实现基础的DDoS防护

2025-12-27 21:06:35 +08:00 · 2022-05-18 21:02:47 +08:00
parent d46bf37726
commit 6cd182b858
29 changed files with 939 additions and 48 deletions
--- a/internal/web/actions/default/clusters/cluster/settings/ddos-protection/index.go
+++ b/internal/web/actions/default/clusters/cluster/settings/ddos-protection/index.go
@@ -0,0 +1,106 @@
+// Copyright 2022 Liuxiangchao iwind.liu@gmail.com. All rights reserved.
+
+package ddosProtection
+
+import (
+	"encoding/json"
+	"github.com/TeaOSLab/EdgeAdmin/internal/web/actions/actionutils"
+	"github.com/TeaOSLab/EdgeCommon/pkg/nodeconfigs"
+	"github.com/TeaOSLab/EdgeCommon/pkg/rpc/pb"
+	"github.com/TeaOSLab/EdgeCommon/pkg/serverconfigs/ddosconfigs"
+	"github.com/iwind/TeaGo/actions"
+	"github.com/iwind/TeaGo/types"
+	"net"
+)
+
+type IndexAction struct {
+	actionutils.ParentAction
+}
+
+func (this *IndexAction) Init() {
+	this.Nav("", "setting", "")
+	this.SecondMenu("ddosProtection")
+}
+
+func (this *IndexAction) RunGet(params struct {
+	ClusterId int64
+}) {
+	this.Data["clusterId"] = params.ClusterId
+
+	protectionResp, err := this.RPC().NodeClusterRPC().FindNodeClusterDDoSProtection(this.AdminContext(), &pb.FindNodeClusterDDoSProtectionRequest{NodeClusterId: params.ClusterId})
+	if err != nil {
+		this.ErrorPage(err)
+		return
+	}
+
+	var ddosProtectionConfig = ddosconfigs.DefaultProtectionConfig()
+	if len(protectionResp.DdosProtectionJSON) > 0 {
+		err = json.Unmarshal(protectionResp.DdosProtectionJSON, ddosProtectionConfig)
+		if err != nil {
+			this.ErrorPage(err)
+			return
+		}
+	}
+	this.Data["config"] = ddosProtectionConfig
+	this.Data["defaultConfigs"] = nodeconfigs.DefaultConfigs
+
+	this.Show()
+}
+
+func (this *IndexAction) RunPost(params struct {
+	ClusterId          int64
+	DdosProtectionJSON []byte
+
+	Must *actions.Must
+	CSRF *actionutils.CSRF
+}) {
+	defer this.CreateLogInfo("修改集群 %d 的DDOS防护设置", params.ClusterId)
+
+	var ddosProtectionConfig = &ddosconfigs.ProtectionConfig{}
+	err := json.Unmarshal(params.DdosProtectionJSON, ddosProtectionConfig)
+	if err != nil {
+		this.ErrorPage(err)
+		return
+	}
+
+	err = ddosProtectionConfig.Init()
+	if err != nil {
+		this.Fail("配置校验失败：" + err.Error())
+	}
+
+	// 校验参数
+	if ddosProtectionConfig.TCP != nil {
+		var tcpConfig = ddosProtectionConfig.TCP
+		if tcpConfig.MaxConnectionsPerIP > 0 && tcpConfig.MaxConnectionsPerIP < nodeconfigs.DefaultTCPMinConnectionsPerIP {
+			this.FailField("tcpMaxConnectionsPerIP", "TCP: 单IP TCP最大连接数不能小于"+types.String(nodeconfigs.DefaultTCPMinConnectionsPerIP))
+		}
+
+		if tcpConfig.NewConnectionsRate > 0 && tcpConfig.NewConnectionsRate < nodeconfigs.DefaultTCPNewConnectionsMinRate {
+			this.FailField("tcpNewConnectionsRate", "TCP: 单IP连接速率不能小于"+types.String(nodeconfigs.DefaultTCPNewConnectionsMinRate))
+		}
+
+		// Port
+		for _, portConfig := range tcpConfig.Ports {
+			if portConfig.Port > 65535 {
+				this.Fail("端口号" + types.String(portConfig.Port) + "不能大于65535")
+			}
+		}
+
+		// IP
+		for _, ipConfig := range tcpConfig.AllowIPList {
+			if net.ParseIP(ipConfig.IP) == nil {
+				this.Fail("白名单IP '" + ipConfig.IP + "' 格式错误")
+			}
+		}
+	}
+
+	_, err = this.RPC().NodeClusterRPC().UpdateNodeClusterDDoSProtection(this.AdminContext(), &pb.UpdateNodeClusterDDoSProtectionRequest{
+		NodeClusterId:      params.ClusterId,
+		DdosProtectionJSON: params.DdosProtectionJSON,
+	})
+	if err != nil {
+		this.ErrorPage(err)
+		return
+	}
+	this.Success()
+}
--- a/internal/web/actions/default/clusters/cluster/settings/ddos-protection/status.go
+++ b/internal/web/actions/default/clusters/cluster/settings/ddos-protection/status.go
@@ -0,0 +1,71 @@
+// Copyright 2022 Liuxiangchao iwind.liu@gmail.com. All rights reserved.
+
+package ddosProtection
+
+import (
+	"encoding/json"
+	"github.com/TeaOSLab/EdgeAdmin/internal/web/actions/actionutils"
+	"github.com/TeaOSLab/EdgeAdmin/internal/web/actions/default/nodes/nodeutils"
+	"github.com/TeaOSLab/EdgeCommon/pkg/messageconfigs"
+	"github.com/TeaOSLab/EdgeCommon/pkg/rpc/pb"
+	"github.com/TeaOSLab/EdgeCommon/pkg/serverconfigs/ddosconfigs"
+	"github.com/iwind/TeaGo/maps"
+)
+
+type StatusAction struct {
+	actionutils.ParentAction
+}
+
+func (this *StatusAction) Init() {
+	this.Nav("", "setting", "")
+	this.SecondMenu("ddosProtection")
+}
+
+func (this *StatusAction) RunGet(params struct {
+	ClusterId int64
+}) {
+	this.Data["clusterId"] = params.ClusterId
+
+	this.Show()
+}
+
+func (this *StatusAction) RunPost(params struct {
+	ClusterId int64
+}) {
+	results, err := nodeutils.SendMessageToCluster(this.AdminContext(), params.ClusterId, messageconfigs.MessageCodeCheckLocalFirewall, &messageconfigs.CheckLocalFirewallMessage{
+		Name: "nftables",
+	}, 10)
+	if err != nil {
+		this.ErrorPage(err)
+		return
+	}
+
+	var resultMaps = []maps.Map{}
+	for _, result := range results {
+		var resultMap = maps.Map{
+			"isOk":     result.IsOK,
+			"message":  result.Message,
+			"nodeId":   result.NodeId,
+			"nodeName": result.NodeName,
+		}
+
+		nodeResp, err := this.RPC().NodeRPC().FindNodeDDoSProtection(this.AdminContext(), &pb.FindNodeDDoSProtectionRequest{NodeId: result.NodeId})
+		if err != nil {
+			this.ErrorPage(err)
+			return
+		}
+		if len(nodeResp.DdosProtectionJSON) > 0 {
+			var ddosProtection = ddosconfigs.DefaultProtectionConfig()
+			err = json.Unmarshal(nodeResp.DdosProtectionJSON, ddosProtection)
+			if err != nil {
+				this.ErrorPage(err)
+				return
+			}
+			resultMap["isPrior"] = !ddosProtection.IsPriorEmpty()
+		}
+		resultMaps = append(resultMaps, resultMap)
+	}
+
+	this.Data["results"] = resultMaps
+	this.Success()
+}
--- a/internal/web/actions/default/clusters/cluster/settings/index.go
+++ b/internal/web/actions/default/clusters/cluster/settings/index.go
@@ -66,34 +66,31 @@ func (this *IndexAction) RunGet(params struct {
 	this.Data["timeZoneLocation"] = nodeconfigs.FindTimeZoneLocation(cluster.TimeZone)

 	this.Data["cluster"] = maps.Map{
-		"id":                    cluster.Id,
-		"name":                  cluster.Name,
-		"installDir":            cluster.InstallDir,
-		"timeZone":              cluster.TimeZone,
-		"nodeMaxThreads":        cluster.NodeMaxThreads,
-		"nodeTCPMaxConnections": cluster.NodeTCPMaxConnections,
-		"autoOpenPorts":         cluster.AutoOpenPorts,
+		"id":             cluster.Id,
+		"name":           cluster.Name,
+		"installDir":     cluster.InstallDir,
+		"timeZone":       cluster.TimeZone,
+		"nodeMaxThreads": cluster.NodeMaxThreads,
+		"autoOpenPorts":  cluster.AutoOpenPorts,
 	}

 	// 默认值
 	this.Data["defaultNodeMaxThreads"] = nodeconfigs.DefaultMaxThreads
 	this.Data["defaultNodeMaxThreadsMin"] = nodeconfigs.DefaultMaxThreadsMin
 	this.Data["defaultNodeMaxThreadsMax"] = nodeconfigs.DefaultMaxThreadsMax
-	this.Data["defaultNodeTCPMaxConnections"] = nodeconfigs.DefaultTCPMaxConnections

 	this.Show()
 }

 // RunPost 保存设置
 func (this *IndexAction) RunPost(params struct {
-	ClusterId             int64
-	Name                  string
-	GrantId               int64
-	InstallDir            string
-	TimeZone              string
-	NodeMaxThreads        int32
-	NodeTCPMaxConnections int32
-	AutoOpenPorts         bool
+	ClusterId      int64
+	Name           string
+	GrantId        int64
+	InstallDir     string
+	TimeZone       string
+	NodeMaxThreads int32
+	AutoOpenPorts  bool

 	Must *actions.Must
 }) {
@@ -112,14 +109,13 @@ func (this *IndexAction) RunPost(params struct {
 	}

 	_, err := this.RPC().NodeClusterRPC().UpdateNodeCluster(this.AdminContext(), &pb.UpdateNodeClusterRequest{
-		NodeClusterId:         params.ClusterId,
-		Name:                  params.Name,
-		NodeGrantId:           params.GrantId,
-		InstallDir:            params.InstallDir,
-		TimeZone:              params.TimeZone,
-		NodeMaxThreads:        params.NodeMaxThreads,
-		NodeTCPMaxConnections: params.NodeTCPMaxConnections,
-		AutoOpenPorts:         params.AutoOpenPorts,
+		NodeClusterId:  params.ClusterId,
+		Name:           params.Name,
+		NodeGrantId:    params.GrantId,
+		InstallDir:     params.InstallDir,
+		TimeZone:       params.TimeZone,
+		NodeMaxThreads: params.NodeMaxThreads,
+		AutoOpenPorts:  params.AutoOpenPorts,
 	})
 	if err != nil {
 		this.ErrorPage(err)
--- a/internal/web/actions/default/clusters/cluster/settings/init.go
+++ b/internal/web/actions/default/clusters/cluster/settings/init.go
@@ -3,6 +3,7 @@ package settings
 import (
 	"github.com/TeaOSLab/EdgeAdmin/internal/configloaders"
 	"github.com/TeaOSLab/EdgeAdmin/internal/web/actions/default/clusters/cluster/settings/cache"
+	ddosProtection "github.com/TeaOSLab/EdgeAdmin/internal/web/actions/default/clusters/cluster/settings/ddos-protection"
 	"github.com/TeaOSLab/EdgeAdmin/internal/web/actions/default/clusters/cluster/settings/dns"
 	firewallActions "github.com/TeaOSLab/EdgeAdmin/internal/web/actions/default/clusters/cluster/settings/firewall-actions"
 	"github.com/TeaOSLab/EdgeAdmin/internal/web/actions/default/clusters/cluster/settings/health"
@@ -79,6 +80,13 @@ func init() {
 			// WebP
 			Prefix("/clusters/cluster/settings/webp").
 			GetPost("", new(webp.IndexAction)).
+
+			// DDOS Protection
+			Prefix("/clusters/cluster/settings/ddos-protection").
+			GetPost("", new(ddosProtection.IndexAction)).
+			GetPost("/status", new(ddosProtection.StatusAction)).
+
+			//
 			EndAll()
 	})
 }