From 31fa8a0e6eb1476635d363efcd057cdabcf5dfeb Mon Sep 17 00:00:00 2001 
From: zhengkunwang223 Date: Mon, 20 Feb 2023 16:31:16 +0800 Subject: [PATCH] =?UTF-8?q?feat:=20=E4=BF=AE=E6=94=B9=20nginx=20WAF?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../versions/1.21.4/www/common/waf/.gitignore | 9 + .../versions/1.21.4/www/common/waf/LICENSE | 674 +++++++++++++++ .../versions/1.21.4/www/common/waf/README.md | 2 + .../versions/1.21.4/www/common/waf/access.lua | 568 +++++++------ .../1.21.4/www/common/waf/rules/argsCheckList | 22 - .../www/common/waf/rules/args_check.json | 26 + .../www/common/waf/rules/{ccRate => cc.json} | 0 .../www/common/waf/rules/cookieBlockList | 20 - .../www/common/waf/rules/cookie_block.json | 12 + .../{fileExtBlockList => file_ext_block.json} | 0 .../waf/rules/{ipBlockList => ip_block.json} | 0 .../1.21.4/www/common/waf/rules/ip_white.json | 1 + .../1.21.4/www/common/waf/rules/postCheckList | 19 - .../www/common/waf/rules/post_check.json | 22 + .../1.21.4/www/common/waf/rules/urlBlockList | 6 - .../1.21.4/www/common/waf/rules/urlWhiteList | 1 - .../waf/rules/{ipWhiteList => url_block.json} | 0 .../www/common/waf/rules/url_white.json | 1 + .../1.21.4/www/common/waf/rules/user-agent | 1 - .../www/common/waf/rules/user_agent.json | 17 + .../versions/1.21.4/www/common/waf/test.lua | 35 + apps/redis/versions/6.0.16/conf/redis.conf | 796 +++++------------- apps/redis/versions/7.0.5/conf/redis.conf | 53 +- 23 files changed, 1308 insertions(+), 977 deletions(-) create mode 100644 apps/nginx/versions/1.21.4/www/common/waf/.gitignore create mode 100644 apps/nginx/versions/1.21.4/www/common/waf/LICENSE create mode 100644 apps/nginx/versions/1.21.4/www/common/waf/README.md delete mode 100644 apps/nginx/versions/1.21.4/www/common/waf/rules/argsCheckList create mode 100644 apps/nginx/versions/1.21.4/www/common/waf/rules/args_check.json rename apps/nginx/versions/1.21.4/www/common/waf/rules/{ccRate => cc.json} (100%) delete mode 100644 
apps/nginx/versions/1.21.4/www/common/waf/rules/cookieBlockList
create mode 100644 apps/nginx/versions/1.21.4/www/common/waf/rules/cookie_block.json
rename apps/nginx/versions/1.21.4/www/common/waf/rules/{fileExtBlockList => file_ext_block.json} (100%)
rename apps/nginx/versions/1.21.4/www/common/waf/rules/{ipBlockList => ip_block.json} (100%)
create mode 100644 apps/nginx/versions/1.21.4/www/common/waf/rules/ip_white.json
delete mode 100644 apps/nginx/versions/1.21.4/www/common/waf/rules/postCheckList
create mode 100644 apps/nginx/versions/1.21.4/www/common/waf/rules/post_check.json
delete mode 100644 apps/nginx/versions/1.21.4/www/common/waf/rules/urlBlockList
delete mode 100644 apps/nginx/versions/1.21.4/www/common/waf/rules/urlWhiteList
rename apps/nginx/versions/1.21.4/www/common/waf/rules/{ipWhiteList => url_block.json} (100%)
create mode 100644 apps/nginx/versions/1.21.4/www/common/waf/rules/url_white.json
delete mode 100644 apps/nginx/versions/1.21.4/www/common/waf/rules/user-agent
create mode 100644 apps/nginx/versions/1.21.4/www/common/waf/rules/user_agent.json
create mode 100644 apps/nginx/versions/1.21.4/www/common/waf/test.lua
diff --git a/apps/nginx/versions/1.21.4/www/common/waf/.gitignore b/apps/nginx/versions/1.21.4/www/common/waf/.gitignore
new file mode 100644
index 00000000..70cbd5d1
--- /dev/null
+++ b/apps/nginx/versions/1.21.4/www/common/waf/.gitignore
@@ -0,0 +1,9 @@
+# Binaries for programs and plugins
+*.exe
+*.exe~
+*.dll
+*.so
+*.dylib
+.idea
+
+
diff --git a/apps/nginx/versions/1.21.4/www/common/waf/LICENSE b/apps/nginx/versions/1.21.4/www/common/waf/LICENSE
new file mode 100644
index 00000000..f288702d
--- /dev/null
+++ b/apps/nginx/versions/1.21.4/www/common/waf/LICENSE
@@ -0,0 +1,674 @@ + GNU GENERAL PUBLIC LICENSE + Version 3, 29 June 2007 + + Copyright (C) 2007 Free Software Foundation, Inc. + Everyone is permitted to copy and distribute verbatim copies + of this license document, but changing it is not allowed. + + Preamble + + The GNU General Public License is a free, copyleft license for +software and other kinds of works. + + The licenses for most software and other practical works are designed +to take away your freedom to share and change the works. By contrast, +the GNU General Public License is intended to guarantee your freedom to +share and change all versions of a program--to make sure it remains free +software for all its users. We, the Free Software Foundation, use the +GNU General Public License for most of our software; it applies also to +any other work released this way by its authors. You can apply it to +your programs, too. + + When we speak of free software, we are referring to freedom, not +price. Our General Public Licenses are designed to make sure that you +have the freedom to distribute copies of free software (and charge for +them if you wish), that you receive source code or can get it if you +want it, that you can change the software or use pieces of it in new +free programs, and that you know you can do these things. + + To protect your rights, we need to prevent others from denying you +these rights or asking you to surrender the rights. Therefore, you have +certain responsibilities if you distribute copies of the software, or if +you modify it: responsibilities to respect the freedom of others. + + For example, if you distribute copies of such a program, whether +gratis or for a fee, you must pass on to the recipients the same +freedoms that you received. You must make sure that they, too, receive +or can get the source code. And you must show them these terms so they +know their rights. 
+ + Developers that use the GNU GPL protect your rights with two steps: +(1) assert copyright on the software, and (2) offer you this License +giving you legal permission to copy, distribute and/or modify it. + + For the developers' and authors' protection, the GPL clearly explains +that there is no warranty for this free software. For both users' and +authors' sake, the GPL requires that modified versions be marked as +changed, so that their problems will not be attributed erroneously to +authors of previous versions. + + Some devices are designed to deny users access to install or run +modified versions of the software inside them, although the manufacturer +can do so. This is fundamentally incompatible with the aim of +protecting users' freedom to change the software. The systematic +pattern of such abuse occurs in the area of products for individuals to +use, which is precisely where it is most unacceptable. Therefore, we +have designed this version of the GPL to prohibit the practice for those +products. If such problems arise substantially in other domains, we +stand ready to extend this provision to those domains in future versions +of the GPL, as needed to protect the freedom of users. + + Finally, every program is threatened constantly by software patents. +States should not allow patents to restrict development and use of +software on general-purpose computers, but in those that do, we wish to +avoid the special danger that patents applied to a free program could +make it effectively proprietary. To prevent this, the GPL assures that +patents cannot be used to render the program non-free. + + The precise terms and conditions for copying, distribution and +modification follow. + + TERMS AND CONDITIONS + + 0. Definitions. + + "This License" refers to version 3 of the GNU General Public License. + + "Copyright" also means copyright-like laws that apply to other kinds of +works, such as semiconductor masks. 
+ + "The Program" refers to any copyrightable work licensed under this +License. Each licensee is addressed as "you". "Licensees" and +"recipients" may be individuals or organizations. + + To "modify" a work means to copy from or adapt all or part of the work +in a fashion requiring copyright permission, other than the making of an +exact copy. The resulting work is called a "modified version" of the +earlier work or a work "based on" the earlier work. + + A "covered work" means either the unmodified Program or a work based +on the Program. + + To "propagate" a work means to do anything with it that, without +permission, would make you directly or secondarily liable for +infringement under applicable copyright law, except executing it on a +computer or modifying a private copy. Propagation includes copying, +distribution (with or without modification), making available to the +public, and in some countries other activities as well. + + To "convey" a work means any kind of propagation that enables other +parties to make or receive copies. Mere interaction with a user through +a computer network, with no transfer of a copy, is not conveying. + + An interactive user interface displays "Appropriate Legal Notices" +to the extent that it includes a convenient and prominently visible +feature that (1) displays an appropriate copyright notice, and (2) +tells the user that there is no warranty for the work (except to the +extent that warranties are provided), that licensees may convey the +work under this License, and how to view a copy of this License. If +the interface presents a list of user commands or options, such as a +menu, a prominent item in the list meets this criterion. + + 1. Source Code. + + The "source code" for a work means the preferred form of the work +for making modifications to it. "Object code" means any non-source +form of a work. 
+ + A "Standard Interface" means an interface that either is an official +standard defined by a recognized standards body, or, in the case of +interfaces specified for a particular programming language, one that +is widely used among developers working in that language. + + The "System Libraries" of an executable work include anything, other +than the work as a whole, that (a) is included in the normal form of +packaging a Major Component, but which is not part of that Major +Component, and (b) serves only to enable use of the work with that +Major Component, or to implement a Standard Interface for which an +implementation is available to the public in source code form. A +"Major Component", in this context, means a major essential component +(kernel, window system, and so on) of the specific operating system +(if any) on which the executable work runs, or a compiler used to +produce the work, or an object code interpreter used to run it. + + The "Corresponding Source" for a work in object code form means all +the source code needed to generate, install, and (for an executable +work) run the object code and to modify the work, including scripts to +control those activities. However, it does not include the work's +System Libraries, or general-purpose tools or generally available free +programs which are used unmodified in performing those activities but +which are not part of the work. For example, Corresponding Source +includes interface definition files associated with source files for +the work, and the source code for shared libraries and dynamically +linked subprograms that the work is specifically designed to require, +such as by intimate data communication or control flow between those +subprograms and other parts of the work. + + The Corresponding Source need not include anything that users +can regenerate automatically from other parts of the Corresponding +Source. + + The Corresponding Source for a work in source code form is that +same work. + + 2. 
Basic Permissions. + + All rights granted under this License are granted for the term of +copyright on the Program, and are irrevocable provided the stated +conditions are met. This License explicitly affirms your unlimited +permission to run the unmodified Program. The output from running a +covered work is covered by this License only if the output, given its +content, constitutes a covered work. This License acknowledges your +rights of fair use or other equivalent, as provided by copyright law. + + You may make, run and propagate covered works that you do not +convey, without conditions so long as your license otherwise remains +in force. You may convey covered works to others for the sole purpose +of having them make modifications exclusively for you, or provide you +with facilities for running those works, provided that you comply with +the terms of this License in conveying all material for which you do +not control copyright. Those thus making or running the covered works +for you must do so exclusively on your behalf, under your direction +and control, on terms that prohibit them from making any copies of +your copyrighted material outside their relationship with you. + + Conveying under any other circumstances is permitted solely under +the conditions stated below. Sublicensing is not allowed; section 10 +makes it unnecessary. + + 3. Protecting Users' Legal Rights From Anti-Circumvention Law. + + No covered work shall be deemed part of an effective technological +measure under any applicable law fulfilling obligations under article +11 of the WIPO copyright treaty adopted on 20 December 1996, or +similar laws prohibiting or restricting circumvention of such +measures. 
+ + When you convey a covered work, you waive any legal power to forbid +circumvention of technological measures to the extent such circumvention +is effected by exercising rights under this License with respect to +the covered work, and you disclaim any intention to limit operation or +modification of the work as a means of enforcing, against the work's +users, your or third parties' legal rights to forbid circumvention of +technological measures. + + 4. Conveying Verbatim Copies. + + You may convey verbatim copies of the Program's source code as you +receive it, in any medium, provided that you conspicuously and +appropriately publish on each copy an appropriate copyright notice; +keep intact all notices stating that this License and any +non-permissive terms added in accord with section 7 apply to the code; +keep intact all notices of the absence of any warranty; and give all +recipients a copy of this License along with the Program. + + You may charge any price or no price for each copy that you convey, +and you may offer support or warranty protection for a fee. + + 5. Conveying Modified Source Versions. + + You may convey a work based on the Program, or the modifications to +produce it from the Program, in the form of source code under the +terms of section 4, provided that you also meet all of these conditions: + + a) The work must carry prominent notices stating that you modified + it, and giving a relevant date. + + b) The work must carry prominent notices stating that it is + released under this License and any conditions added under section + 7. This requirement modifies the requirement in section 4 to + "keep intact all notices". + + c) You must license the entire work, as a whole, under this + License to anyone who comes into possession of a copy. This + License will therefore apply, along with any applicable section 7 + additional terms, to the whole of the work, and all its parts, + regardless of how they are packaged. 
This License gives no + permission to license the work in any other way, but it does not + invalidate such permission if you have separately received it. + + d) If the work has interactive user interfaces, each must display + Appropriate Legal Notices; however, if the Program has interactive + interfaces that do not display Appropriate Legal Notices, your + work need not make them do so. + + A compilation of a covered work with other separate and independent +works, which are not by their nature extensions of the covered work, +and which are not combined with it such as to form a larger program, +in or on a volume of a storage or distribution medium, is called an +"aggregate" if the compilation and its resulting copyright are not +used to limit the access or legal rights of the compilation's users +beyond what the individual works permit. Inclusion of a covered work +in an aggregate does not cause this License to apply to the other +parts of the aggregate. + + 6. Conveying Non-Source Forms. + + You may convey a covered work in object code form under the terms +of sections 4 and 5, provided that you also convey the +machine-readable Corresponding Source under the terms of this License, +in one of these ways: + + a) Convey the object code in, or embodied in, a physical product + (including a physical distribution medium), accompanied by the + Corresponding Source fixed on a durable physical medium + customarily used for software interchange. 
+ + b) Convey the object code in, or embodied in, a physical product + (including a physical distribution medium), accompanied by a + written offer, valid for at least three years and valid for as + long as you offer spare parts or customer support for that product + model, to give anyone who possesses the object code either (1) a + copy of the Corresponding Source for all the software in the + product that is covered by this License, on a durable physical + medium customarily used for software interchange, for a price no + more than your reasonable cost of physically performing this + conveying of source, or (2) access to copy the + Corresponding Source from a network server at no charge. + + c) Convey individual copies of the object code with a copy of the + written offer to provide the Corresponding Source. This + alternative is allowed only occasionally and noncommercially, and + only if you received the object code with such an offer, in accord + with subsection 6b. + + d) Convey the object code by offering access from a designated + place (gratis or for a charge), and offer equivalent access to the + Corresponding Source in the same way through the same place at no + further charge. You need not require recipients to copy the + Corresponding Source along with the object code. If the place to + copy the object code is a network server, the Corresponding Source + may be on a different server (operated by you or a third party) + that supports equivalent copying facilities, provided you maintain + clear directions next to the object code saying where to find the + Corresponding Source. Regardless of what server hosts the + Corresponding Source, you remain obligated to ensure that it is + available for as long as needed to satisfy these requirements. 
+ + e) Convey the object code using peer-to-peer transmission, provided + you inform other peers where the object code and Corresponding + Source of the work are being offered to the general public at no + charge under subsection 6d. + + A separable portion of the object code, whose source code is excluded +from the Corresponding Source as a System Library, need not be +included in conveying the object code work. + + A "User Product" is either (1) a "consumer product", which means any +tangible personal property which is normally used for personal, family, +or household purposes, or (2) anything designed or sold for incorporation +into a dwelling. In determining whether a product is a consumer product, +doubtful cases shall be resolved in favor of coverage. For a particular +product received by a particular user, "normally used" refers to a +typical or common use of that class of product, regardless of the status +of the particular user or of the way in which the particular user +actually uses, or expects or is expected to use, the product. A product +is a consumer product regardless of whether the product has substantial +commercial, industrial or non-consumer uses, unless such uses represent +the only significant mode of use of the product. + + "Installation Information" for a User Product means any methods, +procedures, authorization keys, or other information required to install +and execute modified versions of a covered work in that User Product from +a modified version of its Corresponding Source. The information must +suffice to ensure that the continued functioning of the modified object +code is in no case prevented or interfered with solely because +modification has been made. 
+ + If you convey an object code work under this section in, or with, or +specifically for use in, a User Product, and the conveying occurs as +part of a transaction in which the right of possession and use of the +User Product is transferred to the recipient in perpetuity or for a +fixed term (regardless of how the transaction is characterized), the +Corresponding Source conveyed under this section must be accompanied +by the Installation Information. But this requirement does not apply +if neither you nor any third party retains the ability to install +modified object code on the User Product (for example, the work has +been installed in ROM). + + The requirement to provide Installation Information does not include a +requirement to continue to provide support service, warranty, or updates +for a work that has been modified or installed by the recipient, or for +the User Product in which it has been modified or installed. Access to a +network may be denied when the modification itself materially and +adversely affects the operation of the network or violates the rules and +protocols for communication across the network. + + Corresponding Source conveyed, and Installation Information provided, +in accord with this section must be in a format that is publicly +documented (and with an implementation available to the public in +source code form), and must require no special password or key for +unpacking, reading or copying. + + 7. Additional Terms. + + "Additional permissions" are terms that supplement the terms of this +License by making exceptions from one or more of its conditions. +Additional permissions that are applicable to the entire Program shall +be treated as though they were included in this License, to the extent +that they are valid under applicable law. 
If additional permissions +apply only to part of the Program, that part may be used separately +under those permissions, but the entire Program remains governed by +this License without regard to the additional permissions. + + When you convey a copy of a covered work, you may at your option +remove any additional permissions from that copy, or from any part of +it. (Additional permissions may be written to require their own +removal in certain cases when you modify the work.) You may place +additional permissions on material, added by you to a covered work, +for which you have or can give appropriate copyright permission. + + Notwithstanding any other provision of this License, for material you +add to a covered work, you may (if authorized by the copyright holders of +that material) supplement the terms of this License with terms: + + a) Disclaiming warranty or limiting liability differently from the + terms of sections 15 and 16 of this License; or + + b) Requiring preservation of specified reasonable legal notices or + author attributions in that material or in the Appropriate Legal + Notices displayed by works containing it; or + + c) Prohibiting misrepresentation of the origin of that material, or + requiring that modified versions of such material be marked in + reasonable ways as different from the original version; or + + d) Limiting the use for publicity purposes of names of licensors or + authors of the material; or + + e) Declining to grant rights under trademark law for use of some + trade names, trademarks, or service marks; or + + f) Requiring indemnification of licensors and authors of that + material by anyone who conveys the material (or modified versions of + it) with contractual assumptions of liability to the recipient, for + any liability that these contractual assumptions directly impose on + those licensors and authors. + + All other non-permissive additional terms are considered "further +restrictions" within the meaning of section 10. 
If the Program as you +received it, or any part of it, contains a notice stating that it is +governed by this License along with a term that is a further +restriction, you may remove that term. If a license document contains +a further restriction but permits relicensing or conveying under this +License, you may add to a covered work material governed by the terms +of that license document, provided that the further restriction does +not survive such relicensing or conveying. + + If you add terms to a covered work in accord with this section, you +must place, in the relevant source files, a statement of the +additional terms that apply to those files, or a notice indicating +where to find the applicable terms. + + Additional terms, permissive or non-permissive, may be stated in the +form of a separately written license, or stated as exceptions; +the above requirements apply either way. + + 8. Termination. + + You may not propagate or modify a covered work except as expressly +provided under this License. Any attempt otherwise to propagate or +modify it is void, and will automatically terminate your rights under +this License (including any patent licenses granted under the third +paragraph of section 11). + + However, if you cease all violation of this License, then your +license from a particular copyright holder is reinstated (a) +provisionally, unless and until the copyright holder explicitly and +finally terminates your license, and (b) permanently, if the copyright +holder fails to notify you of the violation by some reasonable means +prior to 60 days after the cessation. + + Moreover, your license from a particular copyright holder is +reinstated permanently if the copyright holder notifies you of the +violation by some reasonable means, this is the first time you have +received notice of violation of this License (for any work) from that +copyright holder, and you cure the violation prior to 30 days after +your receipt of the notice. 
+ + Termination of your rights under this section does not terminate the +licenses of parties who have received copies or rights from you under +this License. If your rights have been terminated and not permanently +reinstated, you do not qualify to receive new licenses for the same +material under section 10. + + 9. Acceptance Not Required for Having Copies. + + You are not required to accept this License in order to receive or +run a copy of the Program. Ancillary propagation of a covered work +occurring solely as a consequence of using peer-to-peer transmission +to receive a copy likewise does not require acceptance. However, +nothing other than this License grants you permission to propagate or +modify any covered work. These actions infringe copyright if you do +not accept this License. Therefore, by modifying or propagating a +covered work, you indicate your acceptance of this License to do so. + + 10. Automatic Licensing of Downstream Recipients. + + Each time you convey a covered work, the recipient automatically +receives a license from the original licensors, to run, modify and +propagate that work, subject to this License. You are not responsible +for enforcing compliance by third parties with this License. + + An "entity transaction" is a transaction transferring control of an +organization, or substantially all assets of one, or subdividing an +organization, or merging organizations. If propagation of a covered +work results from an entity transaction, each party to that +transaction who receives a copy of the work also receives whatever +licenses to the work the party's predecessor in interest had or could +give under the previous paragraph, plus a right to possession of the +Corresponding Source of the work from the predecessor in interest, if +the predecessor has it or can get it with reasonable efforts. + + You may not impose any further restrictions on the exercise of the +rights granted or affirmed under this License. 
For example, you may +not impose a license fee, royalty, or other charge for exercise of +rights granted under this License, and you may not initiate litigation +(including a cross-claim or counterclaim in a lawsuit) alleging that +any patent claim is infringed by making, using, selling, offering for +sale, or importing the Program or any portion of it. + + 11. Patents. + + A "contributor" is a copyright holder who authorizes use under this +License of the Program or a work on which the Program is based. The +work thus licensed is called the contributor's "contributor version". + + A contributor's "essential patent claims" are all patent claims +owned or controlled by the contributor, whether already acquired or +hereafter acquired, that would be infringed by some manner, permitted +by this License, of making, using, or selling its contributor version, +but do not include claims that would be infringed only as a +consequence of further modification of the contributor version. For +purposes of this definition, "control" includes the right to grant +patent sublicenses in a manner consistent with the requirements of +this License. + + Each contributor grants you a non-exclusive, worldwide, royalty-free +patent license under the contributor's essential patent claims, to +make, use, sell, offer for sale, import and otherwise run, modify and +propagate the contents of its contributor version. + + In the following three paragraphs, a "patent license" is any express +agreement or commitment, however denominated, not to enforce a patent +(such as an express permission to practice a patent or covenant not to +sue for patent infringement). To "grant" such a patent license to a +party means to make such an agreement or commitment not to enforce a +patent against the party. 
+ + If you convey a covered work, knowingly relying on a patent license, +and the Corresponding Source of the work is not available for anyone +to copy, free of charge and under the terms of this License, through a +publicly available network server or other readily accessible means, +then you must either (1) cause the Corresponding Source to be so +available, or (2) arrange to deprive yourself of the benefit of the +patent license for this particular work, or (3) arrange, in a manner +consistent with the requirements of this License, to extend the patent +license to downstream recipients. "Knowingly relying" means you have +actual knowledge that, but for the patent license, your conveying the +covered work in a country, or your recipient's use of the covered work +in a country, would infringe one or more identifiable patents in that +country that you have reason to believe are valid. + + If, pursuant to or in connection with a single transaction or +arrangement, you convey, or propagate by procuring conveyance of, a +covered work, and grant a patent license to some of the parties +receiving the covered work authorizing them to use, propagate, modify +or convey a specific copy of the covered work, then the patent license +you grant is automatically extended to all recipients of the covered +work and works based on it. + + A patent license is "discriminatory" if it does not include within +the scope of its coverage, prohibits the exercise of, or is +conditioned on the non-exercise of one or more of the rights that are +specifically granted under this License. 
You may not convey a covered +work if you are a party to an arrangement with a third party that is +in the business of distributing software, under which you make payment +to the third party based on the extent of your activity of conveying +the work, and under which the third party grants, to any of the +parties who would receive the covered work from you, a discriminatory +patent license (a) in connection with copies of the covered work +conveyed by you (or copies made from those copies), or (b) primarily +for and in connection with specific products or compilations that +contain the covered work, unless you entered into that arrangement, +or that patent license was granted, prior to 28 March 2007. + + Nothing in this License shall be construed as excluding or limiting +any implied license or other defenses to infringement that may +otherwise be available to you under applicable patent law. + + 12. No Surrender of Others' Freedom. + + If conditions are imposed on you (whether by court order, agreement or +otherwise) that contradict the conditions of this License, they do not +excuse you from the conditions of this License. If you cannot convey a +covered work so as to satisfy simultaneously your obligations under this +License and any other pertinent obligations, then as a consequence you may +not convey it at all. For example, if you agree to terms that obligate you +to collect a royalty for further conveying from those to whom you convey +the Program, the only way you could satisfy both those terms and this +License would be to refrain entirely from conveying the Program. + + 13. Use with the GNU Affero General Public License. + + Notwithstanding any other provision of this License, you have +permission to link or combine any covered work with a work licensed +under version 3 of the GNU Affero General Public License into a single +combined work, and to convey the resulting work. 
The terms of this +License will continue to apply to the part which is the covered work, +but the special requirements of the GNU Affero General Public License, +section 13, concerning interaction through a network will apply to the +combination as such. + + 14. Revised Versions of this License. + + The Free Software Foundation may publish revised and/or new versions of +the GNU General Public License from time to time. Such new versions will +be similar in spirit to the present version, but may differ in detail to +address new problems or concerns. + + Each version is given a distinguishing version number. If the +Program specifies that a certain numbered version of the GNU General +Public License "or any later version" applies to it, you have the +option of following the terms and conditions either of that numbered +version or of any later version published by the Free Software +Foundation. If the Program does not specify a version number of the +GNU General Public License, you may choose any version ever published +by the Free Software Foundation. + + If the Program specifies that a proxy can decide which future +versions of the GNU General Public License can be used, that proxy's +public statement of acceptance of a version permanently authorizes you +to choose that version for the Program. + + Later license versions may give you additional or different +permissions. However, no additional obligations are imposed on any +author or copyright holder as a result of your choosing to follow a +later version. + + 15. Disclaimer of Warranty. + + THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY +APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT +HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY +OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, +THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR +PURPOSE. 
THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM +IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF +ALL NECESSARY SERVICING, REPAIR OR CORRECTION. + + 16. Limitation of Liability. + + IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING +WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS +THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY +GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE +USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF +DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD +PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), +EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF +SUCH DAMAGES. + + 17. Interpretation of Sections 15 and 16. + + If the disclaimer of warranty and limitation of liability provided +above cannot be given local legal effect according to their terms, +reviewing courts shall apply local law that most closely approximates +an absolute waiver of all civil liability in connection with the +Program, unless a warranty or assumption of liability accompanies a +copy of the Program in return for a fee. + + END OF TERMS AND CONDITIONS + + How to Apply These Terms to Your New Programs + + If you develop a new program, and you want it to be of the greatest +possible use to the public, the best way to achieve this is to make it +free software which everyone can redistribute and change under these terms. + + To do so, attach the following notices to the program. It is safest +to attach them to the start of each source file to most effectively +state the exclusion of warranty; and each file should have at least +the "copyright" line and a pointer to where the full notice is found. 
+ + + Copyright (C) + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . + +Also add information on how to contact you by electronic and paper mail. + + If the program does terminal interaction, make it output a short +notice like this when it starts in an interactive mode: + + Copyright (C) + This program comes with ABSOLUTELY NO WARRANTY; for details type `show w'. + This is free software, and you are welcome to redistribute it + under certain conditions; type `show c' for details. + +The hypothetical commands `show w' and `show c' should show the appropriate +parts of the General Public License. Of course, your program's commands +might be different; for a GUI interface, you would use an "about box". + + You should also get your employer (if you work as a programmer) or school, +if any, to sign a "copyright disclaimer" for the program, if necessary. +For more information on this, and how to apply and follow the GNU GPL, see +. + + The GNU General Public License does not permit incorporating your program +into proprietary programs. If your program is a subroutine library, you +may consider it more useful to permit linking proprietary applications with +the library. If this is what you want to do, use the GNU Lesser General +Public License instead of this License. But first, please read +. 
diff --git a/apps/nginx/versions/1.21.4/www/common/waf/README.md b/apps/nginx/versions/1.21.4/www/common/waf/README.md new file mode 100644 index 00000000..ef09fa80 --- /dev/null +++ b/apps/nginx/versions/1.21.4/www/common/waf/README.md @@ -0,0 +1,2 @@ +# waf +waf 是一个基于 lua-nginx-module(openresty) 的 web 应用防火墙 diff --git a/apps/nginx/versions/1.21.4/www/common/waf/access.lua b/apps/nginx/versions/1.21.4/www/common/waf/access.lua index b4e8c78d..8a1d2e26 100644 --- a/apps/nginx/versions/1.21.4/www/common/waf/access.lua +++ b/apps/nginx/versions/1.21.4/www/common/waf/access.lua @@ -8,7 +8,7 @@ local method=ngx.req.get_method() local function optionIsOn(options) - return options == "on" or options == "On" or options == "ON" + return options == "on" or options == "On" or options == "ON" end local logpath = ngx.var.logdir 
@@ -26,273 +26,297 @@ local CookieDeny = optionIsOn(ngx.var.cookieDeny) local FileExtDeny = optionIsOn(ngx.var.fileExtDeny) local function getClientIp() - IP = ngx.var.remote_addr - if IP == nil then - IP = "unknown" - end - return IP + IP = ngx.var.remote_addr + if IP == nil then + IP = "unknown" + end + return IP end local function write(logfile,msg) - local fd = io.open(logfile,"ab") - if fd == nil then return end - fd:write(msg) - fd:flush() - fd:close() + local fd = io.open(logfile,"ab") + if fd == nil then return end + fd:write(msg) + fd:flush() + fd:close() end local function log(method,url,data,ruletag) - if attacklog then - local realIp = getClientIp() - local ua = ngx.var.http_user_agent - local servername=ngx.var.server_name - local time=ngx.localtime() + if attacklog then + local realIp = getClientIp() + local ua = ngx.var.http_user_agent + local servername=ngx.var.server_name + local time=ngx.localtime() local line = nil - if ua then - line = realIp.." ["..time.."] \""..method.." "..servername..url.."\" \""..data.."\" \""..ua.."\" \""..ruletag.."\"\n" - else - line = realIp.." ["..time.."] \""..method.." "..servername..url.."\" \""..data.."\" - \""..ruletag.."\"\n" - end - local filename = logpath..'/'..servername.."_"..ngx.today().."_sec.log" - write(filename,line) - end + if ua then + line = realIp.." ["..time.."] \""..method.." "..servername..url.."\" \""..data.."\" \""..ua.."\" \""..ruletag.."\"\n" + else + line = realIp.." ["..time.."] \""..method.." 
"..servername..url.."\" \""..data.."\" - \""..ruletag.."\"\n" + end + local filename = logpath..'/'..servername.."_"..ngx.today().."_sec.log" + write(filename,line) + end end ------------------------------------规则读取函数------------------------------------------------------------------- -local function read_rule(var) - file = io.open(rulepath..'/'..var,"r") - if file==nil then - return - end - t = {} - for line in file:lines() do - table.insert(t,line) - end - file:close() - return(t) -end +--local function read_rule(var) +-- file = io.open(rulepath..'/'..var,"r") +-- if file==nil then +-- return +-- end +-- t = {} +-- for line in file:lines() do +-- table.insert(t,line) +-- end +-- file:close() +-- return(t) +--end + +--local function read_json(var) +-- file = io.open(rulepath..'/'..var,"r") +-- if file==nil then +-- return +-- end +-- str = file:read("*a") +-- file:close() +-- list = cjson.decode(str) +-- return list +--end + local function read_json(var) - file = io.open(rulepath..'/'..var,"r") - if file==nil then - return - end + file = io.open(rulepath..'/'..var .. 
'.json',"r") + if file==nil then + return + end str = file:read("*a") file:close() list = cjson.decode(str) return list end -local function read_str(var) - file = io.open(rulepath..'/'..var,"r") - if file==nil then - return - end - local str = file:read("*a") - file:close() - return str + +local function select_rules(rules) + if not rules then return {} end + new_rules = {} + for i,v in ipairs(rules) do + if v[1] == 1 then + print("111") + table.insert(new_rules,v[2]) + end + end + return new_rules end +local function read_str(var) + file = io.open(rulepath..'/'..var,"r") + if file==nil then + return + end + local str = file:read("*a") + file:close() + return str +end +local argsCheckList=select_rules(read_json('args_check')) +local postCheckList=select_rules(read_json('post_check')) +local cookieBlockList=select_rules(read_json('cookie_block')) +local uarules=select_rules(read_json('user_agent')) -local urlWhiteList=read_rule('urlWhiteList') -local urlBlockList=read_rule('urlBlockList') -local argsCheckList=read_rule('argsCheckList') -local postCheckList=read_rule('postCheckList') -local cookieBlockList=read_rule('cookieBlockList') -local ipWhiteList=read_json('ipWhiteList') -local ipBlockList=read_json('ipBlockList') -local ccRate=read_str('ccRate') -local fileExtBlockList = read_json('fileExtBlockList') +local urlWhiteList=read_json('url_white') +local urlBlockList=read_json('url_block') +local ipWhiteList=read_json('ip_white') +local ipBlockList=read_json('ip_block') +local fileExtBlockList = read_json('file_ext_block') +local ccRate=read_str('cc.json') local html=read_str('html') -local uarules=read_rule('user-agent') local function say_html() - if Redirect then - ngx.header.content_type = "text/html" - ngx.status = ngx.HTTP_FORBIDDEN - ngx.say(html) - ngx.exit(ngx.status) - end + if Redirect then + ngx.header.content_type = "text/html" + ngx.status = ngx.HTTP_FORBIDDEN + ngx.say(html) + ngx.exit(ngx.status) + end end local function whiteurl() - if 
UrlWhiteAllow then - if urlWhiteList ~=nil then - for _,rule in pairs(urlWhiteList) do - if ngxmatch(ngx.var.uri,rule,"isjo") then - return true - end - end - end - end - return false + if UrlWhiteAllow then + if urlWhiteList ~=nil then + for _,rule in pairs(urlWhiteList) do + if ngxmatch(ngx.var.uri,rule,"isjo") then + return true + end + end + end + end + return false end local function fileExtCheck(ext) - if FileExtDeny then - local items = Set(fileExtBlockList) - ext=string.lower(ext) - if ext then - for rule in pairs(items) do - if ngx.re.match(ext,rule,"isjo") then - log('POST',ngx.var.request_uri,"-","file attack with ext "..ext) - say_html() - end - end - end - end - return false + if FileExtDeny then + local items = Set(fileExtBlockList) + ext=string.lower(ext) + if ext then + for rule in pairs(items) do + if ngx.re.match(ext,rule,"isjo") then + log('POST',ngx.var.request_uri,"-","file attack with ext "..ext) + say_html() + end + end + end + end + return false end function Set (list) - local set = {} - for _, l in ipairs(list) do set[l] = true end - return set + local set = {} + for _, l in ipairs(list) do set[l] = true end + return set end local function args() - if ArgsDeny then - if argsCheckList then - for _,rule in pairs(argsCheckList) do - local uriArgs = ngx.req.get_uri_args() - for key, val in pairs(uriArgs) do - if type(val)=='table' then - local t={} - for k,v in pairs(val) do - if v == true then - v="" - end - table.insert(t,v) - end - data=table.concat(t, " ") - else - data=val - end - if data and type(data) ~= "boolean" and rule ~="" and ngxmatch(unescape(data),rule,"isjo") then - log('GET',ngx.var.request_uri,"-",rule) - say_html() - return true - end - end - end - end - end - return false + if ArgsDeny then + if argsCheckList then + for _,rule in pairs(argsCheckList) do + local uriArgs = ngx.req.get_uri_args() + for key, val in pairs(uriArgs) do + if type(val)=='table' then + local t={} + for k,v in pairs(val) do + if v == true then + v="" + 
end + table.insert(t,v) + end + data=table.concat(t, " ") + else + data=val + end + if data and type(data) ~= "boolean" and rule ~="" and ngxmatch(unescape(data),rule,"isjo") then + log('GET',ngx.var.request_uri,"-",rule) + say_html() + return true + end + end + end + end + end + return false end local function url() - if UrlBlockDeny then - for _,rule in pairs(urlBlockList) do - if rule ~="" and ngxmatch(ngx.var.request_uri,rule,"isjo") then - log('GET',ngx.var.request_uri,"-",rule) - say_html() - return true - end - end - end - return false + if UrlBlockDeny then + for _,rule in pairs(urlBlockList) do + if rule ~="" and ngxmatch(ngx.var.request_uri,rule,"isjo") then + log('GET',ngx.var.request_uri,"-",rule) + say_html() + return true + end + end + end + return false end function ua() - local ua = ngx.var.http_user_agent - if ua ~= nil then - for _,rule in pairs(uarules) do - if rule ~="" and ngxmatch(ua,rule,"isjo") then - log('UA',ngx.var.request_uri,"-",rule) - say_html() - return true - end - end - end - return false + local ua = ngx.var.http_user_agent + if ua ~= nil then + for _,rule in pairs(uarules) do + if rule ~="" and ngxmatch(ua,rule,"isjo") then + log('UA',ngx.var.request_uri,"-",rule) + say_html() + return true + end + end + end + return false end function body(data) - for _,rule in pairs(postCheckList) do - if rule ~="" and data~="" and ngxmatch(unescape(data),rule,"isjo") then - log('POST',ngx.var.request_uri,data,rule) - say_html() - return true - end - end - return false + for _,rule in pairs(postCheckList) do + if rule ~="" and data~="" and ngxmatch(unescape(data),rule,"isjo") then + log('POST',ngx.var.request_uri,data,rule) + say_html() + return true + end + end + return false end local function cookie() - local ck = ngx.var.http_cookie - if CookieDeny and ck then - for _,rule in pairs(cookieBlockList) do - if rule ~="" and ngxmatch(ck,rule,"isjo") then - log('Cookie',ngx.var.request_uri,"-",rule) - say_html() - return true - end - end - end - 
return false + local ck = ngx.var.http_cookie + if CookieDeny and ck then + for _,rule in pairs(cookieBlockList) do + if rule ~="" and ngxmatch(ck,rule,"isjo") then + log('Cookie',ngx.var.request_uri,"-",rule) + say_html() + return true + end + end + end + return false end local function denycc() - if CCDeny and ccRate then - local uri=ngx.var.uri - CCcount=tonumber(string.match(ccRate,'(.*)/')) - CCseconds=tonumber(string.match(ccRate,'/(.*)')) - local uri = getClientIp()..uri - local limit = ngx.shared.limit - local req,_=limit:get(uri) - if req then - if req > CCcount then - ngx.exit(503) - return true - else - limit:incr(token,1) - end - else - limit:set(uri,1,CCseconds) - end - end - return false + if CCDeny and ccRate then + local uri=ngx.var.uri + CCcount=tonumber(string.match(ccRate,'(.*)/')) + CCseconds=tonumber(string.match(ccRate,'/(.*)')) + local uri = getClientIp()..uri + local limit = ngx.shared.limit + local req,_=limit:get(uri) + if req then + if req > CCcount then + ngx.exit(503) + return true + else + limit:incr(token,1) + end + else + limit:set(uri,1,CCseconds) + end + end + return false end local function get_boundary() - local header = get_headers()["content-type"] - if not header then - return nil - end + local header = get_headers()["content-type"] + if not header then + return nil + end - if type(header) == "table" then - header = header[1] - end + if type(header) == "table" then + header = header[1] + end - local m = match(header, ";%s*boundary=\"([^\"]+)\"") - if m then - return m - end + local m = match(header, ";%s*boundary=\"([^\"]+)\"") + if m then + return m + end - return match(header, ";%s*boundary=([^\",;]+)") + return match(header, ";%s*boundary=([^\",;]+)") end local function whiteip() - if IpWhiteAllow then - if next(ipWhiteList) ~= nil then - for _,ip in pairs(ipWhiteList) do - if getClientIp()==ip then - return true - end - end - end - end - return false + if IpWhiteAllow then + if next(ipWhiteList) ~= nil then + for _,ip in 
pairs(ipWhiteList) do + if getClientIp()==ip then + return true + end + end + end + end + return false end local function blockip() - if IpBlockDeny then - if next(ipBlockList) ~= nil then - for _,ip in pairs(ipBlockList) do - if getClientIp()==ip then - ngx.exit(403) - return true - end - end - end - end - return false + if IpBlockDeny then + if next(ipBlockList) ~= nil then + for _,ip in pairs(ipBlockList) do + if getClientIp()==ip then + ngx.exit(403) + return true + end + end + end + end + return false end 
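Review bot: `select_rules` never enables a single rule: every entry in the new JSON rule files has the shape `[pattern, description, enabled]`, so `v[1]` is the pattern string and can never equal `1`, and even if it did the loop inserts the description (`v[2]`) instead of the pattern. As written `argsCheckList`, `postCheckList`, `cookieBlockList` and `uarules` are always empty tables and the args/POST/cookie/UA checks silently let everything through; change the body to `if v[3] == 1 then table.insert(new_rules, v[1]) end`, drop the leftover `print("111")`, and declare `new_rules` as `local`. Separately, the diff renames the old `ipWhiteList` to `url_block.json` with 100% similarity and deletes `urlBlockList`, so `read_json('url_block')` now loads the former IP whitelist while the URL block patterns (`\.(svn|htaccess|bash_history)`, `(phpmyadmin|jmx-console|jmxinvokerservlet)`, …) no longer exist anywhere in the tree; `url_block.json` should carry those patterns in the new three-element form. The hunk also re-indents `limit:incr(token,1)` in `denycc`, which still references an undefined `token` rather than the `uri` key that was just looked up — unchanged by this commit, but worth fixing while in the file.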
@@ -310,74 +334,74 @@ elseif url() then elseif args() then elseif cookie() then elseif PostDeny then - if method=="POST" then - local boundary = get_boundary() - if boundary then - local len = string.len + if method=="POST" then + local boundary = get_boundary() + if boundary then + local len = string.len local sock, err = ngx.req.socket() - if not sock then - return + if not sock then + return end - ngx.req.init_body(128 * 1024) + ngx.req.init_body(128 * 1024) sock:settimeout(0) - local content_length = nil - content_length=tonumber(ngx.req.get_headers()['content-length']) - local chunk_size = 4096 + local content_length = nil + content_length=tonumber(ngx.req.get_headers()['content-length']) + local chunk_size = 4096 if content_length < chunk_size then - chunk_size = content_length - end + chunk_size = content_length + end local size = 0 - while size < content_length do - local data, err, partial = sock:receive(chunk_size) - data = data or partial - if not data then - return - end - ngx.req.append_body(data) - if body(data) then - return true - end - size = size + len(data) - local m = ngxmatch(data,[[Content-Disposition: form-data;(.+)filename="(.+)\\.(.*)"]],'ijo') - if m then - fileExtCheck(m[3]) - filetranslate = true - else - if ngxmatch(data,"Content-Disposition:",'isjo') then - filetranslate = false - end - if filetranslate==false then - if body(data) then - return true - end - end - end - local less = content_length - size - if less < chunk_size then - chunk_size = less - end - end - ngx.req.finish_body() - else - ngx.req.read_body() - local args = ngx.req.get_post_args() - if not args then - return - end - for key, val in pairs(args) do - if type(val) == "table" then - if type(val[1]) == "boolean" then - return - end - data=table.concat(val, ", ") - else - data=val - end - if data and type(data) ~= "boolean" and body(data) then - body(key) - end - end - end + while size < content_length do + local data, err, partial = sock:receive(chunk_size) + data = 
data or partial + if not data then + return + end + ngx.req.append_body(data) + if body(data) then + return true + end + size = size + len(data) + local m = ngxmatch(data,[[Content-Disposition: form-data;(.+)filename="(.+)\\.(.*)"]],'ijo') + if m then + fileExtCheck(m[3]) + filetranslate = true + else + if ngxmatch(data,"Content-Disposition:",'isjo') then + filetranslate = false + end + if filetranslate==false then + if body(data) then + return true + end + end + end + local less = content_length - size + if less < chunk_size then + chunk_size = less + end + end + ngx.req.finish_body() + else + ngx.req.read_body() + local args = ngx.req.get_post_args() + if not args then + return + end + for key, val in pairs(args) do + if type(val) == "table" then + if type(val[1]) == "boolean" then + return + end + data=table.concat(val, ", ") + else + data=val + end + if data and type(data) ~= "boolean" and body(data) then + body(key) + end + end + end end else return diff --git a/apps/nginx/versions/1.21.4/www/common/waf/rules/argsCheckList b/apps/nginx/versions/1.21.4/www/common/waf/rules/argsCheckList deleted file mode 100644 index d5bf8e80..00000000 --- a/apps/nginx/versions/1.21.4/www/common/waf/rules/argsCheckList +++ /dev/null 
@@ -1,22 +0,0 @@
-\.\./
-\:\$
-\$\{
-select.+(from|limit)
-(?:(union(.*?)select))
-having|rongjitest
-sleep\((\s*)(\d*)(\s*)\)
-benchmark\((.*)\,(.*)\)
-base64_decode\(
-(?:from\W+information_schema\W)
-(?:(?:current_)user|database|schema|connection_id)\s*\(
-(?:etc\/\W*passwd)
-into(\s+)+(?:dump|out)file\s*
-group\s+by.+\(
-xwork.MethodAccessor
-(?:define|eval|file_get_contents|include|require|require_once|shell_exec|phpinfo|system|passthru|preg_\w+|execute|echo|print|print_r|var_dump|(fp)open|alert|showmodaldialog)\(
-xwork\.MethodAccessor
-(gopher|doc|php|glob|file|phar|zlib|ftp|ldap|dict|ogg|data)\:\/
-java\.lang
-\$_(GET|post|cookie|files|session|env|phplib|GLOBALS|SERVER)\[
-\<(iframe|script|body|img|layer|div|meta|style|base|object|input)
-(onmouseover|onerror|onload)\=
diff --git a/apps/nginx/versions/1.21.4/www/common/waf/rules/args_check.json b/apps/nginx/versions/1.21.4/www/common/waf/rules/args_check.json
new file mode 100644
index 00000000..0b1767cb
--- /dev/null
+++ b/apps/nginx/versions/1.21.4/www/common/waf/rules/args_check.json
@@ -0,0 +1,26 @@
+[
+ ["\\.\\./\\.\\./", "\u76ee\u5f55\u4fdd\u62a41", 1 ],
+ ["(?:etc\\/\\W*passwd)", "\u76ee\u5f55\u4fdd\u62a43", 1 ],
+ ["(gopher|doc|php|glob|^file|phar|zlib|ftp|ldap|dict|ogg|data)\\:\\/", "PHP\u6d41\u534f\u8bae\u8fc7\u6ee41", 1 ],
+ ["base64_decode\\(", "\u4e00\u53e5\u8bdd\u6728\u9a6c\u8fc7\u6ee43", 1],
+ ["(?:define|eval|file_get_contents|include|require|require_once|shell_exec|phpinfo|system|passthru|char|chr|preg_\\w+|execute|echo|print|print_r|var_dump|(fp)open|alert|showmodaldialog)\\(", "\u4e00\u53e5\u8bdd\u6728\u9a6c\u8fc7\u6ee44", 1 ],
+ ["\\$_(GET|post|cookie|files|session|env|phplib|GLOBALS|SERVER)\\[", "\u4e00\u53e5\u8bdd\u6728\u9a6c\u8fc7\u6ee45", 1],
+ ["select.+(from|limit)", "SQL\u6ce8\u5165\u8fc7\u6ee42", 1 ],
+ ["(?:(union(.*?)select))", "SQL\u6ce8\u5165\u8fc7\u6ee43", 1 ],
+ ["benchmark\\((.*)\\,(.*)\\)", "SQL\u6ce8\u5165\u8fc7\u6ee46", 1],
+ ["(?:from\\W+information_schema\\W)", "SQL\u6ce8\u5165\u8fc7\u6ee47", 1],
+ ["(?:(?:current_)user|database|concat|extractvalue|polygon|updatexml|geometrycollection|schema|multipoint|multipolygon|connection_id|linestring|multilinestring|exp|right|sleep|group_concat|load_file|benchmark|file_put_contents|urldecode|system|file_get_contents|select|substring|substr|fopen|popen|phpinfo|user|alert|scandir|shell_exec|eval|execute|concat_ws|strcmp|right)\\s*\\(", "SQL\u6ce8\u5165\u8fc7\u6ee48", 1 ],
+ ["\\<(iframe|script|body|img|layer|div|meta|style|base|object)", "XSS\u8fc7\u6ee41", 1],
+ ["(invokefunction|call_user_func_array|\\\\think\\\\)", "ThinkPHP payload\u5c01\u5835", 1 ],
+ ["^url_array\\[.*\\]$", "Metinfo6.x XSS\u6f0f\u6d1e", 1],
+ ["(extractvalue\\(|concat\\(0x|user\\(\\)|substring\\(|count\\(\\*\\)|substring\\(hex\\(|updatexml\\()", "SQL\u62a5\u9519\u6ce8\u5165\u8fc7\u6ee401", 1],
+ ["(@@version|load_file\\(|NAME_CONST\\(|exp\\(\\~|floor\\(rand\\(|geometrycollection\\(|multipoint\\(|polygon\\(|multipolygon\\(|linestring\\(|multilinestring\\()", "SQL\u62a5\u9519\u6ce8\u5165\u8fc7\u6ee402", 1],
+ ["(ORD\\(|MID\\(|IFNULL\\(|CAST\\(|CHAR\\()", "SQL\u6ce8\u5165\u8fc7\u6ee41", 1],
+ ["(EXISTS\\(|SELECT\\#|\\(SELECT)", "SQL\u6ce8\u5165\u8fc7\u6ee41", 1],
+ ["(bin\\(|ascii\\(|benchmark\\(|concat_ws\\(|group_concat\\(|strcmp\\(|left\\(|datadir\\(|greatest\\()", "SQL\u62a5\u9519\u6ce8\u5165\u8fc7\u6ee401", 1],
+ ["(?:from.+?information_schema.+?)", "", 1],
+ ["(array_map\\(\"ass)", "\u83dc\u5200\u6d41\u91cf\u8fc7\u6ee4", 1],
+ ["'$", "test", 1],
+ ["\\${jndi:", "log4j2\u62e6\u622a", 1 ],
+ ["terrewrewrwr", "", 1]
+]
\ No newline at end of file
diff --git a/apps/nginx/versions/1.21.4/www/common/waf/rules/ccRate b/apps/nginx/versions/1.21.4/www/common/waf/rules/cc.json
similarity index 100%
rename from apps/nginx/versions/1.21.4/www/common/waf/rules/ccRate
rename to apps/nginx/versions/1.21.4/www/common/waf/rules/cc.json
diff --git a/apps/nginx/versions/1.21.4/www/common/waf/rules/cookieBlockList b/apps/nginx/versions/1.21.4/www/common/waf/rules/cookieBlockList
deleted file mode 100644
index 30554cac..00000000
--- a/apps/nginx/versions/1.21.4/www/common/waf/rules/cookieBlockList
+++ /dev/null
@@ -1,20 +0,0 @@
-\.\./
-\:\$
-\$\{
-select.+(from|limit)
-(?:(union(.*?)select))
-having|rongjitest
-sleep\((\s*)(\d*)(\s*)\)
-benchmark\((.*)\,(.*)\)
-base64_decode\(
-(?:from\W+information_schema\W)
-(?:(?:current_)user|database|schema|connection_id)\s*\(
-(?:etc\/\W*passwd)
-into(\s+)+(?:dump|out)file\s*
-group\s+by.+\(
-xwork.MethodAccessor
-(?:define|eval|file_get_contents|include|require|require_once|shell_exec|phpinfo|system|passthru|preg_\w+|execute|echo|print|print_r|var_dump|(fp)open|alert|showmodaldialog)\(
-xwork\.MethodAccessor
-(gopher|doc|php|glob|file|phar|zlib|ftp|ldap|dict|ogg|data)\:\/
-java\.lang
-\$_(GET|post|cookie|files|session|env|phplib|GLOBALS|SERVER)\[
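Review bot: Two leftover test entries ship as live rules: `["'$", "test", 1]` blocks every query-string value that ends in a single quote, and `["terrewrewrwr", "", 1]` is a placeholder with no description; both should be removed before this rule set is installed. `["(?:from.+?information_schema.+?)", "", 1]` also has an empty description and duplicates the `(?:from\\W+information_schema\\W)` rule above it, so either drop it or label it, since the description is the only human-readable tag an operator has for a rule. The long `(?:(?:current_)user|database|concat|…|right)\\s*\\(` rule lists `user`, `right`, `exp`, `concat`, `substr` and `select` — common identifiers that will likely match benign parameters such as a JavaScript or template snippet passed in a query string — and `right` appears in it twice; consider narrowing those to the error-based forms used in the `concat\\(0x` / `updatexml\\(` rule, or documenting that this list is tuned for PHP CMS traffic.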
diff --git a/apps/nginx/versions/1.21.4/www/common/waf/rules/cookie_block.json b/apps/nginx/versions/1.21.4/www/common/waf/rules/cookie_block.json
new file mode 100644
index 00000000..659a58c0
--- /dev/null
+++ b/apps/nginx/versions/1.21.4/www/common/waf/rules/cookie_block.json
@@ -0,0 +1,12 @@
+[
+ ["base64_decode\\(","一句话木马过滤3",1],
+ ["\\$_(GET|post|cookie|files|session|env|phplib|GLOBALS|SERVER)\\[","一句话木马过滤5",1],
+ ["select.+(from|limit)","SQL注入过滤2",1],
+ ["(?:(union(.*?)select))","SQL注入过滤3",1],
+ ["sleep\\((\\s*)(\\d*)(\\s*)\\)","SQL注入过滤5",1],
+ ["benchmark\\((.*)\\,(.*)\\)","SQL注入过滤6",1],
+ ["(?:from\\W+information_schema\\W)","SQL注入过滤7",1],
+ ["(?:(?:current_)user|database|schema|connection_id)\\s*\\(","SQL注入过滤8",1],
+ ["into(\\s+)+(?:dump|out)file\\s*","SQL注入过滤9",1],
+ ["group\\s+by.+\\(","SQL注入过滤10",1]
+]
diff --git a/apps/nginx/versions/1.21.4/www/common/waf/rules/fileExtBlockList b/apps/nginx/versions/1.21.4/www/common/waf/rules/file_ext_block.json
similarity index 100%
rename from apps/nginx/versions/1.21.4/www/common/waf/rules/fileExtBlockList
rename to apps/nginx/versions/1.21.4/www/common/waf/rules/file_ext_block.json
diff --git a/apps/nginx/versions/1.21.4/www/common/waf/rules/ipBlockList b/apps/nginx/versions/1.21.4/www/common/waf/rules/ip_block.json
similarity index 100%
rename from apps/nginx/versions/1.21.4/www/common/waf/rules/ipBlockList
rename to apps/nginx/versions/1.21.4/www/common/waf/rules/ip_block.json
diff --git a/apps/nginx/versions/1.21.4/www/common/waf/rules/ip_white.json b/apps/nginx/versions/1.21.4/www/common/waf/rules/ip_white.json
new file mode 100644
index 00000000..0c01f2ac
--- /dev/null
+++ b/apps/nginx/versions/1.21.4/www/common/waf/rules/ip_white.json
@@ -0,0 +1 @@
+["1.1.1.1"]
\ No newline at end of file
diff --git a/apps/nginx/versions/1.21.4/www/common/waf/rules/postCheckList b/apps/nginx/versions/1.21.4/www/common/waf/rules/postCheckList
deleted file mode 100644
index 87d09465..00000000
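Review bot: The `\\${jndi:` rule added to `args_check.json` and `post_check.json` is missing from this list, although Cookie and User-Agent headers are among the most commonly used carriers for JNDI lookup strings; add `["\\${jndi:","log4j2拦截",1]` here. Compared with the deleted `cookieBlockList`, this file also drops the `\$\{`, `\.\./`, `(?:etc\/\W*passwd)`, `java\.lang` and `(gopher|…|data)\:\/` patterns, so cookie values carrying path traversal or stream-wrapper payloads are no longer inspected at all. If that narrowing is deliberate the commit message should say so; otherwise carry those patterns over in the `[pattern, description, enabled]` form.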
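Review bot: The whitelist ships with a real public address, `1.1.1.1`, as its only default entry; per `whiteip()` in access.lua any request whose `remote_addr` equals a listed entry returns early once `IpWhiteAllow` is on, so an operator who deploys this file unchanged gets a bypass they never asked for. Ship an empty list, `[]`, the way `url_white.json` does, and leave it to the operator to add addresses.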
--- a/apps/nginx/versions/1.21.4/www/common/waf/rules/postCheckList
+++ /dev/null
@@ -1,19 +0,0 @@
-select.+(from|limit)
-(?:(union(.*?)select))
-having|rongjitest
-sleep\((\s*)(\d*)(\s*)\)
-benchmark\((.*)\,(.*)\)
-base64_decode\(
-(?:from\W+information_schema\W)
-(?:(?:current_)user|database|schema|connection_id)\s*\(
-(?:etc\/\W*passwd)
-into(\s+)+(?:dump|out)file\s*
-group\s+by.+\(
-xwork.MethodAccessor
-(?:define|eval|file_get_contents|include|require|require_once|shell_exec|phpinfo|system|passthru|preg_\w+|execute|echo|print|print_r|var_dump|(fp)open|alert|showmodaldialog)\(
-xwork\.MethodAccessor
-(gopher|doc|php|glob|file|phar|zlib|ftp|ldap|dict|ogg|data)\:\/
-java\.lang
-\$_(GET|post|cookie|files|session|env|phplib|GLOBALS|SERVER)\[
-\<(iframe|script|body|img|layer|div|meta|style|base|object|input)
-(onmouseover|onerror|onload)\=
diff --git a/apps/nginx/versions/1.21.4/www/common/waf/rules/post_check.json b/apps/nginx/versions/1.21.4/www/common/waf/rules/post_check.json
new file mode 100644
index 00000000..22d80c6e
--- /dev/null
+++ b/apps/nginx/versions/1.21.4/www/common/waf/rules/post_check.json
@@ -0,0 +1,22 @@
+[
+ ["\\.\\./\\.\\./", "\u76ee\u5f55\u4fdd\u62a41", 1],
+ ["(?:etc\\/\\W*passwd)", "\u76ee\u5f55\u4fdd\u62a43", 1],
+ ["(gopher|doc|php|glob|^file|phar|zlib|ftp|ldap|dict|ogg|data)\\:\\/", "PHP\u6d41\u534f\u8bae\u8fc7\u6ee41", 1],
+ ["base64_decode\\(", "\u4e00\u53e5\u8bdd*\u5c4f\u853d\u7684\u5173\u952e\u5b57*\u8fc7\u6ee41", 1],
+ ["(?:define|eval|file_get_contents|include|require_once|shell_exec|phpinfo|system|passthru|chr|char|preg_\\w+|execute|echo|print|print_r|var_dump|(fp)open|alert|showmodaldialog|file_put_contents|fopen|urldecode|scandir)\\(", "\u4e00\u53e5\u8bdd*\u5c4f\u853d\u7684\u5173\u952e\u5b57*\u8fc7\u6ee42", 1],
+ ["\\$_(GET|post|cookie|files|session|env|phplib|GLOBALS|SERVER)", "\u4e00\u53e5\u8bdd*\u5c4f\u853d\u7684\u5173\u952e\u5b57*\u8fc7\u6ee43", 1],
+ ["select.+(from|limit)", "SQL\u6ce8\u5165\u8fc7\u6ee42",1],
+ ["(?:(union(.*?)select))", "SQL\u6ce8\u5165\u8fc7\u6ee43",1],
+ ["benchmark\\((.*)\\,(.*)\\)", "SQL\u6ce8\u5165\u8fc7\u6ee46", 1],
+ ["(?:from\\W+information_schema\\W)", "SQL\u6ce8\u5165\u8fc7\u6ee47", 1],
+ ["(?:(?:current_)user|database|concat|extractvalue|polygon|updatexml|geometrycollection|schema|multipoint|multipolygon|connection_id|linestring|multilinestring|exp|right|sleep|group_concat|load_file|benchmark|file_put_contents|urldecode|system|file_get_contents|select|substring|substr|fopen|popen|phpinfo|user|alert|scandir|shell_exec|eval|execute|concat_ws|strcmp|right)\\s*\\(", "SQL\u6ce8\u5165\u8fc7\u6ee48",1],
+ ["(extractvalue\\(|concat\\(|user\\(\\)|substring\\(|count\\(\\*\\)|substring\\(hex\\(|updatexml\\()", "SQL\u62a5\u9519\u6ce8\u5165\u8fc7\u6ee401", 1],
+ ["(@@version|load_file\\(|NAME_CONST\\(|exp\\(\\~|floor\\(rand\\(|geometrycollection\\(|multipoint\\(|polygon\\(|multipolygon\\(|linestring\\(|multilinestring\\(|right\\()", "SQL\u62a5\u9519\u6ce8\u5165\u8fc7\u6ee402", 1],
+ ["(substr\\()", "SQL\u6ce8\u5165\u8fc7\u6ee410", 1],
+ ["(ORD\\(|MID\\(|IFNULL\\(|CAST\\(|CHAR\\()", "SQL\u6ce8\u5165\u8fc7\u6ee41", 1],
+ ["(EXISTS\\(|SELECT\\#|\\(SELECT|select\\()", "SQL\u6ce8\u5165\u8fc7\u6ee41", 1],
+ ["(array_map\\(\"ass)", "\u83dc\u5200\u6d41\u91cf\u8fc7\u6ee4", 1],
+ ["(bin\\(|ascii\\(|benchmark\\(|concat_ws\\(|group_concat\\(|strcmp\\(|left\\(|datadir\\(|greatest\\()", "SQL\u62a5\u9519\u6ce8\u5165\u8fc7\u6ee401", 1],
+ ["(?:from.+?information_schema.+?)", "", 1],
+ ["\\${jndi:", "log4j2\u62e6\u622a", 1]
+]
\ No newline at end of file
diff --git a/apps/nginx/versions/1.21.4/www/common/waf/rules/urlBlockList b/apps/nginx/versions/1.21.4/www/common/waf/rules/urlBlockList
deleted file mode 100644
index 31130d34..00000000
--- a/apps/nginx/versions/1.21.4/www/common/waf/rules/urlBlockList
+++ /dev/null
@@ -1,6 +0,0 @@
-\.(svn|htaccess|bash_history)
-\.(bak|inc|old|mdb|sql|backup|java|class)$
-(vhost|bbs|host|wwwroot|www|site|root|hytop|flashfxp).*\.rar
-(phpmyadmin|jmx-console|jmxinvokerservlet)
-java\.lang
-/(attachments|upimg|images|css|uploadfiles|html|uploads|templets|static|template|data|inc|forumdata|upload|includes|cache|avatar)/(\\w+).(php|jsp)
diff --git a/apps/nginx/versions/1.21.4/www/common/waf/rules/urlWhiteList b/apps/nginx/versions/1.21.4/www/common/waf/rules/urlWhiteList
deleted file mode 100644
index 4e3c6543..00000000
--- a/apps/nginx/versions/1.21.4/www/common/waf/rules/urlWhiteList
+++ /dev/null
@@ -1 +0,0 @@
-^/123/$
diff --git a/apps/nginx/versions/1.21.4/www/common/waf/rules/ipWhiteList b/apps/nginx/versions/1.21.4/www/common/waf/rules/url_block.json
similarity index 100%
rename from apps/nginx/versions/1.21.4/www/common/waf/rules/ipWhiteList
rename to apps/nginx/versions/1.21.4/www/common/waf/rules/url_block.json
diff --git a/apps/nginx/versions/1.21.4/www/common/waf/rules/url_white.json b/apps/nginx/versions/1.21.4/www/common/waf/rules/url_white.json
new file mode 100644
index 00000000..0637a088
--- /dev/null
+++ b/apps/nginx/versions/1.21.4/www/common/waf/rules/url_white.json
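Review bot: The error-based rule here matches bare `concat\\(`, while the same rule in `args_check.json` and `user_agent.json` is scoped to `concat\\(0x`; on POST bodies, where form fields legitimately carry JavaScript, SQL snippets or CMS templates, the bare form will block benign content and `body()` in access.lua then writes the whole matching chunk to the attack log. Align it to `concat\\(0x` unless the broader match is intended, and say so in the description if it is. As in the args list, `["(?:from.+?information_schema.+?)", "", 1]` has an empty description and duplicates the `(?:from\\W+information_schema\\W)` rule above it, and `right` appears twice in the long `\\s*\\(` rule; one labelled copy of each is enough.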
@@ -0,0 +1 @@
+[]
\ No newline at end of file
diff --git a/apps/nginx/versions/1.21.4/www/common/waf/rules/user-agent b/apps/nginx/versions/1.21.4/www/common/waf/rules/user-agent
deleted file mode 100644
index f929be2a..00000000
--- a/apps/nginx/versions/1.21.4/www/common/waf/rules/user-agent
+++ /dev/null
@@ -1 +0,0 @@
-(HTTrack|harvest|audit|dirbuster|pangolin|nmap|sqln|-scan|hydra|Parser|libwww|BBBike|sqlmap|w3af|owasp|Nikto|fimap|havij|PycURL|zmeu|BabyKrokodil|netsparker|httperf|bench| SF/)
diff --git a/apps/nginx/versions/1.21.4/www/common/waf/rules/user_agent.json b/apps/nginx/versions/1.21.4/www/common/waf/rules/user_agent.json
new file mode 100644
index 00000000..1f812573
--- /dev/null
+++ b/apps/nginx/versions/1.21.4/www/common/waf/rules/user_agent.json
@@ -0,0 +1,17 @@
+[
+ ["(WPScan|HTTrack|antSword|harvest|audit|dirbuster|pangolin|nmap|sqln|hydra|Parser|libwww|BBBike|sqlmap|w3af|owasp|Nikto|fimap|havij|zmeu|BabyKrokodil|netsparker|httperf| SF/)", "\u5173\u952e\u8bcd\u8fc7\u6ee41", 1],
+ ["(?:define|eval|file_get_contents|include|require_once|shell_exec|phpinfo|system|passthru|chr|char|preg_\\w+|execute|echo|print|print_r|var_dump|(fp)open|alert|showmodaldialog|file_put_contents|fopen|urldecode|scandir)\\(", "\u4e00\u53e5\u8bdd*\u5c4f\u853d\u7684\u5173\u952e\u5b57*\u8fc7\u6ee42", 1],
+ ["\\$_(GET|post|cookie|files|session|env|phplib|GLOBALS|SERVER)", "\u4e00\u53e5\u8bdd*\u5c4f\u853d\u7684\u5173\u952e\u5b57*\u8fc7\u6ee43", 1],
+ ["select\\s+.+(from|limit)\\s+", "SQL\u6ce8\u5165\u8fc7\u6ee42", 1],
+ ["(?:(union(.*?)select))", "SQL\u6ce8\u5165\u8fc7\u6ee43", 1],
+ ["benchmark\\((.*)\\,(.*)\\)", "SQL\u6ce8\u5165\u8fc7\u6ee46", 1],
+ ["(?:from\\W+information_schema\\W)", "SQL\u6ce8\u5165\u8fc7\u6ee47", 1],
+ ["(?:(?:current_)user|database|schema|connection_id)\\s*\\(", "SQL\u6ce8\u5165\u8fc7\u6ee48", 1],
+ ["(extractvalue\\(|concat\\(0x|user\\(\\)|substring\\(|count\\(\\*\\)|substring\\(hex\\(|updatexml\\()", "SQL\u62a5\u9519\u6ce8\u5165\u8fc7\u6ee401", 1],
+ ["(@@version|load_file\\(|NAME_CONST\\(|exp\\(\\~|floor\\(rand\\(|geometrycollection\\(|multipoint\\(|polygon\\(|multipolygon\\(|linestring\\(|multilinestring\\()", "SQL\u62a5\u9519\u6ce8\u5165\u8fc7\u6ee402", 1],
+ ["(substr\\()", "SQL\u6ce8\u5165\u8fc7\u6ee410", 1],
+ ["(ORD\\(|MID\\(|IFNULL\\(|CAST\\(|CHAR\\))", "SQL\u6ce8\u5165\u8fc7\u6ee41", 1],
+ ["(EXISTS\\(|SELECT\\#|\\(SELECT)", "SQL\u6ce8\u5165\u8fc7\u6ee41", 1],
+ ["(array_map\\(\"ass)", "\u83dc\u5200\u6d41\u91cf\u8fc7\u6ee4", 1],
+ ["(bin\\(|ascii\\(|benchmark\\(|concat_ws\\(|group_concat\\(|strcmp\\(|left\\(|datadir\\(|greatest\\()", "SQL\u62a5\u9519\u6ce8\u5165\u8fc7\u6ee401", 1]
+]
\ No newline at end of file
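Review bot: In the rule `["(ORD\\(|MID\\(|IFNULL\\(|CAST\\(|CHAR\\))", ...]` of user_agent.json the last alternative escapes a closing parenthesis, so it matches the text `CHAR)` rather than `CHAR(` like its four siblings; post_check.json above spells the same rule `CHAR\\(`, which is almost certainly what was meant here: `["(ORD\\(|MID\\(|IFNULL\\(|CAST\\(|CHAR\\()", "SQL\u6ce8\u5165\u8fc7\u6ee41", 1]`. The two rules that follow both reuse the label "SQL\u6ce8\u5165\u8fc7\u6ee41", so a hit on either cannot be told apart in the log; distinct labels would help when tuning false positives on User-Agent strings.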
diff --git a/apps/nginx/versions/1.21.4/www/common/waf/test.lua b/apps/nginx/versions/1.21.4/www/common/waf/test.lua
new file mode 100644
index 00000000..8236677f
--- /dev/null
+++ b/apps/nginx/versions/1.21.4/www/common/waf/test.lua
@@ -0,0 +1,35 @@
+local cjson = require "cjson"
+local rulepath = "rules"
+
+local function read_json(var)
+ file = io.open(rulepath..'/'..var .. '.json',"r")
+ if file==nil then
+ return
+ end
+ str = file:read("*a")
+ file:close()
+ list = cjson.decode(str)
+ return list
+end
+
+
+local function select_rules(rules)
+ if not rules then return {} end
+ new_rules = {}
+ for i,v in ipairs(rules) do
+ if v[1] == 1 then
+ print("111")
+ table.insert(new_rules,v[2])
+ end
+ end
+ return new_rules
+end
+
+
+
+local rules = select_rules(read_json('user_agent'))
+
+for _,v in ipairs(rules) do
+ print(v)
+end
+
diff --git a/apps/redis/versions/6.0.16/conf/redis.conf b/apps/redis/versions/6.0.16/conf/redis.conf
index bea41848..218c4b0a 100644
--- a/apps/redis/versions/6.0.16/conf/redis.conf
+++ b/apps/redis/versions/6.0.16/conf/redis.conf
@@ -1,12 +1,3 @@
-# Redis configuration rewrite by 1Panel
-timeout 0
-# maxclients 10000
-# maxmemory
-save 3600 1 300 100 60 10000
-appendonly no
-appendfsync everysec
-# End Redis configuration rewrite by 1Panel
-
 # Redis configuration file example.
 #
 # Note that in order to read the configuration file, Redis must be
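Review bot: `select_rules` in test.lua keeps an entry when `v[1] == 1` and collects `v[2]`, but every rule file this commit adds is laid out as `[pattern, label, enabled]` (see user_agent.json above), so `v[1]` is the regex string, the comparison is never true and the script prints nothing; the body should read `if v[3] == 1 then table.insert(new_rules, v[1]) end`, and the leftover `print("111")` can go with that fix. `file`, `str`, `list` and `new_rules` are assigned without `local`, so they leak into the global table; prefix each with `local`. access.lua is rewritten by this commit but lies outside this chunk, so it is worth confirming its rule loader indexes the entries the same way, since a mirrored `v[1] == 1` check there would silently disable every rule.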
@@ -41,17 +32,8 @@ appendfsync everysec # If instead you are interested in using includes to override configuration # options, it is better to use include as the last line. # -# Included paths may contain wildcards. All files matching the wildcards will -# be included in alphabetical order. -# Note that if an include path contains a wildcards but no files match it when -# the server is started, the include statement will be ignored and no error will -# be emitted. It is safe, therefore, to include wildcard files from empty -# directories. -# # include /path/to/local.conf # include /path/to/other.conf -# include /path/to/fragments/*.conf -# ################################## MODULES ##################################### 
@@ -67,80 +49,42 @@ appendfsync everysec
 # for connections from all available network interfaces on the host machine.
 # It is possible to listen to just one or multiple selected interfaces using
 # the "bind" configuration directive, followed by one or more IP addresses.
-# Each address can be prefixed by "-", which means that redis will not fail to
-# start if the address is not available. Being not available only refers to
-# addresses that does not correspond to any network interface. Addresses that
-# are already in use will always fail, and unsupported protocols will always BE
-# silently skipped.
 #
 # Examples:
 #
-# bind 192.168.1.100 10.0.0.1 # listens on two specific IPv4 addresses
-# bind 127.0.0.1 ::1 # listens on loopback IPv4 and IPv6
-# bind * -::* # like the default, all available interfaces
+# bind 192.168.1.100 10.0.0.1
+# bind 127.0.0.1 ::1
 #
 # ~~~ WARNING ~~~ If the computer running Redis is directly exposed to the
 # internet, binding to all the interfaces is dangerous and will expose the
 # instance to everybody on the internet. So by default we uncomment the
 # following bind directive, that will force Redis to listen only on the
-# IPv4 and IPv6 (if available) loopback interface addresses (this means Redis
-# will only be able to accept client connections from the same host that it is
-# running on).
+# IPv4 loopback interface address (this means Redis will only be able to
+# accept client connections from the same host that it is running on).
 #
 # IF YOU ARE SURE YOU WANT YOUR INSTANCE TO LISTEN TO ALL THE INTERFACES
-# COMMENT OUT THE FOLLOWING LINE.
-#
-# You will also need to set a password unless you explicitly disable protected
-# mode.
+# JUST COMMENT OUT THE FOLLOWING LINE.
 # ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-# bind 127.0.0.1 -::1
-
-# By default, outgoing connections (from replica to master, from Sentinel to
-# instances, cluster bus, etc.) are not bound to a specific local address.
In
-# most cases, this means the operating system will handle that based on routing
-# and the interface through which the connection goes out.
-#
-# Using bind-source-addr it is possible to configure a specific address to bind
-# to, which may also affect how the connection gets routed.
-#
-# Example:
-#
-# bind-source-addr 10.0.0.1
+bind 0.0.0.0
 # Protected mode is a layer of security protection, in order to avoid that
 # Redis instances left open on the internet are accessed and exploited.
 #
-# When protected mode is on and the default user has no password, the server
-# only accepts local connections from the IPv4 address (127.0.0.1), IPv6 address
-# (::1) or Unix domain sockets.
+# When protected mode is on and if:
+#
+# 1) The server is not binding explicitly to a set of addresses using the
+# "bind" directive.
+# 2) No password is configured.
+#
+# The server only accepts connections from clients connecting from the
+# IPv4 and IPv6 loopback addresses 127.0.0.1 and ::1, and from Unix domain
+# sockets.
 #
 # By default protected mode is enabled. You should disable it only if
 # you are sure you want clients from other hosts to connect to Redis
-# even if no authentication is configured.
-protected-mode no
-
-# Redis uses default hardened security configuration directives to reduce the
-# attack surface on innocent users. Therefore, several sensitive configuration
-# directives are immutable, and some potentially-dangerous commands are blocked.
-#
-# Configuration directives that control files that Redis writes to (e.g., 'dir'
-# and 'dbfilename') and that aren't usually modified during runtime
-# are protected by making them immutable.
-#
-# Commands that can increase the attack surface of Redis and that aren't usually
-# called by users are blocked by default.
-#
-# These can be exposed to either all connections or just local ones by setting
-# each of the configs listed below to either of these values:
-#
-# no - Block for any connection (remain immutable)
-# yes - Allow for any connection (no protection)
-# local - Allow only for local connections. Ones originating from the
-# IPv4 address (127.0.0.1), IPv6 address (::1) or Unix domain sockets.
-#
-# enable-protected-configs no
-# enable-debug-command no
-# enable-module-command no
+# even if no authentication is configured, nor a specific set of interfaces
+# are explicitly listed using the "bind" directive.
+protected-mode yes
 # Accept connections on the specified port, default is 6379 (IANA #815344).
 # If port 0 is specified Redis will not listen on a TCP socket.
@@ -161,11 +105,11 @@ tcp-backlog 511
 # incoming connections. There is no default, so Redis will not listen
 # on a unix socket when not specified.
 #
-# unixsocket /run/redis.sock
+# unixsocket /tmp/redis.sock
 # unixsocketperm 700
 # Close the connection after a client is idle for N seconds (0 to disable)
-# timeout 0
+timeout 0
 # TCP keepalive.
 #
@@ -184,16 +128,6 @@ tcp-backlog 511
 # Redis default starting with Redis 3.2.1.
 tcp-keepalive 300
-# Apply OS-specific mechanism to mark the listening socket with the specified
-# ID, to support advanced routing and filtering capabilities.
-#
-# On Linux, the ID represents a connection mark.
-# On FreeBSD, the ID represents a socket cookie ID.
-# On OpenBSD, the ID represents a route table ID.
-#
-# The default value is 0, which implies no marking is required.
-# socket-mark-id 0
-
 ################################# TLS/SSL #####################################
 # By default, TLS/SSL is disabled. To enable it, the "tls-port" configuration
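Review bot: `bind 0.0.0.0` combined with `protected-mode yes` provides no client restriction, because the hunk's own new comment states protected mode only applies when the server is not binding explicitly and no password is configured; with an explicit bind and `# requirepass foobared` still commented out (hunk `@@ -1039,24 +787,8 @@` below), the instance accepts unauthenticated commands from every interface it is reachable on. If listening on the container network is intended, the deployment must inject a password or ACL users at start-up, and a comment beside the bind line should say so, e.g. `# NOTE: an explicit bind disables protected-mode; requirepass or an ACL user is required`. The 1Panel rewrite block removed at the top of this file also set no password, so this is not a regression, but the new comment text now reads as if protection were in place. The `# unixsocket /tmp/redis.sock` line in the next hunk is commented out and so has no effect, though `/run/redis.sock` was the better example path since `/tmp` is world-writable.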
@@ -209,32 +143,8 @@ tcp-keepalive 300 # # tls-cert-file redis.crt # tls-key-file redis.key -# -# If the key file is encrypted using a passphrase, it can be included here -# as well. -# -# tls-key-file-pass secret -# Normally Redis uses the same certificate for both server functions (accepting -# connections) and client functions (replicating from a master, establishing -# cluster bus connections, etc.). -# -# Sometimes certificates are issued with attributes that designate them as -# client-only or server-only certificates. In that case it may be desired to use -# different certificates for incoming (server) and outgoing (client) -# connections. To do that, use the following directives: -# -# tls-client-cert-file client.crt -# tls-client-key-file client.key -# -# If the key file is encrypted using a passphrase, it can be included here -# as well. -# -# tls-client-key-file-pass secret - -# Configure a DH parameters file to enable Diffie-Hellman (DH) key exchange, -# required by older versions of OpenSSL (<3.0). Newer versions do not require -# this configuration and recommend against it. +# Configure a DH parameters file to enable Diffie-Hellman (DH) key exchange: # # tls-dh-params-file redis.dh @@ -267,12 +177,9 @@ tcp-keepalive 300 # # tls-cluster yes -# By default, only TLSv1.2 and TLSv1.3 are enabled and it is highly recommended -# that older formally deprecated versions are kept disabled to reduce the attack surface. -# You can explicitly specify TLS versions to support. -# Allowed values are case insensitive and include "TLSv1", "TLSv1.1", "TLSv1.2", -# "TLSv1.3" (OpenSSL >= 1.1.1) or any combination. -# To enable only TLSv1.2 and TLSv1.3, use: +# Explicitly specify TLS versions to support. Allowed values are case insensitive +# and include "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3" (OpenSSL >= 1.1.1) or +# any combination. To enable only TLSv1.2 and TLSv1.3, use: # # tls-protocols "TLSv1.2 TLSv1.3" 
@@ -314,7 +221,6 @@ tcp-keepalive 300 # By default Redis does not run as a daemon. Use 'yes' if you need it. # Note that Redis will write a pid file in /var/run/redis.pid when daemonized. -# When Redis is supervised by upstart or systemd, this parameter has no impact. daemonize no # If you run Redis from upstart or systemd, Redis can interact with your @@ -323,17 +229,11 @@ daemonize no # supervised upstart - signal upstart by putting Redis into SIGSTOP mode # requires "expect stop" in your upstart job config # supervised systemd - signal systemd by writing READY=1 to $NOTIFY_SOCKET -# on startup, and updating Redis status on a regular -# basis. # supervised auto - detect upstart or systemd method based on # UPSTART_JOB or NOTIFY_SOCKET environment variables # Note: these supervision methods only signal "process is ready." # They do not enable continuous pings back to your supervisor. -# -# The default is "no". To run under upstart/systemd, you can simply uncomment -# the line below: -# -# supervised auto +supervised no # If a pid file is specified, Redis writes it where specified at startup # and removes it at exit. @@ -344,10 +244,7 @@ daemonize no # # Creating a pid file is best effort: if Redis is not able to create it # nothing bad happens, the server will start and run normally. -# -# Note that on modern Linux systems "/run/redis.pid" is more conforming -# and should be used instead. -pidfile "/var/run/redis_6379.pid" +pidfile /var/run/redis_6379.pid # Specify the server verbosity level. # This can be one of: 
@@ -372,74 +269,44 @@ logfile "" # Specify the syslog facility. Must be USER or between LOCAL0-LOCAL7. # syslog-facility local0 -# To disable the built in crash log, which will possibly produce cleaner core -# dumps when they are needed, uncomment the following: -# -# crash-log-enabled no - -# To disable the fast memory check that's run as part of the crash log, which -# will possibly let redis terminate sooner, uncomment the following: -# -# crash-memcheck-enabled no - # Set the number of databases. The default database is DB 0, you can select # a different one on a per-connection basis using SELECT where # dbid is a number between 0 and 'databases'-1 databases 16 # By default Redis shows an ASCII art logo only when started to log to the -# standard output and if the standard output is a TTY and syslog logging is -# disabled. Basically this means that normally a logo is displayed only in -# interactive sessions. +# standard output and if the standard output is a TTY. Basically this means +# that normally a logo is displayed only in interactive sessions. # # However it is possible to force the pre-4.0 behavior and always show a # ASCII art logo in startup logs by setting the following option to yes. -always-show-logo no - -# By default, Redis modifies the process title (as seen in 'top' and 'ps') to -# provide some runtime information. It is possible to disable this and leave -# the process name as executed by setting the following to no. -set-proc-title yes - -# When changing the process title, Redis uses the following template to construct -# the modified title. -# -# Template variables are specified in curly brackets. The following variables are -# supported: -# -# {title} Name of process as executed if parent, or type of child process. -# {listen-addr} Bind address or '*' followed by TCP or TLS port listening on, or -# Unix socket if only that's available. -# {server-mode} Special mode, i.e. "[sentinel]" or "[cluster]". -# {port} TCP port listening on, or 0. 
-# {tls-port} TLS port listening on, or 0. -# {unixsocket} Unix domain socket listening on, or "". -# {config-file} Name of configuration file used. -# -proc-title-template "{title} {listen-addr} {server-mode}" +always-show-logo yes ################################ SNAPSHOTTING ################################ +# +# Save the DB on disk: +# +# save +# +# Will save the DB if both the given number of seconds and the given +# number of write operations against the DB occurred. +# +# In the example below the behavior will be to save: +# after 900 sec (15 min) if at least 1 key changed +# after 300 sec (5 min) if at least 10 keys changed +# after 60 sec if at least 10000 keys changed +# +# Note: you can disable saving completely by commenting out all "save" lines. +# +# It is also possible to remove all the previously configured save +# points by adding a save directive with a single empty string argument +# like in the following example: +# +# save "" -# Save the DB to disk. -# -# save [ ...] -# -# Redis will save the DB if the given number of seconds elapsed and it -# surpassed the given number of write operations against the DB. -# -# Snapshotting can be completely disabled with a single empty string argument -# as in following example: -# -# save "" -# -# Unless specified otherwise, by default Redis will save the DB: -# * After 3600 seconds (an hour) if at least 1 change was performed -# * After 300 seconds (5 minutes) if at least 100 changes were performed -# * After 60 seconds if at least 10000 changes were performed -# -# You can set these explicitly by uncommenting the following line. -# -# save 3600 1 300 100 60 10000 +save 900 1 +save 300 10 +save 60 10000 # By default Redis will stop accepting writes if RDB snapshots are enabled # (at least one save point) and the latest background save failed. 
@@ -471,23 +338,8 @@ rdbcompression yes # tell the loading code to skip the check. rdbchecksum yes -# Enables or disables full sanitization checks for ziplist and listpack etc when -# loading an RDB or RESTORE payload. This reduces the chances of a assertion or -# crash later on while processing commands. -# Options: -# no - Never perform full sanitization -# yes - Always perform full sanitization -# clients - Perform full sanitization only for user connections. -# Excludes: RDB files, RESTORE commands received from the master -# connection, and client connections which have the -# skip-sanitize-payload ACL flag. -# The default should be 'clients' but since it currently affects cluster -# resharding via MIGRATE, it is temporarily set to 'no' by default. -# -# sanitize-dump-payload no - # The filename where to dump the DB -dbfilename "dump.rdb" +dbfilename dump.rdb # Remove RDB files used by replication in instances without persistence # enabled. By default this option is disabled, however there are environments @@ -510,7 +362,7 @@ rdb-del-sync-files no # The Append Only File will also be created inside this directory. # # Note that you must specify a directory here, not a file name. -dir "/data" +dir ./ ################################# REPLICATION ################################# 
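Review bot: `dir ./` replaces the fixed `dir "/data"`, so `dump.rdb` (and an AOF, if ever enabled) is written to whatever working directory the process happens to start in rather than to one known path. If the container's persistent volume is mounted at /data, as the old value suggests but this chunk cannot confirm, snapshots will land outside it and be lost on restart. Keeping `dir /data` (the quotes are optional in 6.0) avoids that; the `dbfilename dump.rdb` change in the same hunk is fine.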
@@ -560,10 +412,9 @@ dir "/data" # still reply to client requests, possibly with out of date data, or the # data set may just be empty if this is the first synchronization. # -# 2) If replica-serve-stale-data is set to 'no' the replica will reply with error -# "MASTERDOWN Link with MASTER is down and replica-serve-stale-data is set to 'no'" -# to all data access commands, excluding commands such as: -# INFO, REPLICAOF, AUTH, SHUTDOWN, REPLCONF, ROLE, CONFIG, SUBSCRIBE, +# 2) If replica-serve-stale-data is set to 'no' the replica will reply with +# an error "SYNC with master in progress" to all commands except: +# INFO, REPLICAOF, AUTH, PING, SHUTDOWN, REPLCONF, ROLE, CONFIG, SUBSCRIBE, # UNSUBSCRIBE, PSUBSCRIBE, PUNSUBSCRIBE, PUBLISH, PUBSUB, COMMAND, POST, # HOST and LATENCY. # @@ -612,7 +463,7 @@ replica-read-only yes # # With slow disks and fast (large bandwidth) networks, diskless replication # works better. -repl-diskless-sync yes +repl-diskless-sync no # When diskless replication is enabled, it is possible to configure the delay # the server waits in order to spawn the child that transfers the RDB via socket 
@@ -626,18 +477,12 @@ repl-diskless-sync yes # it entirely just set it to 0 seconds and the transfer will start ASAP. repl-diskless-sync-delay 5 -# When diskless replication is enabled with a delay, it is possible to let -# the replication start before the maximum delay is reached if the maximum -# number of replicas expected have connected. Default of 0 means that the -# maximum is not defined and Redis will wait the full delay. -repl-diskless-sync-max-replicas 0 - # ----------------------------------------------------------------------------- # WARNING: RDB diskless load is experimental. Since in this setup the replica # does not immediately store an RDB on disk, it may cause data loss during # failovers. RDB diskless load + Redis modules not handling I/O reads may also # cause Redis to abort in case of I/O errors during the initial synchronization -# stage with the master. Use only if you know what you are doing. +# stage with the master. Use only if your do what you are doing. # ----------------------------------------------------------------------------- # # Replica can load the RDB it reads from the replication link directly from the 
@@ -646,23 +491,19 @@ repl-diskless-sync-max-replicas 0 # # In many cases the disk is slower than the network, and storing and loading # the RDB file may increase replication time (and even increase the master's -# Copy on Write memory and replica buffers). +# Copy on Write memory and salve buffers). # However, parsing the RDB file directly from the socket may mean that we have # to flush the contents of the current database before the full rdb was # received. For this reason we have the following options: # # "disabled" - Don't use diskless load (store the rdb file to the disk first) # "on-empty-db" - Use diskless load only when it is completely safe. -# "swapdb" - Keep current db contents in RAM while parsing the data directly -# from the socket. Replicas in this mode can keep serving current -# data set while replication is in progress, except for cases where -# they can't recognize master as having a data set from same -# replication history. -# Note that this requires sufficient memory, if you don't have it, -# you risk an OOM kill. +# "swapdb" - Keep a copy of the current db contents in RAM while parsing +# the data directly from the socket. note that this requires +# sufficient memory, if you don't have it, you risk an OOM kill. repl-diskless-load disabled -# Master send PINGs to its replicas in a predefined interval. It's possible to +# Replicas send PINGs to server in a predefined interval. It's possible to # change this interval with the repl_ping_replica_period option. The default # value is 10 seconds. # 
@@ -737,43 +578,6 @@ repl-disable-tcp-nodelay no # By default the priority is 100. replica-priority 100 -# The propagation error behavior controls how Redis will behave when it is -# unable to handle a command being processed in the replication stream from a master -# or processed while reading from an AOF file. Errors that occur during propagation -# are unexpected, and can cause data inconsistency. However, there are edge cases -# in earlier versions of Redis where it was possible for the server to replicate or persist -# commands that would fail on future versions. For this reason the default behavior -# is to ignore such errors and continue processing commands. -# -# If an application wants to ensure there is no data divergence, this configuration -# should be set to 'panic' instead. The value can also be set to 'panic-on-replicas' -# to only panic when a replica encounters an error on the replication stream. One of -# these two panic values will become the default value in the future once there are -# sufficient safety mechanisms in place to prevent false positive crashes. -# -# propagation-error-behavior ignore - -# Replica ignore disk write errors controls the behavior of a replica when it is -# unable to persist a write command received from its master to disk. By default, -# this configuration is set to 'no' and will crash the replica in this condition. -# It is not recommended to change this default, however in order to be compatible -# with older versions of Redis this config can be toggled to 'yes' which will just -# log a warning and execute the write command it got from the master. -# -# replica-ignore-disk-write-errors no - -# ----------------------------------------------------------------------------- -# By default, Redis Sentinel includes all replicas in its reports. A replica -# can be excluded from Redis Sentinel's announcements. 
An unannounced replica -# will be ignored by the 'sentinel replicas ' command and won't be -# exposed to Redis Sentinel's clients. -# -# This option does not change the behavior of replica-priority. Even with -# replica-announced set to 'no', the replica can be promoted to master. To -# prevent this behavior, set replica-priority to 0. -# -# replica-announced yes - # It is possible for a master to stop accepting writes if there are less than # N replicas connected, having a lag less or equal than M seconds. # @@ -829,7 +633,7 @@ replica-priority 100 # Redis implements server assisted support for client side caching of values. # This is implemented using an invalidation table that remembers, using -# a radix key indexed by key name, what clients have which keys. In turn +# 16 millions of slots, what clients may have certain subsets of keys. In turn # this is used in order to send invalidation messages to clients. Please # check this page to understand more about the feature: # @@ -893,12 +697,8 @@ replica-priority 100 # off Disable the user: it's no longer possible to authenticate # with this user, however the already authenticated connections # will still work. -# skip-sanitize-payload RESTORE dump-payload sanitization is skipped. -# sanitize-payload RESTORE dump-payload is sanitized (default). -# + Allow the execution of that command. -# May be used with `|` for allowing subcommands (e.g "+config|get") -# - Disallow the execution of that command. -# May be used with `|` for blocking subcommands (e.g "-config|set") +# + Allow the execution of that command +# - Disallow the execution of that command # +@ Allow the execution of all the commands in such category # with valid categories are like @admin, @set, @sortedset, ... # and so forth, see the full list in the server.c file where 
@@ -906,11 +706,10 @@ replica-priority 100 # The special category @all means all the commands, but currently # present in the server, and that will be loaded in the future # via modules. -# +|first-arg Allow a specific first argument of an otherwise -# disabled command. It is only supported on commands with -# no sub-commands, and is not allowed as negative form -# like -SELECT|1, only additive starting with "+". This -# feature is deprecated and may be removed in the future. +# +|subcommand Allow a specific subcommand of an otherwise +# disabled command. Note that this form is not +# allowed as negative like -DEBUG|SEGFAULT, but +# only additive starting with "+". # allcommands Alias for +@all. Note that it implies the ability to execute # all the future commands loaded via the modules system. # nocommands Alias for -@all. @@ -918,17 +717,8 @@ replica-priority 100 # commands. For instance ~* allows all the keys. The pattern # is a glob-style pattern like the one of KEYS. # It is possible to specify multiple patterns. -# %R~ Add key read pattern that specifies which keys can be read -# from. -# %W~ Add key write pattern that specifies which keys can be -# written to. # allkeys Alias for ~* # resetkeys Flush the list of allowed keys patterns. -# & Add a glob-style pattern of Pub/Sub channels that can be -# accessed by the user. It is possible to specify multiple channel -# patterns. -# allchannels Alias for &* -# resetchannels Flush the list of allowed channel patterns. # > Add this password to the list of valid password for the user. # For example >mypass will add "mypass" to the list. # This directive clears the "nopass" flag (see later). 
@@ -947,14 +737,6 @@ replica-priority 100 # reset Performs the following actions: resetpass, resetkeys, off, # -@all. The user returns to the same state it has immediately # after its creation. -# () Create a new selector with the options specified within the -# parentheses and attach it to the user. Each option should be -# space separated. The first character must be ( and the last -# character must be ). -# clearselectors Remove all of the currently attached selectors. -# Note this does not change the "root" user permissions, -# which are the permissions directly applied onto the -# user (outside the parentheses). # # ACL rules can be specified in any order: for instance you can start with # passwords, then flags, or key patterns. However note that the additive 
@@ -976,40 +758,6 @@ replica-priority 100 # # Basically ACL rules are processed left-to-right. # -# The following is a list of command categories and their meanings: -# * keyspace - Writing or reading from keys, databases, or their metadata -# in a type agnostic way. Includes DEL, RESTORE, DUMP, RENAME, EXISTS, DBSIZE, -# KEYS, EXPIRE, TTL, FLUSHALL, etc. Commands that may modify the keyspace, -# key or metadata will also have `write` category. Commands that only read -# the keyspace, key or metadata will have the `read` category. -# * read - Reading from keys (values or metadata). Note that commands that don't -# interact with keys, will not have either `read` or `write`. -# * write - Writing to keys (values or metadata) -# * admin - Administrative commands. Normal applications will never need to use -# these. Includes REPLICAOF, CONFIG, DEBUG, SAVE, MONITOR, ACL, SHUTDOWN, etc. -# * dangerous - Potentially dangerous (each should be considered with care for -# various reasons). This includes FLUSHALL, MIGRATE, RESTORE, SORT, KEYS, -# CLIENT, DEBUG, INFO, CONFIG, SAVE, REPLICAOF, etc. -# * connection - Commands affecting the connection or other connections. -# This includes AUTH, SELECT, COMMAND, CLIENT, ECHO, PING, etc. -# * blocking - Potentially blocking the connection until released by another -# command. -# * fast - Fast O(1) commands. May loop on the number of arguments, but not the -# number of elements in the key. -# * slow - All commands that are not Fast. -# * pubsub - PUBLISH / SUBSCRIBE related -# * transaction - WATCH / MULTI / EXEC related commands. -# * scripting - Scripting related. -# * set - Data type: sets related. -# * sortedset - Data type: zsets related. -# * list - Data type: lists related. -# * hash - Data type: hashes related. -# * string - Data type: strings related. -# * bitmap - Data type: bitmaps related. -# * hyperloglog - Data type: hyperloglog related. -# * geo - Data type: geo related. -# * stream - Data type: streams related. 
-# # For more information about ACL configuration please refer to # the Redis web site at https://redis.io/topics/acl @@ -1039,24 +787,8 @@ acllog-max-len 128 # AUTH as usually, or more explicitly with AUTH default # if they follow the new protocol: both will work. # -# The requirepass is not compatible with aclfile option and the ACL LOAD -# command, these will cause requirepass to be ignored. -# # requirepass foobared -# New users are initialized with restrictive permissions by default, via the -# equivalent of this ACL rule 'off resetkeys -@all'. Starting with Redis 6.2, it -# is possible to manage access to Pub/Sub channels with ACL rules as well. The -# default Pub/Sub channels permission if new users is controlled by the -# acl-pubsub-default configuration directive, which accepts one of these values: -# -# allchannels: grants access to all Pub/Sub channels -# resetchannels: revokes access to all Pub/Sub channels -# -# From Redis 7.0, acl-pubsub-default defaults to 'resetchannels' permission. -# -# acl-pubsub-default resetchannels - # Command renaming (DEPRECATED). # # ------------------------------------------------------------------------ 
@@ -1145,12 +877,14 @@ acllog-max-len 128 # Both LRU, LFU and volatile-ttl are implemented using approximated # randomized algorithms. # -# Note: with any of the above policies, when there are no suitable keys for -# eviction, Redis will return an error on write operations that require -# more memory. These are usually commands that create new keys, add data or -# modify existing keys. A few examples are: SET, INCR, HSET, LPUSH, SUNIONSTORE, -# SORT (due to the STORE argument), and EXEC (if the transaction includes any -# command that requires memory). +# Note: with any of the above policies, Redis will return an error on write +# operations, when there are no suitable keys for eviction. +# +# At the date of writing these commands are: set setnx setex append +# incr decr rpush lpush rpushx lpushx linsert lset rpoplpush sadd +# sinter sinterstore sunion sunionstore sdiff sdiffstore zadd zincrby +# zunionstore zinterstore hset hsetnx hmset hincrby incrby decrby +# getset mset msetnx exec sort # # The default is: # @@ -1167,14 +901,6 @@ acllog-max-len 128 # # maxmemory-samples 5 -# Eviction processing is designed to function well with the default setting. -# If there is an unusually large amount of write traffic, this value may need to -# be increased. Decreasing this value may reduce latency at the risk of -# eviction processing effectiveness -# 0 = minimum latency, 10 = default, 100 = process without regard to latency -# -# maxmemory-eviction-tenacity 10 - # Starting from Redis 5, by default a replica will ignore its maxmemory setting # (unless it is promoted to master after a failover or manually). It means # that the eviction of keys will be just handled by the master, sending the 
@@ -1268,13 +994,6 @@ replica-lazy-flush no lazyfree-lazy-user-del no -# FLUSHDB, FLUSHALL, SCRIPT FLUSH and FUNCTION FLUSH support both asynchronous and synchronous -# deletion, which can be controlled by passing the [SYNC|ASYNC] flags into the -# commands. When neither flag is passed, this directive will be used to determine -# if the data should be deleted asynchronously. - -lazyfree-lazy-user-flush no - ################################ THREADED I/O ################################# # Redis is mostly single threaded, however there are certain threaded @@ -1313,7 +1032,7 @@ lazyfree-lazy-user-flush no # Usually threading reads doesn't help much. # # NOTE 1: This configuration directive cannot be changed at runtime via -# CONFIG SET. Also, this feature currently does not work when SSL is +# CONFIG SET. Aso this feature currently does not work when SSL is # enabled. # # NOTE 2: If you want to test the Redis speedup using redis-benchmark, make @@ -1331,7 +1050,7 @@ lazyfree-lazy-user-flush no # attempt to have background child processes killed before all others, and # replicas killed before masters. # -# Redis supports these options: +# Redis supports three options: # # no: Don't make changes to oom-score-adj (default). # yes: Alias to "relative" see below. 
@@ -1352,18 +1071,6 @@ oom-score-adj no # oom-score-adj-values to positive values will always succeed. oom-score-adj-values 0 200 800 -#################### KERNEL transparent hugepage CONTROL ###################### - -# Usually the kernel Transparent Huge Pages control is set to "madvise" or -# or "never" by default (/sys/kernel/mm/transparent_hugepage/enabled), in which -# case this config has no effect. On systems in which it is set to "always", -# redis will attempt to disable it specifically for the redis process in order -# to avoid latency problems specifically with fork(2) and CoW. -# If for some reason you prefer to keep it enabled, you can set this config to -# "no" and the kernel global to "always". - -disable-thp yes - ############################## APPEND ONLY MODE ############################### # By default Redis asynchronously dumps the dataset on disk. This mode is 
@@ -1382,43 +1089,14 @@ disable-thp yes # If the AOF is enabled on startup Redis will load the AOF, that is the file # with the better durability guarantees. # -# Please check https://redis.io/topics/persistence for more information. +# Please check http://redis.io/topics/persistence for more information. -# appendonly no +appendonly no -# The base name of the append only file. -# -# Redis 7 and newer use a set of append-only files to persist the dataset -# and changes applied to it. There are two basic types of files in use: -# -# - Base files, which are a snapshot representing the complete state of the -# dataset at the time the file was created. Base files can be either in -# the form of RDB (binary serialized) or AOF (textual commands). -# - Incremental files, which contain additional commands that were applied -# to the dataset following the previous file. -# -# In addition, manifest files are used to track the files and the order in -# which they were created and should be applied. -# -# Append-only file names are created by Redis following a specific pattern. -# The file name's prefix is based on the 'appendfilename' configuration -# parameter, followed by additional information about the sequence and type. -# -# For example, if appendfilename is set to appendonly.aof, the following file -# names could be derived: -# -# - appendonly.aof.1.base.rdb as a base file. -# - appendonly.aof.1.incr.aof, appendonly.aof.2.incr.aof as incremental files. -# - appendonly.aof.manifest as a manifest file. +# The name of the append only file (default: "appendonly.aof") appendfilename "appendonly.aof" -# For convenience, Redis stores all persistent append-only files in a dedicated -# directory. The name of the directory is determined by the appenddirname -# configuration parameter. - -appenddirname "appendonlydir" - # The fsync() call tells the Operating System to actually write data on disk # instead of waiting for more data in the output buffer. 
Some OS will really flush # data on disk, some other OS will just try to do it ASAP. @@ -1443,7 +1121,7 @@ appenddirname "appendonlydir" # If unsure, use "everysec". # appendfsync always -# appendfsync everysec +appendfsync everysec # appendfsync no # When the AOF fsync policy is set to always or everysec, and a background @@ -1458,7 +1136,7 @@ appenddirname "appendonlydir" # BGSAVE or BGREWRITEAOF is in progress. # # This means that while another child is saving, the durability of Redis is -# the same as "appendfsync no". In practical terms, this means that it is +# the same as "appendfsync none". In practical terms, this means that it is # possible to lose up to 30 seconds of log in the worst scenario (with the # default Linux settings). # 
@@ -1511,69 +1189,34 @@ auto-aof-rewrite-min-size 64mb # will be found. aof-load-truncated yes -# Redis can create append-only base files in either RDB or AOF formats. Using -# the RDB format is always faster and more efficient, and disabling it is only -# supported for backward compatibility purposes. +# When rewriting the AOF file, Redis is able to use an RDB preamble in the +# AOF file for faster rewrites and recoveries. When this option is turned +# on the rewritten AOF file is composed of two different stanzas: +# +# [RDB file][AOF tail] +# +# When loading, Redis recognizes that the AOF file starts with the "REDIS" +# string and loads the prefixed RDB file, then continues loading the AOF +# tail. aof-use-rdb-preamble yes -# Redis supports recording timestamp annotations in the AOF to support restoring -# the data from a specific point-in-time. However, using this capability changes -# the AOF format in a way that may not be compatible with existing AOF parsers. -aof-timestamp-enabled no +################################ LUA SCRIPTING ############################### -################################ SHUTDOWN ##################################### - -# Maximum time to wait for replicas when shutting down, in seconds. +# Max execution time of a Lua script in milliseconds. # -# During shut down, a grace period allows any lagging replicas to catch up with -# the latest replication offset before the master exists. This period can -# prevent data loss, especially for deployments without configured disk backups. +# If the maximum execution time is reached Redis will log that a script is +# still in execution after the maximum allowed time and will start to +# reply to queries with an error. # -# The 'shutdown-timeout' value is the grace period's duration in seconds. It is -# only applicable when the instance has replicas. To disable the feature, set -# the value to 0. 
+# When a long running script exceeds the maximum execution time only the +# SCRIPT KILL and SHUTDOWN NOSAVE commands are available. The first can be +# used to stop a script that did not yet call any write commands. The second +# is the only way to shut down the server in the case a write command was +# already issued by the script but the user doesn't want to wait for the natural +# termination of the script. # -# shutdown-timeout 10 - -# When Redis receives a SIGINT or SIGTERM, shutdown is initiated and by default -# an RDB snapshot is written to disk in a blocking operation if save points are configured. -# The options used on signaled shutdown can include the following values: -# default: Saves RDB snapshot only if save points are configured. -# Waits for lagging replicas to catch up. -# save: Forces a DB saving operation even if no save points are configured. -# nosave: Prevents DB saving operation even if one or more save points are configured. -# now: Skips waiting for lagging replicas. -# force: Ignores any errors that would normally prevent the server from exiting. -# -# Any combination of values is allowed as long as "save" and "nosave" are not set simultaneously. -# Example: "nosave force now" -# -# shutdown-on-sigint default -# shutdown-on-sigterm default - -################ NON-DETERMINISTIC LONG BLOCKING COMMANDS ##################### - -# Maximum time in milliseconds for EVAL scripts, functions and in some cases -# modules' commands before Redis can start processing or rejecting other clients. -# -# If the maximum execution time is reached Redis will start to reply to most -# commands with a BUSY error. -# -# In this state Redis will only allow a handful of commands to be executed. -# For instance, SCRIPT KILL, FUNCTION KILL, SHUTDOWN NOSAVE and possibly some -# module specific 'allow-busy' commands. 
-# -# SCRIPT KILL and FUNCTION KILL will only be able to stop a script that did not -# yet call any write commands, so SHUTDOWN NOSAVE may be the only way to stop -# the server in the case a write command was already issued by the script when -# the user doesn't want to wait for the natural termination of the script. -# -# The default is 5 seconds. It is possible to set it to 0 or a negative value -# to disable this mechanism (uninterrupted execution). Note that in the past -# this config had a different name, which is now an alias, so both of these do -# the same: -# lua-time-limit 5000 -# busy-reply-threshold 5000 +# Set it to 0 or a negative value for unlimited execution without warnings. +lua-time-limit 5000 ################################ REDIS CLUSTER ############################### @@ -1597,11 +1240,6 @@ aof-timestamp-enabled no # # cluster-node-timeout 15000 -# The cluster port is the port that the cluster bus will listen for inbound connections on. When set -# to the default value, 0, it will be bound to the command port + 10000. Setting this value requires -# you to specify the cluster bus port when executing cluster meet. -# cluster-port 0 - # A replica of a failing master will avoid to start a failover if its data # looks too old. # 
@@ -1660,21 +1298,12 @@ aof-timestamp-enabled no # master in your cluster. # # Default is 1 (replicas migrate only if their masters remain with at least -# one replica). To disable migration just set it to a very large value or -# set cluster-allow-replica-migration to 'no'. +# one replica). To disable migration just set it to a very large value. # A value of 0 can be set but is useful only for debugging and dangerous # in production. # # cluster-migration-barrier 1 -# Turning off this option allows to use less automatic cluster configuration. -# It both disables migration to orphaned masters and migration from masters -# that became empty. -# -# Default is 'yes' (allow automatic migrations). -# -# cluster-allow-replica-migration yes - # By default Redis Cluster nodes stop accepting queries if they detect there # is at least a hash slot uncovered (no available node is serving it). # This way if the cluster is partially down (for example a range of hash slots @@ -1689,7 +1318,7 @@ aof-timestamp-enabled no # cluster-require-full-coverage yes # This option, when set to yes, prevents replicas from trying to failover its -# master during master failures. However the replica can still perform a +# master during master failures. However the master can still perform a # manual failover, if forced to do so. # # This is useful in different scenarios, especially in the case of multiple @@ -1699,7 +1328,7 @@ aof-timestamp-enabled no # cluster-replica-no-failover no # This option, when set to yes, allows nodes to serve read traffic while the -# cluster is in a down state, as long as it believes it owns the slots. +# the cluster is in a down state, as long as it believes it owns the slots. # # This is useful for two cases. The first case is for when an application # doesn't require consistency of data during node failures or network partitions. 
@@ -1714,54 +1343,8 @@ aof-timestamp-enabled no # # cluster-allow-reads-when-down no -# This option, when set to yes, allows nodes to serve pubsub shard traffic while -# the cluster is in a down state, as long as it believes it owns the slots. -# -# This is useful if the application would like to use the pubsub feature even when -# the cluster global stable state is not OK. If the application wants to make sure only -# one shard is serving a given channel, this feature should be kept as yes. -# -# cluster-allow-pubsubshard-when-down yes - -# Cluster link send buffer limit is the limit on the memory usage of an individual -# cluster bus link's send buffer in bytes. Cluster links would be freed if they exceed -# this limit. This is to primarily prevent send buffers from growing unbounded on links -# toward slow peers (E.g. PubSub messages being piled up). -# This limit is disabled by default. Enable this limit when 'mem_cluster_links' INFO field -# and/or 'send-buffer-allocated' entries in the 'CLUSTER LINKS` command output continuously increase. -# Minimum limit of 1gb is recommended so that cluster link buffer can fit in at least a single -# PubSub message by default. (client-query-buffer-limit default value is 1gb) -# -# cluster-link-sendbuf-limit 0 - -# Clusters can configure their announced hostname using this config. This is a common use case for -# applications that need to use TLS Server Name Indication (SNI) or dealing with DNS based -# routing. By default this value is only shown as additional metadata in the CLUSTER SLOTS -# command, but can be changed using 'cluster-preferred-endpoint-type' config. This value is -# communicated along the clusterbus to all nodes, setting it to an empty string will remove -# the hostname and also propagate the removal. -# -# cluster-announce-hostname "" - -# Clusters can advertise how clients should connect to them using either their IP address, -# a user defined hostname, or by declaring they have no endpoint. 
Which endpoint is -# shown as the preferred endpoint is set by using the cluster-preferred-endpoint-type -# config with values 'ip', 'hostname', or 'unknown-endpoint'. This value controls how -# the endpoint returned for MOVED/ASKING requests as well as the first field of CLUSTER SLOTS. -# If the preferred endpoint type is set to hostname, but no announced hostname is set, a '?' -# will be returned instead. -# -# When a cluster advertises itself as having an unknown endpoint, it's indicating that -# the server doesn't know how clients can reach the cluster. This can happen in certain -# networking situations where there are multiple possible routes to the node, and the -# server doesn't know which one the client took. In this case, the server is expecting -# the client to reach out on the same endpoint it used for making the last request, but use -# the port provided in the response. -# -# cluster-preferred-endpoint-type ip - # In order to setup your cluster make sure to read the documentation -# available at https://redis.io web site. +# available at http://redis.io web site. ########################## CLUSTER DOCKER/NAT support ######################## 
@@ -1771,21 +1354,16 @@ aof-timestamp-enabled no # # In order to make Redis Cluster working in such environments, a static # configuration where each node knows its public address is needed. The -# following four options are used for this scope, and are: +# following two options are used for this scope, and are: # # * cluster-announce-ip # * cluster-announce-port -# * cluster-announce-tls-port # * cluster-announce-bus-port # -# Each instructs the node about its address, client ports (for connections -# without and with TLS) and cluster message bus port. The information is then -# published in the header of the bus packets so that other nodes will be able to -# correctly map the address of the node publishing the information. -# -# If cluster-tls is set to yes and cluster-announce-tls-port is omitted or set -# to zero, then cluster-announce-port refers to the TLS port. Note also that -# cluster-announce-tls-port has no effect if cluster-tls is set to no. +# Each instructs the node about its address, client port, and cluster message +# bus port. The information is then published in the header of the bus packets +# so that other nodes will be able to correctly map the address of the node +# publishing the information. # # If the above options are not used, the normal Redis Cluster auto-detection # will be used instead. @@ -1798,8 +1376,7 @@ aof-timestamp-enabled no # Example: # # cluster-announce-ip 10.1.1.5 -# cluster-announce-tls-port 6379 -# cluster-announce-port 0 +# cluster-announce-port 6379 # cluster-announce-bus-port 6380 ################################## SLOW LOG ################################### @@ -1824,7 +1401,7 @@ slowlog-log-slower-than 10000 # There is no limit to this length. Just be aware that it will consume memory. # You can reclaim memory used by the slow log with SLOWLOG RESET. -slowlog-max-len 10086 +slowlog-max-len 128 ################################ LATENCY MONITOR ############################## 
@@ -1847,24 +1424,10 @@ slowlog-max-len 10086 # "CONFIG SET latency-monitor-threshold " if needed. latency-monitor-threshold 0 -################################ LATENCY TRACKING ############################## - -# The Redis extended latency monitoring tracks the per command latencies and enables -# exporting the percentile distribution via the INFO latencystats command, -# and cumulative latency distributions (histograms) via the LATENCY command. -# -# By default, the extended latency monitoring is enabled since the overhead -# of keeping track of the command latency is very small. -# latency-tracking yes - -# By default the exported latency percentiles via the INFO latencystats command -# are the p50, p99, and p999. -# latency-tracking-info-percentiles 50 99 99.9 - ############################# EVENT NOTIFICATION ############################## # Redis can notify Pub/Sub clients about events happening in the key space. -# This feature is documented at https://redis.io/topics/notifications +# This feature is documented at http://redis.io/topics/notifications # # For instance if keyspace events notification is enabled, and a client # performs a DEL operation on key "foo" stored in the Database 0, two @@ -1886,11 +1449,9 @@ latency-monitor-threshold 0 # z Sorted set commands # x Expired events (events generated every time a key expires) # e Evicted events (events generated when a key is evicted for maxmemory) -# n New key events (Note: not included in the 'A' class) # t Stream commands -# d Module key type events # m Key-miss events (Note: It is not included in the 'A' class) -# A Alias for g$lshzxetd, so that the "AKE" string means all the events +# A Alias for g$lshzxet, so that the "AKE" string means all the events # (Except key-miss events which are excluded from 'A' due to their # unique nature). # 
@@ -1913,13 +1474,71 @@ latency-monitor-threshold 0 # specify at least one of K or E, no events will be delivered. notify-keyspace-events "" +############################### GOPHER SERVER ################################# + +# Redis contains an implementation of the Gopher protocol, as specified in +# the RFC 1436 (https://www.ietf.org/rfc/rfc1436.txt). +# +# The Gopher protocol was very popular in the late '90s. It is an alternative +# to the web, and the implementation both server and client side is so simple +# that the Redis server has just 100 lines of code in order to implement this +# support. +# +# What do you do with Gopher nowadays? Well Gopher never *really* died, and +# lately there is a movement in order for the Gopher more hierarchical content +# composed of just plain text documents to be resurrected. Some want a simpler +# internet, others believe that the mainstream internet became too much +# controlled, and it's cool to create an alternative space for people that +# want a bit of fresh air. +# +# Anyway for the 10nth birthday of the Redis, we gave it the Gopher protocol +# as a gift. +# +# --- HOW IT WORKS? --- +# +# The Redis Gopher support uses the inline protocol of Redis, and specifically +# two kind of inline requests that were anyway illegal: an empty request +# or any request that starts with "/" (there are no Redis commands starting +# with such a slash). Normal RESP2/RESP3 requests are completely out of the +# path of the Gopher protocol implementation and are served as usual as well. +# +# If you open a connection to Redis when Gopher is enabled and send it +# a string like "/foo", if there is a key named "/foo" it is served via the +# Gopher protocol. 
+# +# In order to create a real Gopher "hole" (the name of a Gopher site in Gopher +# talking), you likely need a script like the following: +# +# https://github.com/antirez/gopher2redis +# +# --- SECURITY WARNING --- +# +# If you plan to put Redis on the internet in a publicly accessible address +# to server Gopher pages MAKE SURE TO SET A PASSWORD to the instance. +# Once a password is set: +# +# 1. The Gopher server (when enabled, not by default) will still serve +# content via Gopher. +# 2. However other commands cannot be called before the client will +# authenticate. +# +# So use the 'requirepass' option to protect your instance. +# +# Note that Gopher is not currently supported when 'io-threads-do-reads' +# is enabled. +# +# To enable Gopher support, uncomment the following line and set the option +# from no (the default) to yes. +# +# gopher-enabled no + ############################### ADVANCED CONFIG ############################### # Hashes are encoded using a memory efficient data structure when they have a # small number of entries, and the biggest entry does not exceed a given # threshold. These thresholds can be configured using the following directives. -hash-max-listpack-entries 512 -hash-max-listpack-value 64 +hash-max-ziplist-entries 512 +hash-max-ziplist-value 64 # Lists are also encoded in a special way to save a lot of space. # The number of entries allowed per internal list node can be specified @@ -1934,7 +1553,7 @@ hash-max-listpack-value 64 # per list node. # The highest performing option is usually -2 (8 Kb size) or -1 (4 Kb size), # but if your use case is unique, adjust the settings as necessary. -list-max-listpack-size -2 +list-max-ziplist-size -2 # Lists may also be compressed. # Compress depth is the number of quicklist ziplist nodes from *each* side of 
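Review bot: The restored Gopher section leaves `# gopher-enabled no` commented out, so the feature stays off, but the block's own warning states that once enabled it answers requests for any key beginning with `/` before the client authenticates, even when `requirepass` is set. For a template that ships with managed deployments, a one-line note at the directive would make that consequence explicit, e.g. `# 1Panel: keep disabled — Gopher serves key contents without AUTH and bypasses requirepass.` The `hash-max-ziplist-*` renames in the same hunk are the 6.x directive spellings, while the `listpack` names on the removed side are the 7.x ones, so that part looks consistent with targeting 6.0.16.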
@@ -1962,8 +1581,8 @@ set-max-intset-entries 512 # Similarly to hashes and lists, sorted sets are also specially encoded in # order to save a lot of space. This encoding is only used when the length and # elements of a sorted set are below the following limits: -zset-max-listpack-entries 128 -zset-max-listpack-value 64 +zset-max-ziplist-entries 128 +zset-max-ziplist-value 64 # HyperLogLog sparse representation bytes limit. The limit includes the # 16 bytes header. When an HyperLogLog using the sparse representation crosses @@ -1985,9 +1604,9 @@ hll-sparse-max-bytes 3000 # maximum number of items it may contain before switching to a new node when # appending new stream entries. If any of the following settings are set to # zero, the limit is ignored, so for instance it is possible to set just a -# max entries limit by setting max-bytes to 0 and max-entries to the desired +# max entires limit by setting max-bytes to 0 and max-entries to the desired # value. -stream-node-max-bytes 4kb +stream-node-max-bytes 4096 stream-node-max-entries 100 # Active rehashing uses 1 millisecond every 100 milliseconds of CPU time in @@ -2018,7 +1637,7 @@ activerehashing yes # The limit can be set differently for the three different classes of clients: # # normal -> normal clients including MONITOR clients -# replica -> replica clients +# replica -> replica clients # pubsub -> clients subscribed to at least one pubsub channel or pattern # # The syntax of every client-output-buffer-limit directive is the following: 
@@ -2042,13 +1661,6 @@ activerehashing yes # Instead there is a default limit for pubsub and replica clients, since # subscribers and replicas receive data in a push fashion. # -# Note that it doesn't make sense to set the replica clients output buffer -# limit lower than the repl-backlog-size config (partial sync will succeed -# and then replica will get disconnected). -# Such a configuration is ignored (the size of repl-backlog-size will be used). -# This doesn't have memory consumption implications since the replica client -# will share the backlog buffers memory. -# # Both the hard or the soft limit can be disabled by setting them to zero. client-output-buffer-limit normal 0 0 0 client-output-buffer-limit replica 256mb 64mb 60 @@ -2062,25 +1674,6 @@ client-output-buffer-limit pubsub 32mb 8mb 60 # # client-query-buffer-limit 1gb -# In some scenarios client connections can hog up memory leading to OOM -# errors or data eviction. To avoid this we can cap the accumulated memory -# used by all client connections (all pubsub and normal clients). Once we -# reach that limit connections will be dropped by the server freeing up -# memory. The server will attempt to drop the connections using the most -# memory first. We call this mechanism "client eviction". -# -# Client eviction is configured using the maxmemory-clients setting as follows: -# 0 - client eviction is disabled (default) -# -# A memory value can be used for the client eviction threshold, -# for example: -# maxmemory-clients 1g -# -# A percentage value (between 1% and 100%) means the client eviction threshold -# is based on a percentage of the maxmemory setting. For example to set client -# eviction at 5% of maxmemory: -# maxmemory-clients 5% - # In the Redis protocol, bulk requests, that are, elements representing single # strings, are normally limited to 512 mb. However you can change this limit # here, but must be 1mb or greater 
@@ -2121,13 +1714,13 @@ hz 10 dynamic-hz yes # When a child rewrites the AOF file, if the following option is enabled -# the file will be fsync-ed every 4 MB of data generated. This is useful +# the file will be fsync-ed every 32 MB of data generated. This is useful # in order to commit the file to the disk more incrementally and avoid # big latency spikes. aof-rewrite-incremental-fsync yes # When redis saves RDB file, if the following option is enabled -# the file will be fsync-ed every 4 MB of data generated. This is useful +# the file will be fsync-ed every 32 MB of data generated. This is useful # in order to commit the file to the disk more incrementally and avoid # big latency spikes. rdb-save-incremental-fsync yes @@ -2224,7 +1817,7 @@ rdb-save-incremental-fsync yes # defragmentation process. If you are not sure about what they mean it is # a good idea to leave the defaults untouched. -# Active defragmentation is disabled by default +# Enabled active defragmentation # activedefrag no # Minimum amount of fragmentation waste to start active defrag @@ -2281,11 +1874,4 @@ jemalloc-bg-thread yes # by setting the following config which takes a space delimited list of warnings # to suppress # -# ignore-warnings ARM64-COW-BUG - -# Generated by CONFIG REWRITE -save 3600 1 -save 300 100 -save 60 10000 -latency-tracking-info-percentiles 50 99 99.9 -user default on nopass ~* &* +@all \ No newline at end of file +# ignore-warnings ARM64-COW-BUG \ No newline at end of file diff --git a/apps/redis/versions/7.0.5/conf/redis.conf b/apps/redis/versions/7.0.5/conf/redis.conf index f7340d00..f5c61103 100644 --- a/apps/redis/versions/7.0.5/conf/redis.conf +++ b/apps/redis/versions/7.0.5/conf/redis.conf 
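Review bot: The replacement comment `# Enabled active defragmentation` sits directly above `# activedefrag no` and reads as if defrag were switched on; the removed wording `# Active defragmentation is disabled by default` was accurate and is worth keeping even if the new text mirrors the older upstream file. Dropping the CONFIG REWRITE tail also removes the only explicit `save 3600 1 300 100 60 10000` points visible in this chunk, and since `appendonly no` is set earlier in the same file, snapshot intervals now depend on a `save` directive outside this view or on the compiled-in default — worth confirming the 6.0.16 template still carries one. Removing `user default on nopass ~* &* +@all` does not tighten anything on its own, as `nopass` is already the default user's documented state; authentication still has to come from `requirepass` or an ACL file, neither of which appears in this diff.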
@@ -1,12 +1,3 @@ -# Redis configuration rewrite by 1Panel -timeout 0 -# maxclients 10000 -# maxmemory -save 3600 1 300 100 60 10000 -appendonly no -appendfsync everysec -# End Redis configuration rewrite by 1Panel - # Redis configuration file example. # # Note that in order to read the configuration file, Redis must be @@ -93,7 +84,7 @@ appendfsync everysec # You will also need to set a password unless you explicitly disable protected # mode. # ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -# bind 127.0.0.1 -::1 +bind 0.0.0.0 # By default, outgoing connections (from replica to master, from Sentinel to # instances, cluster bus, etc.) are not bound to a specific local address. In @@ -165,7 +156,7 @@ tcp-backlog 511 # unixsocketperm 700 # Close the connection after a client is idle for N seconds (0 to disable) -# timeout 0 +timeout 0 # TCP keepalive. # @@ -918,10 +909,10 @@ replica-priority 100 # commands. For instance ~* allows all the keys. The pattern # is a glob-style pattern like the one of KEYS. # It is possible to specify multiple patterns. -# %R~ Add key read pattern that specifies which keys can be read +# %R~ Add key read pattern that specifies which keys can be read # from. # %W~ Add key write pattern that specifies which keys can be -# written to. +# written to. # allkeys Alias for ~* # resetkeys Flush the list of allowed keys patterns. # & Add a glob-style pattern of Pub/Sub channels that can be 
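Review bot: `bind 0.0.0.0` opens the listener on every interface while nothing in this diff sets `requirepass` or an ACL, so remote access is gated only by `protected-mode`, whose value is outside this chunk and which the context line right above the directive says must be paired with a password. If the password is injected by the deployment rather than by this file, a comment next to the directive should say so, e.g. `# 1Panel: listens on all interfaces; requirepass/ACL is set by the app deployment`. Separately, `0.0.0.0` is IPv4-only whereas the removed default also bound `::1`; if IPv6 clients are expected, `bind * -::*` is the 7.x spelling for all interfaces.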
@@ -948,10 +939,10 @@ replica-priority 100 # -@all. The user returns to the same state it has immediately # after its creation. # () Create a new selector with the options specified within the -# parentheses and attach it to the user. Each option should be -# space separated. The first character must be ( and the last +# parentheses and attach it to the user. Each option should be +# space separated. The first character must be ( and the last # character must be ). -# clearselectors Remove all of the currently attached selectors. +# clearselectors Remove all of the currently attached selectors. # Note this does not change the "root" user permissions, # which are the permissions directly applied onto the # user (outside the parentheses). @@ -977,7 +968,7 @@ replica-priority 100 # Basically ACL rules are processed left-to-right. # # The following is a list of command categories and their meanings: -# * keyspace - Writing or reading from keys, databases, or their metadata +# * keyspace - Writing or reading from keys, databases, or their metadata # in a type agnostic way. Includes DEL, RESTORE, DUMP, RENAME, EXISTS, DBSIZE, # KEYS, EXPIRE, TTL, FLUSHALL, etc. Commands that may modify the keyspace, # key or metadata will also have `write` category. Commands that only read @@ -1385,7 +1376,7 @@ disable-thp yes # # Please check https://redis.io/topics/persistence for more information. -# appendonly no +appendonly no # The base name of the append only file. # @@ -1444,7 +1435,7 @@ appenddirname "appendonlydir" # If unsure, use "everysec". # appendfsync always -# appendfsync everysec +appendfsync everysec # appendfsync no # When the AOF fsync policy is set to always or everysec, and a background 
@@ -1598,8 +1589,8 @@ aof-timestamp-enabled no
 #
 # cluster-node-timeout 15000
 
-# The cluster port is the port that the cluster bus will listen for inbound connections on. When set
-# to the default value, 0, it will be bound to the command port + 10000. Setting this value requires
+# The cluster port is the port that the cluster bus will listen for inbound connections on. When set
+# to the default value, 0, it will be bound to the command port + 10000. Setting this value requires
 # you to specify the cluster bus port when executing cluster meet.
 # cluster-port 0
 
@@ -1734,12 +1725,12 @@ aof-timestamp-enabled no
 # PubSub message by default. (client-query-buffer-limit default value is 1gb)
 #
 # cluster-link-sendbuf-limit 0
-
-# Clusters can configure their announced hostname using this config. This is a common use case for
+
+# Clusters can configure their announced hostname using this config. This is a common use case for
 # applications that need to use TLS Server Name Indication (SNI) or dealing with DNS based
 # routing. By default this value is only shown as additional metadata in the CLUSTER SLOTS
-# command, but can be changed using 'cluster-preferred-endpoint-type' config. This value is
-# communicated along the clusterbus to all nodes, setting it to an empty string will remove
+# command, but can be changed using 'cluster-preferred-endpoint-type' config. This value is
+# communicated along the clusterbus to all nodes, setting it to an empty string will remove
 # the hostname and also propagate the removal.
 #
 # cluster-announce-hostname ""
@@ -1748,13 +1739,13 @@ aof-timestamp-enabled no
 # a user defined hostname, or by declaring they have no endpoint. Which endpoint is
 # shown as the preferred endpoint is set by using the cluster-preferred-endpoint-type
 # config with values 'ip', 'hostname', or 'unknown-endpoint'. This value controls how
-# the endpoint returned for MOVED/ASKING requests as well as the first field of CLUSTER SLOTS.
-# If the preferred endpoint type is set to hostname, but no announced hostname is set, a '?'
+# the endpoint returned for MOVED/ASKING requests as well as the first field of CLUSTER SLOTS.
+# If the preferred endpoint type is set to hostname, but no announced hostname is set, a '?'
 # will be returned instead.
 #
 # When a cluster advertises itself as having an unknown endpoint, it's indicating that
-# the server doesn't know how clients can reach the cluster. This can happen in certain
-# networking situations where there are multiple possible routes to the node, and the
+# the server doesn't know how clients can reach the cluster. This can happen in certain
+# networking situations where there are multiple possible routes to the node, and the
 # server doesn't know which one the client took. In this case, the server is expecting
 # the client to reach out on the same endpoint it used for making the last request, but use
 # the port provided in the response.
@@ -2067,7 +2058,7 @@ client-output-buffer-limit pubsub 32mb 8mb 60
 # errors or data eviction. To avoid this we can cap the accumulated memory
 # used by all client connections (all pubsub and normal clients). Once we
 # reach that limit connections will be dropped by the server freeing up
-# memory. The server will attempt to drop the connections using the most
+# memory. The server will attempt to drop the connections using the most
 # memory first. We call this mechanism "client eviction".
 #
 # Client eviction is configured using the maxmemory-clients setting as follows:
@@ -2282,4 +2273,4 @@ jemalloc-bg-thread yes
 # by setting the following config which takes a space delimited list of warnings
 # to suppress
 #
-# ignore-warnings ARM64-COW-BUG
+# ignore-warnings ARM64-COW-BUG
\ No newline at end of file