一、环境准备
基于 Nginx 整合 lua-module(ngx_lua);
这里直接使用 OpenResty(1.19.9.1),它已内置 ngx_lua 模块,无需单独编译 Nginx。
二、配置内容
1. server层处理 RequestParam 入参
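server {
    listen 7777;

    # Query-string filter. This `if` sits at server level, so it runs in the
    # server rewrite phase, before any location is matched and before the Lua
    # body check below; a request rejected here never reaches the backend.
    #
    # NOTE(review): this is a keyword denylist, not a WAF, and at best a
    # defense-in-depth layer - the backend must still use parameterized
    # queries and proper output encoding. Known limits of this check:
    #   - $query_string is matched raw (it is NOT URL-decoded), so
    #     percent-encoded payloads (e.g. %27 for the quote) are not decoded
    #     before matching.
    #   - Only the query string is inspected, not the path, headers or cookies.
    #   - Plain substrings are matched, so benign parameters that merely
    #     contain "and", "from", "class", "like", ... (e.g. ?brand=x or
    #     ?classId=1) are rejected too. Review the token list against real
    #     traffic before enabling it in production.
    if ($query_string ~* "('|--|union|insert|drop|truncate|update|from|grant|exec|where|select|and|chr|mid|like|iframe|script|alert|webscan|dbappsecurity|style|WAITFOR|confirm|innerhtml|innertext|class)") {
        return 403;
    }

    location / {
        # Request-body filter (path is relative to the nginx prefix).
        # rewrite_by_lua_file runs after the ngx_http_rewrite_module
        # directives of the same location, so a `return` or
        # `rewrite ... last` placed in this block would pre-empt it.
        rewrite_by_lua_file conf/conf/checkSqlInject.lua;
        # The original listing had `<http://localhost:8001>`; the angle
        # brackets are a markup artifact and nginx refuses to start on an
        # invalid URL prefix.
        proxy_pass http://localhost:8001;
    }
}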
2. location层处理 RequestBody 入参
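-- rewrite_by_lua_file Your_conf_pos/checkSqlInject.lua;
--
-- Request-body keyword filter. Rejects the request with 403 when the body of
-- a POST/PUT/PATCH request contains one of the blocklisted tokens.
--
-- NOTE(review): this is a keyword denylist, not a WAF, and only a
-- defense-in-depth layer: the upstream application must still use
-- parameterized queries and output encoding. The body is matched raw, so
-- percent-encoded, multipart or compressed payloads are only caught when a
-- token appears literally; benign text containing "from", "class", "like"
-- etc. as a substring is rejected as well.

-- Methods whose body is inspected. The original only looked at POST, which
-- let PUT/PATCH bodies through untouched.
local METHODS_WITH_BODY = { POST = true, PUT = true, PATCH = true }

-- Same token list as before. The match is done with the "i" flag because the
-- original pattern was case-sensitive and let "SELECT" or "Drop" through.
local BLOCKLIST = "(union|insert|drop|truncate|update|from|grant|exec|where|select|chr|mid|like|iframe|script|alert|webscan|dbappsecurity|style|WAITFOR|confirm|innerhtml|innertext|class)"

-- Read the whole request body.
-- OpenResty keeps a body up to client_body_buffer_size in memory; anything
-- larger is spilled to a temp file and ngx.req.get_body_data() returns nil.
-- Without handling that case a large request would bypass the filter
-- entirely. Reading the temp file here is a blocking read, which is accepted
-- for bodies bounded by client_max_body_size.
-- Returns the body (nil when the request has none), or nil plus an error
-- message when a buffered body could not be read.
local function read_request_body()
    ngx.req.read_body()
    local body = ngx.req.get_body_data()
    if body ~= nil then
        return body
    end
    local path = ngx.req.get_body_file()
    if path == nil then
        return nil -- request carries no body
    end
    local fh, open_err = io.open(path, "rb")
    if not fh then
        return nil, "cannot open buffered request body " .. path .. ": " .. tostring(open_err)
    end
    local data = fh:read("*a")
    fh:close()
    return data
end

local method = ngx.req.get_method()
if METHODS_WITH_BODY[method] then
    local body, read_err = read_request_body()
    if read_err then
        -- Fail closed: a body we cannot inspect must not be forwarded.
        ngx.log(ngx.ERR, read_err)
        ngx.exit(ngx.HTTP_INTERNAL_SERVER_ERROR)
    end
    if body ~= nil and body ~= "" then
        -- "i": case-insensitive, "j": PCRE JIT, "o": compile the regex once
        -- per worker instead of on every request.
        local hit, re_err = ngx.re.match(body, BLOCKLIST, "ijo")
        if re_err then
            ngx.log(ngx.ERR, "body blocklist regex failed: ", re_err)
            ngx.exit(ngx.HTTP_INTERNAL_SERVER_ERROR)
        end
        if hit then
            -- Log only the matched token, never the whole body: request
            -- bodies carry credentials and PII that must not land in
            -- error.log.
            ngx.log(ngx.ERR, "request body rejected by blocklist: token=", hit[1],
                    " method=", method, " uri=", ngx.var.request_uri)
            ngx.exit(ngx.HTTP_FORBIDDEN)
        end
    end
end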
三、测试结果
1. 测试脚本
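#!/bin/sh
# Smoke tests for the OpenResty keyword filter listening on localhost:7777.
# Usage: sh curlX.sh [get_right|get_wrong|post_right|post_wrong]
# Each case prints either the upstream reply ("port: 8001, ...") or the
# 403 page produced by the filter.
export CURL_HOME=/usr/bin

# GET - query parameters that must pass the filter.
# (The original had a stray `exit 1` here, so the "right" case always
# returned a non-zero status even though the request succeeded.)
get_right(){
    "$CURL_HOME/curl" -X GET 'localhost:7777/provider/testRight?name=eric&age=23'
    # "$CURL_HOME/curl" -X GET 'www.baidu.com'
}

# GET - query parameters that must be rejected (403): "drop" is a
# blocklisted token.
get_wrong(){
    "$CURL_HOME/curl" -X GET 'localhost:7777/provider/testRight?name=eric&age=23%illegal=fdaas ; drop assd; fdsa'
}

# POST - JSON body that must pass the filter.
# The header parameter is "charset=utf-8"; the original "charset:utf-8" is
# not a valid media-type parameter.
post_right(){
    "$CURL_HOME/curl" -X POST -d '{"name":"eric","age":89}' -H 'content-type:application/json;charset=utf-8' 'localhost:7777/provider/testPostRight'
}

# POST - JSON body that must be rejected (403): "drop" is a blocklisted token.
post_wrong(){
    "$CURL_HOME/curl" -X POST -d '{"name":"eric","age":89,"illegal":"asdf; drop asdf; ert"}' -H 'content-type:application/json;charset=utf-8' 'localhost:7777/provider/testPostRight'
}

usage(){
    # printf instead of echo: echo's treatment of "\n" differs between shells.
    printf 'Usage:\n sh curlX.sh [get_right|get_wrong|post_right|post_wrong]\n'
    exit 1
}

# Dispatch on the first argument; anything else prints the usage and exits 1.
case "$1" in
    get_right)  get_right ;;
    get_wrong)  get_wrong ;;
    post_right) post_right ;;
    post_wrong) post_wrong ;;
    *)          usage ;;
esac
exit 0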
2. HTTP-GET-RIGHT
./curlX.sh get_right
port: 8001, this is test-provider, OK.
3. HTTP-GET-WRONG
./curlX.sh get_wrong
<html>
<head><title>403 Forbidden</title></head>
<body>
<center><h1>403 Forbidden</h1></center>
<hr><center>openresty/1.19.9.1</center>
</body>
</html>
4. HTTP-POST-RIGHT
./curlX.sh post_right
port: 8001, this is test-provider, OK.
5. HTTP-POST-WRONG
./curlX.sh post_wrong
<html>
<head><title>403 Forbidden</title></head>
<body>
<center><h1>403 Forbidden</h1></center>
<hr><center>openresty/1.19.9.1</center>
</body>
</html>
四、扩展:OpenResty-Lua执行节点
注意 Lua 脚本与 Nginx 原生指令的执行时机:server 层的 `if ... { return 403; }` 在 server rewrite 阶段执行,早于 location 匹配和 `rewrite_by_lua_file`,因此被它拒绝的请求根本不会进入 Lua 检查;而同一 location 内的 `rewrite`/`return` 等 ngx_http_rewrite_module 指令也先于 `rewrite_by_lua_file` 执行,若其中触发了 `return` 或 `rewrite ... last`,Lua 脚本就失去了执行机会。
这里附上一个OpenResty的文档和学习地址:https://moonbingbing.gitbooks.io/openresty-best-practices/content/index.html