Merge pull request #156 from PerimeterX/dev

Johnny Tordgeman · web-flow · commit 040230dfcdd1 · 2018-10-14T14:59:06.000+03:00
Version 5.2.0
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -5,6 +5,11 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](http://keepachangelog.com/)
 and this project adheres to [Semantic Versioning](http://semver.org/).
 
+## [5.2.0] - 2018-10-14
+### Added
+- Enrich Custom Parameters support
+- Refreshed documentation for NGINX plus and RHEL 7.5
+
 ## [5.1.0] - 2018-09-26
 ### Added
 - Support for Advanced Blocking Response
diff --git a/NGINXPLUS.md b/NGINXPLUS.md
@@ -0,0 +1,54 @@
+###### 1. Install the <a href="https://docs.nginx.com/nginx/admin-guide/dynamic-modules/lua/" onclick="window.open(this.href); return false;">Lua modules provided by NGINX</a>
+
+* For Amazon Linux, CentOS, and RHEL:
+  ```sh
+  yum install nginx-plus-module-lua
+  ```
+
+* For Ubuntu:
+  ```sh
+  apt-get install nginx-plus-module-lua
+  ```
+
+###### 2. Remove Pre-installed Nettle
+  ```sh
+  sudo yum -y remove nettle
+  ```
+
+###### 3. Install Nettle from Source
+Download and compile nettle using the version appropriate for your environment:
+
+For Amazon Linux, CentOS, and RHEL:
+  ```sh
+  yum -y install m4 # prerequisite for nettle
+  cd /tmp/
+  wget https://ftp.gnu.org/gnu/nettle/nettle-3.3.tar.gz
+  tar -xzf nettle-3.3.tar.gz
+  cd nettle-3.3
+  ./configure
+  make install
+  ```
+
+###### 4. Install Luarocks and Dependencies 
+  ```sh
+  sudo yum install luarocks
+  sudo luarocks install lua-cjson
+  sudo luarocks install lustache
+  sudo luarocks install lua-resty-nettle
+  sudo luarocks install luasocket
+  sudo luarocks install lua-resty-http
+  ```
+
+###### 5. Install PerimeterX NGINX Plugin
+  ```sh
+  sudo luarocks install perimeterx-nginx-plugin
+  ```
+
+###### 6. Modify Selinux (Consult with your internal System Administrator)
+On CentOS 7 and other Linux operating systems you may need to modify or disable Selinux. If you get the following error:
+
+`nginx: lua atpanic: Lua VM crashed, reason: runtime code generation failed, restricted kernel?`
+
+You will need to make one of the following changes:
+* To disable SELinux: `RUN setenforcer 0`
+* To enable execmem for httpd_t: `RUN setsebool httpd_execmem 1 -P` 
diff --git a/NGINXPLUS_RHEL7.4.md b/NGINXPLUS_RHEL7.4.md
@@ -0,0 +1,119 @@
+## <a name="installation_nginxplus_px_rhel"></a>Installing PerimeterX on NGINX+ With RHEL 7.4 And Above
+
+The PerimeterX NGINX plugin can be installed on **NGINX+ up to version R15**. <br/>
+There is currently a known bug in R16 which crashes NGINX when calling `init_worker_by_lua_block` (required by the PerimeterX plugin). Until this bug is fixed, PerimeterX will not support installations using R16.
+
+### Installation
+
+1. Install the NGINX+ lua module according to the version of NGINX+ installed. (The example shows R15):
+
+	```sh
+	sudo yum install -y nginx-plus-module-lua-r15
+	```
+
+2. Make sure Nettle is removed:
+
+	```sh
+	sudo yum -y remove nettle
+	```
+
+3. Install the development tools:
+
+	```sh
+	sudo yum groupinstall -y "Development Tools"
+	```
+
+4. Compile and install Nettle from source:
+
+	```sh
+	mkdir /tmp
+	cd /tmp/
+	wget https://ftp.gnu.org/gnu/nettle/nettle-3.3.tar.gz
+	tar -xzf nettle-3.3.tar.gz
+	cd nettle-3.3
+	./configure
+	make
+	sudo make install
+	```
+
+5. Install Luarocks and the PerimeterX Lua plugin dependencies:
+
+	```sh
+	sudo yum install -y luarocks lua-devel
+	sudo luarocks install lua-cjson
+	sudo luarocks install lustache
+	sudo luarocks install lua-resty-nettle
+	sudo luarocks install luasocket
+	sudo luarocks install lua-resty-http
+	```
+
+6. Install the PerimeterX Module:
+
+	```sh
+	sudo luarocks install perimeterx-nginx-plugin
+	```
+
+### Configuration
+
+1. Add the modules loading declaration at the top of the `nginx.conf` file:
+
+	```lua
+	load_module modules/ndk_http_module.so;
+	load_module modules/ngx_http_lua_module.so;
+	```
+
+2. Add the `lua_package_path` and `lua_package_cpath` declarations inside the `http` scope:
+
+	```lua
+	lua_package_path "/usr/local/lib/lua/?.lua;;";
+	lua_package_cpath "/usr/lib64/lua/5.1/?.so;;";
+	```
+
+3. Add the Resolver directive: 
+
+  The Resolver directive must be configured in the HTTP section of your NGINX configuration. <br/>
+  
+  * Set the Resolver, `resolver A.B.C.D;`, to an external DNS resolver, such as Google (`resolver 8.8.8.8;`), 
+   
+   _or_ 
+   
+  * Set the resolver, `resolver A.B.C.D;`, to the internal IP address of your DNS resolver (`resolver 10.1.1.1;`).   
+  
+  This is required for NGINX to resolve the PerimeterX API.
+
+4. Add the Lua CA Certificates:
+
+  For TLS to support PerimeterX servers, configure Lua to point to the trusted certificate location.
+  
+  ```lua
+  lua_ssl_trusted_certificate "/etc/pki/tls/certs/ca-bundle.crt";
+  lua_ssl_verify_depth 3;
+  ```
+
+5. Add the Lua Timer Initialization:
+
+  Add the init with a Lua script. The init is used by PerimeterX to hold and send metrics at regular intervals.
+  This section also defines the runtime path to the 'nettle' library.
+
+  ```lua
+  init_worker_by_lua_block {
+      _NETTLE_LIB_PATH = "/usr/local/lib64"
+      local pxconfig = require("px.pxconfig")
+      require ("px.utils.pxtimer").application(pxconfig)
+  }
+  ```
+
+6. Apply PerimeterX Enforcement:
+
+  Add the following line to your `location` block
+  
+  ```
+   #----- PerimeterX protect location -----#
+   access_by_lua_block {
+   	local pxconfig = require("px.pxconfig")
+  	require ("px.pxnginx").application(pxconfig)
+   }
+   #----- PerimeterX Module End  -----#
+  ```
+
+7. Continue with the [PerimeterX Plugin Configuration](https://github.com/PerimeterX/perimeterx-nginx-plugin#perimeterx-plugin-configuration) section.
diff --git a/README.md b/README.md
@@ -4,7 +4,7 @@
 
 # [PerimeterX](http://www.perimeterx.com) NGINX Lua Plugin
 
-> Latest stable version: [v5.1.0](https://luarocks.org/modules/bendpx/perimeterx-nginx-plugin/5.1-0)
+> Latest stable version: [v5.2.0](https://luarocks.org/modules/bendpx/perimeterx-nginx-plugin/5.2-0)
 
 
 ## [Introduction](#introduction)
@@ -16,8 +16,8 @@
 * [Supported Operating Systems](#supported_os)
 * [Supported NGINX Versions](#supported_versions)
 * [Installing with Ubuntu](#ubuntu)
-* [Installing with CentOS7](centos7)
-* [Installing the PerimeterX NGINX Plugin for NGINX+](#nstallation_nginxplus_px)  
+* [Installing with CentOS7](#centos7)
+* [Installing the PerimeterX NGINX Plugin for NGINX+](#installation_nginxplus_px)  
 * [Required NGINX Configuration](#nginx_configuration)
   * [Resolver](#nginx_resolver)
   * [Lua Package Path](#nginx_lua_package_path)
@@ -34,7 +34,6 @@
 * [Optional Configuration](#advanced_configuration)
   * [Monitor / Block Mode](#monitoring_mode)
   * [Debug Mode](#debug-mode)
-  * [Extracting Real IP Address](#real-ip)
   * [Whitelisting](#whitelisting)
   * [Filter Sensitive Headers](#sensitive-headers)
   * [Remote Configurations](#remote-configurations)
@@ -45,6 +44,7 @@
   * [Redirect to a Custom Block Page URL](#redirect_to_custom_blockpage)
   * [Redirect on Custom URL](#redirect_on_custom_url)
   * [Additional Activity Handler](#add-activity-handler)
+  * [Enrich Custom Parameters](#custom-parameters)
   * [Blocking Score](#blocking-score)
 
 ## [Enrichment](#enrichment)
@@ -339,65 +339,11 @@ sudo luarocks install perimeterx-nginx-plugin
   ```
 
 ### <a name="installation_nginxplus_px"></a>Installing the PerimeterX NGINX Plugin for NGINX+
-If you are already using NGINX+ the following steps cover how to install the NGINX+ Lua Module & the PermimeterX NGINX Plugin. 
 
-###### 1. Install the <a href="https://docs.nginx.com/nginx/admin-guide/dynamic-modules/lua/" onclick="window.open(this.href); return false;">Lua modules provided by NGINX</a>
+If you are already using NGINX+, the following steps cover installing the NGINX+ Lua Module and the PermimeterX NGINX Plugin.
 
-* For Amazon Linux, CentOS, and RHEL:
-  ```sh
-  yum install nginx-plus-module-lua
-  ```
-
-* For Ubuntu:
-  ```sh
-  apt-get install nginx-plus-module-lua
-  ```
-
-###### 2. Remove Pre-installed Nettle
-  ```sh
-  sudo yum -y remove nettle
-  ```
-
-###### 3. Install Nettle from Source
-Download and compile nettle using the version appropriate for your environment:
-
-For Amazon Linux, CentOS, and RHEL:
-  ```sh
-  yum -y install m4 # prerequisite for nettle
-  cd /tmp/
-  wget https://ftp.gnu.org/gnu/nettle/nettle-3.3.tar.gz
-  tar -xzf nettle-3.3.tar.gz
-  cd nettle-3.3
-  ./configure
-  make clean && make install
-  cd /usr/lib64 && ln -s /usr/local/lib64/libnettle.so.
-  ```
-
-###### 4. Install Luarocks and Dependencies 
-  ```sh
-  sudo yum install luarocks
-  sudo luarocks install lua-cjson
-  sudo luarocks install lustache
-  sudo luarocks install lua-resty-nettle
-  sudo luarocks install luasocket
-  sudo luarocks install lua-resty-http
-
-  sudo ln -s /usr/lib64/lua /usr/lib/lua
-  ```
-
-###### 5. Install PerimeterX NGINX Plugin
-  ```sh
-  sudo luarocks install perimeterx-nginx-plugin
-  ```
-
-###### 6. Modify Selinux (Consult with your internal System Administrator)
-On CentOS 7 and other Linux operating systems you may need to modify or disable Selinux. If you get the following error:
-
-`nginx: lua atpanic: Lua VM crashed, reason: runtime code generation failed, restricted kernel?`
-
-You will need to make one of the following changes:
-* To disable SELinux: `RUN setenforcer 0`
-* To enable execmem for httpd_t: `RUN setsebool httpd_execmem 1 -P` 
+* [RHEL 7.4 and higher](NGINXPLUS_RHEL7.4.md)
+* [Amazon Linux, CentOS and RHEL 7.3 and lower](NGINXPLUS.md)
 
 ## <a name="configuration"></a>Configuration
 
@@ -784,6 +730,20 @@ Controls the timeouts for PerimeterX requests. The API is called when a Risk Coo
   end
   ```
 
+### <a name="custom-parameters"> Enrich Custom Parameters
+With the `enrich_custom_params` function you can add up to 10 custom parameters to be sent back to PerimeterX servers. When set, the function is called before seting the payload on every request to PerimetrX servers. The parameters should be passed according to the correct order (1-10).
+You must return the `px_cusom_params` object at the end of the function.
+
+ **Default:** nil
+
+Example: 
+```lua
+_M.enrich_custom_parameters = function(px_custom_params)
+  px_custom_params["custom_param1"] = "user_id"
+  return px_custom_params
+end
+```
+
 ### <a name="blocking-score"></a> Changing the Minimum Score for Blocking
 
 This value should not be changed from the default of 100 unless advised by PerimeterX.
diff --git a/lib/px/utils/config_builder.lua b/lib/px/utils/config_builder.lua
@@ -15,6 +15,7 @@ PX_DEFAULT_CONFIGURATIONS["score_header_enabled"] = { false, "boolean"}
 PX_DEFAULT_CONFIGURATIONS["sensitive_routes_prefix"] = { {}, "table"}
 PX_DEFAULT_CONFIGURATIONS["sensitive_routes_suffix"] = { {}, "table"}
 PX_DEFAULT_CONFIGURATIONS["additional_activity_handler"] = { nil, "function" }
+PX_DEFAULT_CONFIGURATIONS["enrich_custom_parameters"] = { nil, "function" }
 PX_DEFAULT_CONFIGURATIONS["enabled_routes"] = { {}, "table"}
 PX_DEFAULT_CONFIGURATIONS["first_party_enabled"] = { true, "boolean"}
 PX_DEFAULT_CONFIGURATIONS["reverse_xhr_enabled"] = { true, "boolean"}
diff --git a/lib/px/utils/pxapi.lua b/lib/px/utils/pxapi.lua
@@ -16,6 +16,12 @@ function M.load(px_config)
     local px_debug = px_config.px_debug
     local ngx_req_get_method = ngx.req.get_method
     local ngx_req_http_version = ngx.req.http_version
+    local px_custom_params = {}
+
+    -- initialize the px_custom_params table
+    for i = 1, 10 do
+        px_custom_params["custom_param" .. i] = ""
+    end
 
     -- new_request_object --
     -- takes no arguments
@@ -69,6 +75,16 @@ function M.load(px_config)
             risk.additional.px_cookie_hmac = ngx.ctx.px_cookie_hmac
         end
 
+        if px_config.enrich_custom_parameters ~= nil then
+            px_logger.debug("enrich_custom_parameters was triggered");
+            local px_risk_custom_params = px_config.enrich_custom_parameters(px_custom_params)
+            for key, value in pairs(px_risk_custom_params) do
+                if string.match(key,"^custom_param%d+$") and value ~= "" then
+                    risk.additional[key] = value
+                end
+            end
+        end
+
         risk.additional.http_version = ngx_req_http_version()
         risk.additional.http_method = ngx_req_get_method()
         risk.additional.module_version = px_constants.MODULE_VERSION
diff --git a/lib/px/utils/pxconstants.lua b/lib/px/utils/pxconstants.lua
@@ -3,7 +3,7 @@
 ----------------------------------------------
 
 local _M = {
-    MODULE_VERSION = "NGINX Module v5.1.0",
+    MODULE_VERSION = "NGINX Module v5.2.0",
     RISK_PATH = "/api/v3/risk",
     CAPTCHA_PATH = "/api/v2/risk/captcha",
     ACTIVITIES_PATH = "/api/v1/collector/s2s",
diff --git a/perimeterx-nginx-plugin-5.2-0.rockspec b/perimeterx-nginx-plugin-5.2-0.rockspec
@@ -1,8 +1,8 @@
  package = "perimeterx-nginx-plugin"
- version = "5.1-0"
+ version = "5.2-0"
  source = {
     url = "git://github.com/PerimeterX/perimeterx-nginx-plugin.git",
-    tag = "v5.1.0",
+    tag = "v5.2.0",
  }
  description = {
     summary = "PerimeterX NGINX Lua Middleware.",
