可以单个服务中的WAF中设置出入站规则、黑白名单等

internal/web/actions/default/servers/server/settings/waf/group.go

@@ -0,0 +1,110 @@
+package waf
+
+import (
+	"github.com/TeaOSLab/EdgeAdmin/internal/web/actions/actionutils"
+	"github.com/TeaOSLab/EdgeCommon/pkg/rpc/dao"
+	"github.com/TeaOSLab/EdgeCommon/pkg/serverconfigs/firewallconfigs"
+	"github.com/iwind/TeaGo/lists"
+	"github.com/iwind/TeaGo/maps"
+	"strconv"
+	"strings"
+)
+
+type GroupAction struct {
+	actionutils.ParentAction
+}
+
+func (this *GroupAction) Init() {
+	this.Nav("", "setting", this.ParamString("type"))
+	this.SecondMenu("waf")
+}
+
+func (this *GroupAction) RunGet(params struct {
+	FirewallPolicyId int64
+	GroupId          int64
+	Type             string
+}) {
+	this.Data["type"] = params.Type
+	this.Data["firewallPolicyId"] = params.FirewallPolicyId
+
+	// policy
+	firewallPolicy, err := dao.SharedHTTPFirewallPolicyDAO.FindEnabledHTTPFirewallPolicyConfig(this.AdminContext(), params.FirewallPolicyId)
+	if err != nil {
+		this.ErrorPage(err)
+		return
+	}
+	if firewallPolicy == nil {
+		this.NotFound("firewallPolicy", params.FirewallPolicyId)
+		return
+	}
+
+	// group config
+	groupConfig, err := dao.SharedHTTPFirewallRuleGroupDAO.FindRuleGroupConfig(this.AdminContext(), params.GroupId)
+	if err != nil {
+		this.ErrorPage(err)
+		return
+	}
+	if groupConfig == nil {
+		this.NotFound("firewallRuleGroup", params.GroupId)
+		return
+	}
+
+	this.Data["group"] = groupConfig
+
+	// rule sets
+	this.Data["sets"] = lists.Map(groupConfig.Sets, func(k int, v interface{}) interface{} {
+		set := v.(*firewallconfigs.HTTPFirewallRuleSet)
+
+		// 动作说明
+		actionLinks := []maps.Map{}
+		if set.Action == firewallconfigs.HTTPFirewallActionGoGroup {
+			nextGroup := firewallPolicy.FindRuleGroup(set.ActionOptions.GetInt64("groupId"))
+			if nextGroup != nil {
+				actionLinks = append(actionLinks, maps.Map{
+					"name": nextGroup.Name,
+					"url":  "/servers/components/waf/group?firewallPolicyId=" + strconv.FormatInt(params.FirewallPolicyId, 10) + "&type=" + params.Type + "&groupId=" + strconv.FormatInt(nextGroup.Id, 10),
+				})
+			}
+		} else if set.Action == firewallconfigs.HTTPFirewallActionGoSet {
+			nextGroup := firewallPolicy.FindRuleGroup(set.ActionOptions.GetInt64("groupId"))
+			if nextGroup != nil {
+				actionLinks = append(actionLinks, maps.Map{
+					"name": nextGroup.Name,
+					"url":  "/servers/components/waf/group?firewallPolicyId=" + strconv.FormatInt(params.FirewallPolicyId, 10) + "&type=" + params.Type + "&groupId=" + strconv.FormatInt(nextGroup.Id, 10),
+				})
+
+				nextSet := nextGroup.FindRuleSet(set.ActionOptions.GetInt64("setId"))
+				if nextSet != nil {
+					actionLinks = append(actionLinks, maps.Map{
+						"name": nextSet.Name,
+						"url":  "/servers/components/waf/group?firewallPolicyId=" + strconv.FormatInt(params.FirewallPolicyId, 10) + "&type=" + params.Type + "&groupId=" + strconv.FormatInt(nextGroup.Id, 10),
+					})
+				}
+			}
+		}
+
+		return maps.Map{
+			"id":   set.Id,
+			"name": set.Name,
+			"rules": lists.Map(set.Rules, func(k int, v interface{}) interface{} {
+				rule := v.(*firewallconfigs.HTTPFirewallRule)
+				return maps.Map{
+					"param":             rule.Param,
+					"paramFilters":      rule.ParamFilters,
+					"operator":          rule.Operator,
+					"value":             rule.Value,
+					"isCaseInsensitive": rule.IsCaseInsensitive,
+					"isComposed":        firewallconfigs.CheckCheckpointIsComposed(rule.Prefix()),
+				}
+			}),
+			"isOn":          set.IsOn,
+			"action":        strings.ToUpper(set.Action),
+			"actionOptions": set.ActionOptions,
+			"actionName":    firewallconfigs.FindActionName(set.Action),
+			"actionLinks":   actionLinks,
+			"connector":     strings.ToUpper(set.Connector),
+		}
+	})
+
+	this.Show()
+}

internal/web/actions/default/servers/server/settings/waf/groups.go

@@ -0,0 +1,74 @@
+package waf
+
+import (
+	"github.com/TeaOSLab/EdgeAdmin/internal/web/actions/actionutils"
+	"github.com/TeaOSLab/EdgeCommon/pkg/rpc/dao"
+	"github.com/iwind/TeaGo/maps"
+)
+
+type GroupsAction struct {
+	actionutils.ParentAction
+}
+
+func (this *GroupsAction) Init() {
+	this.Nav("", "setting", this.ParamString("type"))
+	this.SecondMenu("waf")
+}
+
+func (this *GroupsAction) RunGet(params struct {
+	FirewallPolicyId int64
+	Type             string
+}) {
+	this.Data["firewallPolicyId"] = params.FirewallPolicyId
+	this.Data["type"] = params.Type
+
+	firewallPolicy, err := dao.SharedHTTPFirewallPolicyDAO.FindEnabledHTTPFirewallPolicyConfig(this.AdminContext(), params.FirewallPolicyId)
+	if err != nil {
+		this.ErrorPage(err)
+		return
+	}
+	if firewallPolicy == nil {
+		this.NotFound("firewallPolicy", params.FirewallPolicyId)
+		return
+	}
+
+	groupMaps := []maps.Map{}
+
+	// inbound
+	if params.Type == "inbound" {
+		if firewallPolicy.Inbound != nil {
+			for _, g := range firewallPolicy.Inbound.Groups {
+				groupMaps = append(groupMaps, maps.Map{
+					"id":          g.Id,
+					"name":        g.Name,
+					"code":        g.Code,
+					"isOn":        g.IsOn,
+					"description": g.Description,
+					"countSets":   len(g.Sets),
+					"canDelete":   len(g.Code) == 0,
+				})
+			}
+		}
+	}
+
+	// outbound
+	if params.Type == "outbound" {
+		if firewallPolicy.Outbound != nil {
+			for _, g := range firewallPolicy.Outbound.Groups {
+				groupMaps = append(groupMaps, maps.Map{
+					"id":          g.Id,
+					"name":        g.Name,
+					"code":        g.Code,
+					"isOn":        g.IsOn,
+					"description": g.Description,
+					"countSets":   len(g.Sets),
+					"canDelete":   len(g.Code) == 0,
+				})
+			}
+		}
+	}
+
+	this.Data["groups"] = groupMaps
+
+	this.Show()
+}

internal/web/actions/default/servers/server/settings/waf/index.go

@@ -45,6 +45,18 @@ func (this *IndexAction) RunGet(params struct {
 		this.Data["firewallPolicy"] = nil
 	}
 
+	// 当前的Server独立设置
+	if webConfig.FirewallRef == nil || webConfig.FirewallRef.FirewallPolicyId == 0 {
+		firewallPolicyId, err := dao.SharedHTTPWebDAO.InitEmptyHTTPFirewallPolicy(this.AdminContext(), webConfig.Id, webConfig.FirewallRef != nil && webConfig.FirewallRef.IsOn)
+		if err != nil {
+			this.ErrorPage(err)
+			return
+		}
+		this.Data["firewallPolicyId"] = firewallPolicyId
+	} else {
+		this.Data["firewallPolicyId"] = webConfig.FirewallRef.FirewallPolicyId
+	}
+
 	this.Show()
 }
 

internal/web/actions/default/servers/server/settings/waf/init.go

@@ -22,6 +22,10 @@ func init() {
 			GetPost("/ipadmin/createIPPopup", new(ipadmin.CreateIPPopupAction)).
 			GetPost("/ipadmin/updateIPPopup", new(ipadmin.UpdateIPPopupAction)).
 			Post("/ipadmin/deleteIP", new(ipadmin.DeleteIPAction)).
+
+			// 规则相关
+			Get("/groups", new(GroupsAction)).
+			Get("/group", new(GroupAction)).
 			EndAll()
 	})
 }

internal/web/actions/default/servers/server/settings/waf/ipadmin/allowList.go

@@ -18,9 +18,11 @@ func (this *AllowListAction) Init() {
 }
 
 func (this *AllowListAction) RunGet(params struct {
-	ServerId int64
+	ServerId         int64
+	FirewallPolicyId int64
 }) {
 	this.Data["featureIsOn"] = true
+	this.Data["firewallPolicyId"] = params.FirewallPolicyId
 
 	listId, err := dao.SharedIPListDAO.FindAllowIPListIdWithServerId(this.AdminContext(), params.ServerId)
 	if err != nil {

internal/web/actions/default/servers/server/settings/waf/ipadmin/denyList.go

@@ -18,9 +18,11 @@ func (this *DenyListAction) Init() {
 }
 
 func (this *DenyListAction) RunGet(params struct {
-	ServerId int64
+	FirewallPolicyId int64
+	ServerId         int64
 }) {
 	this.Data["featureIsOn"] = true
+	this.Data["firewallPolicyId"] = params.FirewallPolicyId
 
 	listId, err := dao.SharedIPListDAO.FindDenyIPListIdWithServerId(this.AdminContext(), params.ServerId)
 	if err != nil {

web/views/@default/servers/server/settings/waf/@menu.html

@@ -1,5 +1,7 @@
 <first-menu>
     <menu-item :href="'/servers/server/settings/waf?serverId=' + serverId" code="index">设置</menu-item>
-    <menu-item :href="'/servers/server/settings/waf/ipadmin/allowList?serverId=' + serverId" code="allowList">白名单</menu-item>
+    <menu-item :href="'/servers/server/settings/waf/groups?serverId=' + serverId + '&type=inbound&firewallPolicyId='+firewallPolicyId" code="inbound">入站规则</menu-item>
-    <menu-item :href="'/servers/server/settings/waf/ipadmin/denyList?serverId=' + serverId" code="denyList">黑名单</menu-item>
+    <menu-item :href="'/servers/server/settings/waf/groups?serverId=' + serverId + '&type=outbound&firewallPolicyId='+firewallPolicyId" code="outbound">出站规则</menu-item>
+    <menu-item :href="'/servers/server/settings/waf/ipadmin/allowList?serverId=' + serverId + '&firewallPolicyId='+firewallPolicyId" code="allowList">白名单</menu-item>
+    <menu-item :href="'/servers/server/settings/waf/ipadmin/denyList?serverId=' + serverId + '&firewallPolicyId='+firewallPolicyId" code="denyList">黑名单</menu-item>
 </first-menu>

web/views/@default/servers/server/settings/waf/group.html

@@ -0,0 +1,69 @@
+{$layout}
+{$template "/left_menu"}
+
+<div class="right-box">
+    {$template "menu"}
+
+	<h3>分组<a href="" @click.prevent="updateGroup(group.id)">[修改]</a></h3>
+	<table class="ui table selectable definition">
+		<tr>
+			<td class="title">名称</td>
+			<td>{{group.name}}</td>
+		</tr>
+		<tr>
+			<td>描述</td>
+			<td>
+				<span v-if="group.description.length == 0" class="disabled">暂时还没有描述。</span>
+				<span v-if="group.description.length > 0">{{group.description}}</span>
+			</td>
+		</tr>
+		<tr>
+			<td>启用状态</td>
+			<td>
+				<label-on :v-is-on="group.isOn"></label-on>
+			</td>
+		</tr>
+	</table>
+
+	<h3 style="padding-top:0.8em">规则集<a href="" @click.prevent="createSet(group.id)">[添加规则集]</a> </h3>
+	<p class="comment" v-if="sets == null || sets.length == 0">暂时还没有规则。</p>
+	<table class="ui table selectable celled" id="sortable-table" v-if="sets != null && sets.length > 0">
+		<thead>
+			<tr>
+				<th style="width:3em"></th>
+				<th nowrap="">规则集名称</th>
+				<th nowrap="">规则</th>
+				<th nowrap="" class="center">关系</th>
+				<th nowrap="">动作</th>
+				<th class="three op">操作</th>
+			</tr>
+		</thead>
+		<tbody v-for="set in sets" :data-set-id="set.id">
+		<tr>
+			<td style="text-align: center;"><i class="icon bars handle grey"></i> </td>
+			<td nowrap=""><span :class="{disabled:!set.isOn}">{{set.name}}</span>
+				<p style="margin-top:0.5em">
+					<label-on :v-is-on="set.isOn"></label-on>
+				</p>
+			</td>
+			<td class="rules-box">
+				<div v-for="rule in set.rules" style="margin-top: 0.4em;margin-bottom:0.4em">
+					<span class="ui label tiny basic">{{rule.name}}[{{rule.param}}] <span v-if="rule.paramFilters != null && rule.paramFilters.length > 0" v-for="paramFilter in rule.paramFilters"> | {{paramFilter.code}}</span> <var :class="{dash:rule.isCaseInsensitive}" :title="rule.isCaseInsensitive ? '大小写不敏感':''" v-if="!rule.isComposed">{{rule.operator}}</var> {{rule.value}}</span>
+				</div>
+				<span class="ui disabled" v-if="set.rules.length == 0">暂时还没有规则</span>
+			</td>
+			<td class="center">{{set.connector.toUpperCase()}}</td>
+			<td nowrap=""><span :class="{red:set.action == 'BLOCK' || set.action == 'CAPTCHA', green:set.action != 'BLOCK' && set.action != 'CAPTCHA'}">{{set.actionName}}[{{set.action.toUpperCase()}}]</span>
+				<div v-if="set.actionLinks != null && set.actionLinks.length > 0" style="margin-top:0.3em">
+					<span class="disabled">-&gt;</span> <span v-for="link in set.actionLinks"><a :href="link.url"><span class="disabled">[{{link.name}}]</span></a> &nbsp;</span>
+				</div>
+			</td>
+			<td>
+				<a href="" @click.prevent="updateSet(set.id)">修改</a> &nbsp; <a href="" @click.prevent="updateSetOn(set.id, false)" v-if="set.isOn">停用</a><a href="" @click.prevent="updateSetOn(set.id, true)" v-if="!set.isOn">启用</a> &nbsp; <a href="" @click.prevent="deleteSet(set.id)">删除</a>
+			</td>
+		</tr>
+		</tbody>
+	</table>
+
+	<p class="comment" v-if="group.sets != null && group.sets.length > 1">所有规则匹配顺序为从上到下，可以拖动左侧的<i class="icon bars"></i>排序。</p>
+</div>

web/views/@default/servers/server/settings/waf/group.js

@@ -0,0 +1,82 @@
+Tea.context(function () {
+	this.$delay(function () {
+		let that = this
+		sortTable(function () {
+			let setIds = []
+			document
+				.querySelectorAll("tbody[data-set-id]")
+				.forEach(function (v) {
+					setIds.push(v.getAttribute("data-set-id"))
+				})
+			that.$post("/servers/components/waf/sortSets")
+				.params({
+					groupId: that.group.id,
+					setIds: setIds
+				})
+				.success(function () {
+					teaweb.successToast("排序保存成功")
+				})
+		})
+	})
+
+	// 更改分组
+	this.updateGroup = function (groupId) {
+		teaweb.popup("/servers/components/waf/updateGroupPopup?groupId=" + groupId, {
+			height: "16em",
+			callback: function () {
+				teaweb.success("保存成功", function () {
+					window.location.reload()
+				})
+			}
+		})
+	}
+
+	// 创建规则集
+	this.createSet = function (groupId) {
+		teaweb.popup("/servers/components/waf/createSetPopup?firewallPolicyId=" + this.firewallPolicyId + "&groupId=" + groupId + "&type=" + this.type, {
+			width: "50em",
+			height: "30em",
+			callback: function () {
+				teaweb.success("保存成功", function () {
+					window.location.reload()
+				})
+			}
+		})
+	}
+
+	// 修改规则集
+	this.updateSet = function (setId) {
+		teaweb.popup("/servers/components/waf/updateSetPopup?firewallPolicyId=" + this.firewallPolicyId + "&groupId=" + this.group.id + "&type=" + this.type + "&setId=" + setId, {
+			width: "50em",
+			height: "30em",
+			callback: function () {
+				teaweb.success("保存成功", function () {
+					window.location.reload()
+				})
+			}
+		})
+	}
+
+	// 停用|启用规则集
+	this.updateSetOn = function (setId, isOn) {
+		this.$post("/servers/components/waf/updateSetOn")
+			.params({
+				setId: setId,
+				isOn: isOn ? 1 : 0
+			})
+			.refresh()
+	}
+
+	// 删除规则集
+	this.deleteSet = function (setId) {
+		let that = this
+		teaweb.confirm("确定要删除此规则集吗？", function () {
+			that.$post("/servers/components/waf/deleteSet")
+				.params({
+					groupId: this.group.id,
+					setId: setId
+				})
+				.refresh()
+		})
+	}
+})

web/views/@default/servers/server/settings/waf/groups.html

@@ -0,0 +1,48 @@
+{$layout}
+{$template "/left_menu"}
+
+<div class="right-box">
+    {$template "menu"}
+
+	<second-menu>
+		<a href="" class="item" @click.prevent="createGroup(type)">[添加分组]</a>
+	</second-menu>
+
+	<p class="comment" v-if="groups.length == 0">暂时还没有规则分组。</p>
+
+	<table class="ui table selectable celled" v-if="groups.length > 0" id="sortable-table">
+		<thead>
+		<tr>
+			<th style="width:3em"></th>
+			<th>规则分组</th>
+			<th class="center">规则集</th>
+			<th class="three op">操作</th>
+		</tr>
+		</thead>
+		<tbody  v-for="group in groups" :data-group-id="group.id">
+			<tr>
+				<td style="text-align: center;"><i class="icon bars handle grey" title="拖动排序"></i> </td>
+				<td><span :class="{disabled:!group.isOn}">{{group.name}}</span>
+					<p class="comment" v-if="group.description.length > 0" style="padding-bottom:0">{{group.description}}</p>
+					<p>
+						<span v-if="group.isOn" class="ui label tiny basic green">启用</span>
+						<span v-if="!group.isOn" class="ui label tiny basic red">停用</span>
+						<span v-if="group.code.length > 0" class="ui label basic tiny">预置</span>
+						<span v-if="group.code.length == 0" class="ui label basic tiny">自定义</span>
+					</p>
+				</td>
+				<td class="center">
+					<a :href="'/servers/server/settings/waf/group?serverId=' + serverId + '&firewallPolicyId=' + firewallPolicyId + '&type=' + type + '&groupId=' + group.id">{{group.countSets}}</a>
+				</td>
+				<td>
+					<a :href="'/servers/server/settings/waf/group?serverId=' + serverId + '&firewallPolicyId=' + firewallPolicyId + '&type=' + type + '&groupId=' + group.id">详情</a> &nbsp;
+					<a href="" v-if="!group.isOn" @click.prevent="enableGroup(group.id)">启用</a><a href="" v-if="group.isOn" @click.prevent="disableGroup(group.id)">停用</a> &nbsp;
+					<a href="" @click.prevent="deleteGroup(group.id)" v-if="group.canDelete">删除</a>
+				</td>
+			</tr>
+		</tbody>
+	</table>
+
+	<p class="comment" v-if="groups.length > 0">所有规则匹配顺序为从上到下，可以拖动左侧的<i class="icon bars"></i>排序。</p>
+
+</div>

web/views/@default/servers/server/settings/waf/groups.js

@@ -0,0 +1,68 @@
+Tea.context(function () {
+	// 排序
+	this.$delay(function () {
+		let that = this
+		sortTable(function () {
+			let groupIds = []
+			document.querySelectorAll("tbody[data-group-id]")
+				.forEach(function (v) {
+					groupIds.push(v.getAttribute("data-group-id"))
+				})
+
+			that.$post("/servers/components/waf/sortGroups")
+				.params({
+					firewallPolicyId: that.firewallPolicyId,
+					type: that.type,
+					groupIds: groupIds
+				})
+				.success(function () {
+					teaweb.successToast("排序保存成功")
+				})
+		})
+	})
+
+	// 启用
+	this.enableGroup = function (groupId) {
+		this.$post("/servers/components/waf/updateGroupOn")
+			.params({
+				groupId: groupId,
+				isOn: 1
+			})
+			.refresh()
+
+	}
+
+	// 停用
+	this.disableGroup = function (groupId) {
+		this.$post("/servers/components/waf/updateGroupOn")
+			.params({
+				groupId: groupId,
+				isOn: 0
+			})
+			.refresh()
+	}
+
+	// 删除
+	this.deleteGroup = function (groupId) {
+		teaweb.confirm("确定要删除此规则分组吗？", function () {
+			this.$post("/servers/components/waf/deleteGroup")
+				.params({
+					firewallPolicyId: this.firewallPolicyId,
+					groupId: groupId
+				})
+				.refresh()
+		})
+	}
+
+	// 添加分组
+	this.createGroup = function (type) {
+		teaweb.popup("/servers/components/waf/createGroupPopup?firewallPolicyId=" + this.firewallPolicyId + "&type=" + type, {
+			height: "16em",
+			callback: function () {
+				teaweb.success("保存成功", function () {
+					window.location.reload()
+				})
+			}
+		})
+	}
+})