mirror of
https://github.com/QYG2297248353/appstore-1panel.git
synced 2024-11-25 06:28:47 +08:00
feat: 修改 nginx WAF
This commit is contained in:
parent
11dc8bc7c8
commit
31fa8a0e6e
9
apps/nginx/versions/1.21.4/www/common/waf/.gitignore
vendored
Normal file
9
apps/nginx/versions/1.21.4/www/common/waf/.gitignore
vendored
Normal file
@ -0,0 +1,9 @@
|
||||
# Binaries for programs and plugins
|
||||
*.exe
|
||||
*.exe~
|
||||
*.dll
|
||||
*.so
|
||||
*.dylib
|
||||
.idea
|
||||
|
||||
|
674
apps/nginx/versions/1.21.4/www/common/waf/LICENSE
Normal file
674
apps/nginx/versions/1.21.4/www/common/waf/LICENSE
Normal file
@ -0,0 +1,674 @@
|
||||
GNU GENERAL PUBLIC LICENSE
|
||||
Version 3, 29 June 2007
|
||||
|
||||
Copyright (C) 2007 Free Software Foundation, Inc. <https://fsf.org/>
|
||||
Everyone is permitted to copy and distribute verbatim copies
|
||||
of this license document, but changing it is not allowed.
|
||||
|
||||
Preamble
|
||||
|
||||
The GNU General Public License is a free, copyleft license for
|
||||
software and other kinds of works.
|
||||
|
||||
The licenses for most software and other practical works are designed
|
||||
to take away your freedom to share and change the works. By contrast,
|
||||
the GNU General Public License is intended to guarantee your freedom to
|
||||
share and change all versions of a program--to make sure it remains free
|
||||
software for all its users. We, the Free Software Foundation, use the
|
||||
GNU General Public License for most of our software; it applies also to
|
||||
any other work released this way by its authors. You can apply it to
|
||||
your programs, too.
|
||||
|
||||
When we speak of free software, we are referring to freedom, not
|
||||
price. Our General Public Licenses are designed to make sure that you
|
||||
have the freedom to distribute copies of free software (and charge for
|
||||
them if you wish), that you receive source code or can get it if you
|
||||
want it, that you can change the software or use pieces of it in new
|
||||
free programs, and that you know you can do these things.
|
||||
|
||||
To protect your rights, we need to prevent others from denying you
|
||||
these rights or asking you to surrender the rights. Therefore, you have
|
||||
certain responsibilities if you distribute copies of the software, or if
|
||||
you modify it: responsibilities to respect the freedom of others.
|
||||
|
||||
For example, if you distribute copies of such a program, whether
|
||||
gratis or for a fee, you must pass on to the recipients the same
|
||||
freedoms that you received. You must make sure that they, too, receive
|
||||
or can get the source code. And you must show them these terms so they
|
||||
know their rights.
|
||||
|
||||
Developers that use the GNU GPL protect your rights with two steps:
|
||||
(1) assert copyright on the software, and (2) offer you this License
|
||||
giving you legal permission to copy, distribute and/or modify it.
|
||||
|
||||
For the developers' and authors' protection, the GPL clearly explains
|
||||
that there is no warranty for this free software. For both users' and
|
||||
authors' sake, the GPL requires that modified versions be marked as
|
||||
changed, so that their problems will not be attributed erroneously to
|
||||
authors of previous versions.
|
||||
|
||||
Some devices are designed to deny users access to install or run
|
||||
modified versions of the software inside them, although the manufacturer
|
||||
can do so. This is fundamentally incompatible with the aim of
|
||||
protecting users' freedom to change the software. The systematic
|
||||
pattern of such abuse occurs in the area of products for individuals to
|
||||
use, which is precisely where it is most unacceptable. Therefore, we
|
||||
have designed this version of the GPL to prohibit the practice for those
|
||||
products. If such problems arise substantially in other domains, we
|
||||
stand ready to extend this provision to those domains in future versions
|
||||
of the GPL, as needed to protect the freedom of users.
|
||||
|
||||
Finally, every program is threatened constantly by software patents.
|
||||
States should not allow patents to restrict development and use of
|
||||
software on general-purpose computers, but in those that do, we wish to
|
||||
avoid the special danger that patents applied to a free program could
|
||||
make it effectively proprietary. To prevent this, the GPL assures that
|
||||
patents cannot be used to render the program non-free.
|
||||
|
||||
The precise terms and conditions for copying, distribution and
|
||||
modification follow.
|
||||
|
||||
TERMS AND CONDITIONS
|
||||
|
||||
0. Definitions.
|
||||
|
||||
"This License" refers to version 3 of the GNU General Public License.
|
||||
|
||||
"Copyright" also means copyright-like laws that apply to other kinds of
|
||||
works, such as semiconductor masks.
|
||||
|
||||
"The Program" refers to any copyrightable work licensed under this
|
||||
License. Each licensee is addressed as "you". "Licensees" and
|
||||
"recipients" may be individuals or organizations.
|
||||
|
||||
To "modify" a work means to copy from or adapt all or part of the work
|
||||
in a fashion requiring copyright permission, other than the making of an
|
||||
exact copy. The resulting work is called a "modified version" of the
|
||||
earlier work or a work "based on" the earlier work.
|
||||
|
||||
A "covered work" means either the unmodified Program or a work based
|
||||
on the Program.
|
||||
|
||||
To "propagate" a work means to do anything with it that, without
|
||||
permission, would make you directly or secondarily liable for
|
||||
infringement under applicable copyright law, except executing it on a
|
||||
computer or modifying a private copy. Propagation includes copying,
|
||||
distribution (with or without modification), making available to the
|
||||
public, and in some countries other activities as well.
|
||||
|
||||
To "convey" a work means any kind of propagation that enables other
|
||||
parties to make or receive copies. Mere interaction with a user through
|
||||
a computer network, with no transfer of a copy, is not conveying.
|
||||
|
||||
An interactive user interface displays "Appropriate Legal Notices"
|
||||
to the extent that it includes a convenient and prominently visible
|
||||
feature that (1) displays an appropriate copyright notice, and (2)
|
||||
tells the user that there is no warranty for the work (except to the
|
||||
extent that warranties are provided), that licensees may convey the
|
||||
work under this License, and how to view a copy of this License. If
|
||||
the interface presents a list of user commands or options, such as a
|
||||
menu, a prominent item in the list meets this criterion.
|
||||
|
||||
1. Source Code.
|
||||
|
||||
The "source code" for a work means the preferred form of the work
|
||||
for making modifications to it. "Object code" means any non-source
|
||||
form of a work.
|
||||
|
||||
A "Standard Interface" means an interface that either is an official
|
||||
standard defined by a recognized standards body, or, in the case of
|
||||
interfaces specified for a particular programming language, one that
|
||||
is widely used among developers working in that language.
|
||||
|
||||
The "System Libraries" of an executable work include anything, other
|
||||
than the work as a whole, that (a) is included in the normal form of
|
||||
packaging a Major Component, but which is not part of that Major
|
||||
Component, and (b) serves only to enable use of the work with that
|
||||
Major Component, or to implement a Standard Interface for which an
|
||||
implementation is available to the public in source code form. A
|
||||
"Major Component", in this context, means a major essential component
|
||||
(kernel, window system, and so on) of the specific operating system
|
||||
(if any) on which the executable work runs, or a compiler used to
|
||||
produce the work, or an object code interpreter used to run it.
|
||||
|
||||
The "Corresponding Source" for a work in object code form means all
|
||||
the source code needed to generate, install, and (for an executable
|
||||
work) run the object code and to modify the work, including scripts to
|
||||
control those activities. However, it does not include the work's
|
||||
System Libraries, or general-purpose tools or generally available free
|
||||
programs which are used unmodified in performing those activities but
|
||||
which are not part of the work. For example, Corresponding Source
|
||||
includes interface definition files associated with source files for
|
||||
the work, and the source code for shared libraries and dynamically
|
||||
linked subprograms that the work is specifically designed to require,
|
||||
such as by intimate data communication or control flow between those
|
||||
subprograms and other parts of the work.
|
||||
|
||||
The Corresponding Source need not include anything that users
|
||||
can regenerate automatically from other parts of the Corresponding
|
||||
Source.
|
||||
|
||||
The Corresponding Source for a work in source code form is that
|
||||
same work.
|
||||
|
||||
2. Basic Permissions.
|
||||
|
||||
All rights granted under this License are granted for the term of
|
||||
copyright on the Program, and are irrevocable provided the stated
|
||||
conditions are met. This License explicitly affirms your unlimited
|
||||
permission to run the unmodified Program. The output from running a
|
||||
covered work is covered by this License only if the output, given its
|
||||
content, constitutes a covered work. This License acknowledges your
|
||||
rights of fair use or other equivalent, as provided by copyright law.
|
||||
|
||||
You may make, run and propagate covered works that you do not
|
||||
convey, without conditions so long as your license otherwise remains
|
||||
in force. You may convey covered works to others for the sole purpose
|
||||
of having them make modifications exclusively for you, or provide you
|
||||
with facilities for running those works, provided that you comply with
|
||||
the terms of this License in conveying all material for which you do
|
||||
not control copyright. Those thus making or running the covered works
|
||||
for you must do so exclusively on your behalf, under your direction
|
||||
and control, on terms that prohibit them from making any copies of
|
||||
your copyrighted material outside their relationship with you.
|
||||
|
||||
Conveying under any other circumstances is permitted solely under
|
||||
the conditions stated below. Sublicensing is not allowed; section 10
|
||||
makes it unnecessary.
|
||||
|
||||
3. Protecting Users' Legal Rights From Anti-Circumvention Law.
|
||||
|
||||
No covered work shall be deemed part of an effective technological
|
||||
measure under any applicable law fulfilling obligations under article
|
||||
11 of the WIPO copyright treaty adopted on 20 December 1996, or
|
||||
similar laws prohibiting or restricting circumvention of such
|
||||
measures.
|
||||
|
||||
When you convey a covered work, you waive any legal power to forbid
|
||||
circumvention of technological measures to the extent such circumvention
|
||||
is effected by exercising rights under this License with respect to
|
||||
the covered work, and you disclaim any intention to limit operation or
|
||||
modification of the work as a means of enforcing, against the work's
|
||||
users, your or third parties' legal rights to forbid circumvention of
|
||||
technological measures.
|
||||
|
||||
4. Conveying Verbatim Copies.
|
||||
|
||||
You may convey verbatim copies of the Program's source code as you
|
||||
receive it, in any medium, provided that you conspicuously and
|
||||
appropriately publish on each copy an appropriate copyright notice;
|
||||
keep intact all notices stating that this License and any
|
||||
non-permissive terms added in accord with section 7 apply to the code;
|
||||
keep intact all notices of the absence of any warranty; and give all
|
||||
recipients a copy of this License along with the Program.
|
||||
|
||||
You may charge any price or no price for each copy that you convey,
|
||||
and you may offer support or warranty protection for a fee.
|
||||
|
||||
5. Conveying Modified Source Versions.
|
||||
|
||||
You may convey a work based on the Program, or the modifications to
|
||||
produce it from the Program, in the form of source code under the
|
||||
terms of section 4, provided that you also meet all of these conditions:
|
||||
|
||||
a) The work must carry prominent notices stating that you modified
|
||||
it, and giving a relevant date.
|
||||
|
||||
b) The work must carry prominent notices stating that it is
|
||||
released under this License and any conditions added under section
|
||||
7. This requirement modifies the requirement in section 4 to
|
||||
"keep intact all notices".
|
||||
|
||||
c) You must license the entire work, as a whole, under this
|
||||
License to anyone who comes into possession of a copy. This
|
||||
License will therefore apply, along with any applicable section 7
|
||||
additional terms, to the whole of the work, and all its parts,
|
||||
regardless of how they are packaged. This License gives no
|
||||
permission to license the work in any other way, but it does not
|
||||
invalidate such permission if you have separately received it.
|
||||
|
||||
d) If the work has interactive user interfaces, each must display
|
||||
Appropriate Legal Notices; however, if the Program has interactive
|
||||
interfaces that do not display Appropriate Legal Notices, your
|
||||
work need not make them do so.
|
||||
|
||||
A compilation of a covered work with other separate and independent
|
||||
works, which are not by their nature extensions of the covered work,
|
||||
and which are not combined with it such as to form a larger program,
|
||||
in or on a volume of a storage or distribution medium, is called an
|
||||
"aggregate" if the compilation and its resulting copyright are not
|
||||
used to limit the access or legal rights of the compilation's users
|
||||
beyond what the individual works permit. Inclusion of a covered work
|
||||
in an aggregate does not cause this License to apply to the other
|
||||
parts of the aggregate.
|
||||
|
||||
6. Conveying Non-Source Forms.
|
||||
|
||||
You may convey a covered work in object code form under the terms
|
||||
of sections 4 and 5, provided that you also convey the
|
||||
machine-readable Corresponding Source under the terms of this License,
|
||||
in one of these ways:
|
||||
|
||||
a) Convey the object code in, or embodied in, a physical product
|
||||
(including a physical distribution medium), accompanied by the
|
||||
Corresponding Source fixed on a durable physical medium
|
||||
customarily used for software interchange.
|
||||
|
||||
b) Convey the object code in, or embodied in, a physical product
|
||||
(including a physical distribution medium), accompanied by a
|
||||
written offer, valid for at least three years and valid for as
|
||||
long as you offer spare parts or customer support for that product
|
||||
model, to give anyone who possesses the object code either (1) a
|
||||
copy of the Corresponding Source for all the software in the
|
||||
product that is covered by this License, on a durable physical
|
||||
medium customarily used for software interchange, for a price no
|
||||
more than your reasonable cost of physically performing this
|
||||
conveying of source, or (2) access to copy the
|
||||
Corresponding Source from a network server at no charge.
|
||||
|
||||
c) Convey individual copies of the object code with a copy of the
|
||||
written offer to provide the Corresponding Source. This
|
||||
alternative is allowed only occasionally and noncommercially, and
|
||||
only if you received the object code with such an offer, in accord
|
||||
with subsection 6b.
|
||||
|
||||
d) Convey the object code by offering access from a designated
|
||||
place (gratis or for a charge), and offer equivalent access to the
|
||||
Corresponding Source in the same way through the same place at no
|
||||
further charge. You need not require recipients to copy the
|
||||
Corresponding Source along with the object code. If the place to
|
||||
copy the object code is a network server, the Corresponding Source
|
||||
may be on a different server (operated by you or a third party)
|
||||
that supports equivalent copying facilities, provided you maintain
|
||||
clear directions next to the object code saying where to find the
|
||||
Corresponding Source. Regardless of what server hosts the
|
||||
Corresponding Source, you remain obligated to ensure that it is
|
||||
available for as long as needed to satisfy these requirements.
|
||||
|
||||
e) Convey the object code using peer-to-peer transmission, provided
|
||||
you inform other peers where the object code and Corresponding
|
||||
Source of the work are being offered to the general public at no
|
||||
charge under subsection 6d.
|
||||
|
||||
A separable portion of the object code, whose source code is excluded
|
||||
from the Corresponding Source as a System Library, need not be
|
||||
included in conveying the object code work.
|
||||
|
||||
A "User Product" is either (1) a "consumer product", which means any
|
||||
tangible personal property which is normally used for personal, family,
|
||||
or household purposes, or (2) anything designed or sold for incorporation
|
||||
into a dwelling. In determining whether a product is a consumer product,
|
||||
doubtful cases shall be resolved in favor of coverage. For a particular
|
||||
product received by a particular user, "normally used" refers to a
|
||||
typical or common use of that class of product, regardless of the status
|
||||
of the particular user or of the way in which the particular user
|
||||
actually uses, or expects or is expected to use, the product. A product
|
||||
is a consumer product regardless of whether the product has substantial
|
||||
commercial, industrial or non-consumer uses, unless such uses represent
|
||||
the only significant mode of use of the product.
|
||||
|
||||
"Installation Information" for a User Product means any methods,
|
||||
procedures, authorization keys, or other information required to install
|
||||
and execute modified versions of a covered work in that User Product from
|
||||
a modified version of its Corresponding Source. The information must
|
||||
suffice to ensure that the continued functioning of the modified object
|
||||
code is in no case prevented or interfered with solely because
|
||||
modification has been made.
|
||||
|
||||
If you convey an object code work under this section in, or with, or
|
||||
specifically for use in, a User Product, and the conveying occurs as
|
||||
part of a transaction in which the right of possession and use of the
|
||||
User Product is transferred to the recipient in perpetuity or for a
|
||||
fixed term (regardless of how the transaction is characterized), the
|
||||
Corresponding Source conveyed under this section must be accompanied
|
||||
by the Installation Information. But this requirement does not apply
|
||||
if neither you nor any third party retains the ability to install
|
||||
modified object code on the User Product (for example, the work has
|
||||
been installed in ROM).
|
||||
|
||||
The requirement to provide Installation Information does not include a
|
||||
requirement to continue to provide support service, warranty, or updates
|
||||
for a work that has been modified or installed by the recipient, or for
|
||||
the User Product in which it has been modified or installed. Access to a
|
||||
network may be denied when the modification itself materially and
|
||||
adversely affects the operation of the network or violates the rules and
|
||||
protocols for communication across the network.
|
||||
|
||||
Corresponding Source conveyed, and Installation Information provided,
|
||||
in accord with this section must be in a format that is publicly
|
||||
documented (and with an implementation available to the public in
|
||||
source code form), and must require no special password or key for
|
||||
unpacking, reading or copying.
|
||||
|
||||
7. Additional Terms.
|
||||
|
||||
"Additional permissions" are terms that supplement the terms of this
|
||||
License by making exceptions from one or more of its conditions.
|
||||
Additional permissions that are applicable to the entire Program shall
|
||||
be treated as though they were included in this License, to the extent
|
||||
that they are valid under applicable law. If additional permissions
|
||||
apply only to part of the Program, that part may be used separately
|
||||
under those permissions, but the entire Program remains governed by
|
||||
this License without regard to the additional permissions.
|
||||
|
||||
When you convey a copy of a covered work, you may at your option
|
||||
remove any additional permissions from that copy, or from any part of
|
||||
it. (Additional permissions may be written to require their own
|
||||
removal in certain cases when you modify the work.) You may place
|
||||
additional permissions on material, added by you to a covered work,
|
||||
for which you have or can give appropriate copyright permission.
|
||||
|
||||
Notwithstanding any other provision of this License, for material you
|
||||
add to a covered work, you may (if authorized by the copyright holders of
|
||||
that material) supplement the terms of this License with terms:
|
||||
|
||||
a) Disclaiming warranty or limiting liability differently from the
|
||||
terms of sections 15 and 16 of this License; or
|
||||
|
||||
b) Requiring preservation of specified reasonable legal notices or
|
||||
author attributions in that material or in the Appropriate Legal
|
||||
Notices displayed by works containing it; or
|
||||
|
||||
c) Prohibiting misrepresentation of the origin of that material, or
|
||||
requiring that modified versions of such material be marked in
|
||||
reasonable ways as different from the original version; or
|
||||
|
||||
d) Limiting the use for publicity purposes of names of licensors or
|
||||
authors of the material; or
|
||||
|
||||
e) Declining to grant rights under trademark law for use of some
|
||||
trade names, trademarks, or service marks; or
|
||||
|
||||
f) Requiring indemnification of licensors and authors of that
|
||||
material by anyone who conveys the material (or modified versions of
|
||||
it) with contractual assumptions of liability to the recipient, for
|
||||
any liability that these contractual assumptions directly impose on
|
||||
those licensors and authors.
|
||||
|
||||
All other non-permissive additional terms are considered "further
|
||||
restrictions" within the meaning of section 10. If the Program as you
|
||||
received it, or any part of it, contains a notice stating that it is
|
||||
governed by this License along with a term that is a further
|
||||
restriction, you may remove that term. If a license document contains
|
||||
a further restriction but permits relicensing or conveying under this
|
||||
License, you may add to a covered work material governed by the terms
|
||||
of that license document, provided that the further restriction does
|
||||
not survive such relicensing or conveying.
|
||||
|
||||
If you add terms to a covered work in accord with this section, you
|
||||
must place, in the relevant source files, a statement of the
|
||||
additional terms that apply to those files, or a notice indicating
|
||||
where to find the applicable terms.
|
||||
|
||||
Additional terms, permissive or non-permissive, may be stated in the
|
||||
form of a separately written license, or stated as exceptions;
|
||||
the above requirements apply either way.
|
||||
|
||||
8. Termination.
|
||||
|
||||
You may not propagate or modify a covered work except as expressly
|
||||
provided under this License. Any attempt otherwise to propagate or
|
||||
modify it is void, and will automatically terminate your rights under
|
||||
this License (including any patent licenses granted under the third
|
||||
paragraph of section 11).
|
||||
|
||||
However, if you cease all violation of this License, then your
|
||||
license from a particular copyright holder is reinstated (a)
|
||||
provisionally, unless and until the copyright holder explicitly and
|
||||
finally terminates your license, and (b) permanently, if the copyright
|
||||
holder fails to notify you of the violation by some reasonable means
|
||||
prior to 60 days after the cessation.
|
||||
|
||||
Moreover, your license from a particular copyright holder is
|
||||
reinstated permanently if the copyright holder notifies you of the
|
||||
violation by some reasonable means, this is the first time you have
|
||||
received notice of violation of this License (for any work) from that
|
||||
copyright holder, and you cure the violation prior to 30 days after
|
||||
your receipt of the notice.
|
||||
|
||||
Termination of your rights under this section does not terminate the
|
||||
licenses of parties who have received copies or rights from you under
|
||||
this License. If your rights have been terminated and not permanently
|
||||
reinstated, you do not qualify to receive new licenses for the same
|
||||
material under section 10.
|
||||
|
||||
9. Acceptance Not Required for Having Copies.
|
||||
|
||||
You are not required to accept this License in order to receive or
|
||||
run a copy of the Program. Ancillary propagation of a covered work
|
||||
occurring solely as a consequence of using peer-to-peer transmission
|
||||
to receive a copy likewise does not require acceptance. However,
|
||||
nothing other than this License grants you permission to propagate or
|
||||
modify any covered work. These actions infringe copyright if you do
|
||||
not accept this License. Therefore, by modifying or propagating a
|
||||
covered work, you indicate your acceptance of this License to do so.
|
||||
|
||||
10. Automatic Licensing of Downstream Recipients.
|
||||
|
||||
Each time you convey a covered work, the recipient automatically
|
||||
receives a license from the original licensors, to run, modify and
|
||||
propagate that work, subject to this License. You are not responsible
|
||||
for enforcing compliance by third parties with this License.
|
||||
|
||||
An "entity transaction" is a transaction transferring control of an
|
||||
organization, or substantially all assets of one, or subdividing an
|
||||
organization, or merging organizations. If propagation of a covered
|
||||
work results from an entity transaction, each party to that
|
||||
transaction who receives a copy of the work also receives whatever
|
||||
licenses to the work the party's predecessor in interest had or could
|
||||
give under the previous paragraph, plus a right to possession of the
|
||||
Corresponding Source of the work from the predecessor in interest, if
|
||||
the predecessor has it or can get it with reasonable efforts.
|
||||
|
||||
You may not impose any further restrictions on the exercise of the
|
||||
rights granted or affirmed under this License. For example, you may
|
||||
not impose a license fee, royalty, or other charge for exercise of
|
||||
rights granted under this License, and you may not initiate litigation
|
||||
(including a cross-claim or counterclaim in a lawsuit) alleging that
|
||||
any patent claim is infringed by making, using, selling, offering for
|
||||
sale, or importing the Program or any portion of it.
|
||||
|
||||
11. Patents.
|
||||
|
||||
A "contributor" is a copyright holder who authorizes use under this
|
||||
License of the Program or a work on which the Program is based. The
|
||||
work thus licensed is called the contributor's "contributor version".
|
||||
|
||||
A contributor's "essential patent claims" are all patent claims
|
||||
owned or controlled by the contributor, whether already acquired or
|
||||
hereafter acquired, that would be infringed by some manner, permitted
|
||||
by this License, of making, using, or selling its contributor version,
|
||||
but do not include claims that would be infringed only as a
|
||||
consequence of further modification of the contributor version. For
|
||||
purposes of this definition, "control" includes the right to grant
|
||||
patent sublicenses in a manner consistent with the requirements of
|
||||
this License.
|
||||
|
||||
Each contributor grants you a non-exclusive, worldwide, royalty-free
|
||||
patent license under the contributor's essential patent claims, to
|
||||
make, use, sell, offer for sale, import and otherwise run, modify and
|
||||
propagate the contents of its contributor version.
|
||||
|
||||
In the following three paragraphs, a "patent license" is any express
|
||||
agreement or commitment, however denominated, not to enforce a patent
|
||||
(such as an express permission to practice a patent or covenant not to
|
||||
sue for patent infringement). To "grant" such a patent license to a
|
||||
party means to make such an agreement or commitment not to enforce a
|
||||
patent against the party.
|
||||
|
||||
If you convey a covered work, knowingly relying on a patent license,
|
||||
and the Corresponding Source of the work is not available for anyone
|
||||
to copy, free of charge and under the terms of this License, through a
|
||||
publicly available network server or other readily accessible means,
|
||||
then you must either (1) cause the Corresponding Source to be so
|
||||
available, or (2) arrange to deprive yourself of the benefit of the
|
||||
patent license for this particular work, or (3) arrange, in a manner
|
||||
consistent with the requirements of this License, to extend the patent
|
||||
license to downstream recipients. "Knowingly relying" means you have
|
||||
actual knowledge that, but for the patent license, your conveying the
|
||||
covered work in a country, or your recipient's use of the covered work
|
||||
in a country, would infringe one or more identifiable patents in that
|
||||
country that you have reason to believe are valid.
|
||||
|
||||
If, pursuant to or in connection with a single transaction or
|
||||
arrangement, you convey, or propagate by procuring conveyance of, a
|
||||
covered work, and grant a patent license to some of the parties
|
||||
receiving the covered work authorizing them to use, propagate, modify
|
||||
or convey a specific copy of the covered work, then the patent license
|
||||
you grant is automatically extended to all recipients of the covered
|
||||
work and works based on it.
|
||||
|
||||
A patent license is "discriminatory" if it does not include within
|
||||
the scope of its coverage, prohibits the exercise of, or is
|
||||
conditioned on the non-exercise of one or more of the rights that are
|
||||
specifically granted under this License. You may not convey a covered
|
||||
work if you are a party to an arrangement with a third party that is
|
||||
in the business of distributing software, under which you make payment
|
||||
to the third party based on the extent of your activity of conveying
|
||||
the work, and under which the third party grants, to any of the
|
||||
parties who would receive the covered work from you, a discriminatory
|
||||
patent license (a) in connection with copies of the covered work
|
||||
conveyed by you (or copies made from those copies), or (b) primarily
|
||||
for and in connection with specific products or compilations that
|
||||
contain the covered work, unless you entered into that arrangement,
|
||||
or that patent license was granted, prior to 28 March 2007.
|
||||
|
||||
Nothing in this License shall be construed as excluding or limiting
|
||||
any implied license or other defenses to infringement that may
|
||||
otherwise be available to you under applicable patent law.
|
||||
|
||||
12. No Surrender of Others' Freedom.
|
||||
|
||||
If conditions are imposed on you (whether by court order, agreement or
|
||||
otherwise) that contradict the conditions of this License, they do not
|
||||
excuse you from the conditions of this License. If you cannot convey a
|
||||
covered work so as to satisfy simultaneously your obligations under this
|
||||
License and any other pertinent obligations, then as a consequence you may
|
||||
not convey it at all. For example, if you agree to terms that obligate you
|
||||
to collect a royalty for further conveying from those to whom you convey
|
||||
the Program, the only way you could satisfy both those terms and this
|
||||
License would be to refrain entirely from conveying the Program.
|
||||
|
||||
13. Use with the GNU Affero General Public License.
|
||||
|
||||
Notwithstanding any other provision of this License, you have
|
||||
permission to link or combine any covered work with a work licensed
|
||||
under version 3 of the GNU Affero General Public License into a single
|
||||
combined work, and to convey the resulting work. The terms of this
|
||||
License will continue to apply to the part which is the covered work,
|
||||
but the special requirements of the GNU Affero General Public License,
|
||||
section 13, concerning interaction through a network will apply to the
|
||||
combination as such.
|
||||
|
||||
14. Revised Versions of this License.
|
||||
|
||||
The Free Software Foundation may publish revised and/or new versions of
|
||||
the GNU General Public License from time to time. Such new versions will
|
||||
be similar in spirit to the present version, but may differ in detail to
|
||||
address new problems or concerns.
|
||||
|
||||
Each version is given a distinguishing version number. If the
|
||||
Program specifies that a certain numbered version of the GNU General
|
||||
Public License "or any later version" applies to it, you have the
|
||||
option of following the terms and conditions either of that numbered
|
||||
version or of any later version published by the Free Software
|
||||
Foundation. If the Program does not specify a version number of the
|
||||
GNU General Public License, you may choose any version ever published
|
||||
by the Free Software Foundation.
|
||||
|
||||
If the Program specifies that a proxy can decide which future
|
||||
versions of the GNU General Public License can be used, that proxy's
|
||||
public statement of acceptance of a version permanently authorizes you
|
||||
to choose that version for the Program.
|
||||
|
||||
Later license versions may give you additional or different
|
||||
permissions. However, no additional obligations are imposed on any
|
||||
author or copyright holder as a result of your choosing to follow a
|
||||
later version.
|
||||
|
||||
15. Disclaimer of Warranty.
|
||||
|
||||
THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY
|
||||
APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT
|
||||
HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY
|
||||
OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO,
|
||||
THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
|
||||
PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM
|
||||
IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF
|
||||
ALL NECESSARY SERVICING, REPAIR OR CORRECTION.
|
||||
|
||||
16. Limitation of Liability.
|
||||
|
||||
IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
|
||||
WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS
|
||||
THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY
|
||||
GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE
|
||||
USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF
|
||||
DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD
|
||||
PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS),
|
||||
EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF
|
||||
SUCH DAMAGES.
|
||||
|
||||
17. Interpretation of Sections 15 and 16.
|
||||
|
||||
If the disclaimer of warranty and limitation of liability provided
|
||||
above cannot be given local legal effect according to their terms,
|
||||
reviewing courts shall apply local law that most closely approximates
|
||||
an absolute waiver of all civil liability in connection with the
|
||||
Program, unless a warranty or assumption of liability accompanies a
|
||||
copy of the Program in return for a fee.
|
||||
|
||||
END OF TERMS AND CONDITIONS
|
||||
|
||||
How to Apply These Terms to Your New Programs
|
||||
|
||||
If you develop a new program, and you want it to be of the greatest
|
||||
possible use to the public, the best way to achieve this is to make it
|
||||
free software which everyone can redistribute and change under these terms.
|
||||
|
||||
To do so, attach the following notices to the program. It is safest
|
||||
to attach them to the start of each source file to most effectively
|
||||
state the exclusion of warranty; and each file should have at least
|
||||
the "copyright" line and a pointer to where the full notice is found.
|
||||
|
||||
<one line to give the program's name and a brief idea of what it does.>
|
||||
Copyright (C) <year> <name of author>
|
||||
|
||||
This program is free software: you can redistribute it and/or modify
|
||||
it under the terms of the GNU General Public License as published by
|
||||
the Free Software Foundation, either version 3 of the License, or
|
||||
(at your option) any later version.
|
||||
|
||||
This program is distributed in the hope that it will be useful,
|
||||
but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
GNU General Public License for more details.
|
||||
|
||||
You should have received a copy of the GNU General Public License
|
||||
along with this program. If not, see <https://www.gnu.org/licenses/>.
|
||||
|
||||
Also add information on how to contact you by electronic and paper mail.
|
||||
|
||||
If the program does terminal interaction, make it output a short
|
||||
notice like this when it starts in an interactive mode:
|
||||
|
||||
<program> Copyright (C) <year> <name of author>
|
||||
This program comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
|
||||
This is free software, and you are welcome to redistribute it
|
||||
under certain conditions; type `show c' for details.
|
||||
|
||||
The hypothetical commands `show w' and `show c' should show the appropriate
|
||||
parts of the General Public License. Of course, your program's commands
|
||||
might be different; for a GUI interface, you would use an "about box".
|
||||
|
||||
You should also get your employer (if you work as a programmer) or school,
|
||||
if any, to sign a "copyright disclaimer" for the program, if necessary.
|
||||
For more information on this, and how to apply and follow the GNU GPL, see
|
||||
<https://www.gnu.org/licenses/>.
|
||||
|
||||
The GNU General Public License does not permit incorporating your program
|
||||
into proprietary programs. If your program is a subroutine library, you
|
||||
may consider it more useful to permit linking proprietary applications with
|
||||
the library. If this is what you want to do, use the GNU Lesser General
|
||||
Public License instead of this License. But first, please read
|
||||
<https://www.gnu.org/licenses/why-not-lgpl.html>.
|
2
apps/nginx/versions/1.21.4/www/common/waf/README.md
Normal file
2
apps/nginx/versions/1.21.4/www/common/waf/README.md
Normal file
@ -0,0 +1,2 @@
|
||||
# waf
|
||||
waf 是一个基于 lua-nginx-module(openresty) 的 web 应用防火墙
|
@ -8,7 +8,7 @@ local method=ngx.req.get_method()
|
||||
|
||||
|
||||
local function optionIsOn(options)
|
||||
return options == "on" or options == "On" or options == "ON"
|
||||
return options == "on" or options == "On" or options == "ON"
|
||||
end
|
||||
|
||||
local logpath = ngx.var.logdir
|
||||
@ -26,273 +26,297 @@ local CookieDeny = optionIsOn(ngx.var.cookieDeny)
|
||||
local FileExtDeny = optionIsOn(ngx.var.fileExtDeny)
|
||||
|
||||
local function getClientIp()
|
||||
IP = ngx.var.remote_addr
|
||||
if IP == nil then
|
||||
IP = "unknown"
|
||||
end
|
||||
return IP
|
||||
IP = ngx.var.remote_addr
|
||||
if IP == nil then
|
||||
IP = "unknown"
|
||||
end
|
||||
return IP
|
||||
end
|
||||
local function write(logfile,msg)
|
||||
local fd = io.open(logfile,"ab")
|
||||
if fd == nil then return end
|
||||
fd:write(msg)
|
||||
fd:flush()
|
||||
fd:close()
|
||||
local fd = io.open(logfile,"ab")
|
||||
if fd == nil then return end
|
||||
fd:write(msg)
|
||||
fd:flush()
|
||||
fd:close()
|
||||
end
|
||||
local function log(method,url,data,ruletag)
|
||||
if attacklog then
|
||||
local realIp = getClientIp()
|
||||
local ua = ngx.var.http_user_agent
|
||||
local servername=ngx.var.server_name
|
||||
local time=ngx.localtime()
|
||||
if attacklog then
|
||||
local realIp = getClientIp()
|
||||
local ua = ngx.var.http_user_agent
|
||||
local servername=ngx.var.server_name
|
||||
local time=ngx.localtime()
|
||||
local line = nil
|
||||
if ua then
|
||||
line = realIp.." ["..time.."] \""..method.." "..servername..url.."\" \""..data.."\" \""..ua.."\" \""..ruletag.."\"\n"
|
||||
else
|
||||
line = realIp.." ["..time.."] \""..method.." "..servername..url.."\" \""..data.."\" - \""..ruletag.."\"\n"
|
||||
end
|
||||
local filename = logpath..'/'..servername.."_"..ngx.today().."_sec.log"
|
||||
write(filename,line)
|
||||
end
|
||||
if ua then
|
||||
line = realIp.." ["..time.."] \""..method.." "..servername..url.."\" \""..data.."\" \""..ua.."\" \""..ruletag.."\"\n"
|
||||
else
|
||||
line = realIp.." ["..time.."] \""..method.." "..servername..url.."\" \""..data.."\" - \""..ruletag.."\"\n"
|
||||
end
|
||||
local filename = logpath..'/'..servername.."_"..ngx.today().."_sec.log"
|
||||
write(filename,line)
|
||||
end
|
||||
end
|
||||
------------------------------------规则读取函数-------------------------------------------------------------------
|
||||
local function read_rule(var)
|
||||
file = io.open(rulepath..'/'..var,"r")
|
||||
if file==nil then
|
||||
return
|
||||
end
|
||||
t = {}
|
||||
for line in file:lines() do
|
||||
table.insert(t,line)
|
||||
end
|
||||
file:close()
|
||||
return(t)
|
||||
end
|
||||
--local function read_rule(var)
|
||||
-- file = io.open(rulepath..'/'..var,"r")
|
||||
-- if file==nil then
|
||||
-- return
|
||||
-- end
|
||||
-- t = {}
|
||||
-- for line in file:lines() do
|
||||
-- table.insert(t,line)
|
||||
-- end
|
||||
-- file:close()
|
||||
-- return(t)
|
||||
--end
|
||||
|
||||
--local function read_json(var)
|
||||
-- file = io.open(rulepath..'/'..var,"r")
|
||||
-- if file==nil then
|
||||
-- return
|
||||
-- end
|
||||
-- str = file:read("*a")
|
||||
-- file:close()
|
||||
-- list = cjson.decode(str)
|
||||
-- return list
|
||||
--end
|
||||
|
||||
|
||||
local function read_json(var)
|
||||
file = io.open(rulepath..'/'..var,"r")
|
||||
if file==nil then
|
||||
return
|
||||
end
|
||||
file = io.open(rulepath..'/'..var .. '.json',"r")
|
||||
if file==nil then
|
||||
return
|
||||
end
|
||||
str = file:read("*a")
|
||||
file:close()
|
||||
list = cjson.decode(str)
|
||||
return list
|
||||
end
|
||||
|
||||
local function read_str(var)
|
||||
file = io.open(rulepath..'/'..var,"r")
|
||||
if file==nil then
|
||||
return
|
||||
end
|
||||
local str = file:read("*a")
|
||||
file:close()
|
||||
return str
|
||||
|
||||
local function select_rules(rules)
|
||||
if not rules then return {} end
|
||||
new_rules = {}
|
||||
for i,v in ipairs(rules) do
|
||||
if v[1] == 1 then
|
||||
print("111")
|
||||
table.insert(new_rules,v[2])
|
||||
end
|
||||
end
|
||||
return new_rules
|
||||
end
|
||||
|
||||
local function read_str(var)
|
||||
file = io.open(rulepath..'/'..var,"r")
|
||||
if file==nil then
|
||||
return
|
||||
end
|
||||
local str = file:read("*a")
|
||||
file:close()
|
||||
return str
|
||||
end
|
||||
|
||||
local argsCheckList=select_rules(read_json('args_check'))
|
||||
local postCheckList=select_rules(read_json('post_check'))
|
||||
local cookieBlockList=select_rules(read_json('cookie_block'))
|
||||
local uarules=select_rules(read_json('user_agent'))
|
||||
|
||||
local urlWhiteList=read_rule('urlWhiteList')
|
||||
local urlBlockList=read_rule('urlBlockList')
|
||||
local argsCheckList=read_rule('argsCheckList')
|
||||
local postCheckList=read_rule('postCheckList')
|
||||
local cookieBlockList=read_rule('cookieBlockList')
|
||||
local ipWhiteList=read_json('ipWhiteList')
|
||||
local ipBlockList=read_json('ipBlockList')
|
||||
local ccRate=read_str('ccRate')
|
||||
local fileExtBlockList = read_json('fileExtBlockList')
|
||||
local urlWhiteList=read_json('url_white')
|
||||
local urlBlockList=read_json('url_block')
|
||||
local ipWhiteList=read_json('ip_white')
|
||||
local ipBlockList=read_json('ip_block')
|
||||
local fileExtBlockList = read_json('file_ext_block')
|
||||
|
||||
local ccRate=read_str('cc.json')
|
||||
local html=read_str('html')
|
||||
local uarules=read_rule('user-agent')
|
||||
|
||||
local function say_html()
|
||||
if Redirect then
|
||||
ngx.header.content_type = "text/html"
|
||||
ngx.status = ngx.HTTP_FORBIDDEN
|
||||
ngx.say(html)
|
||||
ngx.exit(ngx.status)
|
||||
end
|
||||
if Redirect then
|
||||
ngx.header.content_type = "text/html"
|
||||
ngx.status = ngx.HTTP_FORBIDDEN
|
||||
ngx.say(html)
|
||||
ngx.exit(ngx.status)
|
||||
end
|
||||
end
|
||||
|
||||
local function whiteurl()
|
||||
if UrlWhiteAllow then
|
||||
if urlWhiteList ~=nil then
|
||||
for _,rule in pairs(urlWhiteList) do
|
||||
if ngxmatch(ngx.var.uri,rule,"isjo") then
|
||||
return true
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
||||
return false
|
||||
if UrlWhiteAllow then
|
||||
if urlWhiteList ~=nil then
|
||||
for _,rule in pairs(urlWhiteList) do
|
||||
if ngxmatch(ngx.var.uri,rule,"isjo") then
|
||||
return true
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
||||
return false
|
||||
end
|
||||
local function fileExtCheck(ext)
|
||||
if FileExtDeny then
|
||||
local items = Set(fileExtBlockList)
|
||||
ext=string.lower(ext)
|
||||
if ext then
|
||||
for rule in pairs(items) do
|
||||
if ngx.re.match(ext,rule,"isjo") then
|
||||
log('POST',ngx.var.request_uri,"-","file attack with ext "..ext)
|
||||
say_html()
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
||||
return false
|
||||
if FileExtDeny then
|
||||
local items = Set(fileExtBlockList)
|
||||
ext=string.lower(ext)
|
||||
if ext then
|
||||
for rule in pairs(items) do
|
||||
if ngx.re.match(ext,rule,"isjo") then
|
||||
log('POST',ngx.var.request_uri,"-","file attack with ext "..ext)
|
||||
say_html()
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
||||
return false
|
||||
end
|
||||
function Set (list)
|
||||
local set = {}
|
||||
for _, l in ipairs(list) do set[l] = true end
|
||||
return set
|
||||
local set = {}
|
||||
for _, l in ipairs(list) do set[l] = true end
|
||||
return set
|
||||
end
|
||||
|
||||
local function args()
|
||||
if ArgsDeny then
|
||||
if argsCheckList then
|
||||
for _,rule in pairs(argsCheckList) do
|
||||
local uriArgs = ngx.req.get_uri_args()
|
||||
for key, val in pairs(uriArgs) do
|
||||
if type(val)=='table' then
|
||||
local t={}
|
||||
for k,v in pairs(val) do
|
||||
if v == true then
|
||||
v=""
|
||||
end
|
||||
table.insert(t,v)
|
||||
end
|
||||
data=table.concat(t, " ")
|
||||
else
|
||||
data=val
|
||||
end
|
||||
if data and type(data) ~= "boolean" and rule ~="" and ngxmatch(unescape(data),rule,"isjo") then
|
||||
log('GET',ngx.var.request_uri,"-",rule)
|
||||
say_html()
|
||||
return true
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
||||
return false
|
||||
if ArgsDeny then
|
||||
if argsCheckList then
|
||||
for _,rule in pairs(argsCheckList) do
|
||||
local uriArgs = ngx.req.get_uri_args()
|
||||
for key, val in pairs(uriArgs) do
|
||||
if type(val)=='table' then
|
||||
local t={}
|
||||
for k,v in pairs(val) do
|
||||
if v == true then
|
||||
v=""
|
||||
end
|
||||
table.insert(t,v)
|
||||
end
|
||||
data=table.concat(t, " ")
|
||||
else
|
||||
data=val
|
||||
end
|
||||
if data and type(data) ~= "boolean" and rule ~="" and ngxmatch(unescape(data),rule,"isjo") then
|
||||
log('GET',ngx.var.request_uri,"-",rule)
|
||||
say_html()
|
||||
return true
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
||||
return false
|
||||
end
|
||||
|
||||
|
||||
local function url()
|
||||
if UrlBlockDeny then
|
||||
for _,rule in pairs(urlBlockList) do
|
||||
if rule ~="" and ngxmatch(ngx.var.request_uri,rule,"isjo") then
|
||||
log('GET',ngx.var.request_uri,"-",rule)
|
||||
say_html()
|
||||
return true
|
||||
end
|
||||
end
|
||||
end
|
||||
return false
|
||||
if UrlBlockDeny then
|
||||
for _,rule in pairs(urlBlockList) do
|
||||
if rule ~="" and ngxmatch(ngx.var.request_uri,rule,"isjo") then
|
||||
log('GET',ngx.var.request_uri,"-",rule)
|
||||
say_html()
|
||||
return true
|
||||
end
|
||||
end
|
||||
end
|
||||
return false
|
||||
end
|
||||
|
||||
function ua()
|
||||
local ua = ngx.var.http_user_agent
|
||||
if ua ~= nil then
|
||||
for _,rule in pairs(uarules) do
|
||||
if rule ~="" and ngxmatch(ua,rule,"isjo") then
|
||||
log('UA',ngx.var.request_uri,"-",rule)
|
||||
say_html()
|
||||
return true
|
||||
end
|
||||
end
|
||||
end
|
||||
return false
|
||||
local ua = ngx.var.http_user_agent
|
||||
if ua ~= nil then
|
||||
for _,rule in pairs(uarules) do
|
||||
if rule ~="" and ngxmatch(ua,rule,"isjo") then
|
||||
log('UA',ngx.var.request_uri,"-",rule)
|
||||
say_html()
|
||||
return true
|
||||
end
|
||||
end
|
||||
end
|
||||
return false
|
||||
end
|
||||
function body(data)
|
||||
for _,rule in pairs(postCheckList) do
|
||||
if rule ~="" and data~="" and ngxmatch(unescape(data),rule,"isjo") then
|
||||
log('POST',ngx.var.request_uri,data,rule)
|
||||
say_html()
|
||||
return true
|
||||
end
|
||||
end
|
||||
return false
|
||||
for _,rule in pairs(postCheckList) do
|
||||
if rule ~="" and data~="" and ngxmatch(unescape(data),rule,"isjo") then
|
||||
log('POST',ngx.var.request_uri,data,rule)
|
||||
say_html()
|
||||
return true
|
||||
end
|
||||
end
|
||||
return false
|
||||
end
|
||||
local function cookie()
|
||||
local ck = ngx.var.http_cookie
|
||||
if CookieDeny and ck then
|
||||
for _,rule in pairs(cookieBlockList) do
|
||||
if rule ~="" and ngxmatch(ck,rule,"isjo") then
|
||||
log('Cookie',ngx.var.request_uri,"-",rule)
|
||||
say_html()
|
||||
return true
|
||||
end
|
||||
end
|
||||
end
|
||||
return false
|
||||
local ck = ngx.var.http_cookie
|
||||
if CookieDeny and ck then
|
||||
for _,rule in pairs(cookieBlockList) do
|
||||
if rule ~="" and ngxmatch(ck,rule,"isjo") then
|
||||
log('Cookie',ngx.var.request_uri,"-",rule)
|
||||
say_html()
|
||||
return true
|
||||
end
|
||||
end
|
||||
end
|
||||
return false
|
||||
end
|
||||
|
||||
local function denycc()
|
||||
if CCDeny and ccRate then
|
||||
local uri=ngx.var.uri
|
||||
CCcount=tonumber(string.match(ccRate,'(.*)/'))
|
||||
CCseconds=tonumber(string.match(ccRate,'/(.*)'))
|
||||
local uri = getClientIp()..uri
|
||||
local limit = ngx.shared.limit
|
||||
local req,_=limit:get(uri)
|
||||
if req then
|
||||
if req > CCcount then
|
||||
ngx.exit(503)
|
||||
return true
|
||||
else
|
||||
limit:incr(token,1)
|
||||
end
|
||||
else
|
||||
limit:set(uri,1,CCseconds)
|
||||
end
|
||||
end
|
||||
return false
|
||||
if CCDeny and ccRate then
|
||||
local uri=ngx.var.uri
|
||||
CCcount=tonumber(string.match(ccRate,'(.*)/'))
|
||||
CCseconds=tonumber(string.match(ccRate,'/(.*)'))
|
||||
local uri = getClientIp()..uri
|
||||
local limit = ngx.shared.limit
|
||||
local req,_=limit:get(uri)
|
||||
if req then
|
||||
if req > CCcount then
|
||||
ngx.exit(503)
|
||||
return true
|
||||
else
|
||||
limit:incr(token,1)
|
||||
end
|
||||
else
|
||||
limit:set(uri,1,CCseconds)
|
||||
end
|
||||
end
|
||||
return false
|
||||
end
|
||||
|
||||
local function get_boundary()
|
||||
local header = get_headers()["content-type"]
|
||||
if not header then
|
||||
return nil
|
||||
end
|
||||
local header = get_headers()["content-type"]
|
||||
if not header then
|
||||
return nil
|
||||
end
|
||||
|
||||
if type(header) == "table" then
|
||||
header = header[1]
|
||||
end
|
||||
if type(header) == "table" then
|
||||
header = header[1]
|
||||
end
|
||||
|
||||
local m = match(header, ";%s*boundary=\"([^\"]+)\"")
|
||||
if m then
|
||||
return m
|
||||
end
|
||||
local m = match(header, ";%s*boundary=\"([^\"]+)\"")
|
||||
if m then
|
||||
return m
|
||||
end
|
||||
|
||||
return match(header, ";%s*boundary=([^\",;]+)")
|
||||
return match(header, ";%s*boundary=([^\",;]+)")
|
||||
end
|
||||
|
||||
local function whiteip()
|
||||
if IpWhiteAllow then
|
||||
if next(ipWhiteList) ~= nil then
|
||||
for _,ip in pairs(ipWhiteList) do
|
||||
if getClientIp()==ip then
|
||||
return true
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
||||
return false
|
||||
if IpWhiteAllow then
|
||||
if next(ipWhiteList) ~= nil then
|
||||
for _,ip in pairs(ipWhiteList) do
|
||||
if getClientIp()==ip then
|
||||
return true
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
||||
return false
|
||||
end
|
||||
|
||||
local function blockip()
|
||||
if IpBlockDeny then
|
||||
if next(ipBlockList) ~= nil then
|
||||
for _,ip in pairs(ipBlockList) do
|
||||
if getClientIp()==ip then
|
||||
ngx.exit(403)
|
||||
return true
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
||||
return false
|
||||
if IpBlockDeny then
|
||||
if next(ipBlockList) ~= nil then
|
||||
for _,ip in pairs(ipBlockList) do
|
||||
if getClientIp()==ip then
|
||||
ngx.exit(403)
|
||||
return true
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
||||
return false
|
||||
end
|
||||
|
||||
|
||||
@ -310,74 +334,74 @@ elseif url() then
|
||||
elseif args() then
|
||||
elseif cookie() then
|
||||
elseif PostDeny then
|
||||
if method=="POST" then
|
||||
local boundary = get_boundary()
|
||||
if boundary then
|
||||
local len = string.len
|
||||
if method=="POST" then
|
||||
local boundary = get_boundary()
|
||||
if boundary then
|
||||
local len = string.len
|
||||
local sock, err = ngx.req.socket()
|
||||
if not sock then
|
||||
return
|
||||
if not sock then
|
||||
return
|
||||
end
|
||||
ngx.req.init_body(128 * 1024)
|
||||
ngx.req.init_body(128 * 1024)
|
||||
sock:settimeout(0)
|
||||
local content_length = nil
|
||||
content_length=tonumber(ngx.req.get_headers()['content-length'])
|
||||
local chunk_size = 4096
|
||||
local content_length = nil
|
||||
content_length=tonumber(ngx.req.get_headers()['content-length'])
|
||||
local chunk_size = 4096
|
||||
if content_length < chunk_size then
|
||||
chunk_size = content_length
|
||||
end
|
||||
chunk_size = content_length
|
||||
end
|
||||
local size = 0
|
||||
while size < content_length do
|
||||
local data, err, partial = sock:receive(chunk_size)
|
||||
data = data or partial
|
||||
if not data then
|
||||
return
|
||||
end
|
||||
ngx.req.append_body(data)
|
||||
if body(data) then
|
||||
return true
|
||||
end
|
||||
size = size + len(data)
|
||||
local m = ngxmatch(data,[[Content-Disposition: form-data;(.+)filename="(.+)\\.(.*)"]],'ijo')
|
||||
if m then
|
||||
fileExtCheck(m[3])
|
||||
filetranslate = true
|
||||
else
|
||||
if ngxmatch(data,"Content-Disposition:",'isjo') then
|
||||
filetranslate = false
|
||||
end
|
||||
if filetranslate==false then
|
||||
if body(data) then
|
||||
return true
|
||||
end
|
||||
end
|
||||
end
|
||||
local less = content_length - size
|
||||
if less < chunk_size then
|
||||
chunk_size = less
|
||||
end
|
||||
end
|
||||
ngx.req.finish_body()
|
||||
else
|
||||
ngx.req.read_body()
|
||||
local args = ngx.req.get_post_args()
|
||||
if not args then
|
||||
return
|
||||
end
|
||||
for key, val in pairs(args) do
|
||||
if type(val) == "table" then
|
||||
if type(val[1]) == "boolean" then
|
||||
return
|
||||
end
|
||||
data=table.concat(val, ", ")
|
||||
else
|
||||
data=val
|
||||
end
|
||||
if data and type(data) ~= "boolean" and body(data) then
|
||||
body(key)
|
||||
end
|
||||
end
|
||||
end
|
||||
while size < content_length do
|
||||
local data, err, partial = sock:receive(chunk_size)
|
||||
data = data or partial
|
||||
if not data then
|
||||
return
|
||||
end
|
||||
ngx.req.append_body(data)
|
||||
if body(data) then
|
||||
return true
|
||||
end
|
||||
size = size + len(data)
|
||||
local m = ngxmatch(data,[[Content-Disposition: form-data;(.+)filename="(.+)\\.(.*)"]],'ijo')
|
||||
if m then
|
||||
fileExtCheck(m[3])
|
||||
filetranslate = true
|
||||
else
|
||||
if ngxmatch(data,"Content-Disposition:",'isjo') then
|
||||
filetranslate = false
|
||||
end
|
||||
if filetranslate==false then
|
||||
if body(data) then
|
||||
return true
|
||||
end
|
||||
end
|
||||
end
|
||||
local less = content_length - size
|
||||
if less < chunk_size then
|
||||
chunk_size = less
|
||||
end
|
||||
end
|
||||
ngx.req.finish_body()
|
||||
else
|
||||
ngx.req.read_body()
|
||||
local args = ngx.req.get_post_args()
|
||||
if not args then
|
||||
return
|
||||
end
|
||||
for key, val in pairs(args) do
|
||||
if type(val) == "table" then
|
||||
if type(val[1]) == "boolean" then
|
||||
return
|
||||
end
|
||||
data=table.concat(val, ", ")
|
||||
else
|
||||
data=val
|
||||
end
|
||||
if data and type(data) ~= "boolean" and body(data) then
|
||||
body(key)
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
||||
else
|
||||
return
|
||||
|
@ -1,22 +0,0 @@
|
||||
\.\./
|
||||
\:\$
|
||||
\$\{
|
||||
select.+(from|limit)
|
||||
(?:(union(.*?)select))
|
||||
having|rongjitest
|
||||
sleep\((\s*)(\d*)(\s*)\)
|
||||
benchmark\((.*)\,(.*)\)
|
||||
base64_decode\(
|
||||
(?:from\W+information_schema\W)
|
||||
(?:(?:current_)user|database|schema|connection_id)\s*\(
|
||||
(?:etc\/\W*passwd)
|
||||
into(\s+)+(?:dump|out)file\s*
|
||||
group\s+by.+\(
|
||||
xwork.MethodAccessor
|
||||
(?:define|eval|file_get_contents|include|require|require_once|shell_exec|phpinfo|system|passthru|preg_\w+|execute|echo|print|print_r|var_dump|(fp)open|alert|showmodaldialog)\(
|
||||
xwork\.MethodAccessor
|
||||
(gopher|doc|php|glob|file|phar|zlib|ftp|ldap|dict|ogg|data)\:\/
|
||||
java\.lang
|
||||
\$_(GET|post|cookie|files|session|env|phplib|GLOBALS|SERVER)\[
|
||||
\<(iframe|script|body|img|layer|div|meta|style|base|object|input)
|
||||
(onmouseover|onerror|onload)\=
|
@ -0,0 +1,26 @@
|
||||
[
|
||||
["\\.\\./\\.\\./", "\u76ee\u5f55\u4fdd\u62a41", 1 ],
|
||||
["(?:etc\\/\\W*passwd)", "\u76ee\u5f55\u4fdd\u62a43", 1 ],
|
||||
["(gopher|doc|php|glob|^file|phar|zlib|ftp|ldap|dict|ogg|data)\\:\\/", "PHP\u6d41\u534f\u8bae\u8fc7\u6ee41", 1 ],
|
||||
["base64_decode\\(", "\u4e00\u53e5\u8bdd\u6728\u9a6c\u8fc7\u6ee43", 1],
|
||||
["(?:define|eval|file_get_contents|include|require|require_once|shell_exec|phpinfo|system|passthru|char|chr|preg_\\w+|execute|echo|print|print_r|var_dump|(fp)open|alert|showmodaldialog)\\(", "\u4e00\u53e5\u8bdd\u6728\u9a6c\u8fc7\u6ee44", 1 ],
|
||||
["\\$_(GET|post|cookie|files|session|env|phplib|GLOBALS|SERVER)\\[", "\u4e00\u53e5\u8bdd\u6728\u9a6c\u8fc7\u6ee45", 1],
|
||||
["select.+(from|limit)", "SQL\u6ce8\u5165\u8fc7\u6ee42", 1 ],
|
||||
["(?:(union(.*?)select))", "SQL\u6ce8\u5165\u8fc7\u6ee43", 1 ],
|
||||
["benchmark\\((.*)\\,(.*)\\)", "SQL\u6ce8\u5165\u8fc7\u6ee46", 1],
|
||||
["(?:from\\W+information_schema\\W)", "SQL\u6ce8\u5165\u8fc7\u6ee47", 1],
|
||||
["(?:(?:current_)user|database|concat|extractvalue|polygon|updatexml|geometrycollection|schema|multipoint|multipolygon|connection_id|linestring|multilinestring|exp|right|sleep|group_concat|load_file|benchmark|file_put_contents|urldecode|system|file_get_contents|select|substring|substr|fopen|popen|phpinfo|user|alert|scandir|shell_exec|eval|execute|concat_ws|strcmp|right)\\s*\\(", "SQL\u6ce8\u5165\u8fc7\u6ee48", 1 ],
|
||||
["\\<(iframe|script|body|img|layer|div|meta|style|base|object)", "XSS\u8fc7\u6ee41", 1],
|
||||
["(invokefunction|call_user_func_array|\\\\think\\\\)", "ThinkPHP payload\u5c01\u5835", 1 ],
|
||||
["^url_array\\[.*\\]$", "Metinfo6.x XSS\u6f0f\u6d1e", 1],
|
||||
["(extractvalue\\(|concat\\(0x|user\\(\\)|substring\\(|count\\(\\*\\)|substring\\(hex\\(|updatexml\\()", "SQL\u62a5\u9519\u6ce8\u5165\u8fc7\u6ee401", 1],
|
||||
["(@@version|load_file\\(|NAME_CONST\\(|exp\\(\\~|floor\\(rand\\(|geometrycollection\\(|multipoint\\(|polygon\\(|multipolygon\\(|linestring\\(|multilinestring\\()", "SQL\u62a5\u9519\u6ce8\u5165\u8fc7\u6ee402", 1],
|
||||
["(ORD\\(|MID\\(|IFNULL\\(|CAST\\(|CHAR\\()", "SQL\u6ce8\u5165\u8fc7\u6ee41", 1],
|
||||
["(EXISTS\\(|SELECT\\#|\\(SELECT)", "SQL\u6ce8\u5165\u8fc7\u6ee41", 1],
|
||||
["(bin\\(|ascii\\(|benchmark\\(|concat_ws\\(|group_concat\\(|strcmp\\(|left\\(|datadir\\(|greatest\\()", "SQL\u62a5\u9519\u6ce8\u5165\u8fc7\u6ee401", 1],
|
||||
["(?:from.+?information_schema.+?)", "", 1],
|
||||
["(array_map\\(\"ass)", "\u83dc\u5200\u6d41\u91cf\u8fc7\u6ee4", 1],
|
||||
["'$", "test", 1],
|
||||
["\\${jndi:", "log4j2\u62e6\u622a", 1 ],
|
||||
["terrewrewrwr", "", 1]
|
||||
]
|
@ -1,20 +0,0 @@
|
||||
\.\./
|
||||
\:\$
|
||||
\$\{
|
||||
select.+(from|limit)
|
||||
(?:(union(.*?)select))
|
||||
having|rongjitest
|
||||
sleep\((\s*)(\d*)(\s*)\)
|
||||
benchmark\((.*)\,(.*)\)
|
||||
base64_decode\(
|
||||
(?:from\W+information_schema\W)
|
||||
(?:(?:current_)user|database|schema|connection_id)\s*\(
|
||||
(?:etc\/\W*passwd)
|
||||
into(\s+)+(?:dump|out)file\s*
|
||||
group\s+by.+\(
|
||||
xwork.MethodAccessor
|
||||
(?:define|eval|file_get_contents|include|require|require_once|shell_exec|phpinfo|system|passthru|preg_\w+|execute|echo|print|print_r|var_dump|(fp)open|alert|showmodaldialog)\(
|
||||
xwork\.MethodAccessor
|
||||
(gopher|doc|php|glob|file|phar|zlib|ftp|ldap|dict|ogg|data)\:\/
|
||||
java\.lang
|
||||
\$_(GET|post|cookie|files|session|env|phplib|GLOBALS|SERVER)\[
|
@ -0,0 +1,12 @@
|
||||
[
|
||||
["base64_decode\\(","一句话木马过滤3",1],
|
||||
["\\$_(GET|post|cookie|files|session|env|phplib|GLOBALS|SERVER)\\[","一句话木马过滤5",1],
|
||||
["select.+(from|limit)","SQL注入过滤2",1],
|
||||
["(?:(union(.*?)select))","SQL注入过滤3",1],
|
||||
["sleep\\((\\s*)(\\d*)(\\s*)\\)","SQL注入过滤5",1],
|
||||
["benchmark\\((.*)\\,(.*)\\)","SQL注入过滤6",1],
|
||||
["(?:from\\W+information_schema\\W)","SQL注入过滤7",1],
|
||||
["(?:(?:current_)user|database|schema|connection_id)\\s*\\(","SQL注入过滤8",1],
|
||||
["into(\\s+)+(?:dump|out)file\\s*","SQL注入过滤9",1],
|
||||
["group\\s+by.+\\(","SQL注入过滤10",1]
|
||||
]
|
@ -0,0 +1 @@
|
||||
["1.1.1.1"]
|
@ -1,19 +0,0 @@
|
||||
select.+(from|limit)
|
||||
(?:(union(.*?)select))
|
||||
having|rongjitest
|
||||
sleep\((\s*)(\d*)(\s*)\)
|
||||
benchmark\((.*)\,(.*)\)
|
||||
base64_decode\(
|
||||
(?:from\W+information_schema\W)
|
||||
(?:(?:current_)user|database|schema|connection_id)\s*\(
|
||||
(?:etc\/\W*passwd)
|
||||
into(\s+)+(?:dump|out)file\s*
|
||||
group\s+by.+\(
|
||||
xwork.MethodAccessor
|
||||
(?:define|eval|file_get_contents|include|require|require_once|shell_exec|phpinfo|system|passthru|preg_\w+|execute|echo|print|print_r|var_dump|(fp)open|alert|showmodaldialog)\(
|
||||
xwork\.MethodAccessor
|
||||
(gopher|doc|php|glob|file|phar|zlib|ftp|ldap|dict|ogg|data)\:\/
|
||||
java\.lang
|
||||
\$_(GET|post|cookie|files|session|env|phplib|GLOBALS|SERVER)\[
|
||||
\<(iframe|script|body|img|layer|div|meta|style|base|object|input)
|
||||
(onmouseover|onerror|onload)\=
|
@ -0,0 +1,22 @@
|
||||
[
|
||||
["\\.\\./\\.\\./", "\u76ee\u5f55\u4fdd\u62a41", 1],
|
||||
["(?:etc\\/\\W*passwd)", "\u76ee\u5f55\u4fdd\u62a43", 1],
|
||||
["(gopher|doc|php|glob|^file|phar|zlib|ftp|ldap|dict|ogg|data)\\:\\/", "PHP\u6d41\u534f\u8bae\u8fc7\u6ee41", 1],
|
||||
["base64_decode\\(", "\u4e00\u53e5\u8bdd*\u5c4f\u853d\u7684\u5173\u952e\u5b57*\u8fc7\u6ee41", 1],
|
||||
["(?:define|eval|file_get_contents|include|require_once|shell_exec|phpinfo|system|passthru|chr|char|preg_\\w+|execute|echo|print|print_r|var_dump|(fp)open|alert|showmodaldialog|file_put_contents|fopen|urldecode|scandir)\\(", "\u4e00\u53e5\u8bdd*\u5c4f\u853d\u7684\u5173\u952e\u5b57*\u8fc7\u6ee42", 1],
|
||||
["\\$_(GET|post|cookie|files|session|env|phplib|GLOBALS|SERVER)", "\u4e00\u53e5\u8bdd*\u5c4f\u853d\u7684\u5173\u952e\u5b57*\u8fc7\u6ee43", 1],
|
||||
["select.+(from|limit)", "SQL\u6ce8\u5165\u8fc7\u6ee42",1],
|
||||
["(?:(union(.*?)select))", "SQL\u6ce8\u5165\u8fc7\u6ee43",1],
|
||||
["benchmark\\((.*)\\,(.*)\\)", "SQL\u6ce8\u5165\u8fc7\u6ee46", 1],
|
||||
["(?:from\\W+information_schema\\W)", "SQL\u6ce8\u5165\u8fc7\u6ee47", 1],
|
||||
["(?:(?:current_)user|database|concat|extractvalue|polygon|updatexml|geometrycollection|schema|multipoint|multipolygon|connection_id|linestring|multilinestring|exp|right|sleep|group_concat|load_file|benchmark|file_put_contents|urldecode|system|file_get_contents|select|substring|substr|fopen|popen|phpinfo|user|alert|scandir|shell_exec|eval|execute|concat_ws|strcmp|right)\\s*\\(", "SQL\u6ce8\u5165\u8fc7\u6ee48",1],
|
||||
["(extractvalue\\(|concat\\(|user\\(\\)|substring\\(|count\\(\\*\\)|substring\\(hex\\(|updatexml\\()", "SQL\u62a5\u9519\u6ce8\u5165\u8fc7\u6ee401", 1],
|
||||
["(@@version|load_file\\(|NAME_CONST\\(|exp\\(\\~|floor\\(rand\\(|geometrycollection\\(|multipoint\\(|polygon\\(|multipolygon\\(|linestring\\(|multilinestring\\(|right\\()", "SQL\u62a5\u9519\u6ce8\u5165\u8fc7\u6ee402", 1],
|
||||
["(substr\\()", "SQL\u6ce8\u5165\u8fc7\u6ee410", 1],
|
||||
["(ORD\\(|MID\\(|IFNULL\\(|CAST\\(|CHAR\\()", "SQL\u6ce8\u5165\u8fc7\u6ee41", 1],
|
||||
["(EXISTS\\(|SELECT\\#|\\(SELECT|select\\()", "SQL\u6ce8\u5165\u8fc7\u6ee41", 1],
|
||||
["(array_map\\(\"ass)", "\u83dc\u5200\u6d41\u91cf\u8fc7\u6ee4", 1],
|
||||
["(bin\\(|ascii\\(|benchmark\\(|concat_ws\\(|group_concat\\(|strcmp\\(|left\\(|datadir\\(|greatest\\()", "SQL\u62a5\u9519\u6ce8\u5165\u8fc7\u6ee401", 1],
|
||||
["(?:from.+?information_schema.+?)", "", 1],
|
||||
["\\${jndi:", "log4j2\u62e6\u622a", 1]
|
||||
]
|
@ -1,6 +0,0 @@
|
||||
\.(svn|htaccess|bash_history)
|
||||
\.(bak|inc|old|mdb|sql|backup|java|class)$
|
||||
(vhost|bbs|host|wwwroot|www|site|root|hytop|flashfxp).*\.rar
|
||||
(phpmyadmin|jmx-console|jmxinvokerservlet)
|
||||
java\.lang
|
||||
/(attachments|upimg|images|css|uploadfiles|html|uploads|templets|static|template|data|inc|forumdata|upload|includes|cache|avatar)/(\\w+).(php|jsp)
|
@ -1 +0,0 @@
|
||||
^/123/$
|
@ -0,0 +1 @@
|
||||
[]
|
@ -1 +0,0 @@
|
||||
(HTTrack|harvest|audit|dirbuster|pangolin|nmap|sqln|-scan|hydra|Parser|libwww|BBBike|sqlmap|w3af|owasp|Nikto|fimap|havij|PycURL|zmeu|BabyKrokodil|netsparker|httperf|bench| SF/)
|
@ -0,0 +1,17 @@
|
||||
[
|
||||
["(WPScan|HTTrack|antSword|harvest|audit|dirbuster|pangolin|nmap|sqln|hydra|Parser|libwww|BBBike|sqlmap|w3af|owasp|Nikto|fimap|havij|zmeu|BabyKrokodil|netsparker|httperf| SF/)", "\u5173\u952e\u8bcd\u8fc7\u6ee41", 1],
|
||||
["(?:define|eval|file_get_contents|include|require_once|shell_exec|phpinfo|system|passthru|chr|char|preg_\\w+|execute|echo|print|print_r|var_dump|(fp)open|alert|showmodaldialog|file_put_contents|fopen|urldecode|scandir)\\(", "\u4e00\u53e5\u8bdd*\u5c4f\u853d\u7684\u5173\u952e\u5b57*\u8fc7\u6ee42", 1],
|
||||
["\\$_(GET|post|cookie|files|session|env|phplib|GLOBALS|SERVER)", "\u4e00\u53e5\u8bdd*\u5c4f\u853d\u7684\u5173\u952e\u5b57*\u8fc7\u6ee43", 1],
|
||||
["select\\s+.+(from|limit)\\s+", "SQL\u6ce8\u5165\u8fc7\u6ee42", 1],
|
||||
["(?:(union(.*?)select))", "SQL\u6ce8\u5165\u8fc7\u6ee43", 1],
|
||||
["benchmark\\((.*)\\,(.*)\\)", "SQL\u6ce8\u5165\u8fc7\u6ee46", 1],
|
||||
["(?:from\\W+information_schema\\W)", "SQL\u6ce8\u5165\u8fc7\u6ee47", 1],
|
||||
["(?:(?:current_)user|database|schema|connection_id)\\s*\\(", "SQL\u6ce8\u5165\u8fc7\u6ee48", 1],
|
||||
["(extractvalue\\(|concat\\(0x|user\\(\\)|substring\\(|count\\(\\*\\)|substring\\(hex\\(|updatexml\\()", "SQL\u62a5\u9519\u6ce8\u5165\u8fc7\u6ee401", 1],
|
||||
["(@@version|load_file\\(|NAME_CONST\\(|exp\\(\\~|floor\\(rand\\(|geometrycollection\\(|multipoint\\(|polygon\\(|multipolygon\\(|linestring\\(|multilinestring\\()", "SQL\u62a5\u9519\u6ce8\u5165\u8fc7\u6ee402", 1],
|
||||
["(substr\\()", "SQL\u6ce8\u5165\u8fc7\u6ee410", 1],
|
||||
["(ORD\\(|MID\\(|IFNULL\\(|CAST\\(|CHAR\\))", "SQL\u6ce8\u5165\u8fc7\u6ee41", 1],
|
||||
["(EXISTS\\(|SELECT\\#|\\(SELECT)", "SQL\u6ce8\u5165\u8fc7\u6ee41", 1],
|
||||
["(array_map\\(\"ass)", "\u83dc\u5200\u6d41\u91cf\u8fc7\u6ee4", 1],
|
||||
["(bin\\(|ascii\\(|benchmark\\(|concat_ws\\(|group_concat\\(|strcmp\\(|left\\(|datadir\\(|greatest\\()", "SQL\u62a5\u9519\u6ce8\u5165\u8fc7\u6ee401", 1]
|
||||
]
|
35
apps/nginx/versions/1.21.4/www/common/waf/test.lua
Normal file
35
apps/nginx/versions/1.21.4/www/common/waf/test.lua
Normal file
@ -0,0 +1,35 @@
|
||||
local cjson = require "cjson"
|
||||
local rulepath = "rules"
|
||||
|
||||
local function read_json(var)
|
||||
file = io.open(rulepath..'/'..var .. '.json',"r")
|
||||
if file==nil then
|
||||
return
|
||||
end
|
||||
str = file:read("*a")
|
||||
file:close()
|
||||
list = cjson.decode(str)
|
||||
return list
|
||||
end
|
||||
|
||||
|
||||
local function select_rules(rules)
|
||||
if not rules then return {} end
|
||||
new_rules = {}
|
||||
for i,v in ipairs(rules) do
|
||||
if v[1] == 1 then
|
||||
print("111")
|
||||
table.insert(new_rules,v[2])
|
||||
end
|
||||
end
|
||||
return new_rules
|
||||
end
|
||||
|
||||
|
||||
|
||||
local rules = select_rules(read_json('user_agent'))
|
||||
|
||||
for _,v in ipairs(rules) do
|
||||
print(v)
|
||||
end
|
||||
|
@ -1,12 +1,3 @@
|
||||
# Redis configuration rewrite by 1Panel
|
||||
timeout 0
|
||||
# maxclients 10000
|
||||
# maxmemory <bytes>
|
||||
save 3600 1 300 100 60 10000
|
||||
appendonly no
|
||||
appendfsync everysec
|
||||
# End Redis configuration rewrite by 1Panel
|
||||
|
||||
# Redis configuration file example.
|
||||
#
|
||||
# Note that in order to read the configuration file, Redis must be
|
||||
@ -41,17 +32,8 @@ appendfsync everysec
|
||||
# If instead you are interested in using includes to override configuration
|
||||
# options, it is better to use include as the last line.
|
||||
#
|
||||
# Included paths may contain wildcards. All files matching the wildcards will
|
||||
# be included in alphabetical order.
|
||||
# Note that if an include path contains a wildcards but no files match it when
|
||||
# the server is started, the include statement will be ignored and no error will
|
||||
# be emitted. It is safe, therefore, to include wildcard files from empty
|
||||
# directories.
|
||||
#
|
||||
# include /path/to/local.conf
|
||||
# include /path/to/other.conf
|
||||
# include /path/to/fragments/*.conf
|
||||
#
|
||||
|
||||
################################## MODULES #####################################
|
||||
|
||||
@ -67,80 +49,42 @@ appendfsync everysec
|
||||
# for connections from all available network interfaces on the host machine.
|
||||
# It is possible to listen to just one or multiple selected interfaces using
|
||||
# the "bind" configuration directive, followed by one or more IP addresses.
|
||||
# Each address can be prefixed by "-", which means that redis will not fail to
|
||||
# start if the address is not available. Being not available only refers to
|
||||
# addresses that does not correspond to any network interface. Addresses that
|
||||
# are already in use will always fail, and unsupported protocols will always BE
|
||||
# silently skipped.
|
||||
#
|
||||
# Examples:
|
||||
#
|
||||
# bind 192.168.1.100 10.0.0.1 # listens on two specific IPv4 addresses
|
||||
# bind 127.0.0.1 ::1 # listens on loopback IPv4 and IPv6
|
||||
# bind * -::* # like the default, all available interfaces
|
||||
# bind 192.168.1.100 10.0.0.1
|
||||
# bind 127.0.0.1 ::1
|
||||
#
|
||||
# ~~~ WARNING ~~~ If the computer running Redis is directly exposed to the
|
||||
# internet, binding to all the interfaces is dangerous and will expose the
|
||||
# instance to everybody on the internet. So by default we uncomment the
|
||||
# following bind directive, that will force Redis to listen only on the
|
||||
# IPv4 and IPv6 (if available) loopback interface addresses (this means Redis
|
||||
# will only be able to accept client connections from the same host that it is
|
||||
# running on).
|
||||
# IPv4 loopback interface address (this means Redis will only be able to
|
||||
# accept client connections from the same host that it is running on).
|
||||
#
|
||||
# IF YOU ARE SURE YOU WANT YOUR INSTANCE TO LISTEN TO ALL THE INTERFACES
|
||||
# COMMENT OUT THE FOLLOWING LINE.
|
||||
#
|
||||
# You will also need to set a password unless you explicitly disable protected
|
||||
# mode.
|
||||
# JUST COMMENT OUT THE FOLLOWING LINE.
|
||||
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
# bind 127.0.0.1 -::1
|
||||
|
||||
# By default, outgoing connections (from replica to master, from Sentinel to
|
||||
# instances, cluster bus, etc.) are not bound to a specific local address. In
|
||||
# most cases, this means the operating system will handle that based on routing
|
||||
# and the interface through which the connection goes out.
|
||||
#
|
||||
# Using bind-source-addr it is possible to configure a specific address to bind
|
||||
# to, which may also affect how the connection gets routed.
|
||||
#
|
||||
# Example:
|
||||
#
|
||||
# bind-source-addr 10.0.0.1
|
||||
bind 0.0.0.0
|
||||
|
||||
# Protected mode is a layer of security protection, in order to avoid that
|
||||
# Redis instances left open on the internet are accessed and exploited.
|
||||
#
|
||||
# When protected mode is on and the default user has no password, the server
|
||||
# only accepts local connections from the IPv4 address (127.0.0.1), IPv6 address
|
||||
# (::1) or Unix domain sockets.
|
||||
# When protected mode is on and if:
|
||||
#
|
||||
# 1) The server is not binding explicitly to a set of addresses using the
|
||||
# "bind" directive.
|
||||
# 2) No password is configured.
|
||||
#
|
||||
# The server only accepts connections from clients connecting from the
|
||||
# IPv4 and IPv6 loopback addresses 127.0.0.1 and ::1, and from Unix domain
|
||||
# sockets.
|
||||
#
|
||||
# By default protected mode is enabled. You should disable it only if
|
||||
# you are sure you want clients from other hosts to connect to Redis
|
||||
# even if no authentication is configured.
|
||||
protected-mode no
|
||||
|
||||
# Redis uses default hardened security configuration directives to reduce the
|
||||
# attack surface on innocent users. Therefore, several sensitive configuration
|
||||
# directives are immutable, and some potentially-dangerous commands are blocked.
|
||||
#
|
||||
# Configuration directives that control files that Redis writes to (e.g., 'dir'
|
||||
# and 'dbfilename') and that aren't usually modified during runtime
|
||||
# are protected by making them immutable.
|
||||
#
|
||||
# Commands that can increase the attack surface of Redis and that aren't usually
|
||||
# called by users are blocked by default.
|
||||
#
|
||||
# These can be exposed to either all connections or just local ones by setting
|
||||
# each of the configs listed below to either of these values:
|
||||
#
|
||||
# no - Block for any connection (remain immutable)
|
||||
# yes - Allow for any connection (no protection)
|
||||
# local - Allow only for local connections. Ones originating from the
|
||||
# IPv4 address (127.0.0.1), IPv6 address (::1) or Unix domain sockets.
|
||||
#
|
||||
# enable-protected-configs no
|
||||
# enable-debug-command no
|
||||
# enable-module-command no
|
||||
# even if no authentication is configured, nor a specific set of interfaces
|
||||
# are explicitly listed using the "bind" directive.
|
||||
protected-mode yes
|
||||
|
||||
# Accept connections on the specified port, default is 6379 (IANA #815344).
|
||||
# If port 0 is specified Redis will not listen on a TCP socket.
|
||||
@ -161,11 +105,11 @@ tcp-backlog 511
|
||||
# incoming connections. There is no default, so Redis will not listen
|
||||
# on a unix socket when not specified.
|
||||
#
|
||||
# unixsocket /run/redis.sock
|
||||
# unixsocket /tmp/redis.sock
|
||||
# unixsocketperm 700
|
||||
|
||||
# Close the connection after a client is idle for N seconds (0 to disable)
|
||||
# timeout 0
|
||||
timeout 0
|
||||
|
||||
# TCP keepalive.
|
||||
#
|
||||
@ -184,16 +128,6 @@ tcp-backlog 511
|
||||
# Redis default starting with Redis 3.2.1.
|
||||
tcp-keepalive 300
|
||||
|
||||
# Apply OS-specific mechanism to mark the listening socket with the specified
|
||||
# ID, to support advanced routing and filtering capabilities.
|
||||
#
|
||||
# On Linux, the ID represents a connection mark.
|
||||
# On FreeBSD, the ID represents a socket cookie ID.
|
||||
# On OpenBSD, the ID represents a route table ID.
|
||||
#
|
||||
# The default value is 0, which implies no marking is required.
|
||||
# socket-mark-id 0
|
||||
|
||||
################################# TLS/SSL #####################################
|
||||
|
||||
# By default, TLS/SSL is disabled. To enable it, the "tls-port" configuration
|
||||
@ -209,32 +143,8 @@ tcp-keepalive 300
|
||||
#
|
||||
# tls-cert-file redis.crt
|
||||
# tls-key-file redis.key
|
||||
#
|
||||
# If the key file is encrypted using a passphrase, it can be included here
|
||||
# as well.
|
||||
#
|
||||
# tls-key-file-pass secret
|
||||
|
||||
# Normally Redis uses the same certificate for both server functions (accepting
|
||||
# connections) and client functions (replicating from a master, establishing
|
||||
# cluster bus connections, etc.).
|
||||
#
|
||||
# Sometimes certificates are issued with attributes that designate them as
|
||||
# client-only or server-only certificates. In that case it may be desired to use
|
||||
# different certificates for incoming (server) and outgoing (client)
|
||||
# connections. To do that, use the following directives:
|
||||
#
|
||||
# tls-client-cert-file client.crt
|
||||
# tls-client-key-file client.key
|
||||
#
|
||||
# If the key file is encrypted using a passphrase, it can be included here
|
||||
# as well.
|
||||
#
|
||||
# tls-client-key-file-pass secret
|
||||
|
||||
# Configure a DH parameters file to enable Diffie-Hellman (DH) key exchange,
|
||||
# required by older versions of OpenSSL (<3.0). Newer versions do not require
|
||||
# this configuration and recommend against it.
|
||||
# Configure a DH parameters file to enable Diffie-Hellman (DH) key exchange:
|
||||
#
|
||||
# tls-dh-params-file redis.dh
|
||||
|
||||
@ -267,12 +177,9 @@ tcp-keepalive 300
|
||||
#
|
||||
# tls-cluster yes
|
||||
|
||||
# By default, only TLSv1.2 and TLSv1.3 are enabled and it is highly recommended
|
||||
# that older formally deprecated versions are kept disabled to reduce the attack surface.
|
||||
# You can explicitly specify TLS versions to support.
|
||||
# Allowed values are case insensitive and include "TLSv1", "TLSv1.1", "TLSv1.2",
|
||||
# "TLSv1.3" (OpenSSL >= 1.1.1) or any combination.
|
||||
# To enable only TLSv1.2 and TLSv1.3, use:
|
||||
# Explicitly specify TLS versions to support. Allowed values are case insensitive
|
||||
# and include "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3" (OpenSSL >= 1.1.1) or
|
||||
# any combination. To enable only TLSv1.2 and TLSv1.3, use:
|
||||
#
|
||||
# tls-protocols "TLSv1.2 TLSv1.3"
|
||||
|
||||
@ -314,7 +221,6 @@ tcp-keepalive 300
|
||||
|
||||
# By default Redis does not run as a daemon. Use 'yes' if you need it.
|
||||
# Note that Redis will write a pid file in /var/run/redis.pid when daemonized.
|
||||
# When Redis is supervised by upstart or systemd, this parameter has no impact.
|
||||
daemonize no
|
||||
|
||||
# If you run Redis from upstart or systemd, Redis can interact with your
|
||||
@ -323,17 +229,11 @@ daemonize no
|
||||
# supervised upstart - signal upstart by putting Redis into SIGSTOP mode
|
||||
# requires "expect stop" in your upstart job config
|
||||
# supervised systemd - signal systemd by writing READY=1 to $NOTIFY_SOCKET
|
||||
# on startup, and updating Redis status on a regular
|
||||
# basis.
|
||||
# supervised auto - detect upstart or systemd method based on
|
||||
# UPSTART_JOB or NOTIFY_SOCKET environment variables
|
||||
# Note: these supervision methods only signal "process is ready."
|
||||
# They do not enable continuous pings back to your supervisor.
|
||||
#
|
||||
# The default is "no". To run under upstart/systemd, you can simply uncomment
|
||||
# the line below:
|
||||
#
|
||||
# supervised auto
|
||||
supervised no
|
||||
|
||||
# If a pid file is specified, Redis writes it where specified at startup
|
||||
# and removes it at exit.
|
||||
@ -344,10 +244,7 @@ daemonize no
|
||||
#
|
||||
# Creating a pid file is best effort: if Redis is not able to create it
|
||||
# nothing bad happens, the server will start and run normally.
|
||||
#
|
||||
# Note that on modern Linux systems "/run/redis.pid" is more conforming
|
||||
# and should be used instead.
|
||||
pidfile "/var/run/redis_6379.pid"
|
||||
pidfile /var/run/redis_6379.pid
|
||||
|
||||
# Specify the server verbosity level.
|
||||
# This can be one of:
|
||||
@ -372,74 +269,44 @@ logfile ""
|
||||
# Specify the syslog facility. Must be USER or between LOCAL0-LOCAL7.
|
||||
# syslog-facility local0
|
||||
|
||||
# To disable the built in crash log, which will possibly produce cleaner core
|
||||
# dumps when they are needed, uncomment the following:
|
||||
#
|
||||
# crash-log-enabled no
|
||||
|
||||
# To disable the fast memory check that's run as part of the crash log, which
|
||||
# will possibly let redis terminate sooner, uncomment the following:
|
||||
#
|
||||
# crash-memcheck-enabled no
|
||||
|
||||
# Set the number of databases. The default database is DB 0, you can select
|
||||
# a different one on a per-connection basis using SELECT <dbid> where
|
||||
# dbid is a number between 0 and 'databases'-1
|
||||
databases 16
|
||||
|
||||
# By default Redis shows an ASCII art logo only when started to log to the
|
||||
# standard output and if the standard output is a TTY and syslog logging is
|
||||
# disabled. Basically this means that normally a logo is displayed only in
|
||||
# interactive sessions.
|
||||
# standard output and if the standard output is a TTY. Basically this means
|
||||
# that normally a logo is displayed only in interactive sessions.
|
||||
#
|
||||
# However it is possible to force the pre-4.0 behavior and always show a
|
||||
# ASCII art logo in startup logs by setting the following option to yes.
|
||||
always-show-logo no
|
||||
|
||||
# By default, Redis modifies the process title (as seen in 'top' and 'ps') to
|
||||
# provide some runtime information. It is possible to disable this and leave
|
||||
# the process name as executed by setting the following to no.
|
||||
set-proc-title yes
|
||||
|
||||
# When changing the process title, Redis uses the following template to construct
|
||||
# the modified title.
|
||||
#
|
||||
# Template variables are specified in curly brackets. The following variables are
|
||||
# supported:
|
||||
#
|
||||
# {title} Name of process as executed if parent, or type of child process.
|
||||
# {listen-addr} Bind address or '*' followed by TCP or TLS port listening on, or
|
||||
# Unix socket if only that's available.
|
||||
# {server-mode} Special mode, i.e. "[sentinel]" or "[cluster]".
|
||||
# {port} TCP port listening on, or 0.
|
||||
# {tls-port} TLS port listening on, or 0.
|
||||
# {unixsocket} Unix domain socket listening on, or "".
|
||||
# {config-file} Name of configuration file used.
|
||||
#
|
||||
proc-title-template "{title} {listen-addr} {server-mode}"
|
||||
always-show-logo yes
|
||||
|
||||
################################ SNAPSHOTTING ################################
|
||||
#
|
||||
# Save the DB on disk:
|
||||
#
|
||||
# save <seconds> <changes>
|
||||
#
|
||||
# Will save the DB if both the given number of seconds and the given
|
||||
# number of write operations against the DB occurred.
|
||||
#
|
||||
# In the example below the behavior will be to save:
|
||||
# after 900 sec (15 min) if at least 1 key changed
|
||||
# after 300 sec (5 min) if at least 10 keys changed
|
||||
# after 60 sec if at least 10000 keys changed
|
||||
#
|
||||
# Note: you can disable saving completely by commenting out all "save" lines.
|
||||
#
|
||||
# It is also possible to remove all the previously configured save
|
||||
# points by adding a save directive with a single empty string argument
|
||||
# like in the following example:
|
||||
#
|
||||
# save ""
|
||||
|
||||
# Save the DB to disk.
|
||||
#
|
||||
# save <seconds> <changes> [<seconds> <changes> ...]
|
||||
#
|
||||
# Redis will save the DB if the given number of seconds elapsed and it
|
||||
# surpassed the given number of write operations against the DB.
|
||||
#
|
||||
# Snapshotting can be completely disabled with a single empty string argument
|
||||
# as in following example:
|
||||
#
|
||||
# save ""
|
||||
#
|
||||
# Unless specified otherwise, by default Redis will save the DB:
|
||||
# * After 3600 seconds (an hour) if at least 1 change was performed
|
||||
# * After 300 seconds (5 minutes) if at least 100 changes were performed
|
||||
# * After 60 seconds if at least 10000 changes were performed
|
||||
#
|
||||
# You can set these explicitly by uncommenting the following line.
|
||||
#
|
||||
# save 3600 1 300 100 60 10000
|
||||
save 900 1
|
||||
save 300 10
|
||||
save 60 10000
|
||||
|
||||
# By default Redis will stop accepting writes if RDB snapshots are enabled
|
||||
# (at least one save point) and the latest background save failed.
|
||||
@ -471,23 +338,8 @@ rdbcompression yes
|
||||
# tell the loading code to skip the check.
|
||||
rdbchecksum yes
|
||||
|
||||
# Enables or disables full sanitization checks for ziplist and listpack etc when
|
||||
# loading an RDB or RESTORE payload. This reduces the chances of a assertion or
|
||||
# crash later on while processing commands.
|
||||
# Options:
|
||||
# no - Never perform full sanitization
|
||||
# yes - Always perform full sanitization
|
||||
# clients - Perform full sanitization only for user connections.
|
||||
# Excludes: RDB files, RESTORE commands received from the master
|
||||
# connection, and client connections which have the
|
||||
# skip-sanitize-payload ACL flag.
|
||||
# The default should be 'clients' but since it currently affects cluster
|
||||
# resharding via MIGRATE, it is temporarily set to 'no' by default.
|
||||
#
|
||||
# sanitize-dump-payload no
|
||||
|
||||
# The filename where to dump the DB
|
||||
dbfilename "dump.rdb"
|
||||
dbfilename dump.rdb
|
||||
|
||||
# Remove RDB files used by replication in instances without persistence
|
||||
# enabled. By default this option is disabled, however there are environments
|
||||
@ -510,7 +362,7 @@ rdb-del-sync-files no
|
||||
# The Append Only File will also be created inside this directory.
|
||||
#
|
||||
# Note that you must specify a directory here, not a file name.
|
||||
dir "/data"
|
||||
dir ./
|
||||
|
||||
################################# REPLICATION #################################
|
||||
|
||||
@ -560,10 +412,9 @@ dir "/data"
|
||||
# still reply to client requests, possibly with out of date data, or the
|
||||
# data set may just be empty if this is the first synchronization.
|
||||
#
|
||||
# 2) If replica-serve-stale-data is set to 'no' the replica will reply with error
|
||||
# "MASTERDOWN Link with MASTER is down and replica-serve-stale-data is set to 'no'"
|
||||
# to all data access commands, excluding commands such as:
|
||||
# INFO, REPLICAOF, AUTH, SHUTDOWN, REPLCONF, ROLE, CONFIG, SUBSCRIBE,
|
||||
# 2) If replica-serve-stale-data is set to 'no' the replica will reply with
|
||||
# an error "SYNC with master in progress" to all commands except:
|
||||
# INFO, REPLICAOF, AUTH, PING, SHUTDOWN, REPLCONF, ROLE, CONFIG, SUBSCRIBE,
|
||||
# UNSUBSCRIBE, PSUBSCRIBE, PUNSUBSCRIBE, PUBLISH, PUBSUB, COMMAND, POST,
|
||||
# HOST and LATENCY.
|
||||
#
|
||||
@ -612,7 +463,7 @@ replica-read-only yes
|
||||
#
|
||||
# With slow disks and fast (large bandwidth) networks, diskless replication
|
||||
# works better.
|
||||
repl-diskless-sync yes
|
||||
repl-diskless-sync no
|
||||
|
||||
# When diskless replication is enabled, it is possible to configure the delay
|
||||
# the server waits in order to spawn the child that transfers the RDB via socket
|
||||
@ -626,18 +477,12 @@ repl-diskless-sync yes
|
||||
# it entirely just set it to 0 seconds and the transfer will start ASAP.
|
||||
repl-diskless-sync-delay 5
|
||||
|
||||
# When diskless replication is enabled with a delay, it is possible to let
|
||||
# the replication start before the maximum delay is reached if the maximum
|
||||
# number of replicas expected have connected. Default of 0 means that the
|
||||
# maximum is not defined and Redis will wait the full delay.
|
||||
repl-diskless-sync-max-replicas 0
|
||||
|
||||
# -----------------------------------------------------------------------------
|
||||
# WARNING: RDB diskless load is experimental. Since in this setup the replica
|
||||
# does not immediately store an RDB on disk, it may cause data loss during
|
||||
# failovers. RDB diskless load + Redis modules not handling I/O reads may also
|
||||
# cause Redis to abort in case of I/O errors during the initial synchronization
|
||||
# stage with the master. Use only if you know what you are doing.
|
||||
# stage with the master. Use only if your do what you are doing.
|
||||
# -----------------------------------------------------------------------------
|
||||
#
|
||||
# Replica can load the RDB it reads from the replication link directly from the
|
||||
@ -646,23 +491,19 @@ repl-diskless-sync-max-replicas 0
|
||||
#
|
||||
# In many cases the disk is slower than the network, and storing and loading
|
||||
# the RDB file may increase replication time (and even increase the master's
|
||||
# Copy on Write memory and replica buffers).
|
||||
# Copy on Write memory and salve buffers).
|
||||
# However, parsing the RDB file directly from the socket may mean that we have
|
||||
# to flush the contents of the current database before the full rdb was
|
||||
# received. For this reason we have the following options:
|
||||
#
|
||||
# "disabled" - Don't use diskless load (store the rdb file to the disk first)
|
||||
# "on-empty-db" - Use diskless load only when it is completely safe.
|
||||
# "swapdb" - Keep current db contents in RAM while parsing the data directly
|
||||
# from the socket. Replicas in this mode can keep serving current
|
||||
# data set while replication is in progress, except for cases where
|
||||
# they can't recognize master as having a data set from same
|
||||
# replication history.
|
||||
# Note that this requires sufficient memory, if you don't have it,
|
||||
# you risk an OOM kill.
|
||||
# "swapdb" - Keep a copy of the current db contents in RAM while parsing
|
||||
# the data directly from the socket. note that this requires
|
||||
# sufficient memory, if you don't have it, you risk an OOM kill.
|
||||
repl-diskless-load disabled
|
||||
|
||||
# Master send PINGs to its replicas in a predefined interval. It's possible to
|
||||
# Replicas send PINGs to server in a predefined interval. It's possible to
|
||||
# change this interval with the repl_ping_replica_period option. The default
|
||||
# value is 10 seconds.
|
||||
#
|
||||
@ -737,43 +578,6 @@ repl-disable-tcp-nodelay no
|
||||
# By default the priority is 100.
|
||||
replica-priority 100
|
||||
|
||||
# The propagation error behavior controls how Redis will behave when it is
|
||||
# unable to handle a command being processed in the replication stream from a master
|
||||
# or processed while reading from an AOF file. Errors that occur during propagation
|
||||
# are unexpected, and can cause data inconsistency. However, there are edge cases
|
||||
# in earlier versions of Redis where it was possible for the server to replicate or persist
|
||||
# commands that would fail on future versions. For this reason the default behavior
|
||||
# is to ignore such errors and continue processing commands.
|
||||
#
|
||||
# If an application wants to ensure there is no data divergence, this configuration
|
||||
# should be set to 'panic' instead. The value can also be set to 'panic-on-replicas'
|
||||
# to only panic when a replica encounters an error on the replication stream. One of
|
||||
# these two panic values will become the default value in the future once there are
|
||||
# sufficient safety mechanisms in place to prevent false positive crashes.
|
||||
#
|
||||
# propagation-error-behavior ignore
|
||||
|
||||
# Replica ignore disk write errors controls the behavior of a replica when it is
|
||||
# unable to persist a write command received from its master to disk. By default,
|
||||
# this configuration is set to 'no' and will crash the replica in this condition.
|
||||
# It is not recommended to change this default, however in order to be compatible
|
||||
# with older versions of Redis this config can be toggled to 'yes' which will just
|
||||
# log a warning and execute the write command it got from the master.
|
||||
#
|
||||
# replica-ignore-disk-write-errors no
|
||||
|
||||
# -----------------------------------------------------------------------------
|
||||
# By default, Redis Sentinel includes all replicas in its reports. A replica
|
||||
# can be excluded from Redis Sentinel's announcements. An unannounced replica
|
||||
# will be ignored by the 'sentinel replicas <master>' command and won't be
|
||||
# exposed to Redis Sentinel's clients.
|
||||
#
|
||||
# This option does not change the behavior of replica-priority. Even with
|
||||
# replica-announced set to 'no', the replica can be promoted to master. To
|
||||
# prevent this behavior, set replica-priority to 0.
|
||||
#
|
||||
# replica-announced yes
|
||||
|
||||
# It is possible for a master to stop accepting writes if there are less than
|
||||
# N replicas connected, having a lag less or equal than M seconds.
|
||||
#
|
||||
@ -829,7 +633,7 @@ replica-priority 100
|
||||
|
||||
# Redis implements server assisted support for client side caching of values.
|
||||
# This is implemented using an invalidation table that remembers, using
|
||||
# a radix key indexed by key name, what clients have which keys. In turn
|
||||
# 16 millions of slots, what clients may have certain subsets of keys. In turn
|
||||
# this is used in order to send invalidation messages to clients. Please
|
||||
# check this page to understand more about the feature:
|
||||
#
|
||||
@ -893,12 +697,8 @@ replica-priority 100
|
||||
# off Disable the user: it's no longer possible to authenticate
|
||||
# with this user, however the already authenticated connections
|
||||
# will still work.
|
||||
# skip-sanitize-payload RESTORE dump-payload sanitization is skipped.
|
||||
# sanitize-payload RESTORE dump-payload is sanitized (default).
|
||||
# +<command> Allow the execution of that command.
|
||||
# May be used with `|` for allowing subcommands (e.g "+config|get")
|
||||
# -<command> Disallow the execution of that command.
|
||||
# May be used with `|` for blocking subcommands (e.g "-config|set")
|
||||
# +<command> Allow the execution of that command
|
||||
# -<command> Disallow the execution of that command
|
||||
# +@<category> Allow the execution of all the commands in such category
|
||||
# with valid categories are like @admin, @set, @sortedset, ...
|
||||
# and so forth, see the full list in the server.c file where
|
||||
@ -906,11 +706,10 @@ replica-priority 100
|
||||
# The special category @all means all the commands, but currently
|
||||
# present in the server, and that will be loaded in the future
|
||||
# via modules.
|
||||
# +<command>|first-arg Allow a specific first argument of an otherwise
|
||||
# disabled command. It is only supported on commands with
|
||||
# no sub-commands, and is not allowed as negative form
|
||||
# like -SELECT|1, only additive starting with "+". This
|
||||
# feature is deprecated and may be removed in the future.
|
||||
# +<command>|subcommand Allow a specific subcommand of an otherwise
|
||||
# disabled command. Note that this form is not
|
||||
# allowed as negative like -DEBUG|SEGFAULT, but
|
||||
# only additive starting with "+".
|
||||
# allcommands Alias for +@all. Note that it implies the ability to execute
|
||||
# all the future commands loaded via the modules system.
|
||||
# nocommands Alias for -@all.
|
||||
@ -918,17 +717,8 @@ replica-priority 100
|
||||
# commands. For instance ~* allows all the keys. The pattern
|
||||
# is a glob-style pattern like the one of KEYS.
|
||||
# It is possible to specify multiple patterns.
|
||||
# %R~<pattern> Add key read pattern that specifies which keys can be read
|
||||
# from.
|
||||
# %W~<pattern> Add key write pattern that specifies which keys can be
|
||||
# written to.
|
||||
# allkeys Alias for ~*
|
||||
# resetkeys Flush the list of allowed keys patterns.
|
||||
# &<pattern> Add a glob-style pattern of Pub/Sub channels that can be
|
||||
# accessed by the user. It is possible to specify multiple channel
|
||||
# patterns.
|
||||
# allchannels Alias for &*
|
||||
# resetchannels Flush the list of allowed channel patterns.
|
||||
# ><password> Add this password to the list of valid password for the user.
|
||||
# For example >mypass will add "mypass" to the list.
|
||||
# This directive clears the "nopass" flag (see later).
|
||||
@ -947,14 +737,6 @@ replica-priority 100
|
||||
# reset Performs the following actions: resetpass, resetkeys, off,
|
||||
# -@all. The user returns to the same state it has immediately
|
||||
# after its creation.
|
||||
# (<options>) Create a new selector with the options specified within the
|
||||
# parentheses and attach it to the user. Each option should be
|
||||
# space separated. The first character must be ( and the last
|
||||
# character must be ).
|
||||
# clearselectors Remove all of the currently attached selectors.
|
||||
# Note this does not change the "root" user permissions,
|
||||
# which are the permissions directly applied onto the
|
||||
# user (outside the parentheses).
|
||||
#
|
||||
# ACL rules can be specified in any order: for instance you can start with
|
||||
# passwords, then flags, or key patterns. However note that the additive
|
||||
@ -976,40 +758,6 @@ replica-priority 100
|
||||
#
|
||||
# Basically ACL rules are processed left-to-right.
|
||||
#
|
||||
# The following is a list of command categories and their meanings:
|
||||
# * keyspace - Writing or reading from keys, databases, or their metadata
|
||||
# in a type agnostic way. Includes DEL, RESTORE, DUMP, RENAME, EXISTS, DBSIZE,
|
||||
# KEYS, EXPIRE, TTL, FLUSHALL, etc. Commands that may modify the keyspace,
|
||||
# key or metadata will also have `write` category. Commands that only read
|
||||
# the keyspace, key or metadata will have the `read` category.
|
||||
# * read - Reading from keys (values or metadata). Note that commands that don't
|
||||
# interact with keys, will not have either `read` or `write`.
|
||||
# * write - Writing to keys (values or metadata)
|
||||
# * admin - Administrative commands. Normal applications will never need to use
|
||||
# these. Includes REPLICAOF, CONFIG, DEBUG, SAVE, MONITOR, ACL, SHUTDOWN, etc.
|
||||
# * dangerous - Potentially dangerous (each should be considered with care for
|
||||
# various reasons). This includes FLUSHALL, MIGRATE, RESTORE, SORT, KEYS,
|
||||
# CLIENT, DEBUG, INFO, CONFIG, SAVE, REPLICAOF, etc.
|
||||
# * connection - Commands affecting the connection or other connections.
|
||||
# This includes AUTH, SELECT, COMMAND, CLIENT, ECHO, PING, etc.
|
||||
# * blocking - Potentially blocking the connection until released by another
|
||||
# command.
|
||||
# * fast - Fast O(1) commands. May loop on the number of arguments, but not the
|
||||
# number of elements in the key.
|
||||
# * slow - All commands that are not Fast.
|
||||
# * pubsub - PUBLISH / SUBSCRIBE related
|
||||
# * transaction - WATCH / MULTI / EXEC related commands.
|
||||
# * scripting - Scripting related.
|
||||
# * set - Data type: sets related.
|
||||
# * sortedset - Data type: zsets related.
|
||||
# * list - Data type: lists related.
|
||||
# * hash - Data type: hashes related.
|
||||
# * string - Data type: strings related.
|
||||
# * bitmap - Data type: bitmaps related.
|
||||
# * hyperloglog - Data type: hyperloglog related.
|
||||
# * geo - Data type: geo related.
|
||||
# * stream - Data type: streams related.
|
||||
#
|
||||
# For more information about ACL configuration please refer to
|
||||
# the Redis web site at https://redis.io/topics/acl
|
||||
|
||||
@ -1039,24 +787,8 @@ acllog-max-len 128
|
||||
# AUTH <password> as usually, or more explicitly with AUTH default <password>
|
||||
# if they follow the new protocol: both will work.
|
||||
#
|
||||
# The requirepass is not compatible with aclfile option and the ACL LOAD
|
||||
# command, these will cause requirepass to be ignored.
|
||||
#
|
||||
# requirepass foobared
|
||||
|
||||
# New users are initialized with restrictive permissions by default, via the
|
||||
# equivalent of this ACL rule 'off resetkeys -@all'. Starting with Redis 6.2, it
|
||||
# is possible to manage access to Pub/Sub channels with ACL rules as well. The
|
||||
# default Pub/Sub channels permission if new users is controlled by the
|
||||
# acl-pubsub-default configuration directive, which accepts one of these values:
|
||||
#
|
||||
# allchannels: grants access to all Pub/Sub channels
|
||||
# resetchannels: revokes access to all Pub/Sub channels
|
||||
#
|
||||
# From Redis 7.0, acl-pubsub-default defaults to 'resetchannels' permission.
|
||||
#
|
||||
# acl-pubsub-default resetchannels
|
||||
|
||||
# Command renaming (DEPRECATED).
|
||||
#
|
||||
# ------------------------------------------------------------------------
|
||||
@ -1145,12 +877,14 @@ acllog-max-len 128
|
||||
# Both LRU, LFU and volatile-ttl are implemented using approximated
|
||||
# randomized algorithms.
|
||||
#
|
||||
# Note: with any of the above policies, when there are no suitable keys for
|
||||
# eviction, Redis will return an error on write operations that require
|
||||
# more memory. These are usually commands that create new keys, add data or
|
||||
# modify existing keys. A few examples are: SET, INCR, HSET, LPUSH, SUNIONSTORE,
|
||||
# SORT (due to the STORE argument), and EXEC (if the transaction includes any
|
||||
# command that requires memory).
|
||||
# Note: with any of the above policies, Redis will return an error on write
|
||||
# operations, when there are no suitable keys for eviction.
|
||||
#
|
||||
# At the date of writing these commands are: set setnx setex append
|
||||
# incr decr rpush lpush rpushx lpushx linsert lset rpoplpush sadd
|
||||
# sinter sinterstore sunion sunionstore sdiff sdiffstore zadd zincrby
|
||||
# zunionstore zinterstore hset hsetnx hmset hincrby incrby decrby
|
||||
# getset mset msetnx exec sort
|
||||
#
|
||||
# The default is:
|
||||
#
|
||||
@ -1167,14 +901,6 @@ acllog-max-len 128
|
||||
#
|
||||
# maxmemory-samples 5
|
||||
|
||||
# Eviction processing is designed to function well with the default setting.
|
||||
# If there is an unusually large amount of write traffic, this value may need to
|
||||
# be increased. Decreasing this value may reduce latency at the risk of
|
||||
# eviction processing effectiveness
|
||||
# 0 = minimum latency, 10 = default, 100 = process without regard to latency
|
||||
#
|
||||
# maxmemory-eviction-tenacity 10
|
||||
|
||||
# Starting from Redis 5, by default a replica will ignore its maxmemory setting
|
||||
# (unless it is promoted to master after a failover or manually). It means
|
||||
# that the eviction of keys will be just handled by the master, sending the
|
||||
@ -1268,13 +994,6 @@ replica-lazy-flush no
|
||||
|
||||
lazyfree-lazy-user-del no
|
||||
|
||||
# FLUSHDB, FLUSHALL, SCRIPT FLUSH and FUNCTION FLUSH support both asynchronous and synchronous
|
||||
# deletion, which can be controlled by passing the [SYNC|ASYNC] flags into the
|
||||
# commands. When neither flag is passed, this directive will be used to determine
|
||||
# if the data should be deleted asynchronously.
|
||||
|
||||
lazyfree-lazy-user-flush no
|
||||
|
||||
################################ THREADED I/O #################################
|
||||
|
||||
# Redis is mostly single threaded, however there are certain threaded
|
||||
@ -1313,7 +1032,7 @@ lazyfree-lazy-user-flush no
|
||||
# Usually threading reads doesn't help much.
|
||||
#
|
||||
# NOTE 1: This configuration directive cannot be changed at runtime via
|
||||
# CONFIG SET. Also, this feature currently does not work when SSL is
|
||||
# CONFIG SET. Aso this feature currently does not work when SSL is
|
||||
# enabled.
|
||||
#
|
||||
# NOTE 2: If you want to test the Redis speedup using redis-benchmark, make
|
||||
@ -1331,7 +1050,7 @@ lazyfree-lazy-user-flush no
|
||||
# attempt to have background child processes killed before all others, and
|
||||
# replicas killed before masters.
|
||||
#
|
||||
# Redis supports these options:
|
||||
# Redis supports three options:
|
||||
#
|
||||
# no: Don't make changes to oom-score-adj (default).
|
||||
# yes: Alias to "relative" see below.
|
||||
@ -1352,18 +1071,6 @@ oom-score-adj no
|
||||
# oom-score-adj-values to positive values will always succeed.
|
||||
oom-score-adj-values 0 200 800
|
||||
|
||||
#################### KERNEL transparent hugepage CONTROL ######################
|
||||
|
||||
# Usually the kernel Transparent Huge Pages control is set to "madvise" or
|
||||
# or "never" by default (/sys/kernel/mm/transparent_hugepage/enabled), in which
|
||||
# case this config has no effect. On systems in which it is set to "always",
|
||||
# redis will attempt to disable it specifically for the redis process in order
|
||||
# to avoid latency problems specifically with fork(2) and CoW.
|
||||
# If for some reason you prefer to keep it enabled, you can set this config to
|
||||
# "no" and the kernel global to "always".
|
||||
|
||||
disable-thp yes
|
||||
|
||||
############################## APPEND ONLY MODE ###############################
|
||||
|
||||
# By default Redis asynchronously dumps the dataset on disk. This mode is
|
||||
@ -1382,43 +1089,14 @@ disable-thp yes
|
||||
# If the AOF is enabled on startup Redis will load the AOF, that is the file
|
||||
# with the better durability guarantees.
|
||||
#
|
||||
# Please check https://redis.io/topics/persistence for more information.
|
||||
# Please check http://redis.io/topics/persistence for more information.
|
||||
|
||||
# appendonly no
|
||||
appendonly no
|
||||
|
||||
# The base name of the append only file.
|
||||
#
|
||||
# Redis 7 and newer use a set of append-only files to persist the dataset
|
||||
# and changes applied to it. There are two basic types of files in use:
|
||||
#
|
||||
# - Base files, which are a snapshot representing the complete state of the
|
||||
# dataset at the time the file was created. Base files can be either in
|
||||
# the form of RDB (binary serialized) or AOF (textual commands).
|
||||
# - Incremental files, which contain additional commands that were applied
|
||||
# to the dataset following the previous file.
|
||||
#
|
||||
# In addition, manifest files are used to track the files and the order in
|
||||
# which they were created and should be applied.
|
||||
#
|
||||
# Append-only file names are created by Redis following a specific pattern.
|
||||
# The file name's prefix is based on the 'appendfilename' configuration
|
||||
# parameter, followed by additional information about the sequence and type.
|
||||
#
|
||||
# For example, if appendfilename is set to appendonly.aof, the following file
|
||||
# names could be derived:
|
||||
#
|
||||
# - appendonly.aof.1.base.rdb as a base file.
|
||||
# - appendonly.aof.1.incr.aof, appendonly.aof.2.incr.aof as incremental files.
|
||||
# - appendonly.aof.manifest as a manifest file.
|
||||
# The name of the append only file (default: "appendonly.aof")
|
||||
|
||||
appendfilename "appendonly.aof"
|
||||
|
||||
# For convenience, Redis stores all persistent append-only files in a dedicated
|
||||
# directory. The name of the directory is determined by the appenddirname
|
||||
# configuration parameter.
|
||||
|
||||
appenddirname "appendonlydir"
|
||||
|
||||
# The fsync() call tells the Operating System to actually write data on disk
|
||||
# instead of waiting for more data in the output buffer. Some OS will really flush
|
||||
# data on disk, some other OS will just try to do it ASAP.
|
||||
@ -1443,7 +1121,7 @@ appenddirname "appendonlydir"
|
||||
# If unsure, use "everysec".
|
||||
|
||||
# appendfsync always
|
||||
# appendfsync everysec
|
||||
appendfsync everysec
|
||||
# appendfsync no
|
||||
|
||||
# When the AOF fsync policy is set to always or everysec, and a background
|
||||
@ -1458,7 +1136,7 @@ appenddirname "appendonlydir"
|
||||
# BGSAVE or BGREWRITEAOF is in progress.
|
||||
#
|
||||
# This means that while another child is saving, the durability of Redis is
|
||||
# the same as "appendfsync no". In practical terms, this means that it is
|
||||
# the same as "appendfsync none". In practical terms, this means that it is
|
||||
# possible to lose up to 30 seconds of log in the worst scenario (with the
|
||||
# default Linux settings).
|
||||
#
|
||||
@ -1511,69 +1189,34 @@ auto-aof-rewrite-min-size 64mb
|
||||
# will be found.
|
||||
aof-load-truncated yes
|
||||
|
||||
# Redis can create append-only base files in either RDB or AOF formats. Using
|
||||
# the RDB format is always faster and more efficient, and disabling it is only
|
||||
# supported for backward compatibility purposes.
|
||||
# When rewriting the AOF file, Redis is able to use an RDB preamble in the
|
||||
# AOF file for faster rewrites and recoveries. When this option is turned
|
||||
# on the rewritten AOF file is composed of two different stanzas:
|
||||
#
|
||||
# [RDB file][AOF tail]
|
||||
#
|
||||
# When loading, Redis recognizes that the AOF file starts with the "REDIS"
|
||||
# string and loads the prefixed RDB file, then continues loading the AOF
|
||||
# tail.
|
||||
aof-use-rdb-preamble yes
|
||||
|
||||
# Redis supports recording timestamp annotations in the AOF to support restoring
|
||||
# the data from a specific point-in-time. However, using this capability changes
|
||||
# the AOF format in a way that may not be compatible with existing AOF parsers.
|
||||
aof-timestamp-enabled no
|
||||
################################ LUA SCRIPTING ###############################
|
||||
|
||||
################################ SHUTDOWN #####################################
|
||||
|
||||
# Maximum time to wait for replicas when shutting down, in seconds.
|
||||
# Max execution time of a Lua script in milliseconds.
|
||||
#
|
||||
# During shut down, a grace period allows any lagging replicas to catch up with
|
||||
# the latest replication offset before the master exists. This period can
|
||||
# prevent data loss, especially for deployments without configured disk backups.
|
||||
# If the maximum execution time is reached Redis will log that a script is
|
||||
# still in execution after the maximum allowed time and will start to
|
||||
# reply to queries with an error.
|
||||
#
|
||||
# The 'shutdown-timeout' value is the grace period's duration in seconds. It is
|
||||
# only applicable when the instance has replicas. To disable the feature, set
|
||||
# the value to 0.
|
||||
# When a long running script exceeds the maximum execution time only the
|
||||
# SCRIPT KILL and SHUTDOWN NOSAVE commands are available. The first can be
|
||||
# used to stop a script that did not yet call any write commands. The second
|
||||
# is the only way to shut down the server in the case a write command was
|
||||
# already issued by the script but the user doesn't want to wait for the natural
|
||||
# termination of the script.
|
||||
#
|
||||
# shutdown-timeout 10
|
||||
|
||||
# When Redis receives a SIGINT or SIGTERM, shutdown is initiated and by default
|
||||
# an RDB snapshot is written to disk in a blocking operation if save points are configured.
|
||||
# The options used on signaled shutdown can include the following values:
|
||||
# default: Saves RDB snapshot only if save points are configured.
|
||||
# Waits for lagging replicas to catch up.
|
||||
# save: Forces a DB saving operation even if no save points are configured.
|
||||
# nosave: Prevents DB saving operation even if one or more save points are configured.
|
||||
# now: Skips waiting for lagging replicas.
|
||||
# force: Ignores any errors that would normally prevent the server from exiting.
|
||||
#
|
||||
# Any combination of values is allowed as long as "save" and "nosave" are not set simultaneously.
|
||||
# Example: "nosave force now"
|
||||
#
|
||||
# shutdown-on-sigint default
|
||||
# shutdown-on-sigterm default
|
||||
|
||||
################ NON-DETERMINISTIC LONG BLOCKING COMMANDS #####################
|
||||
|
||||
# Maximum time in milliseconds for EVAL scripts, functions and in some cases
|
||||
# modules' commands before Redis can start processing or rejecting other clients.
|
||||
#
|
||||
# If the maximum execution time is reached Redis will start to reply to most
|
||||
# commands with a BUSY error.
|
||||
#
|
||||
# In this state Redis will only allow a handful of commands to be executed.
|
||||
# For instance, SCRIPT KILL, FUNCTION KILL, SHUTDOWN NOSAVE and possibly some
|
||||
# module specific 'allow-busy' commands.
|
||||
#
|
||||
# SCRIPT KILL and FUNCTION KILL will only be able to stop a script that did not
|
||||
# yet call any write commands, so SHUTDOWN NOSAVE may be the only way to stop
|
||||
# the server in the case a write command was already issued by the script when
|
||||
# the user doesn't want to wait for the natural termination of the script.
|
||||
#
|
||||
# The default is 5 seconds. It is possible to set it to 0 or a negative value
|
||||
# to disable this mechanism (uninterrupted execution). Note that in the past
|
||||
# this config had a different name, which is now an alias, so both of these do
|
||||
# the same:
|
||||
# lua-time-limit 5000
|
||||
# busy-reply-threshold 5000
|
||||
# Set it to 0 or a negative value for unlimited execution without warnings.
|
||||
lua-time-limit 5000
|
||||
|
||||
################################ REDIS CLUSTER ###############################
|
||||
|
||||
@ -1597,11 +1240,6 @@ aof-timestamp-enabled no
|
||||
#
|
||||
# cluster-node-timeout 15000
|
||||
|
||||
# The cluster port is the port that the cluster bus will listen for inbound connections on. When set
|
||||
# to the default value, 0, it will be bound to the command port + 10000. Setting this value requires
|
||||
# you to specify the cluster bus port when executing cluster meet.
|
||||
# cluster-port 0
|
||||
|
||||
# A replica of a failing master will avoid to start a failover if its data
|
||||
# looks too old.
|
||||
#
|
||||
@ -1660,21 +1298,12 @@ aof-timestamp-enabled no
|
||||
# master in your cluster.
|
||||
#
|
||||
# Default is 1 (replicas migrate only if their masters remain with at least
|
||||
# one replica). To disable migration just set it to a very large value or
|
||||
# set cluster-allow-replica-migration to 'no'.
|
||||
# one replica). To disable migration just set it to a very large value.
|
||||
# A value of 0 can be set but is useful only for debugging and dangerous
|
||||
# in production.
|
||||
#
|
||||
# cluster-migration-barrier 1
|
||||
|
||||
# Turning off this option allows to use less automatic cluster configuration.
|
||||
# It both disables migration to orphaned masters and migration from masters
|
||||
# that became empty.
|
||||
#
|
||||
# Default is 'yes' (allow automatic migrations).
|
||||
#
|
||||
# cluster-allow-replica-migration yes
|
||||
|
||||
# By default Redis Cluster nodes stop accepting queries if they detect there
|
||||
# is at least a hash slot uncovered (no available node is serving it).
|
||||
# This way if the cluster is partially down (for example a range of hash slots
|
||||
@ -1689,7 +1318,7 @@ aof-timestamp-enabled no
|
||||
# cluster-require-full-coverage yes
|
||||
|
||||
# This option, when set to yes, prevents replicas from trying to failover its
|
||||
# master during master failures. However the replica can still perform a
|
||||
# master during master failures. However the master can still perform a
|
||||
# manual failover, if forced to do so.
|
||||
#
|
||||
# This is useful in different scenarios, especially in the case of multiple
|
||||
@ -1699,7 +1328,7 @@ aof-timestamp-enabled no
|
||||
# cluster-replica-no-failover no
|
||||
|
||||
# This option, when set to yes, allows nodes to serve read traffic while the
|
||||
# cluster is in a down state, as long as it believes it owns the slots.
|
||||
# the cluster is in a down state, as long as it believes it owns the slots.
|
||||
#
|
||||
# This is useful for two cases. The first case is for when an application
|
||||
# doesn't require consistency of data during node failures or network partitions.
|
||||
@ -1714,54 +1343,8 @@ aof-timestamp-enabled no
|
||||
#
|
||||
# cluster-allow-reads-when-down no
|
||||
|
||||
# This option, when set to yes, allows nodes to serve pubsub shard traffic while
|
||||
# the cluster is in a down state, as long as it believes it owns the slots.
|
||||
#
|
||||
# This is useful if the application would like to use the pubsub feature even when
|
||||
# the cluster global stable state is not OK. If the application wants to make sure only
|
||||
# one shard is serving a given channel, this feature should be kept as yes.
|
||||
#
|
||||
# cluster-allow-pubsubshard-when-down yes
|
||||
|
||||
# Cluster link send buffer limit is the limit on the memory usage of an individual
|
||||
# cluster bus link's send buffer in bytes. Cluster links would be freed if they exceed
|
||||
# this limit. This is to primarily prevent send buffers from growing unbounded on links
|
||||
# toward slow peers (E.g. PubSub messages being piled up).
|
||||
# This limit is disabled by default. Enable this limit when 'mem_cluster_links' INFO field
|
||||
# and/or 'send-buffer-allocated' entries in the 'CLUSTER LINKS` command output continuously increase.
|
||||
# Minimum limit of 1gb is recommended so that cluster link buffer can fit in at least a single
|
||||
# PubSub message by default. (client-query-buffer-limit default value is 1gb)
|
||||
#
|
||||
# cluster-link-sendbuf-limit 0
|
||||
|
||||
# Clusters can configure their announced hostname using this config. This is a common use case for
|
||||
# applications that need to use TLS Server Name Indication (SNI) or dealing with DNS based
|
||||
# routing. By default this value is only shown as additional metadata in the CLUSTER SLOTS
|
||||
# command, but can be changed using 'cluster-preferred-endpoint-type' config. This value is
|
||||
# communicated along the clusterbus to all nodes, setting it to an empty string will remove
|
||||
# the hostname and also propagate the removal.
|
||||
#
|
||||
# cluster-announce-hostname ""
|
||||
|
||||
# Clusters can advertise how clients should connect to them using either their IP address,
|
||||
# a user defined hostname, or by declaring they have no endpoint. Which endpoint is
|
||||
# shown as the preferred endpoint is set by using the cluster-preferred-endpoint-type
|
||||
# config with values 'ip', 'hostname', or 'unknown-endpoint'. This value controls how
|
||||
# the endpoint returned for MOVED/ASKING requests as well as the first field of CLUSTER SLOTS.
|
||||
# If the preferred endpoint type is set to hostname, but no announced hostname is set, a '?'
|
||||
# will be returned instead.
|
||||
#
|
||||
# When a cluster advertises itself as having an unknown endpoint, it's indicating that
|
||||
# the server doesn't know how clients can reach the cluster. This can happen in certain
|
||||
# networking situations where there are multiple possible routes to the node, and the
|
||||
# server doesn't know which one the client took. In this case, the server is expecting
|
||||
# the client to reach out on the same endpoint it used for making the last request, but use
|
||||
# the port provided in the response.
|
||||
#
|
||||
# cluster-preferred-endpoint-type ip
|
||||
|
||||
# In order to setup your cluster make sure to read the documentation
|
||||
# available at https://redis.io web site.
|
||||
# available at http://redis.io web site.
|
||||
|
||||
########################## CLUSTER DOCKER/NAT support ########################
|
||||
|
||||
@ -1771,21 +1354,16 @@ aof-timestamp-enabled no
|
||||
#
|
||||
# In order to make Redis Cluster working in such environments, a static
|
||||
# configuration where each node knows its public address is needed. The
|
||||
# following four options are used for this scope, and are:
|
||||
# following two options are used for this scope, and are:
|
||||
#
|
||||
# * cluster-announce-ip
|
||||
# * cluster-announce-port
|
||||
# * cluster-announce-tls-port
|
||||
# * cluster-announce-bus-port
|
||||
#
|
||||
# Each instructs the node about its address, client ports (for connections
|
||||
# without and with TLS) and cluster message bus port. The information is then
|
||||
# published in the header of the bus packets so that other nodes will be able to
|
||||
# correctly map the address of the node publishing the information.
|
||||
#
|
||||
# If cluster-tls is set to yes and cluster-announce-tls-port is omitted or set
|
||||
# to zero, then cluster-announce-port refers to the TLS port. Note also that
|
||||
# cluster-announce-tls-port has no effect if cluster-tls is set to no.
|
||||
# Each instructs the node about its address, client port, and cluster message
|
||||
# bus port. The information is then published in the header of the bus packets
|
||||
# so that other nodes will be able to correctly map the address of the node
|
||||
# publishing the information.
|
||||
#
|
||||
# If the above options are not used, the normal Redis Cluster auto-detection
|
||||
# will be used instead.
|
||||
@ -1798,8 +1376,7 @@ aof-timestamp-enabled no
|
||||
# Example:
|
||||
#
|
||||
# cluster-announce-ip 10.1.1.5
|
||||
# cluster-announce-tls-port 6379
|
||||
# cluster-announce-port 0
|
||||
# cluster-announce-port 6379
|
||||
# cluster-announce-bus-port 6380
|
||||
|
||||
################################## SLOW LOG ###################################
|
||||
@ -1824,7 +1401,7 @@ slowlog-log-slower-than 10000
|
||||
|
||||
# There is no limit to this length. Just be aware that it will consume memory.
|
||||
# You can reclaim memory used by the slow log with SLOWLOG RESET.
|
||||
slowlog-max-len 10086
|
||||
slowlog-max-len 128
|
||||
|
||||
################################ LATENCY MONITOR ##############################
|
||||
|
||||
@ -1847,24 +1424,10 @@ slowlog-max-len 10086
|
||||
# "CONFIG SET latency-monitor-threshold <milliseconds>" if needed.
|
||||
latency-monitor-threshold 0
|
||||
|
||||
################################ LATENCY TRACKING ##############################
|
||||
|
||||
# The Redis extended latency monitoring tracks the per command latencies and enables
|
||||
# exporting the percentile distribution via the INFO latencystats command,
|
||||
# and cumulative latency distributions (histograms) via the LATENCY command.
|
||||
#
|
||||
# By default, the extended latency monitoring is enabled since the overhead
|
||||
# of keeping track of the command latency is very small.
|
||||
# latency-tracking yes
|
||||
|
||||
# By default the exported latency percentiles via the INFO latencystats command
|
||||
# are the p50, p99, and p999.
|
||||
# latency-tracking-info-percentiles 50 99 99.9
|
||||
|
||||
############################# EVENT NOTIFICATION ##############################
|
||||
|
||||
# Redis can notify Pub/Sub clients about events happening in the key space.
|
||||
# This feature is documented at https://redis.io/topics/notifications
|
||||
# This feature is documented at http://redis.io/topics/notifications
|
||||
#
|
||||
# For instance if keyspace events notification is enabled, and a client
|
||||
# performs a DEL operation on key "foo" stored in the Database 0, two
|
||||
@ -1886,11 +1449,9 @@ latency-monitor-threshold 0
|
||||
# z Sorted set commands
|
||||
# x Expired events (events generated every time a key expires)
|
||||
# e Evicted events (events generated when a key is evicted for maxmemory)
|
||||
# n New key events (Note: not included in the 'A' class)
|
||||
# t Stream commands
|
||||
# d Module key type events
|
||||
# m Key-miss events (Note: It is not included in the 'A' class)
|
||||
# A Alias for g$lshzxetd, so that the "AKE" string means all the events
|
||||
# A Alias for g$lshzxet, so that the "AKE" string means all the events
|
||||
# (Except key-miss events which are excluded from 'A' due to their
|
||||
# unique nature).
|
||||
#
|
||||
@ -1913,13 +1474,71 @@ latency-monitor-threshold 0
|
||||
# specify at least one of K or E, no events will be delivered.
|
||||
notify-keyspace-events ""
|
||||
|
||||
############################### GOPHER SERVER #################################
|
||||
|
||||
# Redis contains an implementation of the Gopher protocol, as specified in
|
||||
# the RFC 1436 (https://www.ietf.org/rfc/rfc1436.txt).
|
||||
#
|
||||
# The Gopher protocol was very popular in the late '90s. It is an alternative
|
||||
# to the web, and the implementation both server and client side is so simple
|
||||
# that the Redis server has just 100 lines of code in order to implement this
|
||||
# support.
|
||||
#
|
||||
# What do you do with Gopher nowadays? Well Gopher never *really* died, and
|
||||
# lately there is a movement in order for the Gopher more hierarchical content
|
||||
# composed of just plain text documents to be resurrected. Some want a simpler
|
||||
# internet, others believe that the mainstream internet became too much
|
||||
# controlled, and it's cool to create an alternative space for people that
|
||||
# want a bit of fresh air.
|
||||
#
|
||||
# Anyway for the 10nth birthday of the Redis, we gave it the Gopher protocol
|
||||
# as a gift.
|
||||
#
|
||||
# --- HOW IT WORKS? ---
|
||||
#
|
||||
# The Redis Gopher support uses the inline protocol of Redis, and specifically
|
||||
# two kind of inline requests that were anyway illegal: an empty request
|
||||
# or any request that starts with "/" (there are no Redis commands starting
|
||||
# with such a slash). Normal RESP2/RESP3 requests are completely out of the
|
||||
# path of the Gopher protocol implementation and are served as usual as well.
|
||||
#
|
||||
# If you open a connection to Redis when Gopher is enabled and send it
|
||||
# a string like "/foo", if there is a key named "/foo" it is served via the
|
||||
# Gopher protocol.
|
||||
#
|
||||
# In order to create a real Gopher "hole" (the name of a Gopher site in Gopher
|
||||
# talking), you likely need a script like the following:
|
||||
#
|
||||
# https://github.com/antirez/gopher2redis
|
||||
#
|
||||
# --- SECURITY WARNING ---
|
||||
#
|
||||
# If you plan to put Redis on the internet in a publicly accessible address
|
||||
# to server Gopher pages MAKE SURE TO SET A PASSWORD to the instance.
|
||||
# Once a password is set:
|
||||
#
|
||||
# 1. The Gopher server (when enabled, not by default) will still serve
|
||||
# content via Gopher.
|
||||
# 2. However other commands cannot be called before the client will
|
||||
# authenticate.
|
||||
#
|
||||
# So use the 'requirepass' option to protect your instance.
|
||||
#
|
||||
# Note that Gopher is not currently supported when 'io-threads-do-reads'
|
||||
# is enabled.
|
||||
#
|
||||
# To enable Gopher support, uncomment the following line and set the option
|
||||
# from no (the default) to yes.
|
||||
#
|
||||
# gopher-enabled no
|
||||
|
||||
############################### ADVANCED CONFIG ###############################
|
||||
|
||||
# Hashes are encoded using a memory efficient data structure when they have a
|
||||
# small number of entries, and the biggest entry does not exceed a given
|
||||
# threshold. These thresholds can be configured using the following directives.
|
||||
hash-max-listpack-entries 512
|
||||
hash-max-listpack-value 64
|
||||
hash-max-ziplist-entries 512
|
||||
hash-max-ziplist-value 64
|
||||
|
||||
# Lists are also encoded in a special way to save a lot of space.
|
||||
# The number of entries allowed per internal list node can be specified
|
||||
@ -1934,7 +1553,7 @@ hash-max-listpack-value 64
|
||||
# per list node.
|
||||
# The highest performing option is usually -2 (8 Kb size) or -1 (4 Kb size),
|
||||
# but if your use case is unique, adjust the settings as necessary.
|
||||
list-max-listpack-size -2
|
||||
list-max-ziplist-size -2
|
||||
|
||||
# Lists may also be compressed.
|
||||
# Compress depth is the number of quicklist ziplist nodes from *each* side of
|
||||
@ -1962,8 +1581,8 @@ set-max-intset-entries 512
|
||||
# Similarly to hashes and lists, sorted sets are also specially encoded in
|
||||
# order to save a lot of space. This encoding is only used when the length and
|
||||
# elements of a sorted set are below the following limits:
|
||||
zset-max-listpack-entries 128
|
||||
zset-max-listpack-value 64
|
||||
zset-max-ziplist-entries 128
|
||||
zset-max-ziplist-value 64
|
||||
|
||||
# HyperLogLog sparse representation bytes limit. The limit includes the
|
||||
# 16 bytes header. When an HyperLogLog using the sparse representation crosses
|
||||
@ -1985,9 +1604,9 @@ hll-sparse-max-bytes 3000
|
||||
# maximum number of items it may contain before switching to a new node when
|
||||
# appending new stream entries. If any of the following settings are set to
|
||||
# zero, the limit is ignored, so for instance it is possible to set just a
|
||||
# max entries limit by setting max-bytes to 0 and max-entries to the desired
|
||||
# max entires limit by setting max-bytes to 0 and max-entries to the desired
|
||||
# value.
|
||||
stream-node-max-bytes 4kb
|
||||
stream-node-max-bytes 4096
|
||||
stream-node-max-entries 100
|
||||
|
||||
# Active rehashing uses 1 millisecond every 100 milliseconds of CPU time in
|
||||
@ -2018,7 +1637,7 @@ activerehashing yes
|
||||
# The limit can be set differently for the three different classes of clients:
|
||||
#
|
||||
# normal -> normal clients including MONITOR clients
|
||||
# replica -> replica clients
|
||||
# replica -> replica clients
|
||||
# pubsub -> clients subscribed to at least one pubsub channel or pattern
|
||||
#
|
||||
# The syntax of every client-output-buffer-limit directive is the following:
|
||||
@ -2042,13 +1661,6 @@ activerehashing yes
|
||||
# Instead there is a default limit for pubsub and replica clients, since
|
||||
# subscribers and replicas receive data in a push fashion.
|
||||
#
|
||||
# Note that it doesn't make sense to set the replica clients output buffer
|
||||
# limit lower than the repl-backlog-size config (partial sync will succeed
|
||||
# and then replica will get disconnected).
|
||||
# Such a configuration is ignored (the size of repl-backlog-size will be used).
|
||||
# This doesn't have memory consumption implications since the replica client
|
||||
# will share the backlog buffers memory.
|
||||
#
|
||||
# Both the hard or the soft limit can be disabled by setting them to zero.
|
||||
client-output-buffer-limit normal 0 0 0
|
||||
client-output-buffer-limit replica 256mb 64mb 60
|
||||
@ -2062,25 +1674,6 @@ client-output-buffer-limit pubsub 32mb 8mb 60
|
||||
#
|
||||
# client-query-buffer-limit 1gb
|
||||
|
||||
# In some scenarios client connections can hog up memory leading to OOM
|
||||
# errors or data eviction. To avoid this we can cap the accumulated memory
|
||||
# used by all client connections (all pubsub and normal clients). Once we
|
||||
# reach that limit connections will be dropped by the server freeing up
|
||||
# memory. The server will attempt to drop the connections using the most
|
||||
# memory first. We call this mechanism "client eviction".
|
||||
#
|
||||
# Client eviction is configured using the maxmemory-clients setting as follows:
|
||||
# 0 - client eviction is disabled (default)
|
||||
#
|
||||
# A memory value can be used for the client eviction threshold,
|
||||
# for example:
|
||||
# maxmemory-clients 1g
|
||||
#
|
||||
# A percentage value (between 1% and 100%) means the client eviction threshold
|
||||
# is based on a percentage of the maxmemory setting. For example to set client
|
||||
# eviction at 5% of maxmemory:
|
||||
# maxmemory-clients 5%
|
||||
|
||||
# In the Redis protocol, bulk requests, that are, elements representing single
|
||||
# strings, are normally limited to 512 mb. However you can change this limit
|
||||
# here, but must be 1mb or greater
|
||||
@ -2121,13 +1714,13 @@ hz 10
|
||||
dynamic-hz yes
|
||||
|
||||
# When a child rewrites the AOF file, if the following option is enabled
|
||||
# the file will be fsync-ed every 4 MB of data generated. This is useful
|
||||
# the file will be fsync-ed every 32 MB of data generated. This is useful
|
||||
# in order to commit the file to the disk more incrementally and avoid
|
||||
# big latency spikes.
|
||||
aof-rewrite-incremental-fsync yes
|
||||
|
||||
# When redis saves RDB file, if the following option is enabled
|
||||
# the file will be fsync-ed every 4 MB of data generated. This is useful
|
||||
# the file will be fsync-ed every 32 MB of data generated. This is useful
|
||||
# in order to commit the file to the disk more incrementally and avoid
|
||||
# big latency spikes.
|
||||
rdb-save-incremental-fsync yes
|
||||
@ -2224,7 +1817,7 @@ rdb-save-incremental-fsync yes
|
||||
# defragmentation process. If you are not sure about what they mean it is
|
||||
# a good idea to leave the defaults untouched.
|
||||
|
||||
# Active defragmentation is disabled by default
|
||||
# Enabled active defragmentation
|
||||
# activedefrag no
|
||||
|
||||
# Minimum amount of fragmentation waste to start active defrag
|
||||
@ -2281,11 +1874,4 @@ jemalloc-bg-thread yes
|
||||
# by setting the following config which takes a space delimited list of warnings
|
||||
# to suppress
|
||||
#
|
||||
# ignore-warnings ARM64-COW-BUG
|
||||
|
||||
# Generated by CONFIG REWRITE
|
||||
save 3600 1
|
||||
save 300 100
|
||||
save 60 10000
|
||||
latency-tracking-info-percentiles 50 99 99.9
|
||||
user default on nopass ~* &* +@all
|
||||
# ignore-warnings ARM64-COW-BUG
|
@ -1,12 +1,3 @@
|
||||
# Redis configuration rewrite by 1Panel
|
||||
timeout 0
|
||||
# maxclients 10000
|
||||
# maxmemory <bytes>
|
||||
save 3600 1 300 100 60 10000
|
||||
appendonly no
|
||||
appendfsync everysec
|
||||
# End Redis configuration rewrite by 1Panel
|
||||
|
||||
# Redis configuration file example.
|
||||
#
|
||||
# Note that in order to read the configuration file, Redis must be
|
||||
@ -93,7 +84,7 @@ appendfsync everysec
|
||||
# You will also need to set a password unless you explicitly disable protected
|
||||
# mode.
|
||||
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
# bind 127.0.0.1 -::1
|
||||
bind 0.0.0.0
|
||||
|
||||
# By default, outgoing connections (from replica to master, from Sentinel to
|
||||
# instances, cluster bus, etc.) are not bound to a specific local address. In
|
||||
@ -165,7 +156,7 @@ tcp-backlog 511
|
||||
# unixsocketperm 700
|
||||
|
||||
# Close the connection after a client is idle for N seconds (0 to disable)
|
||||
# timeout 0
|
||||
timeout 0
|
||||
|
||||
# TCP keepalive.
|
||||
#
|
||||
@ -918,10 +909,10 @@ replica-priority 100
|
||||
# commands. For instance ~* allows all the keys. The pattern
|
||||
# is a glob-style pattern like the one of KEYS.
|
||||
# It is possible to specify multiple patterns.
|
||||
# %R~<pattern> Add key read pattern that specifies which keys can be read
|
||||
# %R~<pattern> Add key read pattern that specifies which keys can be read
|
||||
# from.
|
||||
# %W~<pattern> Add key write pattern that specifies which keys can be
|
||||
# written to.
|
||||
# written to.
|
||||
# allkeys Alias for ~*
|
||||
# resetkeys Flush the list of allowed keys patterns.
|
||||
# &<pattern> Add a glob-style pattern of Pub/Sub channels that can be
|
||||
@ -948,10 +939,10 @@ replica-priority 100
|
||||
# -@all. The user returns to the same state it has immediately
|
||||
# after its creation.
|
||||
# (<options>) Create a new selector with the options specified within the
|
||||
# parentheses and attach it to the user. Each option should be
|
||||
# space separated. The first character must be ( and the last
|
||||
# parentheses and attach it to the user. Each option should be
|
||||
# space separated. The first character must be ( and the last
|
||||
# character must be ).
|
||||
# clearselectors Remove all of the currently attached selectors.
|
||||
# clearselectors Remove all of the currently attached selectors.
|
||||
# Note this does not change the "root" user permissions,
|
||||
# which are the permissions directly applied onto the
|
||||
# user (outside the parentheses).
|
||||
@ -977,7 +968,7 @@ replica-priority 100
|
||||
# Basically ACL rules are processed left-to-right.
|
||||
#
|
||||
# The following is a list of command categories and their meanings:
|
||||
# * keyspace - Writing or reading from keys, databases, or their metadata
|
||||
# * keyspace - Writing or reading from keys, databases, or their metadata
|
||||
# in a type agnostic way. Includes DEL, RESTORE, DUMP, RENAME, EXISTS, DBSIZE,
|
||||
# KEYS, EXPIRE, TTL, FLUSHALL, etc. Commands that may modify the keyspace,
|
||||
# key or metadata will also have `write` category. Commands that only read
|
||||
@ -1385,7 +1376,7 @@ disable-thp yes
|
||||
#
|
||||
# Please check https://redis.io/topics/persistence for more information.
|
||||
|
||||
# appendonly no
|
||||
appendonly no
|
||||
|
||||
# The base name of the append only file.
|
||||
#
|
||||
@ -1444,7 +1435,7 @@ appenddirname "appendonlydir"
|
||||
# If unsure, use "everysec".
|
||||
|
||||
# appendfsync always
|
||||
# appendfsync everysec
|
||||
appendfsync everysec
|
||||
# appendfsync no
|
||||
|
||||
# When the AOF fsync policy is set to always or everysec, and a background
|
||||
@ -1598,8 +1589,8 @@ aof-timestamp-enabled no
|
||||
#
|
||||
# cluster-node-timeout 15000
|
||||
|
||||
# The cluster port is the port that the cluster bus will listen for inbound connections on. When set
|
||||
# to the default value, 0, it will be bound to the command port + 10000. Setting this value requires
|
||||
# The cluster port is the port that the cluster bus will listen for inbound connections on. When set
|
||||
# to the default value, 0, it will be bound to the command port + 10000. Setting this value requires
|
||||
# you to specify the cluster bus port when executing cluster meet.
|
||||
# cluster-port 0
|
||||
|
||||
@ -1734,12 +1725,12 @@ aof-timestamp-enabled no
|
||||
# PubSub message by default. (client-query-buffer-limit default value is 1gb)
|
||||
#
|
||||
# cluster-link-sendbuf-limit 0
|
||||
|
||||
# Clusters can configure their announced hostname using this config. This is a common use case for
|
||||
|
||||
# Clusters can configure their announced hostname using this config. This is a common use case for
|
||||
# applications that need to use TLS Server Name Indication (SNI) or dealing with DNS based
|
||||
# routing. By default this value is only shown as additional metadata in the CLUSTER SLOTS
|
||||
# command, but can be changed using 'cluster-preferred-endpoint-type' config. This value is
|
||||
# communicated along the clusterbus to all nodes, setting it to an empty string will remove
|
||||
# command, but can be changed using 'cluster-preferred-endpoint-type' config. This value is
|
||||
# communicated along the clusterbus to all nodes, setting it to an empty string will remove
|
||||
# the hostname and also propagate the removal.
|
||||
#
|
||||
# cluster-announce-hostname ""
|
||||
@ -1748,13 +1739,13 @@ aof-timestamp-enabled no
|
||||
# a user defined hostname, or by declaring they have no endpoint. Which endpoint is
|
||||
# shown as the preferred endpoint is set by using the cluster-preferred-endpoint-type
|
||||
# config with values 'ip', 'hostname', or 'unknown-endpoint'. This value controls how
|
||||
# the endpoint returned for MOVED/ASKING requests as well as the first field of CLUSTER SLOTS.
|
||||
# If the preferred endpoint type is set to hostname, but no announced hostname is set, a '?'
|
||||
# the endpoint returned for MOVED/ASKING requests as well as the first field of CLUSTER SLOTS.
|
||||
# If the preferred endpoint type is set to hostname, but no announced hostname is set, a '?'
|
||||
# will be returned instead.
|
||||
#
|
||||
# When a cluster advertises itself as having an unknown endpoint, it's indicating that
|
||||
# the server doesn't know how clients can reach the cluster. This can happen in certain
|
||||
# networking situations where there are multiple possible routes to the node, and the
|
||||
# the server doesn't know how clients can reach the cluster. This can happen in certain
|
||||
# networking situations where there are multiple possible routes to the node, and the
|
||||
# server doesn't know which one the client took. In this case, the server is expecting
|
||||
# the client to reach out on the same endpoint it used for making the last request, but use
|
||||
# the port provided in the response.
|
||||
@ -2067,7 +2058,7 @@ client-output-buffer-limit pubsub 32mb 8mb 60
|
||||
# errors or data eviction. To avoid this we can cap the accumulated memory
|
||||
# used by all client connections (all pubsub and normal clients). Once we
|
||||
# reach that limit connections will be dropped by the server freeing up
|
||||
# memory. The server will attempt to drop the connections using the most
|
||||
# memory. The server will attempt to drop the connections using the most
|
||||
# memory first. We call this mechanism "client eviction".
|
||||
#
|
||||
# Client eviction is configured using the maxmemory-clients setting as follows:
|
||||
@ -2282,4 +2273,4 @@ jemalloc-bg-thread yes
|
||||
# by setting the following config which takes a space delimited list of warnings
|
||||
# to suppress
|
||||
#
|
||||
# ignore-warnings ARM64-COW-BUG
|
||||
# ignore-warnings ARM64-COW-BUG
|
Loading…
Reference in New Issue
Block a user