优化WAF区域/省份封禁：增加仅允许、增加中国香港澳台、内地等特殊区域

2025-12-31 07:26:35 +08:00 · 2023-07-07 09:53:00 +08:00
parent 3b8a483933
commit e27c0280ff
30 changed files with 751 additions and 237 deletions
--- a/internal/web/actions/default/servers/server/settings/waf/init.go
+++ b/internal/web/actions/default/servers/server/settings/waf/init.go
@@ -18,6 +18,8 @@ func init() {
 			Get("/ipadmin/allowList", new(ipadmin.AllowListAction)).
 			Get("/ipadmin/denyList", new(ipadmin.DenyListAction)).
 			GetPost("/ipadmin/countries", new(ipadmin.CountriesAction)).
+			Get("/ipadmin/selectCountriesPopup", new(ipadmin.SelectCountriesPopupAction)).
+			Get("/ipadmin/selectProvincesPopup", new(ipadmin.SelectProvincesPopupAction)).
 			GetPost("/ipadmin/provinces", new(ipadmin.ProvincesAction)).
 			GetPost("/ipadmin/updateIPPopup", new(ipadmin.UpdateIPPopupAction)).
 			Post("/ipadmin/deleteIP", new(ipadmin.DeleteIPAction)).
--- a/internal/web/actions/default/servers/server/settings/waf/ipadmin/countries.go
+++ b/internal/web/actions/default/servers/server/settings/waf/ipadmin/countries.go
@@ -42,9 +42,11 @@ func (this *CountriesAction) RunGet(params struct {
 		this.NotFound("firewallPolicy", params.FirewallPolicyId)
 		return
 	}
-	var selectedCountryIds = []int64{}
+	var deniedCountryIds = []int64{}
+	var allowedCountryIds = []int64{}
 	if policyConfig.Inbound != nil && policyConfig.Inbound.Region != nil {
-		selectedCountryIds = policyConfig.Inbound.Region.DenyCountryIds
+		deniedCountryIds = policyConfig.Inbound.Region.DenyCountryIds
+		allowedCountryIds = policyConfig.Inbound.Region.AllowCountryIds
 	}

 	countriesResp, err := this.RPC().RegionCountryRPC().FindAllRegionCountries(this.AdminContext(), &pb.FindAllRegionCountriesRequest{})
@@ -52,16 +54,23 @@ func (this *CountriesAction) RunGet(params struct {
 		this.ErrorPage(err)
 		return
 	}
-	var countryMaps = []maps.Map{}
+	var deniesCountryMaps = []maps.Map{}
+	var allowedCountryMaps = []maps.Map{}
 	for _, country := range countriesResp.RegionCountries {
-		countryMaps = append(countryMaps, maps.Map{
-			"id":        country.Id,
-			"name":      country.DisplayName,
-			"letter":    strings.ToUpper(string(country.Pinyin[0][0])),
-			"isChecked": lists.ContainsInt64(selectedCountryIds, country.Id),
-		})
+		var countryMap = maps.Map{
+			"id":     country.Id,
+			"name":   country.DisplayName,
+			"letter": strings.ToUpper(string(country.Pinyin[0][0])),
+		}
+		if lists.ContainsInt64(deniedCountryIds, country.Id) {
+			deniesCountryMaps = append(deniesCountryMaps, countryMap)
+		}
+		if lists.ContainsInt64(allowedCountryIds, country.Id) {
+			allowedCountryMaps = append(allowedCountryMaps, countryMap)
+		}
 	}
-	this.Data["countries"] = countryMaps
+	this.Data["deniedCountries"] = deniesCountryMaps
+	this.Data["allowedCountries"] = allowedCountryMaps

 	// except & only URL Patterns
 	this.Data["exceptURLPatterns"] = []*shared.URLPattern{}
@@ -88,7 +97,8 @@ func (this *CountriesAction) RunGet(params struct {

 func (this *CountriesAction) RunPost(params struct {
 	FirewallPolicyId int64
-	CountryIds       []int64
+	DenyCountryIds   []int64
+	AllowCountryIds  []int64

 	ExceptURLPatternsJSON []byte
 	OnlyURLPatternsJSON   []byte
@@ -98,6 +108,8 @@ func (this *CountriesAction) RunPost(params struct {
 	// 日志
 	defer this.CreateLogInfo(codes.WAF_LogUpdateForbiddenCountries, params.FirewallPolicyId)

+	// TODO validate denied and allowed countries
+
 	policyConfig, err := dao.SharedHTTPFirewallPolicyDAO.FindEnabledHTTPFirewallPolicyConfig(this.AdminContext(), params.FirewallPolicyId)
 	if err != nil {
 		this.ErrorPage(err)
@@ -116,7 +128,8 @@ func (this *CountriesAction) RunPost(params struct {
 			IsOn: true,
 		}
 	}
-	policyConfig.Inbound.Region.DenyCountryIds = params.CountryIds
+	policyConfig.Inbound.Region.DenyCountryIds = params.DenyCountryIds
+	policyConfig.Inbound.Region.AllowCountryIds = params.AllowCountryIds

 	// 例外URL
 	var exceptURLPatterns = []*shared.URLPattern{}
--- a/internal/web/actions/default/servers/server/settings/waf/ipadmin/provinces.go
+++ b/internal/web/actions/default/servers/server/settings/waf/ipadmin/provinces.go
@@ -7,14 +7,13 @@ import (
 	"github.com/TeaOSLab/EdgeCommon/pkg/rpc/dao"
 	"github.com/TeaOSLab/EdgeCommon/pkg/rpc/pb"
 	"github.com/TeaOSLab/EdgeCommon/pkg/serverconfigs/firewallconfigs"
+	"github.com/TeaOSLab/EdgeCommon/pkg/serverconfigs/regionconfigs"
 	"github.com/TeaOSLab/EdgeCommon/pkg/serverconfigs/shared"
 	"github.com/iwind/TeaGo/actions"
 	"github.com/iwind/TeaGo/lists"
 	"github.com/iwind/TeaGo/maps"
 )

-const ChinaCountryId = 1
-
 type ProvincesAction struct {
 	actionutils.ParentAction
 }
@@ -42,27 +41,36 @@ func (this *ProvincesAction) RunGet(params struct {
 		this.NotFound("firewallPolicy", params.FirewallPolicyId)
 		return
 	}
-	var selectedProvinceIds = []int64{}
+	var deniedProvinceIds = []int64{}
+	var allowedProvinceIds = []int64{}
 	if policyConfig.Inbound != nil && policyConfig.Inbound.Region != nil {
-		selectedProvinceIds = policyConfig.Inbound.Region.DenyProvinceIds
+		deniedProvinceIds = policyConfig.Inbound.Region.DenyProvinceIds
+		allowedProvinceIds = policyConfig.Inbound.Region.AllowProvinceIds
 	}

 	provincesResp, err := this.RPC().RegionProvinceRPC().FindAllRegionProvincesWithRegionCountryId(this.AdminContext(), &pb.FindAllRegionProvincesWithRegionCountryIdRequest{
-		RegionCountryId: int64(ChinaCountryId),
+		RegionCountryId: regionconfigs.RegionChinaId,
 	})
 	if err != nil {
 		this.ErrorPage(err)
 		return
 	}
-	var provinceMaps = []maps.Map{}
+	var deniedProvinceMaps = []maps.Map{}
+	var allowedProvinceMaps = []maps.Map{}
 	for _, province := range provincesResp.RegionProvinces {
-		provinceMaps = append(provinceMaps, maps.Map{
-			"id":        province.Id,
-			"name":      province.DisplayName,
-			"isChecked": lists.ContainsInt64(selectedProvinceIds, province.Id),
-		})
+		var provinceMap = maps.Map{
+			"id":   province.Id,
+			"name": province.DisplayName,
+		}
+		if lists.ContainsInt64(deniedProvinceIds, province.Id) {
+			deniedProvinceMaps = append(deniedProvinceMaps, provinceMap)
+		}
+		if lists.ContainsInt64(allowedProvinceIds, province.Id) {
+			allowedProvinceMaps = append(allowedProvinceMaps, provinceMap)
+		}
 	}
-	this.Data["provinces"] = provinceMaps
+	this.Data["deniedProvinces"] = deniedProvinceMaps
+	this.Data["allowedProvinces"] = allowedProvinceMaps

 	// except & only URL Patterns
 	this.Data["exceptURLPatterns"] = []*shared.URLPattern{}
@@ -89,7 +97,8 @@ func (this *ProvincesAction) RunGet(params struct {

 func (this *ProvincesAction) RunPost(params struct {
 	FirewallPolicyId int64
-	ProvinceIds      []int64
+	DenyProvinceIds  []int64
+	AllowProvinceIds []int64

 	ExceptURLPatternsJSON []byte
 	OnlyURLPatternsJSON   []byte
@@ -117,7 +126,8 @@ func (this *ProvincesAction) RunPost(params struct {
 			IsOn: true,
 		}
 	}
-	policyConfig.Inbound.Region.DenyProvinceIds = params.ProvinceIds
+	policyConfig.Inbound.Region.DenyProvinceIds = params.DenyProvinceIds
+	policyConfig.Inbound.Region.AllowProvinceIds = params.AllowProvinceIds

 	// 例外URL
 	var exceptURLPatterns = []*shared.URLPattern{}
--- a/internal/web/actions/default/servers/server/settings/waf/ipadmin/selectCountriesPopup.go
+++ b/internal/web/actions/default/servers/server/settings/waf/ipadmin/selectCountriesPopup.go
@@ -0,0 +1,53 @@
+// Copyright 2023 GoEdge CDN goedge.cdn@gmail.com. All rights reserved. Official site: https://goedge.cn .
+
+package ipadmin
+
+import (
+	"github.com/TeaOSLab/EdgeAdmin/internal/utils"
+	"github.com/TeaOSLab/EdgeAdmin/internal/web/actions/actionutils"
+	"github.com/TeaOSLab/EdgeCommon/pkg/rpc/pb"
+	"github.com/iwind/TeaGo/lists"
+	"github.com/iwind/TeaGo/maps"
+	"strings"
+)
+
+type SelectCountriesPopupAction struct {
+	actionutils.ParentAction
+}
+
+func (this *SelectCountriesPopupAction) Init() {
+	this.Nav("", "", "")
+}
+
+func (this *SelectCountriesPopupAction) RunGet(params struct {
+	Type               string
+	SelectedCountryIds string
+}) {
+	this.Data["type"] = params.Type
+
+	var selectedCountryIds = utils.SplitNumbers(params.SelectedCountryIds)
+
+	countriesResp, err := this.RPC().RegionCountryRPC().FindAllRegionCountries(this.AdminContext(), &pb.FindAllRegionCountriesRequest{})
+	if err != nil {
+		this.ErrorPage(err)
+		return
+	}
+
+	// special regions
+
+	var countryMaps = []maps.Map{}
+	for _, country := range countriesResp.RegionCountries {
+		countryMaps = append(countryMaps, maps.Map{
+			"id":        country.Id,
+			"name":      country.DisplayName,
+			"letter":    strings.ToUpper(string(country.Pinyin[0][0])),
+			"pinyin":    country.Pinyin,
+			"codes":     country.Codes,
+			"isCommon":  country.IsCommon,
+			"isChecked": lists.ContainsInt64(selectedCountryIds, country.Id),
+		})
+	}
+	this.Data["countries"] = countryMaps
+
+	this.Show()
+}
--- a/internal/web/actions/default/servers/server/settings/waf/ipadmin/selectProvincesPopup.go
+++ b/internal/web/actions/default/servers/server/settings/waf/ipadmin/selectProvincesPopup.go
@@ -0,0 +1,48 @@
+// Copyright 2023 GoEdge CDN goedge.cdn@gmail.com. All rights reserved. Official site: https://goedge.cn .
+
+package ipadmin
+
+import (
+	"github.com/TeaOSLab/EdgeAdmin/internal/utils"
+	"github.com/TeaOSLab/EdgeAdmin/internal/web/actions/actionutils"
+	"github.com/TeaOSLab/EdgeCommon/pkg/rpc/pb"
+	"github.com/TeaOSLab/EdgeCommon/pkg/serverconfigs/regionconfigs"
+	"github.com/iwind/TeaGo/lists"
+	"github.com/iwind/TeaGo/maps"
+)
+
+type SelectProvincesPopupAction struct {
+	actionutils.ParentAction
+}
+
+func (this *SelectProvincesPopupAction) Init() {
+	this.Nav("", "", "")
+}
+
+func (this *SelectProvincesPopupAction) RunGet(params struct {
+	Type                string
+	SelectedProvinceIds string
+}) {
+	this.Data["type"] = params.Type
+
+	var selectedProvinceIds = utils.SplitNumbers(params.SelectedProvinceIds)
+
+	provincesResp, err := this.RPC().RegionProvinceRPC().FindAllRegionProvincesWithRegionCountryId(this.AdminContext(), &pb.FindAllRegionProvincesWithRegionCountryIdRequest{
+		RegionCountryId: regionconfigs.RegionChinaId,
+	})
+	if err != nil {
+		this.ErrorPage(err)
+		return
+	}
+	var provinceMaps = []maps.Map{}
+	for _, province := range provincesResp.RegionProvinces {
+		provinceMaps = append(provinceMaps, maps.Map{
+			"id":        province.Id,
+			"name":      province.DisplayName,
+			"isChecked": lists.ContainsInt64(selectedProvinceIds, province.Id),
+		})
+	}
+	this.Data["provinces"] = provinceMaps
+
+	this.Show()
+}