diff --git a/src/bw/Dockerfile b/src/bw/Dockerfile
index 172521e43..5491f4114 100644
--- a/src/bw/Dockerfile
+++ b/src/bw/Dockerfile
@@ -18,6 +18,7 @@ RUN apk add --no-cache --virtual .build-deps py3-pip && \
 pip install --no-cache-dir --upgrade pip && \
 pip install wheel && \
 mkdir -p /usr/share/bunkerweb/deps/python && \
+ export MAKEFLAGS="-j$(nproc)" && \
 pip install --no-cache-dir --require-hashes --target /usr/share/bunkerweb/deps/python -r /usr/share/bunkerweb/deps/requirements.txt && \
 apk del .build-deps
diff --git a/src/bw/lua/bunkerweb/api.lua b/src/bw/lua/bunkerweb/api.lua
index 297053943..275b13763 100644
--- a/src/bw/lua/bunkerweb/api.lua
+++ b/src/bw/lua/bunkerweb/api.lua
@@ -141,12 +141,12 @@ api.global.GET["^/bans$"] = function(self)
 return self:response(ngx.HTTP_INTERNAL_SERVER_ERROR, "error",
 "can't access " .. k .. " from datastore : " + reason)
 end
- local ttl, err = self.datastore:ttl(k)
- if not ttl then
+ local ok, ttl = self.datastore:ttl(k)
+ if not ok then
 return self:response(ngx.HTTP_INTERNAL_SERVER_ERROR, "error",
- "can't access ttl " .. k .. " from datastore : " .. err)
+ "can't access ttl " .. k .. " from datastore : " .. ttl)
 end
- local ban = { ip = k:sub(9, #k), reason = reason, exp = ttl }
+ local ban = { ip = k:sub(9, #k), reason = reason, exp = math.floor(ttl) }
 table.insert(data, ban)
 end
 end
diff --git a/src/bw/lua/bunkerweb/utils.lua b/src/bw/lua/bunkerweb/utils.lua
index 049bb386b..ffaaa1ae2 100644
--- a/src/bw/lua/bunkerweb/utils.lua
+++ b/src/bw/lua/bunkerweb/utils.lua
@@ -383,7 +383,7 @@ utils.get_ips = function(fqdn)
 local ips = {}
 for i, answer in ipairs(answers) do
 if answer.address then
- table.insert(ips, answer.addres)
+ table.insert(ips, answer.address)
 end
 end
 return ips, "success"
diff --git a/src/common/cli/CLI.py b/src/common/cli/CLI.py
index 823049dc9..ba495ba11 100644
--- a/src/common/cli/CLI.py
+++ b/src/common/cli/CLI.py
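Review bot: In src/bw/lua/bunkerweb/api.lua, the unchanged error path just above the edited ttl call still builds its message with `" from datastore : " + reason`. `+` is arithmetic in Lua and its left operand here is a non-numeric string literal, so this line raises whenever it is reached instead of returning the 500 response. It should concatenate like the ttl branch below it: `"can't access " .. k .. " from datastore : " .. reason)`. The `^/bans$` handler starts and ends outside the hunk, so how `reason` is obtained is not visible here.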
@@ -26,7 +26,7 @@ def format_remaining_time(seconds):
 if minutes > 0:
 time_parts.append(f"{int(minutes)} minute{'' if minutes == 1 else 's'}")
 if seconds > 0:
- time_parts.append(f"{seconds:.2f} second{'' if seconds == 1 else 's'}")
+ time_parts.append(f"{seconds} second{'' if seconds == 1 else 's'}")
 if len(time_parts) > 1:
 time_parts[-1] = f"and {time_parts[-1]}"
diff --git a/src/common/core/blacklist/blacklist.lua b/src/common/core/blacklist/blacklist.lua
index f23ffd5cb..ddb8c97a2 100644
--- a/src/common/core/blacklist/blacklist.lua
+++ b/src/common/core/blacklist/blacklist.lua
@@ -22,6 +22,7 @@ function blacklist:initialize()
 local lists, err = self.datastore:get("plugin_blacklist_lists")
 if not lists then
 self.logger:log(ngx.ERR, err)
+ self.lists = {}
 else
 self.lists = cjson.decode(lists)
 end
@@ -39,6 +40,9 @@ function blacklist:initialize()
 }
 for kind, _ in pairs(kinds) do
 for data in self.variables["BLACKLIST_" .. kind]:gmatch("%S+") do
+ if not self.lists[kind] then
+ self.lists[kind] = {}
+ end
 table.insert(self.lists[kind], data)
 end
 end
@@ -116,7 +120,7 @@ function blacklist:access()
 elseif cached and cached ~= "ok" then
 return self:ret(true, k .. " is in cached blacklist (info : " .. cached .. ")", utils.get_deny_status())
 end
- if cached then
+ if ok and cached then
 already_cached[k] = true
 end
 end
diff --git a/src/common/core/dnsbl/dnsbl.lua b/src/common/core/dnsbl/dnsbl.lua
index da060971e..7198547ef 100644
--- a/src/common/core/dnsbl/dnsbl.lua
+++ b/src/common/core/dnsbl/dnsbl.lua
@@ -27,6 +27,10 @@ function dnsbl:access()
 if self.variables["DNSBL_LIST"] == "" then
 return self:ret(true, "dnsbl list is empty")
 end
+ -- Don't go further if IP is not global
+ if not ngx.ctx.bw.ip_is_global then
+ return self:ret(true, "client IP is not global, skipping DNSBL check")
+ end
 -- Check if IP is in cache
 local ok, cached = self:is_in_cache(ngx.ctx.bw.remote_addr)
 if not ok then
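Review bot: In format_remaining_time (src/common/cli/CLI.py) the seconds part now prints the raw value, while the minutes line just above it prints `int(minutes)`. If any caller still passes a float, the message shows the full float repr. Formatting both the same way keeps the output stable regardless of the input type, for example `time_parts.append(f"{int(seconds)} second{'' if int(seconds) == 1 else 's'}")`. The function body begins outside the hunk, so the type of `seconds` at this point is an assumption.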
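Review bot: In blacklist:initialize the new `self.lists = {}` fallback means a failed datastore read leaves the blacklist with only the entries appended from the BLACKLIST_* variables, and the only trace is the bare `err` logged on the line above. I would make that log line say what happened and which plugin is affected, e.g. `self.logger:log(ngx.ERR, "can't get blacklist lists from datastore, using empty lists : " .. tostring(err))`. The same fallback is added in greylist:initialize and whitelist:initialize. For the greylist, whose default result in this commit is the deny return, empty lists appear to deny rather than allow, so a one-line comment on each stating the intended failure behaviour would help operators.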
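Review bot: The `if not self.lists[kind] then` guard in blacklist:initialize sits inside the inner `for data in ...:gmatch("%S+")` loop, so it is re-evaluated for every token although it only needs to run once per kind. Placing `self.lists[kind] = self.lists[kind] or {}` directly after `for kind, _ in pairs(kinds) do` is shorter and also leaves a table in place for kinds whose variable is empty, which any later code indexing `self.lists[kind]` would presumably expect. The identical guard is added in greylist:initialize and whitelist:initialize.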
@@ -37,14 +41,6 @@ function dnsbl:access()
 end
 return self:ret(true, "client IP " .. ngx.ctx.bw.remote_addr .. " is in DNSBL cache (server = " .. cached .. ")", utils.get_deny_status())
 end
- -- Don't go further if IP is not global
- if not ngx.ctx.bw.ip_is_global then
- local ok, err = self:add_to_cache(ngx.ctx.bw.remote_addr, "ok")
- if not ok then
- return self:ret(false, "error while adding element to cache : " .. err)
- end
- return self:ret(true, "client IP is not global, skipping DNSBL check")
- end
 -- Loop on DNSBL list
 for server in self.variables["DNSBL_LIST"]:gmatch("%S+") do
 local result, err = self:is_in_dnsbl(ngx.ctx.bw.remote_addr, server)
@@ -52,7 +48,7 @@ function dnsbl:access()
 self.logger:log(ngx.ERR, "error while sending DNS request to " .. server .. " : " .. err)
 end
 if result then
- local ok, err self:add_to_cache(ngx.ctx.bw.remote_addr, server)
+ local ok, err = self:add_to_cache(ngx.ctx.bw.remote_addr, server)
 if not ok then
 return self:ret(false, "error while adding element to cache : " .. err)
 end
@@ -72,7 +68,7 @@ function dnsbl:preread()
 end
 function dnsbl:is_in_cache(ip)
- local ok, data = self.cachestore:get("plugin_dnsbl_" .. ip)
+ local ok, data = self.cachestore:get("plugin_dnsbl_" .. ngx.ctx.bw.server_name .. ip)
 if not ok then
 return false, data
 end
@@ -80,7 +76,7 @@ function dnsbl:is_in_cache(ip)
 end
 function dnsbl:add_to_cache(ip, value)
- local ok, err = self.cachestore:set("plugin_dnsbl_" .. ip, value, 86400)
+ local ok, err = self.cachestore:set("plugin_dnsbl_" .. ngx.ctx.bw.server_name .. ip, value, 86400)
 if not ok then
 return false, err
 end
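Review bot: In dnsbl:access, once `result` is true the client is already known to be listed, yet a failed `add_to_cache` returns `self:ret(false, ...)` before the code after the inner `end` is reached. If that following code is the deny return (it lies outside this hunk), a cachestore error turns a DNSBL hit into an error result instead of a block. Keeping the decision independent of the cache write avoids that: replace the `return` with `self.logger:log(ngx.ERR, "error while adding element to cache : " .. err)` and let execution continue.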
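Review bot: The cache key in dnsbl:is_in_cache is built as `"plugin_dnsbl_" .. ngx.ctx.bw.server_name .. ip` with nothing between the server name and the address, so two different (server name, IP) pairs can map to the same key when a server name ends in digits. A separator that cannot occur in either part removes the ambiguity, for example `"plugin_dnsbl_" .. ngx.ctx.bw.server_name .. "/" .. ip`. The same expression is repeated in dnsbl:add_to_cache in the next hunk; building the key in one local helper would keep the read and write sides in step. Both functions continue outside their hunks.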
@@ -88,14 +84,13 @@ function dnsbl:add_to_cache(ip, value)
 end
 function dnsbl:is_in_dnsbl(ip, server)
- local request = resolver.arpa_str(ip) .. "." .. server
+ local request = resolver.arpa_str(ip):gsub("%.in%-addr%.arpa", ""):gsub("%.ip6%.arpa", "") .. "." .. server
 local ips, err = utils.get_ips(request)
 if not ips then
 return nil, err
 end
 for i, ip in ipairs(ips) do
- local a, b, c, d = ip:match("([%d]+).([%d]+).([%d]+).([%d]+)")
- if a == "127" then
+ if ip:find("^127%.0%.0%.") then
 return true, "success"
 end
 end
diff --git a/src/common/core/greylist/greylist.lua b/src/common/core/greylist/greylist.lua
index d24cd00c6..65bafc5e1 100644
--- a/src/common/core/greylist/greylist.lua
+++ b/src/common/core/greylist/greylist.lua
@@ -21,6 +21,7 @@ function greylist:initialize()
 local lists, err = self.datastore:get("plugin_greylist_lists")
 if not lists then
 self.logger:log(ngx.ERR, err)
+ self.lists = {}
 else
 self.lists = cjson.decode(lists)
 end
@@ -33,6 +34,9 @@ function greylist:initialize()
 }
 for kind, _ in pairs(kinds) do
 for data in self.variables["GREYLIST_" .. kind]:gmatch("%S+") do
+ if not self.lists[kind] then
+ self.lists[kind] = {}
+ end
 table.insert(self.lists[kind], data)
 end
 end
@@ -98,13 +102,13 @@ function greylist:access()
 ["UA"] = false
 }
 for k, v in pairs(checks) do
- local cached, err = self:is_in_cache(v)
- if not cached and err ~= "success" then
- self.logger:log(ngx.ERR, "error while checking cache : " .. err)
- elseif cached and cached ~= "ok" then
- return self:ret(true, k .. " is in cached greylist", utils.get_deny_status())
+ local ok, cached = self:is_in_cache(v)
+ if not ok then
+ self.logger:log(ngx.ERR, "error while checking cache : " .. cached)
+ elseif cached and cached ~= "ko" then
+ return self:ret(true, k .. " is in cached greylist (info : " .. cached .. ")")
 end
- if cached then
+ if ok and cached then
 already_cached[k] = true
 end
 end
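Review bot: The narrowed match `ip:find("^127%.0%.0%.")` in dnsbl:is_in_dnsbl has no comment saying why only 127.0.0.x answers count as a listing, which is the security-relevant part of this change, since the removed code accepted any answer in 127/8. I would add `-- only 127.0.0.x answers mean "listed"; other 127/8 answers are treated as not listed` above it and confirm this matches the return codes of every server expected in DNSBL_LIST. Separately, the loop variable `ip` shadows the `ip` parameter and `i` is unused; `for _, answer in ipairs(ips) do` reads more clearly. The two `gsub` suffix patterns could also end in `$` so they can only strip the trailing label.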
@@ -115,23 +119,23 @@ function greylist:access()
 -- Perform checks
 for k, v in pairs(checks) do
 if not already_cached[k] then
- local greylisted, err = self:is_greylisted(k)
- if greylisted == nil then
- self.logger:log(ngx.ERR, "error while checking if " .. k .. " is greylisted : " .. err)
+ local ok, greylisted = self:is_greylisted(k)
+ if ok == nil then
+ self.logger:log(ngx.ERR, "error while checking if " .. k .. " is greylisted : " .. greylisted)
 else
- local ok, err = self:add_to_cache(self:kind_to_ele(k), greylisted or "ok")
+ local ok, err = self:add_to_cache(self:kind_to_ele(k), greylisted)
 if not ok then
 self.logger:log(ngx.ERR, "error while adding element to cache : " .. err)
 end
- if greylisted == "ko" then
- return self:ret(true, k .. " is not in greylist", utils.get_deny_status())
+ if greylisted ~= "ko" then
+ return self:ret(true, k .. " is in greylist")
 end
 end
 end
 end
 -- Return
- return self:ret(true, "greylisted")
+ return self:ret(true, "not in greylist", utils.get_deny_status())
 end
 function greylist:preread()
diff --git a/src/common/core/realip/jobs/realip-download.py b/src/common/core/realip/jobs/realip-download.py
index 7843d7fb0..a681959c8 100755
--- a/src/common/core/realip/jobs/realip-download.py
+++ b/src/common/core/realip/jobs/realip-download.py
@@ -119,7 +119,7 @@ try:
 # Put file in cache
 cached, err = cache_file(
- "/var/tmp/bunkerweb/realip-combined.list",
+ "/var/tmp/bunkerweb/realip/combined.list",
 "/var/cache/bunkerweb/realip/combined.list",
 new_hash,
 db,
diff --git a/src/common/core/whitelist/whitelist.lua b/src/common/core/whitelist/whitelist.lua
index e9e1e8a4b..70742af80 100644
--- a/src/common/core/whitelist/whitelist.lua
+++ b/src/common/core/whitelist/whitelist.lua
@@ -23,6 +23,7 @@ function whitelist:initialize()
 local lists, err = self.datastore:get("plugin_whitelist_lists")
 if not lists then
 self.logger:log(ngx.ERR, err)
+ self.lists = {}
 else
 self.lists = cjson.decode(lists)
 end
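Review bot: In greylist:access the error test after `self:is_greylisted(k)` is `if ok == nil then`, whereas the cache loop earlier in the same function tests `if not ok then`. If is_greylisted (not shown on this page) ever reports failure as `false, err`, control falls into the `else` branch, the error text is written to the cache, and because it is not `"ko"` the request is returned as "is in greylist" without the deny status. Using `if not ok then` here closes that path and matches the other checks. The inner `local ok, err = self:add_to_cache(...)` also shadows the outer `ok`; a distinct name such as `cache_ok` would make the two results easier to tell apart.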
@@ -35,6 +36,9 @@ function whitelist:initialize()
 }
 for kind, _ in pairs(kinds) do
 for data in self.variables["WHITELIST_" .. kind]:gmatch("%S+") do
+ if not self.lists[kind] then
+ self.lists[kind] = {}
+ end
 table.insert(self.lists[kind], data)
 end
 end
@@ -166,7 +170,7 @@ function whitelist:check_cache()
 checks["URI"] = "uri" .. ngx.ctx.bw.uri
 end
 local already_cached = {}
- for i, k in ipairs(checks) do
+ for k, v in pairs(checks) do
 already_cached[k] = false
 end
 for k, v in pairs(checks) do
@@ -176,7 +180,7 @@ function whitelist:check_cache()
 elseif cached and cached ~= "ok" then
 return true, k .. " is in cached whitelist (info : " .. cached .. ")"
 end
- if cached then
+ if ok and cached then
 already_cached[k] = true
 end
 end