nemesida-waf / nw-captcha

PHP-code for integrating reCAPTCHA with Nemesida WAF

nw-captcha

An example of PHP code for integrating Nemesida WAF with reCAPTCHA functionality (unblocking IP addresses identified by Nemesida WAF as sources of DDoS, brute-force and flood attacks). nw-captcha, together with a configured Nginx, is also available as a Docker image.

Nemesida WAF with reCAPTCHA

Get reCAPTCHA keys

In the Google reCAPTCHA control panel, get the site key and secret key for reCAPTCHA v2 and set them in the file settings.php.

Initialize the SQLite file:

Create an SQLite file and initialize its structure. Create the directory where the file will be stored (for example, /opt/nw-captcha/) and create the file in it:

mkdir -p /opt/nw-captcha/
sqlite3 /opt/nw-captcha/nw.db

Create the required table:

  create table client
  (
      url         text,
      token       text,
      uuid        text,
      waf_id      text
  );

  create unique index client_uuid_uindex
      on client (uuid);

Description of parameters:

  • url - the URL of the server with the Nemesida WAF dynamic module installed (e.g. SCHEMA://HOST[:PORT]);
  • token - the value of the nwaf_ban_captcha_token parameter;
  • uuid - the unique ID of the Nemesida WAF instance;
  • waf_id - the ID of the license key group.

Add records to the database for each server with Nemesida WAF.

Example:

INSERT INTO client(url, token, uuid, waf_id) VALUES ('https://example.ru','token','uuid','waf_id');

The UUID and WAF ID are written to the Nginx service's error.log.

Example:

# cat /var/log/nginx/error.log | grep 'WAF ID'

2022/01/01 00:00:00 [info] ...: Nemesida WAF: UUID: XXX; WAF ID: XXX. ...

Update the DB_PATH parameter in settings.php.
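
The following Python script is an added example, not code from the nw-captcha repository: it pulls the UUID and WAF ID from error.log lines in the format shown above and stores the client record with bound parameters, relying on the unique index on uuid so that registering the same instance again updates its row instead of failing. The function names, the sample log lines and the http/https-only URL check are assumptions made for the example.

```python
import re
import sqlite3
from urllib.parse import urlsplit

# Table and unique index from the "Create the required table" step.
SCHEMA = """
create table if not exists client (url text, token text, uuid text, waf_id text);
create unique index if not exists client_uuid_uindex on client (uuid);
"""
# Assumption: IDs contain no whitespace, ';' or '.', as in the log line shown above.
ID_RE = re.compile(r"Nemesida WAF: UUID: (?P<uuid>[^;\s]+); WAF ID: (?P<waf_id>[^\s.;]+)")

# Constructed sample log lines (not real identifiers).
SAMPLE_LOG = [
    "2022/01/01 00:00:00 [notice] 100#100: start worker processes",
    "2022/01/01 00:00:00 [info] 100#100: Nemesida WAF: UUID: "
    "11111111-2222-3333-4444-555555555555; WAF ID: 1234567890. (constructed)",
]

def find_ids(log_lines):
    """Return (uuid, waf_id) from the last matching line, or None."""
    found = None
    for line in log_lines:
        m = ID_RE.search(line)
        if m:
            found = (m.group("uuid"), m.group("waf_id"))
    return found

def register(db, url, token, log_lines):
    """Insert or refresh the client row for one WAF server; return its IDs."""
    parts = urlsplit(url)
    # Assumption: SCHEMA is http or https.
    if parts.scheme not in ("http", "https") or not parts.netloc:
        raise ValueError("url must have the form SCHEMA://HOST[:PORT]")
    if not token:
        raise ValueError("token (nwaf_ban_captcha_token) must not be empty")
    ids = find_ids(log_lines)
    if ids is None:
        raise LookupError("no 'UUID: ...; WAF ID: ...' line in the log")
    db.executescript(SCHEMA)
    # Bound parameters keep quotes in the token from altering the statement;
    # OR REPLACE uses the unique index on uuid, so a re-run updates the row.
    db.execute("insert or replace into client(url, token, uuid, waf_id) "
               "values (?, ?, ?, ?)", (url, token, *ids))
    db.commit()
    return ids

if __name__ == "__main__":
    with sqlite3.connect(":memory:") as conn:  # use DB_PATH from settings.php in practice
        print(register(conn, "https://example.ru", "token", SAMPLE_LOG))
```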

Activation

On a server with Nemesida WAF installed, set the nwaf_ban_captcha_token parameter in the nwaf.conf settings file; it defines the secret string used to unblock an IP address.


Docker image

Docker container deploying

To deploy a container with nw-captcha, follow these steps:

  1. Pull the image containing nw-captcha along with the configured Nginx:
# docker pull nemesida/nw-captcha
  2. Create a directory:
# mkdir -p /opt/nwaf/nw-captcha
  3. In the configuration files directory, create a file named first-launch:
# touch /opt/nwaf/nw-captcha/first-launch
  4. Launch the container with nw-captcha using the commands:
# iptables -t filter -N DOCKER
# docker run --rm -d -v /opt/nwaf/nw-captcha:/nw-captcha -p 80:80 nemesida/nw-captcha

where:

  • --rm - remove the container once it stops;
  • -d - run the container in the background;
  • -v /opt/nwaf/nw-captcha:/nw-captcha - mount the directory with configuration files inside the container;
  • -p 80:80 - publish port 80 of the container on external port 80.

To view the container ID (the CONTAINER ID column), you can use the command:

# docker ps -a

You can stop the container with the command:

# docker stop /container ID/
  5. Allow read access for everyone for the nw-captcha directory (mode 0555 grants read and execute to all users and write to none):
# chmod -R 0555 /opt/nwaf/nw-captcha
  6. Install SQLite3 and make configuration changes.

  7. To launch the container, run the following commands:

# iptables -t filter -N DOCKER
# docker run --rm -d -v /opt/nwaf/nw-captcha:/nw-captcha -p 80:80 nemesida/nw-captcha

Docker image updating

  1. Before updating the nw-captcha image, check whether the container is running. To do this, view the container ID (the CONTAINER ID column) using the command:
# docker ps -a
  2. If the container is running, stop it using the command:
# docker stop /container ID/
  3. When the container is stopped, delete the image:
# docker rmi nemesida/nw-captcha
  4. Pull the image containing nw-captcha:
# docker pull nemesida/nw-captcha
  5. Launch the container with the nw-captcha image using the commands:
# iptables -t filter -N DOCKER
# docker run --rm -d -v /opt/nwaf/nw-captcha/:/nw-captcha nemesida/nw-captcha

License:MIT License

