找回了当时测试时用OpenResty Edgelang的代码。
uri contains "SQL"=>
set-upstream('HoneyPot_1');
req-header("Content-Type") contains "multipart/form-data",
req-header("Content-Type") !contains rx{^multipart/form-data[\s\S]+} =>
waf-mark-evil(message: "CVE-2017-5638 Struts", level: "super"),
set-upstream('HoneyPot_2');
uri("/shop"), client-province('Guangdong'),
ua-is-mobile() =>
limit-req-rate(key: client-addr, target-rate: 5 [r/s], reject-rate: 10 [r/s]), limit-resp-data-rate(441 [mB/s]);
uri("/shop"), client-country("US") =>
limit-req-rate(key: client-addr, target-rate: 5 [r/s], reject-rate: 10 [r/s]), sleep(0.5);
req-header(“Content-Type”) contains “multipart/form-data”,
req-header(“Content-Type”) !contains rx{^multipart/form-data[\s\S]+} =>
waf-mark-evil(message: "CVE-XXX-XXX ", level: "super"),