Created
January 13, 2018 05:02
-
-
Save rluisr/b468349f220cb90d3795222932d9d25f to your computer and use it in GitHub Desktop.
add waf blacklist using cloudfront log
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
'use strict'; | |
const aws = require('aws-sdk'); | |
const zlib = require('zlib'); | |
const Promise = require('bluebird'); | |
const waf = new aws.WAF({apiVersion: '2015-08-24'}); | |
const s3 = new aws.S3({apiVersion: '2006-03-01'}); | |
let banIPList = []; | |
// config here | |
const IP_SET_ID = ''; | |
// =========== // | |
const updateWaf = params => new Promise((resolve, reject) => { | |
waf.updateIPSet(params, (err, data) => { | |
if (err) reject(err); | |
else resolve(); | |
}); | |
}); | |
const getChangeToken = () => new Promise((resolve, reject) => { | |
const params = {}; | |
waf.getChangeToken(params, (err, data) => { | |
if (err) console.log(err, err.stack); | |
else resolve(data.ChangeToken); | |
}); | |
}); | |
const updateIPSet = token => new Promise((resolve, reject) => { | |
for (let i = 0; i < banIPList.length; i += 1) { | |
const params = { | |
ChangeToken: token, | |
IPSetId: IP_SET_ID, | |
Updates: [{ | |
Action: 'INSERT', | |
IPSetDescriptor: { | |
Type: 'IPV4', | |
Value: banIPList[i] + '/32' | |
} | |
}] | |
}; | |
updateWaf(params); | |
} | |
resolve(); | |
}); | |
exports.handler = (event, context, callback) => { | |
const bucket = event.Records[0].s3.bucket.name; | |
const key = decodeURIComponent(event.Records[0].s3.object.key.replace(/\+/g, | |
' ')); | |
const params = { | |
Bucket: bucket, | |
Key: key, | |
}; | |
s3.getObject(params, (err, data) => { | |
if (err) { | |
console.log(err); | |
const message = | |
`Error getting object ${key} from bucket ${bucket}. Make sure they exist and your bucket is in the same region as this function.`; | |
console.log(message); | |
callback(message); | |
} else { | |
const bodyBuf = zlib.gunzipSync(data.Body); | |
const body = bodyBuf.toString('UTF-8'); | |
const bodyArr = body.split(/\r\n|\r|\n/); | |
for (let i = 0; i < bodyArr.length; i += 1) { | |
const accessLogArr = bodyArr[i].split(/\s/); | |
const httpStatusCode = accessLogArr[8]; | |
if (typeof httpStatusCode !== 'undefined') { | |
if (httpStatusCode.indexOf(0) != -1 && httpStatusCode !== 200) | |
banIPList.push(accessLogArr[4]); | |
} | |
} | |
banIPList = banIPList.filter((x, i, self) => { | |
return self.indexOf(x) === i; | |
}); | |
if (banIPList.length > 0) { | |
getChangeToken() | |
.then(token => token) | |
.then(Promise.coroutine(function* (token) { | |
console.log('token is: ', token); | |
yield updateIPSet(token); | |
})) | |
.then(() => callback(null, null)) | |
.catch(err => console.log(err)); | |
} | |
callback(null, null); | |
} | |
}); | |
}; |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment