优化WAF策略默认设置

* 增加JSCookie动作选项 * 拦截动作增加“失败全局封禁”选项 * 人机识别动作增加“失败全局封禁”选项 * IP名单中的“服务”文字改为“网站”
2025-12-03 10:20:25 +08:00 · 2024-04-07 14:20:17 +08:00
parent 9f123b9a26
commit 37441b26f1
12 changed files with 253 additions and 42 deletions
--- a/internal/web/actions/default/servers/components/waf/update.go
+++ b/internal/web/actions/default/servers/components/waf/update.go
@@ -10,7 +10,6 @@ import (
 	"github.com/iwind/TeaGo/actions"
 	"github.com/iwind/TeaGo/maps"
 	"github.com/iwind/TeaGo/types"
-	"net/http"
 )

 type UpdateAction struct {
@@ -36,17 +35,17 @@ func (this *UpdateAction) RunGet(params struct {

 	// block options
 	if firewallPolicy.BlockOptions == nil {
-		firewallPolicy.BlockOptions = &firewallconfigs.HTTPFirewallBlockAction{
-			StatusCode: http.StatusForbidden,
-			Body:       "Blocked By WAF",
-			URL:        "",
-			Timeout:    60,
-		}
+		firewallPolicy.BlockOptions = firewallconfigs.NewHTTPFirewallBlockAction()
 	}

 	// page options
 	if firewallPolicy.PageOptions == nil {
-		firewallPolicy.PageOptions = firewallconfigs.DefaultHTTPFirewallPageAction()
+		firewallPolicy.PageOptions = firewallconfigs.NewHTTPFirewallPageAction()
+	}
+
+	// jscookie options
+	if firewallPolicy.JSCookieOptions == nil {
+		firewallPolicy.JSCookieOptions = firewallconfigs.NewHTTPFirewallJavascriptCookieAction()
 	}

 	// mode
@@ -79,6 +78,7 @@ func (this *UpdateAction) RunGet(params struct {
 		"blockOptions":       firewallPolicy.BlockOptions,
 		"pageOptions":        firewallPolicy.PageOptions,
 		"captchaOptions":     firewallPolicy.CaptchaOptions,
+		"jsCookieOptions":    firewallPolicy.JSCookieOptions,
 		"useLocalFirewall":   firewallPolicy.UseLocalFirewall,
 		"synFloodConfig":     firewallPolicy.SYNFlood,
 		"log":                firewallPolicy.Log,
@@ -110,21 +110,22 @@ func (this *UpdateAction) RunGet(params struct {
 }

 func (this *UpdateAction) RunPost(params struct {
-	FirewallPolicyId   int64
-	Name               string
-	GroupCodes         []string
-	BlockOptionsJSON   []byte
-	PageOptionsJSON    []byte
-	CaptchaOptionsJSON []byte
-	Description        string
-	IsOn               bool
-	Mode               string
-	UseLocalFirewall   bool
-	SynFloodJSON       []byte
-	LogJSON            []byte
-	MaxRequestBodySize int64
-	DenyCountryHTML    string
-	DenyProvinceHTML   string
+	FirewallPolicyId    int64
+	Name                string
+	GroupCodes          []string
+	BlockOptionsJSON    []byte
+	PageOptionsJSON     []byte
+	CaptchaOptionsJSON  []byte
+	JsCookieOptionsJSON []byte
+	Description         string
+	IsOn                bool
+	Mode                string
+	UseLocalFirewall    bool
+	SynFloodJSON        []byte
+	LogJSON             []byte
+	MaxRequestBodySize  int64
+	DenyCountryHTML     string
+	DenyProvinceHTML    string

 	Must *actions.Must
 }) {
@@ -136,7 +137,7 @@ func (this *UpdateAction) RunPost(params struct {
 		Require("请输入策略名称")

 	// 校验拦截选项JSON
-	var blockOptions = &firewallconfigs.HTTPFirewallBlockAction{}
+	var blockOptions = firewallconfigs.NewHTTPFirewallBlockAction()
 	err := json.Unmarshal(params.BlockOptionsJSON, blockOptions)
 	if err != nil {
 		this.Fail("拦截动作参数校验失败：" + err.Error())
@@ -144,7 +145,7 @@ func (this *UpdateAction) RunPost(params struct {
 	}

 	// 校验显示页面选项JSON
-	var pageOptions = &firewallconfigs.HTTPFirewallPageAction{}
+	var pageOptions = firewallconfigs.NewHTTPFirewallPageAction()
 	err = json.Unmarshal(params.PageOptionsJSON, pageOptions)
 	if err != nil {
 		this.Fail("校验显示页面动作配置失败：" + err.Error())
@@ -156,7 +157,7 @@ func (this *UpdateAction) RunPost(params struct {
 	}

 	// 校验验证码选项JSON
-	var captchaOptions = &firewallconfigs.HTTPFirewallCaptchaAction{}
+	var captchaOptions = firewallconfigs.NewHTTPFirewallCaptchaAction()
 	err = json.Unmarshal(params.CaptchaOptionsJSON, captchaOptions)
 	if err != nil {
 		this.Fail("验证码动作参数校验失败：" + err.Error())
@@ -180,6 +181,16 @@ func (this *UpdateAction) RunPost(params struct {
 		}
 	}

+	// 校验JSCookie选项JSON
+	var jsCookieOptions = firewallconfigs.NewHTTPFirewallJavascriptCookieAction()
+	if len(params.JsCookieOptionsJSON) > 0 {
+		err = json.Unmarshal(params.JsCookieOptionsJSON, jsCookieOptions)
+		if err != nil {
+			this.Fail("JSCookie动作参数校验失败：" + err.Error())
+			return
+		}
+	}
+
 	// 最大内容尺寸
 	if params.MaxRequestBodySize < 0 {
 		params.MaxRequestBodySize = 0
@@ -194,6 +205,7 @@ func (this *UpdateAction) RunPost(params struct {
 		BlockOptionsJSON:     params.BlockOptionsJSON,
 		PageOptionsJSON:      params.PageOptionsJSON,
 		CaptchaOptionsJSON:   params.CaptchaOptionsJSON,
+		JsCookieOptionsJSON:  params.JsCookieOptionsJSON,
 		Mode:                 params.Mode,
 		UseLocalFirewall:     params.UseLocalFirewall,
 		SynFloodJSON:         params.SynFloodJSON,