bdsa/wafy
Composer 安装命令:
composer require bdsa/wafy
包简介
A Laravel package to automatically ban IP addresses and detect malicious requests.
README 文档
README
Wafy is a robust Laravel package developed by Bdsa designed to automatically ban IP addresses and detect malicious requests, including SQL Injection, XSS, and more.
Features
- 🛡️ IP Banning: Automatically block IPs engaging in suspicious activity.
- 🕵️ Malicious Request Detection: Detects SQLi, XSS, LFI, and RCE attempts.
- ⏱️ Temporary & Permanent Bans: Configurable ban durations.
- ⚙️ Customizable Patterns: Define your own regex patterns for detection.
- 🖥️ Artisan Commands: Easily manage banned IPs via CLI.
Installation
1. Require with Composer
Add the package to your project:
composer require bdsa/wafy
2. Publish Configuration
Publish the configuration file and migrations:
php artisan vendor:publish --provider="Bdsa\Wafy\WafyServiceProvider"
3. Run Migrations
Create the banned_ips table:
php artisan migrate
Usage
Middleware
Wafy provides two key middlewares : BlockBannedIp & DetectMaliciousRequests.
Protecting Routes
Apply the middleware to your routes or groups:
use Bdsa\Wafy\Middleware\BlockBannedIp; use Bdsa\Wafy\Middleware\DetectMaliciousRequests; Route::group(['middleware' => ['block.banned.ip', 'detect.malicious.requests']], function () { Route::get('/', function () { return view('welcome'); }); // Your protected routes });
Artisan Commands
Manage banned IPs directly from the terminal:
-
Ban an IP manually:
php artisan wafy:ban {ip_address} [--reason="Your reason"] -
Unban an IP:
php artisan wafy:unban {ip_address} -
List all banned IPs:
php artisan wafy:list
-
Enable/Disable WAF:
php artisan wafy:mode {enable|disable} -
Set Action Mode (Block or Log-Only):
php artisan wafy:action {block|log}
ℹ️ Note —
wafy:modeandwafy:actionare temporary runtime overrides. These two commands store their state in the cache, so they are meant for momentary situations (testing, incident response). Any cache flush (php artisan cache:clear,config:cache, a deploy, a Redis restart…) resets them, and Wafy falls back to the values inconfig/wafy.php. To change the behaviour permanently, editconfig/wafy.php(or the matchingWAFY_*environment variables) — that is the source of truth.
⚠️ Running behind a reverse proxy / CDN (read this first)
Wafy identifies clients by IP ($request->ip()) and can ban them. If your
application runs behind a reverse proxy, load balancer or CDN (Nginx, Traefik,
Cloudflare, AWS ALB…), you must configure Laravel's TrustProxies
middleware so that $request->ip() returns the real client IP.
- If you don't configure trusted proxies, every request appears to come from the proxy. The first malicious request then bans your own proxy, cutting off all traffic.
- If you trust proxies with a blanket
*, theX-Forwarded-Forheader becomes attacker-controlled: an attacker can spoof a clean IP to bypass bans, or forge a victim's IP to get it banned. Only trust the specific proxy ranges you use.
Also add your proxy / CDN ranges and any critical infrastructure to
wafy.allowed_ips (CIDR ranges are supported) so they can never be banned.
Configuration
The configuration file is located at config/wafy.php. Besides the detection
patterns, the following options control how bans are applied:
| Key | Default | Description |
|---|---|---|
ban_threshold |
1 |
Number of detections from one IP (within strike_window minutes) before it is banned. Raising this above 1 is strongly recommended so a single false positive doesn't lock out a legitimate (shared/NAT/mobile) IP. The offending request is always blocked regardless. |
strike_window |
60 |
Minutes over which strikes accumulate. |
ban_duration |
1440 |
Automatic ban lifetime in minutes (24h). Set to null for permanent bans. Manual wafy:ban bans are always permanent. |
max_scan_length |
16384 |
Max characters inspected per field — caps regex CPU cost (ReDoS protection). |
fail_open |
true |
If the ban database is unreachable, let requests through (true) instead of returning 503 for everyone (false). |
scan_headers |
['User-Agent', 'Referer'] |
Request headers inspected for patterns. |
sensitive_keys |
passwords, tokens, card fields… | Input keys whose values are redacted before a request is stored or notified. |
allowed_ips |
[] |
IPs / CIDR ranges (IPv4 & IPv6) that bypass Wafy entirely. |
Default protection covers:
- SQL Injection (SQLi):
UNION SELECT, common SQL verbs, hex encoding. - Local File Inclusion (LFI): Directory traversal (
../), system files (/etc/passwd). - Cross-Site Scripting (XSS): Script tags, event handlers (
onload,onerror). - Remote Code Execution (RCE): Shell commands (
cat,wget), PHP execution functions.
Example config/wafy.php:
return [ 'enabled' => env('WAFY_ENABLED', true), 'patterns' => [ '/(union(\s+all)?\s+select)/i', '/(select\s+.*\s+from|delete\s+from|update\s+.*\s+set)/i', '/(<script.*?>.*?<\/script>)/is', // Add your custom patterns here ], 'allowed_ips' => [ '127.0.0.1', // Localhost '192.168.1.1', // Office IP ], 'notifications' => [ 'enabled' => env('WAFY_NOTIFICATIONS_ENABLED', false), 'channels' => ['mail'], // Choose 'mail', 'slack' or both 'email' => env('WAFY_NOTIFICATION_EMAIL', 'admin@example.com'), 'slack_webhook' => env('WAFY_SLACK_WEBHOOK', ''), ], ];
Testing
To run the package tests:
vendor/bin/phpunit
License
This project is licensed under the MIT License.
bdsa/wafy 适用场景与选型建议
bdsa/wafy 是一款 基于 PHP 开发的 Composer 扩展包,目前已累计 52 次下载、GitHub Stars 达 1, 最近一次更新时间为 2024 年 09 月 25 日, 在 PHP 生态内属于活跃度较高的组件。
我们在过去多个企业项目中使用过 bdsa/wafy 或与其功能相近的方案,如果你在选型或落地过程中遇到问题,例如 版本兼容、二次改造、私有化封装、与内部系统对接、生产 BUG 排查,欢迎联系我们协助评估。
基于 bdsa/wafy 在你已有业务上做功能扩展、字段裁剪、UI 适配、与内部账号 / 权限 / 日志系统的深度对接。
线上偶发问题、内存泄漏、慢查询、并发异常等排查修复;针对高流量场景做缓存、队列、索引层面的调优。
承接完整的项目从需求 → 设计 → 开发 → 上线 → 长期运维;也可按月提供技术保姆服务。
统计信息
- 总下载量: 52
- 月度下载量: 0
- 日度下载量: 0
- 收藏数: 2
- 点击次数: 20
- 依赖项目数: 0
- 推荐数: 0
其他信息
- 授权协议: MIT
- 更新时间: 2024-09-25