feat: modify nginx WAF

zhengkunwang223 2023-02-20 16:31:16 +08:00
parent 11dc8bc7c8
commit 31fa8a0e6e
23 changed files with 1308 additions and 977 deletions


@ -0,0 +1,9 @@
# Binaries for programs and plugins
*.exe
*.exe~
*.dll
*.so
*.dylib
.idea
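Review bot: the rendered hunk carries no file path, so the only evidence that this is a new `.gitignore` is its content; please confirm in the PR which directory it applies to (module root vs. repository root). The patterns (`*.exe`, `*.exe~`, `*.dll`, `*.so`, `*.dylib`, `.idea`) only cover compiled binaries and JetBrains project files; any other local build or test artifacts the WAF produces would still be staged by `git add .`, so extend the list if there are any.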


@ -0,0 +1,674 @@
GNU GENERAL PUBLIC LICENSE
Version 3, 29 June 2007
Copyright (C) 2007 Free Software Foundation, Inc. <https://fsf.org/>
Everyone is permitted to copy and distribute verbatim copies
of this license document, but changing it is not allowed.
Preamble
The GNU General Public License is a free, copyleft license for
software and other kinds of works.
The licenses for most software and other practical works are designed
to take away your freedom to share and change the works. By contrast,
the GNU General Public License is intended to guarantee your freedom to
share and change all versions of a program--to make sure it remains free
software for all its users. We, the Free Software Foundation, use the
GNU General Public License for most of our software; it applies also to
any other work released this way by its authors. You can apply it to
your programs, too.
When we speak of free software, we are referring to freedom, not
price. Our General Public Licenses are designed to make sure that you
have the freedom to distribute copies of free software (and charge for
them if you wish), that you receive source code or can get it if you
want it, that you can change the software or use pieces of it in new
free programs, and that you know you can do these things.
To protect your rights, we need to prevent others from denying you
these rights or asking you to surrender the rights. Therefore, you have
certain responsibilities if you distribute copies of the software, or if
you modify it: responsibilities to respect the freedom of others.
For example, if you distribute copies of such a program, whether
gratis or for a fee, you must pass on to the recipients the same
freedoms that you received. You must make sure that they, too, receive
or can get the source code. And you must show them these terms so they
know their rights.
Developers that use the GNU GPL protect your rights with two steps:
(1) assert copyright on the software, and (2) offer you this License
giving you legal permission to copy, distribute and/or modify it.
For the developers' and authors' protection, the GPL clearly explains
that there is no warranty for this free software. For both users' and
authors' sake, the GPL requires that modified versions be marked as
changed, so that their problems will not be attributed erroneously to
authors of previous versions.
Some devices are designed to deny users access to install or run
modified versions of the software inside them, although the manufacturer
can do so. This is fundamentally incompatible with the aim of
protecting users' freedom to change the software. The systematic
pattern of such abuse occurs in the area of products for individuals to
use, which is precisely where it is most unacceptable. Therefore, we
have designed this version of the GPL to prohibit the practice for those
products. If such problems arise substantially in other domains, we
stand ready to extend this provision to those domains in future versions
of the GPL, as needed to protect the freedom of users.
Finally, every program is threatened constantly by software patents.
States should not allow patents to restrict development and use of
software on general-purpose computers, but in those that do, we wish to
avoid the special danger that patents applied to a free program could
make it effectively proprietary. To prevent this, the GPL assures that
patents cannot be used to render the program non-free.
The precise terms and conditions for copying, distribution and
modification follow.
TERMS AND CONDITIONS
0. Definitions.
"This License" refers to version 3 of the GNU General Public License.
"Copyright" also means copyright-like laws that apply to other kinds of
works, such as semiconductor masks.
"The Program" refers to any copyrightable work licensed under this
License. Each licensee is addressed as "you". "Licensees" and
"recipients" may be individuals or organizations.
To "modify" a work means to copy from or adapt all or part of the work
in a fashion requiring copyright permission, other than the making of an
exact copy. The resulting work is called a "modified version" of the
earlier work or a work "based on" the earlier work.
A "covered work" means either the unmodified Program or a work based
on the Program.
To "propagate" a work means to do anything with it that, without
permission, would make you directly or secondarily liable for
infringement under applicable copyright law, except executing it on a
computer or modifying a private copy. Propagation includes copying,
distribution (with or without modification), making available to the
public, and in some countries other activities as well.
To "convey" a work means any kind of propagation that enables other
parties to make or receive copies. Mere interaction with a user through
a computer network, with no transfer of a copy, is not conveying.
An interactive user interface displays "Appropriate Legal Notices"
to the extent that it includes a convenient and prominently visible
feature that (1) displays an appropriate copyright notice, and (2)
tells the user that there is no warranty for the work (except to the
extent that warranties are provided), that licensees may convey the
work under this License, and how to view a copy of this License. If
the interface presents a list of user commands or options, such as a
menu, a prominent item in the list meets this criterion.
1. Source Code.
The "source code" for a work means the preferred form of the work
for making modifications to it. "Object code" means any non-source
form of a work.
A "Standard Interface" means an interface that either is an official
standard defined by a recognized standards body, or, in the case of
interfaces specified for a particular programming language, one that
is widely used among developers working in that language.
The "System Libraries" of an executable work include anything, other
than the work as a whole, that (a) is included in the normal form of
packaging a Major Component, but which is not part of that Major
Component, and (b) serves only to enable use of the work with that
Major Component, or to implement a Standard Interface for which an
implementation is available to the public in source code form. A
"Major Component", in this context, means a major essential component
(kernel, window system, and so on) of the specific operating system
(if any) on which the executable work runs, or a compiler used to
produce the work, or an object code interpreter used to run it.
The "Corresponding Source" for a work in object code form means all
the source code needed to generate, install, and (for an executable
work) run the object code and to modify the work, including scripts to
control those activities. However, it does not include the work's
System Libraries, or general-purpose tools or generally available free
programs which are used unmodified in performing those activities but
which are not part of the work. For example, Corresponding Source
includes interface definition files associated with source files for
the work, and the source code for shared libraries and dynamically
linked subprograms that the work is specifically designed to require,
such as by intimate data communication or control flow between those
subprograms and other parts of the work.
The Corresponding Source need not include anything that users
can regenerate automatically from other parts of the Corresponding
Source.
The Corresponding Source for a work in source code form is that
same work.
2. Basic Permissions.
All rights granted under this License are granted for the term of
copyright on the Program, and are irrevocable provided the stated
conditions are met. This License explicitly affirms your unlimited
permission to run the unmodified Program. The output from running a
covered work is covered by this License only if the output, given its
content, constitutes a covered work. This License acknowledges your
rights of fair use or other equivalent, as provided by copyright law.
You may make, run and propagate covered works that you do not
convey, without conditions so long as your license otherwise remains
in force. You may convey covered works to others for the sole purpose
of having them make modifications exclusively for you, or provide you
with facilities for running those works, provided that you comply with
the terms of this License in conveying all material for which you do
not control copyright. Those thus making or running the covered works
for you must do so exclusively on your behalf, under your direction
and control, on terms that prohibit them from making any copies of
your copyrighted material outside their relationship with you.
Conveying under any other circumstances is permitted solely under
the conditions stated below. Sublicensing is not allowed; section 10
makes it unnecessary.
3. Protecting Users' Legal Rights From Anti-Circumvention Law.
No covered work shall be deemed part of an effective technological
measure under any applicable law fulfilling obligations under article
11 of the WIPO copyright treaty adopted on 20 December 1996, or
similar laws prohibiting or restricting circumvention of such
measures.
When you convey a covered work, you waive any legal power to forbid
circumvention of technological measures to the extent such circumvention
is effected by exercising rights under this License with respect to
the covered work, and you disclaim any intention to limit operation or
modification of the work as a means of enforcing, against the work's
users, your or third parties' legal rights to forbid circumvention of
technological measures.
4. Conveying Verbatim Copies.
You may convey verbatim copies of the Program's source code as you
receive it, in any medium, provided that you conspicuously and
appropriately publish on each copy an appropriate copyright notice;
keep intact all notices stating that this License and any
non-permissive terms added in accord with section 7 apply to the code;
keep intact all notices of the absence of any warranty; and give all
recipients a copy of this License along with the Program.
You may charge any price or no price for each copy that you convey,
and you may offer support or warranty protection for a fee.
5. Conveying Modified Source Versions.
You may convey a work based on the Program, or the modifications to
produce it from the Program, in the form of source code under the
terms of section 4, provided that you also meet all of these conditions:
a) The work must carry prominent notices stating that you modified
it, and giving a relevant date.
b) The work must carry prominent notices stating that it is
released under this License and any conditions added under section
7. This requirement modifies the requirement in section 4 to
"keep intact all notices".
c) You must license the entire work, as a whole, under this
License to anyone who comes into possession of a copy. This
License will therefore apply, along with any applicable section 7
additional terms, to the whole of the work, and all its parts,
regardless of how they are packaged. This License gives no
permission to license the work in any other way, but it does not
invalidate such permission if you have separately received it.
d) If the work has interactive user interfaces, each must display
Appropriate Legal Notices; however, if the Program has interactive
interfaces that do not display Appropriate Legal Notices, your
work need not make them do so.
A compilation of a covered work with other separate and independent
works, which are not by their nature extensions of the covered work,
and which are not combined with it such as to form a larger program,
in or on a volume of a storage or distribution medium, is called an
"aggregate" if the compilation and its resulting copyright are not
used to limit the access or legal rights of the compilation's users
beyond what the individual works permit. Inclusion of a covered work
in an aggregate does not cause this License to apply to the other
parts of the aggregate.
6. Conveying Non-Source Forms.
You may convey a covered work in object code form under the terms
of sections 4 and 5, provided that you also convey the
machine-readable Corresponding Source under the terms of this License,
in one of these ways:
a) Convey the object code in, or embodied in, a physical product
(including a physical distribution medium), accompanied by the
Corresponding Source fixed on a durable physical medium
customarily used for software interchange.
b) Convey the object code in, or embodied in, a physical product
(including a physical distribution medium), accompanied by a
written offer, valid for at least three years and valid for as
long as you offer spare parts or customer support for that product
model, to give anyone who possesses the object code either (1) a
copy of the Corresponding Source for all the software in the
product that is covered by this License, on a durable physical
medium customarily used for software interchange, for a price no
more than your reasonable cost of physically performing this
conveying of source, or (2) access to copy the
Corresponding Source from a network server at no charge.
c) Convey individual copies of the object code with a copy of the
written offer to provide the Corresponding Source. This
alternative is allowed only occasionally and noncommercially, and
only if you received the object code with such an offer, in accord
with subsection 6b.
d) Convey the object code by offering access from a designated
place (gratis or for a charge), and offer equivalent access to the
Corresponding Source in the same way through the same place at no
further charge. You need not require recipients to copy the
Corresponding Source along with the object code. If the place to
copy the object code is a network server, the Corresponding Source
may be on a different server (operated by you or a third party)
that supports equivalent copying facilities, provided you maintain
clear directions next to the object code saying where to find the
Corresponding Source. Regardless of what server hosts the
Corresponding Source, you remain obligated to ensure that it is
available for as long as needed to satisfy these requirements.
e) Convey the object code using peer-to-peer transmission, provided
you inform other peers where the object code and Corresponding
Source of the work are being offered to the general public at no
charge under subsection 6d.
A separable portion of the object code, whose source code is excluded
from the Corresponding Source as a System Library, need not be
included in conveying the object code work.
A "User Product" is either (1) a "consumer product", which means any
tangible personal property which is normally used for personal, family,
or household purposes, or (2) anything designed or sold for incorporation
into a dwelling. In determining whether a product is a consumer product,
doubtful cases shall be resolved in favor of coverage. For a particular
product received by a particular user, "normally used" refers to a
typical or common use of that class of product, regardless of the status
of the particular user or of the way in which the particular user
actually uses, or expects or is expected to use, the product. A product
is a consumer product regardless of whether the product has substantial
commercial, industrial or non-consumer uses, unless such uses represent
the only significant mode of use of the product.
"Installation Information" for a User Product means any methods,
procedures, authorization keys, or other information required to install
and execute modified versions of a covered work in that User Product from
a modified version of its Corresponding Source. The information must
suffice to ensure that the continued functioning of the modified object
code is in no case prevented or interfered with solely because
modification has been made.
If you convey an object code work under this section in, or with, or
specifically for use in, a User Product, and the conveying occurs as
part of a transaction in which the right of possession and use of the
User Product is transferred to the recipient in perpetuity or for a
fixed term (regardless of how the transaction is characterized), the
Corresponding Source conveyed under this section must be accompanied
by the Installation Information. But this requirement does not apply
if neither you nor any third party retains the ability to install
modified object code on the User Product (for example, the work has
been installed in ROM).
The requirement to provide Installation Information does not include a
requirement to continue to provide support service, warranty, or updates
for a work that has been modified or installed by the recipient, or for
the User Product in which it has been modified or installed. Access to a
network may be denied when the modification itself materially and
adversely affects the operation of the network or violates the rules and
protocols for communication across the network.
Corresponding Source conveyed, and Installation Information provided,
in accord with this section must be in a format that is publicly
documented (and with an implementation available to the public in
source code form), and must require no special password or key for
unpacking, reading or copying.
7. Additional Terms.
"Additional permissions" are terms that supplement the terms of this
License by making exceptions from one or more of its conditions.
Additional permissions that are applicable to the entire Program shall
be treated as though they were included in this License, to the extent
that they are valid under applicable law. If additional permissions
apply only to part of the Program, that part may be used separately
under those permissions, but the entire Program remains governed by
this License without regard to the additional permissions.
When you convey a copy of a covered work, you may at your option
remove any additional permissions from that copy, or from any part of
it. (Additional permissions may be written to require their own
removal in certain cases when you modify the work.) You may place
additional permissions on material, added by you to a covered work,
for which you have or can give appropriate copyright permission.
Notwithstanding any other provision of this License, for material you
add to a covered work, you may (if authorized by the copyright holders of
that material) supplement the terms of this License with terms:
a) Disclaiming warranty or limiting liability differently from the
terms of sections 15 and 16 of this License; or
b) Requiring preservation of specified reasonable legal notices or
author attributions in that material or in the Appropriate Legal
Notices displayed by works containing it; or
c) Prohibiting misrepresentation of the origin of that material, or
requiring that modified versions of such material be marked in
reasonable ways as different from the original version; or
d) Limiting the use for publicity purposes of names of licensors or
authors of the material; or
e) Declining to grant rights under trademark law for use of some
trade names, trademarks, or service marks; or
f) Requiring indemnification of licensors and authors of that
material by anyone who conveys the material (or modified versions of
it) with contractual assumptions of liability to the recipient, for
any liability that these contractual assumptions directly impose on
those licensors and authors.
All other non-permissive additional terms are considered "further
restrictions" within the meaning of section 10. If the Program as you
received it, or any part of it, contains a notice stating that it is
governed by this License along with a term that is a further
restriction, you may remove that term. If a license document contains
a further restriction but permits relicensing or conveying under this
License, you may add to a covered work material governed by the terms
of that license document, provided that the further restriction does
not survive such relicensing or conveying.
If you add terms to a covered work in accord with this section, you
must place, in the relevant source files, a statement of the
additional terms that apply to those files, or a notice indicating
where to find the applicable terms.
Additional terms, permissive or non-permissive, may be stated in the
form of a separately written license, or stated as exceptions;
the above requirements apply either way.
8. Termination.
You may not propagate or modify a covered work except as expressly
provided under this License. Any attempt otherwise to propagate or
modify it is void, and will automatically terminate your rights under
this License (including any patent licenses granted under the third
paragraph of section 11).
However, if you cease all violation of this License, then your
license from a particular copyright holder is reinstated (a)
provisionally, unless and until the copyright holder explicitly and
finally terminates your license, and (b) permanently, if the copyright
holder fails to notify you of the violation by some reasonable means
prior to 60 days after the cessation.
Moreover, your license from a particular copyright holder is
reinstated permanently if the copyright holder notifies you of the
violation by some reasonable means, this is the first time you have
received notice of violation of this License (for any work) from that
copyright holder, and you cure the violation prior to 30 days after
your receipt of the notice.
Termination of your rights under this section does not terminate the
licenses of parties who have received copies or rights from you under
this License. If your rights have been terminated and not permanently
reinstated, you do not qualify to receive new licenses for the same
material under section 10.
9. Acceptance Not Required for Having Copies.
You are not required to accept this License in order to receive or
run a copy of the Program. Ancillary propagation of a covered work
occurring solely as a consequence of using peer-to-peer transmission
to receive a copy likewise does not require acceptance. However,
nothing other than this License grants you permission to propagate or
modify any covered work. These actions infringe copyright if you do
not accept this License. Therefore, by modifying or propagating a
covered work, you indicate your acceptance of this License to do so.
10. Automatic Licensing of Downstream Recipients.
Each time you convey a covered work, the recipient automatically
receives a license from the original licensors, to run, modify and
propagate that work, subject to this License. You are not responsible
for enforcing compliance by third parties with this License.
An "entity transaction" is a transaction transferring control of an
organization, or substantially all assets of one, or subdividing an
organization, or merging organizations. If propagation of a covered
work results from an entity transaction, each party to that
transaction who receives a copy of the work also receives whatever
licenses to the work the party's predecessor in interest had or could
give under the previous paragraph, plus a right to possession of the
Corresponding Source of the work from the predecessor in interest, if
the predecessor has it or can get it with reasonable efforts.
You may not impose any further restrictions on the exercise of the
rights granted or affirmed under this License. For example, you may
not impose a license fee, royalty, or other charge for exercise of
rights granted under this License, and you may not initiate litigation
(including a cross-claim or counterclaim in a lawsuit) alleging that
any patent claim is infringed by making, using, selling, offering for
sale, or importing the Program or any portion of it.
11. Patents.
A "contributor" is a copyright holder who authorizes use under this
License of the Program or a work on which the Program is based. The
work thus licensed is called the contributor's "contributor version".
A contributor's "essential patent claims" are all patent claims
owned or controlled by the contributor, whether already acquired or
hereafter acquired, that would be infringed by some manner, permitted
by this License, of making, using, or selling its contributor version,
but do not include claims that would be infringed only as a
consequence of further modification of the contributor version. For
purposes of this definition, "control" includes the right to grant
patent sublicenses in a manner consistent with the requirements of
this License.
Each contributor grants you a non-exclusive, worldwide, royalty-free
patent license under the contributor's essential patent claims, to
make, use, sell, offer for sale, import and otherwise run, modify and
propagate the contents of its contributor version.
In the following three paragraphs, a "patent license" is any express
agreement or commitment, however denominated, not to enforce a patent
(such as an express permission to practice a patent or covenant not to
sue for patent infringement). To "grant" such a patent license to a
party means to make such an agreement or commitment not to enforce a
patent against the party.
If you convey a covered work, knowingly relying on a patent license,
and the Corresponding Source of the work is not available for anyone
to copy, free of charge and under the terms of this License, through a
publicly available network server or other readily accessible means,
then you must either (1) cause the Corresponding Source to be so
available, or (2) arrange to deprive yourself of the benefit of the
patent license for this particular work, or (3) arrange, in a manner
consistent with the requirements of this License, to extend the patent
license to downstream recipients. "Knowingly relying" means you have
actual knowledge that, but for the patent license, your conveying the
covered work in a country, or your recipient's use of the covered work
in a country, would infringe one or more identifiable patents in that
country that you have reason to believe are valid.
If, pursuant to or in connection with a single transaction or
arrangement, you convey, or propagate by procuring conveyance of, a
covered work, and grant a patent license to some of the parties
receiving the covered work authorizing them to use, propagate, modify
or convey a specific copy of the covered work, then the patent license
you grant is automatically extended to all recipients of the covered
work and works based on it.
A patent license is "discriminatory" if it does not include within
the scope of its coverage, prohibits the exercise of, or is
conditioned on the non-exercise of one or more of the rights that are
specifically granted under this License. You may not convey a covered
work if you are a party to an arrangement with a third party that is
in the business of distributing software, under which you make payment
to the third party based on the extent of your activity of conveying
the work, and under which the third party grants, to any of the
parties who would receive the covered work from you, a discriminatory
patent license (a) in connection with copies of the covered work
conveyed by you (or copies made from those copies), or (b) primarily
for and in connection with specific products or compilations that
contain the covered work, unless you entered into that arrangement,
or that patent license was granted, prior to 28 March 2007.
Nothing in this License shall be construed as excluding or limiting
any implied license or other defenses to infringement that may
otherwise be available to you under applicable patent law.
12. No Surrender of Others' Freedom.
If conditions are imposed on you (whether by court order, agreement or
otherwise) that contradict the conditions of this License, they do not
excuse you from the conditions of this License. If you cannot convey a
covered work so as to satisfy simultaneously your obligations under this
License and any other pertinent obligations, then as a consequence you may
not convey it at all. For example, if you agree to terms that obligate you
to collect a royalty for further conveying from those to whom you convey
the Program, the only way you could satisfy both those terms and this
License would be to refrain entirely from conveying the Program.
13. Use with the GNU Affero General Public License.
Notwithstanding any other provision of this License, you have
permission to link or combine any covered work with a work licensed
under version 3 of the GNU Affero General Public License into a single
combined work, and to convey the resulting work. The terms of this
License will continue to apply to the part which is the covered work,
but the special requirements of the GNU Affero General Public License,
section 13, concerning interaction through a network will apply to the
combination as such.
14. Revised Versions of this License.
The Free Software Foundation may publish revised and/or new versions of
the GNU General Public License from time to time. Such new versions will
be similar in spirit to the present version, but may differ in detail to
address new problems or concerns.
Each version is given a distinguishing version number. If the
Program specifies that a certain numbered version of the GNU General
Public License "or any later version" applies to it, you have the
option of following the terms and conditions either of that numbered
version or of any later version published by the Free Software
Foundation. If the Program does not specify a version number of the
GNU General Public License, you may choose any version ever published
by the Free Software Foundation.
If the Program specifies that a proxy can decide which future
versions of the GNU General Public License can be used, that proxy's
public statement of acceptance of a version permanently authorizes you
to choose that version for the Program.
Later license versions may give you additional or different
permissions. However, no additional obligations are imposed on any
author or copyright holder as a result of your choosing to follow a
later version.
15. Disclaimer of Warranty.
THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY
APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT
HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY
OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO,
THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM
IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF
ALL NECESSARY SERVICING, REPAIR OR CORRECTION.
16. Limitation of Liability.
IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS
THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY
GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE
USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF
DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD
PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS),
EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF
SUCH DAMAGES.
17. Interpretation of Sections 15 and 16.
If the disclaimer of warranty and limitation of liability provided
above cannot be given local legal effect according to their terms,
reviewing courts shall apply local law that most closely approximates
an absolute waiver of all civil liability in connection with the
Program, unless a warranty or assumption of liability accompanies a
copy of the Program in return for a fee.
END OF TERMS AND CONDITIONS
How to Apply These Terms to Your New Programs
If you develop a new program, and you want it to be of the greatest
possible use to the public, the best way to achieve this is to make it
free software which everyone can redistribute and change under these terms.
To do so, attach the following notices to the program. It is safest
to attach them to the start of each source file to most effectively
state the exclusion of warranty; and each file should have at least
the "copyright" line and a pointer to where the full notice is found.
<one line to give the program's name and a brief idea of what it does.>
Copyright (C) <year> <name of author>
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program. If not, see <https://www.gnu.org/licenses/>.
Also add information on how to contact you by electronic and paper mail.
If the program does terminal interaction, make it output a short
notice like this when it starts in an interactive mode:
<program> Copyright (C) <year> <name of author>
This program comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
This is free software, and you are welcome to redistribute it
under certain conditions; type `show c' for details.
The hypothetical commands `show w' and `show c' should show the appropriate
parts of the General Public License. Of course, your program's commands
might be different; for a GUI interface, you would use an "about box".
You should also get your employer (if you work as a programmer) or school,
if any, to sign a "copyright disclaimer" for the program, if necessary.
For more information on this, and how to apply and follow the GNU GPL, see
<https://www.gnu.org/licenses/>.
The GNU General Public License does not permit incorporating your program
into proprietary programs. If your program is a subroutine library, you
may consider it more useful to permit linking proprietary applications with
the library. If this is what you want to do, use the GNU Lesser General
Public License instead of this License. But first, please read
<https://www.gnu.org/licenses/why-not-lgpl.html>.

View File

@ -0,0 +1,2 @@
# waf
waf 是一个基于 lua-nginx-module(openresty) 的 web 应用防火墙

View File

@ -8,7 +8,7 @@ local method=ngx.req.get_method()
local function optionIsOn(options) local function optionIsOn(options)
return options == "on" or options == "On" or options == "ON" return options == "on" or options == "On" or options == "ON"
end end
local logpath = ngx.var.logdir local logpath = ngx.var.logdir
@ -26,273 +26,297 @@ local CookieDeny = optionIsOn(ngx.var.cookieDeny)
local FileExtDeny = optionIsOn(ngx.var.fileExtDeny) local FileExtDeny = optionIsOn(ngx.var.fileExtDeny)
local function getClientIp() local function getClientIp()
IP = ngx.var.remote_addr IP = ngx.var.remote_addr
if IP == nil then if IP == nil then
IP = "unknown" IP = "unknown"
end end
return IP return IP
end end
local function write(logfile,msg) local function write(logfile,msg)
local fd = io.open(logfile,"ab") local fd = io.open(logfile,"ab")
if fd == nil then return end if fd == nil then return end
fd:write(msg) fd:write(msg)
fd:flush() fd:flush()
fd:close() fd:close()
end end
local function log(method,url,data,ruletag) local function log(method,url,data,ruletag)
if attacklog then if attacklog then
local realIp = getClientIp() local realIp = getClientIp()
local ua = ngx.var.http_user_agent local ua = ngx.var.http_user_agent
local servername=ngx.var.server_name local servername=ngx.var.server_name
local time=ngx.localtime() local time=ngx.localtime()
local line = nil local line = nil
if ua then if ua then
line = realIp.." ["..time.."] \""..method.." "..servername..url.."\" \""..data.."\" \""..ua.."\" \""..ruletag.."\"\n" line = realIp.." ["..time.."] \""..method.." "..servername..url.."\" \""..data.."\" \""..ua.."\" \""..ruletag.."\"\n"
else else
line = realIp.." ["..time.."] \""..method.." "..servername..url.."\" \""..data.."\" - \""..ruletag.."\"\n" line = realIp.." ["..time.."] \""..method.." "..servername..url.."\" \""..data.."\" - \""..ruletag.."\"\n"
end end
local filename = logpath..'/'..servername.."_"..ngx.today().."_sec.log" local filename = logpath..'/'..servername.."_"..ngx.today().."_sec.log"
write(filename,line) write(filename,line)
end end
end end
------------------------------------规则读取函数------------------------------------------------------------------- ------------------------------------规则读取函数-------------------------------------------------------------------
local function read_rule(var) --local function read_rule(var)
file = io.open(rulepath..'/'..var,"r") -- file = io.open(rulepath..'/'..var,"r")
if file==nil then -- if file==nil then
return -- return
end -- end
t = {} -- t = {}
for line in file:lines() do -- for line in file:lines() do
table.insert(t,line) -- table.insert(t,line)
end -- end
file:close() -- file:close()
return(t) -- return(t)
end --end
--local function read_json(var)
-- file = io.open(rulepath..'/'..var,"r")
-- if file==nil then
-- return
-- end
-- str = file:read("*a")
-- file:close()
-- list = cjson.decode(str)
-- return list
--end
local function read_json(var) local function read_json(var)
file = io.open(rulepath..'/'..var,"r") file = io.open(rulepath..'/'..var .. '.json',"r")
if file==nil then if file==nil then
return return
end end
str = file:read("*a") str = file:read("*a")
file:close() file:close()
list = cjson.decode(str) list = cjson.decode(str)
return list return list
end end
local function read_str(var)
file = io.open(rulepath..'/'..var,"r") local function select_rules(rules)
if file==nil then if not rules then return {} end
return new_rules = {}
end for i,v in ipairs(rules) do
local str = file:read("*a") if v[1] == 1 then
file:close() print("111")
return str table.insert(new_rules,v[2])
end
end
return new_rules
end end
local function read_str(var)
file = io.open(rulepath..'/'..var,"r")
if file==nil then
return
end
local str = file:read("*a")
file:close()
return str
end
local argsCheckList=select_rules(read_json('args_check'))
local postCheckList=select_rules(read_json('post_check'))
local cookieBlockList=select_rules(read_json('cookie_block'))
local uarules=select_rules(read_json('user_agent'))
local urlWhiteList=read_rule('urlWhiteList') local urlWhiteList=read_json('url_white')
local urlBlockList=read_rule('urlBlockList') local urlBlockList=read_json('url_block')
local argsCheckList=read_rule('argsCheckList') local ipWhiteList=read_json('ip_white')
local postCheckList=read_rule('postCheckList') local ipBlockList=read_json('ip_block')
local cookieBlockList=read_rule('cookieBlockList') local fileExtBlockList = read_json('file_ext_block')
local ipWhiteList=read_json('ipWhiteList')
local ipBlockList=read_json('ipBlockList')
local ccRate=read_str('ccRate')
local fileExtBlockList = read_json('fileExtBlockList')
local ccRate=read_str('cc.json')
local html=read_str('html') local html=read_str('html')
local uarules=read_rule('user-agent')
local function say_html() local function say_html()
if Redirect then if Redirect then
ngx.header.content_type = "text/html" ngx.header.content_type = "text/html"
ngx.status = ngx.HTTP_FORBIDDEN ngx.status = ngx.HTTP_FORBIDDEN
ngx.say(html) ngx.say(html)
ngx.exit(ngx.status) ngx.exit(ngx.status)
end end
end end
local function whiteurl() local function whiteurl()
if UrlWhiteAllow then if UrlWhiteAllow then
if urlWhiteList ~=nil then if urlWhiteList ~=nil then
for _,rule in pairs(urlWhiteList) do for _,rule in pairs(urlWhiteList) do
if ngxmatch(ngx.var.uri,rule,"isjo") then if ngxmatch(ngx.var.uri,rule,"isjo") then
return true return true
end end
end end
end end
end end
return false return false
end end
local function fileExtCheck(ext) local function fileExtCheck(ext)
if FileExtDeny then if FileExtDeny then
local items = Set(fileExtBlockList) local items = Set(fileExtBlockList)
ext=string.lower(ext) ext=string.lower(ext)
if ext then if ext then
for rule in pairs(items) do for rule in pairs(items) do
if ngx.re.match(ext,rule,"isjo") then if ngx.re.match(ext,rule,"isjo") then
log('POST',ngx.var.request_uri,"-","file attack with ext "..ext) log('POST',ngx.var.request_uri,"-","file attack with ext "..ext)
say_html() say_html()
end end
end end
end end
end end
return false return false
end end
function Set (list) function Set (list)
local set = {} local set = {}
for _, l in ipairs(list) do set[l] = true end for _, l in ipairs(list) do set[l] = true end
return set return set
end end
local function args() local function args()
if ArgsDeny then if ArgsDeny then
if argsCheckList then if argsCheckList then
for _,rule in pairs(argsCheckList) do for _,rule in pairs(argsCheckList) do
local uriArgs = ngx.req.get_uri_args() local uriArgs = ngx.req.get_uri_args()
for key, val in pairs(uriArgs) do for key, val in pairs(uriArgs) do
if type(val)=='table' then if type(val)=='table' then
local t={} local t={}
for k,v in pairs(val) do for k,v in pairs(val) do
if v == true then if v == true then
v="" v=""
end end
table.insert(t,v) table.insert(t,v)
end end
data=table.concat(t, " ") data=table.concat(t, " ")
else else
data=val data=val
end end
if data and type(data) ~= "boolean" and rule ~="" and ngxmatch(unescape(data),rule,"isjo") then if data and type(data) ~= "boolean" and rule ~="" and ngxmatch(unescape(data),rule,"isjo") then
log('GET',ngx.var.request_uri,"-",rule) log('GET',ngx.var.request_uri,"-",rule)
say_html() say_html()
return true return true
end end
end end
end end
end end
end end
return false return false
end end
local function url() local function url()
if UrlBlockDeny then if UrlBlockDeny then
for _,rule in pairs(urlBlockList) do for _,rule in pairs(urlBlockList) do
if rule ~="" and ngxmatch(ngx.var.request_uri,rule,"isjo") then if rule ~="" and ngxmatch(ngx.var.request_uri,rule,"isjo") then
log('GET',ngx.var.request_uri,"-",rule) log('GET',ngx.var.request_uri,"-",rule)
say_html() say_html()
return true return true
end end
end end
end end
return false return false
end end
function ua() function ua()
local ua = ngx.var.http_user_agent local ua = ngx.var.http_user_agent
if ua ~= nil then if ua ~= nil then
for _,rule in pairs(uarules) do for _,rule in pairs(uarules) do
if rule ~="" and ngxmatch(ua,rule,"isjo") then if rule ~="" and ngxmatch(ua,rule,"isjo") then
log('UA',ngx.var.request_uri,"-",rule) log('UA',ngx.var.request_uri,"-",rule)
say_html() say_html()
return true return true
end end
end end
end end
return false return false
end end
function body(data) function body(data)
for _,rule in pairs(postCheckList) do for _,rule in pairs(postCheckList) do
if rule ~="" and data~="" and ngxmatch(unescape(data),rule,"isjo") then if rule ~="" and data~="" and ngxmatch(unescape(data),rule,"isjo") then
log('POST',ngx.var.request_uri,data,rule) log('POST',ngx.var.request_uri,data,rule)
say_html() say_html()
return true return true
end end
end end
return false return false
end end
local function cookie() local function cookie()
local ck = ngx.var.http_cookie local ck = ngx.var.http_cookie
if CookieDeny and ck then if CookieDeny and ck then
for _,rule in pairs(cookieBlockList) do for _,rule in pairs(cookieBlockList) do
if rule ~="" and ngxmatch(ck,rule,"isjo") then if rule ~="" and ngxmatch(ck,rule,"isjo") then
log('Cookie',ngx.var.request_uri,"-",rule) log('Cookie',ngx.var.request_uri,"-",rule)
say_html() say_html()
return true return true
end end
end end
end end
return false return false
end end
local function denycc() local function denycc()
if CCDeny and ccRate then if CCDeny and ccRate then
local uri=ngx.var.uri local uri=ngx.var.uri
CCcount=tonumber(string.match(ccRate,'(.*)/')) CCcount=tonumber(string.match(ccRate,'(.*)/'))
CCseconds=tonumber(string.match(ccRate,'/(.*)')) CCseconds=tonumber(string.match(ccRate,'/(.*)'))
local uri = getClientIp()..uri local uri = getClientIp()..uri
local limit = ngx.shared.limit local limit = ngx.shared.limit
local req,_=limit:get(uri) local req,_=limit:get(uri)
if req then if req then
if req > CCcount then if req > CCcount then
ngx.exit(503) ngx.exit(503)
return true return true
else else
limit:incr(token,1) limit:incr(token,1)
end end
else else
limit:set(uri,1,CCseconds) limit:set(uri,1,CCseconds)
end end
end end
return false return false
end end
local function get_boundary() local function get_boundary()
local header = get_headers()["content-type"] local header = get_headers()["content-type"]
if not header then if not header then
return nil return nil
end end
if type(header) == "table" then if type(header) == "table" then
header = header[1] header = header[1]
end end
local m = match(header, ";%s*boundary=\"([^\"]+)\"") local m = match(header, ";%s*boundary=\"([^\"]+)\"")
if m then if m then
return m return m
end end
return match(header, ";%s*boundary=([^\",;]+)") return match(header, ";%s*boundary=([^\",;]+)")
end end
local function whiteip() local function whiteip()
if IpWhiteAllow then if IpWhiteAllow then
if next(ipWhiteList) ~= nil then if next(ipWhiteList) ~= nil then
for _,ip in pairs(ipWhiteList) do for _,ip in pairs(ipWhiteList) do
if getClientIp()==ip then if getClientIp()==ip then
return true return true
end end
end end
end end
end end
return false return false
end end
local function blockip() local function blockip()
if IpBlockDeny then if IpBlockDeny then
if next(ipBlockList) ~= nil then if next(ipBlockList) ~= nil then
for _,ip in pairs(ipBlockList) do for _,ip in pairs(ipBlockList) do
if getClientIp()==ip then if getClientIp()==ip then
ngx.exit(403) ngx.exit(403)
return true return true
end end
end end
end end
end end
return false return false
end end
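Review bot: `select_rules` (the new helper next to `read_str`) tests `v[1] == 1` and inserts `v[2]`, but every entry in the new rule files has the shape `[pattern, description, enabled]`, so `v[1]` is the regex string, `v[2]` the description and the enabled flag is `v[3]`. The comparison therefore never succeeds, `new_rules` stays empty, and `argsCheckList`, `postCheckList`, `cookieBlockList` and `uarules` are all empty tables, which silently turns `args()`, `body()`, `cookie()` and `ua()` into no-ops. Suggested body: `if v[3] == 1 then table.insert(new_rules, v[1]) end`. In the same function drop the `print("111")` debug line and declare `new_rules` with `local`; as written it is a global shared across requests, and `read_json`/`read_str` do the same with `file`, `str` and `list`. The old `read_rule`/`read_json` bodies are left commented out above the new definitions rather than deleted; remove them. Two unchanged lines are worth fixing while here: `denycc` calls `limit:incr(token,1)` but `token` is never defined (it should be `uri`), so the counter set by `limit:set(uri,1,CCseconds)` is never incremented and the CC limit never trips; and `url()`, `whiteip()` and `blockip()` iterate their lists without the nil guard that `whiteurl()` has, so a missing `url_block`/`ip_white`/`ip_block` JSON file (where `read_json` returns nil) raises a Lua error in `pairs`/`next` instead of skipping the check.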
@ -311,73 +335,73 @@ elseif args() then
elseif cookie() then elseif cookie() then
elseif PostDeny then elseif PostDeny then
if method=="POST" then if method=="POST" then
local boundary = get_boundary() local boundary = get_boundary()
if boundary then if boundary then
local len = string.len local len = string.len
local sock, err = ngx.req.socket() local sock, err = ngx.req.socket()
if not sock then if not sock then
return return
end end
ngx.req.init_body(128 * 1024) ngx.req.init_body(128 * 1024)
sock:settimeout(0) sock:settimeout(0)
local content_length = nil local content_length = nil
content_length=tonumber(ngx.req.get_headers()['content-length']) content_length=tonumber(ngx.req.get_headers()['content-length'])
local chunk_size = 4096 local chunk_size = 4096
if content_length < chunk_size then if content_length < chunk_size then
chunk_size = content_length chunk_size = content_length
end end
local size = 0 local size = 0
while size < content_length do while size < content_length do
local data, err, partial = sock:receive(chunk_size) local data, err, partial = sock:receive(chunk_size)
data = data or partial data = data or partial
if not data then if not data then
return return
end end
ngx.req.append_body(data) ngx.req.append_body(data)
if body(data) then if body(data) then
return true return true
end end
size = size + len(data) size = size + len(data)
local m = ngxmatch(data,[[Content-Disposition: form-data;(.+)filename="(.+)\\.(.*)"]],'ijo') local m = ngxmatch(data,[[Content-Disposition: form-data;(.+)filename="(.+)\\.(.*)"]],'ijo')
if m then if m then
fileExtCheck(m[3]) fileExtCheck(m[3])
filetranslate = true filetranslate = true
else else
if ngxmatch(data,"Content-Disposition:",'isjo') then if ngxmatch(data,"Content-Disposition:",'isjo') then
filetranslate = false filetranslate = false
end end
if filetranslate==false then if filetranslate==false then
if body(data) then if body(data) then
return true return true
end end
end end
end end
local less = content_length - size local less = content_length - size
if less < chunk_size then if less < chunk_size then
chunk_size = less chunk_size = less
end end
end end
ngx.req.finish_body() ngx.req.finish_body()
else else
ngx.req.read_body() ngx.req.read_body()
local args = ngx.req.get_post_args() local args = ngx.req.get_post_args()
if not args then if not args then
return return
end end
for key, val in pairs(args) do for key, val in pairs(args) do
if type(val) == "table" then if type(val) == "table" then
if type(val[1]) == "boolean" then if type(val[1]) == "boolean" then
return return
end end
data=table.concat(val, ", ") data=table.concat(val, ", ")
else else
data=val data=val
end end
if data and type(data) ~= "boolean" and body(data) then if data and type(data) ~= "boolean" and body(data) then
body(key) body(key)
end end
end end
end end
end end
else else
return return
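Review bot: although this hunk shows no textual change, the POST path still does `content_length=tonumber(ngx.req.get_headers()['content-length'])` and then `if content_length < chunk_size`, so a multipart request without a `Content-Length` header (for example a chunked upload) makes `content_length` nil and the comparison raises a Lua error rather than falling through to `ngx.req.read_body()`. Guard with `if not content_length then return end` (or read the body the non-socket way) before the comparison. In the non-multipart branch the result of the second `body(key)` call is discarded, so a match on the parameter name is logged by `body()` but never returned as a block decision; either `return true` on it or drop the call.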

View File

@ -1,22 +0,0 @@
\.\./
\:\$
\$\{
select.+(from|limit)
(?:(union(.*?)select))
having|rongjitest
sleep\((\s*)(\d*)(\s*)\)
benchmark\((.*)\,(.*)\)
base64_decode\(
(?:from\W+information_schema\W)
(?:(?:current_)user|database|schema|connection_id)\s*\(
(?:etc\/\W*passwd)
into(\s+)+(?:dump|out)file\s*
group\s+by.+\(
xwork.MethodAccessor
(?:define|eval|file_get_contents|include|require|require_once|shell_exec|phpinfo|system|passthru|preg_\w+|execute|echo|print|print_r|var_dump|(fp)open|alert|showmodaldialog)\(
xwork\.MethodAccessor
(gopher|doc|php|glob|file|phar|zlib|ftp|ldap|dict|ogg|data)\:\/
java\.lang
\$_(GET|post|cookie|files|session|env|phplib|GLOBALS|SERVER)\[
\<(iframe|script|body|img|layer|div|meta|style|base|object|input)
(onmouseover|onerror|onload)\=

View File

@ -0,0 +1,26 @@
[
["\\.\\./\\.\\./", "\u76ee\u5f55\u4fdd\u62a41", 1 ],
["(?:etc\\/\\W*passwd)", "\u76ee\u5f55\u4fdd\u62a43", 1 ],
["(gopher|doc|php|glob|^file|phar|zlib|ftp|ldap|dict|ogg|data)\\:\\/", "PHP\u6d41\u534f\u8bae\u8fc7\u6ee41", 1 ],
["base64_decode\\(", "\u4e00\u53e5\u8bdd\u6728\u9a6c\u8fc7\u6ee43", 1],
["(?:define|eval|file_get_contents|include|require|require_once|shell_exec|phpinfo|system|passthru|char|chr|preg_\\w+|execute|echo|print|print_r|var_dump|(fp)open|alert|showmodaldialog)\\(", "\u4e00\u53e5\u8bdd\u6728\u9a6c\u8fc7\u6ee44", 1 ],
["\\$_(GET|post|cookie|files|session|env|phplib|GLOBALS|SERVER)\\[", "\u4e00\u53e5\u8bdd\u6728\u9a6c\u8fc7\u6ee45", 1],
["select.+(from|limit)", "SQL\u6ce8\u5165\u8fc7\u6ee42", 1 ],
["(?:(union(.*?)select))", "SQL\u6ce8\u5165\u8fc7\u6ee43", 1 ],
["benchmark\\((.*)\\,(.*)\\)", "SQL\u6ce8\u5165\u8fc7\u6ee46", 1],
["(?:from\\W+information_schema\\W)", "SQL\u6ce8\u5165\u8fc7\u6ee47", 1],
["(?:(?:current_)user|database|concat|extractvalue|polygon|updatexml|geometrycollection|schema|multipoint|multipolygon|connection_id|linestring|multilinestring|exp|right|sleep|group_concat|load_file|benchmark|file_put_contents|urldecode|system|file_get_contents|select|substring|substr|fopen|popen|phpinfo|user|alert|scandir|shell_exec|eval|execute|concat_ws|strcmp|right)\\s*\\(", "SQL\u6ce8\u5165\u8fc7\u6ee48", 1 ],
["\\<(iframe|script|body|img|layer|div|meta|style|base|object)", "XSS\u8fc7\u6ee41", 1],
["(invokefunction|call_user_func_array|\\\\think\\\\)", "ThinkPHP payload\u5c01\u5835", 1 ],
["^url_array\\[.*\\]$", "Metinfo6.x XSS\u6f0f\u6d1e", 1],
["(extractvalue\\(|concat\\(0x|user\\(\\)|substring\\(|count\\(\\*\\)|substring\\(hex\\(|updatexml\\()", "SQL\u62a5\u9519\u6ce8\u5165\u8fc7\u6ee401", 1],
["(@@version|load_file\\(|NAME_CONST\\(|exp\\(\\~|floor\\(rand\\(|geometrycollection\\(|multipoint\\(|polygon\\(|multipolygon\\(|linestring\\(|multilinestring\\()", "SQL\u62a5\u9519\u6ce8\u5165\u8fc7\u6ee402", 1],
["(ORD\\(|MID\\(|IFNULL\\(|CAST\\(|CHAR\\()", "SQL\u6ce8\u5165\u8fc7\u6ee41", 1],
["(EXISTS\\(|SELECT\\#|\\(SELECT)", "SQL\u6ce8\u5165\u8fc7\u6ee41", 1],
["(bin\\(|ascii\\(|benchmark\\(|concat_ws\\(|group_concat\\(|strcmp\\(|left\\(|datadir\\(|greatest\\()", "SQL\u62a5\u9519\u6ce8\u5165\u8fc7\u6ee401", 1],
["(?:from.+?information_schema.+?)", "", 1],
["(array_map\\(\"ass)", "\u83dc\u5200\u6d41\u91cf\u8fc7\u6ee4", 1],
["'$", "test", 1],
["\\${jndi:", "log4j2\u62e6\u622a", 1 ],
["terrewrewrwr", "", 1]
]
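Review bot: two entries look like leftover test data and should not ship: `["'$", "test", 1]` blocks any argument value that ends with an apostrophe (a surname or a quoted search term is enough), and `["terrewrewrwr", "", 1]` matches nothing useful. `["(?:from.+?information_schema.+?)", "", 1]` has an empty description and overlaps the `(?:from\\W+information_schema\\W)` rule above it. Compared with the deleted `argsCheckList` in the previous file, the rules `\:\$`, the generic `\$\{` (only the `\\${jndi:` form is kept), `having|rongjitest`, `into(\s+)+(?:dump|out)file\s*`, `group\s+by.+\(`, `xwork.MethodAccessor`, `java\.lang` and the `(onmouseover|onerror|onload)\=` event-handler rule are not carried over, and `input` was dropped from the tag list in the XSS rule; if that is intentional, say so in the commit message, otherwise port them in the new format. The labels `SQL注入过滤1` and `SQL报错注入过滤01` are each used twice, which will be ambiguous if the label is ever surfaced in the log line.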

View File

@ -1,20 +0,0 @@
\.\./
\:\$
\$\{
select.+(from|limit)
(?:(union(.*?)select))
having|rongjitest
sleep\((\s*)(\d*)(\s*)\)
benchmark\((.*)\,(.*)\)
base64_decode\(
(?:from\W+information_schema\W)
(?:(?:current_)user|database|schema|connection_id)\s*\(
(?:etc\/\W*passwd)
into(\s+)+(?:dump|out)file\s*
group\s+by.+\(
xwork.MethodAccessor
(?:define|eval|file_get_contents|include|require|require_once|shell_exec|phpinfo|system|passthru|preg_\w+|execute|echo|print|print_r|var_dump|(fp)open|alert|showmodaldialog)\(
xwork\.MethodAccessor
(gopher|doc|php|glob|file|phar|zlib|ftp|ldap|dict|ogg|data)\:\/
java\.lang
\$_(GET|post|cookie|files|session|env|phplib|GLOBALS|SERVER)\[

View File

@ -0,0 +1,12 @@
[
["base64_decode\\(","一句话木马过滤3",1],
["\\$_(GET|post|cookie|files|session|env|phplib|GLOBALS|SERVER)\\[","一句话木马过滤5",1],
["select.+(from|limit)","SQL注入过滤2",1],
["(?:(union(.*?)select))","SQL注入过滤3",1],
["sleep\\((\\s*)(\\d*)(\\s*)\\)","SQL注入过滤5",1],
["benchmark\\((.*)\\,(.*)\\)","SQL注入过滤6",1],
["(?:from\\W+information_schema\\W)","SQL注入过滤7",1],
["(?:(?:current_)user|database|schema|connection_id)\\s*\\(","SQL注入过滤8",1],
["into(\\s+)+(?:dump|out)file\\s*","SQL注入过滤9",1],
["group\\s+by.+\\(","SQL注入过滤10",1]
]
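Review bot: against the deleted list in the previous file, this file keeps only the SQL rules plus `base64_decode\\(` and the `$_` superglobal rule; `\.\./`, `\:\$`, `\$\{`, `having|rongjitest`, `(?:etc\/\W*passwd)`, the PHP function-call rule, the `(gopher|doc|php|...)\:\/` stream-wrapper rule, `xwork.MethodAccessor` and `java\.lang` are gone. Since `body()` is the only check run over POST bodies and over each multipart chunk, the POST side now detects none of the path-traversal, PHP function-call or stream-wrapper patterns that args_check.json still has. If the trim is deliberate, document it; otherwise port the missing rules. Minor: descriptions here are raw UTF-8 while the other new rule files use `\u` escapes; both are valid JSON, but pick one convention.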

View File

@ -0,0 +1 @@
["1.1.1.1"]
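Review bot: this list ships a real public address as its only default entry. The file name is not shown in this view, but the only consumers of a flat IP list are `read_json('ip_white')` and `read_json('ip_block')`, so on a fresh install either that host is treated as trusted by `whiteip()` (which returns true and short-circuits the remaining checks) or it is rejected with 403 by `blockip()`. Ship an empty `[]` like the other new list in this commit and let the operator add entries.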

View File

@ -1,19 +0,0 @@
select.+(from|limit)
(?:(union(.*?)select))
having|rongjitest
sleep\((\s*)(\d*)(\s*)\)
benchmark\((.*)\,(.*)\)
base64_decode\(
(?:from\W+information_schema\W)
(?:(?:current_)user|database|schema|connection_id)\s*\(
(?:etc\/\W*passwd)
into(\s+)+(?:dump|out)file\s*
group\s+by.+\(
xwork.MethodAccessor
(?:define|eval|file_get_contents|include|require|require_once|shell_exec|phpinfo|system|passthru|preg_\w+|execute|echo|print|print_r|var_dump|(fp)open|alert|showmodaldialog)\(
xwork\.MethodAccessor
(gopher|doc|php|glob|file|phar|zlib|ftp|ldap|dict|ogg|data)\:\/
java\.lang
\$_(GET|post|cookie|files|session|env|phplib|GLOBALS|SERVER)\[
\<(iframe|script|body|img|layer|div|meta|style|base|object|input)
(onmouseover|onerror|onload)\=

View File

@ -0,0 +1,22 @@
[
["\\.\\./\\.\\./", "\u76ee\u5f55\u4fdd\u62a41", 1],
["(?:etc\\/\\W*passwd)", "\u76ee\u5f55\u4fdd\u62a43", 1],
["(gopher|doc|php|glob|^file|phar|zlib|ftp|ldap|dict|ogg|data)\\:\\/", "PHP\u6d41\u534f\u8bae\u8fc7\u6ee41", 1],
["base64_decode\\(", "\u4e00\u53e5\u8bdd*\u5c4f\u853d\u7684\u5173\u952e\u5b57*\u8fc7\u6ee41", 1],
["(?:define|eval|file_get_contents|include|require_once|shell_exec|phpinfo|system|passthru|chr|char|preg_\\w+|execute|echo|print|print_r|var_dump|(fp)open|alert|showmodaldialog|file_put_contents|fopen|urldecode|scandir)\\(", "\u4e00\u53e5\u8bdd*\u5c4f\u853d\u7684\u5173\u952e\u5b57*\u8fc7\u6ee42", 1],
["\\$_(GET|post|cookie|files|session|env|phplib|GLOBALS|SERVER)", "\u4e00\u53e5\u8bdd*\u5c4f\u853d\u7684\u5173\u952e\u5b57*\u8fc7\u6ee43", 1],
["select.+(from|limit)", "SQL\u6ce8\u5165\u8fc7\u6ee42",1],
["(?:(union(.*?)select))", "SQL\u6ce8\u5165\u8fc7\u6ee43",1],
["benchmark\\((.*)\\,(.*)\\)", "SQL\u6ce8\u5165\u8fc7\u6ee46", 1],
["(?:from\\W+information_schema\\W)", "SQL\u6ce8\u5165\u8fc7\u6ee47", 1],
["(?:(?:current_)user|database|concat|extractvalue|polygon|updatexml|geometrycollection|schema|multipoint|multipolygon|connection_id|linestring|multilinestring|exp|right|sleep|group_concat|load_file|benchmark|file_put_contents|urldecode|system|file_get_contents|select|substring|substr|fopen|popen|phpinfo|user|alert|scandir|shell_exec|eval|execute|concat_ws|strcmp|right)\\s*\\(", "SQL\u6ce8\u5165\u8fc7\u6ee48",1],
["(extractvalue\\(|concat\\(|user\\(\\)|substring\\(|count\\(\\*\\)|substring\\(hex\\(|updatexml\\()", "SQL\u62a5\u9519\u6ce8\u5165\u8fc7\u6ee401", 1],
["(@@version|load_file\\(|NAME_CONST\\(|exp\\(\\~|floor\\(rand\\(|geometrycollection\\(|multipoint\\(|polygon\\(|multipolygon\\(|linestring\\(|multilinestring\\(|right\\()", "SQL\u62a5\u9519\u6ce8\u5165\u8fc7\u6ee402", 1],
["(substr\\()", "SQL\u6ce8\u5165\u8fc7\u6ee410", 1],
["(ORD\\(|MID\\(|IFNULL\\(|CAST\\(|CHAR\\()", "SQL\u6ce8\u5165\u8fc7\u6ee41", 1],
["(EXISTS\\(|SELECT\\#|\\(SELECT|select\\()", "SQL\u6ce8\u5165\u8fc7\u6ee41", 1],
["(array_map\\(\"ass)", "\u83dc\u5200\u6d41\u91cf\u8fc7\u6ee4", 1],
["(bin\\(|ascii\\(|benchmark\\(|concat_ws\\(|group_concat\\(|strcmp\\(|left\\(|datadir\\(|greatest\\()", "SQL\u62a5\u9519\u6ce8\u5165\u8fc7\u6ee401", 1],
["(?:from.+?information_schema.+?)", "", 1],
["\\${jndi:", "log4j2\u62e6\u622a", 1]
]
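Review bot: `["\\$_(GET|post|cookie|files|session|env|phplib|GLOBALS|SERVER)", ...]` lost the trailing `\\[` that both the deleted cookie list and the args_check.json version have, so the bare text `$_SERVER` anywhere in a cookie value now blocks the request. The three descriptions of the form `一句话*屏蔽的关键字*过滤N` still contain their `*...*` placeholder text, and `["(?:from.+?information_schema.+?)", "", 1]` has an empty description. Because `cookie()` runs every regex over the whole raw `Cookie` header, the short function-name alternations here are broader than their args counterparts: `concat\\(` is used where args_check.json has `concat\\(0x`, and `right\\(` and `substr\\(` appear as standalone rules; consider aligning them with args_check.json to keep false positives down.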

View File

@ -1,6 +0,0 @@
\.(svn|htaccess|bash_history)
\.(bak|inc|old|mdb|sql|backup|java|class)$
(vhost|bbs|host|wwwroot|www|site|root|hytop|flashfxp).*\.rar
(phpmyadmin|jmx-console|jmxinvokerservlet)
java\.lang
/(attachments|upimg|images|css|uploadfiles|html|uploads|templets|static|template|data|inc|forumdata|upload|includes|cache|avatar)/(\\w+).(php|jsp)

View File

@ -0,0 +1 @@
[]
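Review bot: the six patterns from the deleted list just above (`\.(svn|htaccess|bash_history)`, the `\.(bak|inc|old|mdb|sql|backup|java|class)$` extensions, the `*.rar` dump names, `(phpmyadmin|jmx-console|jmxinvokerservlet)`, `java\.lang` and script files under upload/static directories) are replaced by an empty array. If this is the new `url_block.json`, then with `UrlBlockDeny` on the `url()` check now matches nothing until an operator adds rules. If the intent is to let the operator populate it, say so; otherwise port the old patterns as plain strings (this list is read with `read_json` directly, not through `select_rules`, so entries must be pattern strings, not `[pattern, description, flag]` triples).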

View File

@ -1 +0,0 @@
(HTTrack|harvest|audit|dirbuster|pangolin|nmap|sqln|-scan|hydra|Parser|libwww|BBBike|sqlmap|w3af|owasp|Nikto|fimap|havij|PycURL|zmeu|BabyKrokodil|netsparker|httperf|bench| SF/)

View File

@ -0,0 +1,17 @@
[
["(WPScan|HTTrack|antSword|harvest|audit|dirbuster|pangolin|nmap|sqln|hydra|Parser|libwww|BBBike|sqlmap|w3af|owasp|Nikto|fimap|havij|zmeu|BabyKrokodil|netsparker|httperf| SF/)", "\u5173\u952e\u8bcd\u8fc7\u6ee41", 1],
["(?:define|eval|file_get_contents|include|require_once|shell_exec|phpinfo|system|passthru|chr|char|preg_\\w+|execute|echo|print|print_r|var_dump|(fp)open|alert|showmodaldialog|file_put_contents|fopen|urldecode|scandir)\\(", "\u4e00\u53e5\u8bdd*\u5c4f\u853d\u7684\u5173\u952e\u5b57*\u8fc7\u6ee42", 1],
["\\$_(GET|post|cookie|files|session|env|phplib|GLOBALS|SERVER)", "\u4e00\u53e5\u8bdd*\u5c4f\u853d\u7684\u5173\u952e\u5b57*\u8fc7\u6ee43", 1],
["select\\s+.+(from|limit)\\s+", "SQL\u6ce8\u5165\u8fc7\u6ee42", 1],
["(?:(union(.*?)select))", "SQL\u6ce8\u5165\u8fc7\u6ee43", 1],
["benchmark\\((.*)\\,(.*)\\)", "SQL\u6ce8\u5165\u8fc7\u6ee46", 1],
["(?:from\\W+information_schema\\W)", "SQL\u6ce8\u5165\u8fc7\u6ee47", 1],
["(?:(?:current_)user|database|schema|connection_id)\\s*\\(", "SQL\u6ce8\u5165\u8fc7\u6ee48", 1],
["(extractvalue\\(|concat\\(0x|user\\(\\)|substring\\(|count\\(\\*\\)|substring\\(hex\\(|updatexml\\()", "SQL\u62a5\u9519\u6ce8\u5165\u8fc7\u6ee401", 1],
["(@@version|load_file\\(|NAME_CONST\\(|exp\\(\\~|floor\\(rand\\(|geometrycollection\\(|multipoint\\(|polygon\\(|multipolygon\\(|linestring\\(|multilinestring\\()", "SQL\u62a5\u9519\u6ce8\u5165\u8fc7\u6ee402", 1],
["(substr\\()", "SQL\u6ce8\u5165\u8fc7\u6ee410", 1],
["(ORD\\(|MID\\(|IFNULL\\(|CAST\\(|CHAR\\))", "SQL\u6ce8\u5165\u8fc7\u6ee41", 1],
["(EXISTS\\(|SELECT\\#|\\(SELECT)", "SQL\u6ce8\u5165\u8fc7\u6ee41", 1],
["(array_map\\(\"ass)", "\u83dc\u5200\u6d41\u91cf\u8fc7\u6ee4", 1],
["(bin\\(|ascii\\(|benchmark\\(|concat_ws\\(|group_concat\\(|strcmp\\(|left\\(|datadir\\(|greatest\\()", "SQL\u62a5\u9519\u6ce8\u5165\u8fc7\u6ee401", 1]
]
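Review bot: `(ORD\\(|MID\\(|IFNULL\\(|CAST\\(|CHAR\\))` ends in `CHAR\\)` where the equivalent rule in args_check.json and cookie_block.json has `CHAR\\(`; as written it matches the text `CHAR)` and never `CHAR(`. Compared with the deleted one-line list, `PycURL`, `-scan` and `bench` are dropped and `WPScan`/`antSword` are added; note that in the commit message. The SQL and PHP payload rules copied from the argument list are now also applied to the User-Agent header, and `ua()` is the one check without a `*Deny` switch in front of it, so any false positive from these rules cannot be turned off by configuration; either gate `ua()` the same way as `args()` and `cookie()` or keep this list to scanner signatures.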

View File

@ -0,0 +1,35 @@
local cjson = require "cjson"
local rulepath = "rules"
local function read_json(var)
file = io.open(rulepath..'/'..var .. '.json',"r")
if file==nil then
return
end
str = file:read("*a")
file:close()
list = cjson.decode(str)
return list
end
local function select_rules(rules)
if not rules then return {} end
new_rules = {}
for i,v in ipairs(rules) do
if v[1] == 1 then
print("111")
table.insert(new_rules,v[2])
end
end
return new_rules
end
local rules = select_rules(read_json('user_agent'))
for _,v in ipairs(rules) do
print(v)
end
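Review bot: this script duplicates `select_rules` with the same `v[1] == 1` / `v[2]` mix-up as the main file, so run against the shipped user_agent.json it prints nothing, which is exactly the symptom that should have flagged the bug; fix both copies (`v[3] == 1`, insert `v[1]`) or, better, require the helper from one place so the test exercises the real code. Drop `print("111")`, make `new_rules`, `file`, `str` and `list` local, and note that `rulepath = "rules"` is resolved relative to the working directory. If this is a throwaway, keep it out of the WAF commit.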

View File

@ -1,12 +1,3 @@
# Redis configuration rewrite by 1Panel
timeout 0
# maxclients 10000
# maxmemory <bytes>
save 3600 1 300 100 60 10000
appendonly no
appendfsync everysec
# End Redis configuration rewrite by 1Panel
# Redis configuration file example. # Redis configuration file example.
# #
# Note that in order to read the configuration file, Redis must be # Note that in order to read the configuration file, Redis must be
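Review bot: this hunk deletes the `# Redis configuration rewrite by 1Panel` block (`timeout 0`, `save 3600 1 300 100 60 10000`, `appendonly no`, `appendfsync everysec`) from a file that has nothing to do with the nginx WAF named in the commit message. If the revert is intended, move it to its own commit and state why the snapshot and AOF settings are being dropped, since the file now falls back to the template's own values for them.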
@ -41,17 +32,8 @@ appendfsync everysec
# If instead you are interested in using includes to override configuration # If instead you are interested in using includes to override configuration
# options, it is better to use include as the last line. # options, it is better to use include as the last line.
# #
# Included paths may contain wildcards. All files matching the wildcards will
# be included in alphabetical order.
# Note that if an include path contains a wildcards but no files match it when
# the server is started, the include statement will be ignored and no error will
# be emitted. It is safe, therefore, to include wildcard files from empty
# directories.
#
# include /path/to/local.conf # include /path/to/local.conf
# include /path/to/other.conf # include /path/to/other.conf
# include /path/to/fragments/*.conf
#
################################## MODULES ##################################### ################################## MODULES #####################################
@ -67,80 +49,42 @@ appendfsync everysec
# for connections from all available network interfaces on the host machine. # for connections from all available network interfaces on the host machine.
# It is possible to listen to just one or multiple selected interfaces using # It is possible to listen to just one or multiple selected interfaces using
# the "bind" configuration directive, followed by one or more IP addresses. # the "bind" configuration directive, followed by one or more IP addresses.
# Each address can be prefixed by "-", which means that redis will not fail to
# start if the address is not available. Being not available only refers to
# addresses that does not correspond to any network interface. Addresses that
# are already in use will always fail, and unsupported protocols will always BE
# silently skipped.
# #
# Examples: # Examples:
# #
# bind 192.168.1.100 10.0.0.1 # listens on two specific IPv4 addresses # bind 192.168.1.100 10.0.0.1
# bind 127.0.0.1 ::1 # listens on loopback IPv4 and IPv6 # bind 127.0.0.1 ::1
# bind * -::* # like the default, all available interfaces
# #
# ~~~ WARNING ~~~ If the computer running Redis is directly exposed to the # ~~~ WARNING ~~~ If the computer running Redis is directly exposed to the
# internet, binding to all the interfaces is dangerous and will expose the # internet, binding to all the interfaces is dangerous and will expose the
# instance to everybody on the internet. So by default we uncomment the # instance to everybody on the internet. So by default we uncomment the
# following bind directive, that will force Redis to listen only on the # following bind directive, that will force Redis to listen only on the
# IPv4 and IPv6 (if available) loopback interface addresses (this means Redis # IPv4 loopback interface address (this means Redis will only be able to
# will only be able to accept client connections from the same host that it is # accept client connections from the same host that it is running on).
# running on).
# #
# IF YOU ARE SURE YOU WANT YOUR INSTANCE TO LISTEN TO ALL THE INTERFACES # IF YOU ARE SURE YOU WANT YOUR INSTANCE TO LISTEN TO ALL THE INTERFACES
# COMMENT OUT THE FOLLOWING LINE. # JUST COMMENT OUT THE FOLLOWING LINE.
#
# You will also need to set a password unless you explicitly disable protected
# mode.
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ # ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
# bind 127.0.0.1 -::1 bind 0.0.0.0
# By default, outgoing connections (from replica to master, from Sentinel to
# instances, cluster bus, etc.) are not bound to a specific local address. In
# most cases, this means the operating system will handle that based on routing
# and the interface through which the connection goes out.
#
# Using bind-source-addr it is possible to configure a specific address to bind
# to, which may also affect how the connection gets routed.
#
# Example:
#
# bind-source-addr 10.0.0.1
# Protected mode is a layer of security protection, in order to avoid that # Protected mode is a layer of security protection, in order to avoid that
# Redis instances left open on the internet are accessed and exploited. # Redis instances left open on the internet are accessed and exploited.
# #
# When protected mode is on and the default user has no password, the server # When protected mode is on and if:
# only accepts local connections from the IPv4 address (127.0.0.1), IPv6 address #
# (::1) or Unix domain sockets. # 1) The server is not binding explicitly to a set of addresses using the
# "bind" directive.
# 2) No password is configured.
#
# The server only accepts connections from clients connecting from the
# IPv4 and IPv6 loopback addresses 127.0.0.1 and ::1, and from Unix domain
# sockets.
# #
# By default protected mode is enabled. You should disable it only if # By default protected mode is enabled. You should disable it only if
# you are sure you want clients from other hosts to connect to Redis # you are sure you want clients from other hosts to connect to Redis
# even if no authentication is configured. # even if no authentication is configured, nor a specific set of interfaces
protected-mode no # are explicitly listed using the "bind" directive.
protected-mode yes
# Redis uses default hardened security configuration directives to reduce the
# attack surface on innocent users. Therefore, several sensitive configuration
# directives are immutable, and some potentially-dangerous commands are blocked.
#
# Configuration directives that control files that Redis writes to (e.g., 'dir'
# and 'dbfilename') and that aren't usually modified during runtime
# are protected by making them immutable.
#
# Commands that can increase the attack surface of Redis and that aren't usually
# called by users are blocked by default.
#
# These can be exposed to either all connections or just local ones by setting
# each of the configs listed below to either of these values:
#
# no - Block for any connection (remain immutable)
# yes - Allow for any connection (no protection)
# local - Allow only for local connections. Ones originating from the
# IPv4 address (127.0.0.1), IPv6 address (::1) or Unix domain sockets.
#
# enable-protected-configs no
# enable-debug-command no
# enable-module-command no
# Accept connections on the specified port, default is 6379 (IANA #815344). # Accept connections on the specified port, default is 6379 (IANA #815344).
# If port 0 is specified Redis will not listen on a TCP socket. # If port 0 is specified Redis will not listen on a TCP socket.
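Review bot: the new `bind 0.0.0.0` paired with `protected-mode yes` still leaves the instance reachable without authentication from any host that can route to it. By the protected-mode wording adopted on the new side of this hunk, the loopback-only restriction applies only when the server is not binding explicitly via `bind` and no password is configured; an explicit `bind 0.0.0.0` defeats the first condition, and `requirepass` remains commented out later in this file (`# requirepass foobared`). Suggest either keeping the loopback bind (`bind 127.0.0.1 -::1`), binding to the internal/container network address only, or setting `requirepass` (or an ACL user with a password) before the port is published. The hunk also drops the `enable-protected-configs` / `enable-debug-command` / `enable-module-command` comments; their `no` defaults are unaffected, but they are the documented knobs for keeping `dir`/`dbfilename` immutable and DEBUG/MODULE blocked, so they are worth keeping as reference if the packaged Redis supports them.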
@ -161,11 +105,11 @@ tcp-backlog 511
# incoming connections. There is no default, so Redis will not listen # incoming connections. There is no default, so Redis will not listen
# on a unix socket when not specified. # on a unix socket when not specified.
# #
# unixsocket /run/redis.sock # unixsocket /tmp/redis.sock
# unixsocketperm 700 # unixsocketperm 700
# Close the connection after a client is idle for N seconds (0 to disable) # Close the connection after a client is idle for N seconds (0 to disable)
# timeout 0 timeout 0
# TCP keepalive. # TCP keepalive.
# #
@ -184,16 +128,6 @@ tcp-backlog 511
# Redis default starting with Redis 3.2.1. # Redis default starting with Redis 3.2.1.
tcp-keepalive 300 tcp-keepalive 300
# Apply OS-specific mechanism to mark the listening socket with the specified
# ID, to support advanced routing and filtering capabilities.
#
# On Linux, the ID represents a connection mark.
# On FreeBSD, the ID represents a socket cookie ID.
# On OpenBSD, the ID represents a route table ID.
#
# The default value is 0, which implies no marking is required.
# socket-mark-id 0
################################# TLS/SSL ##################################### ################################# TLS/SSL #####################################
# By default, TLS/SSL is disabled. To enable it, the "tls-port" configuration # By default, TLS/SSL is disabled. To enable it, the "tls-port" configuration
@ -209,32 +143,8 @@ tcp-keepalive 300
# #
# tls-cert-file redis.crt # tls-cert-file redis.crt
# tls-key-file redis.key # tls-key-file redis.key
#
# If the key file is encrypted using a passphrase, it can be included here
# as well.
#
# tls-key-file-pass secret
# Normally Redis uses the same certificate for both server functions (accepting # Configure a DH parameters file to enable Diffie-Hellman (DH) key exchange:
# connections) and client functions (replicating from a master, establishing
# cluster bus connections, etc.).
#
# Sometimes certificates are issued with attributes that designate them as
# client-only or server-only certificates. In that case it may be desired to use
# different certificates for incoming (server) and outgoing (client)
# connections. To do that, use the following directives:
#
# tls-client-cert-file client.crt
# tls-client-key-file client.key
#
# If the key file is encrypted using a passphrase, it can be included here
# as well.
#
# tls-client-key-file-pass secret
# Configure a DH parameters file to enable Diffie-Hellman (DH) key exchange,
# required by older versions of OpenSSL (<3.0). Newer versions do not require
# this configuration and recommend against it.
# #
# tls-dh-params-file redis.dh # tls-dh-params-file redis.dh
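Review bot: the replacement comment `# Configure a DH parameters file to enable Diffie-Hellman (DH) key exchange:` loses the qualifier that `tls-dh-params-file` is only required with OpenSSL < 3.0 and is recommended against on newer versions; keeping that sentence stops operators from generating and shipping a DH params file they do not need. The hunk also removes the `tls-key-file-pass` example and the separate client-certificate directives (`tls-client-cert-file` / `tls-client-key-file`); if replication or the cluster bus is ever run over TLS with a CA that issues server-only certificates, those are exactly the directives operators will look for here, so consider keeping the examples.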
@ -267,12 +177,9 @@ tcp-keepalive 300
# #
# tls-cluster yes # tls-cluster yes
# By default, only TLSv1.2 and TLSv1.3 are enabled and it is highly recommended # Explicitly specify TLS versions to support. Allowed values are case insensitive
# that older formally deprecated versions are kept disabled to reduce the attack surface. # and include "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3" (OpenSSL >= 1.1.1) or
# You can explicitly specify TLS versions to support. # any combination. To enable only TLSv1.2 and TLSv1.3, use:
# Allowed values are case insensitive and include "TLSv1", "TLSv1.1", "TLSv1.2",
# "TLSv1.3" (OpenSSL >= 1.1.1) or any combination.
# To enable only TLSv1.2 and TLSv1.3, use:
# #
# tls-protocols "TLSv1.2 TLSv1.3" # tls-protocols "TLSv1.2 TLSv1.3"
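Review bot: the rewritten `tls-protocols` comment drops the recommendation to keep the formally deprecated TLSv1 and TLSv1.1 disabled to reduce attack surface, while still listing them as allowed values. Since the directive itself stays commented out on both sides, suggest either restoring that sentence or uncommenting `tls-protocols "TLSv1.2 TLSv1.3"` so the intended protocol floor is explicit in the shipped config rather than left to the build's default.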
@ -314,7 +221,6 @@ tcp-keepalive 300
# By default Redis does not run as a daemon. Use 'yes' if you need it. # By default Redis does not run as a daemon. Use 'yes' if you need it.
# Note that Redis will write a pid file in /var/run/redis.pid when daemonized. # Note that Redis will write a pid file in /var/run/redis.pid when daemonized.
# When Redis is supervised by upstart or systemd, this parameter has no impact.
daemonize no daemonize no
# If you run Redis from upstart or systemd, Redis can interact with your # If you run Redis from upstart or systemd, Redis can interact with your
@ -323,17 +229,11 @@ daemonize no
# supervised upstart - signal upstart by putting Redis into SIGSTOP mode # supervised upstart - signal upstart by putting Redis into SIGSTOP mode
# requires "expect stop" in your upstart job config # requires "expect stop" in your upstart job config
# supervised systemd - signal systemd by writing READY=1 to $NOTIFY_SOCKET # supervised systemd - signal systemd by writing READY=1 to $NOTIFY_SOCKET
# on startup, and updating Redis status on a regular
# basis.
# supervised auto - detect upstart or systemd method based on # supervised auto - detect upstart or systemd method based on
# UPSTART_JOB or NOTIFY_SOCKET environment variables # UPSTART_JOB or NOTIFY_SOCKET environment variables
# Note: these supervision methods only signal "process is ready." # Note: these supervision methods only signal "process is ready."
# They do not enable continuous pings back to your supervisor. # They do not enable continuous pings back to your supervisor.
# supervised no
# The default is "no". To run under upstart/systemd, you can simply uncomment
# the line below:
#
# supervised auto
# If a pid file is specified, Redis writes it where specified at startup # If a pid file is specified, Redis writes it where specified at startup
# and removes it at exit. # and removes it at exit.
@ -344,10 +244,7 @@ daemonize no
# #
# Creating a pid file is best effort: if Redis is not able to create it # Creating a pid file is best effort: if Redis is not able to create it
# nothing bad happens, the server will start and run normally. # nothing bad happens, the server will start and run normally.
# pidfile /var/run/redis_6379.pid
# Note that on modern Linux systems "/run/redis.pid" is more conforming
# and should be used instead.
pidfile "/var/run/redis_6379.pid"
# Specify the server verbosity level. # Specify the server verbosity level.
# This can be one of: # This can be one of:
@ -372,74 +269,44 @@ logfile ""
# Specify the syslog facility. Must be USER or between LOCAL0-LOCAL7. # Specify the syslog facility. Must be USER or between LOCAL0-LOCAL7.
# syslog-facility local0 # syslog-facility local0
# To disable the built in crash log, which will possibly produce cleaner core
# dumps when they are needed, uncomment the following:
#
# crash-log-enabled no
# To disable the fast memory check that's run as part of the crash log, which
# will possibly let redis terminate sooner, uncomment the following:
#
# crash-memcheck-enabled no
# Set the number of databases. The default database is DB 0, you can select # Set the number of databases. The default database is DB 0, you can select
# a different one on a per-connection basis using SELECT <dbid> where # a different one on a per-connection basis using SELECT <dbid> where
# dbid is a number between 0 and 'databases'-1 # dbid is a number between 0 and 'databases'-1
databases 16 databases 16
# By default Redis shows an ASCII art logo only when started to log to the # By default Redis shows an ASCII art logo only when started to log to the
# standard output and if the standard output is a TTY and syslog logging is # standard output and if the standard output is a TTY. Basically this means
# disabled. Basically this means that normally a logo is displayed only in # that normally a logo is displayed only in interactive sessions.
# interactive sessions.
# #
# However it is possible to force the pre-4.0 behavior and always show a # However it is possible to force the pre-4.0 behavior and always show a
# ASCII art logo in startup logs by setting the following option to yes. # ASCII art logo in startup logs by setting the following option to yes.
always-show-logo no always-show-logo yes
# By default, Redis modifies the process title (as seen in 'top' and 'ps') to
# provide some runtime information. It is possible to disable this and leave
# the process name as executed by setting the following to no.
set-proc-title yes
# When changing the process title, Redis uses the following template to construct
# the modified title.
#
# Template variables are specified in curly brackets. The following variables are
# supported:
#
# {title} Name of process as executed if parent, or type of child process.
# {listen-addr} Bind address or '*' followed by TCP or TLS port listening on, or
# Unix socket if only that's available.
# {server-mode} Special mode, i.e. "[sentinel]" or "[cluster]".
# {port} TCP port listening on, or 0.
# {tls-port} TLS port listening on, or 0.
# {unixsocket} Unix domain socket listening on, or "".
# {config-file} Name of configuration file used.
#
proc-title-template "{title} {listen-addr} {server-mode}"
################################ SNAPSHOTTING ################################ ################################ SNAPSHOTTING ################################
#
# Save the DB on disk:
#
# save <seconds> <changes>
#
# Will save the DB if both the given number of seconds and the given
# number of write operations against the DB occurred.
#
# In the example below the behavior will be to save:
# after 900 sec (15 min) if at least 1 key changed
# after 300 sec (5 min) if at least 10 keys changed
# after 60 sec if at least 10000 keys changed
#
# Note: you can disable saving completely by commenting out all "save" lines.
#
# It is also possible to remove all the previously configured save
# points by adding a save directive with a single empty string argument
# like in the following example:
#
# save ""
# Save the DB to disk. save 900 1
# save 300 10
# save <seconds> <changes> [<seconds> <changes> ...] save 60 10000
#
# Redis will save the DB if the given number of seconds elapsed and it
# surpassed the given number of write operations against the DB.
#
# Snapshotting can be completely disabled with a single empty string argument
# as in following example:
#
# save ""
#
# Unless specified otherwise, by default Redis will save the DB:
# * After 3600 seconds (an hour) if at least 1 change was performed
# * After 300 seconds (5 minutes) if at least 100 changes were performed
# * After 60 seconds if at least 10000 changes were performed
#
# You can set these explicitly by uncommenting the following line.
#
# save 3600 1 300 100 60 10000
# By default Redis will stop accepting writes if RDB snapshots are enabled # By default Redis will stop accepting writes if RDB snapshots are enabled
# (at least one save point) and the latest background save failed. # (at least one save point) and the latest background save failed.
@ -471,23 +338,8 @@ rdbcompression yes
# tell the loading code to skip the check. # tell the loading code to skip the check.
rdbchecksum yes rdbchecksum yes
# Enables or disables full sanitization checks for ziplist and listpack etc when
# loading an RDB or RESTORE payload. This reduces the chances of a assertion or
# crash later on while processing commands.
# Options:
# no - Never perform full sanitization
# yes - Always perform full sanitization
# clients - Perform full sanitization only for user connections.
# Excludes: RDB files, RESTORE commands received from the master
# connection, and client connections which have the
# skip-sanitize-payload ACL flag.
# The default should be 'clients' but since it currently affects cluster
# resharding via MIGRATE, it is temporarily set to 'no' by default.
#
# sanitize-dump-payload no
# The filename where to dump the DB # The filename where to dump the DB
dbfilename "dump.rdb" dbfilename dump.rdb
# Remove RDB files used by replication in instances without persistence # Remove RDB files used by replication in instances without persistence
# enabled. By default this option is disabled, however there are environments # enabled. By default this option is disabled, however there are environments
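Review bot: the `sanitize-dump-payload` block removed here is the only place this file documents whether RESTORE and RDB payloads are fully validated before use, and the previous text already states that the safer value would be `clients`. If RESTORE or MIGRATE is reachable by application users on this deployment, keep the block so the option stays discoverable; the default `no` is unchanged either way.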
@ -510,7 +362,7 @@ rdb-del-sync-files no
# The Append Only File will also be created inside this directory. # The Append Only File will also be created inside this directory.
# #
# Note that you must specify a directory here, not a file name. # Note that you must specify a directory here, not a file name.
dir "/data" dir ./
################################# REPLICATION ################################# ################################# REPLICATION #################################
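Review bot: `dir ./` makes the RDB and AOF location depend on whatever working directory the process is started from, whereas the previous `dir "/data"` was an absolute path and, in a container, the natural volume mount point. With the `save` points enabled elsewhere in this file, snapshots will be written to the entrypoint's cwd and may land outside the persisted volume, and the effective path is no longer visible from the config alone. Suggest keeping an absolute path such as the previous `/data`.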
@ -560,10 +412,9 @@ dir "/data"
# still reply to client requests, possibly with out of date data, or the # still reply to client requests, possibly with out of date data, or the
# data set may just be empty if this is the first synchronization. # data set may just be empty if this is the first synchronization.
# #
# 2) If replica-serve-stale-data is set to 'no' the replica will reply with error # 2) If replica-serve-stale-data is set to 'no' the replica will reply with
# "MASTERDOWN Link with MASTER is down and replica-serve-stale-data is set to 'no'" # an error "SYNC with master in progress" to all commands except:
# to all data access commands, excluding commands such as: # INFO, REPLICAOF, AUTH, PING, SHUTDOWN, REPLCONF, ROLE, CONFIG, SUBSCRIBE,
# INFO, REPLICAOF, AUTH, SHUTDOWN, REPLCONF, ROLE, CONFIG, SUBSCRIBE,
# UNSUBSCRIBE, PSUBSCRIBE, PUNSUBSCRIBE, PUBLISH, PUBSUB, COMMAND, POST, # UNSUBSCRIBE, PSUBSCRIBE, PUNSUBSCRIBE, PUBLISH, PUBSUB, COMMAND, POST,
# HOST and LATENCY. # HOST and LATENCY.
# #
@ -612,7 +463,7 @@ replica-read-only yes
# #
# With slow disks and fast (large bandwidth) networks, diskless replication # With slow disks and fast (large bandwidth) networks, diskless replication
# works better. # works better.
repl-diskless-sync yes repl-diskless-sync no
# When diskless replication is enabled, it is possible to configure the delay # When diskless replication is enabled, it is possible to configure the delay
# the server waits in order to spawn the child that transfers the RDB via socket # the server waits in order to spawn the child that transfers the RDB via socket
@ -626,18 +477,12 @@ repl-diskless-sync yes
# it entirely just set it to 0 seconds and the transfer will start ASAP. # it entirely just set it to 0 seconds and the transfer will start ASAP.
repl-diskless-sync-delay 5 repl-diskless-sync-delay 5
# When diskless replication is enabled with a delay, it is possible to let
# the replication start before the maximum delay is reached if the maximum
# number of replicas expected have connected. Default of 0 means that the
# maximum is not defined and Redis will wait the full delay.
repl-diskless-sync-max-replicas 0
# ----------------------------------------------------------------------------- # -----------------------------------------------------------------------------
# WARNING: RDB diskless load is experimental. Since in this setup the replica # WARNING: RDB diskless load is experimental. Since in this setup the replica
# does not immediately store an RDB on disk, it may cause data loss during # does not immediately store an RDB on disk, it may cause data loss during
# failovers. RDB diskless load + Redis modules not handling I/O reads may also # failovers. RDB diskless load + Redis modules not handling I/O reads may also
# cause Redis to abort in case of I/O errors during the initial synchronization # cause Redis to abort in case of I/O errors during the initial synchronization
# stage with the master. Use only if you know what you are doing. # stage with the master. Use only if your do what you are doing.
# ----------------------------------------------------------------------------- # -----------------------------------------------------------------------------
# #
# Replica can load the RDB it reads from the replication link directly from the # Replica can load the RDB it reads from the replication link directly from the
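Review bot: typo in the new comment text `# stage with the master. Use only if your do what you are doing.`; the previous wording `Use only if you know what you are doing.` is correct and should be kept. Behaviour is unchanged here since `repl-diskless-load disabled` remains on both sides; only the `repl-diskless-sync-max-replicas 0` directive and its explanation are dropped.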
@ -646,23 +491,19 @@ repl-diskless-sync-max-replicas 0
# #
# In many cases the disk is slower than the network, and storing and loading # In many cases the disk is slower than the network, and storing and loading
# the RDB file may increase replication time (and even increase the master's # the RDB file may increase replication time (and even increase the master's
# Copy on Write memory and replica buffers). # Copy on Write memory and salve buffers).
# However, parsing the RDB file directly from the socket may mean that we have # However, parsing the RDB file directly from the socket may mean that we have
# to flush the contents of the current database before the full rdb was # to flush the contents of the current database before the full rdb was
# received. For this reason we have the following options: # received. For this reason we have the following options:
# #
# "disabled" - Don't use diskless load (store the rdb file to the disk first) # "disabled" - Don't use diskless load (store the rdb file to the disk first)
# "on-empty-db" - Use diskless load only when it is completely safe. # "on-empty-db" - Use diskless load only when it is completely safe.
# "swapdb" - Keep current db contents in RAM while parsing the data directly # "swapdb" - Keep a copy of the current db contents in RAM while parsing
# from the socket. Replicas in this mode can keep serving current # the data directly from the socket. note that this requires
# data set while replication is in progress, except for cases where # sufficient memory, if you don't have it, you risk an OOM kill.
# they can't recognize master as having a data set from same
# replication history.
# Note that this requires sufficient memory, if you don't have it,
# you risk an OOM kill.
repl-diskless-load disabled repl-diskless-load disabled
# Master send PINGs to its replicas in a predefined interval. It's possible to # Replicas send PINGs to server in a predefined interval. It's possible to
# change this interval with the repl_ping_replica_period option. The default # change this interval with the repl_ping_replica_period option. The default
# value is 10 seconds. # value is 10 seconds.
# #
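Review bot: two documentation regressions in the new text of this hunk. `# Copy on Write memory and salve buffers)` should read `replica buffers`, and `# Replicas send PINGs to server in a predefined interval.` has the direction backwards: it is the master that pings its replicas every `repl-ping-replica-period` seconds, as the previous wording `Master send PINGs to its replicas` states. The `swapdb` description also loses the sentence that replicas in that mode keep serving the current data set while replication is in progress, which is the main reason to choose `swapdb` over `on-empty-db`; worth keeping.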
@ -737,43 +578,6 @@ repl-disable-tcp-nodelay no
# By default the priority is 100. # By default the priority is 100.
replica-priority 100 replica-priority 100
# The propagation error behavior controls how Redis will behave when it is
# unable to handle a command being processed in the replication stream from a master
# or processed while reading from an AOF file. Errors that occur during propagation
# are unexpected, and can cause data inconsistency. However, there are edge cases
# in earlier versions of Redis where it was possible for the server to replicate or persist
# commands that would fail on future versions. For this reason the default behavior
# is to ignore such errors and continue processing commands.
#
# If an application wants to ensure there is no data divergence, this configuration
# should be set to 'panic' instead. The value can also be set to 'panic-on-replicas'
# to only panic when a replica encounters an error on the replication stream. One of
# these two panic values will become the default value in the future once there are
# sufficient safety mechanisms in place to prevent false positive crashes.
#
# propagation-error-behavior ignore
# Replica ignore disk write errors controls the behavior of a replica when it is
# unable to persist a write command received from its master to disk. By default,
# this configuration is set to 'no' and will crash the replica in this condition.
# It is not recommended to change this default, however in order to be compatible
# with older versions of Redis this config can be toggled to 'yes' which will just
# log a warning and execute the write command it got from the master.
#
# replica-ignore-disk-write-errors no
# -----------------------------------------------------------------------------
# By default, Redis Sentinel includes all replicas in its reports. A replica
# can be excluded from Redis Sentinel's announcements. An unannounced replica
# will be ignored by the 'sentinel replicas <master>' command and won't be
# exposed to Redis Sentinel's clients.
#
# This option does not change the behavior of replica-priority. Even with
# replica-announced set to 'no', the replica can be promoted to master. To
# prevent this behavior, set replica-priority to 0.
#
# replica-announced yes
# It is possible for a master to stop accepting writes if there are less than # It is possible for a master to stop accepting writes if there are less than
# N replicas connected, having a lag less or equal than M seconds. # N replicas connected, having a lag less or equal than M seconds.
# #
@ -829,7 +633,7 @@ replica-priority 100
# Redis implements server assisted support for client side caching of values. # Redis implements server assisted support for client side caching of values.
# This is implemented using an invalidation table that remembers, using # This is implemented using an invalidation table that remembers, using
# a radix key indexed by key name, what clients have which keys. In turn # 16 millions of slots, what clients may have certain subsets of keys. In turn
# this is used in order to send invalidation messages to clients. Please # this is used in order to send invalidation messages to clients. Please
# check this page to understand more about the feature: # check this page to understand more about the feature:
# #
@ -893,12 +697,8 @@ replica-priority 100
# off Disable the user: it's no longer possible to authenticate # off Disable the user: it's no longer possible to authenticate
# with this user, however the already authenticated connections # with this user, however the already authenticated connections
# will still work. # will still work.
# skip-sanitize-payload RESTORE dump-payload sanitization is skipped. # +<command> Allow the execution of that command
# sanitize-payload RESTORE dump-payload is sanitized (default). # -<command> Disallow the execution of that command
# +<command> Allow the execution of that command.
# May be used with `|` for allowing subcommands (e.g "+config|get")
# -<command> Disallow the execution of that command.
# May be used with `|` for blocking subcommands (e.g "-config|set")
# +@<category> Allow the execution of all the commands in such category # +@<category> Allow the execution of all the commands in such category
# with valid categories are like @admin, @set, @sortedset, ... # with valid categories are like @admin, @set, @sortedset, ...
# and so forth, see the full list in the server.c file where # and so forth, see the full list in the server.c file where
@ -906,11 +706,10 @@ replica-priority 100
# The special category @all means all the commands, but currently # The special category @all means all the commands, but currently
# present in the server, and that will be loaded in the future # present in the server, and that will be loaded in the future
# via modules. # via modules.
# +<command>|first-arg Allow a specific first argument of an otherwise # +<command>|subcommand Allow a specific subcommand of an otherwise
# disabled command. It is only supported on commands with # disabled command. Note that this form is not
# no sub-commands, and is not allowed as negative form # allowed as negative like -DEBUG|SEGFAULT, but
# like -SELECT|1, only additive starting with "+". This # only additive starting with "+".
# feature is deprecated and may be removed in the future.
# allcommands Alias for +@all. Note that it implies the ability to execute # allcommands Alias for +@all. Note that it implies the ability to execute
# all the future commands loaded via the modules system. # all the future commands loaded via the modules system.
# nocommands Alias for -@all. # nocommands Alias for -@all.
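Review bot: the `+<command>|subcommand` description now states that the negative form (e.g. `-DEBUG|SEGFAULT`) is not allowed, and the preceding hunk drops the `+config|get` / `-config|set` examples. Whether `-<command>|<subcommand>` is accepted depends on the Redis version this file actually ships with, so confirm the documented syntax matches the packaged server; operators copy ACL rules straight out of this comment block, and a rule written against the wrong syntax either fails to load or grants different permissions than intended.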
@ -918,17 +717,8 @@ replica-priority 100
# commands. For instance ~* allows all the keys. The pattern # commands. For instance ~* allows all the keys. The pattern
# is a glob-style pattern like the one of KEYS. # is a glob-style pattern like the one of KEYS.
# It is possible to specify multiple patterns. # It is possible to specify multiple patterns.
# %R~<pattern> Add key read pattern that specifies which keys can be read
# from.
# %W~<pattern> Add key write pattern that specifies which keys can be
# written to.
# allkeys Alias for ~* # allkeys Alias for ~*
# resetkeys Flush the list of allowed keys patterns. # resetkeys Flush the list of allowed keys patterns.
# &<pattern> Add a glob-style pattern of Pub/Sub channels that can be
# accessed by the user. It is possible to specify multiple channel
# patterns.
# allchannels Alias for &*
# resetchannels Flush the list of allowed channel patterns.
# ><password> Add this password to the list of valid password for the user. # ><password> Add this password to the list of valid password for the user.
# For example >mypass will add "mypass" to the list. # For example >mypass will add "mypass" to the list.
# This directive clears the "nopass" flag (see later). # This directive clears the "nopass" flag (see later).
@ -947,14 +737,6 @@ replica-priority 100
# reset Performs the following actions: resetpass, resetkeys, off, # reset Performs the following actions: resetpass, resetkeys, off,
# -@all. The user returns to the same state it has immediately # -@all. The user returns to the same state it has immediately
# after its creation. # after its creation.
# (<options>) Create a new selector with the options specified within the
# parentheses and attach it to the user. Each option should be
# space separated. The first character must be ( and the last
# character must be ).
# clearselectors Remove all of the currently attached selectors.
# Note this does not change the "root" user permissions,
# which are the permissions directly applied onto the
# user (outside the parentheses).
# #
# ACL rules can be specified in any order: for instance you can start with # ACL rules can be specified in any order: for instance you can start with
# passwords, then flags, or key patterns. However note that the additive # passwords, then flags, or key patterns. However note that the additive
@ -976,40 +758,6 @@ replica-priority 100
# #
# Basically ACL rules are processed left-to-right. # Basically ACL rules are processed left-to-right.
# #
# The following is a list of command categories and their meanings:
# * keyspace - Writing or reading from keys, databases, or their metadata
# in a type agnostic way. Includes DEL, RESTORE, DUMP, RENAME, EXISTS, DBSIZE,
# KEYS, EXPIRE, TTL, FLUSHALL, etc. Commands that may modify the keyspace,
# key or metadata will also have `write` category. Commands that only read
# the keyspace, key or metadata will have the `read` category.
# * read - Reading from keys (values or metadata). Note that commands that don't
# interact with keys, will not have either `read` or `write`.
# * write - Writing to keys (values or metadata)
# * admin - Administrative commands. Normal applications will never need to use
# these. Includes REPLICAOF, CONFIG, DEBUG, SAVE, MONITOR, ACL, SHUTDOWN, etc.
# * dangerous - Potentially dangerous (each should be considered with care for
# various reasons). This includes FLUSHALL, MIGRATE, RESTORE, SORT, KEYS,
# CLIENT, DEBUG, INFO, CONFIG, SAVE, REPLICAOF, etc.
# * connection - Commands affecting the connection or other connections.
# This includes AUTH, SELECT, COMMAND, CLIENT, ECHO, PING, etc.
# * blocking - Potentially blocking the connection until released by another
# command.
# * fast - Fast O(1) commands. May loop on the number of arguments, but not the
# number of elements in the key.
# * slow - All commands that are not Fast.
# * pubsub - PUBLISH / SUBSCRIBE related
# * transaction - WATCH / MULTI / EXEC related commands.
# * scripting - Scripting related.
# * set - Data type: sets related.
# * sortedset - Data type: zsets related.
# * list - Data type: lists related.
# * hash - Data type: hashes related.
# * string - Data type: strings related.
# * bitmap - Data type: bitmaps related.
# * hyperloglog - Data type: hyperloglog related.
# * geo - Data type: geo related.
# * stream - Data type: streams related.
#
# For more information about ACL configuration please refer to # For more information about ACL configuration please refer to
# the Redis web site at https://redis.io/topics/acl # the Redis web site at https://redis.io/topics/acl
@ -1039,24 +787,8 @@ acllog-max-len 128
# AUTH <password> as usually, or more explicitly with AUTH default <password> # AUTH <password> as usually, or more explicitly with AUTH default <password>
# if they follow the new protocol: both will work. # if they follow the new protocol: both will work.
# #
# The requirepass is not compatible with aclfile option and the ACL LOAD
# command, these will cause requirepass to be ignored.
#
# requirepass foobared # requirepass foobared
# New users are initialized with restrictive permissions by default, via the
# equivalent of this ACL rule 'off resetkeys -@all'. Starting with Redis 6.2, it
# is possible to manage access to Pub/Sub channels with ACL rules as well. The
# default Pub/Sub channels permission if new users is controlled by the
# acl-pubsub-default configuration directive, which accepts one of these values:
#
# allchannels: grants access to all Pub/Sub channels
# resetchannels: revokes access to all Pub/Sub channels
#
# From Redis 7.0, acl-pubsub-default defaults to 'resetchannels' permission.
#
# acl-pubsub-default resetchannels
# Command renaming (DEPRECATED). # Command renaming (DEPRECATED).
# #
# ------------------------------------------------------------------------ # ------------------------------------------------------------------------
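Review bot: the removed note that `requirepass` is ignored when `aclfile` or `ACL LOAD` is in use should stay; it is the one warning in this file against a deployment that sets `requirepass`, later adds an `aclfile`, and ends up with the default user's password governed by the ACL file instead. The `acl-pubsub-default` block is also dropped; since the documented default became `resetchannels` in 7.0, new ACL users get no Pub/Sub access unless granted, and this comment is what operators debugging a `NOPERM` on SUBSCRIBE will look for. `# requirepass foobared` itself remains commented on both sides, so together with `bind 0.0.0.0` from the first hunk there is still no password set anywhere in this file.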
@ -1145,12 +877,14 @@ acllog-max-len 128
# Both LRU, LFU and volatile-ttl are implemented using approximated # Both LRU, LFU and volatile-ttl are implemented using approximated
# randomized algorithms. # randomized algorithms.
# #
# Note: with any of the above policies, when there are no suitable keys for # Note: with any of the above policies, Redis will return an error on write
# eviction, Redis will return an error on write operations that require # operations, when there are no suitable keys for eviction.
# more memory. These are usually commands that create new keys, add data or #
# modify existing keys. A few examples are: SET, INCR, HSET, LPUSH, SUNIONSTORE, # At the date of writing these commands are: set setnx setex append
# SORT (due to the STORE argument), and EXEC (if the transaction includes any # incr decr rpush lpush rpushx lpushx linsert lset rpoplpush sadd
# command that requires memory). # sinter sinterstore sunion sunionstore sdiff sdiffstore zadd zincrby
# zunionstore zinterstore hset hsetnx hmset hincrby incrby decrby
# getset mset msetnx exec sort
# #
# The default is: # The default is:
# #
@ -1167,14 +901,6 @@ acllog-max-len 128
# #
# maxmemory-samples 5 # maxmemory-samples 5
# Eviction processing is designed to function well with the default setting.
# If there is an unusually large amount of write traffic, this value may need to
# be increased. Decreasing this value may reduce latency at the risk of
# eviction processing effectiveness
# 0 = minimum latency, 10 = default, 100 = process without regard to latency
#
# maxmemory-eviction-tenacity 10
# Starting from Redis 5, by default a replica will ignore its maxmemory setting # Starting from Redis 5, by default a replica will ignore its maxmemory setting
# (unless it is promoted to master after a failover or manually). It means # (unless it is promoted to master after a failover or manually). It means
# that the eviction of keys will be just handled by the master, sending the # that the eviction of keys will be just handled by the master, sending the
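Review bot: removing `maxmemory-eviction-tenacity 10` (left column) is behaviour-neutral on a server that knows the directive, because the removed comment states 10 is the default, and it is only required if the file targets an older Redis that would reject the keyword. State the target Redis version at the top of the file so the next edit does not reintroduce newer-only directives.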
@ -1268,13 +994,6 @@ replica-lazy-flush no
lazyfree-lazy-user-del no lazyfree-lazy-user-del no
# FLUSHDB, FLUSHALL, SCRIPT FLUSH and FUNCTION FLUSH support both asynchronous and synchronous
# deletion, which can be controlled by passing the [SYNC|ASYNC] flags into the
# commands. When neither flag is passed, this directive will be used to determine
# if the data should be deleted asynchronously.
lazyfree-lazy-user-flush no
################################ THREADED I/O ################################# ################################ THREADED I/O #################################
# Redis is mostly single threaded, however there are certain threaded # Redis is mostly single threaded, however there are certain threaded
@ -1313,7 +1032,7 @@ lazyfree-lazy-user-flush no
# Usually threading reads doesn't help much. # Usually threading reads doesn't help much.
# #
# NOTE 1: This configuration directive cannot be changed at runtime via # NOTE 1: This configuration directive cannot be changed at runtime via
# CONFIG SET. Also, this feature currently does not work when SSL is # CONFIG SET. Aso this feature currently does not work when SSL is
# enabled. # enabled.
# #
# NOTE 2: If you want to test the Redis speedup using redis-benchmark, make # NOTE 2: If you want to test the Redis speedup using redis-benchmark, make
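Review bot: the replacement text at NOTE 1 reads "Aso this feature", a typo ("Also") that the left-hand version had already corrected; keep the corrected wording.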
@ -1331,7 +1050,7 @@ lazyfree-lazy-user-flush no
# attempt to have background child processes killed before all others, and # attempt to have background child processes killed before all others, and
# replicas killed before masters. # replicas killed before masters.
# #
# Redis supports these options: # Redis supports three options:
# #
# no: Don't make changes to oom-score-adj (default). # no: Don't make changes to oom-score-adj (default).
# yes: Alias to "relative" see below. # yes: Alias to "relative" see below.
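Review bot: "Redis supports three options" (right column) undercounts the list that follows, which already shows `no`, `yes` and `relative` with a further value referenced by "see below"; the left-hand "these options" is the wording that stays correct and should be kept.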
@ -1352,18 +1071,6 @@ oom-score-adj no
# oom-score-adj-values to positive values will always succeed. # oom-score-adj-values to positive values will always succeed.
oom-score-adj-values 0 200 800 oom-score-adj-values 0 200 800
#################### KERNEL transparent hugepage CONTROL ######################
# Usually the kernel Transparent Huge Pages control is set to "madvise" or
# or "never" by default (/sys/kernel/mm/transparent_hugepage/enabled), in which
# case this config has no effect. On systems in which it is set to "always",
# redis will attempt to disable it specifically for the redis process in order
# to avoid latency problems specifically with fork(2) and CoW.
# If for some reason you prefer to keep it enabled, you can set this config to
# "no" and the kernel global to "always".
disable-thp yes
############################## APPEND ONLY MODE ############################### ############################## APPEND ONLY MODE ###############################
# By default Redis asynchronously dumps the dataset on disk. This mode is # By default Redis asynchronously dumps the dataset on disk. This mode is
@ -1382,43 +1089,14 @@ disable-thp yes
# If the AOF is enabled on startup Redis will load the AOF, that is the file # If the AOF is enabled on startup Redis will load the AOF, that is the file
# with the better durability guarantees. # with the better durability guarantees.
# #
# Please check https://redis.io/topics/persistence for more information. # Please check http://redis.io/topics/persistence for more information.
# appendonly no appendonly no
# The base name of the append only file. # The name of the append only file (default: "appendonly.aof")
#
# Redis 7 and newer use a set of append-only files to persist the dataset
# and changes applied to it. There are two basic types of files in use:
#
# - Base files, which are a snapshot representing the complete state of the
# dataset at the time the file was created. Base files can be either in
# the form of RDB (binary serialized) or AOF (textual commands).
# - Incremental files, which contain additional commands that were applied
# to the dataset following the previous file.
#
# In addition, manifest files are used to track the files and the order in
# which they were created and should be applied.
#
# Append-only file names are created by Redis following a specific pattern.
# The file name's prefix is based on the 'appendfilename' configuration
# parameter, followed by additional information about the sequence and type.
#
# For example, if appendfilename is set to appendonly.aof, the following file
# names could be derived:
#
# - appendonly.aof.1.base.rdb as a base file.
# - appendonly.aof.1.incr.aof, appendonly.aof.2.incr.aof as incremental files.
# - appendonly.aof.manifest as a manifest file.
appendfilename "appendonly.aof" appendfilename "appendonly.aof"
# For convenience, Redis stores all persistent append-only files in a dedicated
# directory. The name of the directory is determined by the appenddirname
# configuration parameter.
appenddirname "appendonlydir"
# The fsync() call tells the Operating System to actually write data on disk # The fsync() call tells the Operating System to actually write data on disk
# instead of waiting for more data in the output buffer. Some OS will really flush # instead of waiting for more data in the output buffer. Some OS will really flush
# data on disk, some other OS will just try to do it ASAP. # data on disk, some other OS will just try to do it ASAP.
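Review bot: `appendonly no` changes from a commented line to an active directive, which is behaviour-neutral only because `no` is the default; the `appenddirname "appendonlydir"` directive and the base/incr/manifest file description are removed at the same time, so an operator who later enables AOF from this copy has no reference for how a server using multi-part AOF lays out its files. The persistence link also reverts from https:// to http://; keep the https form.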
@ -1443,7 +1121,7 @@ appenddirname "appendonlydir"
# If unsure, use "everysec". # If unsure, use "everysec".
# appendfsync always # appendfsync always
# appendfsync everysec appendfsync everysec
# appendfsync no # appendfsync no
# When the AOF fsync policy is set to always or everysec, and a background # When the AOF fsync policy is set to always or everysec, and a background
@ -1458,7 +1136,7 @@ appenddirname "appendonlydir"
# BGSAVE or BGREWRITEAOF is in progress. # BGSAVE or BGREWRITEAOF is in progress.
# #
# This means that while another child is saving, the durability of Redis is # This means that while another child is saving, the durability of Redis is
# the same as "appendfsync no". In practical terms, this means that it is # the same as "appendfsync none". In practical terms, this means that it is
# possible to lose up to 30 seconds of log in the worst scenario (with the # possible to lose up to 30 seconds of log in the worst scenario (with the
# default Linux settings). # default Linux settings).
# #
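Review bot: the replacement at 'the same as "appendfsync none"' names a value that does not exist; the valid settings listed a few lines above are always, everysec and no, so the left-hand "appendfsync no" is correct and should be restored.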
@ -1511,69 +1189,34 @@ auto-aof-rewrite-min-size 64mb
# will be found. # will be found.
aof-load-truncated yes aof-load-truncated yes
# Redis can create append-only base files in either RDB or AOF formats. Using # When rewriting the AOF file, Redis is able to use an RDB preamble in the
# the RDB format is always faster and more efficient, and disabling it is only # AOF file for faster rewrites and recoveries. When this option is turned
# supported for backward compatibility purposes. # on the rewritten AOF file is composed of two different stanzas:
#
# [RDB file][AOF tail]
#
# When loading, Redis recognizes that the AOF file starts with the "REDIS"
# string and loads the prefixed RDB file, then continues loading the AOF
# tail.
aof-use-rdb-preamble yes aof-use-rdb-preamble yes
# Redis supports recording timestamp annotations in the AOF to support restoring ################################ LUA SCRIPTING ###############################
# the data from a specific point-in-time. However, using this capability changes
# the AOF format in a way that may not be compatible with existing AOF parsers.
aof-timestamp-enabled no
################################ SHUTDOWN ##################################### # Max execution time of a Lua script in milliseconds.
# Maximum time to wait for replicas when shutting down, in seconds.
# #
# During shut down, a grace period allows any lagging replicas to catch up with # If the maximum execution time is reached Redis will log that a script is
# the latest replication offset before the master exists. This period can # still in execution after the maximum allowed time and will start to
# prevent data loss, especially for deployments without configured disk backups. # reply to queries with an error.
# #
# The 'shutdown-timeout' value is the grace period's duration in seconds. It is # When a long running script exceeds the maximum execution time only the
# only applicable when the instance has replicas. To disable the feature, set # SCRIPT KILL and SHUTDOWN NOSAVE commands are available. The first can be
# the value to 0. # used to stop a script that did not yet call any write commands. The second
# is the only way to shut down the server in the case a write command was
# already issued by the script but the user doesn't want to wait for the natural
# termination of the script.
# #
# shutdown-timeout 10 # Set it to 0 or a negative value for unlimited execution without warnings.
lua-time-limit 5000
# When Redis receives a SIGINT or SIGTERM, shutdown is initiated and by default
# an RDB snapshot is written to disk in a blocking operation if save points are configured.
# The options used on signaled shutdown can include the following values:
# default: Saves RDB snapshot only if save points are configured.
# Waits for lagging replicas to catch up.
# save: Forces a DB saving operation even if no save points are configured.
# nosave: Prevents DB saving operation even if one or more save points are configured.
# now: Skips waiting for lagging replicas.
# force: Ignores any errors that would normally prevent the server from exiting.
#
# Any combination of values is allowed as long as "save" and "nosave" are not set simultaneously.
# Example: "nosave force now"
#
# shutdown-on-sigint default
# shutdown-on-sigterm default
################ NON-DETERMINISTIC LONG BLOCKING COMMANDS #####################
# Maximum time in milliseconds for EVAL scripts, functions and in some cases
# modules' commands before Redis can start processing or rejecting other clients.
#
# If the maximum execution time is reached Redis will start to reply to most
# commands with a BUSY error.
#
# In this state Redis will only allow a handful of commands to be executed.
# For instance, SCRIPT KILL, FUNCTION KILL, SHUTDOWN NOSAVE and possibly some
# module specific 'allow-busy' commands.
#
# SCRIPT KILL and FUNCTION KILL will only be able to stop a script that did not
# yet call any write commands, so SHUTDOWN NOSAVE may be the only way to stop
# the server in the case a write command was already issued by the script when
# the user doesn't want to wait for the natural termination of the script.
#
# The default is 5 seconds. It is possible to set it to 0 or a negative value
# to disable this mechanism (uninterrupted execution). Note that in the past
# this config had a different name, which is now an alias, so both of these do
# the same:
# lua-time-limit 5000
# busy-reply-threshold 5000
################################ REDIS CLUSTER ############################### ################################ REDIS CLUSTER ###############################
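Review bot: replacing `busy-reply-threshold 5000` with `lua-time-limit 5000` is safe, since the removed comment states the two names are aliases of the same setting, but the SHUTDOWN block (shutdown-timeout, shutdown-on-sigint, shutdown-on-sigterm) is removed with no replacement. Those lines are commented on the left so runtime defaults still apply, but the removed note that the grace period prevents data loss on deployments without disk backups is relevant to a file that ships with `appendonly no`; keep it if the target server supports the directive.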
@ -1597,11 +1240,6 @@ aof-timestamp-enabled no
# #
# cluster-node-timeout 15000 # cluster-node-timeout 15000
# The cluster port is the port that the cluster bus will listen for inbound connections on. When set
# to the default value, 0, it will be bound to the command port + 10000. Setting this value requires
# you to specify the cluster bus port when executing cluster meet.
# cluster-port 0
# A replica of a failing master will avoid to start a failover if its data # A replica of a failing master will avoid to start a failover if its data
# looks too old. # looks too old.
# #
@ -1660,21 +1298,12 @@ aof-timestamp-enabled no
# master in your cluster. # master in your cluster.
# #
# Default is 1 (replicas migrate only if their masters remain with at least # Default is 1 (replicas migrate only if their masters remain with at least
# one replica). To disable migration just set it to a very large value or # one replica). To disable migration just set it to a very large value.
# set cluster-allow-replica-migration to 'no'.
# A value of 0 can be set but is useful only for debugging and dangerous # A value of 0 can be set but is useful only for debugging and dangerous
# in production. # in production.
# #
# cluster-migration-barrier 1 # cluster-migration-barrier 1
# Turning off this option allows to use less automatic cluster configuration.
# It both disables migration to orphaned masters and migration from masters
# that became empty.
#
# Default is 'yes' (allow automatic migrations).
#
# cluster-allow-replica-migration yes
# By default Redis Cluster nodes stop accepting queries if they detect there # By default Redis Cluster nodes stop accepting queries if they detect there
# is at least a hash slot uncovered (no available node is serving it). # is at least a hash slot uncovered (no available node is serving it).
# This way if the cluster is partially down (for example a range of hash slots # This way if the cluster is partially down (for example a range of hash slots
@ -1689,7 +1318,7 @@ aof-timestamp-enabled no
# cluster-require-full-coverage yes # cluster-require-full-coverage yes
# This option, when set to yes, prevents replicas from trying to failover its # This option, when set to yes, prevents replicas from trying to failover its
# master during master failures. However the replica can still perform a # master during master failures. However the master can still perform a
# manual failover, if forced to do so. # manual failover, if forced to do so.
# #
# This is useful in different scenarios, especially in the case of multiple # This is useful in different scenarios, especially in the case of multiple
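Review bot: the right-hand "However the master can still perform a manual failover" reverses the roles; cluster-replica-no-failover stops the replica from starting an automatic failover, and it is the replica that can still be forced into a manual one, as the left-hand text says. Keep "replica".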
@ -1699,7 +1328,7 @@ aof-timestamp-enabled no
# cluster-replica-no-failover no # cluster-replica-no-failover no
# This option, when set to yes, allows nodes to serve read traffic while the # This option, when set to yes, allows nodes to serve read traffic while the
# cluster is in a down state, as long as it believes it owns the slots. # the cluster is in a down state, as long as it believes it owns the slots.
# #
# This is useful for two cases. The first case is for when an application # This is useful for two cases. The first case is for when an application
# doesn't require consistency of data during node failures or network partitions. # doesn't require consistency of data during node failures or network partitions.
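Review bot: "while the the cluster is in a down state" (right column) has a doubled "the"; the left-hand line is the fixed version.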
@ -1714,54 +1343,8 @@ aof-timestamp-enabled no
# #
# cluster-allow-reads-when-down no # cluster-allow-reads-when-down no
# This option, when set to yes, allows nodes to serve pubsub shard traffic while
# the cluster is in a down state, as long as it believes it owns the slots.
#
# This is useful if the application would like to use the pubsub feature even when
# the cluster global stable state is not OK. If the application wants to make sure only
# one shard is serving a given channel, this feature should be kept as yes.
#
# cluster-allow-pubsubshard-when-down yes
# Cluster link send buffer limit is the limit on the memory usage of an individual
# cluster bus link's send buffer in bytes. Cluster links would be freed if they exceed
# this limit. This is to primarily prevent send buffers from growing unbounded on links
# toward slow peers (E.g. PubSub messages being piled up).
# This limit is disabled by default. Enable this limit when 'mem_cluster_links' INFO field
# and/or 'send-buffer-allocated' entries in the 'CLUSTER LINKS` command output continuously increase.
# Minimum limit of 1gb is recommended so that cluster link buffer can fit in at least a single
# PubSub message by default. (client-query-buffer-limit default value is 1gb)
#
# cluster-link-sendbuf-limit 0
# Clusters can configure their announced hostname using this config. This is a common use case for
# applications that need to use TLS Server Name Indication (SNI) or dealing with DNS based
# routing. By default this value is only shown as additional metadata in the CLUSTER SLOTS
# command, but can be changed using 'cluster-preferred-endpoint-type' config. This value is
# communicated along the clusterbus to all nodes, setting it to an empty string will remove
# the hostname and also propagate the removal.
#
# cluster-announce-hostname ""
# Clusters can advertise how clients should connect to them using either their IP address,
# a user defined hostname, or by declaring they have no endpoint. Which endpoint is
# shown as the preferred endpoint is set by using the cluster-preferred-endpoint-type
# config with values 'ip', 'hostname', or 'unknown-endpoint'. This value controls how
# the endpoint returned for MOVED/ASKING requests as well as the first field of CLUSTER SLOTS.
# If the preferred endpoint type is set to hostname, but no announced hostname is set, a '?'
# will be returned instead.
#
# When a cluster advertises itself as having an unknown endpoint, it's indicating that
# the server doesn't know how clients can reach the cluster. This can happen in certain
# networking situations where there are multiple possible routes to the node, and the
# server doesn't know which one the client took. In this case, the server is expecting
# the client to reach out on the same endpoint it used for making the last request, but use
# the port provided in the response.
#
# cluster-preferred-endpoint-type ip
# In order to setup your cluster make sure to read the documentation # In order to setup your cluster make sure to read the documentation
# available at https://redis.io web site. # available at http://redis.io web site.
########################## CLUSTER DOCKER/NAT support ######################## ########################## CLUSTER DOCKER/NAT support ########################
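Review bot: cluster-link-sendbuf-limit, cluster-allow-pubsubshard-when-down, cluster-announce-hostname and cluster-preferred-endpoint-type are all removed (left column); each is commented out, so runtime behaviour is unchanged, but cluster-link-sendbuf-limit is the setting that bounds per-link send buffers toward slow peers and the removed paragraph explains when to enable it, so keep at least that paragraph if the target server supports the directive. The documentation link also reverts to http://redis.io; keep https.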
@ -1771,21 +1354,16 @@ aof-timestamp-enabled no
# #
# In order to make Redis Cluster working in such environments, a static # In order to make Redis Cluster working in such environments, a static
# configuration where each node knows its public address is needed. The # configuration where each node knows its public address is needed. The
# following four options are used for this scope, and are: # following two options are used for this scope, and are:
# #
# * cluster-announce-ip # * cluster-announce-ip
# * cluster-announce-port # * cluster-announce-port
# * cluster-announce-tls-port
# * cluster-announce-bus-port # * cluster-announce-bus-port
# #
# Each instructs the node about its address, client ports (for connections # Each instructs the node about its address, client port, and cluster message
# without and with TLS) and cluster message bus port. The information is then # bus port. The information is then published in the header of the bus packets
# published in the header of the bus packets so that other nodes will be able to # so that other nodes will be able to correctly map the address of the node
# correctly map the address of the node publishing the information. # publishing the information.
#
# If cluster-tls is set to yes and cluster-announce-tls-port is omitted or set
# to zero, then cluster-announce-port refers to the TLS port. Note also that
# cluster-announce-tls-port has no effect if cluster-tls is set to no.
# #
# If the above options are not used, the normal Redis Cluster auto-detection # If the above options are not used, the normal Redis Cluster auto-detection
# will be used instead. # will be used instead.
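Review bot: "following two options" (right column) disagrees with its own list, which names cluster-announce-ip, cluster-announce-port and cluster-announce-bus-port, that is three; either say "three" or keep the left-hand text, which counts four including cluster-announce-tls-port and explains how the TLS port interacts with cluster-tls.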
@ -1798,8 +1376,7 @@ aof-timestamp-enabled no
# Example: # Example:
# #
# cluster-announce-ip 10.1.1.5 # cluster-announce-ip 10.1.1.5
# cluster-announce-tls-port 6379 # cluster-announce-port 6379
# cluster-announce-port 0
# cluster-announce-bus-port 6380 # cluster-announce-bus-port 6380
################################## SLOW LOG ################################### ################################## SLOW LOG ###################################
@ -1824,7 +1401,7 @@ slowlog-log-slower-than 10000
# There is no limit to this length. Just be aware that it will consume memory. # There is no limit to this length. Just be aware that it will consume memory.
# You can reclaim memory used by the slow log with SLOWLOG RESET. # You can reclaim memory used by the slow log with SLOWLOG RESET.
slowlog-max-len 10086 slowlog-max-len 128
################################ LATENCY MONITOR ############################## ################################ LATENCY MONITOR ##############################
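Review bot: `slowlog-max-len` drops from 10086 to 128 with no explanation; the removed value reads like a deliberate site setting, and the slow log is one of the few in-process records available when investigating latency spikes or abusive command patterns, so if the reduction is intentional add a comment saying why, and if not restore 10086.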
@ -1847,24 +1424,10 @@ slowlog-max-len 10086
# "CONFIG SET latency-monitor-threshold <milliseconds>" if needed. # "CONFIG SET latency-monitor-threshold <milliseconds>" if needed.
latency-monitor-threshold 0 latency-monitor-threshold 0
################################ LATENCY TRACKING ##############################
# The Redis extended latency monitoring tracks the per command latencies and enables
# exporting the percentile distribution via the INFO latencystats command,
# and cumulative latency distributions (histograms) via the LATENCY command.
#
# By default, the extended latency monitoring is enabled since the overhead
# of keeping track of the command latency is very small.
# latency-tracking yes
# By default the exported latency percentiles via the INFO latencystats command
# are the p50, p99, and p999.
# latency-tracking-info-percentiles 50 99 99.9
############################# EVENT NOTIFICATION ############################## ############################# EVENT NOTIFICATION ##############################
# Redis can notify Pub/Sub clients about events happening in the key space. # Redis can notify Pub/Sub clients about events happening in the key space.
# This feature is documented at https://redis.io/topics/notifications # This feature is documented at http://redis.io/topics/notifications
# #
# For instance if keyspace events notification is enabled, and a client # For instance if keyspace events notification is enabled, and a client
# performs a DEL operation on key "foo" stored in the Database 0, two # performs a DEL operation on key "foo" stored in the Database 0, two
@ -1886,11 +1449,9 @@ latency-monitor-threshold 0
# z Sorted set commands # z Sorted set commands
# x Expired events (events generated every time a key expires) # x Expired events (events generated every time a key expires)
# e Evicted events (events generated when a key is evicted for maxmemory) # e Evicted events (events generated when a key is evicted for maxmemory)
# n New key events (Note: not included in the 'A' class)
# t Stream commands # t Stream commands
# d Module key type events
# m Key-miss events (Note: It is not included in the 'A' class) # m Key-miss events (Note: It is not included in the 'A' class)
# A Alias for g$lshzxetd, so that the "AKE" string means all the events # A Alias for g$lshzxet, so that the "AKE" string means all the events
# (Except key-miss events which are excluded from 'A' due to their # (Except key-miss events which are excluded from 'A' due to their
# unique nature). # unique nature).
# #
@ -1913,13 +1474,71 @@ latency-monitor-threshold 0
# specify at least one of K or E, no events will be delivered. # specify at least one of K or E, no events will be delivered.
notify-keyspace-events "" notify-keyspace-events ""
############################### GOPHER SERVER #################################
# Redis contains an implementation of the Gopher protocol, as specified in
# the RFC 1436 (https://www.ietf.org/rfc/rfc1436.txt).
#
# The Gopher protocol was very popular in the late '90s. It is an alternative
# to the web, and the implementation both server and client side is so simple
# that the Redis server has just 100 lines of code in order to implement this
# support.
#
# What do you do with Gopher nowadays? Well Gopher never *really* died, and
# lately there is a movement in order for the Gopher more hierarchical content
# composed of just plain text documents to be resurrected. Some want a simpler
# internet, others believe that the mainstream internet became too much
# controlled, and it's cool to create an alternative space for people that
# want a bit of fresh air.
#
# Anyway for the 10nth birthday of the Redis, we gave it the Gopher protocol
# as a gift.
#
# --- HOW IT WORKS? ---
#
# The Redis Gopher support uses the inline protocol of Redis, and specifically
# two kind of inline requests that were anyway illegal: an empty request
# or any request that starts with "/" (there are no Redis commands starting
# with such a slash). Normal RESP2/RESP3 requests are completely out of the
# path of the Gopher protocol implementation and are served as usual as well.
#
# If you open a connection to Redis when Gopher is enabled and send it
# a string like "/foo", if there is a key named "/foo" it is served via the
# Gopher protocol.
#
# In order to create a real Gopher "hole" (the name of a Gopher site in Gopher
# talking), you likely need a script like the following:
#
# https://github.com/antirez/gopher2redis
#
# --- SECURITY WARNING ---
#
# If you plan to put Redis on the internet in a publicly accessible address
# to server Gopher pages MAKE SURE TO SET A PASSWORD to the instance.
# Once a password is set:
#
# 1. The Gopher server (when enabled, not by default) will still serve
# content via Gopher.
# 2. However other commands cannot be called before the client will
# authenticate.
#
# So use the 'requirepass' option to protect your instance.
#
# Note that Gopher is not currently supported when 'io-threads-do-reads'
# is enabled.
#
# To enable Gopher support, uncomment the following line and set the option
# from no (the default) to yes.
#
# gopher-enabled no
############################### ADVANCED CONFIG ############################### ############################### ADVANCED CONFIG ###############################
# Hashes are encoded using a memory efficient data structure when they have a # Hashes are encoded using a memory efficient data structure when they have a
# small number of entries, and the biggest entry does not exceed a given # small number of entries, and the biggest entry does not exceed a given
# threshold. These thresholds can be configured using the following directives. # threshold. These thresholds can be configured using the following directives.
hash-max-listpack-entries 512 hash-max-ziplist-entries 512
hash-max-listpack-value 64 hash-max-ziplist-value 64
# Lists are also encoded in a special way to save a lot of space. # Lists are also encoded in a special way to save a lot of space.
# The number of entries allowed per internal list node can be specified # The number of entries allowed per internal list node can be specified
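Review bot: the added GOPHER SERVER block documents `gopher-enabled no` only as a commented default, so nothing is switched on, but its own SECURITY WARNING tells operators to set requirepass while this file leaves `# requirepass foobared` commented; add a line here pointing to where the password is actually provisioned, or drop the block entirely if the target server has no Gopher support. The same hunk renames hash-max-listpack-entries and hash-max-listpack-value to the older hash-max-ziplist-* spellings; confirm the target Redis version accepts those names.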
@ -1934,7 +1553,7 @@ hash-max-listpack-value 64
# per list node. # per list node.
# The highest performing option is usually -2 (8 Kb size) or -1 (4 Kb size), # The highest performing option is usually -2 (8 Kb size) or -1 (4 Kb size),
# but if your use case is unique, adjust the settings as necessary. # but if your use case is unique, adjust the settings as necessary.
list-max-listpack-size -2 list-max-ziplist-size -2
# Lists may also be compressed. # Lists may also be compressed.
# Compress depth is the number of quicklist ziplist nodes from *each* side of # Compress depth is the number of quicklist ziplist nodes from *each* side of
@ -1962,8 +1581,8 @@ set-max-intset-entries 512
# Similarly to hashes and lists, sorted sets are also specially encoded in # Similarly to hashes and lists, sorted sets are also specially encoded in
# order to save a lot of space. This encoding is only used when the length and # order to save a lot of space. This encoding is only used when the length and
# elements of a sorted set are below the following limits: # elements of a sorted set are below the following limits:
zset-max-listpack-entries 128 zset-max-ziplist-entries 128
zset-max-listpack-value 64 zset-max-ziplist-value 64
# HyperLogLog sparse representation bytes limit. The limit includes the # HyperLogLog sparse representation bytes limit. The limit includes the
# 16 bytes header. When an HyperLogLog using the sparse representation crosses # 16 bytes header. When an HyperLogLog using the sparse representation crosses
@ -1985,9 +1604,9 @@ hll-sparse-max-bytes 3000
# maximum number of items it may contain before switching to a new node when # maximum number of items it may contain before switching to a new node when
# appending new stream entries. If any of the following settings are set to # appending new stream entries. If any of the following settings are set to
# zero, the limit is ignored, so for instance it is possible to set just a # zero, the limit is ignored, so for instance it is possible to set just a
# max entries limit by setting max-bytes to 0 and max-entries to the desired # max entires limit by setting max-bytes to 0 and max-entries to the desired
# value. # value.
stream-node-max-bytes 4kb stream-node-max-bytes 4096
stream-node-max-entries 100 stream-node-max-entries 100
# Active rehashing uses 1 millisecond every 100 milliseconds of CPU time in # Active rehashing uses 1 millisecond every 100 milliseconds of CPU time in
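Review bot: "max entires limit" (right column) reintroduces a typo that the left-hand text had fixed ("entries"); `stream-node-max-bytes 4096` is equivalent to `4kb`, so that change is fine.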
@ -2018,7 +1637,7 @@ activerehashing yes
# The limit can be set differently for the three different classes of clients: # The limit can be set differently for the three different classes of clients:
# #
# normal -> normal clients including MONITOR clients # normal -> normal clients including MONITOR clients
# replica -> replica clients # replica -> replica clients
# pubsub -> clients subscribed to at least one pubsub channel or pattern # pubsub -> clients subscribed to at least one pubsub channel or pattern
# #
# The syntax of every client-output-buffer-limit directive is the following: # The syntax of every client-output-buffer-limit directive is the following:
@ -2042,13 +1661,6 @@ activerehashing yes
# Instead there is a default limit for pubsub and replica clients, since # Instead there is a default limit for pubsub and replica clients, since
# subscribers and replicas receive data in a push fashion. # subscribers and replicas receive data in a push fashion.
# #
# Note that it doesn't make sense to set the replica clients output buffer
# limit lower than the repl-backlog-size config (partial sync will succeed
# and then replica will get disconnected).
# Such a configuration is ignored (the size of repl-backlog-size will be used).
# This doesn't have memory consumption implications since the replica client
# will share the backlog buffers memory.
#
# Both the hard or the soft limit can be disabled by setting them to zero. # Both the hard or the soft limit can be disabled by setting them to zero.
client-output-buffer-limit normal 0 0 0 client-output-buffer-limit normal 0 0 0
client-output-buffer-limit replica 256mb 64mb 60 client-output-buffer-limit replica 256mb 64mb 60
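Review bot: the new side drops the explanation of why a replica output-buffer limit below `repl-backlog-size` is ignored (the removed block from "Note that it doesn't make sense to set the replica clients output buffer" through "will share the backlog buffers memory.") while leaving `client-output-buffer-limit replica 256mb 64mb 60` unchanged. Taken together with the later removals of the `maxmemory-clients` and `latency-tracking-info-percentiles` text, this looks like the template being swapped for one from an older Redis series; please state in the commit which Redis version the file targets, so anyone tuning `repl-backlog-size` knows whether the fall-back behaviour described here still applies.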
@ -2062,25 +1674,6 @@ client-output-buffer-limit pubsub 32mb 8mb 60
# #
# client-query-buffer-limit 1gb # client-query-buffer-limit 1gb
# In some scenarios client connections can hog up memory leading to OOM
# errors or data eviction. To avoid this we can cap the accumulated memory
# used by all client connections (all pubsub and normal clients). Once we
# reach that limit connections will be dropped by the server freeing up
# memory. The server will attempt to drop the connections using the most
# memory first. We call this mechanism "client eviction".
#
# Client eviction is configured using the maxmemory-clients setting as follows:
# 0 - client eviction is disabled (default)
#
# A memory value can be used for the client eviction threshold,
# for example:
# maxmemory-clients 1g
#
# A percentage value (between 1% and 100%) means the client eviction threshold
# is based on a percentage of the maxmemory setting. For example to set client
# eviction at 5% of maxmemory:
# maxmemory-clients 5%
# In the Redis protocol, bulk requests, that are, elements representing single # In the Redis protocol, bulk requests, that are, elements representing single
# strings, are normally limited to 512 mb. However you can change this limit # strings, are normally limited to 512 mb. However you can change this limit
# here, but must be 1mb or greater # here, but must be 1mb or greater
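Review bot: removing the `maxmemory-clients` section also removes the only control this template documents against client connections exhausting memory ("client connections can hog up memory leading to OOM errors or data eviction"); the `client-query-buffer-limit 1gb` line kept above only caps a single client's query buffer. If the Redis version this file targets supports client eviction, keep the section and set a value (the removed text itself suggests `maxmemory-clients 5%`) so a connection flood evicts clients rather than data; if it targets an older server that rejects the directive, say so in the commit so the behavioural difference is on record.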
@ -2121,13 +1714,13 @@ hz 10
dynamic-hz yes dynamic-hz yes
# When a child rewrites the AOF file, if the following option is enabled # When a child rewrites the AOF file, if the following option is enabled
# the file will be fsync-ed every 4 MB of data generated. This is useful # the file will be fsync-ed every 32 MB of data generated. This is useful
# in order to commit the file to the disk more incrementally and avoid # in order to commit the file to the disk more incrementally and avoid
# big latency spikes. # big latency spikes.
aof-rewrite-incremental-fsync yes aof-rewrite-incremental-fsync yes
# When redis saves RDB file, if the following option is enabled # When redis saves RDB file, if the following option is enabled
# the file will be fsync-ed every 4 MB of data generated. This is useful # the file will be fsync-ed every 32 MB of data generated. This is useful
# in order to commit the file to the disk more incrementally and avoid # in order to commit the file to the disk more incrementally and avoid
# big latency spikes. # big latency spikes.
rdb-save-incremental-fsync yes rdb-save-incremental-fsync yes
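Review bot: the comments for `aof-rewrite-incremental-fsync` and `rdb-save-incremental-fsync` change from "every 4 MB" to "every 32 MB" while the directive values stay `yes`; the two sides describe different server behaviour, so whichever figure the file ships with must match the Redis version actually deployed, otherwise the comment misleads anyone chasing latency spikes during rewrites.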
@ -2224,7 +1817,7 @@ rdb-save-incremental-fsync yes
# defragmentation process. If you are not sure about what they mean it is # defragmentation process. If you are not sure about what they mean it is
# a good idea to leave the defaults untouched. # a good idea to leave the defaults untouched.
# Active defragmentation is disabled by default # Enabled active defragmentation
# activedefrag no # activedefrag no
# Minimum amount of fragmentation waste to start active defrag # Minimum amount of fragmentation waste to start active defrag
@ -2282,10 +1875,3 @@ jemalloc-bg-thread yes
# to suppress # to suppress
# #
# ignore-warnings ARM64-COW-BUG # ignore-warnings ARM64-COW-BUG
# Generated by CONFIG REWRITE
save 3600 1
save 300 100
save 60 10000
latency-tracking-info-percentiles 50 99 99.9
user default on nopass ~* &* +@all
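Review bot: dropping the `# Generated by CONFIG REWRITE` block is the right call; committing a file the server rewrote at runtime means `user default on nopass ~* &* +@all` was checked in as an explicit ACL rule granting the default user every command and every key with no password. Two follow-ups: the new template still needs the panel to write a `requirepass` (or a `user default ... >password` rule), because Redis' built-in default for the default user is the same unauthenticated full access, just not spelled out; and the three `save 3600 1` / `save 300 100` / `save 60 10000` lines disappear here, so confirm an equivalent `save` directive survives elsewhere in the new file or RDB snapshotting will silently follow the built-in defaults rather than the values the panel intended.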

View File

@ -1,12 +1,3 @@
# Redis configuration rewrite by 1Panel
timeout 0
# maxclients 10000
# maxmemory <bytes>
save 3600 1 300 100 60 10000
appendonly no
appendfsync everysec
# End Redis configuration rewrite by 1Panel
# Redis configuration file example. # Redis configuration file example.
# #
# Note that in order to read the configuration file, Redis must be # Note that in order to read the configuration file, Redis must be
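Review bot: removing the prepended "# Redis configuration rewrite by 1Panel" block is the right fix, since it duplicated directives the template already carries in commented form further down (`timeout`, `appendonly`, `appendfsync`); editing those lines in place, as the later hunks do, keeps a single source of truth. Note the block's `save 3600 1 300 100 60 10000` and `# maxmemory <bytes>` lines go away with it, so check the in-place edits below cover persistence and memory limits as intended.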
@ -93,7 +84,7 @@ appendfsync everysec
# You will also need to set a password unless you explicitly disable protected # You will also need to set a password unless you explicitly disable protected
# mode. # mode.
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ # ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
# bind 127.0.0.1 -::1 bind 0.0.0.0
# By default, outgoing connections (from replica to master, from Sentinel to # By default, outgoing connections (from replica to master, from Sentinel to
# instances, cluster bus, etc.) are not bound to a specific local address. In # instances, cluster bus, etc.) are not bound to a specific local address. In
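Review bot: `bind 0.0.0.0` explicitly binds to every IPv4 interface, and an explicit `bind` directive is precisely the condition under which Redis' protected mode stops refusing non-loopback clients; the comment directly above this line says a password is required unless protected mode is explicitly disabled, so with this change an instance started without `requirepass` (or an ACL password for the default user) accepts unauthenticated connections from any host that can reach the port. Either keep the stock `# bind 127.0.0.1 -::1` and rely on the container network to expose the port, or make sure the panel always writes `requirepass` before starting the server. Also, `0.0.0.0` covers IPv4 only; if IPv6 clients are expected, add `::` alongside it.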
@ -165,7 +156,7 @@ tcp-backlog 511
# unixsocketperm 700 # unixsocketperm 700
# Close the connection after a client is idle for N seconds (0 to disable) # Close the connection after a client is idle for N seconds (0 to disable)
# timeout 0 timeout 0
# TCP keepalive. # TCP keepalive.
# #
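Review bot: uncommenting `timeout 0` changes nothing, since 0 is the built-in default and means idle clients are never disconnected; if the line is uncommented only so the panel can edit it later, that is fine, but for an instance bound to 0.0.0.0 a non-zero idle timeout is worth considering so stale connections cannot accumulate against `maxclients`.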
@ -1385,7 +1376,7 @@ disable-thp yes
# #
# Please check https://redis.io/topics/persistence for more information. # Please check https://redis.io/topics/persistence for more information.
# appendonly no appendonly no
# The base name of the append only file. # The base name of the append only file.
# #
@ -1444,7 +1435,7 @@ appenddirname "appendonlydir"
# If unsure, use "everysec". # If unsure, use "everysec".
# appendfsync always # appendfsync always
# appendfsync everysec appendfsync everysec
# appendfsync no # appendfsync no
# When the AOF fsync policy is set to always or everysec, and a background # When the AOF fsync policy is set to always or everysec, and a background