bdsa/wafy 问题修复 & 功能扩展

解决BUG、新增功能、兼容多环境部署,快速响应你的开发需求

邮箱:yvsm@zunyunkeji.com | QQ:316430983 | 微信:yvsm316

bdsa/wafy

Composer 安装命令:

composer require bdsa/wafy

包简介

A Laravel package to automatically ban IP addresses and detect malicious requests.

README 文档

README

License PHP Laravel

Wafy is a robust Laravel package developed by Bdsa designed to automatically ban IP addresses and detect malicious requests, including SQL Injection, XSS, and more.

Features

  • 🛡️ IP Banning: Automatically block IPs engaging in suspicious activity.
  • 🕵️ Malicious Request Detection: Detects SQLi, XSS, LFI, and RCE attempts.
  • ⏱️ Temporary & Permanent Bans: Configurable ban durations.
  • ⚙️ Customizable Patterns: Define your own regex patterns for detection.
  • 🖥️ Artisan Commands: Easily manage banned IPs via CLI.

Installation

1. Require with Composer

Add the package to your project:

composer require bdsa/wafy

2. Publish Configuration

Publish the configuration file and migrations:

php artisan vendor:publish --provider="Bdsa\Wafy\WafyServiceProvider"

3. Run Migrations

Create the banned_ips table:

php artisan migrate

Usage

Middleware

Wafy provides two key middlewares : BlockBannedIp & DetectMaliciousRequests.

Protecting Routes

Apply the middleware to your routes or groups:

use Bdsa\Wafy\Middleware\BlockBannedIp;
use Bdsa\Wafy\Middleware\DetectMaliciousRequests;

Route::group(['middleware' => ['block.banned.ip', 'detect.malicious.requests']], function () {
    Route::get('/', function () {
        return view('welcome');
    });
    
    // Your protected routes
});

Artisan Commands

Manage banned IPs directly from the terminal:

  • Ban an IP manually:

    php artisan wafy:ban {ip_address} [--reason="Your reason"]
  • Unban an IP:

    php artisan wafy:unban {ip_address}
  • List all banned IPs:

    php artisan wafy:list
  • Enable/Disable WAF:

    php artisan wafy:mode {enable|disable}
  • Set Action Mode (Block or Log-Only):

    php artisan wafy:action {block|log}

ℹ️ Note — wafy:mode and wafy:action are temporary runtime overrides. These two commands store their state in the cache, so they are meant for momentary situations (testing, incident response). Any cache flush (php artisan cache:clear, config:cache, a deploy, a Redis restart…) resets them, and Wafy falls back to the values in config/wafy.php. To change the behaviour permanently, edit config/wafy.php (or the matching WAFY_* environment variables) — that is the source of truth.

⚠️ Running behind a reverse proxy / CDN (read this first)

Wafy identifies clients by IP ($request->ip()) and can ban them. If your application runs behind a reverse proxy, load balancer or CDN (Nginx, Traefik, Cloudflare, AWS ALB…), you must configure Laravel's TrustProxies middleware so that $request->ip() returns the real client IP.

  • If you don't configure trusted proxies, every request appears to come from the proxy. The first malicious request then bans your own proxy, cutting off all traffic.
  • If you trust proxies with a blanket *, the X-Forwarded-For header becomes attacker-controlled: an attacker can spoof a clean IP to bypass bans, or forge a victim's IP to get it banned. Only trust the specific proxy ranges you use.

Also add your proxy / CDN ranges and any critical infrastructure to wafy.allowed_ips (CIDR ranges are supported) so they can never be banned.

Configuration

The configuration file is located at config/wafy.php. Besides the detection patterns, the following options control how bans are applied:

Key Default Description
ban_threshold 1 Number of detections from one IP (within strike_window minutes) before it is banned. Raising this above 1 is strongly recommended so a single false positive doesn't lock out a legitimate (shared/NAT/mobile) IP. The offending request is always blocked regardless.
strike_window 60 Minutes over which strikes accumulate.
ban_duration 1440 Automatic ban lifetime in minutes (24h). Set to null for permanent bans. Manual wafy:ban bans are always permanent.
max_scan_length 16384 Max characters inspected per field — caps regex CPU cost (ReDoS protection).
fail_open true If the ban database is unreachable, let requests through (true) instead of returning 503 for everyone (false).
scan_headers ['User-Agent', 'Referer'] Request headers inspected for patterns.
sensitive_keys passwords, tokens, card fields… Input keys whose values are redacted before a request is stored or notified.
allowed_ips [] IPs / CIDR ranges (IPv4 & IPv6) that bypass Wafy entirely.

Default protection covers:

  • SQL Injection (SQLi): UNION SELECT, common SQL verbs, hex encoding.
  • Local File Inclusion (LFI): Directory traversal (../), system files (/etc/passwd).
  • Cross-Site Scripting (XSS): Script tags, event handlers (onload, onerror).
  • Remote Code Execution (RCE): Shell commands (cat, wget), PHP execution functions.

Example config/wafy.php:

return [
    'enabled' => env('WAFY_ENABLED', true),
    'patterns' => [
        '/(union(\s+all)?\s+select)/i',
        '/(select\s+.*\s+from|delete\s+from|update\s+.*\s+set)/i',
        '/(<script.*?>.*?<\/script>)/is',
        // Add your custom patterns here
    ],
    'allowed_ips' => [
        '127.0.0.1', // Localhost
        '192.168.1.1', // Office IP
    ],
    'notifications' => [
        'enabled' => env('WAFY_NOTIFICATIONS_ENABLED', false),
        'channels' => ['mail'], // Choose 'mail', 'slack' or both
        'email' => env('WAFY_NOTIFICATION_EMAIL', 'admin@example.com'),
        'slack_webhook' => env('WAFY_SLACK_WEBHOOK', ''),
    ],
];

Testing

To run the package tests:

vendor/bin/phpunit

License

This project is licensed under the MIT License.

bdsa/wafy 适用场景与选型建议

bdsa/wafy 是一款 基于 PHP 开发的 Composer 扩展包,目前已累计 52 次下载、GitHub Stars 达 1, 最近一次更新时间为 2024 年 09 月 25 日, 在 PHP 生态内属于活跃度较高的组件。

我们在过去多个企业项目中使用过 bdsa/wafy 或与其功能相近的方案,如果你在选型或落地过程中遇到问题,例如 版本兼容、二次改造、私有化封装、与内部系统对接、生产 BUG 排查,欢迎联系我们协助评估。

围绕 bdsa/wafy 我们能提供哪些服务?
定制开发 / 二次开发

基于 bdsa/wafy 在你已有业务上做功能扩展、字段裁剪、UI 适配、与内部账号 / 权限 / 日志系统的深度对接。

BUG 修复 & 性能优化

线上偶发问题、内存泄漏、慢查询、并发异常等排查修复;针对高流量场景做缓存、队列、索引层面的调优。

项目外包 & 长期维护

承接完整的项目从需求 → 设计 → 开发 → 上线 → 长期运维;也可按月提供技术保姆服务。

yvsm@zunyunkeji.com QQ:316430983 微信:yvsm316 西安尊云信息科技 · 专注 PHP / Go / 分布式系统研发

统计信息

  • 总下载量: 52
  • 月度下载量: 0
  • 日度下载量: 0
  • 收藏数: 2
  • 点击次数: 20
  • 依赖项目数: 0
  • 推荐数: 0

GitHub 信息

  • Stars: 1
  • Watchers: 2
  • Forks: 0
  • 开发语言: PHP

其他信息

  • 授权协议: MIT
  • 更新时间: 2024-09-25