找回了当时测试时用 OpenResty Edgelang 写的代码。

# Test rule: any request whose URI contains the literal substring "SQL" is
# routed to the HoneyPot_1 upstream.
# NOTE(review): this is a plain substring match on the URI only. It works as
# a honeypot routing trigger, not as SQL-injection detection; confirm whether
# `contains` is case-sensitive before relying on it.
# NOTE(review): the rule ends at the `;` below, so the Content-Type conditions
# that follow form a separate rule despite their indentation.
uri contains "SQL"=>
	set-upstream('HoneyPot_1');	
	# Heuristic for the Struts Content-Type vector. The rule fires when the
	# header contains "multipart/form-data" somewhere but does NOT begin with
	# that literal followed by at least one more character, i.e. the media type
	# is embedded inside some other string rather than leading the header.
	# On a match the request is marked evil (level "super") and routed to the
	# HoneyPot_2 upstream.
	# NOTE(review): a header that is exactly "multipart/form-data" (no boundary
	# parameter) also fails the regex because of the trailing `+`, so it would
	# be marked as well.
	# NOTE(review): only the Content-Type header is inspected. The S2-046
	# variant of CVE-2017-5638 (Content-Disposition / Content-Length) is not
	# covered here, so treat this as a detection aid and keep patching Struts
	# as the primary mitigation.
	req-header("Content-Type") contains "multipart/form-data",
	req-header("Content-Type") !contains rx{^multipart/form-data[\s\S]+} =>
	waf-mark-evil(message: "CVE-2017-5638 Struts", level: "super"),
	set-upstream('HoneyPot_2');

# Throttle mobile clients located in Guangdong that request /shop: limit the
# request rate per client address and cap the response data rate.
# NOTE(review): presumably requests above target-rate are delayed and those
# above reject-rate are rejected -- confirm against the limit-req-rate docs.
# NOTE(review): ua-is-mobile() depends on the client-supplied User-Agent and
# client-province() on IP geolocation. Both can be changed by the client
# (spoofed UA, proxy/VPN), so this is traffic shaping, not a security boundary.
# NOTE(review): if requests arrive through another proxy or CDN, client-addr
# may be that proxy's address and all of its users would share one bucket.
# NOTE(review): confirm the intended unit and magnitude of `441 [mB/s]`.
uri("/shop"), client-province('Guangdong'),
	ua-is-mobile() =>
	limit-req-rate(key: client-addr, target-rate: 5 [r/s], reject-rate: 10 [r/s]), limit-resp-data-rate(441 [mB/s]);

# Throttle clients geolocated to the US that request /shop: the same
# per-client-address request rate limit as the Guangdong rule, plus a
# sleep(0.5) delay on each matching request (presumably seconds -- confirm).
# NOTE(review): client-country() relies on IP geolocation, which a client can
# change with a proxy or VPN; do not use it as an access-control decision.
# NOTE(review): behind another proxy or CDN, client-addr may be the proxy's
# address rather than the end user's.
uri("/shop"), client-country("US") =>
	limit-req-rate(key: client-addr, target-rate: 5 [r/s], reject-rate: 10 [r/s]), sleep(0.5);

req-header(“Content-Type”) contains “multipart/form-data”,
req-header(“Content-Type”) !contains rx{^multipart/form-data[\s\S]+} =>
	waf-mark-evil(message: "CVE-XXX-XXX ", level: "super"),