Merge pull request #63 from deflect-ca/refactor/per-site-regex
Optimize per-site regex banner, support per-site allowlist in regex banner
jeremy5189 authored Sep 5, 2024
2 parents e77f08e + 7b65f27 commit 4115911
Showing 13 changed files with 290 additions and 98 deletions.
2 changes: 1 addition & 1 deletion README.md
Expand Up @@ -217,7 +217,7 @@ password_hashes: # for password_protected_paths
password_protected_paths: # for password_protected_paths
example.com:
- wp-admin
per_site_rate_limited_regexes: # fail2ban-like challenging/blocking (per-site)
per_site_regexes_with_rates: # fail2ban-like challenging/blocking (per-site)
example.com:
- decision: block
hits_per_interval: 10
14 changes: 8 additions & 6 deletions banjax-config.yaml
Expand Up @@ -50,7 +50,7 @@ per_site_decision_lists:
- 90.90.90.90
challenge:
- 91.91.91.91
per_site_rate_limited_regexes: {}
per_site_regexes_with_rates: {}
regexes_with_rates:
- decision: nginx_block
hits_per_interval: 800
Expand All @@ -75,11 +75,6 @@ regexes_with_rates:
interval: 1
regex: .*allowme.*
rule: "unblock backdoor"
- decision: nginx_block
hits_per_interval: 0
interval: 1
regex: .*blockme.*
rule: "instant block"
- decision: challenge
hits_per_interval: 0
interval: 1
Expand All @@ -90,6 +85,13 @@ regexes_with_rates:
interval: 1
regex: ".*banme.*"
rule: "instant ban"
per_site_regexes_with_rates:
localhost:
- decision: nginx_block
hits_per_interval: 0
interval: 1
regex: .*blockme.*
rule: "instant block"
sitewide_sha_inv_list:
example.com: block
foobar.com: no_block
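Review bot: The new per-site block keys its `.*blockme.*` rule on `localhost`, while the test fixture in this same commit keys the equivalent entry on `"localhost:8081"`; whether the site lookup includes the port is not visible from the config, and the README entry this commit renames does not say either, so a rule keyed in the wrong form would silently never fire. A comment on the new block such as `# keyed by the site name banjax resolves for the request (confirm whether the port is part of it)` would save operators that mismatch. Since this change also removes the global instant-block rule and re-adds it only for `localhost`, the example now demonstrates the per-site path only; noting that the global list still accepts the same rule shape would keep the example complete.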
11 changes: 11 additions & 0 deletions banjax.go
Expand Up @@ -100,6 +100,17 @@ func load_config(config *internal.Config, standaloneTestingPtr *bool, configFile
config.RegexesWithRates[i].CompiledRegex = *re
}

for site, p_regex := range config.PerSiteRegexWithRates {
log.Printf("PerSiteRegexWithRates: %s\n", site)
for i, _ := range p_regex {
re, err := regexp.Compile(config.PerSiteRegexWithRates[site][i].Regex)
if err != nil {
panic("bad regex")
}
config.PerSiteRegexWithRates[site][i].CompiledRegex = *re
}
}

if config.Debug {
for site, failAction := range config.SitewideShaInvList {
log.Printf("load_config: sitewide site: %s, failAction: %s\n", site, failAction)
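Review bot: The `panic("bad regex")` in the new per-site loop drops both the site key and the compile error, so with several sites an operator cannot tell which pattern failed; `log` is already in use one line above, so `log.Panicf("load_config: per-site regex %q for site %q: %v", config.PerSiteRegexWithRates[site][i].Regex, site, err)` keeps the panic but makes it actionable. If load_config also runs on config reload rather than only at startup, one mistyped per-site pattern would crash the running service instead of rejecting the new config — worth confirming against the caller, which is outside the hunk. Two style nits: `for i, _ := range p_regex` is what gofmt -s and vet rewrite to `for i := range p_regex`, and `p_regex` should be MixedCaps (`perSite`). load_config's body continues outside the hunk.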
22 changes: 22 additions & 0 deletions banjax_integration_test.go
Expand Up @@ -372,3 +372,25 @@ func TestRegexesWithRates(t *testing.T) {
{"GET", prefix + "/45in60-whitelist", 200, ClientIP("12.12.12.12"), nil},
})
}

func TestRegexesWithRatesAllowList(t *testing.T) {
defer reloadConfig(fixtureConfigTest, 1)

prefix := "/auth_request?path="

// test per-site allow list for regex banner
httpTester(t, []TestResource{
// should be exempted from regex banner
{"GET", prefix + "/block_local", 200, ClientIP("171.171.171.171"), nil},
{"GET", prefix + "/block_local", 200, ClientIP("171.171.171.171"), nil},
{"GET", prefix + "/block_local", 200, ClientIP("171.171.171.171"), nil},
})

// test global allow list for regex banner
httpTester(t, []TestResource{
// should be exempted from regex banner
{"GET", prefix + "/blockme/", 200, ClientIP("20.20.20.20"), nil},
{"GET", prefix + "/blockme/", 200, ClientIP("20.20.20.20"), nil},
{"GET", prefix + "/blockme/", 200, ClientIP("20.20.20.20"), nil},
})
}
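Review bot: TestRegexesWithRatesAllowList has no negative control: every request asserts 200 for an allowlisted client, so the test also passes if the `.*block_local` per-site regex were never loaded or never matched. One request from a client outside 171.171.171.0/24 to `/block_local` (constructed example: `{"GET", prefix + "/block_local", <blocked status>, ClientIP("172.172.172.172"), nil}`, using whatever status the existing TestRegexesWithRates expects for nginx_block) would pin that the allowlist is what exempts the request rather than the regex being inert; the same applies to the global-allowlist block with 20.20.20.20 and `/blockme/`. A short comment naming the fixture entries each sub-case depends on (the per-site allow CIDR and `.*block_local` rule under "localhost:8081", and the global allow entry for 20.20.20.20, which is not visible here) would also help, since `fixtureConfigTest` in the deferred reload is the only link to them.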
2 changes: 1 addition & 1 deletion fixtures/banjax-config-test-persite-fail.yaml
Expand Up @@ -38,7 +38,7 @@ per_site_decision_lists:
allow:
- 92.92.92.92
- 192.168.1.0/24
per_site_rate_limited_regexes: {}
per_site_regexes_with_rates: {}
regexes_with_rates:
- decision: allow
hits_per_interval: 0
2 changes: 1 addition & 1 deletion fixtures/banjax-config-test-regex-banner.yaml
Expand Up @@ -59,7 +59,7 @@ per_site_decision_lists:
- 91.91.91.91
nginx_block:
- 92.92.92.92
per_site_rate_limited_regexes: {}
per_site_regexes_with_rates: {}
regexes_with_rates:
- decision: allow
hits_per_interval: 0
2 changes: 1 addition & 1 deletion fixtures/banjax-config-test-reload-cidr.yaml
Expand Up @@ -61,7 +61,7 @@ per_site_decision_lists:
nginx_block:
- 92.92.92.92
- 192.168.3.0/24
per_site_rate_limited_regexes: {}
per_site_regexes_with_rates: {}
regexes_with_rates:
- decision: allow
hits_per_interval: 0
2 changes: 1 addition & 1 deletion fixtures/banjax-config-test-reload.yaml
Expand Up @@ -45,7 +45,7 @@ per_site_decision_lists:
challenge: [] # test remove
nginx_block:
- 92.92.92.92
per_site_rate_limited_regexes: {}
per_site_regexes_with_rates: {}
regexes_with_rates:
- decision: allow
hits_per_interval: 0
2 changes: 1 addition & 1 deletion fixtures/banjax-config-test-sha-inv.yaml
Expand Up @@ -45,7 +45,7 @@ per_site_decision_lists:
challenge: [] # test remove
nginx_block:
- 92.92.92.92
per_site_rate_limited_regexes: {}
per_site_regexes_with_rates: {}
regexes_with_rates:
- decision: allow
hits_per_interval: 0
9 changes: 8 additions & 1 deletion fixtures/banjax-config-test.yaml
Expand Up @@ -56,12 +56,19 @@ per_site_decision_lists:
"localhost:8081":
allow:
- 90.90.90.90
- 171.171.171.0/24
challenge:
- 91.91.91.91
- 192.168.0.0/24
nginx_block:
- 92.92.92.92
per_site_rate_limited_regexes: {}
per_site_regexes_with_rates:
"localhost:8081":
- decision: nginx_block
hits_per_interval: 0
interval: 1
regex: .*block_local
rule: "instant block_local"
regexes_with_rates:
- decision: allow
hits_per_interval: 0
1 change: 1 addition & 0 deletions internal/config.go
Expand Up @@ -22,6 +22,7 @@ import (

type Config struct {
RegexesWithRates []RegexWithRate `yaml:"regexes_with_rates"`
PerSiteRegexWithRates map[string][]RegexWithRate `yaml:"per_site_regexes_with_rates"`
ServerLogFile string `yaml:"server_log_file"`
BanningLogFile string `yaml:"banning_log_file"`
IptablesBanSeconds int `yaml:"iptables_ban_seconds"`
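Review bot: The new field is named `PerSiteRegexWithRates` while its sibling is `RegexesWithRates` and its own yaml tag is `per_site_regexes_with_rates`; the singular/plural mismatch is easy to mistype at call sites, and `PerSiteRegexesWithRates` would keep field, tag and the global list in step — a rename would need the uses in banjax.go updated in the same change. The exported field also lacks a doc comment; something like `// PerSiteRegexWithRates holds regex rules applied only to the named site, keyed by site name (confirm whether the key includes the port).` states what the hunk shows and flags what it does not. The Config struct continues outside the hunk.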