search

dbContext / SiteShield-OpenResty

Advanced Layer 7 HTTP(s) DDoS Mitigation module for OpenResty ("dynamic web platform based on NGINX and LuaJIT")
GNU General Public License v3.0
25 stars 7 forks source link
ddos-detection ddos-mitigation ddos-protection lua luajit nginx nginx-proxy openresty openresty-lua openresty-module resty

readme

SiteShield OpenResty

Advanced Layer 7 HTTP(s) DDoS Mitigation module for OpenResty ("dynamic web platform based on NGINX and LuaJIT")

## Features * **Layer 7 DDoS Mitigation** via JavaScript Challenge. * Firewall * Allow IP Address (Bypass JavaScript Challenge) * Block IP Address * Allow URI (Bypass JavaScript Challenge) * Block URI * SEO Optimised (Popular Search Engines Bypass JavaScript Challenge) * Variable Challenge Authentication Time Window * Variable Rate limit on Served Challenges ## Coming Soon * Google Recaptcha Challenge * Invisible JavaScript Challenge * On Detection Mitigation (currently Always On) * Automatic Installer Script (Requires Fresh/Vanilla Install) ## Getting Started Below we will go through installing SiteShield-OpenResty on a CentOS 7.9.2009 (Core) linux server, from zero to a fully fledged HTTP reverse proxy, with Layer 7 DDoS Mitigation. ## Prerequisites You'll need to install a few dependencies that SiteShield-OpenResty utilises. ``` yum install gcc ipset iptables bind-utils -y ``` ### OpenResty ``` wget https://openresty.org/package/centos/openresty.repo sudo mv openresty.repo /etc/yum.repos.d/ yum check-update yum install openresty -y useradd -r nginx ``` ### Redis First, install redis server: ``` yum install epel-release -y yum install redis -y ``` ### Sockproc ``` wget https://raw.githubusercontent.com/dbContext/sockproc/master/sockproc.c gcc sockproc.c -o sockproc ./sockproc /tmp/shell.sock chmod +x /tmp/shell.sock ``` ### Shell ``` mkdir /usr/local/openresty/lualib/resty/lua-resty-shell wget https://raw.githubusercontent.com/dbContext/lua-resty-shell/master/lib/resty/shell.lua mv shell.lua /usr/local/openresty/lualib/resty/lua-resty-shell ``` ## Configuring Network Firewall By dropping the IP address at the network interface, we're removing the overhead of OpenResty (CPU) processing the bad requests - greatly improving mitigation throughput. ``` ipset create siteshield-droplist hash:ip hashsize 4096 iptables -I INPUT -m set --match-set siteshield-droplist src -j DROP iptables -I FORWARD -m set --match-set siteshield-droplist src -j DROP ``` ## Installing SiteShield First, download `SiteShield.lua` to the relevant OpenResty/Nginx Directory. ``` wget https://raw.githubusercontent.com/dbContext/SiteShield-OpenResty/main/SiteShield.lua mv SiteShield.lua /usr/local/openresty/nginx/conf ``` Lastly, you'll now want to alter your nginx.conf, to utilise `SiteShield.lua`. ``` ... server { ... set $auth_time '86400'; # Time User is Authenticated after Challenge in seconds. set $allow_ip ''; # format: 1.1.1.1;2.2.2.2;3.3.3.3 set $block_ip ''; # format: 4.4.4.4;5.5.5.5;6.6.6.6 set $allow_uri ''; # format: /allow-this-uri;/also/allow/this/uri set $block_uri ''; # format: /block-this-uri;/also/block/this/uri set $max_failed_challenge_attempts '5'; # Max Failed Challenge Attempts before IP block. set $max_time_window_challenges '120'; # Max Challenges Served in Time Window (e.g. 5 Challenges with in 120 seconds.) location / { content_by_lua_file /usr/local/openresty/nginx/conf/SiteShield.lua; } error_page 555 = @backend; location @backend { proxy_set_header Host $host; proxy_set_header SiteShield-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_http_version 1.1; proxy_set_header Connection ''; proxy_redirect off; proxy_buffering off; proxy_pass http://google.com; } } ... ``` ## Ready to go! If everything above went as expected, after restarting the relevant services (commands below), you'll have a HTTP Reverse Proxy with Layer 7 DDoS Mitigation. ``` service redis restart service openresty restart ``` ## Contributing Please read [CONTRIBUTING](CONTRIBUTING.md) for details on our code of conduct, and the process for submitting pull requests to us. ## Authors * **[dbContext](https://github.com/dbContext)** - *Initial work* See also the list of [contributors](https://github.com/dbContext/SiteShield-OpenResty/contributors) who participated in this project. ## License This project is licensed under the GPL-3.0 License - see the [LICENSE](LICENSE) file for details ## Acknowledgments * **[openresty](https://github.com/openresty/openresty)** * **[redis](https://github.com/redis/redis)** * **[lua-resty-shell](https://github.com/juce/lua-resty-shell)** * **[sockproc](https://github.com/juce/sockproc)**