支持更多的分组全局设置功能

2026-05-04 22:55:20 +08:00 · 2021-10-07 16:47:14 +08:00
parent 870f1aaaec
commit 0b5a27e674
126 changed files with 3969 additions and 220 deletions
--- a/internal/web/actions/default/servers/groups/group/settings/waf/group.go
+++ b/internal/web/actions/default/servers/groups/group/settings/waf/group.go
@@ -0,0 +1,100 @@
+package waf
+
+import (
+	"github.com/TeaOSLab/EdgeAdmin/internal/web/actions/actionutils"
+	"github.com/TeaOSLab/EdgeCommon/pkg/rpc/dao"
+	"github.com/TeaOSLab/EdgeCommon/pkg/serverconfigs/firewallconfigs"
+	"github.com/iwind/TeaGo/lists"
+	"github.com/iwind/TeaGo/maps"
+	"strings"
+)
+
+type GroupAction struct {
+	actionutils.ParentAction
+}
+
+func (this *GroupAction) Init() {
+	this.Nav("", "setting", this.ParamString("type"))
+	this.SecondMenu("waf")
+}
+
+func (this *GroupAction) RunGet(params struct {
+	FirewallPolicyId int64
+	GroupId          int64
+	Type             string
+}) {
+	this.Data["type"] = params.Type
+	this.Data["firewallPolicyId"] = params.FirewallPolicyId
+
+	// policy
+	firewallPolicy, err := dao.SharedHTTPFirewallPolicyDAO.FindEnabledHTTPFirewallPolicyConfig(this.AdminContext(), params.FirewallPolicyId)
+	if err != nil {
+		this.ErrorPage(err)
+		return
+	}
+	if firewallPolicy == nil {
+		this.NotFound("firewallPolicy", params.FirewallPolicyId)
+		return
+	}
+
+	// group config
+	groupConfig, err := dao.SharedHTTPFirewallRuleGroupDAO.FindRuleGroupConfig(this.AdminContext(), params.GroupId)
+	if err != nil {
+		this.ErrorPage(err)
+		return
+	}
+	if groupConfig == nil {
+		this.NotFound("firewallRuleGroup", params.GroupId)
+		return
+	}
+
+	this.Data["group"] = groupConfig
+
+	// rule sets
+	this.Data["sets"] = lists.Map(groupConfig.Sets, func(k int, v interface{}) interface{} {
+		set := v.(*firewallconfigs.HTTPFirewallRuleSet)
+
+		var actionMaps = []maps.Map{}
+		for _, action := range set.Actions {
+			def := firewallconfigs.FindActionDefinition(action.Code)
+			if def == nil {
+				continue
+			}
+
+			actionMaps = append(actionMaps, maps.Map{
+				"code":     strings.ToUpper(action.Code),
+				"name":     def.Name,
+				"category": def.Category,
+				"options":  action.Options,
+			})
+		}
+
+		return maps.Map{
+			"id":   set.Id,
+			"name": set.Name,
+			"rules": lists.Map(set.Rules, func(k int, v interface{}) interface{} {
+				rule := v.(*firewallconfigs.HTTPFirewallRule)
+				var errString = ""
+				var err = rule.Init()
+				if err != nil {
+					errString = err.Error()
+				}
+				return maps.Map{
+					"param":             rule.Param,
+					"paramFilters":      rule.ParamFilters,
+					"operator":          rule.Operator,
+					"value":             rule.Value,
+					"isCaseInsensitive": rule.IsCaseInsensitive,
+					"isComposed":        firewallconfigs.CheckCheckpointIsComposed(rule.Prefix()),
+					"checkpointOptions": rule.CheckpointOptions,
+					"err":               errString,
+				}
+			}),
+			"isOn":      set.IsOn,
+			"actions":   actionMaps,
+			"connector": strings.ToUpper(set.Connector),
+		}
+	})
+
+	this.Show()
+}
--- a/internal/web/actions/default/servers/groups/group/settings/waf/groups.go
+++ b/internal/web/actions/default/servers/groups/group/settings/waf/groups.go
@@ -0,0 +1,83 @@
+package waf
+
+import (
+	"github.com/TeaOSLab/EdgeAdmin/internal/web/actions/actionutils"
+	"github.com/TeaOSLab/EdgeCommon/pkg/rpc/dao"
+	"github.com/iwind/TeaGo/maps"
+)
+
+type GroupsAction struct {
+	actionutils.ParentAction
+}
+
+func (this *GroupsAction) Init() {
+	this.Nav("", "setting", this.ParamString("type"))
+	this.SecondMenu("waf")
+}
+
+func (this *GroupsAction) RunGet(params struct {
+	ServerId         int64
+	FirewallPolicyId int64
+	Type             string
+}) {
+	this.Data["firewallPolicyId"] = params.FirewallPolicyId
+	this.Data["type"] = params.Type
+
+	firewallPolicy, err := dao.SharedHTTPFirewallPolicyDAO.FindEnabledHTTPFirewallPolicyConfig(this.AdminContext(), params.FirewallPolicyId)
+	if err != nil {
+		this.ErrorPage(err)
+		return
+	}
+	if firewallPolicy == nil {
+		this.NotFound("firewallPolicy", params.FirewallPolicyId)
+		return
+	}
+
+	groupMaps := []maps.Map{}
+
+	// inbound
+	if params.Type == "inbound" {
+		if firewallPolicy.Inbound != nil {
+			for _, g := range firewallPolicy.Inbound.Groups {
+				groupMaps = append(groupMaps, maps.Map{
+					"id":          g.Id,
+					"name":        g.Name,
+					"code":        g.Code,
+					"isOn":        g.IsOn,
+					"description": g.Description,
+					"countSets":   len(g.Sets),
+					"canDelete":   len(g.Code) == 0,
+				})
+			}
+		}
+	}
+
+	// outbound
+	if params.Type == "outbound" {
+		if firewallPolicy.Outbound != nil {
+			for _, g := range firewallPolicy.Outbound.Groups {
+				groupMaps = append(groupMaps, maps.Map{
+					"id":          g.Id,
+					"name":        g.Name,
+					"code":        g.Code,
+					"isOn":        g.IsOn,
+					"description": g.Description,
+					"countSets":   len(g.Sets),
+					"canDelete":   len(g.Code) == 0,
+				})
+			}
+		}
+	}
+
+	this.Data["groups"] = groupMaps
+
+	// WAF是否启用
+	webConfig, err := dao.SharedHTTPWebDAO.FindWebConfigWithServerId(this.AdminContext(), params.ServerId)
+	if err != nil {
+		this.ErrorPage(err)
+		return
+	}
+	this.Data["wafIsOn"] = webConfig.FirewallRef != nil && webConfig.FirewallRef.IsOn
+
+	this.Show()
+}
--- a/internal/web/actions/default/servers/groups/group/settings/waf/index.go
+++ b/internal/web/actions/default/servers/groups/group/settings/waf/index.go
@@ -0,0 +1,76 @@
+package waf
+
+import (
+	"github.com/TeaOSLab/EdgeAdmin/internal/web/actions/actionutils"
+	"github.com/TeaOSLab/EdgeAdmin/internal/web/actions/default/servers/groups/group/servergrouputils"
+	"github.com/TeaOSLab/EdgeCommon/pkg/rpc/dao"
+	"github.com/TeaOSLab/EdgeCommon/pkg/rpc/pb"
+	"github.com/iwind/TeaGo/actions"
+)
+
+type IndexAction struct {
+	actionutils.ParentAction
+}
+
+func (this *IndexAction) Init() {
+	this.Nav("", "setting", "index")
+	this.SecondMenu("waf")
+}
+
+func (this *IndexAction) RunGet(params struct {
+	GroupId int64
+}) {
+	_, err := servergrouputils.InitGroup(this.Parent(), params.GroupId, "waf")
+	if err != nil {
+		this.ErrorPage(err)
+		return
+	}
+
+	webConfig, err := dao.SharedHTTPWebDAO.FindWebConfigWithServerGroupId(this.AdminContext(), params.GroupId)
+	if err != nil {
+		this.ErrorPage(err)
+		return
+	}
+
+	this.Data["webId"] = webConfig.Id
+	this.Data["firewallConfig"] = webConfig.FirewallRef
+
+	// 获取当前服务所在集群的WAF设置
+	this.Data["firewallPolicy"] = nil
+
+	// 当前的Server独立设置
+	if webConfig.FirewallRef == nil || webConfig.FirewallRef.FirewallPolicyId == 0 {
+		firewallPolicyId, err := dao.SharedHTTPWebDAO.InitEmptyHTTPFirewallPolicy(this.AdminContext(), params.GroupId, 0, webConfig.Id, webConfig.FirewallRef != nil && webConfig.FirewallRef.IsOn)
+		if err != nil {
+			this.ErrorPage(err)
+			return
+		}
+		this.Data["firewallPolicyId"] = firewallPolicyId
+	} else {
+		this.Data["firewallPolicyId"] = webConfig.FirewallRef.FirewallPolicyId
+	}
+
+	this.Show()
+}
+
+func (this *IndexAction) RunPost(params struct {
+	WebId        int64
+	FirewallJSON []byte
+
+	Must *actions.Must
+}) {
+	defer this.CreateLogInfo("修改Web %d 的WAF设置", params.WebId)
+
+	// TODO 检查配置
+
+	_, err := this.RPC().HTTPWebRPC().UpdateHTTPWebFirewall(this.AdminContext(), &pb.UpdateHTTPWebFirewallRequest{
+		WebId:        params.WebId,
+		FirewallJSON: params.FirewallJSON,
+	})
+	if err != nil {
+		this.ErrorPage(err)
+		return
+	}
+
+	this.Success()
+}
--- a/internal/web/actions/default/servers/groups/group/settings/waf/init.go
+++ b/internal/web/actions/default/servers/groups/group/settings/waf/init.go
@@ -0,0 +1,33 @@
+package waf
+
+import (
+	"github.com/TeaOSLab/EdgeAdmin/internal/configloaders"
+	"github.com/TeaOSLab/EdgeAdmin/internal/web/actions/default/servers/server/settings/waf/ipadmin"
+	"github.com/TeaOSLab/EdgeAdmin/internal/web/actions/default/servers/serverutils"
+	"github.com/TeaOSLab/EdgeAdmin/internal/web/helpers"
+	"github.com/iwind/TeaGo"
+)
+
+func init() {
+	TeaGo.BeforeStart(func(server *TeaGo.Server) {
+		server.
+			Helper(helpers.NewUserMustAuth(configloaders.AdminModuleCodeServer)).
+			Helper(serverutils.NewServerHelper()).
+			Data("teaMenu", "servers").
+			Data("teaSubMenu", "group").
+			Prefix("/servers/groups/group/settings/waf").
+			GetPost("", new(IndexAction)).
+			Get("/ipadmin/allowList", new(ipadmin.AllowListAction)).
+			Get("/ipadmin/denyList", new(ipadmin.DenyListAction)).
+			GetPost("/ipadmin/countries", new(ipadmin.CountriesAction)).
+			GetPost("/ipadmin/provinces", new(ipadmin.ProvincesAction)).
+			GetPost("/ipadmin/updateIPPopup", new(ipadmin.UpdateIPPopupAction)).
+			Post("/ipadmin/deleteIP", new(ipadmin.DeleteIPAction)).
+			GetPost("/ipadmin/test", new(ipadmin.TestAction)).
+
+			// 规则相关
+			Get("/groups", new(GroupsAction)).
+			Get("/group", new(GroupAction)).
+			EndAll()
+	})
+}
--- a/internal/web/actions/default/servers/groups/group/settings/waf/ipadmin/allowList.go
+++ b/internal/web/actions/default/servers/groups/group/settings/waf/ipadmin/allowList.go
@@ -0,0 +1,95 @@
+package ipadmin
+
+import (
+	"github.com/TeaOSLab/EdgeAdmin/internal/web/actions/actionutils"
+	"github.com/TeaOSLab/EdgeCommon/pkg/rpc/dao"
+	"github.com/TeaOSLab/EdgeCommon/pkg/rpc/pb"
+	"github.com/TeaOSLab/EdgeCommon/pkg/serverconfigs/firewallconfigs"
+	"github.com/iwind/TeaGo/maps"
+	timeutil "github.com/iwind/TeaGo/utils/time"
+	"time"
+)
+
+type AllowListAction struct {
+	actionutils.ParentAction
+}
+
+func (this *AllowListAction) Init() {
+	this.Nav("", "setting", "allowList")
+	this.SecondMenu("waf")
+}
+
+func (this *AllowListAction) RunGet(params struct {
+	ServerId         int64
+	FirewallPolicyId int64
+}) {
+	this.Data["featureIsOn"] = true
+	this.Data["firewallPolicyId"] = params.FirewallPolicyId
+
+	listId, err := dao.SharedIPListDAO.FindAllowIPListIdWithServerId(this.AdminContext(), params.ServerId)
+	if err != nil {
+		this.ErrorPage(err)
+		return
+	}
+
+	// 创建
+	if listId == 0 {
+		listId, err = dao.SharedIPListDAO.CreateIPListForServerId(this.AdminContext(), params.ServerId, "white")
+		if err != nil {
+			this.ErrorPage(err)
+			return
+		}
+	}
+
+	this.Data["listId"] = listId
+
+	// 数量
+	countResp, err := this.RPC().IPItemRPC().CountIPItemsWithListId(this.AdminContext(), &pb.CountIPItemsWithListIdRequest{IpListId: listId})
+	if err != nil {
+		this.ErrorPage(err)
+		return
+	}
+	count := countResp.Count
+	page := this.NewPage(count)
+	this.Data["page"] = page.AsHTML()
+
+	// 列表
+	itemsResp, err := this.RPC().IPItemRPC().ListIPItemsWithListId(this.AdminContext(), &pb.ListIPItemsWithListIdRequest{
+		IpListId: listId,
+		Offset:   page.Offset,
+		Size:     page.Size,
+	})
+	if err != nil {
+		this.ErrorPage(err)
+		return
+	}
+	itemMaps := []maps.Map{}
+	for _, item := range itemsResp.IpItems {
+		expiredTime := ""
+		if item.ExpiredAt > 0 {
+			expiredTime = timeutil.FormatTime("Y-m-d H:i:s", item.ExpiredAt)
+		}
+
+		itemMaps = append(itemMaps, maps.Map{
+			"id":             item.Id,
+			"ipFrom":         item.IpFrom,
+			"ipTo":           item.IpTo,
+			"expiredTime":    expiredTime,
+			"reason":         item.Reason,
+			"type":           item.Type,
+			"isExpired":      item.ExpiredAt > 0 && item.ExpiredAt < time.Now().Unix(),
+			"eventLevelName": firewallconfigs.FindFirewallEventLevelName(item.EventLevel),
+		})
+	}
+	this.Data["items"] = itemMaps
+
+	// WAF是否启用
+	webConfig, err := dao.SharedHTTPWebDAO.FindWebConfigWithServerId(this.AdminContext(), params.ServerId)
+	if err != nil {
+		this.ErrorPage(err)
+		return
+	}
+	this.Data["wafIsOn"] = webConfig.FirewallRef != nil && webConfig.FirewallRef.IsOn
+
+	this.Show()
+}
--- a/internal/web/actions/default/servers/groups/group/settings/waf/ipadmin/countries.go
+++ b/internal/web/actions/default/servers/groups/group/settings/waf/ipadmin/countries.go
@@ -0,0 +1,121 @@
+package ipadmin
+
+import (
+	"encoding/json"
+	"github.com/TeaOSLab/EdgeAdmin/internal/oplogs"
+	"github.com/TeaOSLab/EdgeAdmin/internal/web/actions/actionutils"
+	"github.com/TeaOSLab/EdgeCommon/pkg/rpc/dao"
+	"github.com/TeaOSLab/EdgeCommon/pkg/rpc/pb"
+	"github.com/TeaOSLab/EdgeCommon/pkg/serverconfigs/firewallconfigs"
+	"github.com/iwind/TeaGo/actions"
+	"github.com/iwind/TeaGo/lists"
+	"github.com/iwind/TeaGo/maps"
+	"strings"
+)
+
+type CountriesAction struct {
+	actionutils.ParentAction
+}
+
+func (this *CountriesAction) Init() {
+	this.Nav("", "setting", "country")
+	this.SecondMenu("waf")
+}
+
+func (this *CountriesAction) RunGet(params struct {
+	FirewallPolicyId int64
+	ServerId         int64
+}) {
+	this.Data["featureIsOn"] = true
+	this.Data["firewallPolicyId"] = params.FirewallPolicyId
+
+	this.Data["subMenuItem"] = "region"
+
+	// 当前选中的地区
+	policyConfig, err := dao.SharedHTTPFirewallPolicyDAO.FindEnabledHTTPFirewallPolicyConfig(this.AdminContext(), params.FirewallPolicyId)
+	if err != nil {
+		this.ErrorPage(err)
+		return
+	}
+	if policyConfig == nil {
+		this.NotFound("firewallPolicy", params.FirewallPolicyId)
+		return
+	}
+	selectedCountryIds := []int64{}
+	if policyConfig.Inbound != nil && policyConfig.Inbound.Region != nil {
+		selectedCountryIds = policyConfig.Inbound.Region.DenyCountryIds
+	}
+
+	countriesResp, err := this.RPC().RegionCountryRPC().FindAllEnabledRegionCountries(this.AdminContext(), &pb.FindAllEnabledRegionCountriesRequest{})
+	if err != nil {
+		this.ErrorPage(err)
+		return
+	}
+	countryMaps := []maps.Map{}
+	for _, country := range countriesResp.Countries {
+		countryMaps = append(countryMaps, maps.Map{
+			"id":        country.Id,
+			"name":      country.Name,
+			"letter":    strings.ToUpper(string(country.Pinyin[0][0])),
+			"isChecked": lists.ContainsInt64(selectedCountryIds, country.Id),
+		})
+	}
+	this.Data["countries"] = countryMaps
+
+	// WAF是否启用
+	webConfig, err := dao.SharedHTTPWebDAO.FindWebConfigWithServerId(this.AdminContext(), params.ServerId)
+	if err != nil {
+		this.ErrorPage(err)
+		return
+	}
+	this.Data["wafIsOn"] = webConfig.FirewallRef != nil && webConfig.FirewallRef.IsOn
+
+	this.Show()
+}
+
+func (this *CountriesAction) RunPost(params struct {
+	FirewallPolicyId int64
+	CountryIds       []int64
+
+	Must *actions.Must
+}) {
+	// 日志
+	defer this.CreateLog(oplogs.LevelInfo, "WAF策略 %d 设置禁止访问的国家和地区", params.FirewallPolicyId)
+
+	policyConfig, err := dao.SharedHTTPFirewallPolicyDAO.FindEnabledHTTPFirewallPolicyConfig(this.AdminContext(), params.FirewallPolicyId)
+	if err != nil {
+		this.ErrorPage(err)
+		return
+	}
+	if policyConfig == nil {
+		this.NotFound("firewallPolicy", params.FirewallPolicyId)
+		return
+	}
+
+	if policyConfig.Inbound == nil {
+		policyConfig.Inbound = &firewallconfigs.HTTPFirewallInboundConfig{IsOn: true}
+	}
+	if policyConfig.Inbound.Region == nil {
+		policyConfig.Inbound.Region = &firewallconfigs.HTTPFirewallRegionConfig{
+			IsOn: true,
+		}
+	}
+	policyConfig.Inbound.Region.DenyCountryIds = params.CountryIds
+
+	inboundJSON, err := json.Marshal(policyConfig.Inbound)
+	if err != nil {
+		this.ErrorPage(err)
+		return
+	}
+
+	_, err = this.RPC().HTTPFirewallPolicyRPC().UpdateHTTPFirewallInboundConfig(this.AdminContext(), &pb.UpdateHTTPFirewallInboundConfigRequest{
+		HttpFirewallPolicyId: params.FirewallPolicyId,
+		InboundJSON:          inboundJSON,
+	})
+	if err != nil {
+		this.ErrorPage(err)
+		return
+	}
+
+	this.Success()
+}
--- a/internal/web/actions/default/servers/groups/group/settings/waf/ipadmin/deleteIP.go
+++ b/internal/web/actions/default/servers/groups/group/settings/waf/ipadmin/deleteIP.go
@@ -0,0 +1,29 @@
+package ipadmin
+
+import (
+	"github.com/TeaOSLab/EdgeAdmin/internal/oplogs"
+	"github.com/TeaOSLab/EdgeAdmin/internal/web/actions/actionutils"
+	"github.com/TeaOSLab/EdgeCommon/pkg/rpc/pb"
+)
+
+type DeleteIPAction struct {
+	actionutils.ParentAction
+}
+
+func (this *DeleteIPAction) RunPost(params struct {
+	FirewallPolicyId int64
+	ItemId           int64
+}) {
+	// 日志
+	defer this.CreateLog(oplogs.LevelInfo, "从WAF策略 %d 名单中删除IP %d", params.FirewallPolicyId, params.ItemId)
+
+	// TODO 判断权限
+
+	_, err := this.RPC().IPItemRPC().DeleteIPItem(this.AdminContext(), &pb.DeleteIPItemRequest{IpItemId: params.ItemId})
+	if err != nil {
+		this.ErrorPage(err)
+		return
+	}
+
+	this.Success()
+}
--- a/internal/web/actions/default/servers/groups/group/settings/waf/ipadmin/denyList.go
+++ b/internal/web/actions/default/servers/groups/group/settings/waf/ipadmin/denyList.go
@@ -0,0 +1,95 @@
+package ipadmin
+
+import (
+	"github.com/TeaOSLab/EdgeAdmin/internal/web/actions/actionutils"
+	"github.com/TeaOSLab/EdgeCommon/pkg/rpc/dao"
+	"github.com/TeaOSLab/EdgeCommon/pkg/rpc/pb"
+	"github.com/TeaOSLab/EdgeCommon/pkg/serverconfigs/firewallconfigs"
+	"github.com/iwind/TeaGo/maps"
+	timeutil "github.com/iwind/TeaGo/utils/time"
+	"time"
+)
+
+type DenyListAction struct {
+	actionutils.ParentAction
+}
+
+func (this *DenyListAction) Init() {
+	this.Nav("", "setting", "denyList")
+	this.SecondMenu("waf")
+}
+
+func (this *DenyListAction) RunGet(params struct {
+	FirewallPolicyId int64
+	ServerId         int64
+}) {
+	this.Data["featureIsOn"] = true
+	this.Data["firewallPolicyId"] = params.FirewallPolicyId
+
+	listId, err := dao.SharedIPListDAO.FindDenyIPListIdWithServerId(this.AdminContext(), params.ServerId)
+	if err != nil {
+		this.ErrorPage(err)
+		return
+	}
+
+	// 创建
+	if listId == 0 {
+		listId, err = dao.SharedIPListDAO.CreateIPListForServerId(this.AdminContext(), params.ServerId, "black")
+		if err != nil {
+			this.ErrorPage(err)
+			return
+		}
+	}
+
+	this.Data["listId"] = listId
+
+	// 数量
+	countResp, err := this.RPC().IPItemRPC().CountIPItemsWithListId(this.AdminContext(), &pb.CountIPItemsWithListIdRequest{IpListId: listId})
+	if err != nil {
+		this.ErrorPage(err)
+		return
+	}
+	count := countResp.Count
+	page := this.NewPage(count)
+	this.Data["page"] = page.AsHTML()
+
+	// 列表
+	itemsResp, err := this.RPC().IPItemRPC().ListIPItemsWithListId(this.AdminContext(), &pb.ListIPItemsWithListIdRequest{
+		IpListId: listId,
+		Offset:   page.Offset,
+		Size:     page.Size,
+	})
+	if err != nil {
+		this.ErrorPage(err)
+		return
+	}
+	itemMaps := []maps.Map{}
+	for _, item := range itemsResp.IpItems {
+		expiredTime := ""
+		if item.ExpiredAt > 0 {
+			expiredTime = timeutil.FormatTime("Y-m-d H:i:s", item.ExpiredAt)
+		}
+
+		itemMaps = append(itemMaps, maps.Map{
+			"id":             item.Id,
+			"ipFrom":         item.IpFrom,
+			"ipTo":           item.IpTo,
+			"expiredTime":    expiredTime,
+			"reason":         item.Reason,
+			"type":           item.Type,
+			"isExpired":      item.ExpiredAt > 0 && item.ExpiredAt < time.Now().Unix(),
+			"eventLevelName": firewallconfigs.FindFirewallEventLevelName(item.EventLevel),
+		})
+	}
+	this.Data["items"] = itemMaps
+
+	// WAF是否启用
+	webConfig, err := dao.SharedHTTPWebDAO.FindWebConfigWithServerId(this.AdminContext(), params.ServerId)
+	if err != nil {
+		this.ErrorPage(err)
+		return
+	}
+	this.Data["wafIsOn"] = webConfig.FirewallRef != nil && webConfig.FirewallRef.IsOn
+
+	this.Show()
+}
--- a/internal/web/actions/default/servers/groups/group/settings/waf/ipadmin/provinces.go
+++ b/internal/web/actions/default/servers/groups/group/settings/waf/ipadmin/provinces.go
@@ -0,0 +1,122 @@
+package ipadmin
+
+import (
+	"encoding/json"
+	"github.com/TeaOSLab/EdgeAdmin/internal/oplogs"
+	"github.com/TeaOSLab/EdgeAdmin/internal/web/actions/actionutils"
+	"github.com/TeaOSLab/EdgeCommon/pkg/rpc/dao"
+	"github.com/TeaOSLab/EdgeCommon/pkg/rpc/pb"
+	"github.com/TeaOSLab/EdgeCommon/pkg/serverconfigs/firewallconfigs"
+	"github.com/iwind/TeaGo/actions"
+	"github.com/iwind/TeaGo/lists"
+	"github.com/iwind/TeaGo/maps"
+)
+
+const ChinaCountryId = 1
+
+type ProvincesAction struct {
+	actionutils.ParentAction
+}
+
+func (this *ProvincesAction) Init() {
+	this.Nav("", "setting", "province")
+	this.SecondMenu("waf")
+}
+
+func (this *ProvincesAction) RunGet(params struct {
+	FirewallPolicyId int64
+	ServerId         int64
+}) {
+	this.Data["featureIsOn"] = true
+	this.Data["firewallPolicyId"] = params.FirewallPolicyId
+	this.Data["subMenuItem"] = "province"
+
+	// 当前选中的省份
+	policyConfig, err := dao.SharedHTTPFirewallPolicyDAO.FindEnabledHTTPFirewallPolicyConfig(this.AdminContext(), params.FirewallPolicyId)
+	if err != nil {
+		this.ErrorPage(err)
+		return
+	}
+	if policyConfig == nil {
+		this.NotFound("firewallPolicy", params.FirewallPolicyId)
+		return
+	}
+	selectedProvinceIds := []int64{}
+	if policyConfig.Inbound != nil && policyConfig.Inbound.Region != nil {
+		selectedProvinceIds = policyConfig.Inbound.Region.DenyProvinceIds
+	}
+
+	provincesResp, err := this.RPC().RegionProvinceRPC().FindAllEnabledRegionProvincesWithCountryId(this.AdminContext(), &pb.FindAllEnabledRegionProvincesWithCountryIdRequest{
+		CountryId: int64(ChinaCountryId),
+	})
+	if err != nil {
+		this.ErrorPage(err)
+		return
+	}
+	provinceMaps := []maps.Map{}
+	for _, province := range provincesResp.Provinces {
+		provinceMaps = append(provinceMaps, maps.Map{
+			"id":        province.Id,
+			"name":      province.Name,
+			"isChecked": lists.ContainsInt64(selectedProvinceIds, province.Id),
+		})
+	}
+	this.Data["provinces"] = provinceMaps
+
+	// WAF是否启用
+	webConfig, err := dao.SharedHTTPWebDAO.FindWebConfigWithServerId(this.AdminContext(), params.ServerId)
+	if err != nil {
+		this.ErrorPage(err)
+		return
+	}
+	this.Data["wafIsOn"] = webConfig.FirewallRef != nil && webConfig.FirewallRef.IsOn
+
+	this.Show()
+}
+
+func (this *ProvincesAction) RunPost(params struct {
+	FirewallPolicyId int64
+	ProvinceIds      []int64
+
+	Must *actions.Must
+}) {
+	// 日志
+	defer this.CreateLog(oplogs.LevelInfo, "WAF策略 %d 设置禁止访问的省份", params.FirewallPolicyId)
+
+	policyConfig, err := dao.SharedHTTPFirewallPolicyDAO.FindEnabledHTTPFirewallPolicyConfig(this.AdminContext(), params.FirewallPolicyId)
+	if err != nil {
+		this.ErrorPage(err)
+		return
+	}
+	if policyConfig == nil {
+		this.NotFound("firewallPolicy", params.FirewallPolicyId)
+		return
+	}
+
+	if policyConfig.Inbound == nil {
+		policyConfig.Inbound = &firewallconfigs.HTTPFirewallInboundConfig{IsOn: true}
+	}
+	if policyConfig.Inbound.Region == nil {
+		policyConfig.Inbound.Region = &firewallconfigs.HTTPFirewallRegionConfig{
+			IsOn: true,
+		}
+	}
+	policyConfig.Inbound.Region.DenyProvinceIds = params.ProvinceIds
+
+	inboundJSON, err := json.Marshal(policyConfig.Inbound)
+	if err != nil {
+		this.ErrorPage(err)
+		return
+	}
+
+	_, err = this.RPC().HTTPFirewallPolicyRPC().UpdateHTTPFirewallInboundConfig(this.AdminContext(), &pb.UpdateHTTPFirewallInboundConfigRequest{
+		HttpFirewallPolicyId: params.FirewallPolicyId,
+		InboundJSON:          inboundJSON,
+	})
+	if err != nil {
+		this.ErrorPage(err)
+		return
+	}
+
+	this.Success()
+}
--- a/internal/web/actions/default/servers/groups/group/settings/waf/ipadmin/test.go
+++ b/internal/web/actions/default/servers/groups/group/settings/waf/ipadmin/test.go
@@ -0,0 +1,100 @@
+package ipadmin
+
+import (
+	"github.com/TeaOSLab/EdgeAdmin/internal/web/actions/actionutils"
+	"github.com/TeaOSLab/EdgeCommon/pkg/rpc/dao"
+	"github.com/TeaOSLab/EdgeCommon/pkg/rpc/pb"
+	"github.com/TeaOSLab/EdgeCommon/pkg/serverconfigs/firewallconfigs"
+	"github.com/iwind/TeaGo/actions"
+	"github.com/iwind/TeaGo/maps"
+	timeutil "github.com/iwind/TeaGo/utils/time"
+)
+
+type TestAction struct {
+	actionutils.ParentAction
+}
+
+func (this *TestAction) Init() {
+	this.Nav("", "setting", "test")
+	this.SecondMenu("waf")
+}
+
+func (this *TestAction) RunGet(params struct {
+	ServerId         int64
+	FirewallPolicyId int64
+}) {
+	this.Data["featureIsOn"] = true
+	this.Data["firewallPolicyId"] = params.FirewallPolicyId
+	this.Data["subMenuItem"] = "province"
+
+	// WAF是否启用
+	webConfig, err := dao.SharedHTTPWebDAO.FindWebConfigWithServerId(this.AdminContext(), params.ServerId)
+	if err != nil {
+		this.ErrorPage(err)
+		return
+	}
+	this.Data["wafIsOn"] = webConfig.FirewallRef != nil && webConfig.FirewallRef.IsOn
+
+	this.Show()
+}
+
+func (this *TestAction) RunPost(params struct {
+	FirewallPolicyId int64
+	Ip               string
+
+	Must *actions.Must
+}) {
+	resp, err := this.RPC().HTTPFirewallPolicyRPC().CheckHTTPFirewallPolicyIPStatus(this.AdminContext(), &pb.CheckHTTPFirewallPolicyIPStatusRequest{
+		HttpFirewallPolicyId: params.FirewallPolicyId,
+		Ip:                   params.Ip,
+	})
+	if err != nil {
+		this.ErrorPage(err)
+		return
+	}
+
+	resultMap := maps.Map{
+		"isDone":    true,
+		"isFound":   resp.IsFound,
+		"isOk":      resp.IsOk,
+		"error":     resp.Error,
+		"isAllowed": resp.IsAllowed,
+	}
+
+	if resp.IpList != nil {
+		resultMap["list"] = maps.Map{
+			"id":   resp.IpList.Id,
+			"name": resp.IpList.Name,
+		}
+	}
+	if resp.IpItem != nil {
+		resultMap["item"] = maps.Map{
+			"id":             resp.IpItem.Id,
+			"ipFrom":         resp.IpItem.IpFrom,
+			"ipTo":           resp.IpItem.IpTo,
+			"reason":         resp.IpItem.Reason,
+			"expiredAt":      resp.IpItem.ExpiredAt,
+			"expiredTime":    timeutil.FormatTime("Y-m-d H:i:s", resp.IpItem.ExpiredAt),
+			"type":           resp.IpItem.Type,
+			"eventLevelName": firewallconfigs.FindFirewallEventLevelName(resp.IpItem.EventLevel),
+		}
+	}
+
+	if resp.RegionCountry != nil {
+		resultMap["country"] = maps.Map{
+			"id":   resp.RegionCountry.Id,
+			"name": resp.RegionCountry.Name,
+		}
+	}
+
+	if resp.RegionProvince != nil {
+		resultMap["province"] = maps.Map{
+			"id":   resp.RegionProvince.Id,
+			"name": resp.RegionProvince.Name,
+		}
+	}
+
+	this.Data["result"] = resultMap
+
+	this.Success()
+}
--- a/internal/web/actions/default/servers/groups/group/settings/waf/ipadmin/updateIPPopup.go
+++ b/internal/web/actions/default/servers/groups/group/settings/waf/ipadmin/updateIPPopup.go
@@ -0,0 +1,117 @@
+package ipadmin
+
+import (
+	"github.com/TeaOSLab/EdgeAdmin/internal/oplogs"
+	"github.com/TeaOSLab/EdgeAdmin/internal/utils"
+	"github.com/TeaOSLab/EdgeAdmin/internal/web/actions/actionutils"
+	"github.com/TeaOSLab/EdgeCommon/pkg/rpc/pb"
+	"github.com/iwind/TeaGo/actions"
+	"github.com/iwind/TeaGo/maps"
+)
+
+type UpdateIPPopupAction struct {
+	actionutils.ParentAction
+}
+
+func (this *UpdateIPPopupAction) Init() {
+	this.Nav("", "", "")
+}
+
+func (this *UpdateIPPopupAction) RunGet(params struct {
+	ItemId int64
+}) {
+	itemResp, err := this.RPC().IPItemRPC().FindEnabledIPItem(this.AdminContext(), &pb.FindEnabledIPItemRequest{IpItemId: params.ItemId})
+	if err != nil {
+		this.ErrorPage(err)
+		return
+	}
+	item := itemResp.IpItem
+	if item == nil {
+		this.NotFound("ipItem", params.ItemId)
+		return
+	}
+
+	this.Data["item"] = maps.Map{
+		"id":         item.Id,
+		"ipFrom":     item.IpFrom,
+		"ipTo":       item.IpTo,
+		"expiredAt":  item.ExpiredAt,
+		"reason":     item.Reason,
+		"type":       item.Type,
+		"eventLevel": item.EventLevel,
+	}
+
+	this.Data["type"] = item.Type
+
+	this.Show()
+}
+
+func (this *UpdateIPPopupAction) RunPost(params struct {
+	ItemId int64
+
+	IpFrom     string
+	IpTo       string
+	ExpiredAt  int64
+	Reason     string
+	Type       string
+	EventLevel string
+
+	Must *actions.Must
+	CSRF *actionutils.CSRF
+}) {
+	// 日志
+	defer this.CreateLog(oplogs.LevelInfo, "修改WAF策略名单中的IP %d", params.ItemId)
+
+	// TODO 校验ItemId所属用户
+
+	switch params.Type {
+	case "ipv4":
+		params.Must.
+			Field("ipFrom", params.IpFrom).
+			Require("请输入开始IP")
+
+		// 校验IP格式（ipFrom/ipTo）
+		var ipFromLong uint64
+		if !utils.IsIPv4(params.IpFrom) {
+			this.Fail("请输入正确的开始IP")
+		}
+		ipFromLong = utils.IP2Long(params.IpFrom)
+
+		var ipToLong uint64
+		if len(params.IpTo) > 0 && !utils.IsIPv4(params.IpTo) {
+			ipToLong = utils.IP2Long(params.IpTo)
+			this.Fail("请输入正确的结束IP")
+		}
+
+		if ipFromLong > 0 && ipToLong > 0 && ipFromLong > ipToLong {
+			params.IpTo, params.IpFrom = params.IpFrom, params.IpTo
+		}
+	case "ipv6":
+		params.Must.
+			Field("ipFrom", params.IpFrom).
+			Require("请输入IP")
+
+		// 校验IP格式（ipFrom）
+		if !utils.IsIPv6(params.IpFrom) {
+			this.Fail("请输入正确的IPv6地址")
+		}
+	case "all":
+		params.IpFrom = "0.0.0.0"
+	}
+
+	_, err := this.RPC().IPItemRPC().UpdateIPItem(this.AdminContext(), &pb.UpdateIPItemRequest{
+		IpItemId:   params.ItemId,
+		IpFrom:     params.IpFrom,
+		IpTo:       params.IpTo,
+		ExpiredAt:  params.ExpiredAt,
+		Reason:     params.Reason,
+		Type:       params.Type,
+		EventLevel: params.EventLevel,
+	})
+	if err != nil {
+		this.ErrorPage(err)
+		return
+	}
+
+	this.Success()
+}