实现基础的DDoS防护

internal/web/actions/default/clusters/cluster/node/nodeutils/utils.go

@@ -23,6 +23,11 @@ func InitNodeInfo(parentAction *actionutils.ParentAction, nodeId int64) (*pb.Nod
 	}
 	var node = nodeResp.Node
 
+	info, err := parentAction.RPC().NodeRPC().FindEnabledNodeConfigInfo(parentAction.AdminContext(), &pb.FindEnabledNodeConfigInfoRequest{NodeId: nodeId})
+	if err != nil {
+		return nil, err
+	}
+
 	var groupMap maps.Map
 	if node.NodeGroup != nil {
 		groupMap = maps.Map{
@@ -60,30 +65,38 @@ func InitNodeInfo(parentAction *actionutils.ParentAction, nodeId int64) (*pb.Nod
 			"name":     "DNS设置",
 			"url":      prefix + "/settings/dns?" + query,
 			"isActive": menuItem == "dns",
-			"isOn":     len(node.DnsRoutes) > 0,
+			"isOn":     info.HasDNSInfo,
 		},
 		{
 			"name":     "缓存设置",
 			"url":      prefix + "/settings/cache?" + query,
 			"isActive": menuItem == "cache",
-			"isOn": len(node.CacheDiskDir) > 0 ||
-				(node.MaxCacheDiskCapacity != nil && node.MaxCacheDiskCapacity.Count > 0) ||
-				(node.MaxCacheMemoryCapacity != nil && node.MaxCacheMemoryCapacity.Count > 0),
+			"isOn":     info.HasCacheInfo,
+		},
+		{
+			"name":     "DDOS防护",
+			"url":      prefix + "/settings/ddos-protection?" + query,
+			"isActive": menuItem == "ddosProtection",
+			"isOn":     info.HasDDoSProtection,
+		},
+		{
+			"name": "-",
+			"url":  "",
 		},
 	}
-	menuItems = filterMenuItems(menuItems, menuItem, prefix, query)
+	menuItems = filterMenuItems(menuItems, menuItem, prefix, query, info)
 	menuItems = append(menuItems, []maps.Map{
 		{
 			"name":     "SSH设置",
 			"url":      prefix + "/settings/ssh?" + query,
 			"isActive": menuItem == "ssh",
-			"isOn":     node.NodeLogin != nil,
+			"isOn":     info.HasSSH,
 		},
 		{
 			"name":     "系统设置",
 			"url":      prefix + "/settings/system?" + query,
 			"isActive": menuItem == "system",
-			"isOn":     node.MaxCPU > 0,
+			"isOn":     info.HasSystemSettings,
 		},
 	}...)
 	parentAction.Data["leftMenuItems"] = menuItems

internal/web/actions/default/clusters/cluster/node/nodeutils/utils_ext.go

@@ -5,9 +5,10 @@
 package nodeutils
 
 import (
+	"github.com/TeaOSLab/EdgeCommon/pkg/rpc/pb"
 	"github.com/iwind/TeaGo/maps"
 )
 
-func filterMenuItems(menuItems []maps.Map, menuItem string, prefix string, query string) []maps.Map {
+func filterMenuItems(menuItems []maps.Map, menuItem string, prefix string, query string, info *pb.FindEnabledNodeConfigInfoResponse) []maps.Map {
 	return menuItems
 }

internal/web/actions/default/clusters/cluster/node/settings/ddos-protection/index.go

@@ -0,0 +1,133 @@
+// Copyright 2022 Liuxiangchao iwind.liu@gmail.com. All rights reserved.
+
+package ddosProtection
+
+import (
+	"encoding/json"
+	"github.com/TeaOSLab/EdgeAdmin/internal/web/actions/actionutils"
+	"github.com/TeaOSLab/EdgeAdmin/internal/web/actions/default/clusters/cluster/node/nodeutils"
+	"github.com/TeaOSLab/EdgeCommon/pkg/nodeconfigs"
+	"github.com/TeaOSLab/EdgeCommon/pkg/rpc/pb"
+	"github.com/TeaOSLab/EdgeCommon/pkg/serverconfigs/ddosconfigs"
+	"github.com/iwind/TeaGo/actions"
+	"github.com/iwind/TeaGo/types"
+	"net"
+)
+
+type IndexAction struct {
+	actionutils.ParentAction
+}
+
+func (this *IndexAction) Init() {
+	this.Nav("", "node", "update")
+	this.SecondMenu("ddosProtection")
+}
+
+func (this *IndexAction) RunGet(params struct {
+	ClusterId int64
+	NodeId    int64
+}) {
+	_, err := nodeutils.InitNodeInfo(this.Parent(), params.NodeId)
+	if err != nil {
+		this.ErrorPage(err)
+		return
+	}
+
+	this.Data["nodeId"] = params.NodeId
+
+	// 集群设置
+	clusterProtectionResp, err := this.RPC().NodeClusterRPC().FindNodeClusterDDoSProtection(this.AdminContext(), &pb.FindNodeClusterDDoSProtectionRequest{NodeClusterId: params.ClusterId})
+	if err != nil {
+		this.ErrorPage(err)
+		return
+	}
+	var clusterDDoSProtectionIsOn = false
+	if len(clusterProtectionResp.DdosProtectionJSON) > 0 {
+		var clusterDDoSProtection = &ddosconfigs.ProtectionConfig{}
+		err = json.Unmarshal(clusterProtectionResp.DdosProtectionJSON, clusterDDoSProtection)
+		if err != nil {
+			this.ErrorPage(err)
+			return
+		}
+		clusterDDoSProtectionIsOn = clusterDDoSProtection.IsOn()
+	}
+
+	this.Data["clusterDDoSProtectionIsOn"] = clusterDDoSProtectionIsOn
+
+	// 节点设置
+	ddosProtectionResp, err := this.RPC().NodeRPC().FindNodeDDoSProtection(this.AdminContext(), &pb.FindNodeDDoSProtectionRequest{NodeId: params.NodeId})
+	if err != nil {
+		this.ErrorPage(err)
+		return
+	}
+	var ddosProtectionConfig = ddosconfigs.DefaultProtectionConfig()
+	if len(ddosProtectionResp.DdosProtectionJSON) > 0 {
+		err = json.Unmarshal(ddosProtectionResp.DdosProtectionJSON, ddosProtectionConfig)
+		if err != nil {
+			this.ErrorPage(err)
+			return
+		}
+	}
+	this.Data["config"] = ddosProtectionConfig
+	this.Data["defaultConfigs"] = nodeconfigs.DefaultConfigs
+
+	this.Show()
+}
+
+func (this *IndexAction) RunPost(params struct {
+	NodeId             int64
+	DdosProtectionJSON []byte
+
+	Must *actions.Must
+	CSRF *actionutils.CSRF
+}) {
+	defer this.CreateLogInfo("修改节点 %d 的DDOS防护设置", params.NodeId)
+
+	var ddosProtectionConfig = &ddosconfigs.ProtectionConfig{}
+	err := json.Unmarshal(params.DdosProtectionJSON, ddosProtectionConfig)
+	if err != nil {
+		this.ErrorPage(err)
+		return
+	}
+
+	err = ddosProtectionConfig.Init()
+	if err != nil {
+		this.Fail("配置校验失败：" + err.Error())
+	}
+
+	// 校验参数
+	if ddosProtectionConfig.TCP != nil {
+		var tcpConfig = ddosProtectionConfig.TCP
+		if tcpConfig.MaxConnectionsPerIP > 0 && tcpConfig.MaxConnectionsPerIP < nodeconfigs.DefaultTCPMinConnectionsPerIP {
+			this.FailField("tcpMaxConnectionsPerIP", "TCP: 单IP TCP最大连接数不能小于"+types.String(nodeconfigs.DefaultTCPMinConnectionsPerIP))
+		}
+
+		if tcpConfig.NewConnectionsRate > 0 && tcpConfig.NewConnectionsRate < nodeconfigs.DefaultTCPNewConnectionsMinRate {
+			this.FailField("tcpNewConnectionsRate", "TCP: 单IP连接速率不能小于"+types.String(nodeconfigs.DefaultTCPNewConnectionsMinRate))
+		}
+
+		// Port
+		for _, portConfig := range tcpConfig.Ports {
+			if portConfig.Port > 65535 {
+				this.Fail("端口号" + types.String(portConfig.Port) + "不能大于65535")
+			}
+		}
+
+		// IP
+		for _, ipConfig := range tcpConfig.AllowIPList {
+			if net.ParseIP(ipConfig.IP) == nil {
+				this.Fail("白名单IP '" + ipConfig.IP + "' 格式错误")
+			}
+		}
+	}
+
+	_, err = this.RPC().NodeRPC().UpdateNodeDDoSProtection(this.AdminContext(), &pb.UpdateNodeDDoSProtectionRequest{
+		NodeId:             params.NodeId,
+		DdosProtectionJSON: params.DdosProtectionJSON,
+	})
+	if err != nil {
+		this.ErrorPage(err)
+		return
+	}
+	this.Success()
+}

internal/web/actions/default/clusters/cluster/node/settings/ddos-protection/status.go

@@ -0,0 +1,27 @@
+// Copyright 2022 Liuxiangchao iwind.liu@gmail.com. All rights reserved.
+
+package ddosProtection
+
+import (
+	"github.com/TeaOSLab/EdgeAdmin/internal/web/actions/actionutils"
+	"github.com/TeaOSLab/EdgeAdmin/internal/web/actions/default/nodes/nodeutils"
+	"github.com/TeaOSLab/EdgeCommon/pkg/messageconfigs"
+)
+
+type StatusAction struct {
+	actionutils.ParentAction
+}
+
+func (this *StatusAction) RunPost(params struct {
+	NodeId int64
+}) {
+	results, err := nodeutils.SendMessageToNodeIds(this.AdminContext(), []int64{params.NodeId}, messageconfigs.MessageCodeCheckLocalFirewall, &messageconfigs.CheckLocalFirewallMessage{
+		Name: "nftables",
+	}, 10)
+	if err != nil {
+		this.ErrorPage(err)
+		return
+	}
+	this.Data["results"] = results
+	this.Success()
+}

internal/web/actions/default/clusters/cluster/node/settings/ssh/index.go

@@ -32,6 +32,8 @@ func (this *IndexAction) RunGet(params struct {
 		return
 	}
 
+	this.Data["hostIsAutoFilled"] = false
+
 	// 登录信息
 	var loginMap maps.Map = nil
 	if node.NodeLogin != nil {
@@ -79,6 +81,7 @@ func (this *IndexAction) RunGet(params struct {
 			return
 		}
 		if len(addressesResp.NodeIPAddresses) > 0 {
+			this.Data["hostIsAutoFilled"] = true
 			loginMap = maps.Map{
 				"id":   0,
 				"name": "",
@@ -100,6 +103,7 @@ func (this *IndexAction) RunGet(params struct {
 				return
 			}
 			if len(addressesResp.NodeIPAddresses) > 0 {
+				this.Data["hostIsAutoFilled"] = true
 				loginParams["host"] = addressesResp.NodeIPAddresses[0].Ip
 			}
 		}