mitigate-log4shell.conf

# LUA block to detect, block and log Log4Shell attacks (C) Infiniroot 2021 (@infiniroot)
# with lua fixes and other enhancements from Andreas Nanko (@andreasnanko)
rewrite_by_lua_block {

function decipher(v)
    local s = tostring(v)
    s=ngx.unescape_uri(s)
    if string.find(s, "${base64:") then
      t=(string.gsub(s, "${${base64:([%d%a%=]+)}}", "%1"))
      s=string.gsub(s, "${base64:([%d%a%=]+)}", tostring(ngx.decode_base64(t)))
    end
    s=string.gsub(s, "${lower:(%a+)}", "%1")
    s=string.gsub(s, "${upper:(%a+)}", "%1")
    s=string.gsub(s, "${env:[%a_-]+:%-([%a:])}", "%1")
    s=string.gsub(s, "${::%-(%a+)}", "%1")
    if string.lower(s) == string.lower(tostring(v)) then
      return string.lower(s)
    else
      return decipher(s)
    end
end

local req_headers = "Headers: ";
local h, err = ngx.req.get_headers()
for k, v in pairs(h) do
  req_headers = req_headers .. k .. ": " .. tostring(v) .. "\n";
  if v then
    if string.match(decipher(v), "{jndi:") then
      ngx.log(ngx.ERR, 'Found potential log4j attack in header ' .. k .. ':' .. tostring(v))
      ngx.exit(ngx.HTTP_FORBIDDEN)
    end
  else
    if err then
      ngx.log(ngx.ERR, "error: ", err)
      return
    end
  end
end
local uri = tostring(ngx.var.request_uri)
if string.match(decipher(uri), "{jndi:") then
      ngx.log(ngx.ERR, 'Found potential log4j attack in request: ' .. uri )
      ngx.exit(ngx.HTTP_FORBIDDEN)
end
}