bukaleyang / zhongkui-waf

WAF based on lua-nginx-module.
Apache License 2.0

init_by_lua_file error: /home/work/nginx/lualib/resty/redis.lua:238: bad argument #1 to 'rawget' (table expected, got string) #11

Closed topicgit closed 1 year ago

topicgit commented 1 year ago

I'm on OpenResty 1.11.2.5 and get this error on load. How should I troubleshoot it? Thanks.

$ /home/work/nginx/sbin/nginx -t
nginx: the configuration file /home/work/nginx/conf/nginx.conf syntax is ok
nginx: [error] init_by_lua_file error: /home/work/nginx/lualib/resty/redis.lua:238: bad argument #1 to 'rawget' (table expected, got string)
stack traceback:
    [C]: in function 'rawget'
    /home/work/nginx/lualib/resty/redis.lua:238: in function 'register_module_prefix'
    /home/work/www/run/zhongkui-waf/lib/redisCli.lua:4: in main chunk
    [C]: in function 'require'
    /home/work/www/run/zhongkui-waf/lib/lib.lua:2: in main chunk
    [C]: in function 'require'
    /home/work/www/run/zhongkui-waf/init.lua:2: in main chunk
nginx: configuration file /home/work/nginx/conf/nginx.conf test failed

My OpenResty build parameters:

configure arguments: --prefix=/home/work/nginx/nginx --with-cc-opt='-O2 -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fPIC' --add-module=../ngx_devel_kit-0.3.0 --add-module=../echo-nginx-module-0.61 --add-module=../xss-nginx-module-0.05 --add-module=../ngx_coolkit-0.2rc3 --add-module=../set-misc-nginx-module-0.31 --add-module=../form-input-nginx-module-0.12 --add-module=../encrypted-session-nginx-module-0.06 --add-module=../srcache-nginx-module-0.31 --add-module=../ngx_lua-0.10.10 --add-module=../ngx_lua_upstream-0.07 --add-module=../headers-more-nginx-module-0.32 --add-module=../array-var-nginx-module-0.05 --add-module=../memc-nginx-module-0.18 --add-module=../redis2-nginx-module-0.14 --add-module=../redis-nginx-module-0.3.7 --add-module=../rds-json-nginx-module-0.14 --add-module=../rds-csv-nginx-module-0.07 --with-ld-opt='-Wl,-rpath,/home/work/nginx/luajit/lib -Wl,-Bsymbolic-functions -Wl,-z,relro -Wl,-z,now -Wl,--as-needed -pie' --sbin-path=/home/work/nginx/sbin/nginx --conf-path=/home/work/nginx/conf/nginx.conf --pid-path=/home/work/nginx/var/nginx.pid --lock-path=/home/work/nginx/var/nginx.lock --error-log-path=/home/work/logs/nginx/error.log --http-log-path=/home/work/logs/nginx/access.log --http-client-body-temp-path=/home/work/nginx/var/client_temp --http-proxy-temp-path=/home/work/nginx/var/proxy_temp --http-fastcgi-temp-path=/home/work/nginx/var/fastcgi_temp --http-uwsgi-temp-path=/home/work/nginx/var/uwsgi_temp --http-scgi-temp-path=/home/work/nginx/var/scgi_temp --user=work --group=work --with-file-aio --with-threads --with-ipv6 --with-http_realip_module --with-http_auth_request_module --with-http_dav_module --with-http_flv_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_mp4_module --with-http_random_index_module --with-http_realip_module --with-http_secure_link_module --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module 
--with-http_sub_module --with-http_v2_module --with-mail --with-mail_ssl_module --with-stream --with-stream_ssl_module --with-http_image_filter_module --add-module=/home/work/soft/ngx_cache_purge-2.3

bukaleyang commented 1 year ago

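It looks like a problem with the redis configuration. You can first set redis to "off" and then reload to see. Then check whether the redis configuration has any problems and whether redis can be reached normally.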

topicgit commented 1 year ago

> It looks like a problem with the redis configuration. You can first set redis to "off" and then reload to see. Then check whether the redis configuration has any problems and whether redis can be reached normally.

@bukaleyang redis is reachable. I set redis to off in config.lua and get the same error.

[root@51dd47a7726c:/home/work/www/run/zhongkui-waf] $ redis-cli
127.0.0.1:6379> ping
PONG
127.0.0.1:6379>
[root@51dd47a7726c:/home/work/www/run/zhongkui-waf] $ /home/work/nginx/sbin/nginx
nginx: [error] init_by_lua_file error: /home/work/nginx/lualib/resty/redis.lua:238: bad argument #1 to 'rawget' (table expected, got string)
stack traceback:
    [C]: in function 'rawget'
    /home/work/nginx/lualib/resty/redis.lua:238: in function 'register_module_prefix'
    /home/work/www/run/zhongkui-waf/lib/redisCli.lua:4: in main chunk
    [C]: in function 'require'
    /home/work/www/run/zhongkui-waf/lib/lib.lua:2: in main chunk
    [C]: in function 'require'
    /home/work/www/run/zhongkui-waf/init.lua:2: in main chunk

The code at /home/work/nginx/lualib/resty/redis.lua:238 looks like this; I don't know what is causing it.

235 local function _do_cmd(self, ...)
236     local args = {...}
237
238     local sock = rawget(self, "_sock")
239     if not sock then
240         return nil, "not initialized"
241     end
242
243     local req = _gen_req(args)
244
245     local reqs = rawget(self, "_reqs")
246     if reqs then
247         reqs[#reqs + 1] = req
248         return
249     end
250
251     -- print("request: ", table.concat(req))
252
253     local bytes, err = sock:send(req)
254     if not bytes then
255         return nil, err
256     end
257
258     return _read_reply(self, sock)
259 end

bukaleyang commented 1 year ago


What is your Redis version? Is it too old? You could upgrade Redis, or comment out line 4 in redisCli.lua and see.

--redis.register_module_prefix("bf")
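Why line 4 of redisCli.lua can end up inside `_do_cmd`, as an added example that is not code from zhongkui-waf or lua-resty-redis: it assumes the bundled resty.redis predates `register_module_prefix` and, as lua-resty-redis does, lazily turns unknown field names into Redis command methods through `__index`. The stand-in modules and the `register_prefix` guard are hypothetical names.

```lua
-- Added example; old/new modules below are constructed stand-ins, not resty.redis.

-- Reduced form of the _do_cmd pasted in the issue (redis.lua:235-259).
local function _do_cmd(self, ...)
    local sock = rawget(self, "_sock")  -- raises when self is not a table
    if not sock then
        return nil, "not initialized"
    end
    return true
end

-- Assumption: as in lua-resty-redis, any unknown field is lazily turned into
-- a Redis command method by __index and then cached in the module table.
local function make_old_redis()
    local M = {}
    return setmetatable(M, {__index = function(_, cmd)
        local method = function(self, ...)
            return _do_cmd(self, cmd, ...)
        end
        M[cmd] = method
        return method
    end})
end

-- Stand-in for a release that really defines register_module_prefix.
local function make_new_redis()
    local M = make_old_redis()
    M.register_module_prefix = function(prefix) return prefix end
    return M
end

-- Hypothetical guard: rawget bypasses __index, so it only finds a function
-- the library actually defines. It must run before anything else touches the
-- field, because the first indexed access caches a generated method.
local function register_prefix(redis, prefix)
    local fn = rawget(redis, "register_module_prefix")
    if type(fn) ~= "function" then
        return nil, "resty.redis has no register_module_prefix; upgrade it"
    end
    fn(prefix)
    return true
end

-- Unguarded call on the old module: "bf" arrives in _do_cmd as self.
local ok, err = pcall(function()
    return make_old_redis().register_module_prefix("bf")
end)
print("unguarded, old module:", ok, err)

-- Guarded calls on fresh modules.
print("guarded, old module:", register_prefix(make_old_redis(), "bf"))
print("guarded, new module:", register_prefix(make_new_redis(), "bf"))
```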

topicgit commented 1 year ago

[root@51dd47a7726c:/home/work/www/run/zhongkui-waf] $ /home/work/nginx/sbin/nginx
nginx: [error] init_by_lua_file error: /home/work/www/run/zhongkui-waf/lib/redisCli.lua:21: no request object found
stack traceback:
    [C]: in function 'ngxmatch'
    /home/work/www/run/zhongkui-waf/lib/redisCli.lua:21: in main chunk
    [C]: in function 'require'
    /home/work/www/run/zhongkui-waf/lib/lib.lua:2: in main chunk
    [C]: in function 'require'
    /home/work/www/run/zhongkui-waf/init.lua:2: in main chunk

$ redis-server -v
Redis server v=3.2.12 sha=00000000:0 malloc=jemalloc-3.6.0 bits=64 build=7897e7d0e13773f

Still getting an error.


bukaleyang commented 1 year ago

Please post your configuration files: the second half of config.lua, that is, the redis part, and the firewall-related part of the nginx configuration.

topicgit commented 1 year ago

############################################################

config.lua

[root@51dd47a7726c:/home/work/www/run/zhongkui-waf] $ cat config.lua
local _M = {}

local config = {
    -- Turn the waf on or off
    waf = "on",
    -- Specify the working mode of this waf,The following option characters are supported:
    -- monitor: Record attack logs but do not intercept attack requests
    -- protection: Intercept attack requests and record attack logs
    mode = "protection",

    -- Enable automatic rule sorting; when on, rules are sorted in descending order of hit count, which can improve interception efficiency
    rules_sort = "off",
    -- Interval in seconds between rule sorts
    rules_sort_period = 60,

    -- Attack log
    attackLog = "on",
    -- Output the attack log in JSON format
    attackLog_json_format = "off",
    -- WAF log file path
    logPath = "/usr/local/openresty/nginx/logs/hack/",
    -- Rule file path
    rulePath = "/usr/local/openresty/zhongkui-waf/rules/",

    -- Enable IP geolocation
    geoip = "off",
    -- GeoIP data file path
    geoip_db_file = "/usr/local/share/GeoIP/GeoLite2-City.mmdb",
    -- Countries whose IPs may send requests; values are upper-case ISO country codes such as CN; if empty, all are allowed
    geoip_allow_country = {},
    -- GeoIP display language, Chinese by default
    geoip_language = "zh-CN",

    -- Enable the IP whitelist
    whiteIP = "on",
    -- IP whitelist; network ranges are supported, "127.0.0.1/24" or "127.0.0.1/255.255.255.0"
    ipWhiteList = {"127.0.0.1"},

    -- Enable the IP blacklist
    blackIP = "on",
    -- IP blacklist; network ranges are supported, "127.0.0.1/24" or "127.0.0.1/255.255.255.0"; can also be configured in the ./rules/ipBlackList file
    ipBlackList = {},

    -- URL whitelist
    whiteURL = "on",
    -- URL blacklist
    blackURL = "on",

    -- HTTP method whitelist
    methodWhiteList = {"GET","POST","HEAD"},
    -- Request body check
    requestBodyCheck = "off",
    -- Blacklist of upload file types
    fileExtBlackList = {"php","jsp","asp","exe","sh"},
    -- Upload file content check
    fileContentCheck = "off",

    -- Cookie check
    cookie = "off",

    -- Bot management
    bot = "off",

    -- CC attack interception
    cc_defence = "on",
    -- Number of failed browser verifications after which the IP address is automatically blacklisted; requires autoIpBlock to be set to on
    cc_max_fail_times = 5,
    -- Timeout of the handling action, in seconds
    cc_action_timeout = 60,
    -- Validity period, in seconds, of the access token carried in the browser cookie after the request is verified as coming from a real browser
    cc_accesstoken_timeout = 1800,

    -- Secret key, used for request signing etc.; can be changed freely, a longer length is recommended
    secret = "2215D605B798A5CCEB6D5C900EE3585B",

    -- Sensitive data masking
    sensitive_data_filtering = "off",

    -- Redis support; when on, request rate statistics and the IP blacklist are stored in and read from Redis
    redis = "off",
    redis_host = "127.0.0.1",
    redis_port = "6379",
    redis_passwd = "",
    redis_ssl = false,
    redis_pool_size = "10",
    -- Respectively sets the connect, send, and read timeout thresholds (in ms)
    redis_timeouts = "1000,1000,1000",

    -- Whether to redirect
    redirect = "on",
    -- HTML page that illegal requests are redirected to
    redirect_html = "/usr/local/openresty/zhongkui-waf/redirect.html",

    -- Traffic monitoring page
    dashboard = "off",
    dashboard_html = "/usr/local/openresty/zhongkui-waf/dashboard/dashboard.html"

}

function _M.get(option)
    return config[option]
end

-- Returns true if the config option is "on",otherwise false
function _M.isOptionOn(option)
    return config[option] == "on" and true or false
end

return _M

############################################################

Lua part of the Nginx configuration file

[root@51dd47a7726c:/home/work/www/run/zhongkui-waf] $ cat /home/work/nginx/conf/nginx.conf |grep lua
lua_shared_dict dict_cclimit 10m;
lua_shared_dict dict_accesstoken 10m;
lua_shared_dict dict_blackip 10m;
lua_shared_dict dict_locks 100k;
lua_shared_dict dict_config 5m;
lua_shared_dict dict_config_rules_hits 5m;
lua_shared_dict dict_req_count 5m;
lua_package_path "/home/work/www/run/zhongkui-waf/?.lua;/home/work/www/run/zhongkui-waf/lib/?.lua;;";
init_by_lua_file /home/work/www/run/zhongkui-waf/init.lua;
init_worker_by_lua_file /home/work/www/run/zhongkui-waf/init_worker.lua;
access_by_lua_file /home/work/www/run/zhongkui-waf/waf.lua;
body_filter_by_lua_file /home/work/www/run/zhongkui-waf/body_filter.lua;
header_filter_by_lua_file /home/work/www/run/zhongkui-waf/header_filter.lua;
log_by_lua_file /home/work/www/run/zhongkui-waf/dashboard/count_traffic.lua;

############################################################

[root@51dd47a7726c:/home/work/www/run/zhongkui-waf] $ /home/work/nginx/sbin/nginx -t
nginx: the configuration file /home/work/nginx/conf/nginx.conf syntax is ok
nginx: [error] init_by_lua_file error: /home/work/www/run/zhongkui-waf/lib/redisCli.lua:21: no request object found
stack traceback:
    [C]: in function 'ngxmatch'
    /home/work/www/run/zhongkui-waf/lib/redisCli.lua:21: in main chunk
    [C]: in function 'require'
    /home/work/www/run/zhongkui-waf/lib/lib.lua:2: in main chunk
    [C]: in function 'require'
    /home/work/www/run/zhongkui-waf/init.lua:2: in main chunk
nginx: configuration file /home/work/nginx/conf/nginx.conf test failed

bukaleyang commented 1 year ago

Your configuration looks wrong: config.lua is configured with /usr/local/openresty/zhongkui-waf, but nginx is configured with /home/work/www/run/zhongkui-waf. Make them consistent first and then see.

topicgit commented 1 year ago

[root@51dd47a7726c:/home/work/www/run/zhongkui-waf] $ cat config.lua
local _M = {}

local config = {
    -- Turn the waf on or off
    waf = "on",
    -- Specify the working mode of this waf,The following option characters are supported:
    -- monitor: Record attack logs but do not intercept attack requests
    -- protection: Intercept attack requests and record attack logs
    mode = "protection",

    -- Enable automatic rule sorting; when on, rules are sorted in descending order of hit count, which can improve interception efficiency
    rules_sort = "off",
    -- Interval in seconds between rule sorts
    rules_sort_period = 60,

    -- Attack log
    attackLog = "on",
    -- Output the attack log in JSON format
    attackLog_json_format = "off",
    -- WAF log file path
    logPath = "/home/work/logs/waf/",
    -- Rule file path
    rulePath = "/home/work/www/run/zhongkui-waf/rules/",

    -- Enable IP geolocation
    geoip = "off",
    -- GeoIP data file path
    geoip_db_file = "/usr/local/share/GeoIP/GeoLite2-City.mmdb",
    -- Countries whose IPs may send requests; values are upper-case ISO country codes such as CN; if empty, all are allowed
    geoip_allow_country = {},
    -- GeoIP display language, Chinese by default
    geoip_language = "zh-CN",

    -- Enable the IP whitelist
    whiteIP = "off",
    -- IP whitelist; network ranges are supported, "127.0.0.1/24" or "127.0.0.1/255.255.255.0"
    ipWhiteList = {"127.0.0.1"},

    -- Enable the IP blacklist
    blackIP = "off",
    -- IP blacklist; network ranges are supported, "127.0.0.1/24" or "127.0.0.1/255.255.255.0"; can also be configured in the ./rules/ipBlackList file
    ipBlackList = {},

    -- URL whitelist
    whiteURL = "on",
    -- URL blacklist
    blackURL = "on",

    -- HTTP method whitelist
    methodWhiteList = {"GET","POST","HEAD"},
    -- Request body check
    requestBodyCheck = "off",
    -- Blacklist of upload file types
    fileExtBlackList = {"php","jsp","asp","exe","sh"},
    -- Upload file content check
    fileContentCheck = "off",

    -- Cookie check
    cookie = "off",

    -- Bot management
    bot = "off",

    -- CC attack interception
    cc_defence = "on",
    -- Number of failed browser verifications after which the IP address is automatically blacklisted; requires autoIpBlock to be set to on
    cc_max_fail_times = 5,
    -- Timeout of the handling action, in seconds
    cc_action_timeout = 60,
    -- Validity period, in seconds, of the access token carried in the browser cookie after the request is verified as coming from a real browser
    cc_accesstoken_timeout = 1800,

    -- Secret key, used for request signing etc.; can be changed freely, a longer length is recommended
    secret = "2215D605B798A5CCEB6D5C900EE3585B",

    -- Sensitive data masking
    sensitive_data_filtering = "off",

    -- Redis support; when on, request rate statistics and the IP blacklist are stored in and read from Redis
    redis = "off",
    redis_host = "127.0.0.1",
    redis_port = "6379",
    redis_passwd = "",
    redis_ssl = false,
    redis_pool_size = "10",
    -- Respectively sets the connect, send, and read timeout thresholds (in ms)
    redis_timeouts = "1000,1000,1000",

    -- Whether to redirect
    redirect = "on",
    -- HTML page that illegal requests are redirected to
    redirect_html = "/home/work/www/run/zhongkui-waf/redirect.html",

    -- Traffic monitoring page
    dashboard = "off",
    dashboard_html = "/home/work/www/run/zhongkui-waf/dashboard/dashboard.html"

}

function _M.get(option)
    return config[option]
end

-- Returns true if the config option is "on",otherwise false
function _M.isOptionOn(option)
    return config[option] == "on" and true or false
end

return _M

[root@51dd47a7726c:/home/work/www/run/zhongkui-waf] $ grep lua /home/work/nginx/conf/nginx.conf
lua_shared_dict dict_cclimit 10m;
lua_shared_dict dict_accesstoken 10m;
lua_shared_dict dict_blackip 10m;
lua_shared_dict dict_locks 100k;
lua_shared_dict dict_config 5m;
lua_shared_dict dict_config_rules_hits 5m;
lua_shared_dict dict_req_count 5m;
lua_package_path "/home/work/www/run/zhongkui-waf/?.lua;/home/work/www/run/zhongkui-waf/lib/?.lua;;";
init_by_lua_file /home/work/www/run/zhongkui-waf/init.lua;
init_worker_by_lua_file /home/work/www/run/zhongkui-waf/init_worker.lua;
access_by_lua_file /home/work/www/run/zhongkui-waf/waf.lua;
body_filter_by_lua_file /home/work/www/run/zhongkui-waf/body_filter.lua;
header_filter_by_lua_file /home/work/www/run/zhongkui-waf/header_filter.lua;
log_by_lua_file /home/work/www/run/zhongkui-waf/dashboard/count_traffic.lua;
[root@51dd47a7726c:/home/work/www/run/zhongkui-waf] $ ls /home/work/www/run/zhongkui-waf/dashboard/dashboard.html
/home/work/www/run/zhongkui-waf/dashboard/dashboard.html
[root@51dd47a7726c:/home/work/www/run/zhongkui-waf] $ /home/work/nginx/sbin/nginx -t
nginx: the configuration file /home/work/nginx/conf/nginx.conf syntax is ok
nginx: [error] init_by_lua_file error: /home/work/www/run/zhongkui-waf/lib/redisCli.lua:21: no request object found
stack traceback:
    [C]: in function 'ngxmatch'
    /home/work/www/run/zhongkui-waf/lib/redisCli.lua:21: in main chunk
    [C]: in function 'require'
    /home/work/www/run/zhongkui-waf/lib/lib.lua:2: in main chunk
    [C]: in function 'require'
    /home/work/www/run/zhongkui-waf/init.lua:2: in main chunk
nginx: configuration file /home/work/nginx/conf/nginx.conf test failed

I've made them consistent and it still doesn't work; the error is still in the redis part.

bukaleyang commented 1 year ago

How about upgrading OpenResty to the latest version and seeing...

bukaleyang commented 1 year ago

> nginx: configuration file /home/work/nginx/conf/nginx.conf test failed

The nginx configuration file test did not pass?