bw - add missing condition for antibot modsec rule and init work on blocking bad SNI requests

2026-05-24 09:28:37 +00:00 · 2024-02-26 18:43:17 +01:00 · 2024-02-26 18:43:17 +01:00 · f2d5273f68
commit f2d5273f68
parent 8c88a8967b
2 changed files with 55 additions and 1 deletions
--- a/src/common/core/antibot/confs/modsec-crs/antibot.conf
+++ b/src/common/core/antibot/confs/modsec-crs/antibot.conf
@ -1 +1,3 @@
-SecRule REQUEST_FILENAME "@rx ^{{ ANTIBOT_URI }}$" "nolog,phase:4,allow,id:1010"
+{% if USE_ANTIBOT != "no" +%}
+SecRule REQUEST_FILENAME "@rx ^{{ ANTIBOT_URI }}$" "nolog,phase:4,allow,id:1010"
+{% endif %}
--- a/src/common/core/misc/confs/default-server-http/disable.conf
+++ b/src/common/core/misc/confs/default-server-http/disable.conf
@ -4,4 +4,56 @@ location / {
 	set $reason_data "";
 	return {{ DENY_HTTP_STATUS }};
 }
+ssl_client_hello_by_lua_block {
+	local ssl_clt = require "ngx.ssl.clienthello"
+	local utils = require "bunkerweb.utils"
+	local clogger = require "bunkerweb.logger"
+	local cdatastore = require "bunkerweb.datastore"
+	local logger = clogger:new("SSL-DISABLE")
+	local datastore = cdatastore:new()
+	local ngx = ngx
+	local exit = ngx.exit
+	local ERROR = ngx.ERROR
+	local WARN = ngx.WARN
+	local ERR = ngx.ERR
+	local get_variable = utils.get_variable
+	local host, err = ssl_clt.get_client_hello_server_name()
+	if not host then
+		logger:log(WARN, "can't get SNI host, denying access : " .. (err or "no SNI"))
+		return exit(ERROR)
+	end
+	local multisite, err = get_variable("MULTISITE", false)
+	if not multisite then
+		logger:log(ERR, "can't get MULTISITE variable : " .. err)
+		return
+	end
+	if multisite == "no" then
+		local domains, err = get_variable("SERVER_NAME", false)
+		if not domains then
+			logger:log(ERR, "can't get SERVER_NAME variable : " .. err)
+			return
+		end
+		for domain in domains:gmatch("%S+") do
+			if host == domain then
+				return
+			end
+		end
+	else
+		local variables, err = datastore:get("variables", true)
+		if not variables then
+			logger:log(ERR, "can't get variables : " .. err)
+			return
+		end
+		for server_name, server_vars in pairs(variables) do
+			local domains = server_vars["SERVER_NAME"]
+			for domain in domains:gmatch("%S+") do
+				if host == domain then
+					return
+				end
+			end
+		end
+	end
+	logger:log(WARN, "unknown SNI host " .. host .. ", denying access")
+	exit(ERROR)
+}
 {% endif %}