mirror of
https://github.com/QYG2297248353/appstore-1panel.git
synced 2024-11-29 01:56:13 +08:00
feat: 修改 nginx WAF
This commit is contained in:
parent
11dc8bc7c8
commit
31fa8a0e6e
9
apps/nginx/versions/1.21.4/www/common/waf/.gitignore
vendored
Normal file
9
apps/nginx/versions/1.21.4/www/common/waf/.gitignore
vendored
Normal file
@ -0,0 +1,9 @@
|
|||||||
|
# Binaries for programs and plugins
|
||||||
|
*.exe
|
||||||
|
*.exe~
|
||||||
|
*.dll
|
||||||
|
*.so
|
||||||
|
*.dylib
|
||||||
|
.idea
|
||||||
|
|
||||||
|
|
674
apps/nginx/versions/1.21.4/www/common/waf/LICENSE
Normal file
674
apps/nginx/versions/1.21.4/www/common/waf/LICENSE
Normal file
@ -0,0 +1,674 @@
|
|||||||
|
GNU GENERAL PUBLIC LICENSE
|
||||||
|
Version 3, 29 June 2007
|
||||||
|
|
||||||
|
Copyright (C) 2007 Free Software Foundation, Inc. <https://fsf.org/>
|
||||||
|
Everyone is permitted to copy and distribute verbatim copies
|
||||||
|
of this license document, but changing it is not allowed.
|
||||||
|
|
||||||
|
Preamble
|
||||||
|
|
||||||
|
The GNU General Public License is a free, copyleft license for
|
||||||
|
software and other kinds of works.
|
||||||
|
|
||||||
|
The licenses for most software and other practical works are designed
|
||||||
|
to take away your freedom to share and change the works. By contrast,
|
||||||
|
the GNU General Public License is intended to guarantee your freedom to
|
||||||
|
share and change all versions of a program--to make sure it remains free
|
||||||
|
software for all its users. We, the Free Software Foundation, use the
|
||||||
|
GNU General Public License for most of our software; it applies also to
|
||||||
|
any other work released this way by its authors. You can apply it to
|
||||||
|
your programs, too.
|
||||||
|
|
||||||
|
When we speak of free software, we are referring to freedom, not
|
||||||
|
price. Our General Public Licenses are designed to make sure that you
|
||||||
|
have the freedom to distribute copies of free software (and charge for
|
||||||
|
them if you wish), that you receive source code or can get it if you
|
||||||
|
want it, that you can change the software or use pieces of it in new
|
||||||
|
free programs, and that you know you can do these things.
|
||||||
|
|
||||||
|
To protect your rights, we need to prevent others from denying you
|
||||||
|
these rights or asking you to surrender the rights. Therefore, you have
|
||||||
|
certain responsibilities if you distribute copies of the software, or if
|
||||||
|
you modify it: responsibilities to respect the freedom of others.
|
||||||
|
|
||||||
|
For example, if you distribute copies of such a program, whether
|
||||||
|
gratis or for a fee, you must pass on to the recipients the same
|
||||||
|
freedoms that you received. You must make sure that they, too, receive
|
||||||
|
or can get the source code. And you must show them these terms so they
|
||||||
|
know their rights.
|
||||||
|
|
||||||
|
Developers that use the GNU GPL protect your rights with two steps:
|
||||||
|
(1) assert copyright on the software, and (2) offer you this License
|
||||||
|
giving you legal permission to copy, distribute and/or modify it.
|
||||||
|
|
||||||
|
For the developers' and authors' protection, the GPL clearly explains
|
||||||
|
that there is no warranty for this free software. For both users' and
|
||||||
|
authors' sake, the GPL requires that modified versions be marked as
|
||||||
|
changed, so that their problems will not be attributed erroneously to
|
||||||
|
authors of previous versions.
|
||||||
|
|
||||||
|
Some devices are designed to deny users access to install or run
|
||||||
|
modified versions of the software inside them, although the manufacturer
|
||||||
|
can do so. This is fundamentally incompatible with the aim of
|
||||||
|
protecting users' freedom to change the software. The systematic
|
||||||
|
pattern of such abuse occurs in the area of products for individuals to
|
||||||
|
use, which is precisely where it is most unacceptable. Therefore, we
|
||||||
|
have designed this version of the GPL to prohibit the practice for those
|
||||||
|
products. If such problems arise substantially in other domains, we
|
||||||
|
stand ready to extend this provision to those domains in future versions
|
||||||
|
of the GPL, as needed to protect the freedom of users.
|
||||||
|
|
||||||
|
Finally, every program is threatened constantly by software patents.
|
||||||
|
States should not allow patents to restrict development and use of
|
||||||
|
software on general-purpose computers, but in those that do, we wish to
|
||||||
|
avoid the special danger that patents applied to a free program could
|
||||||
|
make it effectively proprietary. To prevent this, the GPL assures that
|
||||||
|
patents cannot be used to render the program non-free.
|
||||||
|
|
||||||
|
The precise terms and conditions for copying, distribution and
|
||||||
|
modification follow.
|
||||||
|
|
||||||
|
TERMS AND CONDITIONS
|
||||||
|
|
||||||
|
0. Definitions.
|
||||||
|
|
||||||
|
"This License" refers to version 3 of the GNU General Public License.
|
||||||
|
|
||||||
|
"Copyright" also means copyright-like laws that apply to other kinds of
|
||||||
|
works, such as semiconductor masks.
|
||||||
|
|
||||||
|
"The Program" refers to any copyrightable work licensed under this
|
||||||
|
License. Each licensee is addressed as "you". "Licensees" and
|
||||||
|
"recipients" may be individuals or organizations.
|
||||||
|
|
||||||
|
To "modify" a work means to copy from or adapt all or part of the work
|
||||||
|
in a fashion requiring copyright permission, other than the making of an
|
||||||
|
exact copy. The resulting work is called a "modified version" of the
|
||||||
|
earlier work or a work "based on" the earlier work.
|
||||||
|
|
||||||
|
A "covered work" means either the unmodified Program or a work based
|
||||||
|
on the Program.
|
||||||
|
|
||||||
|
To "propagate" a work means to do anything with it that, without
|
||||||
|
permission, would make you directly or secondarily liable for
|
||||||
|
infringement under applicable copyright law, except executing it on a
|
||||||
|
computer or modifying a private copy. Propagation includes copying,
|
||||||
|
distribution (with or without modification), making available to the
|
||||||
|
public, and in some countries other activities as well.
|
||||||
|
|
||||||
|
To "convey" a work means any kind of propagation that enables other
|
||||||
|
parties to make or receive copies. Mere interaction with a user through
|
||||||
|
a computer network, with no transfer of a copy, is not conveying.
|
||||||
|
|
||||||
|
An interactive user interface displays "Appropriate Legal Notices"
|
||||||
|
to the extent that it includes a convenient and prominently visible
|
||||||
|
feature that (1) displays an appropriate copyright notice, and (2)
|
||||||
|
tells the user that there is no warranty for the work (except to the
|
||||||
|
extent that warranties are provided), that licensees may convey the
|
||||||
|
work under this License, and how to view a copy of this License. If
|
||||||
|
the interface presents a list of user commands or options, such as a
|
||||||
|
menu, a prominent item in the list meets this criterion.
|
||||||
|
|
||||||
|
1. Source Code.
|
||||||
|
|
||||||
|
The "source code" for a work means the preferred form of the work
|
||||||
|
for making modifications to it. "Object code" means any non-source
|
||||||
|
form of a work.
|
||||||
|
|
||||||
|
A "Standard Interface" means an interface that either is an official
|
||||||
|
standard defined by a recognized standards body, or, in the case of
|
||||||
|
interfaces specified for a particular programming language, one that
|
||||||
|
is widely used among developers working in that language.
|
||||||
|
|
||||||
|
The "System Libraries" of an executable work include anything, other
|
||||||
|
than the work as a whole, that (a) is included in the normal form of
|
||||||
|
packaging a Major Component, but which is not part of that Major
|
||||||
|
Component, and (b) serves only to enable use of the work with that
|
||||||
|
Major Component, or to implement a Standard Interface for which an
|
||||||
|
implementation is available to the public in source code form. A
|
||||||
|
"Major Component", in this context, means a major essential component
|
||||||
|
(kernel, window system, and so on) of the specific operating system
|
||||||
|
(if any) on which the executable work runs, or a compiler used to
|
||||||
|
produce the work, or an object code interpreter used to run it.
|
||||||
|
|
||||||
|
The "Corresponding Source" for a work in object code form means all
|
||||||
|
the source code needed to generate, install, and (for an executable
|
||||||
|
work) run the object code and to modify the work, including scripts to
|
||||||
|
control those activities. However, it does not include the work's
|
||||||
|
System Libraries, or general-purpose tools or generally available free
|
||||||
|
programs which are used unmodified in performing those activities but
|
||||||
|
which are not part of the work. For example, Corresponding Source
|
||||||
|
includes interface definition files associated with source files for
|
||||||
|
the work, and the source code for shared libraries and dynamically
|
||||||
|
linked subprograms that the work is specifically designed to require,
|
||||||
|
such as by intimate data communication or control flow between those
|
||||||
|
subprograms and other parts of the work.
|
||||||
|
|
||||||
|
The Corresponding Source need not include anything that users
|
||||||
|
can regenerate automatically from other parts of the Corresponding
|
||||||
|
Source.
|
||||||
|
|
||||||
|
The Corresponding Source for a work in source code form is that
|
||||||
|
same work.
|
||||||
|
|
||||||
|
2. Basic Permissions.
|
||||||
|
|
||||||
|
All rights granted under this License are granted for the term of
|
||||||
|
copyright on the Program, and are irrevocable provided the stated
|
||||||
|
conditions are met. This License explicitly affirms your unlimited
|
||||||
|
permission to run the unmodified Program. The output from running a
|
||||||
|
covered work is covered by this License only if the output, given its
|
||||||
|
content, constitutes a covered work. This License acknowledges your
|
||||||
|
rights of fair use or other equivalent, as provided by copyright law.
|
||||||
|
|
||||||
|
You may make, run and propagate covered works that you do not
|
||||||
|
convey, without conditions so long as your license otherwise remains
|
||||||
|
in force. You may convey covered works to others for the sole purpose
|
||||||
|
of having them make modifications exclusively for you, or provide you
|
||||||
|
with facilities for running those works, provided that you comply with
|
||||||
|
the terms of this License in conveying all material for which you do
|
||||||
|
not control copyright. Those thus making or running the covered works
|
||||||
|
for you must do so exclusively on your behalf, under your direction
|
||||||
|
and control, on terms that prohibit them from making any copies of
|
||||||
|
your copyrighted material outside their relationship with you.
|
||||||
|
|
||||||
|
Conveying under any other circumstances is permitted solely under
|
||||||
|
the conditions stated below. Sublicensing is not allowed; section 10
|
||||||
|
makes it unnecessary.
|
||||||
|
|
||||||
|
3. Protecting Users' Legal Rights From Anti-Circumvention Law.
|
||||||
|
|
||||||
|
No covered work shall be deemed part of an effective technological
|
||||||
|
measure under any applicable law fulfilling obligations under article
|
||||||
|
11 of the WIPO copyright treaty adopted on 20 December 1996, or
|
||||||
|
similar laws prohibiting or restricting circumvention of such
|
||||||
|
measures.
|
||||||
|
|
||||||
|
When you convey a covered work, you waive any legal power to forbid
|
||||||
|
circumvention of technological measures to the extent such circumvention
|
||||||
|
is effected by exercising rights under this License with respect to
|
||||||
|
the covered work, and you disclaim any intention to limit operation or
|
||||||
|
modification of the work as a means of enforcing, against the work's
|
||||||
|
users, your or third parties' legal rights to forbid circumvention of
|
||||||
|
technological measures.
|
||||||
|
|
||||||
|
4. Conveying Verbatim Copies.
|
||||||
|
|
||||||
|
You may convey verbatim copies of the Program's source code as you
|
||||||
|
receive it, in any medium, provided that you conspicuously and
|
||||||
|
appropriately publish on each copy an appropriate copyright notice;
|
||||||
|
keep intact all notices stating that this License and any
|
||||||
|
non-permissive terms added in accord with section 7 apply to the code;
|
||||||
|
keep intact all notices of the absence of any warranty; and give all
|
||||||
|
recipients a copy of this License along with the Program.
|
||||||
|
|
||||||
|
You may charge any price or no price for each copy that you convey,
|
||||||
|
and you may offer support or warranty protection for a fee.
|
||||||
|
|
||||||
|
5. Conveying Modified Source Versions.
|
||||||
|
|
||||||
|
You may convey a work based on the Program, or the modifications to
|
||||||
|
produce it from the Program, in the form of source code under the
|
||||||
|
terms of section 4, provided that you also meet all of these conditions:
|
||||||
|
|
||||||
|
a) The work must carry prominent notices stating that you modified
|
||||||
|
it, and giving a relevant date.
|
||||||
|
|
||||||
|
b) The work must carry prominent notices stating that it is
|
||||||
|
released under this License and any conditions added under section
|
||||||
|
7. This requirement modifies the requirement in section 4 to
|
||||||
|
"keep intact all notices".
|
||||||
|
|
||||||
|
c) You must license the entire work, as a whole, under this
|
||||||
|
License to anyone who comes into possession of a copy. This
|
||||||
|
License will therefore apply, along with any applicable section 7
|
||||||
|
additional terms, to the whole of the work, and all its parts,
|
||||||
|
regardless of how they are packaged. This License gives no
|
||||||
|
permission to license the work in any other way, but it does not
|
||||||
|
invalidate such permission if you have separately received it.
|
||||||
|
|
||||||
|
d) If the work has interactive user interfaces, each must display
|
||||||
|
Appropriate Legal Notices; however, if the Program has interactive
|
||||||
|
interfaces that do not display Appropriate Legal Notices, your
|
||||||
|
work need not make them do so.
|
||||||
|
|
||||||
|
A compilation of a covered work with other separate and independent
|
||||||
|
works, which are not by their nature extensions of the covered work,
|
||||||
|
and which are not combined with it such as to form a larger program,
|
||||||
|
in or on a volume of a storage or distribution medium, is called an
|
||||||
|
"aggregate" if the compilation and its resulting copyright are not
|
||||||
|
used to limit the access or legal rights of the compilation's users
|
||||||
|
beyond what the individual works permit. Inclusion of a covered work
|
||||||
|
in an aggregate does not cause this License to apply to the other
|
||||||
|
parts of the aggregate.
|
||||||
|
|
||||||
|
6. Conveying Non-Source Forms.
|
||||||
|
|
||||||
|
You may convey a covered work in object code form under the terms
|
||||||
|
of sections 4 and 5, provided that you also convey the
|
||||||
|
machine-readable Corresponding Source under the terms of this License,
|
||||||
|
in one of these ways:
|
||||||
|
|
||||||
|
a) Convey the object code in, or embodied in, a physical product
|
||||||
|
(including a physical distribution medium), accompanied by the
|
||||||
|
Corresponding Source fixed on a durable physical medium
|
||||||
|
customarily used for software interchange.
|
||||||
|
|
||||||
|
b) Convey the object code in, or embodied in, a physical product
|
||||||
|
(including a physical distribution medium), accompanied by a
|
||||||
|
written offer, valid for at least three years and valid for as
|
||||||
|
long as you offer spare parts or customer support for that product
|
||||||
|
model, to give anyone who possesses the object code either (1) a
|
||||||
|
copy of the Corresponding Source for all the software in the
|
||||||
|
product that is covered by this License, on a durable physical
|
||||||
|
medium customarily used for software interchange, for a price no
|
||||||
|
more than your reasonable cost of physically performing this
|
||||||
|
conveying of source, or (2) access to copy the
|
||||||
|
Corresponding Source from a network server at no charge.
|
||||||
|
|
||||||
|
c) Convey individual copies of the object code with a copy of the
|
||||||
|
written offer to provide the Corresponding Source. This
|
||||||
|
alternative is allowed only occasionally and noncommercially, and
|
||||||
|
only if you received the object code with such an offer, in accord
|
||||||
|
with subsection 6b.
|
||||||
|
|
||||||
|
d) Convey the object code by offering access from a designated
|
||||||
|
place (gratis or for a charge), and offer equivalent access to the
|
||||||
|
Corresponding Source in the same way through the same place at no
|
||||||
|
further charge. You need not require recipients to copy the
|
||||||
|
Corresponding Source along with the object code. If the place to
|
||||||
|
copy the object code is a network server, the Corresponding Source
|
||||||
|
may be on a different server (operated by you or a third party)
|
||||||
|
that supports equivalent copying facilities, provided you maintain
|
||||||
|
clear directions next to the object code saying where to find the
|
||||||
|
Corresponding Source. Regardless of what server hosts the
|
||||||
|
Corresponding Source, you remain obligated to ensure that it is
|
||||||
|
available for as long as needed to satisfy these requirements.
|
||||||
|
|
||||||
|
e) Convey the object code using peer-to-peer transmission, provided
|
||||||
|
you inform other peers where the object code and Corresponding
|
||||||
|
Source of the work are being offered to the general public at no
|
||||||
|
charge under subsection 6d.
|
||||||
|
|
||||||
|
A separable portion of the object code, whose source code is excluded
|
||||||
|
from the Corresponding Source as a System Library, need not be
|
||||||
|
included in conveying the object code work.
|
||||||
|
|
||||||
|
A "User Product" is either (1) a "consumer product", which means any
|
||||||
|
tangible personal property which is normally used for personal, family,
|
||||||
|
or household purposes, or (2) anything designed or sold for incorporation
|
||||||
|
into a dwelling. In determining whether a product is a consumer product,
|
||||||
|
doubtful cases shall be resolved in favor of coverage. For a particular
|
||||||
|
product received by a particular user, "normally used" refers to a
|
||||||
|
typical or common use of that class of product, regardless of the status
|
||||||
|
of the particular user or of the way in which the particular user
|
||||||
|
actually uses, or expects or is expected to use, the product. A product
|
||||||
|
is a consumer product regardless of whether the product has substantial
|
||||||
|
commercial, industrial or non-consumer uses, unless such uses represent
|
||||||
|
the only significant mode of use of the product.
|
||||||
|
|
||||||
|
"Installation Information" for a User Product means any methods,
|
||||||
|
procedures, authorization keys, or other information required to install
|
||||||
|
and execute modified versions of a covered work in that User Product from
|
||||||
|
a modified version of its Corresponding Source. The information must
|
||||||
|
suffice to ensure that the continued functioning of the modified object
|
||||||
|
code is in no case prevented or interfered with solely because
|
||||||
|
modification has been made.
|
||||||
|
|
||||||
|
If you convey an object code work under this section in, or with, or
|
||||||
|
specifically for use in, a User Product, and the conveying occurs as
|
||||||
|
part of a transaction in which the right of possession and use of the
|
||||||
|
User Product is transferred to the recipient in perpetuity or for a
|
||||||
|
fixed term (regardless of how the transaction is characterized), the
|
||||||
|
Corresponding Source conveyed under this section must be accompanied
|
||||||
|
by the Installation Information. But this requirement does not apply
|
||||||
|
if neither you nor any third party retains the ability to install
|
||||||
|
modified object code on the User Product (for example, the work has
|
||||||
|
been installed in ROM).
|
||||||
|
|
||||||
|
The requirement to provide Installation Information does not include a
|
||||||
|
requirement to continue to provide support service, warranty, or updates
|
||||||
|
for a work that has been modified or installed by the recipient, or for
|
||||||
|
the User Product in which it has been modified or installed. Access to a
|
||||||
|
network may be denied when the modification itself materially and
|
||||||
|
adversely affects the operation of the network or violates the rules and
|
||||||
|
protocols for communication across the network.
|
||||||
|
|
||||||
|
Corresponding Source conveyed, and Installation Information provided,
|
||||||
|
in accord with this section must be in a format that is publicly
|
||||||
|
documented (and with an implementation available to the public in
|
||||||
|
source code form), and must require no special password or key for
|
||||||
|
unpacking, reading or copying.
|
||||||
|
|
||||||
|
7. Additional Terms.
|
||||||
|
|
||||||
|
"Additional permissions" are terms that supplement the terms of this
|
||||||
|
License by making exceptions from one or more of its conditions.
|
||||||
|
Additional permissions that are applicable to the entire Program shall
|
||||||
|
be treated as though they were included in this License, to the extent
|
||||||
|
that they are valid under applicable law. If additional permissions
|
||||||
|
apply only to part of the Program, that part may be used separately
|
||||||
|
under those permissions, but the entire Program remains governed by
|
||||||
|
this License without regard to the additional permissions.
|
||||||
|
|
||||||
|
When you convey a copy of a covered work, you may at your option
|
||||||
|
remove any additional permissions from that copy, or from any part of
|
||||||
|
it. (Additional permissions may be written to require their own
|
||||||
|
removal in certain cases when you modify the work.) You may place
|
||||||
|
additional permissions on material, added by you to a covered work,
|
||||||
|
for which you have or can give appropriate copyright permission.
|
||||||
|
|
||||||
|
Notwithstanding any other provision of this License, for material you
|
||||||
|
add to a covered work, you may (if authorized by the copyright holders of
|
||||||
|
that material) supplement the terms of this License with terms:
|
||||||
|
|
||||||
|
a) Disclaiming warranty or limiting liability differently from the
|
||||||
|
terms of sections 15 and 16 of this License; or
|
||||||
|
|
||||||
|
b) Requiring preservation of specified reasonable legal notices or
|
||||||
|
author attributions in that material or in the Appropriate Legal
|
||||||
|
Notices displayed by works containing it; or
|
||||||
|
|
||||||
|
c) Prohibiting misrepresentation of the origin of that material, or
|
||||||
|
requiring that modified versions of such material be marked in
|
||||||
|
reasonable ways as different from the original version; or
|
||||||
|
|
||||||
|
d) Limiting the use for publicity purposes of names of licensors or
|
||||||
|
authors of the material; or
|
||||||
|
|
||||||
|
e) Declining to grant rights under trademark law for use of some
|
||||||
|
trade names, trademarks, or service marks; or
|
||||||
|
|
||||||
|
f) Requiring indemnification of licensors and authors of that
|
||||||
|
material by anyone who conveys the material (or modified versions of
|
||||||
|
it) with contractual assumptions of liability to the recipient, for
|
||||||
|
any liability that these contractual assumptions directly impose on
|
||||||
|
those licensors and authors.
|
||||||
|
|
||||||
|
All other non-permissive additional terms are considered "further
|
||||||
|
restrictions" within the meaning of section 10. If the Program as you
|
||||||
|
received it, or any part of it, contains a notice stating that it is
|
||||||
|
governed by this License along with a term that is a further
|
||||||
|
restriction, you may remove that term. If a license document contains
|
||||||
|
a further restriction but permits relicensing or conveying under this
|
||||||
|
License, you may add to a covered work material governed by the terms
|
||||||
|
of that license document, provided that the further restriction does
|
||||||
|
not survive such relicensing or conveying.
|
||||||
|
|
||||||
|
If you add terms to a covered work in accord with this section, you
|
||||||
|
must place, in the relevant source files, a statement of the
|
||||||
|
additional terms that apply to those files, or a notice indicating
|
||||||
|
where to find the applicable terms.
|
||||||
|
|
||||||
|
Additional terms, permissive or non-permissive, may be stated in the
|
||||||
|
form of a separately written license, or stated as exceptions;
|
||||||
|
the above requirements apply either way.
|
||||||
|
|
||||||
|
8. Termination.
|
||||||
|
|
||||||
|
You may not propagate or modify a covered work except as expressly
|
||||||
|
provided under this License. Any attempt otherwise to propagate or
|
||||||
|
modify it is void, and will automatically terminate your rights under
|
||||||
|
this License (including any patent licenses granted under the third
|
||||||
|
paragraph of section 11).
|
||||||
|
|
||||||
|
However, if you cease all violation of this License, then your
|
||||||
|
license from a particular copyright holder is reinstated (a)
|
||||||
|
provisionally, unless and until the copyright holder explicitly and
|
||||||
|
finally terminates your license, and (b) permanently, if the copyright
|
||||||
|
holder fails to notify you of the violation by some reasonable means
|
||||||
|
prior to 60 days after the cessation.
|
||||||
|
|
||||||
|
Moreover, your license from a particular copyright holder is
|
||||||
|
reinstated permanently if the copyright holder notifies you of the
|
||||||
|
violation by some reasonable means, this is the first time you have
|
||||||
|
received notice of violation of this License (for any work) from that
|
||||||
|
copyright holder, and you cure the violation prior to 30 days after
|
||||||
|
your receipt of the notice.
|
||||||
|
|
||||||
|
Termination of your rights under this section does not terminate the
|
||||||
|
licenses of parties who have received copies or rights from you under
|
||||||
|
this License. If your rights have been terminated and not permanently
|
||||||
|
reinstated, you do not qualify to receive new licenses for the same
|
||||||
|
material under section 10.
|
||||||
|
|
||||||
|
9. Acceptance Not Required for Having Copies.
|
||||||
|
|
||||||
|
You are not required to accept this License in order to receive or
|
||||||
|
run a copy of the Program. Ancillary propagation of a covered work
|
||||||
|
occurring solely as a consequence of using peer-to-peer transmission
|
||||||
|
to receive a copy likewise does not require acceptance. However,
|
||||||
|
nothing other than this License grants you permission to propagate or
|
||||||
|
modify any covered work. These actions infringe copyright if you do
|
||||||
|
not accept this License. Therefore, by modifying or propagating a
|
||||||
|
covered work, you indicate your acceptance of this License to do so.
|
||||||
|
|
||||||
|
10. Automatic Licensing of Downstream Recipients.
|
||||||
|
|
||||||
|
Each time you convey a covered work, the recipient automatically
|
||||||
|
receives a license from the original licensors, to run, modify and
|
||||||
|
propagate that work, subject to this License. You are not responsible
|
||||||
|
for enforcing compliance by third parties with this License.
|
||||||
|
|
||||||
|
An "entity transaction" is a transaction transferring control of an
|
||||||
|
organization, or substantially all assets of one, or subdividing an
|
||||||
|
organization, or merging organizations. If propagation of a covered
|
||||||
|
work results from an entity transaction, each party to that
|
||||||
|
transaction who receives a copy of the work also receives whatever
|
||||||
|
licenses to the work the party's predecessor in interest had or could
|
||||||
|
give under the previous paragraph, plus a right to possession of the
|
||||||
|
Corresponding Source of the work from the predecessor in interest, if
|
||||||
|
the predecessor has it or can get it with reasonable efforts.
|
||||||
|
|
||||||
|
You may not impose any further restrictions on the exercise of the
|
||||||
|
rights granted or affirmed under this License. For example, you may
|
||||||
|
not impose a license fee, royalty, or other charge for exercise of
|
||||||
|
rights granted under this License, and you may not initiate litigation
|
||||||
|
(including a cross-claim or counterclaim in a lawsuit) alleging that
|
||||||
|
any patent claim is infringed by making, using, selling, offering for
|
||||||
|
sale, or importing the Program or any portion of it.
|
||||||
|
|
||||||
|
11. Patents.
|
||||||
|
|
||||||
|
A "contributor" is a copyright holder who authorizes use under this
|
||||||
|
License of the Program or a work on which the Program is based. The
|
||||||
|
work thus licensed is called the contributor's "contributor version".
|
||||||
|
|
||||||
|
A contributor's "essential patent claims" are all patent claims
|
||||||
|
owned or controlled by the contributor, whether already acquired or
|
||||||
|
hereafter acquired, that would be infringed by some manner, permitted
|
||||||
|
by this License, of making, using, or selling its contributor version,
|
||||||
|
but do not include claims that would be infringed only as a
|
||||||
|
consequence of further modification of the contributor version. For
|
||||||
|
purposes of this definition, "control" includes the right to grant
|
||||||
|
patent sublicenses in a manner consistent with the requirements of
|
||||||
|
this License.
|
||||||
|
|
||||||
|
Each contributor grants you a non-exclusive, worldwide, royalty-free
|
||||||
|
patent license under the contributor's essential patent claims, to
|
||||||
|
make, use, sell, offer for sale, import and otherwise run, modify and
|
||||||
|
propagate the contents of its contributor version.
|
||||||
|
|
||||||
|
In the following three paragraphs, a "patent license" is any express
|
||||||
|
agreement or commitment, however denominated, not to enforce a patent
|
||||||
|
(such as an express permission to practice a patent or covenant not to
|
||||||
|
sue for patent infringement). To "grant" such a patent license to a
|
||||||
|
party means to make such an agreement or commitment not to enforce a
|
||||||
|
patent against the party.
|
||||||
|
|
||||||
|
If you convey a covered work, knowingly relying on a patent license,
|
||||||
|
and the Corresponding Source of the work is not available for anyone
|
||||||
|
to copy, free of charge and under the terms of this License, through a
|
||||||
|
publicly available network server or other readily accessible means,
|
||||||
|
then you must either (1) cause the Corresponding Source to be so
|
||||||
|
available, or (2) arrange to deprive yourself of the benefit of the
|
||||||
|
patent license for this particular work, or (3) arrange, in a manner
|
||||||
|
consistent with the requirements of this License, to extend the patent
|
||||||
|
license to downstream recipients. "Knowingly relying" means you have
|
||||||
|
actual knowledge that, but for the patent license, your conveying the
|
||||||
|
covered work in a country, or your recipient's use of the covered work
|
||||||
|
in a country, would infringe one or more identifiable patents in that
|
||||||
|
country that you have reason to believe are valid.
|
||||||
|
|
||||||
|
If, pursuant to or in connection with a single transaction or
|
||||||
|
arrangement, you convey, or propagate by procuring conveyance of, a
|
||||||
|
covered work, and grant a patent license to some of the parties
|
||||||
|
receiving the covered work authorizing them to use, propagate, modify
|
||||||
|
or convey a specific copy of the covered work, then the patent license
|
||||||
|
you grant is automatically extended to all recipients of the covered
|
||||||
|
work and works based on it.
|
||||||
|
|
||||||
|
A patent license is "discriminatory" if it does not include within
|
||||||
|
the scope of its coverage, prohibits the exercise of, or is
|
||||||
|
conditioned on the non-exercise of one or more of the rights that are
|
||||||
|
specifically granted under this License. You may not convey a covered
|
||||||
|
work if you are a party to an arrangement with a third party that is
|
||||||
|
in the business of distributing software, under which you make payment
|
||||||
|
to the third party based on the extent of your activity of conveying
|
||||||
|
the work, and under which the third party grants, to any of the
|
||||||
|
parties who would receive the covered work from you, a discriminatory
|
||||||
|
patent license (a) in connection with copies of the covered work
|
||||||
|
conveyed by you (or copies made from those copies), or (b) primarily
|
||||||
|
for and in connection with specific products or compilations that
|
||||||
|
contain the covered work, unless you entered into that arrangement,
|
||||||
|
or that patent license was granted, prior to 28 March 2007.
|
||||||
|
|
||||||
|
Nothing in this License shall be construed as excluding or limiting
|
||||||
|
any implied license or other defenses to infringement that may
|
||||||
|
otherwise be available to you under applicable patent law.
|
||||||
|
|
||||||
|
12. No Surrender of Others' Freedom.
|
||||||
|
|
||||||
|
If conditions are imposed on you (whether by court order, agreement or
|
||||||
|
otherwise) that contradict the conditions of this License, they do not
|
||||||
|
excuse you from the conditions of this License. If you cannot convey a
|
||||||
|
covered work so as to satisfy simultaneously your obligations under this
|
||||||
|
License and any other pertinent obligations, then as a consequence you may
|
||||||
|
not convey it at all. For example, if you agree to terms that obligate you
|
||||||
|
to collect a royalty for further conveying from those to whom you convey
|
||||||
|
the Program, the only way you could satisfy both those terms and this
|
||||||
|
License would be to refrain entirely from conveying the Program.
|
||||||
|
|
||||||
|
13. Use with the GNU Affero General Public License.
|
||||||
|
|
||||||
|
Notwithstanding any other provision of this License, you have
|
||||||
|
permission to link or combine any covered work with a work licensed
|
||||||
|
under version 3 of the GNU Affero General Public License into a single
|
||||||
|
combined work, and to convey the resulting work. The terms of this
|
||||||
|
License will continue to apply to the part which is the covered work,
|
||||||
|
but the special requirements of the GNU Affero General Public License,
|
||||||
|
section 13, concerning interaction through a network will apply to the
|
||||||
|
combination as such.
|
||||||
|
|
||||||
|
14. Revised Versions of this License.
|
||||||
|
|
||||||
|
The Free Software Foundation may publish revised and/or new versions of
|
||||||
|
the GNU General Public License from time to time. Such new versions will
|
||||||
|
be similar in spirit to the present version, but may differ in detail to
|
||||||
|
address new problems or concerns.
|
||||||
|
|
||||||
|
Each version is given a distinguishing version number. If the
|
||||||
|
Program specifies that a certain numbered version of the GNU General
|
||||||
|
Public License "or any later version" applies to it, you have the
|
||||||
|
option of following the terms and conditions either of that numbered
|
||||||
|
version or of any later version published by the Free Software
|
||||||
|
Foundation. If the Program does not specify a version number of the
|
||||||
|
GNU General Public License, you may choose any version ever published
|
||||||
|
by the Free Software Foundation.
|
||||||
|
|
||||||
|
If the Program specifies that a proxy can decide which future
|
||||||
|
versions of the GNU General Public License can be used, that proxy's
|
||||||
|
public statement of acceptance of a version permanently authorizes you
|
||||||
|
to choose that version for the Program.
|
||||||
|
|
||||||
|
Later license versions may give you additional or different
|
||||||
|
permissions. However, no additional obligations are imposed on any
|
||||||
|
author or copyright holder as a result of your choosing to follow a
|
||||||
|
later version.
|
||||||
|
|
||||||
|
15. Disclaimer of Warranty.
|
||||||
|
|
||||||
|
THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY
|
||||||
|
APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT
|
||||||
|
HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY
|
||||||
|
OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO,
|
||||||
|
THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
|
||||||
|
PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM
|
||||||
|
IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF
|
||||||
|
ALL NECESSARY SERVICING, REPAIR OR CORRECTION.
|
||||||
|
|
||||||
|
16. Limitation of Liability.
|
||||||
|
|
||||||
|
IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
|
||||||
|
WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS
|
||||||
|
THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY
|
||||||
|
GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE
|
||||||
|
USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF
|
||||||
|
DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD
|
||||||
|
PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS),
|
||||||
|
EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF
|
||||||
|
SUCH DAMAGES.
|
||||||
|
|
||||||
|
17. Interpretation of Sections 15 and 16.
|
||||||
|
|
||||||
|
If the disclaimer of warranty and limitation of liability provided
|
||||||
|
above cannot be given local legal effect according to their terms,
|
||||||
|
reviewing courts shall apply local law that most closely approximates
|
||||||
|
an absolute waiver of all civil liability in connection with the
|
||||||
|
Program, unless a warranty or assumption of liability accompanies a
|
||||||
|
copy of the Program in return for a fee.
|
||||||
|
|
||||||
|
END OF TERMS AND CONDITIONS
|
||||||
|
|
||||||
|
How to Apply These Terms to Your New Programs
|
||||||
|
|
||||||
|
If you develop a new program, and you want it to be of the greatest
|
||||||
|
possible use to the public, the best way to achieve this is to make it
|
||||||
|
free software which everyone can redistribute and change under these terms.
|
||||||
|
|
||||||
|
To do so, attach the following notices to the program. It is safest
|
||||||
|
to attach them to the start of each source file to most effectively
|
||||||
|
state the exclusion of warranty; and each file should have at least
|
||||||
|
the "copyright" line and a pointer to where the full notice is found.
|
||||||
|
|
||||||
|
<one line to give the program's name and a brief idea of what it does.>
|
||||||
|
Copyright (C) <year> <name of author>
|
||||||
|
|
||||||
|
This program is free software: you can redistribute it and/or modify
|
||||||
|
it under the terms of the GNU General Public License as published by
|
||||||
|
the Free Software Foundation, either version 3 of the License, or
|
||||||
|
(at your option) any later version.
|
||||||
|
|
||||||
|
This program is distributed in the hope that it will be useful,
|
||||||
|
but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||||
|
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||||
|
GNU General Public License for more details.
|
||||||
|
|
||||||
|
You should have received a copy of the GNU General Public License
|
||||||
|
along with this program. If not, see <https://www.gnu.org/licenses/>.
|
||||||
|
|
||||||
|
Also add information on how to contact you by electronic and paper mail.
|
||||||
|
|
||||||
|
If the program does terminal interaction, make it output a short
|
||||||
|
notice like this when it starts in an interactive mode:
|
||||||
|
|
||||||
|
<program> Copyright (C) <year> <name of author>
|
||||||
|
This program comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
|
||||||
|
This is free software, and you are welcome to redistribute it
|
||||||
|
under certain conditions; type `show c' for details.
|
||||||
|
|
||||||
|
The hypothetical commands `show w' and `show c' should show the appropriate
|
||||||
|
parts of the General Public License. Of course, your program's commands
|
||||||
|
might be different; for a GUI interface, you would use an "about box".
|
||||||
|
|
||||||
|
You should also get your employer (if you work as a programmer) or school,
|
||||||
|
if any, to sign a "copyright disclaimer" for the program, if necessary.
|
||||||
|
For more information on this, and how to apply and follow the GNU GPL, see
|
||||||
|
<https://www.gnu.org/licenses/>.
|
||||||
|
|
||||||
|
The GNU General Public License does not permit incorporating your program
|
||||||
|
into proprietary programs. If your program is a subroutine library, you
|
||||||
|
may consider it more useful to permit linking proprietary applications with
|
||||||
|
the library. If this is what you want to do, use the GNU Lesser General
|
||||||
|
Public License instead of this License. But first, please read
|
||||||
|
<https://www.gnu.org/licenses/why-not-lgpl.html>.
|
2
apps/nginx/versions/1.21.4/www/common/waf/README.md
Normal file
2
apps/nginx/versions/1.21.4/www/common/waf/README.md
Normal file
@ -0,0 +1,2 @@
|
|||||||
|
# waf
|
||||||
|
waf 是一个基于 lua-nginx-module(openresty) 的 web 应用防火墙
|
@ -8,7 +8,7 @@ local method=ngx.req.get_method()
|
|||||||
|
|
||||||
|
|
||||||
local function optionIsOn(options)
|
local function optionIsOn(options)
|
||||||
return options == "on" or options == "On" or options == "ON"
|
return options == "on" or options == "On" or options == "ON"
|
||||||
end
|
end
|
||||||
|
|
||||||
local logpath = ngx.var.logdir
|
local logpath = ngx.var.logdir
|
||||||
@ -26,273 +26,297 @@ local CookieDeny = optionIsOn(ngx.var.cookieDeny)
|
|||||||
local FileExtDeny = optionIsOn(ngx.var.fileExtDeny)
|
local FileExtDeny = optionIsOn(ngx.var.fileExtDeny)
|
||||||
|
|
||||||
local function getClientIp()
|
local function getClientIp()
|
||||||
IP = ngx.var.remote_addr
|
IP = ngx.var.remote_addr
|
||||||
if IP == nil then
|
if IP == nil then
|
||||||
IP = "unknown"
|
IP = "unknown"
|
||||||
end
|
end
|
||||||
return IP
|
return IP
|
||||||
end
|
end
|
||||||
local function write(logfile,msg)
|
local function write(logfile,msg)
|
||||||
local fd = io.open(logfile,"ab")
|
local fd = io.open(logfile,"ab")
|
||||||
if fd == nil then return end
|
if fd == nil then return end
|
||||||
fd:write(msg)
|
fd:write(msg)
|
||||||
fd:flush()
|
fd:flush()
|
||||||
fd:close()
|
fd:close()
|
||||||
end
|
end
|
||||||
local function log(method,url,data,ruletag)
|
local function log(method,url,data,ruletag)
|
||||||
if attacklog then
|
if attacklog then
|
||||||
local realIp = getClientIp()
|
local realIp = getClientIp()
|
||||||
local ua = ngx.var.http_user_agent
|
local ua = ngx.var.http_user_agent
|
||||||
local servername=ngx.var.server_name
|
local servername=ngx.var.server_name
|
||||||
local time=ngx.localtime()
|
local time=ngx.localtime()
|
||||||
local line = nil
|
local line = nil
|
||||||
if ua then
|
if ua then
|
||||||
line = realIp.." ["..time.."] \""..method.." "..servername..url.."\" \""..data.."\" \""..ua.."\" \""..ruletag.."\"\n"
|
line = realIp.." ["..time.."] \""..method.." "..servername..url.."\" \""..data.."\" \""..ua.."\" \""..ruletag.."\"\n"
|
||||||
else
|
else
|
||||||
line = realIp.." ["..time.."] \""..method.." "..servername..url.."\" \""..data.."\" - \""..ruletag.."\"\n"
|
line = realIp.." ["..time.."] \""..method.." "..servername..url.."\" \""..data.."\" - \""..ruletag.."\"\n"
|
||||||
end
|
end
|
||||||
local filename = logpath..'/'..servername.."_"..ngx.today().."_sec.log"
|
local filename = logpath..'/'..servername.."_"..ngx.today().."_sec.log"
|
||||||
write(filename,line)
|
write(filename,line)
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
------------------------------------规则读取函数-------------------------------------------------------------------
|
------------------------------------规则读取函数-------------------------------------------------------------------
|
||||||
local function read_rule(var)
|
--local function read_rule(var)
|
||||||
file = io.open(rulepath..'/'..var,"r")
|
-- file = io.open(rulepath..'/'..var,"r")
|
||||||
if file==nil then
|
-- if file==nil then
|
||||||
return
|
-- return
|
||||||
end
|
-- end
|
||||||
t = {}
|
-- t = {}
|
||||||
for line in file:lines() do
|
-- for line in file:lines() do
|
||||||
table.insert(t,line)
|
-- table.insert(t,line)
|
||||||
end
|
-- end
|
||||||
file:close()
|
-- file:close()
|
||||||
return(t)
|
-- return(t)
|
||||||
end
|
--end
|
||||||
|
|
||||||
|
--local function read_json(var)
|
||||||
|
-- file = io.open(rulepath..'/'..var,"r")
|
||||||
|
-- if file==nil then
|
||||||
|
-- return
|
||||||
|
-- end
|
||||||
|
-- str = file:read("*a")
|
||||||
|
-- file:close()
|
||||||
|
-- list = cjson.decode(str)
|
||||||
|
-- return list
|
||||||
|
--end
|
||||||
|
|
||||||
|
|
||||||
local function read_json(var)
|
local function read_json(var)
|
||||||
file = io.open(rulepath..'/'..var,"r")
|
file = io.open(rulepath..'/'..var .. '.json',"r")
|
||||||
if file==nil then
|
if file==nil then
|
||||||
return
|
return
|
||||||
end
|
end
|
||||||
str = file:read("*a")
|
str = file:read("*a")
|
||||||
file:close()
|
file:close()
|
||||||
list = cjson.decode(str)
|
list = cjson.decode(str)
|
||||||
return list
|
return list
|
||||||
end
|
end
|
||||||
|
|
||||||
local function read_str(var)
|
|
||||||
file = io.open(rulepath..'/'..var,"r")
|
local function select_rules(rules)
|
||||||
if file==nil then
|
if not rules then return {} end
|
||||||
return
|
new_rules = {}
|
||||||
end
|
for i,v in ipairs(rules) do
|
||||||
local str = file:read("*a")
|
if v[1] == 1 then
|
||||||
file:close()
|
print("111")
|
||||||
return str
|
table.insert(new_rules,v[2])
|
||||||
|
end
|
||||||
|
end
|
||||||
|
return new_rules
|
||||||
end
|
end
|
||||||
|
|
||||||
|
local function read_str(var)
|
||||||
|
file = io.open(rulepath..'/'..var,"r")
|
||||||
|
if file==nil then
|
||||||
|
return
|
||||||
|
end
|
||||||
|
local str = file:read("*a")
|
||||||
|
file:close()
|
||||||
|
return str
|
||||||
|
end
|
||||||
|
|
||||||
|
local argsCheckList=select_rules(read_json('args_check'))
|
||||||
|
local postCheckList=select_rules(read_json('post_check'))
|
||||||
|
local cookieBlockList=select_rules(read_json('cookie_block'))
|
||||||
|
local uarules=select_rules(read_json('user_agent'))
|
||||||
|
|
||||||
local urlWhiteList=read_rule('urlWhiteList')
|
local urlWhiteList=read_json('url_white')
|
||||||
local urlBlockList=read_rule('urlBlockList')
|
local urlBlockList=read_json('url_block')
|
||||||
local argsCheckList=read_rule('argsCheckList')
|
local ipWhiteList=read_json('ip_white')
|
||||||
local postCheckList=read_rule('postCheckList')
|
local ipBlockList=read_json('ip_block')
|
||||||
local cookieBlockList=read_rule('cookieBlockList')
|
local fileExtBlockList = read_json('file_ext_block')
|
||||||
local ipWhiteList=read_json('ipWhiteList')
|
|
||||||
local ipBlockList=read_json('ipBlockList')
|
|
||||||
local ccRate=read_str('ccRate')
|
|
||||||
local fileExtBlockList = read_json('fileExtBlockList')
|
|
||||||
|
|
||||||
|
local ccRate=read_str('cc.json')
|
||||||
local html=read_str('html')
|
local html=read_str('html')
|
||||||
local uarules=read_rule('user-agent')
|
|
||||||
|
|
||||||
local function say_html()
|
local function say_html()
|
||||||
if Redirect then
|
if Redirect then
|
||||||
ngx.header.content_type = "text/html"
|
ngx.header.content_type = "text/html"
|
||||||
ngx.status = ngx.HTTP_FORBIDDEN
|
ngx.status = ngx.HTTP_FORBIDDEN
|
||||||
ngx.say(html)
|
ngx.say(html)
|
||||||
ngx.exit(ngx.status)
|
ngx.exit(ngx.status)
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
local function whiteurl()
|
local function whiteurl()
|
||||||
if UrlWhiteAllow then
|
if UrlWhiteAllow then
|
||||||
if urlWhiteList ~=nil then
|
if urlWhiteList ~=nil then
|
||||||
for _,rule in pairs(urlWhiteList) do
|
for _,rule in pairs(urlWhiteList) do
|
||||||
if ngxmatch(ngx.var.uri,rule,"isjo") then
|
if ngxmatch(ngx.var.uri,rule,"isjo") then
|
||||||
return true
|
return true
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
return false
|
return false
|
||||||
end
|
end
|
||||||
local function fileExtCheck(ext)
|
local function fileExtCheck(ext)
|
||||||
if FileExtDeny then
|
if FileExtDeny then
|
||||||
local items = Set(fileExtBlockList)
|
local items = Set(fileExtBlockList)
|
||||||
ext=string.lower(ext)
|
ext=string.lower(ext)
|
||||||
if ext then
|
if ext then
|
||||||
for rule in pairs(items) do
|
for rule in pairs(items) do
|
||||||
if ngx.re.match(ext,rule,"isjo") then
|
if ngx.re.match(ext,rule,"isjo") then
|
||||||
log('POST',ngx.var.request_uri,"-","file attack with ext "..ext)
|
log('POST',ngx.var.request_uri,"-","file attack with ext "..ext)
|
||||||
say_html()
|
say_html()
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
return false
|
return false
|
||||||
end
|
end
|
||||||
function Set (list)
|
function Set (list)
|
||||||
local set = {}
|
local set = {}
|
||||||
for _, l in ipairs(list) do set[l] = true end
|
for _, l in ipairs(list) do set[l] = true end
|
||||||
return set
|
return set
|
||||||
end
|
end
|
||||||
|
|
||||||
local function args()
|
local function args()
|
||||||
if ArgsDeny then
|
if ArgsDeny then
|
||||||
if argsCheckList then
|
if argsCheckList then
|
||||||
for _,rule in pairs(argsCheckList) do
|
for _,rule in pairs(argsCheckList) do
|
||||||
local uriArgs = ngx.req.get_uri_args()
|
local uriArgs = ngx.req.get_uri_args()
|
||||||
for key, val in pairs(uriArgs) do
|
for key, val in pairs(uriArgs) do
|
||||||
if type(val)=='table' then
|
if type(val)=='table' then
|
||||||
local t={}
|
local t={}
|
||||||
for k,v in pairs(val) do
|
for k,v in pairs(val) do
|
||||||
if v == true then
|
if v == true then
|
||||||
v=""
|
v=""
|
||||||
end
|
end
|
||||||
table.insert(t,v)
|
table.insert(t,v)
|
||||||
end
|
end
|
||||||
data=table.concat(t, " ")
|
data=table.concat(t, " ")
|
||||||
else
|
else
|
||||||
data=val
|
data=val
|
||||||
end
|
end
|
||||||
if data and type(data) ~= "boolean" and rule ~="" and ngxmatch(unescape(data),rule,"isjo") then
|
if data and type(data) ~= "boolean" and rule ~="" and ngxmatch(unescape(data),rule,"isjo") then
|
||||||
log('GET',ngx.var.request_uri,"-",rule)
|
log('GET',ngx.var.request_uri,"-",rule)
|
||||||
say_html()
|
say_html()
|
||||||
return true
|
return true
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
return false
|
return false
|
||||||
end
|
end
|
||||||
|
|
||||||
|
|
||||||
local function url()
|
local function url()
|
||||||
if UrlBlockDeny then
|
if UrlBlockDeny then
|
||||||
for _,rule in pairs(urlBlockList) do
|
for _,rule in pairs(urlBlockList) do
|
||||||
if rule ~="" and ngxmatch(ngx.var.request_uri,rule,"isjo") then
|
if rule ~="" and ngxmatch(ngx.var.request_uri,rule,"isjo") then
|
||||||
log('GET',ngx.var.request_uri,"-",rule)
|
log('GET',ngx.var.request_uri,"-",rule)
|
||||||
say_html()
|
say_html()
|
||||||
return true
|
return true
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
return false
|
return false
|
||||||
end
|
end
|
||||||
|
|
||||||
function ua()
|
function ua()
|
||||||
local ua = ngx.var.http_user_agent
|
local ua = ngx.var.http_user_agent
|
||||||
if ua ~= nil then
|
if ua ~= nil then
|
||||||
for _,rule in pairs(uarules) do
|
for _,rule in pairs(uarules) do
|
||||||
if rule ~="" and ngxmatch(ua,rule,"isjo") then
|
if rule ~="" and ngxmatch(ua,rule,"isjo") then
|
||||||
log('UA',ngx.var.request_uri,"-",rule)
|
log('UA',ngx.var.request_uri,"-",rule)
|
||||||
say_html()
|
say_html()
|
||||||
return true
|
return true
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
return false
|
return false
|
||||||
end
|
end
|
||||||
function body(data)
|
function body(data)
|
||||||
for _,rule in pairs(postCheckList) do
|
for _,rule in pairs(postCheckList) do
|
||||||
if rule ~="" and data~="" and ngxmatch(unescape(data),rule,"isjo") then
|
if rule ~="" and data~="" and ngxmatch(unescape(data),rule,"isjo") then
|
||||||
log('POST',ngx.var.request_uri,data,rule)
|
log('POST',ngx.var.request_uri,data,rule)
|
||||||
say_html()
|
say_html()
|
||||||
return true
|
return true
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
return false
|
return false
|
||||||
end
|
end
|
||||||
local function cookie()
|
local function cookie()
|
||||||
local ck = ngx.var.http_cookie
|
local ck = ngx.var.http_cookie
|
||||||
if CookieDeny and ck then
|
if CookieDeny and ck then
|
||||||
for _,rule in pairs(cookieBlockList) do
|
for _,rule in pairs(cookieBlockList) do
|
||||||
if rule ~="" and ngxmatch(ck,rule,"isjo") then
|
if rule ~="" and ngxmatch(ck,rule,"isjo") then
|
||||||
log('Cookie',ngx.var.request_uri,"-",rule)
|
log('Cookie',ngx.var.request_uri,"-",rule)
|
||||||
say_html()
|
say_html()
|
||||||
return true
|
return true
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
return false
|
return false
|
||||||
end
|
end
|
||||||
|
|
||||||
local function denycc()
|
local function denycc()
|
||||||
if CCDeny and ccRate then
|
if CCDeny and ccRate then
|
||||||
local uri=ngx.var.uri
|
local uri=ngx.var.uri
|
||||||
CCcount=tonumber(string.match(ccRate,'(.*)/'))
|
CCcount=tonumber(string.match(ccRate,'(.*)/'))
|
||||||
CCseconds=tonumber(string.match(ccRate,'/(.*)'))
|
CCseconds=tonumber(string.match(ccRate,'/(.*)'))
|
||||||
local uri = getClientIp()..uri
|
local uri = getClientIp()..uri
|
||||||
local limit = ngx.shared.limit
|
local limit = ngx.shared.limit
|
||||||
local req,_=limit:get(uri)
|
local req,_=limit:get(uri)
|
||||||
if req then
|
if req then
|
||||||
if req > CCcount then
|
if req > CCcount then
|
||||||
ngx.exit(503)
|
ngx.exit(503)
|
||||||
return true
|
return true
|
||||||
else
|
else
|
||||||
limit:incr(token,1)
|
limit:incr(token,1)
|
||||||
end
|
end
|
||||||
else
|
else
|
||||||
limit:set(uri,1,CCseconds)
|
limit:set(uri,1,CCseconds)
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
return false
|
return false
|
||||||
end
|
end
|
||||||
|
|
||||||
local function get_boundary()
|
local function get_boundary()
|
||||||
local header = get_headers()["content-type"]
|
local header = get_headers()["content-type"]
|
||||||
if not header then
|
if not header then
|
||||||
return nil
|
return nil
|
||||||
end
|
end
|
||||||
|
|
||||||
if type(header) == "table" then
|
if type(header) == "table" then
|
||||||
header = header[1]
|
header = header[1]
|
||||||
end
|
end
|
||||||
|
|
||||||
local m = match(header, ";%s*boundary=\"([^\"]+)\"")
|
local m = match(header, ";%s*boundary=\"([^\"]+)\"")
|
||||||
if m then
|
if m then
|
||||||
return m
|
return m
|
||||||
end
|
end
|
||||||
|
|
||||||
return match(header, ";%s*boundary=([^\",;]+)")
|
return match(header, ";%s*boundary=([^\",;]+)")
|
||||||
end
|
end
|
||||||
|
|
||||||
local function whiteip()
|
local function whiteip()
|
||||||
if IpWhiteAllow then
|
if IpWhiteAllow then
|
||||||
if next(ipWhiteList) ~= nil then
|
if next(ipWhiteList) ~= nil then
|
||||||
for _,ip in pairs(ipWhiteList) do
|
for _,ip in pairs(ipWhiteList) do
|
||||||
if getClientIp()==ip then
|
if getClientIp()==ip then
|
||||||
return true
|
return true
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
return false
|
return false
|
||||||
end
|
end
|
||||||
|
|
||||||
local function blockip()
|
local function blockip()
|
||||||
if IpBlockDeny then
|
if IpBlockDeny then
|
||||||
if next(ipBlockList) ~= nil then
|
if next(ipBlockList) ~= nil then
|
||||||
for _,ip in pairs(ipBlockList) do
|
for _,ip in pairs(ipBlockList) do
|
||||||
if getClientIp()==ip then
|
if getClientIp()==ip then
|
||||||
ngx.exit(403)
|
ngx.exit(403)
|
||||||
return true
|
return true
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
return false
|
return false
|
||||||
end
|
end
|
||||||
|
|
||||||
|
|
||||||
@ -311,73 +335,73 @@ elseif args() then
|
|||||||
elseif cookie() then
|
elseif cookie() then
|
||||||
elseif PostDeny then
|
elseif PostDeny then
|
||||||
if method=="POST" then
|
if method=="POST" then
|
||||||
local boundary = get_boundary()
|
local boundary = get_boundary()
|
||||||
if boundary then
|
if boundary then
|
||||||
local len = string.len
|
local len = string.len
|
||||||
local sock, err = ngx.req.socket()
|
local sock, err = ngx.req.socket()
|
||||||
if not sock then
|
if not sock then
|
||||||
return
|
return
|
||||||
end
|
end
|
||||||
ngx.req.init_body(128 * 1024)
|
ngx.req.init_body(128 * 1024)
|
||||||
sock:settimeout(0)
|
sock:settimeout(0)
|
||||||
local content_length = nil
|
local content_length = nil
|
||||||
content_length=tonumber(ngx.req.get_headers()['content-length'])
|
content_length=tonumber(ngx.req.get_headers()['content-length'])
|
||||||
local chunk_size = 4096
|
local chunk_size = 4096
|
||||||
if content_length < chunk_size then
|
if content_length < chunk_size then
|
||||||
chunk_size = content_length
|
chunk_size = content_length
|
||||||
end
|
end
|
||||||
local size = 0
|
local size = 0
|
||||||
while size < content_length do
|
while size < content_length do
|
||||||
local data, err, partial = sock:receive(chunk_size)
|
local data, err, partial = sock:receive(chunk_size)
|
||||||
data = data or partial
|
data = data or partial
|
||||||
if not data then
|
if not data then
|
||||||
return
|
return
|
||||||
end
|
end
|
||||||
ngx.req.append_body(data)
|
ngx.req.append_body(data)
|
||||||
if body(data) then
|
if body(data) then
|
||||||
return true
|
return true
|
||||||
end
|
end
|
||||||
size = size + len(data)
|
size = size + len(data)
|
||||||
local m = ngxmatch(data,[[Content-Disposition: form-data;(.+)filename="(.+)\\.(.*)"]],'ijo')
|
local m = ngxmatch(data,[[Content-Disposition: form-data;(.+)filename="(.+)\\.(.*)"]],'ijo')
|
||||||
if m then
|
if m then
|
||||||
fileExtCheck(m[3])
|
fileExtCheck(m[3])
|
||||||
filetranslate = true
|
filetranslate = true
|
||||||
else
|
else
|
||||||
if ngxmatch(data,"Content-Disposition:",'isjo') then
|
if ngxmatch(data,"Content-Disposition:",'isjo') then
|
||||||
filetranslate = false
|
filetranslate = false
|
||||||
end
|
end
|
||||||
if filetranslate==false then
|
if filetranslate==false then
|
||||||
if body(data) then
|
if body(data) then
|
||||||
return true
|
return true
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
local less = content_length - size
|
local less = content_length - size
|
||||||
if less < chunk_size then
|
if less < chunk_size then
|
||||||
chunk_size = less
|
chunk_size = less
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
ngx.req.finish_body()
|
ngx.req.finish_body()
|
||||||
else
|
else
|
||||||
ngx.req.read_body()
|
ngx.req.read_body()
|
||||||
local args = ngx.req.get_post_args()
|
local args = ngx.req.get_post_args()
|
||||||
if not args then
|
if not args then
|
||||||
return
|
return
|
||||||
end
|
end
|
||||||
for key, val in pairs(args) do
|
for key, val in pairs(args) do
|
||||||
if type(val) == "table" then
|
if type(val) == "table" then
|
||||||
if type(val[1]) == "boolean" then
|
if type(val[1]) == "boolean" then
|
||||||
return
|
return
|
||||||
end
|
end
|
||||||
data=table.concat(val, ", ")
|
data=table.concat(val, ", ")
|
||||||
else
|
else
|
||||||
data=val
|
data=val
|
||||||
end
|
end
|
||||||
if data and type(data) ~= "boolean" and body(data) then
|
if data and type(data) ~= "boolean" and body(data) then
|
||||||
body(key)
|
body(key)
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
else
|
else
|
||||||
return
|
return
|
||||||
|
@ -1,22 +0,0 @@
|
|||||||
\.\./
|
|
||||||
\:\$
|
|
||||||
\$\{
|
|
||||||
select.+(from|limit)
|
|
||||||
(?:(union(.*?)select))
|
|
||||||
having|rongjitest
|
|
||||||
sleep\((\s*)(\d*)(\s*)\)
|
|
||||||
benchmark\((.*)\,(.*)\)
|
|
||||||
base64_decode\(
|
|
||||||
(?:from\W+information_schema\W)
|
|
||||||
(?:(?:current_)user|database|schema|connection_id)\s*\(
|
|
||||||
(?:etc\/\W*passwd)
|
|
||||||
into(\s+)+(?:dump|out)file\s*
|
|
||||||
group\s+by.+\(
|
|
||||||
xwork.MethodAccessor
|
|
||||||
(?:define|eval|file_get_contents|include|require|require_once|shell_exec|phpinfo|system|passthru|preg_\w+|execute|echo|print|print_r|var_dump|(fp)open|alert|showmodaldialog)\(
|
|
||||||
xwork\.MethodAccessor
|
|
||||||
(gopher|doc|php|glob|file|phar|zlib|ftp|ldap|dict|ogg|data)\:\/
|
|
||||||
java\.lang
|
|
||||||
\$_(GET|post|cookie|files|session|env|phplib|GLOBALS|SERVER)\[
|
|
||||||
\<(iframe|script|body|img|layer|div|meta|style|base|object|input)
|
|
||||||
(onmouseover|onerror|onload)\=
|
|
@ -0,0 +1,26 @@
|
|||||||
|
[
|
||||||
|
["\\.\\./\\.\\./", "\u76ee\u5f55\u4fdd\u62a41", 1 ],
|
||||||
|
["(?:etc\\/\\W*passwd)", "\u76ee\u5f55\u4fdd\u62a43", 1 ],
|
||||||
|
["(gopher|doc|php|glob|^file|phar|zlib|ftp|ldap|dict|ogg|data)\\:\\/", "PHP\u6d41\u534f\u8bae\u8fc7\u6ee41", 1 ],
|
||||||
|
["base64_decode\\(", "\u4e00\u53e5\u8bdd\u6728\u9a6c\u8fc7\u6ee43", 1],
|
||||||
|
["(?:define|eval|file_get_contents|include|require|require_once|shell_exec|phpinfo|system|passthru|char|chr|preg_\\w+|execute|echo|print|print_r|var_dump|(fp)open|alert|showmodaldialog)\\(", "\u4e00\u53e5\u8bdd\u6728\u9a6c\u8fc7\u6ee44", 1 ],
|
||||||
|
["\\$_(GET|post|cookie|files|session|env|phplib|GLOBALS|SERVER)\\[", "\u4e00\u53e5\u8bdd\u6728\u9a6c\u8fc7\u6ee45", 1],
|
||||||
|
["select.+(from|limit)", "SQL\u6ce8\u5165\u8fc7\u6ee42", 1 ],
|
||||||
|
["(?:(union(.*?)select))", "SQL\u6ce8\u5165\u8fc7\u6ee43", 1 ],
|
||||||
|
["benchmark\\((.*)\\,(.*)\\)", "SQL\u6ce8\u5165\u8fc7\u6ee46", 1],
|
||||||
|
["(?:from\\W+information_schema\\W)", "SQL\u6ce8\u5165\u8fc7\u6ee47", 1],
|
||||||
|
["(?:(?:current_)user|database|concat|extractvalue|polygon|updatexml|geometrycollection|schema|multipoint|multipolygon|connection_id|linestring|multilinestring|exp|right|sleep|group_concat|load_file|benchmark|file_put_contents|urldecode|system|file_get_contents|select|substring|substr|fopen|popen|phpinfo|user|alert|scandir|shell_exec|eval|execute|concat_ws|strcmp|right)\\s*\\(", "SQL\u6ce8\u5165\u8fc7\u6ee48", 1 ],
|
||||||
|
["\\<(iframe|script|body|img|layer|div|meta|style|base|object)", "XSS\u8fc7\u6ee41", 1],
|
||||||
|
["(invokefunction|call_user_func_array|\\\\think\\\\)", "ThinkPHP payload\u5c01\u5835", 1 ],
|
||||||
|
["^url_array\\[.*\\]$", "Metinfo6.x XSS\u6f0f\u6d1e", 1],
|
||||||
|
["(extractvalue\\(|concat\\(0x|user\\(\\)|substring\\(|count\\(\\*\\)|substring\\(hex\\(|updatexml\\()", "SQL\u62a5\u9519\u6ce8\u5165\u8fc7\u6ee401", 1],
|
||||||
|
["(@@version|load_file\\(|NAME_CONST\\(|exp\\(\\~|floor\\(rand\\(|geometrycollection\\(|multipoint\\(|polygon\\(|multipolygon\\(|linestring\\(|multilinestring\\()", "SQL\u62a5\u9519\u6ce8\u5165\u8fc7\u6ee402", 1],
|
||||||
|
["(ORD\\(|MID\\(|IFNULL\\(|CAST\\(|CHAR\\()", "SQL\u6ce8\u5165\u8fc7\u6ee41", 1],
|
||||||
|
["(EXISTS\\(|SELECT\\#|\\(SELECT)", "SQL\u6ce8\u5165\u8fc7\u6ee41", 1],
|
||||||
|
["(bin\\(|ascii\\(|benchmark\\(|concat_ws\\(|group_concat\\(|strcmp\\(|left\\(|datadir\\(|greatest\\()", "SQL\u62a5\u9519\u6ce8\u5165\u8fc7\u6ee401", 1],
|
||||||
|
["(?:from.+?information_schema.+?)", "", 1],
|
||||||
|
["(array_map\\(\"ass)", "\u83dc\u5200\u6d41\u91cf\u8fc7\u6ee4", 1],
|
||||||
|
["'$", "test", 1],
|
||||||
|
["\\${jndi:", "log4j2\u62e6\u622a", 1 ],
|
||||||
|
["terrewrewrwr", "", 1]
|
||||||
|
]
|
@ -1,20 +0,0 @@
|
|||||||
\.\./
|
|
||||||
\:\$
|
|
||||||
\$\{
|
|
||||||
select.+(from|limit)
|
|
||||||
(?:(union(.*?)select))
|
|
||||||
having|rongjitest
|
|
||||||
sleep\((\s*)(\d*)(\s*)\)
|
|
||||||
benchmark\((.*)\,(.*)\)
|
|
||||||
base64_decode\(
|
|
||||||
(?:from\W+information_schema\W)
|
|
||||||
(?:(?:current_)user|database|schema|connection_id)\s*\(
|
|
||||||
(?:etc\/\W*passwd)
|
|
||||||
into(\s+)+(?:dump|out)file\s*
|
|
||||||
group\s+by.+\(
|
|
||||||
xwork.MethodAccessor
|
|
||||||
(?:define|eval|file_get_contents|include|require|require_once|shell_exec|phpinfo|system|passthru|preg_\w+|execute|echo|print|print_r|var_dump|(fp)open|alert|showmodaldialog)\(
|
|
||||||
xwork\.MethodAccessor
|
|
||||||
(gopher|doc|php|glob|file|phar|zlib|ftp|ldap|dict|ogg|data)\:\/
|
|
||||||
java\.lang
|
|
||||||
\$_(GET|post|cookie|files|session|env|phplib|GLOBALS|SERVER)\[
|
|
@ -0,0 +1,12 @@
|
|||||||
|
[
|
||||||
|
["base64_decode\\(","一句话木马过滤3",1],
|
||||||
|
["\\$_(GET|post|cookie|files|session|env|phplib|GLOBALS|SERVER)\\[","一句话木马过滤5",1],
|
||||||
|
["select.+(from|limit)","SQL注入过滤2",1],
|
||||||
|
["(?:(union(.*?)select))","SQL注入过滤3",1],
|
||||||
|
["sleep\\((\\s*)(\\d*)(\\s*)\\)","SQL注入过滤5",1],
|
||||||
|
["benchmark\\((.*)\\,(.*)\\)","SQL注入过滤6",1],
|
||||||
|
["(?:from\\W+information_schema\\W)","SQL注入过滤7",1],
|
||||||
|
["(?:(?:current_)user|database|schema|connection_id)\\s*\\(","SQL注入过滤8",1],
|
||||||
|
["into(\\s+)+(?:dump|out)file\\s*","SQL注入过滤9",1],
|
||||||
|
["group\\s+by.+\\(","SQL注入过滤10",1]
|
||||||
|
]
|
@ -0,0 +1 @@
|
|||||||
|
["1.1.1.1"]
|
@ -1,19 +0,0 @@
|
|||||||
select.+(from|limit)
|
|
||||||
(?:(union(.*?)select))
|
|
||||||
having|rongjitest
|
|
||||||
sleep\((\s*)(\d*)(\s*)\)
|
|
||||||
benchmark\((.*)\,(.*)\)
|
|
||||||
base64_decode\(
|
|
||||||
(?:from\W+information_schema\W)
|
|
||||||
(?:(?:current_)user|database|schema|connection_id)\s*\(
|
|
||||||
(?:etc\/\W*passwd)
|
|
||||||
into(\s+)+(?:dump|out)file\s*
|
|
||||||
group\s+by.+\(
|
|
||||||
xwork.MethodAccessor
|
|
||||||
(?:define|eval|file_get_contents|include|require|require_once|shell_exec|phpinfo|system|passthru|preg_\w+|execute|echo|print|print_r|var_dump|(fp)open|alert|showmodaldialog)\(
|
|
||||||
xwork\.MethodAccessor
|
|
||||||
(gopher|doc|php|glob|file|phar|zlib|ftp|ldap|dict|ogg|data)\:\/
|
|
||||||
java\.lang
|
|
||||||
\$_(GET|post|cookie|files|session|env|phplib|GLOBALS|SERVER)\[
|
|
||||||
\<(iframe|script|body|img|layer|div|meta|style|base|object|input)
|
|
||||||
(onmouseover|onerror|onload)\=
|
|
@ -0,0 +1,22 @@
|
|||||||
|
[
|
||||||
|
["\\.\\./\\.\\./", "\u76ee\u5f55\u4fdd\u62a41", 1],
|
||||||
|
["(?:etc\\/\\W*passwd)", "\u76ee\u5f55\u4fdd\u62a43", 1],
|
||||||
|
["(gopher|doc|php|glob|^file|phar|zlib|ftp|ldap|dict|ogg|data)\\:\\/", "PHP\u6d41\u534f\u8bae\u8fc7\u6ee41", 1],
|
||||||
|
["base64_decode\\(", "\u4e00\u53e5\u8bdd*\u5c4f\u853d\u7684\u5173\u952e\u5b57*\u8fc7\u6ee41", 1],
|
||||||
|
["(?:define|eval|file_get_contents|include|require_once|shell_exec|phpinfo|system|passthru|chr|char|preg_\\w+|execute|echo|print|print_r|var_dump|(fp)open|alert|showmodaldialog|file_put_contents|fopen|urldecode|scandir)\\(", "\u4e00\u53e5\u8bdd*\u5c4f\u853d\u7684\u5173\u952e\u5b57*\u8fc7\u6ee42", 1],
|
||||||
|
["\\$_(GET|post|cookie|files|session|env|phplib|GLOBALS|SERVER)", "\u4e00\u53e5\u8bdd*\u5c4f\u853d\u7684\u5173\u952e\u5b57*\u8fc7\u6ee43", 1],
|
||||||
|
["select.+(from|limit)", "SQL\u6ce8\u5165\u8fc7\u6ee42",1],
|
||||||
|
["(?:(union(.*?)select))", "SQL\u6ce8\u5165\u8fc7\u6ee43",1],
|
||||||
|
["benchmark\\((.*)\\,(.*)\\)", "SQL\u6ce8\u5165\u8fc7\u6ee46", 1],
|
||||||
|
["(?:from\\W+information_schema\\W)", "SQL\u6ce8\u5165\u8fc7\u6ee47", 1],
|
||||||
|
["(?:(?:current_)user|database|concat|extractvalue|polygon|updatexml|geometrycollection|schema|multipoint|multipolygon|connection_id|linestring|multilinestring|exp|right|sleep|group_concat|load_file|benchmark|file_put_contents|urldecode|system|file_get_contents|select|substring|substr|fopen|popen|phpinfo|user|alert|scandir|shell_exec|eval|execute|concat_ws|strcmp|right)\\s*\\(", "SQL\u6ce8\u5165\u8fc7\u6ee48",1],
|
||||||
|
["(extractvalue\\(|concat\\(|user\\(\\)|substring\\(|count\\(\\*\\)|substring\\(hex\\(|updatexml\\()", "SQL\u62a5\u9519\u6ce8\u5165\u8fc7\u6ee401", 1],
|
||||||
|
["(@@version|load_file\\(|NAME_CONST\\(|exp\\(\\~|floor\\(rand\\(|geometrycollection\\(|multipoint\\(|polygon\\(|multipolygon\\(|linestring\\(|multilinestring\\(|right\\()", "SQL\u62a5\u9519\u6ce8\u5165\u8fc7\u6ee402", 1],
|
||||||
|
["(substr\\()", "SQL\u6ce8\u5165\u8fc7\u6ee410", 1],
|
||||||
|
["(ORD\\(|MID\\(|IFNULL\\(|CAST\\(|CHAR\\()", "SQL\u6ce8\u5165\u8fc7\u6ee41", 1],
|
||||||
|
["(EXISTS\\(|SELECT\\#|\\(SELECT|select\\()", "SQL\u6ce8\u5165\u8fc7\u6ee41", 1],
|
||||||
|
["(array_map\\(\"ass)", "\u83dc\u5200\u6d41\u91cf\u8fc7\u6ee4", 1],
|
||||||
|
["(bin\\(|ascii\\(|benchmark\\(|concat_ws\\(|group_concat\\(|strcmp\\(|left\\(|datadir\\(|greatest\\()", "SQL\u62a5\u9519\u6ce8\u5165\u8fc7\u6ee401", 1],
|
||||||
|
["(?:from.+?information_schema.+?)", "", 1],
|
||||||
|
["\\${jndi:", "log4j2\u62e6\u622a", 1]
|
||||||
|
]
|
@ -1,6 +0,0 @@
|
|||||||
\.(svn|htaccess|bash_history)
|
|
||||||
\.(bak|inc|old|mdb|sql|backup|java|class)$
|
|
||||||
(vhost|bbs|host|wwwroot|www|site|root|hytop|flashfxp).*\.rar
|
|
||||||
(phpmyadmin|jmx-console|jmxinvokerservlet)
|
|
||||||
java\.lang
|
|
||||||
/(attachments|upimg|images|css|uploadfiles|html|uploads|templets|static|template|data|inc|forumdata|upload|includes|cache|avatar)/(\\w+).(php|jsp)
|
|
@ -1 +0,0 @@
|
|||||||
^/123/$
|
|
@ -0,0 +1 @@
|
|||||||
|
[]
|
@ -1 +0,0 @@
|
|||||||
(HTTrack|harvest|audit|dirbuster|pangolin|nmap|sqln|-scan|hydra|Parser|libwww|BBBike|sqlmap|w3af|owasp|Nikto|fimap|havij|PycURL|zmeu|BabyKrokodil|netsparker|httperf|bench| SF/)
|
|
@ -0,0 +1,17 @@
|
|||||||
|
[
|
||||||
|
["(WPScan|HTTrack|antSword|harvest|audit|dirbuster|pangolin|nmap|sqln|hydra|Parser|libwww|BBBike|sqlmap|w3af|owasp|Nikto|fimap|havij|zmeu|BabyKrokodil|netsparker|httperf| SF/)", "\u5173\u952e\u8bcd\u8fc7\u6ee41", 1],
|
||||||
|
["(?:define|eval|file_get_contents|include|require_once|shell_exec|phpinfo|system|passthru|chr|char|preg_\\w+|execute|echo|print|print_r|var_dump|(fp)open|alert|showmodaldialog|file_put_contents|fopen|urldecode|scandir)\\(", "\u4e00\u53e5\u8bdd*\u5c4f\u853d\u7684\u5173\u952e\u5b57*\u8fc7\u6ee42", 1],
|
||||||
|
["\\$_(GET|post|cookie|files|session|env|phplib|GLOBALS|SERVER)", "\u4e00\u53e5\u8bdd*\u5c4f\u853d\u7684\u5173\u952e\u5b57*\u8fc7\u6ee43", 1],
|
||||||
|
["select\\s+.+(from|limit)\\s+", "SQL\u6ce8\u5165\u8fc7\u6ee42", 1],
|
||||||
|
["(?:(union(.*?)select))", "SQL\u6ce8\u5165\u8fc7\u6ee43", 1],
|
||||||
|
["benchmark\\((.*)\\,(.*)\\)", "SQL\u6ce8\u5165\u8fc7\u6ee46", 1],
|
||||||
|
["(?:from\\W+information_schema\\W)", "SQL\u6ce8\u5165\u8fc7\u6ee47", 1],
|
||||||
|
["(?:(?:current_)user|database|schema|connection_id)\\s*\\(", "SQL\u6ce8\u5165\u8fc7\u6ee48", 1],
|
||||||
|
["(extractvalue\\(|concat\\(0x|user\\(\\)|substring\\(|count\\(\\*\\)|substring\\(hex\\(|updatexml\\()", "SQL\u62a5\u9519\u6ce8\u5165\u8fc7\u6ee401", 1],
|
||||||
|
["(@@version|load_file\\(|NAME_CONST\\(|exp\\(\\~|floor\\(rand\\(|geometrycollection\\(|multipoint\\(|polygon\\(|multipolygon\\(|linestring\\(|multilinestring\\()", "SQL\u62a5\u9519\u6ce8\u5165\u8fc7\u6ee402", 1],
|
||||||
|
["(substr\\()", "SQL\u6ce8\u5165\u8fc7\u6ee410", 1],
|
||||||
|
["(ORD\\(|MID\\(|IFNULL\\(|CAST\\(|CHAR\\))", "SQL\u6ce8\u5165\u8fc7\u6ee41", 1],
|
||||||
|
["(EXISTS\\(|SELECT\\#|\\(SELECT)", "SQL\u6ce8\u5165\u8fc7\u6ee41", 1],
|
||||||
|
["(array_map\\(\"ass)", "\u83dc\u5200\u6d41\u91cf\u8fc7\u6ee4", 1],
|
||||||
|
["(bin\\(|ascii\\(|benchmark\\(|concat_ws\\(|group_concat\\(|strcmp\\(|left\\(|datadir\\(|greatest\\()", "SQL\u62a5\u9519\u6ce8\u5165\u8fc7\u6ee401", 1]
|
||||||
|
]
|
35
apps/nginx/versions/1.21.4/www/common/waf/test.lua
Normal file
35
apps/nginx/versions/1.21.4/www/common/waf/test.lua
Normal file
@ -0,0 +1,35 @@
|
|||||||
|
local cjson = require "cjson"
|
||||||
|
local rulepath = "rules"
|
||||||
|
|
||||||
|
local function read_json(var)
|
||||||
|
file = io.open(rulepath..'/'..var .. '.json',"r")
|
||||||
|
if file==nil then
|
||||||
|
return
|
||||||
|
end
|
||||||
|
str = file:read("*a")
|
||||||
|
file:close()
|
||||||
|
list = cjson.decode(str)
|
||||||
|
return list
|
||||||
|
end
|
||||||
|
|
||||||
|
|
||||||
|
local function select_rules(rules)
|
||||||
|
if not rules then return {} end
|
||||||
|
new_rules = {}
|
||||||
|
for i,v in ipairs(rules) do
|
||||||
|
if v[1] == 1 then
|
||||||
|
print("111")
|
||||||
|
table.insert(new_rules,v[2])
|
||||||
|
end
|
||||||
|
end
|
||||||
|
return new_rules
|
||||||
|
end
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
local rules = select_rules(read_json('user_agent'))
|
||||||
|
|
||||||
|
for _,v in ipairs(rules) do
|
||||||
|
print(v)
|
||||||
|
end
|
||||||
|
|
@ -1,12 +1,3 @@
|
|||||||
# Redis configuration rewrite by 1Panel
|
|
||||||
timeout 0
|
|
||||||
# maxclients 10000
|
|
||||||
# maxmemory <bytes>
|
|
||||||
save 3600 1 300 100 60 10000
|
|
||||||
appendonly no
|
|
||||||
appendfsync everysec
|
|
||||||
# End Redis configuration rewrite by 1Panel
|
|
||||||
|
|
||||||
# Redis configuration file example.
|
# Redis configuration file example.
|
||||||
#
|
#
|
||||||
# Note that in order to read the configuration file, Redis must be
|
# Note that in order to read the configuration file, Redis must be
|
||||||
@ -41,17 +32,8 @@ appendfsync everysec
|
|||||||
# If instead you are interested in using includes to override configuration
|
# If instead you are interested in using includes to override configuration
|
||||||
# options, it is better to use include as the last line.
|
# options, it is better to use include as the last line.
|
||||||
#
|
#
|
||||||
# Included paths may contain wildcards. All files matching the wildcards will
|
|
||||||
# be included in alphabetical order.
|
|
||||||
# Note that if an include path contains a wildcards but no files match it when
|
|
||||||
# the server is started, the include statement will be ignored and no error will
|
|
||||||
# be emitted. It is safe, therefore, to include wildcard files from empty
|
|
||||||
# directories.
|
|
||||||
#
|
|
||||||
# include /path/to/local.conf
|
# include /path/to/local.conf
|
||||||
# include /path/to/other.conf
|
# include /path/to/other.conf
|
||||||
# include /path/to/fragments/*.conf
|
|
||||||
#
|
|
||||||
|
|
||||||
################################## MODULES #####################################
|
################################## MODULES #####################################
|
||||||
|
|
||||||
@ -67,80 +49,42 @@ appendfsync everysec
|
|||||||
# for connections from all available network interfaces on the host machine.
|
# for connections from all available network interfaces on the host machine.
|
||||||
# It is possible to listen to just one or multiple selected interfaces using
|
# It is possible to listen to just one or multiple selected interfaces using
|
||||||
# the "bind" configuration directive, followed by one or more IP addresses.
|
# the "bind" configuration directive, followed by one or more IP addresses.
|
||||||
# Each address can be prefixed by "-", which means that redis will not fail to
|
|
||||||
# start if the address is not available. Being not available only refers to
|
|
||||||
# addresses that does not correspond to any network interface. Addresses that
|
|
||||||
# are already in use will always fail, and unsupported protocols will always BE
|
|
||||||
# silently skipped.
|
|
||||||
#
|
#
|
||||||
# Examples:
|
# Examples:
|
||||||
#
|
#
|
||||||
# bind 192.168.1.100 10.0.0.1 # listens on two specific IPv4 addresses
|
# bind 192.168.1.100 10.0.0.1
|
||||||
# bind 127.0.0.1 ::1 # listens on loopback IPv4 and IPv6
|
# bind 127.0.0.1 ::1
|
||||||
# bind * -::* # like the default, all available interfaces
|
|
||||||
#
|
#
|
||||||
# ~~~ WARNING ~~~ If the computer running Redis is directly exposed to the
|
# ~~~ WARNING ~~~ If the computer running Redis is directly exposed to the
|
||||||
# internet, binding to all the interfaces is dangerous and will expose the
|
# internet, binding to all the interfaces is dangerous and will expose the
|
||||||
# instance to everybody on the internet. So by default we uncomment the
|
# instance to everybody on the internet. So by default we uncomment the
|
||||||
# following bind directive, that will force Redis to listen only on the
|
# following bind directive, that will force Redis to listen only on the
|
||||||
# IPv4 and IPv6 (if available) loopback interface addresses (this means Redis
|
# IPv4 loopback interface address (this means Redis will only be able to
|
||||||
# will only be able to accept client connections from the same host that it is
|
# accept client connections from the same host that it is running on).
|
||||||
# running on).
|
|
||||||
#
|
#
|
||||||
# IF YOU ARE SURE YOU WANT YOUR INSTANCE TO LISTEN TO ALL THE INTERFACES
|
# IF YOU ARE SURE YOU WANT YOUR INSTANCE TO LISTEN TO ALL THE INTERFACES
|
||||||
# COMMENT OUT THE FOLLOWING LINE.
|
# JUST COMMENT OUT THE FOLLOWING LINE.
|
||||||
#
|
|
||||||
# You will also need to set a password unless you explicitly disable protected
|
|
||||||
# mode.
|
|
||||||
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||||
# bind 127.0.0.1 -::1
|
bind 0.0.0.0
|
||||||
|
|
||||||
# By default, outgoing connections (from replica to master, from Sentinel to
|
|
||||||
# instances, cluster bus, etc.) are not bound to a specific local address. In
|
|
||||||
# most cases, this means the operating system will handle that based on routing
|
|
||||||
# and the interface through which the connection goes out.
|
|
||||||
#
|
|
||||||
# Using bind-source-addr it is possible to configure a specific address to bind
|
|
||||||
# to, which may also affect how the connection gets routed.
|
|
||||||
#
|
|
||||||
# Example:
|
|
||||||
#
|
|
||||||
# bind-source-addr 10.0.0.1
|
|
||||||
|
|
||||||
# Protected mode is a layer of security protection, in order to avoid that
|
# Protected mode is a layer of security protection, in order to avoid that
|
||||||
# Redis instances left open on the internet are accessed and exploited.
|
# Redis instances left open on the internet are accessed and exploited.
|
||||||
#
|
#
|
||||||
# When protected mode is on and the default user has no password, the server
|
# When protected mode is on and if:
|
||||||
# only accepts local connections from the IPv4 address (127.0.0.1), IPv6 address
|
#
|
||||||
# (::1) or Unix domain sockets.
|
# 1) The server is not binding explicitly to a set of addresses using the
|
||||||
|
# "bind" directive.
|
||||||
|
# 2) No password is configured.
|
||||||
|
#
|
||||||
|
# The server only accepts connections from clients connecting from the
|
||||||
|
# IPv4 and IPv6 loopback addresses 127.0.0.1 and ::1, and from Unix domain
|
||||||
|
# sockets.
|
||||||
#
|
#
|
||||||
# By default protected mode is enabled. You should disable it only if
|
# By default protected mode is enabled. You should disable it only if
|
||||||
# you are sure you want clients from other hosts to connect to Redis
|
# you are sure you want clients from other hosts to connect to Redis
|
||||||
# even if no authentication is configured.
|
# even if no authentication is configured, nor a specific set of interfaces
|
||||||
protected-mode no
|
# are explicitly listed using the "bind" directive.
|
||||||
|
protected-mode yes
|
||||||
# Redis uses default hardened security configuration directives to reduce the
|
|
||||||
# attack surface on innocent users. Therefore, several sensitive configuration
|
|
||||||
# directives are immutable, and some potentially-dangerous commands are blocked.
|
|
||||||
#
|
|
||||||
# Configuration directives that control files that Redis writes to (e.g., 'dir'
|
|
||||||
# and 'dbfilename') and that aren't usually modified during runtime
|
|
||||||
# are protected by making them immutable.
|
|
||||||
#
|
|
||||||
# Commands that can increase the attack surface of Redis and that aren't usually
|
|
||||||
# called by users are blocked by default.
|
|
||||||
#
|
|
||||||
# These can be exposed to either all connections or just local ones by setting
|
|
||||||
# each of the configs listed below to either of these values:
|
|
||||||
#
|
|
||||||
# no - Block for any connection (remain immutable)
|
|
||||||
# yes - Allow for any connection (no protection)
|
|
||||||
# local - Allow only for local connections. Ones originating from the
|
|
||||||
# IPv4 address (127.0.0.1), IPv6 address (::1) or Unix domain sockets.
|
|
||||||
#
|
|
||||||
# enable-protected-configs no
|
|
||||||
# enable-debug-command no
|
|
||||||
# enable-module-command no
|
|
||||||
|
|
||||||
# Accept connections on the specified port, default is 6379 (IANA #815344).
|
# Accept connections on the specified port, default is 6379 (IANA #815344).
|
||||||
# If port 0 is specified Redis will not listen on a TCP socket.
|
# If port 0 is specified Redis will not listen on a TCP socket.
|
||||||
@ -161,11 +105,11 @@ tcp-backlog 511
|
|||||||
# incoming connections. There is no default, so Redis will not listen
|
# incoming connections. There is no default, so Redis will not listen
|
||||||
# on a unix socket when not specified.
|
# on a unix socket when not specified.
|
||||||
#
|
#
|
||||||
# unixsocket /run/redis.sock
|
# unixsocket /tmp/redis.sock
|
||||||
# unixsocketperm 700
|
# unixsocketperm 700
|
||||||
|
|
||||||
# Close the connection after a client is idle for N seconds (0 to disable)
|
# Close the connection after a client is idle for N seconds (0 to disable)
|
||||||
# timeout 0
|
timeout 0
|
||||||
|
|
||||||
# TCP keepalive.
|
# TCP keepalive.
|
||||||
#
|
#
|
||||||
@ -184,16 +128,6 @@ tcp-backlog 511
|
|||||||
# Redis default starting with Redis 3.2.1.
|
# Redis default starting with Redis 3.2.1.
|
||||||
tcp-keepalive 300
|
tcp-keepalive 300
|
||||||
|
|
||||||
# Apply OS-specific mechanism to mark the listening socket with the specified
|
|
||||||
# ID, to support advanced routing and filtering capabilities.
|
|
||||||
#
|
|
||||||
# On Linux, the ID represents a connection mark.
|
|
||||||
# On FreeBSD, the ID represents a socket cookie ID.
|
|
||||||
# On OpenBSD, the ID represents a route table ID.
|
|
||||||
#
|
|
||||||
# The default value is 0, which implies no marking is required.
|
|
||||||
# socket-mark-id 0
|
|
||||||
|
|
||||||
################################# TLS/SSL #####################################
|
################################# TLS/SSL #####################################
|
||||||
|
|
||||||
# By default, TLS/SSL is disabled. To enable it, the "tls-port" configuration
|
# By default, TLS/SSL is disabled. To enable it, the "tls-port" configuration
|
||||||
@ -209,32 +143,8 @@ tcp-keepalive 300
|
|||||||
#
|
#
|
||||||
# tls-cert-file redis.crt
|
# tls-cert-file redis.crt
|
||||||
# tls-key-file redis.key
|
# tls-key-file redis.key
|
||||||
#
|
|
||||||
# If the key file is encrypted using a passphrase, it can be included here
|
|
||||||
# as well.
|
|
||||||
#
|
|
||||||
# tls-key-file-pass secret
|
|
||||||
|
|
||||||
# Normally Redis uses the same certificate for both server functions (accepting
|
# Configure a DH parameters file to enable Diffie-Hellman (DH) key exchange:
|
||||||
# connections) and client functions (replicating from a master, establishing
|
|
||||||
# cluster bus connections, etc.).
|
|
||||||
#
|
|
||||||
# Sometimes certificates are issued with attributes that designate them as
|
|
||||||
# client-only or server-only certificates. In that case it may be desired to use
|
|
||||||
# different certificates for incoming (server) and outgoing (client)
|
|
||||||
# connections. To do that, use the following directives:
|
|
||||||
#
|
|
||||||
# tls-client-cert-file client.crt
|
|
||||||
# tls-client-key-file client.key
|
|
||||||
#
|
|
||||||
# If the key file is encrypted using a passphrase, it can be included here
|
|
||||||
# as well.
|
|
||||||
#
|
|
||||||
# tls-client-key-file-pass secret
|
|
||||||
|
|
||||||
# Configure a DH parameters file to enable Diffie-Hellman (DH) key exchange,
|
|
||||||
# required by older versions of OpenSSL (<3.0). Newer versions do not require
|
|
||||||
# this configuration and recommend against it.
|
|
||||||
#
|
#
|
||||||
# tls-dh-params-file redis.dh
|
# tls-dh-params-file redis.dh
|
||||||
|
|
||||||
@ -267,12 +177,9 @@ tcp-keepalive 300
|
|||||||
#
|
#
|
||||||
# tls-cluster yes
|
# tls-cluster yes
|
||||||
|
|
||||||
# By default, only TLSv1.2 and TLSv1.3 are enabled and it is highly recommended
|
# Explicitly specify TLS versions to support. Allowed values are case insensitive
|
||||||
# that older formally deprecated versions are kept disabled to reduce the attack surface.
|
# and include "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3" (OpenSSL >= 1.1.1) or
|
||||||
# You can explicitly specify TLS versions to support.
|
# any combination. To enable only TLSv1.2 and TLSv1.3, use:
|
||||||
# Allowed values are case insensitive and include "TLSv1", "TLSv1.1", "TLSv1.2",
|
|
||||||
# "TLSv1.3" (OpenSSL >= 1.1.1) or any combination.
|
|
||||||
# To enable only TLSv1.2 and TLSv1.3, use:
|
|
||||||
#
|
#
|
||||||
# tls-protocols "TLSv1.2 TLSv1.3"
|
# tls-protocols "TLSv1.2 TLSv1.3"
|
||||||
|
|
||||||
@ -314,7 +221,6 @@ tcp-keepalive 300
|
|||||||
|
|
||||||
# By default Redis does not run as a daemon. Use 'yes' if you need it.
|
# By default Redis does not run as a daemon. Use 'yes' if you need it.
|
||||||
# Note that Redis will write a pid file in /var/run/redis.pid when daemonized.
|
# Note that Redis will write a pid file in /var/run/redis.pid when daemonized.
|
||||||
# When Redis is supervised by upstart or systemd, this parameter has no impact.
|
|
||||||
daemonize no
|
daemonize no
|
||||||
|
|
||||||
# If you run Redis from upstart or systemd, Redis can interact with your
|
# If you run Redis from upstart or systemd, Redis can interact with your
|
||||||
@ -323,17 +229,11 @@ daemonize no
|
|||||||
# supervised upstart - signal upstart by putting Redis into SIGSTOP mode
|
# supervised upstart - signal upstart by putting Redis into SIGSTOP mode
|
||||||
# requires "expect stop" in your upstart job config
|
# requires "expect stop" in your upstart job config
|
||||||
# supervised systemd - signal systemd by writing READY=1 to $NOTIFY_SOCKET
|
# supervised systemd - signal systemd by writing READY=1 to $NOTIFY_SOCKET
|
||||||
# on startup, and updating Redis status on a regular
|
|
||||||
# basis.
|
|
||||||
# supervised auto - detect upstart or systemd method based on
|
# supervised auto - detect upstart or systemd method based on
|
||||||
# UPSTART_JOB or NOTIFY_SOCKET environment variables
|
# UPSTART_JOB or NOTIFY_SOCKET environment variables
|
||||||
# Note: these supervision methods only signal "process is ready."
|
# Note: these supervision methods only signal "process is ready."
|
||||||
# They do not enable continuous pings back to your supervisor.
|
# They do not enable continuous pings back to your supervisor.
|
||||||
#
|
supervised no
|
||||||
# The default is "no". To run under upstart/systemd, you can simply uncomment
|
|
||||||
# the line below:
|
|
||||||
#
|
|
||||||
# supervised auto
|
|
||||||
|
|
||||||
# If a pid file is specified, Redis writes it where specified at startup
|
# If a pid file is specified, Redis writes it where specified at startup
|
||||||
# and removes it at exit.
|
# and removes it at exit.
|
||||||
@ -344,10 +244,7 @@ daemonize no
|
|||||||
#
|
#
|
||||||
# Creating a pid file is best effort: if Redis is not able to create it
|
# Creating a pid file is best effort: if Redis is not able to create it
|
||||||
# nothing bad happens, the server will start and run normally.
|
# nothing bad happens, the server will start and run normally.
|
||||||
#
|
pidfile /var/run/redis_6379.pid
|
||||||
# Note that on modern Linux systems "/run/redis.pid" is more conforming
|
|
||||||
# and should be used instead.
|
|
||||||
pidfile "/var/run/redis_6379.pid"
|
|
||||||
|
|
||||||
# Specify the server verbosity level.
|
# Specify the server verbosity level.
|
||||||
# This can be one of:
|
# This can be one of:
|
||||||
@ -372,74 +269,44 @@ logfile ""
|
|||||||
# Specify the syslog facility. Must be USER or between LOCAL0-LOCAL7.
|
# Specify the syslog facility. Must be USER or between LOCAL0-LOCAL7.
|
||||||
# syslog-facility local0
|
# syslog-facility local0
|
||||||
|
|
||||||
# To disable the built in crash log, which will possibly produce cleaner core
|
|
||||||
# dumps when they are needed, uncomment the following:
|
|
||||||
#
|
|
||||||
# crash-log-enabled no
|
|
||||||
|
|
||||||
# To disable the fast memory check that's run as part of the crash log, which
|
|
||||||
# will possibly let redis terminate sooner, uncomment the following:
|
|
||||||
#
|
|
||||||
# crash-memcheck-enabled no
|
|
||||||
|
|
||||||
# Set the number of databases. The default database is DB 0, you can select
|
# Set the number of databases. The default database is DB 0, you can select
|
||||||
# a different one on a per-connection basis using SELECT <dbid> where
|
# a different one on a per-connection basis using SELECT <dbid> where
|
||||||
# dbid is a number between 0 and 'databases'-1
|
# dbid is a number between 0 and 'databases'-1
|
||||||
databases 16
|
databases 16
|
||||||
|
|
||||||
# By default Redis shows an ASCII art logo only when started to log to the
|
# By default Redis shows an ASCII art logo only when started to log to the
|
||||||
# standard output and if the standard output is a TTY and syslog logging is
|
# standard output and if the standard output is a TTY. Basically this means
|
||||||
# disabled. Basically this means that normally a logo is displayed only in
|
# that normally a logo is displayed only in interactive sessions.
|
||||||
# interactive sessions.
|
|
||||||
#
|
#
|
||||||
# However it is possible to force the pre-4.0 behavior and always show a
|
# However it is possible to force the pre-4.0 behavior and always show a
|
||||||
# ASCII art logo in startup logs by setting the following option to yes.
|
# ASCII art logo in startup logs by setting the following option to yes.
|
||||||
always-show-logo no
|
always-show-logo yes
|
||||||
|
|
||||||
# By default, Redis modifies the process title (as seen in 'top' and 'ps') to
|
|
||||||
# provide some runtime information. It is possible to disable this and leave
|
|
||||||
# the process name as executed by setting the following to no.
|
|
||||||
set-proc-title yes
|
|
||||||
|
|
||||||
# When changing the process title, Redis uses the following template to construct
|
|
||||||
# the modified title.
|
|
||||||
#
|
|
||||||
# Template variables are specified in curly brackets. The following variables are
|
|
||||||
# supported:
|
|
||||||
#
|
|
||||||
# {title} Name of process as executed if parent, or type of child process.
|
|
||||||
# {listen-addr} Bind address or '*' followed by TCP or TLS port listening on, or
|
|
||||||
# Unix socket if only that's available.
|
|
||||||
# {server-mode} Special mode, i.e. "[sentinel]" or "[cluster]".
|
|
||||||
# {port} TCP port listening on, or 0.
|
|
||||||
# {tls-port} TLS port listening on, or 0.
|
|
||||||
# {unixsocket} Unix domain socket listening on, or "".
|
|
||||||
# {config-file} Name of configuration file used.
|
|
||||||
#
|
|
||||||
proc-title-template "{title} {listen-addr} {server-mode}"
|
|
||||||
|
|
||||||
################################ SNAPSHOTTING ################################
|
################################ SNAPSHOTTING ################################
|
||||||
|
#
|
||||||
|
# Save the DB on disk:
|
||||||
|
#
|
||||||
|
# save <seconds> <changes>
|
||||||
|
#
|
||||||
|
# Will save the DB if both the given number of seconds and the given
|
||||||
|
# number of write operations against the DB occurred.
|
||||||
|
#
|
||||||
|
# In the example below the behavior will be to save:
|
||||||
|
# after 900 sec (15 min) if at least 1 key changed
|
||||||
|
# after 300 sec (5 min) if at least 10 keys changed
|
||||||
|
# after 60 sec if at least 10000 keys changed
|
||||||
|
#
|
||||||
|
# Note: you can disable saving completely by commenting out all "save" lines.
|
||||||
|
#
|
||||||
|
# It is also possible to remove all the previously configured save
|
||||||
|
# points by adding a save directive with a single empty string argument
|
||||||
|
# like in the following example:
|
||||||
|
#
|
||||||
|
# save ""
|
||||||
|
|
||||||
# Save the DB to disk.
|
save 900 1
|
||||||
#
|
save 300 10
|
||||||
# save <seconds> <changes> [<seconds> <changes> ...]
|
save 60 10000
|
||||||
#
|
|
||||||
# Redis will save the DB if the given number of seconds elapsed and it
|
|
||||||
# surpassed the given number of write operations against the DB.
|
|
||||||
#
|
|
||||||
# Snapshotting can be completely disabled with a single empty string argument
|
|
||||||
# as in following example:
|
|
||||||
#
|
|
||||||
# save ""
|
|
||||||
#
|
|
||||||
# Unless specified otherwise, by default Redis will save the DB:
|
|
||||||
# * After 3600 seconds (an hour) if at least 1 change was performed
|
|
||||||
# * After 300 seconds (5 minutes) if at least 100 changes were performed
|
|
||||||
# * After 60 seconds if at least 10000 changes were performed
|
|
||||||
#
|
|
||||||
# You can set these explicitly by uncommenting the following line.
|
|
||||||
#
|
|
||||||
# save 3600 1 300 100 60 10000
|
|
||||||
|
|
||||||
# By default Redis will stop accepting writes if RDB snapshots are enabled
|
# By default Redis will stop accepting writes if RDB snapshots are enabled
|
||||||
# (at least one save point) and the latest background save failed.
|
# (at least one save point) and the latest background save failed.
|
||||||
@ -471,23 +338,8 @@ rdbcompression yes
|
|||||||
# tell the loading code to skip the check.
|
# tell the loading code to skip the check.
|
||||||
rdbchecksum yes
|
rdbchecksum yes
|
||||||
|
|
||||||
# Enables or disables full sanitization checks for ziplist and listpack etc when
|
|
||||||
# loading an RDB or RESTORE payload. This reduces the chances of a assertion or
|
|
||||||
# crash later on while processing commands.
|
|
||||||
# Options:
|
|
||||||
# no - Never perform full sanitization
|
|
||||||
# yes - Always perform full sanitization
|
|
||||||
# clients - Perform full sanitization only for user connections.
|
|
||||||
# Excludes: RDB files, RESTORE commands received from the master
|
|
||||||
# connection, and client connections which have the
|
|
||||||
# skip-sanitize-payload ACL flag.
|
|
||||||
# The default should be 'clients' but since it currently affects cluster
|
|
||||||
# resharding via MIGRATE, it is temporarily set to 'no' by default.
|
|
||||||
#
|
|
||||||
# sanitize-dump-payload no
|
|
||||||
|
|
||||||
# The filename where to dump the DB
|
# The filename where to dump the DB
|
||||||
dbfilename "dump.rdb"
|
dbfilename dump.rdb
|
||||||
|
|
||||||
# Remove RDB files used by replication in instances without persistence
|
# Remove RDB files used by replication in instances without persistence
|
||||||
# enabled. By default this option is disabled, however there are environments
|
# enabled. By default this option is disabled, however there are environments
|
||||||
@ -510,7 +362,7 @@ rdb-del-sync-files no
|
|||||||
# The Append Only File will also be created inside this directory.
|
# The Append Only File will also be created inside this directory.
|
||||||
#
|
#
|
||||||
# Note that you must specify a directory here, not a file name.
|
# Note that you must specify a directory here, not a file name.
|
||||||
dir "/data"
|
dir ./
|
||||||
|
|
||||||
################################# REPLICATION #################################
|
################################# REPLICATION #################################
|
||||||
|
|
||||||
@ -560,10 +412,9 @@ dir "/data"
|
|||||||
# still reply to client requests, possibly with out of date data, or the
|
# still reply to client requests, possibly with out of date data, or the
|
||||||
# data set may just be empty if this is the first synchronization.
|
# data set may just be empty if this is the first synchronization.
|
||||||
#
|
#
|
||||||
# 2) If replica-serve-stale-data is set to 'no' the replica will reply with error
|
# 2) If replica-serve-stale-data is set to 'no' the replica will reply with
|
||||||
# "MASTERDOWN Link with MASTER is down and replica-serve-stale-data is set to 'no'"
|
# an error "SYNC with master in progress" to all commands except:
|
||||||
# to all data access commands, excluding commands such as:
|
# INFO, REPLICAOF, AUTH, PING, SHUTDOWN, REPLCONF, ROLE, CONFIG, SUBSCRIBE,
|
||||||
# INFO, REPLICAOF, AUTH, SHUTDOWN, REPLCONF, ROLE, CONFIG, SUBSCRIBE,
|
|
||||||
# UNSUBSCRIBE, PSUBSCRIBE, PUNSUBSCRIBE, PUBLISH, PUBSUB, COMMAND, POST,
|
# UNSUBSCRIBE, PSUBSCRIBE, PUNSUBSCRIBE, PUBLISH, PUBSUB, COMMAND, POST,
|
||||||
# HOST and LATENCY.
|
# HOST and LATENCY.
|
||||||
#
|
#
|
||||||
@ -612,7 +463,7 @@ replica-read-only yes
|
|||||||
#
|
#
|
||||||
# With slow disks and fast (large bandwidth) networks, diskless replication
|
# With slow disks and fast (large bandwidth) networks, diskless replication
|
||||||
# works better.
|
# works better.
|
||||||
repl-diskless-sync yes
|
repl-diskless-sync no
|
||||||
|
|
||||||
# When diskless replication is enabled, it is possible to configure the delay
|
# When diskless replication is enabled, it is possible to configure the delay
|
||||||
# the server waits in order to spawn the child that transfers the RDB via socket
|
# the server waits in order to spawn the child that transfers the RDB via socket
|
||||||
@ -626,18 +477,12 @@ repl-diskless-sync yes
|
|||||||
# it entirely just set it to 0 seconds and the transfer will start ASAP.
|
# it entirely just set it to 0 seconds and the transfer will start ASAP.
|
||||||
repl-diskless-sync-delay 5
|
repl-diskless-sync-delay 5
|
||||||
|
|
||||||
# When diskless replication is enabled with a delay, it is possible to let
|
|
||||||
# the replication start before the maximum delay is reached if the maximum
|
|
||||||
# number of replicas expected have connected. Default of 0 means that the
|
|
||||||
# maximum is not defined and Redis will wait the full delay.
|
|
||||||
repl-diskless-sync-max-replicas 0
|
|
||||||
|
|
||||||
# -----------------------------------------------------------------------------
|
# -----------------------------------------------------------------------------
|
||||||
# WARNING: RDB diskless load is experimental. Since in this setup the replica
|
# WARNING: RDB diskless load is experimental. Since in this setup the replica
|
||||||
# does not immediately store an RDB on disk, it may cause data loss during
|
# does not immediately store an RDB on disk, it may cause data loss during
|
||||||
# failovers. RDB diskless load + Redis modules not handling I/O reads may also
|
# failovers. RDB diskless load + Redis modules not handling I/O reads may also
|
||||||
# cause Redis to abort in case of I/O errors during the initial synchronization
|
# cause Redis to abort in case of I/O errors during the initial synchronization
|
||||||
# stage with the master. Use only if you know what you are doing.
|
# stage with the master. Use only if your do what you are doing.
|
||||||
# -----------------------------------------------------------------------------
|
# -----------------------------------------------------------------------------
|
||||||
#
|
#
|
||||||
# Replica can load the RDB it reads from the replication link directly from the
|
# Replica can load the RDB it reads from the replication link directly from the
|
||||||
@ -646,23 +491,19 @@ repl-diskless-sync-max-replicas 0
|
|||||||
#
|
#
|
||||||
# In many cases the disk is slower than the network, and storing and loading
|
# In many cases the disk is slower than the network, and storing and loading
|
||||||
# the RDB file may increase replication time (and even increase the master's
|
# the RDB file may increase replication time (and even increase the master's
|
||||||
# Copy on Write memory and replica buffers).
|
# Copy on Write memory and salve buffers).
|
||||||
# However, parsing the RDB file directly from the socket may mean that we have
|
# However, parsing the RDB file directly from the socket may mean that we have
|
||||||
# to flush the contents of the current database before the full rdb was
|
# to flush the contents of the current database before the full rdb was
|
||||||
# received. For this reason we have the following options:
|
# received. For this reason we have the following options:
|
||||||
#
|
#
|
||||||
# "disabled" - Don't use diskless load (store the rdb file to the disk first)
|
# "disabled" - Don't use diskless load (store the rdb file to the disk first)
|
||||||
# "on-empty-db" - Use diskless load only when it is completely safe.
|
# "on-empty-db" - Use diskless load only when it is completely safe.
|
||||||
# "swapdb" - Keep current db contents in RAM while parsing the data directly
|
# "swapdb" - Keep a copy of the current db contents in RAM while parsing
|
||||||
# from the socket. Replicas in this mode can keep serving current
|
# the data directly from the socket. note that this requires
|
||||||
# data set while replication is in progress, except for cases where
|
# sufficient memory, if you don't have it, you risk an OOM kill.
|
||||||
# they can't recognize master as having a data set from same
|
|
||||||
# replication history.
|
|
||||||
# Note that this requires sufficient memory, if you don't have it,
|
|
||||||
# you risk an OOM kill.
|
|
||||||
repl-diskless-load disabled
|
repl-diskless-load disabled
|
||||||
|
|
||||||
# Master send PINGs to its replicas in a predefined interval. It's possible to
|
# Replicas send PINGs to server in a predefined interval. It's possible to
|
||||||
# change this interval with the repl_ping_replica_period option. The default
|
# change this interval with the repl_ping_replica_period option. The default
|
||||||
# value is 10 seconds.
|
# value is 10 seconds.
|
||||||
#
|
#
|
||||||
@ -737,43 +578,6 @@ repl-disable-tcp-nodelay no
|
|||||||
# By default the priority is 100.
|
# By default the priority is 100.
|
||||||
replica-priority 100
|
replica-priority 100
|
||||||
|
|
||||||
# The propagation error behavior controls how Redis will behave when it is
|
|
||||||
# unable to handle a command being processed in the replication stream from a master
|
|
||||||
# or processed while reading from an AOF file. Errors that occur during propagation
|
|
||||||
# are unexpected, and can cause data inconsistency. However, there are edge cases
|
|
||||||
# in earlier versions of Redis where it was possible for the server to replicate or persist
|
|
||||||
# commands that would fail on future versions. For this reason the default behavior
|
|
||||||
# is to ignore such errors and continue processing commands.
|
|
||||||
#
|
|
||||||
# If an application wants to ensure there is no data divergence, this configuration
|
|
||||||
# should be set to 'panic' instead. The value can also be set to 'panic-on-replicas'
|
|
||||||
# to only panic when a replica encounters an error on the replication stream. One of
|
|
||||||
# these two panic values will become the default value in the future once there are
|
|
||||||
# sufficient safety mechanisms in place to prevent false positive crashes.
|
|
||||||
#
|
|
||||||
# propagation-error-behavior ignore
|
|
||||||
|
|
||||||
# Replica ignore disk write errors controls the behavior of a replica when it is
|
|
||||||
# unable to persist a write command received from its master to disk. By default,
|
|
||||||
# this configuration is set to 'no' and will crash the replica in this condition.
|
|
||||||
# It is not recommended to change this default, however in order to be compatible
|
|
||||||
# with older versions of Redis this config can be toggled to 'yes' which will just
|
|
||||||
# log a warning and execute the write command it got from the master.
|
|
||||||
#
|
|
||||||
# replica-ignore-disk-write-errors no
|
|
||||||
|
|
||||||
# -----------------------------------------------------------------------------
|
|
||||||
# By default, Redis Sentinel includes all replicas in its reports. A replica
|
|
||||||
# can be excluded from Redis Sentinel's announcements. An unannounced replica
|
|
||||||
# will be ignored by the 'sentinel replicas <master>' command and won't be
|
|
||||||
# exposed to Redis Sentinel's clients.
|
|
||||||
#
|
|
||||||
# This option does not change the behavior of replica-priority. Even with
|
|
||||||
# replica-announced set to 'no', the replica can be promoted to master. To
|
|
||||||
# prevent this behavior, set replica-priority to 0.
|
|
||||||
#
|
|
||||||
# replica-announced yes
|
|
||||||
|
|
||||||
# It is possible for a master to stop accepting writes if there are less than
|
# It is possible for a master to stop accepting writes if there are less than
|
||||||
# N replicas connected, having a lag less or equal than M seconds.
|
# N replicas connected, having a lag less or equal than M seconds.
|
||||||
#
|
#
|
||||||
@ -829,7 +633,7 @@ replica-priority 100
|
|||||||
|
|
||||||
# Redis implements server assisted support for client side caching of values.
|
# Redis implements server assisted support for client side caching of values.
|
||||||
# This is implemented using an invalidation table that remembers, using
|
# This is implemented using an invalidation table that remembers, using
|
||||||
# a radix key indexed by key name, what clients have which keys. In turn
|
# 16 millions of slots, what clients may have certain subsets of keys. In turn
|
||||||
# this is used in order to send invalidation messages to clients. Please
|
# this is used in order to send invalidation messages to clients. Please
|
||||||
# check this page to understand more about the feature:
|
# check this page to understand more about the feature:
|
||||||
#
|
#
|
||||||
@ -893,12 +697,8 @@ replica-priority 100
|
|||||||
# off Disable the user: it's no longer possible to authenticate
|
# off Disable the user: it's no longer possible to authenticate
|
||||||
# with this user, however the already authenticated connections
|
# with this user, however the already authenticated connections
|
||||||
# will still work.
|
# will still work.
|
||||||
# skip-sanitize-payload RESTORE dump-payload sanitization is skipped.
|
# +<command> Allow the execution of that command
|
||||||
# sanitize-payload RESTORE dump-payload is sanitized (default).
|
# -<command> Disallow the execution of that command
|
||||||
# +<command> Allow the execution of that command.
|
|
||||||
# May be used with `|` for allowing subcommands (e.g "+config|get")
|
|
||||||
# -<command> Disallow the execution of that command.
|
|
||||||
# May be used with `|` for blocking subcommands (e.g "-config|set")
|
|
||||||
# +@<category> Allow the execution of all the commands in such category
|
# +@<category> Allow the execution of all the commands in such category
|
||||||
# with valid categories are like @admin, @set, @sortedset, ...
|
# with valid categories are like @admin, @set, @sortedset, ...
|
||||||
# and so forth, see the full list in the server.c file where
|
# and so forth, see the full list in the server.c file where
|
||||||
@ -906,11 +706,10 @@ replica-priority 100
|
|||||||
# The special category @all means all the commands, but currently
|
# The special category @all means all the commands, but currently
|
||||||
# present in the server, and that will be loaded in the future
|
# present in the server, and that will be loaded in the future
|
||||||
# via modules.
|
# via modules.
|
||||||
# +<command>|first-arg Allow a specific first argument of an otherwise
|
# +<command>|subcommand Allow a specific subcommand of an otherwise
|
||||||
# disabled command. It is only supported on commands with
|
# disabled command. Note that this form is not
|
||||||
# no sub-commands, and is not allowed as negative form
|
# allowed as negative like -DEBUG|SEGFAULT, but
|
||||||
# like -SELECT|1, only additive starting with "+". This
|
# only additive starting with "+".
|
||||||
# feature is deprecated and may be removed in the future.
|
|
||||||
# allcommands Alias for +@all. Note that it implies the ability to execute
|
# allcommands Alias for +@all. Note that it implies the ability to execute
|
||||||
# all the future commands loaded via the modules system.
|
# all the future commands loaded via the modules system.
|
||||||
# nocommands Alias for -@all.
|
# nocommands Alias for -@all.
|
||||||
@ -918,17 +717,8 @@ replica-priority 100
|
|||||||
# commands. For instance ~* allows all the keys. The pattern
|
# commands. For instance ~* allows all the keys. The pattern
|
||||||
# is a glob-style pattern like the one of KEYS.
|
# is a glob-style pattern like the one of KEYS.
|
||||||
# It is possible to specify multiple patterns.
|
# It is possible to specify multiple patterns.
|
||||||
# %R~<pattern> Add key read pattern that specifies which keys can be read
|
|
||||||
# from.
|
|
||||||
# %W~<pattern> Add key write pattern that specifies which keys can be
|
|
||||||
# written to.
|
|
||||||
# allkeys Alias for ~*
|
# allkeys Alias for ~*
|
||||||
# resetkeys Flush the list of allowed keys patterns.
|
# resetkeys Flush the list of allowed keys patterns.
|
||||||
# &<pattern> Add a glob-style pattern of Pub/Sub channels that can be
|
|
||||||
# accessed by the user. It is possible to specify multiple channel
|
|
||||||
# patterns.
|
|
||||||
# allchannels Alias for &*
|
|
||||||
# resetchannels Flush the list of allowed channel patterns.
|
|
||||||
# ><password> Add this password to the list of valid password for the user.
|
# ><password> Add this password to the list of valid password for the user.
|
||||||
# For example >mypass will add "mypass" to the list.
|
# For example >mypass will add "mypass" to the list.
|
||||||
# This directive clears the "nopass" flag (see later).
|
# This directive clears the "nopass" flag (see later).
|
||||||
@ -947,14 +737,6 @@ replica-priority 100
|
|||||||
# reset Performs the following actions: resetpass, resetkeys, off,
|
# reset Performs the following actions: resetpass, resetkeys, off,
|
||||||
# -@all. The user returns to the same state it has immediately
|
# -@all. The user returns to the same state it has immediately
|
||||||
# after its creation.
|
# after its creation.
|
||||||
# (<options>) Create a new selector with the options specified within the
|
|
||||||
# parentheses and attach it to the user. Each option should be
|
|
||||||
# space separated. The first character must be ( and the last
|
|
||||||
# character must be ).
|
|
||||||
# clearselectors Remove all of the currently attached selectors.
|
|
||||||
# Note this does not change the "root" user permissions,
|
|
||||||
# which are the permissions directly applied onto the
|
|
||||||
# user (outside the parentheses).
|
|
||||||
#
|
#
|
||||||
# ACL rules can be specified in any order: for instance you can start with
|
# ACL rules can be specified in any order: for instance you can start with
|
||||||
# passwords, then flags, or key patterns. However note that the additive
|
# passwords, then flags, or key patterns. However note that the additive
|
||||||
@ -976,40 +758,6 @@ replica-priority 100
|
|||||||
#
|
#
|
||||||
# Basically ACL rules are processed left-to-right.
|
# Basically ACL rules are processed left-to-right.
|
||||||
#
|
#
|
||||||
# The following is a list of command categories and their meanings:
|
|
||||||
# * keyspace - Writing or reading from keys, databases, or their metadata
|
|
||||||
# in a type agnostic way. Includes DEL, RESTORE, DUMP, RENAME, EXISTS, DBSIZE,
|
|
||||||
# KEYS, EXPIRE, TTL, FLUSHALL, etc. Commands that may modify the keyspace,
|
|
||||||
# key or metadata will also have `write` category. Commands that only read
|
|
||||||
# the keyspace, key or metadata will have the `read` category.
|
|
||||||
# * read - Reading from keys (values or metadata). Note that commands that don't
|
|
||||||
# interact with keys, will not have either `read` or `write`.
|
|
||||||
# * write - Writing to keys (values or metadata)
|
|
||||||
# * admin - Administrative commands. Normal applications will never need to use
|
|
||||||
# these. Includes REPLICAOF, CONFIG, DEBUG, SAVE, MONITOR, ACL, SHUTDOWN, etc.
|
|
||||||
# * dangerous - Potentially dangerous (each should be considered with care for
|
|
||||||
# various reasons). This includes FLUSHALL, MIGRATE, RESTORE, SORT, KEYS,
|
|
||||||
# CLIENT, DEBUG, INFO, CONFIG, SAVE, REPLICAOF, etc.
|
|
||||||
# * connection - Commands affecting the connection or other connections.
|
|
||||||
# This includes AUTH, SELECT, COMMAND, CLIENT, ECHO, PING, etc.
|
|
||||||
# * blocking - Potentially blocking the connection until released by another
|
|
||||||
# command.
|
|
||||||
# * fast - Fast O(1) commands. May loop on the number of arguments, but not the
|
|
||||||
# number of elements in the key.
|
|
||||||
# * slow - All commands that are not Fast.
|
|
||||||
# * pubsub - PUBLISH / SUBSCRIBE related
|
|
||||||
# * transaction - WATCH / MULTI / EXEC related commands.
|
|
||||||
# * scripting - Scripting related.
|
|
||||||
# * set - Data type: sets related.
|
|
||||||
# * sortedset - Data type: zsets related.
|
|
||||||
# * list - Data type: lists related.
|
|
||||||
# * hash - Data type: hashes related.
|
|
||||||
# * string - Data type: strings related.
|
|
||||||
# * bitmap - Data type: bitmaps related.
|
|
||||||
# * hyperloglog - Data type: hyperloglog related.
|
|
||||||
# * geo - Data type: geo related.
|
|
||||||
# * stream - Data type: streams related.
|
|
||||||
#
|
|
||||||
# For more information about ACL configuration please refer to
|
# For more information about ACL configuration please refer to
|
||||||
# the Redis web site at https://redis.io/topics/acl
|
# the Redis web site at https://redis.io/topics/acl
|
||||||
|
|
||||||
@ -1039,24 +787,8 @@ acllog-max-len 128
|
|||||||
# AUTH <password> as usually, or more explicitly with AUTH default <password>
|
# AUTH <password> as usually, or more explicitly with AUTH default <password>
|
||||||
# if they follow the new protocol: both will work.
|
# if they follow the new protocol: both will work.
|
||||||
#
|
#
|
||||||
# The requirepass is not compatible with aclfile option and the ACL LOAD
|
|
||||||
# command, these will cause requirepass to be ignored.
|
|
||||||
#
|
|
||||||
# requirepass foobared
|
# requirepass foobared
|
||||||
|
|
||||||
# New users are initialized with restrictive permissions by default, via the
|
|
||||||
# equivalent of this ACL rule 'off resetkeys -@all'. Starting with Redis 6.2, it
|
|
||||||
# is possible to manage access to Pub/Sub channels with ACL rules as well. The
|
|
||||||
# default Pub/Sub channels permission if new users is controlled by the
|
|
||||||
# acl-pubsub-default configuration directive, which accepts one of these values:
|
|
||||||
#
|
|
||||||
# allchannels: grants access to all Pub/Sub channels
|
|
||||||
# resetchannels: revokes access to all Pub/Sub channels
|
|
||||||
#
|
|
||||||
# From Redis 7.0, acl-pubsub-default defaults to 'resetchannels' permission.
|
|
||||||
#
|
|
||||||
# acl-pubsub-default resetchannels
|
|
||||||
|
|
||||||
# Command renaming (DEPRECATED).
|
# Command renaming (DEPRECATED).
|
||||||
#
|
#
|
||||||
# ------------------------------------------------------------------------
|
# ------------------------------------------------------------------------
|
||||||
@ -1145,12 +877,14 @@ acllog-max-len 128
|
|||||||
# Both LRU, LFU and volatile-ttl are implemented using approximated
|
# Both LRU, LFU and volatile-ttl are implemented using approximated
|
||||||
# randomized algorithms.
|
# randomized algorithms.
|
||||||
#
|
#
|
||||||
# Note: with any of the above policies, when there are no suitable keys for
|
# Note: with any of the above policies, Redis will return an error on write
|
||||||
# eviction, Redis will return an error on write operations that require
|
# operations, when there are no suitable keys for eviction.
|
||||||
# more memory. These are usually commands that create new keys, add data or
|
#
|
||||||
# modify existing keys. A few examples are: SET, INCR, HSET, LPUSH, SUNIONSTORE,
|
# At the date of writing these commands are: set setnx setex append
|
||||||
# SORT (due to the STORE argument), and EXEC (if the transaction includes any
|
# incr decr rpush lpush rpushx lpushx linsert lset rpoplpush sadd
|
||||||
# command that requires memory).
|
# sinter sinterstore sunion sunionstore sdiff sdiffstore zadd zincrby
|
||||||
|
# zunionstore zinterstore hset hsetnx hmset hincrby incrby decrby
|
||||||
|
# getset mset msetnx exec sort
|
||||||
#
|
#
|
||||||
# The default is:
|
# The default is:
|
||||||
#
|
#
|
||||||
@ -1167,14 +901,6 @@ acllog-max-len 128
|
|||||||
#
|
#
|
||||||
# maxmemory-samples 5
|
# maxmemory-samples 5
|
||||||
|
|
||||||
# Eviction processing is designed to function well with the default setting.
|
|
||||||
# If there is an unusually large amount of write traffic, this value may need to
|
|
||||||
# be increased. Decreasing this value may reduce latency at the risk of
|
|
||||||
# eviction processing effectiveness
|
|
||||||
# 0 = minimum latency, 10 = default, 100 = process without regard to latency
|
|
||||||
#
|
|
||||||
# maxmemory-eviction-tenacity 10
|
|
||||||
|
|
||||||
# Starting from Redis 5, by default a replica will ignore its maxmemory setting
|
# Starting from Redis 5, by default a replica will ignore its maxmemory setting
|
||||||
# (unless it is promoted to master after a failover or manually). It means
|
# (unless it is promoted to master after a failover or manually). It means
|
||||||
# that the eviction of keys will be just handled by the master, sending the
|
# that the eviction of keys will be just handled by the master, sending the
|
||||||
@ -1268,13 +994,6 @@ replica-lazy-flush no
|
|||||||
|
|
||||||
lazyfree-lazy-user-del no
|
lazyfree-lazy-user-del no
|
||||||
|
|
||||||
# FLUSHDB, FLUSHALL, SCRIPT FLUSH and FUNCTION FLUSH support both asynchronous and synchronous
|
|
||||||
# deletion, which can be controlled by passing the [SYNC|ASYNC] flags into the
|
|
||||||
# commands. When neither flag is passed, this directive will be used to determine
|
|
||||||
# if the data should be deleted asynchronously.
|
|
||||||
|
|
||||||
lazyfree-lazy-user-flush no
|
|
||||||
|
|
||||||
################################ THREADED I/O #################################
|
################################ THREADED I/O #################################
|
||||||
|
|
||||||
# Redis is mostly single threaded, however there are certain threaded
|
# Redis is mostly single threaded, however there are certain threaded
|
||||||
@ -1313,7 +1032,7 @@ lazyfree-lazy-user-flush no
|
|||||||
# Usually threading reads doesn't help much.
|
# Usually threading reads doesn't help much.
|
||||||
#
|
#
|
||||||
# NOTE 1: This configuration directive cannot be changed at runtime via
|
# NOTE 1: This configuration directive cannot be changed at runtime via
|
||||||
# CONFIG SET. Also, this feature currently does not work when SSL is
|
# CONFIG SET. Aso this feature currently does not work when SSL is
|
||||||
# enabled.
|
# enabled.
|
||||||
#
|
#
|
||||||
# NOTE 2: If you want to test the Redis speedup using redis-benchmark, make
|
# NOTE 2: If you want to test the Redis speedup using redis-benchmark, make
|
||||||
@ -1331,7 +1050,7 @@ lazyfree-lazy-user-flush no
|
|||||||
# attempt to have background child processes killed before all others, and
|
# attempt to have background child processes killed before all others, and
|
||||||
# replicas killed before masters.
|
# replicas killed before masters.
|
||||||
#
|
#
|
||||||
# Redis supports these options:
|
# Redis supports three options:
|
||||||
#
|
#
|
||||||
# no: Don't make changes to oom-score-adj (default).
|
# no: Don't make changes to oom-score-adj (default).
|
||||||
# yes: Alias to "relative" see below.
|
# yes: Alias to "relative" see below.
|
||||||
@ -1352,18 +1071,6 @@ oom-score-adj no
|
|||||||
# oom-score-adj-values to positive values will always succeed.
|
# oom-score-adj-values to positive values will always succeed.
|
||||||
oom-score-adj-values 0 200 800
|
oom-score-adj-values 0 200 800
|
||||||
|
|
||||||
#################### KERNEL transparent hugepage CONTROL ######################
|
|
||||||
|
|
||||||
# Usually the kernel Transparent Huge Pages control is set to "madvise" or
|
|
||||||
# or "never" by default (/sys/kernel/mm/transparent_hugepage/enabled), in which
|
|
||||||
# case this config has no effect. On systems in which it is set to "always",
|
|
||||||
# redis will attempt to disable it specifically for the redis process in order
|
|
||||||
# to avoid latency problems specifically with fork(2) and CoW.
|
|
||||||
# If for some reason you prefer to keep it enabled, you can set this config to
|
|
||||||
# "no" and the kernel global to "always".
|
|
||||||
|
|
||||||
disable-thp yes
|
|
||||||
|
|
||||||
############################## APPEND ONLY MODE ###############################
|
############################## APPEND ONLY MODE ###############################
|
||||||
|
|
||||||
# By default Redis asynchronously dumps the dataset on disk. This mode is
|
# By default Redis asynchronously dumps the dataset on disk. This mode is
|
||||||
@ -1382,43 +1089,14 @@ disable-thp yes
|
|||||||
# If the AOF is enabled on startup Redis will load the AOF, that is the file
|
# If the AOF is enabled on startup Redis will load the AOF, that is the file
|
||||||
# with the better durability guarantees.
|
# with the better durability guarantees.
|
||||||
#
|
#
|
||||||
# Please check https://redis.io/topics/persistence for more information.
|
# Please check http://redis.io/topics/persistence for more information.
|
||||||
|
|
||||||
# appendonly no
|
appendonly no
|
||||||
|
|
||||||
# The base name of the append only file.
|
# The name of the append only file (default: "appendonly.aof")
|
||||||
#
|
|
||||||
# Redis 7 and newer use a set of append-only files to persist the dataset
|
|
||||||
# and changes applied to it. There are two basic types of files in use:
|
|
||||||
#
|
|
||||||
# - Base files, which are a snapshot representing the complete state of the
|
|
||||||
# dataset at the time the file was created. Base files can be either in
|
|
||||||
# the form of RDB (binary serialized) or AOF (textual commands).
|
|
||||||
# - Incremental files, which contain additional commands that were applied
|
|
||||||
# to the dataset following the previous file.
|
|
||||||
#
|
|
||||||
# In addition, manifest files are used to track the files and the order in
|
|
||||||
# which they were created and should be applied.
|
|
||||||
#
|
|
||||||
# Append-only file names are created by Redis following a specific pattern.
|
|
||||||
# The file name's prefix is based on the 'appendfilename' configuration
|
|
||||||
# parameter, followed by additional information about the sequence and type.
|
|
||||||
#
|
|
||||||
# For example, if appendfilename is set to appendonly.aof, the following file
|
|
||||||
# names could be derived:
|
|
||||||
#
|
|
||||||
# - appendonly.aof.1.base.rdb as a base file.
|
|
||||||
# - appendonly.aof.1.incr.aof, appendonly.aof.2.incr.aof as incremental files.
|
|
||||||
# - appendonly.aof.manifest as a manifest file.
|
|
||||||
|
|
||||||
appendfilename "appendonly.aof"
|
appendfilename "appendonly.aof"
|
||||||
|
|
||||||
# For convenience, Redis stores all persistent append-only files in a dedicated
|
|
||||||
# directory. The name of the directory is determined by the appenddirname
|
|
||||||
# configuration parameter.
|
|
||||||
|
|
||||||
appenddirname "appendonlydir"
|
|
||||||
|
|
||||||
# The fsync() call tells the Operating System to actually write data on disk
|
# The fsync() call tells the Operating System to actually write data on disk
|
||||||
# instead of waiting for more data in the output buffer. Some OS will really flush
|
# instead of waiting for more data in the output buffer. Some OS will really flush
|
||||||
# data on disk, some other OS will just try to do it ASAP.
|
# data on disk, some other OS will just try to do it ASAP.
|
||||||
@ -1443,7 +1121,7 @@ appenddirname "appendonlydir"
|
|||||||
# If unsure, use "everysec".
|
# If unsure, use "everysec".
|
||||||
|
|
||||||
# appendfsync always
|
# appendfsync always
|
||||||
# appendfsync everysec
|
appendfsync everysec
|
||||||
# appendfsync no
|
# appendfsync no
|
||||||
|
|
||||||
# When the AOF fsync policy is set to always or everysec, and a background
|
# When the AOF fsync policy is set to always or everysec, and a background
|
||||||
@ -1458,7 +1136,7 @@ appenddirname "appendonlydir"
|
|||||||
# BGSAVE or BGREWRITEAOF is in progress.
|
# BGSAVE or BGREWRITEAOF is in progress.
|
||||||
#
|
#
|
||||||
# This means that while another child is saving, the durability of Redis is
|
# This means that while another child is saving, the durability of Redis is
|
||||||
# the same as "appendfsync no". In practical terms, this means that it is
|
# the same as "appendfsync none". In practical terms, this means that it is
|
||||||
# possible to lose up to 30 seconds of log in the worst scenario (with the
|
# possible to lose up to 30 seconds of log in the worst scenario (with the
|
||||||
# default Linux settings).
|
# default Linux settings).
|
||||||
#
|
#
|
||||||
@ -1511,69 +1189,34 @@ auto-aof-rewrite-min-size 64mb
|
|||||||
# will be found.
|
# will be found.
|
||||||
aof-load-truncated yes
|
aof-load-truncated yes
|
||||||
|
|
||||||
# Redis can create append-only base files in either RDB or AOF formats. Using
|
# When rewriting the AOF file, Redis is able to use an RDB preamble in the
|
||||||
# the RDB format is always faster and more efficient, and disabling it is only
|
# AOF file for faster rewrites and recoveries. When this option is turned
|
||||||
# supported for backward compatibility purposes.
|
# on the rewritten AOF file is composed of two different stanzas:
|
||||||
|
#
|
||||||
|
# [RDB file][AOF tail]
|
||||||
|
#
|
||||||
|
# When loading, Redis recognizes that the AOF file starts with the "REDIS"
|
||||||
|
# string and loads the prefixed RDB file, then continues loading the AOF
|
||||||
|
# tail.
|
||||||
aof-use-rdb-preamble yes
|
aof-use-rdb-preamble yes
|
||||||
|
|
||||||
# Redis supports recording timestamp annotations in the AOF to support restoring
|
################################ LUA SCRIPTING ###############################
|
||||||
# the data from a specific point-in-time. However, using this capability changes
|
|
||||||
# the AOF format in a way that may not be compatible with existing AOF parsers.
|
|
||||||
aof-timestamp-enabled no
|
|
||||||
|
|
||||||
################################ SHUTDOWN #####################################
|
# Max execution time of a Lua script in milliseconds.
|
||||||
|
|
||||||
# Maximum time to wait for replicas when shutting down, in seconds.
|
|
||||||
#
|
#
|
||||||
# During shut down, a grace period allows any lagging replicas to catch up with
|
# If the maximum execution time is reached Redis will log that a script is
|
||||||
# the latest replication offset before the master exists. This period can
|
# still in execution after the maximum allowed time and will start to
|
||||||
# prevent data loss, especially for deployments without configured disk backups.
|
# reply to queries with an error.
|
||||||
#
|
#
|
||||||
# The 'shutdown-timeout' value is the grace period's duration in seconds. It is
|
# When a long running script exceeds the maximum execution time only the
|
||||||
# only applicable when the instance has replicas. To disable the feature, set
|
# SCRIPT KILL and SHUTDOWN NOSAVE commands are available. The first can be
|
||||||
# the value to 0.
|
# used to stop a script that did not yet call any write commands. The second
|
||||||
|
# is the only way to shut down the server in the case a write command was
|
||||||
|
# already issued by the script but the user doesn't want to wait for the natural
|
||||||
|
# termination of the script.
|
||||||
#
|
#
|
||||||
# shutdown-timeout 10
|
# Set it to 0 or a negative value for unlimited execution without warnings.
|
||||||
|
lua-time-limit 5000
|
||||||
# When Redis receives a SIGINT or SIGTERM, shutdown is initiated and by default
|
|
||||||
# an RDB snapshot is written to disk in a blocking operation if save points are configured.
|
|
||||||
# The options used on signaled shutdown can include the following values:
|
|
||||||
# default: Saves RDB snapshot only if save points are configured.
|
|
||||||
# Waits for lagging replicas to catch up.
|
|
||||||
# save: Forces a DB saving operation even if no save points are configured.
|
|
||||||
# nosave: Prevents DB saving operation even if one or more save points are configured.
|
|
||||||
# now: Skips waiting for lagging replicas.
|
|
||||||
# force: Ignores any errors that would normally prevent the server from exiting.
|
|
||||||
#
|
|
||||||
# Any combination of values is allowed as long as "save" and "nosave" are not set simultaneously.
|
|
||||||
# Example: "nosave force now"
|
|
||||||
#
|
|
||||||
# shutdown-on-sigint default
|
|
||||||
# shutdown-on-sigterm default
|
|
||||||
|
|
||||||
################ NON-DETERMINISTIC LONG BLOCKING COMMANDS #####################
|
|
||||||
|
|
||||||
# Maximum time in milliseconds for EVAL scripts, functions and in some cases
|
|
||||||
# modules' commands before Redis can start processing or rejecting other clients.
|
|
||||||
#
|
|
||||||
# If the maximum execution time is reached Redis will start to reply to most
|
|
||||||
# commands with a BUSY error.
|
|
||||||
#
|
|
||||||
# In this state Redis will only allow a handful of commands to be executed.
|
|
||||||
# For instance, SCRIPT KILL, FUNCTION KILL, SHUTDOWN NOSAVE and possibly some
|
|
||||||
# module specific 'allow-busy' commands.
|
|
||||||
#
|
|
||||||
# SCRIPT KILL and FUNCTION KILL will only be able to stop a script that did not
|
|
||||||
# yet call any write commands, so SHUTDOWN NOSAVE may be the only way to stop
|
|
||||||
# the server in the case a write command was already issued by the script when
|
|
||||||
# the user doesn't want to wait for the natural termination of the script.
|
|
||||||
#
|
|
||||||
# The default is 5 seconds. It is possible to set it to 0 or a negative value
|
|
||||||
# to disable this mechanism (uninterrupted execution). Note that in the past
|
|
||||||
# this config had a different name, which is now an alias, so both of these do
|
|
||||||
# the same:
|
|
||||||
# lua-time-limit 5000
|
|
||||||
# busy-reply-threshold 5000
|
|
||||||
|
|
||||||
################################ REDIS CLUSTER ###############################
|
################################ REDIS CLUSTER ###############################
|
||||||
|
|
||||||
@ -1597,11 +1240,6 @@ aof-timestamp-enabled no
|
|||||||
#
|
#
|
||||||
# cluster-node-timeout 15000
|
# cluster-node-timeout 15000
|
||||||
|
|
||||||
# The cluster port is the port that the cluster bus will listen for inbound connections on. When set
|
|
||||||
# to the default value, 0, it will be bound to the command port + 10000. Setting this value requires
|
|
||||||
# you to specify the cluster bus port when executing cluster meet.
|
|
||||||
# cluster-port 0
|
|
||||||
|
|
||||||
# A replica of a failing master will avoid to start a failover if its data
|
# A replica of a failing master will avoid to start a failover if its data
|
||||||
# looks too old.
|
# looks too old.
|
||||||
#
|
#
|
||||||
@ -1660,21 +1298,12 @@ aof-timestamp-enabled no
|
|||||||
# master in your cluster.
|
# master in your cluster.
|
||||||
#
|
#
|
||||||
# Default is 1 (replicas migrate only if their masters remain with at least
|
# Default is 1 (replicas migrate only if their masters remain with at least
|
||||||
# one replica). To disable migration just set it to a very large value or
|
# one replica). To disable migration just set it to a very large value.
|
||||||
# set cluster-allow-replica-migration to 'no'.
|
|
||||||
# A value of 0 can be set but is useful only for debugging and dangerous
|
# A value of 0 can be set but is useful only for debugging and dangerous
|
||||||
# in production.
|
# in production.
|
||||||
#
|
#
|
||||||
# cluster-migration-barrier 1
|
# cluster-migration-barrier 1
|
||||||
|
|
||||||
# Turning off this option allows to use less automatic cluster configuration.
|
|
||||||
# It both disables migration to orphaned masters and migration from masters
|
|
||||||
# that became empty.
|
|
||||||
#
|
|
||||||
# Default is 'yes' (allow automatic migrations).
|
|
||||||
#
|
|
||||||
# cluster-allow-replica-migration yes
|
|
||||||
|
|
||||||
# By default Redis Cluster nodes stop accepting queries if they detect there
|
# By default Redis Cluster nodes stop accepting queries if they detect there
|
||||||
# is at least a hash slot uncovered (no available node is serving it).
|
# is at least a hash slot uncovered (no available node is serving it).
|
||||||
# This way if the cluster is partially down (for example a range of hash slots
|
# This way if the cluster is partially down (for example a range of hash slots
|
||||||
@ -1689,7 +1318,7 @@ aof-timestamp-enabled no
|
|||||||
# cluster-require-full-coverage yes
|
# cluster-require-full-coverage yes
|
||||||
|
|
||||||
# This option, when set to yes, prevents replicas from trying to failover its
|
# This option, when set to yes, prevents replicas from trying to failover its
|
||||||
# master during master failures. However the replica can still perform a
|
# master during master failures. However the master can still perform a
|
||||||
# manual failover, if forced to do so.
|
# manual failover, if forced to do so.
|
||||||
#
|
#
|
||||||
# This is useful in different scenarios, especially in the case of multiple
|
# This is useful in different scenarios, especially in the case of multiple
|
||||||
@ -1699,7 +1328,7 @@ aof-timestamp-enabled no
|
|||||||
# cluster-replica-no-failover no
|
# cluster-replica-no-failover no
|
||||||
|
|
||||||
# This option, when set to yes, allows nodes to serve read traffic while the
|
# This option, when set to yes, allows nodes to serve read traffic while the
|
||||||
# cluster is in a down state, as long as it believes it owns the slots.
|
# the cluster is in a down state, as long as it believes it owns the slots.
|
||||||
#
|
#
|
||||||
# This is useful for two cases. The first case is for when an application
|
# This is useful for two cases. The first case is for when an application
|
||||||
# doesn't require consistency of data during node failures or network partitions.
|
# doesn't require consistency of data during node failures or network partitions.
|
||||||
@ -1714,54 +1343,8 @@ aof-timestamp-enabled no
|
|||||||
#
|
#
|
||||||
# cluster-allow-reads-when-down no
|
# cluster-allow-reads-when-down no
|
||||||
|
|
||||||
# This option, when set to yes, allows nodes to serve pubsub shard traffic while
|
|
||||||
# the cluster is in a down state, as long as it believes it owns the slots.
|
|
||||||
#
|
|
||||||
# This is useful if the application would like to use the pubsub feature even when
|
|
||||||
# the cluster global stable state is not OK. If the application wants to make sure only
|
|
||||||
# one shard is serving a given channel, this feature should be kept as yes.
|
|
||||||
#
|
|
||||||
# cluster-allow-pubsubshard-when-down yes
|
|
||||||
|
|
||||||
# Cluster link send buffer limit is the limit on the memory usage of an individual
|
|
||||||
# cluster bus link's send buffer in bytes. Cluster links would be freed if they exceed
|
|
||||||
# this limit. This is to primarily prevent send buffers from growing unbounded on links
|
|
||||||
# toward slow peers (E.g. PubSub messages being piled up).
|
|
||||||
# This limit is disabled by default. Enable this limit when 'mem_cluster_links' INFO field
|
|
||||||
# and/or 'send-buffer-allocated' entries in the 'CLUSTER LINKS` command output continuously increase.
|
|
||||||
# Minimum limit of 1gb is recommended so that cluster link buffer can fit in at least a single
|
|
||||||
# PubSub message by default. (client-query-buffer-limit default value is 1gb)
|
|
||||||
#
|
|
||||||
# cluster-link-sendbuf-limit 0
|
|
||||||
|
|
||||||
# Clusters can configure their announced hostname using this config. This is a common use case for
|
|
||||||
# applications that need to use TLS Server Name Indication (SNI) or dealing with DNS based
|
|
||||||
# routing. By default this value is only shown as additional metadata in the CLUSTER SLOTS
|
|
||||||
# command, but can be changed using 'cluster-preferred-endpoint-type' config. This value is
|
|
||||||
# communicated along the clusterbus to all nodes, setting it to an empty string will remove
|
|
||||||
# the hostname and also propagate the removal.
|
|
||||||
#
|
|
||||||
# cluster-announce-hostname ""
|
|
||||||
|
|
||||||
# Clusters can advertise how clients should connect to them using either their IP address,
|
|
||||||
# a user defined hostname, or by declaring they have no endpoint. Which endpoint is
|
|
||||||
# shown as the preferred endpoint is set by using the cluster-preferred-endpoint-type
|
|
||||||
# config with values 'ip', 'hostname', or 'unknown-endpoint'. This value controls how
|
|
||||||
# the endpoint returned for MOVED/ASKING requests as well as the first field of CLUSTER SLOTS.
|
|
||||||
# If the preferred endpoint type is set to hostname, but no announced hostname is set, a '?'
|
|
||||||
# will be returned instead.
|
|
||||||
#
|
|
||||||
# When a cluster advertises itself as having an unknown endpoint, it's indicating that
|
|
||||||
# the server doesn't know how clients can reach the cluster. This can happen in certain
|
|
||||||
# networking situations where there are multiple possible routes to the node, and the
|
|
||||||
# server doesn't know which one the client took. In this case, the server is expecting
|
|
||||||
# the client to reach out on the same endpoint it used for making the last request, but use
|
|
||||||
# the port provided in the response.
|
|
||||||
#
|
|
||||||
# cluster-preferred-endpoint-type ip
|
|
||||||
|
|
||||||
# In order to setup your cluster make sure to read the documentation
|
# In order to setup your cluster make sure to read the documentation
|
||||||
# available at https://redis.io web site.
|
# available at http://redis.io web site.
|
||||||
|
|
||||||
########################## CLUSTER DOCKER/NAT support ########################
|
########################## CLUSTER DOCKER/NAT support ########################
|
||||||
|
|
||||||
@ -1771,21 +1354,16 @@ aof-timestamp-enabled no
|
|||||||
#
|
#
|
||||||
# In order to make Redis Cluster working in such environments, a static
|
# In order to make Redis Cluster working in such environments, a static
|
||||||
# configuration where each node knows its public address is needed. The
|
# configuration where each node knows its public address is needed. The
|
||||||
# following four options are used for this scope, and are:
|
# following two options are used for this scope, and are:
|
||||||
#
|
#
|
||||||
# * cluster-announce-ip
|
# * cluster-announce-ip
|
||||||
# * cluster-announce-port
|
# * cluster-announce-port
|
||||||
# * cluster-announce-tls-port
|
|
||||||
# * cluster-announce-bus-port
|
# * cluster-announce-bus-port
|
||||||
#
|
#
|
||||||
# Each instructs the node about its address, client ports (for connections
|
# Each instructs the node about its address, client port, and cluster message
|
||||||
# without and with TLS) and cluster message bus port. The information is then
|
# bus port. The information is then published in the header of the bus packets
|
||||||
# published in the header of the bus packets so that other nodes will be able to
|
# so that other nodes will be able to correctly map the address of the node
|
||||||
# correctly map the address of the node publishing the information.
|
# publishing the information.
|
||||||
#
|
|
||||||
# If cluster-tls is set to yes and cluster-announce-tls-port is omitted or set
|
|
||||||
# to zero, then cluster-announce-port refers to the TLS port. Note also that
|
|
||||||
# cluster-announce-tls-port has no effect if cluster-tls is set to no.
|
|
||||||
#
|
#
|
||||||
# If the above options are not used, the normal Redis Cluster auto-detection
|
# If the above options are not used, the normal Redis Cluster auto-detection
|
||||||
# will be used instead.
|
# will be used instead.
|
||||||
@ -1798,8 +1376,7 @@ aof-timestamp-enabled no
|
|||||||
# Example:
|
# Example:
|
||||||
#
|
#
|
||||||
# cluster-announce-ip 10.1.1.5
|
# cluster-announce-ip 10.1.1.5
|
||||||
# cluster-announce-tls-port 6379
|
# cluster-announce-port 6379
|
||||||
# cluster-announce-port 0
|
|
||||||
# cluster-announce-bus-port 6380
|
# cluster-announce-bus-port 6380
|
||||||
|
|
||||||
################################## SLOW LOG ###################################
|
################################## SLOW LOG ###################################
|
||||||
@ -1824,7 +1401,7 @@ slowlog-log-slower-than 10000
|
|||||||
|
|
||||||
# There is no limit to this length. Just be aware that it will consume memory.
|
# There is no limit to this length. Just be aware that it will consume memory.
|
||||||
# You can reclaim memory used by the slow log with SLOWLOG RESET.
|
# You can reclaim memory used by the slow log with SLOWLOG RESET.
|
||||||
slowlog-max-len 10086
|
slowlog-max-len 128
|
||||||
|
|
||||||
################################ LATENCY MONITOR ##############################
|
################################ LATENCY MONITOR ##############################
|
||||||
|
|
||||||
@ -1847,24 +1424,10 @@ slowlog-max-len 10086
|
|||||||
# "CONFIG SET latency-monitor-threshold <milliseconds>" if needed.
|
# "CONFIG SET latency-monitor-threshold <milliseconds>" if needed.
|
||||||
latency-monitor-threshold 0
|
latency-monitor-threshold 0
|
||||||
|
|
||||||
################################ LATENCY TRACKING ##############################
|
|
||||||
|
|
||||||
# The Redis extended latency monitoring tracks the per command latencies and enables
|
|
||||||
# exporting the percentile distribution via the INFO latencystats command,
|
|
||||||
# and cumulative latency distributions (histograms) via the LATENCY command.
|
|
||||||
#
|
|
||||||
# By default, the extended latency monitoring is enabled since the overhead
|
|
||||||
# of keeping track of the command latency is very small.
|
|
||||||
# latency-tracking yes
|
|
||||||
|
|
||||||
# By default the exported latency percentiles via the INFO latencystats command
|
|
||||||
# are the p50, p99, and p999.
|
|
||||||
# latency-tracking-info-percentiles 50 99 99.9
|
|
||||||
|
|
||||||
############################# EVENT NOTIFICATION ##############################
|
############################# EVENT NOTIFICATION ##############################
|
||||||
|
|
||||||
# Redis can notify Pub/Sub clients about events happening in the key space.
|
# Redis can notify Pub/Sub clients about events happening in the key space.
|
||||||
# This feature is documented at https://redis.io/topics/notifications
|
# This feature is documented at http://redis.io/topics/notifications
|
||||||
#
|
#
|
||||||
# For instance if keyspace events notification is enabled, and a client
|
# For instance if keyspace events notification is enabled, and a client
|
||||||
# performs a DEL operation on key "foo" stored in the Database 0, two
|
# performs a DEL operation on key "foo" stored in the Database 0, two
|
||||||
@ -1886,11 +1449,9 @@ latency-monitor-threshold 0
|
|||||||
# z Sorted set commands
|
# z Sorted set commands
|
||||||
# x Expired events (events generated every time a key expires)
|
# x Expired events (events generated every time a key expires)
|
||||||
# e Evicted events (events generated when a key is evicted for maxmemory)
|
# e Evicted events (events generated when a key is evicted for maxmemory)
|
||||||
# n New key events (Note: not included in the 'A' class)
|
|
||||||
# t Stream commands
|
# t Stream commands
|
||||||
# d Module key type events
|
|
||||||
# m Key-miss events (Note: It is not included in the 'A' class)
|
# m Key-miss events (Note: It is not included in the 'A' class)
|
||||||
# A Alias for g$lshzxetd, so that the "AKE" string means all the events
|
# A Alias for g$lshzxet, so that the "AKE" string means all the events
|
||||||
# (Except key-miss events which are excluded from 'A' due to their
|
# (Except key-miss events which are excluded from 'A' due to their
|
||||||
# unique nature).
|
# unique nature).
|
||||||
#
|
#
|
||||||
@ -1913,13 +1474,71 @@ latency-monitor-threshold 0
|
|||||||
# specify at least one of K or E, no events will be delivered.
|
# specify at least one of K or E, no events will be delivered.
|
||||||
notify-keyspace-events ""
|
notify-keyspace-events ""
|
||||||
|
|
||||||
|
############################### GOPHER SERVER #################################
|
||||||
|
|
||||||
|
# Redis contains an implementation of the Gopher protocol, as specified in
|
||||||
|
# the RFC 1436 (https://www.ietf.org/rfc/rfc1436.txt).
|
||||||
|
#
|
||||||
|
# The Gopher protocol was very popular in the late '90s. It is an alternative
|
||||||
|
# to the web, and the implementation both server and client side is so simple
|
||||||
|
# that the Redis server has just 100 lines of code in order to implement this
|
||||||
|
# support.
|
||||||
|
#
|
||||||
|
# What do you do with Gopher nowadays? Well Gopher never *really* died, and
|
||||||
|
# lately there is a movement in order for the Gopher more hierarchical content
|
||||||
|
# composed of just plain text documents to be resurrected. Some want a simpler
|
||||||
|
# internet, others believe that the mainstream internet became too much
|
||||||
|
# controlled, and it's cool to create an alternative space for people that
|
||||||
|
# want a bit of fresh air.
|
||||||
|
#
|
||||||
|
# Anyway for the 10nth birthday of the Redis, we gave it the Gopher protocol
|
||||||
|
# as a gift.
|
||||||
|
#
|
||||||
|
# --- HOW IT WORKS? ---
|
||||||
|
#
|
||||||
|
# The Redis Gopher support uses the inline protocol of Redis, and specifically
|
||||||
|
# two kind of inline requests that were anyway illegal: an empty request
|
||||||
|
# or any request that starts with "/" (there are no Redis commands starting
|
||||||
|
# with such a slash). Normal RESP2/RESP3 requests are completely out of the
|
||||||
|
# path of the Gopher protocol implementation and are served as usual as well.
|
||||||
|
#
|
||||||
|
# If you open a connection to Redis when Gopher is enabled and send it
|
||||||
|
# a string like "/foo", if there is a key named "/foo" it is served via the
|
||||||
|
# Gopher protocol.
|
||||||
|
#
|
||||||
|
# In order to create a real Gopher "hole" (the name of a Gopher site in Gopher
|
||||||
|
# talking), you likely need a script like the following:
|
||||||
|
#
|
||||||
|
# https://github.com/antirez/gopher2redis
|
||||||
|
#
|
||||||
|
# --- SECURITY WARNING ---
|
||||||
|
#
|
||||||
|
# If you plan to put Redis on the internet in a publicly accessible address
|
||||||
|
# to server Gopher pages MAKE SURE TO SET A PASSWORD to the instance.
|
||||||
|
# Once a password is set:
|
||||||
|
#
|
||||||
|
# 1. The Gopher server (when enabled, not by default) will still serve
|
||||||
|
# content via Gopher.
|
||||||
|
# 2. However other commands cannot be called before the client will
|
||||||
|
# authenticate.
|
||||||
|
#
|
||||||
|
# So use the 'requirepass' option to protect your instance.
|
||||||
|
#
|
||||||
|
# Note that Gopher is not currently supported when 'io-threads-do-reads'
|
||||||
|
# is enabled.
|
||||||
|
#
|
||||||
|
# To enable Gopher support, uncomment the following line and set the option
|
||||||
|
# from no (the default) to yes.
|
||||||
|
#
|
||||||
|
# gopher-enabled no
|
||||||
|
|
||||||
############################### ADVANCED CONFIG ###############################
|
############################### ADVANCED CONFIG ###############################
|
||||||
|
|
||||||
# Hashes are encoded using a memory efficient data structure when they have a
|
# Hashes are encoded using a memory efficient data structure when they have a
|
||||||
# small number of entries, and the biggest entry does not exceed a given
|
# small number of entries, and the biggest entry does not exceed a given
|
||||||
# threshold. These thresholds can be configured using the following directives.
|
# threshold. These thresholds can be configured using the following directives.
|
||||||
hash-max-listpack-entries 512
|
hash-max-ziplist-entries 512
|
||||||
hash-max-listpack-value 64
|
hash-max-ziplist-value 64
|
||||||
|
|
||||||
# Lists are also encoded in a special way to save a lot of space.
|
# Lists are also encoded in a special way to save a lot of space.
|
||||||
# The number of entries allowed per internal list node can be specified
|
# The number of entries allowed per internal list node can be specified
|
||||||
@ -1934,7 +1553,7 @@ hash-max-listpack-value 64
|
|||||||
# per list node.
|
# per list node.
|
||||||
# The highest performing option is usually -2 (8 Kb size) or -1 (4 Kb size),
|
# The highest performing option is usually -2 (8 Kb size) or -1 (4 Kb size),
|
||||||
# but if your use case is unique, adjust the settings as necessary.
|
# but if your use case is unique, adjust the settings as necessary.
|
||||||
list-max-listpack-size -2
|
list-max-ziplist-size -2
|
||||||
|
|
||||||
# Lists may also be compressed.
|
# Lists may also be compressed.
|
||||||
# Compress depth is the number of quicklist ziplist nodes from *each* side of
|
# Compress depth is the number of quicklist ziplist nodes from *each* side of
|
||||||
@ -1962,8 +1581,8 @@ set-max-intset-entries 512
|
|||||||
# Similarly to hashes and lists, sorted sets are also specially encoded in
|
# Similarly to hashes and lists, sorted sets are also specially encoded in
|
||||||
# order to save a lot of space. This encoding is only used when the length and
|
# order to save a lot of space. This encoding is only used when the length and
|
||||||
# elements of a sorted set are below the following limits:
|
# elements of a sorted set are below the following limits:
|
||||||
zset-max-listpack-entries 128
|
zset-max-ziplist-entries 128
|
||||||
zset-max-listpack-value 64
|
zset-max-ziplist-value 64
|
||||||
|
|
||||||
# HyperLogLog sparse representation bytes limit. The limit includes the
|
# HyperLogLog sparse representation bytes limit. The limit includes the
|
||||||
# 16 bytes header. When an HyperLogLog using the sparse representation crosses
|
# 16 bytes header. When an HyperLogLog using the sparse representation crosses
|
||||||
@ -1985,9 +1604,9 @@ hll-sparse-max-bytes 3000
|
|||||||
# maximum number of items it may contain before switching to a new node when
|
# maximum number of items it may contain before switching to a new node when
|
||||||
# appending new stream entries. If any of the following settings are set to
|
# appending new stream entries. If any of the following settings are set to
|
||||||
# zero, the limit is ignored, so for instance it is possible to set just a
|
# zero, the limit is ignored, so for instance it is possible to set just a
|
||||||
# max entries limit by setting max-bytes to 0 and max-entries to the desired
|
# max entires limit by setting max-bytes to 0 and max-entries to the desired
|
||||||
# value.
|
# value.
|
||||||
stream-node-max-bytes 4kb
|
stream-node-max-bytes 4096
|
||||||
stream-node-max-entries 100
|
stream-node-max-entries 100
|
||||||
|
|
||||||
# Active rehashing uses 1 millisecond every 100 milliseconds of CPU time in
|
# Active rehashing uses 1 millisecond every 100 milliseconds of CPU time in
|
||||||
@ -2018,7 +1637,7 @@ activerehashing yes
|
|||||||
# The limit can be set differently for the three different classes of clients:
|
# The limit can be set differently for the three different classes of clients:
|
||||||
#
|
#
|
||||||
# normal -> normal clients including MONITOR clients
|
# normal -> normal clients including MONITOR clients
|
||||||
# replica -> replica clients
|
# replica -> replica clients
|
||||||
# pubsub -> clients subscribed to at least one pubsub channel or pattern
|
# pubsub -> clients subscribed to at least one pubsub channel or pattern
|
||||||
#
|
#
|
||||||
# The syntax of every client-output-buffer-limit directive is the following:
|
# The syntax of every client-output-buffer-limit directive is the following:
|
||||||
@ -2042,13 +1661,6 @@ activerehashing yes
|
|||||||
# Instead there is a default limit for pubsub and replica clients, since
|
# Instead there is a default limit for pubsub and replica clients, since
|
||||||
# subscribers and replicas receive data in a push fashion.
|
# subscribers and replicas receive data in a push fashion.
|
||||||
#
|
#
|
||||||
# Note that it doesn't make sense to set the replica clients output buffer
|
|
||||||
# limit lower than the repl-backlog-size config (partial sync will succeed
|
|
||||||
# and then replica will get disconnected).
|
|
||||||
# Such a configuration is ignored (the size of repl-backlog-size will be used).
|
|
||||||
# This doesn't have memory consumption implications since the replica client
|
|
||||||
# will share the backlog buffers memory.
|
|
||||||
#
|
|
||||||
# Both the hard or the soft limit can be disabled by setting them to zero.
|
# Both the hard or the soft limit can be disabled by setting them to zero.
|
||||||
client-output-buffer-limit normal 0 0 0
|
client-output-buffer-limit normal 0 0 0
|
||||||
client-output-buffer-limit replica 256mb 64mb 60
|
client-output-buffer-limit replica 256mb 64mb 60
|
||||||
@ -2062,25 +1674,6 @@ client-output-buffer-limit pubsub 32mb 8mb 60
|
|||||||
#
|
#
|
||||||
# client-query-buffer-limit 1gb
|
# client-query-buffer-limit 1gb
|
||||||
|
|
||||||
# In some scenarios client connections can hog up memory leading to OOM
|
|
||||||
# errors or data eviction. To avoid this we can cap the accumulated memory
|
|
||||||
# used by all client connections (all pubsub and normal clients). Once we
|
|
||||||
# reach that limit connections will be dropped by the server freeing up
|
|
||||||
# memory. The server will attempt to drop the connections using the most
|
|
||||||
# memory first. We call this mechanism "client eviction".
|
|
||||||
#
|
|
||||||
# Client eviction is configured using the maxmemory-clients setting as follows:
|
|
||||||
# 0 - client eviction is disabled (default)
|
|
||||||
#
|
|
||||||
# A memory value can be used for the client eviction threshold,
|
|
||||||
# for example:
|
|
||||||
# maxmemory-clients 1g
|
|
||||||
#
|
|
||||||
# A percentage value (between 1% and 100%) means the client eviction threshold
|
|
||||||
# is based on a percentage of the maxmemory setting. For example to set client
|
|
||||||
# eviction at 5% of maxmemory:
|
|
||||||
# maxmemory-clients 5%
|
|
||||||
|
|
||||||
# In the Redis protocol, bulk requests, that are, elements representing single
|
# In the Redis protocol, bulk requests, that are, elements representing single
|
||||||
# strings, are normally limited to 512 mb. However you can change this limit
|
# strings, are normally limited to 512 mb. However you can change this limit
|
||||||
# here, but must be 1mb or greater
|
# here, but must be 1mb or greater
|
||||||
@ -2121,13 +1714,13 @@ hz 10
|
|||||||
dynamic-hz yes
|
dynamic-hz yes
|
||||||
|
|
||||||
# When a child rewrites the AOF file, if the following option is enabled
|
# When a child rewrites the AOF file, if the following option is enabled
|
||||||
# the file will be fsync-ed every 4 MB of data generated. This is useful
|
# the file will be fsync-ed every 32 MB of data generated. This is useful
|
||||||
# in order to commit the file to the disk more incrementally and avoid
|
# in order to commit the file to the disk more incrementally and avoid
|
||||||
# big latency spikes.
|
# big latency spikes.
|
||||||
aof-rewrite-incremental-fsync yes
|
aof-rewrite-incremental-fsync yes
|
||||||
|
|
||||||
# When redis saves RDB file, if the following option is enabled
|
# When redis saves RDB file, if the following option is enabled
|
||||||
# the file will be fsync-ed every 4 MB of data generated. This is useful
|
# the file will be fsync-ed every 32 MB of data generated. This is useful
|
||||||
# in order to commit the file to the disk more incrementally and avoid
|
# in order to commit the file to the disk more incrementally and avoid
|
||||||
# big latency spikes.
|
# big latency spikes.
|
||||||
rdb-save-incremental-fsync yes
|
rdb-save-incremental-fsync yes
|
||||||
@ -2224,7 +1817,7 @@ rdb-save-incremental-fsync yes
|
|||||||
# defragmentation process. If you are not sure about what they mean it is
|
# defragmentation process. If you are not sure about what they mean it is
|
||||||
# a good idea to leave the defaults untouched.
|
# a good idea to leave the defaults untouched.
|
||||||
|
|
||||||
# Active defragmentation is disabled by default
|
# Enabled active defragmentation
|
||||||
# activedefrag no
|
# activedefrag no
|
||||||
|
|
||||||
# Minimum amount of fragmentation waste to start active defrag
|
# Minimum amount of fragmentation waste to start active defrag
|
||||||
@ -2282,10 +1875,3 @@ jemalloc-bg-thread yes
|
|||||||
# to suppress
|
# to suppress
|
||||||
#
|
#
|
||||||
# ignore-warnings ARM64-COW-BUG
|
# ignore-warnings ARM64-COW-BUG
|
||||||
|
|
||||||
# Generated by CONFIG REWRITE
|
|
||||||
save 3600 1
|
|
||||||
save 300 100
|
|
||||||
save 60 10000
|
|
||||||
latency-tracking-info-percentiles 50 99 99.9
|
|
||||||
user default on nopass ~* &* +@all
|
|
@ -1,12 +1,3 @@
|
|||||||
# Redis configuration rewrite by 1Panel
|
|
||||||
timeout 0
|
|
||||||
# maxclients 10000
|
|
||||||
# maxmemory <bytes>
|
|
||||||
save 3600 1 300 100 60 10000
|
|
||||||
appendonly no
|
|
||||||
appendfsync everysec
|
|
||||||
# End Redis configuration rewrite by 1Panel
|
|
||||||
|
|
||||||
# Redis configuration file example.
|
# Redis configuration file example.
|
||||||
#
|
#
|
||||||
# Note that in order to read the configuration file, Redis must be
|
# Note that in order to read the configuration file, Redis must be
|
||||||
@ -93,7 +84,7 @@ appendfsync everysec
|
|||||||
# You will also need to set a password unless you explicitly disable protected
|
# You will also need to set a password unless you explicitly disable protected
|
||||||
# mode.
|
# mode.
|
||||||
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||||
# bind 127.0.0.1 -::1
|
bind 0.0.0.0
|
||||||
|
|
||||||
# By default, outgoing connections (from replica to master, from Sentinel to
|
# By default, outgoing connections (from replica to master, from Sentinel to
|
||||||
# instances, cluster bus, etc.) are not bound to a specific local address. In
|
# instances, cluster bus, etc.) are not bound to a specific local address. In
|
||||||
@ -165,7 +156,7 @@ tcp-backlog 511
|
|||||||
# unixsocketperm 700
|
# unixsocketperm 700
|
||||||
|
|
||||||
# Close the connection after a client is idle for N seconds (0 to disable)
|
# Close the connection after a client is idle for N seconds (0 to disable)
|
||||||
# timeout 0
|
timeout 0
|
||||||
|
|
||||||
# TCP keepalive.
|
# TCP keepalive.
|
||||||
#
|
#
|
||||||
@ -1385,7 +1376,7 @@ disable-thp yes
|
|||||||
#
|
#
|
||||||
# Please check https://redis.io/topics/persistence for more information.
|
# Please check https://redis.io/topics/persistence for more information.
|
||||||
|
|
||||||
# appendonly no
|
appendonly no
|
||||||
|
|
||||||
# The base name of the append only file.
|
# The base name of the append only file.
|
||||||
#
|
#
|
||||||
@ -1444,7 +1435,7 @@ appenddirname "appendonlydir"
|
|||||||
# If unsure, use "everysec".
|
# If unsure, use "everysec".
|
||||||
|
|
||||||
# appendfsync always
|
# appendfsync always
|
||||||
# appendfsync everysec
|
appendfsync everysec
|
||||||
# appendfsync no
|
# appendfsync no
|
||||||
|
|
||||||
# When the AOF fsync policy is set to always or everysec, and a background
|
# When the AOF fsync policy is set to always or everysec, and a background
|
||||||
|
Loading…
Reference in New Issue
Block a user