+ - Plugin
+ - WAF
+description: 本文介绍了关于 Apache APISIX `chaitin-waf` 插件的基本信息及使用方法。
+---
+
+<!--
+#
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+-->
+
+## 描述
+
+在启用 `chaitin-waf` 插件后,流量将被转发给长亭 WAF 服务,用以检测和防止各种 Web 应用程序攻击,以保护应用程序和用户数据的安全。
+
+## 响应头
+
+根据插件配置,可以选择是否附加额外的响应头。
+
+响应头的信息如下:
+
+- **X-APISIX-CHAITIN-WAF**:APISIX 是否将请求转发给 WAF 服务器。
+ - yes:转发
+ - no:不转发
+ - unhealthy:符合匹配条件,但没有可用的 WAF 服务器
+ - err:插件执行过程中出错。此时会附带 **X-APISIX-CHAITIN-WAF-ERROR** 请求头
+ - waf-err:与 WAF 服务器交互时出错。此时会附带 **X-APISIX-CHAITIN-WAF-ERROR** 请求头
+ - timeout:与 WAF 服务器的交互超时
+- **X-APISIX-CHAITIN-WAF-ERROR**:调试用响应头。APISIX 与 WAF 交互时的错误信息。
+- **X-APISIX-CHAITIN-WAF-TIME**:APISIX 与 WAF 交互所耗费的时间,单位是毫秒。
+- **X-APISIX-CHAITIN-WAF-STATUS**:WAF 服务器返回给 APISIX 的状态码。
+- **X-APISIX-CHAITIN-WAF-ACTION**:WAF 服务器返回给 APISIX 的处理结果。
+ - pass:请求合法
+ - reject:请求被 WAF 服务器拒绝
+- **X-APISIX-CHAITIN-WAF-SERVER**:调试用响应头。所使用的 WAF 服务器。
+
+## 插件元数据
+
+| 名称 | 类型 | 必选项 | 默认值
| 描述
|
+|--------------------------|---------------|-----|-----------------------------|-------------------------------------------------------------------------------------------------------------|
+| nodes | array(object) | 必选 |
| 长亭 WAF 的地址列表。
|
+| nodes[0].host | string | 必选 |
| 长亭 WAF 的地址,支持 IPV4、IPV6、Unix Socket 等配置方式。
|
+| nodes[0].port | string | 可选 | 80
| 长亭 WAF 的端口。
|
+| config | object | 否 |
| 长亭 WAF 服务的配置参数值。当路由没有配置时将使用这里所配置的参数。
|
+| config.connect_timeout | integer | 否 | 1000
| connect timeout, 毫秒
|
+| config.send_timeout | integer | 否 | 1000
| send timeout, 毫秒
|
+| config.read_timeout | integer | 否 | 1000
| read timeout, 毫秒
|
+| config.req_body_size | integer | 否 | 1024
| 请求体大小,单位为 KB
|
+| config.keepalive_size | integer | 否 | 256
| 长亭 WAF 服务的最大并发空闲连接数
|
+| config.keepalive_timeout | integer | 否 | 60000
| 空闲链接超时,毫秒
|
+
+一个典型的示例配置如下:
+
+```bash
+curl http://127.0.0.1:9180/apisix/admin/plugin_metadata/chaitin-waf -H
'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -d '
+{
+ "nodes":[
+ {
+ "host": "unix:/path/to/safeline/resources/detector/snserver.sock",
+ "port": 8000
+ }
+ ]
+}'
+```
+
+## 属性
+
+| 名称 | 类型 | 必选项 | 默认值 | 描述
|
+|--------------------------|---------------|-----|-------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| match | array[object] | 否 | |
匹配规则列表,默认为空且规则将被无条件执行。
|
+| match.vars | array[array] | 否 | | 由一个或多个 `{var,
operator, val}` 元素组成的列表,例如:`{"arg_name", "==", "json"}`,表示当前请求参数 `name` 是
`json`。这里的 `var` 与 NGINX 内部自身变量命名是保持一致,所以也可以使用 `request_uri`、`host`
等;对于已支持的运算符,具体用法请参考
[lua-resty-expr](https://github.com/api7/lua-resty-expr#operator-list) 的
`operator-list` 部分。 |
+| add_header | bool | 否 | true | 是否添加响应头
|
+| add_debug_header | bool | 否 | false |
是否添加调试用响应头,`add_header` 为 `true` 时才生效
|
+| config | object | 否 | | 长亭 WAF
服务的配置参数值。当路由没有配置时将使用元数据里所配置的参数。
|
+| config.connect_timeout | integer | 否 | | connect timeout, 毫秒
|
+| config.send_timeout | integer | 否 | | send timeout, 毫秒
|
+| config.read_timeout | integer | 否 | | read timeout, 毫秒
|
+| config.req_body_size | integer | 否 | | 请求体大小,单位为 KB
|
+| config.keepalive_size | integer | 否 | | 长亭 WAF 服务的最大并发空闲连接数
|
+| config.keepalive_timeout | integer | 否 | | 空闲链接超时,毫秒
|
+
+一个典型的示例配置如下,这里使用 `httpbun.org` 作为示例后端,可以按需替换:
+
+```bash
+curl http://127.0.0.1:9180/apisix/admin/routes/1 -H 'X-API-KEY:
edd1c9f034335f136f87ad84b625c8f1' -X PUT -d '
+{
+ "uri": "/*",
+ "plugins": {
+ "chaitin-waf": {
+ "match": [
+ {
+ "vars": [
+ ["http_waf","==","true"]
+ ]
+ }
+ ]
+ }
+ },
+ "upstream": {
+ "type": "roundrobin",
+ "nodes": {
+ "httpbun.org:80": 1
+ }
+ }
+}'
+```
+
+## 测试插件
+
+以上述的示例配置为例进行测试。
+
+不满足匹配条件时,请求可以正常触达:
+
+```bash
+curl -H "Host: httpbun.org" http://127.0.0.1:9080/get -i
+
+HTTP/1.1 200 OK
+Content-Type: application/json
+Content-Length: 408
+Connection: keep-alive
+X-APISIX-CHAITIN-WAF: no
+Date: Wed, 19 Jul 2023 09:30:42 GMT
+X-Powered-By: httpbun/3c0dc05883dd9212ac38b04705037d50b02f2596
+Server: APISIX/3.3.0
+
+{
+ "args": {},
+ "headers": {
+ "Accept": "*/*",
+ "Connection": "close",
+ "Host": "httpbun.org",
+ "User-Agent": "curl/8.1.2",
+ "X-Forwarded-For": "127.0.0.1",
+ "X-Forwarded-Host": "httpbun.org",
+ "X-Forwarded-Port": "9080",
+ "X-Forwarded-Proto": "http",
+ "X-Real-Ip": "127.0.0.1"
+ },
+ "method": "GET",
+ "origin": "127.0.0.1, 122.231.76.178",
+ "url": "http://httpbun.org/get";
+}
+```
+
+面对潜在的注入请求也原样转发并遇到 404 错误:
+
+```bash
+curl -H "Host: httpbun.org" http://127.0.0.1:9080/getid=1%20AND%201=1 -i
+
+HTTP/1.1 404 Not Found
+Content-Type: text/plain; charset=utf-8
+Content-Length: 19
+Connection: keep-alive
+X-APISIX-CHAITIN-WAF: no
+Date: Wed, 19 Jul 2023 09:30:28 GMT
+X-Content-Type-Options: nosniff
+X-Powered-By: httpbun/3c0dc05883dd9212ac38b04705037d50b02f2596
+Server: APISIX/3.3.0
+
+404 page not found
+```
+
+当满足匹配条件时,正常请求依然可以触达上游:
+
+```bash
+curl -H "Host: httpbun.org" -H "waf: true" http://127.0.0.1:9080/get -i
+
+HTTP/1.1 200 OK
+Content-Type: application/json
+Content-Length: 427
+Connection: keep-alive
+X-APISIX-CHAITIN-WAF-TIME: 2
+X-APISIX-CHAITIN-WAF-STATUS: 200
+X-APISIX-CHAITIN-WAF: yes
+X-APISIX-CHAITIN-WAF-ACTION: pass
+Date: Wed, 19 Jul 2023 09:29:58 GMT
+X-Powered-By: httpbun/3c0dc05883dd9212ac38b04705037d50b02f2596
+Server: APISIX/3.3.0
+
+{
+ "args": {},
+ "headers": {
+ "Accept": "*/*",
+ "Connection": "close",
+ "Host": "httpbun.org",
+ "User-Agent": "curl/8.1.2",
+ "Waf": "true",
+ "X-Forwarded-For": "127.0.0.1",
+ "X-Forwarded-Host": "httpbun.org",
+ "X-Forwarded-Port": "9080",
+ "X-Forwarded-Proto": "http",
+ "X-Real-Ip": "127.0.0.1"
+ },
+ "method": "GET",
+ "origin": "127.0.0.1, 122.231.76.178",
+ "url": "http://httpbun.org/get";
+}
+```
+
+而潜在的攻击请求将会被拦截并返回 403 错误:
+
+```bash
+curl -H "Host: httpbun.org" -H "waf: true"
http://127.0.0.1:9080/getid=1%20AND%201=1 -i
+
+HTTP/1.1 403 Forbidden
+Date: Wed, 19 Jul 2023 09:29:06 GMT
+Content-Type: text/plain; charset=utf-8
+Transfer-Encoding: chunked
+Connection: keep-alive
+X-APISIX-CHAITIN-WAF: yes
+X-APISIX-CHAITIN-WAF-TIME: 2
+X-APISIX-CHAITIN-WAF-ACTION: reject
+X-APISIX-CHAITIN-WAF-STATUS: 403
+Server: APISIX/3.3.0
+Set-Cookie: sl-session=UdywdGL+uGS7q8xMfnJlbQ==; Domain=; Path=/; Max-Age=86400
+
+{"code": 403, "success":false, "message": "blocked by Chaitin SafeLine Web
Application Firewall", "event_id": "51a268653f2c4189bfa3ec66afbcb26d"}
+```
+
+## 删除插件
+
+当你需要删除该插件时,可以通过以下命令删除相应的 JSON 配置,APISIX 将会自动重新加载相关配置,无需重启服务:
+
+```bash
+$ curl http://127.0.0.1:9180/apisix/admin/routes/1 -H 'X-API-KEY:
edd1c9f034335f136f87ad84b625c8f1' -X PUT -d '
+{
+ "uri": "/*",
+ "upstream": {
+ "type": "roundrobin",
+ "nodes": {
+ "httpbun.org:80": 1
+ }
+ }
+}'
+```
diff --git a/rockspec/apisix-master-0.rockspec
b/rockspec/apisix-master-0.rockspec
index f6cb44c46..c0abef20c 100644
--- a/rockspec/apisix-master-0.rockspec
+++ b/rockspec/apisix-master-0.rockspec
@@ -77,7 +77,8 @@ dependencies = {
"xml2lua = 1.5-2",
"nanoid = 0.1-1",
"lua-resty-mediador = 0.1.2-1",
- "lua-resty-ldap = 0.2.2-0"
+ "lua-resty-ldap = 0.2.2-0",
+ "lua-resty-t1k = 1.0.3"
}
build = {
diff --git a/t/admin/plugins.t b/t/admin/plugins.t
index 53bb82df8..e7bcf09e9 100644
--- a/t/admin/plugins.t
+++ b/t/admin/plugins.t
@@ -74,6 +74,7 @@ referer-restriction
csrf
uri-blocker
request-validation
+chaitin-waf
openid-connect
cas-auth
authz-casbin
diff --git a/t/lib/chaitin_waf_server.lua b/t/lib/chaitin_waf_server.lua
new file mode 100644
index 000000000..4130bd019
--- /dev/null
+++ b/t/lib/chaitin_waf_server.lua
@@ -0,0 +1,60 @@
+--
+-- Licensed to the Apache Software Foundation (ASF) under one or more
+-- contributor license agreements. See the NOTICE file distributed with
+-- this work for additional information regarding copyright ownership.
+-- The ASF licenses this file to You under the Apache License, Version 2.0
+-- (the "License"); you may not use this file except in compliance with
+-- the License. You may obtain a copy of the License at
+--
+-- http://www.apache.org/licenses/LICENSE-2.0
+--
+-- Unless required by applicable law or agreed to in writing, software
+-- distributed under the License is distributed on an "AS IS" BASIS,
+-- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+-- See the License for the specific language governing permissions and
+-- limitations under the License.
+--
+local _M = {}
+
+local function get_socket()
+ ngx.flush(true)
+ local sock, err = ngx.req.socket(true)
+ if not sock then
+ ngx.log(ngx.ERR, "failed to get the request socket: " .. tostring(err))
+ return nil
+ end
+ return sock
+end
+
+function _M.pass()
+ local sock = get_socket()
+ sock:send({ string.char(65), string.char(1), string.char(0),
string.char(0), string.char(0) })
+ sock:send(".")
+ sock:send({ string.char(165), string.char(77), string.char(0),
string.char(0), string.char(0) })
+
sock:send("{\"event_id\":\"1e902e84bf5a4ead8f7760a0fe2c7719\",\"request_hit_whitelist\":false}")
+
+ ngx.exit(200)
+end
+
+function _M.reject()
+ local sock = get_socket()
+ sock:send({ string.char(65), string.char(1), string.char(0),
string.char(0), string.char(0) })
+ sock:send("?")
+ sock:send({ string.char(2), string.char(3), string.char(0),
string.char(0), string.char(0) })
+ sock:send("403")
+ sock:send({ string.char(37), string.char(77), string.char(0),
string.char(0), string.char(0) })
+
sock:send("{\"event_id\":\"b3c6ce574dc24f09a01f634a39dca83b\",\"request_hit_whitelist\":false}")
+ sock:send({ string.char(35), string.char(79), string.char(0),
string.char(0), string.char(0) })
+ sock:send("Set-Cookie:sl-session=ulgbPfMSuWRNsi/u7Aj9aA==; Domain=;
Path=/; Max-Age=86400\n")
+ sock:send({ string.char(164), string.char(51), string.char(0),
string.char(0), string.char(0) })
+ sock:send("<!-- event_id: b3c6ce574dc24f09a01f634a39dca83b -->")
+
+ ngx.exit(200)
+end
+
+function _M.timeout()
+ ngx.sleep(100)
+ _M.pass()
+end
+
+return _M
diff --git a/t/plugin/chaitin-waf-reject.t b/t/plugin/chaitin-waf-reject.t
new file mode 100644
index 000000000..262ed28f0
--- /dev/null
+++ b/t/plugin/chaitin-waf-reject.t
@@ -0,0 +1,139 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+use t::APISIX 'no_plan';
+
+repeat_each(1);
+no_long_string();
+no_root_location();
+
+add_block_preprocessor(sub {
+ my ($block) = @_;
+
+ my $stream_default_server = <<_EOC_;
+ server {
+ listen 8088;
+ listen 8089;
+ content_by_lua_block {
+ require("lib.chaitin_waf_server").reject()
+ }
+ }
+_EOC_
+
+ $block->set_value("extra_stream_config", $stream_default_server);
+ $block->set_value("stream_conf_enable", 1);
+
+ # setup default conf.yaml
+ my $extra_yaml_config = $block->extra_yaml_config // <<_EOC_;
+apisix:
+ stream_proxy: # TCP/UDP L4 proxy
+ only: true # Enable L4 proxy only without L7 proxy.
+ tcp:
+ - addr: 9100 # Set the TCP proxy listening ports.
+ tls: true
+ - addr: "127.0.0.1:9101"
+ udp: # Set the UDP proxy listening ports.
+ - 9200
+ - "127.0.0.1:9201"
+_EOC_
+
+ $block->set_value("extra_yaml_config", $extra_yaml_config);
+
+ if (!$block->request) {
+ # use /do instead of /t because stream server will inject a default /t
location
+ $block->set_value("request", "GET /do");
+ }
+
+ if ((!defined $block->error_log) && (!defined $block->no_error_log)) {
+ $block->set_value("no_error_log", "[error]");
+ }
+});
+
+run_tests;
+
+__DATA__
+
+=== TEST 1: set route
+--- config
+ location /do {
+ content_by_lua_block {
+ local t = require("lib.test_admin").test
+ local code, body = t('/apisix/admin/plugin_metadata/chaitin-waf',
+ ngx.HTTP_PUT,
+ [[{
+ "nodes": [
+ {
+ "host": "127.0.0.1",
+ "port": 8088
+ },
+ {
+ "host": "127.0.0.1",
+ "port": 8089
+ }
+ ]
+ }]]
+ )
+
+ if code >= 300 then
+ ngx.status = code
+ return ngx.print(body)
+ end
+
+ local code, body = t('/apisix/admin/routes/1',
+ ngx.HTTP_PUT,
+ [[{
+ "methods": ["GET"],
+ "plugins": {
+ "chaitin-waf": {
+ "upstream": {
+ "servers": ["httpbun.org"]
+ }
+ }
+ },
+ "upstream": {
+ "nodes": {
+ "127.0.0.1:1980": 1
+ },
+ "type": "roundrobin"
+ },
+ "uri": "/*"
+ }]]
+ )
+
+ if code >= 300 then
+ ngx.status = code
+ end
+ ngx.say(body)
+ }
+ }
+--- response_body
+passed
+
+
+
+=== TEST 2: pass
+--- request
+GET /hello
+--- error_code: 403
+--- response_body
+{"code": 403, "success":false, "message": "blocked by Chaitin SafeLine Web
Application Firewall", "event_id": "b3c6ce574dc24f09a01f634a39dca83b"}
+--- error_log
+--- response_headers
+X-APISIX-CHAITIN-WAF: yes
+X-APISIX-CHAITIN-WAF-STATUS: 403
+X-APISIX-CHAITIN-WAF-ACTION: reject
+--- response_headers_like
+X-APISIX-CHAITIN-WAF-TIME:
diff --git a/t/plugin/chaitin-waf-timeout.t b/t/plugin/chaitin-waf-timeout.t
new file mode 100644
index 000000000..063f1bc4e
--- /dev/null
+++ b/t/plugin/chaitin-waf-timeout.t
@@ -0,0 +1,139 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+use t::APISIX 'no_plan';
+
+repeat_each(1);
+no_long_string();
+no_root_location();
+
+add_block_preprocessor(sub {
+ my ($block) = @_;
+
+ my $stream_default_server = <<_EOC_;
+ server {
+ listen 8088;
+ listen 8089;
+ content_by_lua_block {
+ require("lib.chaitin_waf_server").timeout()
+ }
+ }
+_EOC_
+
+ $block->set_value("extra_stream_config", $stream_default_server);
+ $block->set_value("stream_conf_enable", 1);
+
+ # setup default conf.yaml
+ my $extra_yaml_config = $block->extra_yaml_config // <<_EOC_;
+apisix:
+ stream_proxy: # TCP/UDP L4 proxy
+ only: true # Enable L4 proxy only without L7 proxy.
+ tcp:
+ - addr: 9100 # Set the TCP proxy listening ports.
+ tls: true
+ - addr: "127.0.0.1:9101"
+ udp: # Set the UDP proxy listening ports.
+ - 9200
+ - "127.0.0.1:9201"
+plugins:
+ - chaitin-waf
+_EOC_
+
+ $block->set_value("extra_yaml_config", $extra_yaml_config);
+
+ if (!$block->request) {
+ # use /do instead of /t because stream server will inject a default /t
location
+ $block->set_value("request", "GET /do");
+ }
+
+ if ((!defined $block->error_log) && (!defined $block->no_error_log)) {
+ $block->set_value("no_error_log", "[error]");
+ }
+});
+
+run_tests;
+
+__DATA__
+
+=== TEST 1: set route
+--- config
+ location /do {
+ content_by_lua_block {
+ local t = require("lib.test_admin").test
+ local code, body = t('/apisix/admin/plugin_metadata/chaitin-waf',
+ ngx.HTTP_PUT,
+ [[{
+ "nodes": [
+ {
+ "host": "127.0.0.1",
+ "port": 8088
+ },
+ {
+ "host": "127.0.0.1",
+ "port": 8089
+ }
+ ]
+ }]]
+ )
+
+ if code >= 300 then
+ ngx.status = code
+ return ngx.print(body)
+ end
+
+ local code, body = t('/apisix/admin/routes/1',
+ ngx.HTTP_PUT,
+ [[{
+ "methods": ["GET"],
+ "plugins": {
+ "chaitin-waf": {
+ "upstream": {
+ "servers": ["httpbun.org"]
+ }
+ }
+ },
+ "upstream": {
+ "nodes": {
+ "127.0.0.1:1980": 1
+ },
+ "type": "roundrobin"
+ },
+ "uri": "/*"
+ }]]
+ )
+
+ if code >= 300 then
+ ngx.status = code
+ end
+ ngx.say(body)
+ }
+ }
+--- response_body
+passed
+
+
+
+=== TEST 2: timeout
+--- request
+GET /hello
+--- error_code: 200
+--- response_body
+hello world
+--- error_log
+--- response_headers
+X-APISIX-CHAITIN-WAF: timeout
+--- response_headers_like
+X-APISIX-CHAITIN-WAF-TIME:
diff --git a/t/plugin/chaitin-waf.t b/t/plugin/chaitin-waf.t
new file mode 100644
index 000000000..e2ee42f93
--- /dev/null
+++ b/t/plugin/chaitin-waf.t
@@ -0,0 +1,267 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+use t::APISIX 'no_plan';
+
+repeat_each(1);
+no_long_string();
+no_root_location();
+
+add_block_preprocessor(sub {
+ my ($block) = @_;
+
+ my $stream_default_server = <<_EOC_;
+ server {
+ listen 8088;
+ listen 8089;
+ content_by_lua_block {
+ require("lib.chaitin_waf_server").pass()
+ }
+ }
+_EOC_
+
+ $block->set_value("extra_stream_config", $stream_default_server);
+ $block->set_value("stream_conf_enable", 1);
+
+ # setup default conf.yaml
+ my $extra_yaml_config = $block->extra_yaml_config // <<_EOC_;
+apisix:
+ stream_proxy: # TCP/UDP L4 proxy
+ only: true # Enable L4 proxy only without L7 proxy.
+ tcp:
+ - addr: 9100 # Set the TCP proxy listening ports.
+ tls: true
+ - addr: "127.0.0.1:9101"
+ udp: # Set the UDP proxy listening ports.
+ - 9200
+ - "127.0.0.1:9201"
+plugins:
+ - chaitin-waf
+_EOC_
+
+ $block->set_value("extra_yaml_config", $extra_yaml_config);
+
+ if (!$block->request) {
+ # use /do instead of /t because stream server will inject a default /t
location
+ $block->set_value("request", "GET /do");
+ }
+
+ if ((!defined $block->error_log) && (!defined $block->no_error_log)) {
+ $block->set_value("no_error_log", "[error]");
+ }
+});
+
+run_tests;
+
+__DATA__
+
+=== TEST 1: wrong schema: nodes empty
+--- config
+ location /do {
+ content_by_lua_block {
+ local t = require("lib.test_admin").test
+ local code, body = t('/apisix/admin/plugin_metadata/chaitin-waf',
+ ngx.HTTP_PUT,
+ [[{
+ "nodes": []
+ }
+ ]]
+ )
+
+ if code >= 300 then
+ ngx.status = code
+ end
+ ngx.print(body)
+ }
+ }
+--- error_code: 400
+--- response_body
+{"error_msg":"invalid configuration: property \"nodes\" validation failed:
expect array to have at least 1 items"}
+
+
+
+=== TEST 2: wrong schema: nodes misses host
+--- config
+ location /do {
+ content_by_lua_block {
+ local t = require("lib.test_admin").test
+ local code, body = t('/apisix/admin/plugin_metadata/chaitin-waf',
+ ngx.HTTP_PUT,
+ [[{
+ "nodes": [
+ {}
+ ]
+ }
+ ]]
+ )
+
+ if code >= 300 then
+ ngx.status = code
+ end
+ ngx.print(body)
+ }
+ }
+--- error_code: 400
+--- response_body
+{"error_msg":"invalid configuration: property \"nodes\" validation failed:
failed to validate item 1: property \"host\" is required"}
+
+
+
+=== TEST 3: sanity
+--- config
+ location /do {
+ content_by_lua_block {
+ local t = require("lib.test_admin").test
+ local code, body = t('/apisix/admin/plugin_metadata/chaitin-waf',
+ ngx.HTTP_PUT,
+ [[{
+ "nodes": [
+ {
+ "host": "127.0.0.1",
+ "port": 8088
+ },
+ {
+ "host": "127.0.0.1",
+ "port": 8089
+ }
+ ]
+ }]]
+ )
+
+ if code >= 300 then
+ ngx.status = code
+ return ngx.print(body)
+ end
+
+ local code, body = t('/apisix/admin/routes/1',
+ ngx.HTTP_PUT,
+ [[{
+ "methods": ["GET"],
+ "plugins": {
+ "chaitin-waf": {
+ "upstream": {
+ "servers": ["httpbun.org"]
+ }
+ }
+ },
+ "upstream": {
+ "nodes": {
+ "127.0.0.1:1980": 1
+ },
+ "type": "roundrobin"
+ },
+ "uri": "/*"
+ }]]
+ )
+
+ if code >= 300 then
+ ngx.status = code
+ end
+ ngx.say(body)
+ }
+ }
+--- response_body
+passed
+
+
+
+=== TEST 4: pass
+--- request
+GET /hello
+--- error_code: 200
+--- response_body
+hello world
+--- error_log
+--- response_headers
+X-APISIX-CHAITIN-WAF: yes
+X-APISIX-CHAITIN-WAF-STATUS: 200
+X-APISIX-CHAITIN-WAF-ACTION: pass
+--- response_headers_like
+X-APISIX-CHAITIN-WAF-TIME:
+
+
+
+=== TEST 5: match condition
+--- config
+ location /do {
+ content_by_lua_block {
+ local t = require("lib.test_admin").test
+ local code, body = t('/apisix/admin/routes/1',
+ ngx.HTTP_PUT,
+ [[{
+ "methods": ["GET"],
+ "plugins": {
+ "chaitin-waf": {
+ "upstream": {
+ "servers": ["httpbun.org"]
+ },
+ "match": [
+ {
+ "vars": [
+ ["http_waf","==","true"]
+ ]
+ }
+ ]
+ }
+ },
+ "upstream": {
+ "nodes": {
+ "127.0.0.1:1980": 1
+ },
+ "type": "roundrobin"
+ },
+ "uri": "/*"
+ }]]
+ )
+
+ if code >= 300 then
+ ngx.status = code
+ end
+ ngx.say(body)
+ }
+ }
+--- response_body
+passed
+
+
+
+=== TEST 6: no match
+--- request
+GET /hello
+--- error_code: 200
+--- response_body
+hello world
+--- error_log
+--- response_headers
+X-APISIX-CHAITIN-WAF: no
+
+
+
+=== TEST 7: matched
+--- request
+GET /hello
+--- more_headers
+waf: true
+--- error_code: 200
+--- response_body
+hello world
+--- error_log
+--- response_headers
+X-APISIX-CHAITIN-WAF: yes
+X-APISIX-CHAITIN-WAF-STATUS: 200
+X-APISIX-CHAITIN-WAF-ACTION: pass
+--- response_headers_like
+X-APISIX-CHAITIN-WAF-TIME:
