From 16c729085ece41767916f17ac4fc552c24154a2f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E5=88=98=E7=A5=A5=E8=B6=85?=
Date: Thu, 23 Sep 2021 15:01:12 +0800
Subject: [PATCH] =?UTF-8?q?=E8=B0=83=E6=95=B4CC2=E5=8F=82=E6=95=B0?= =?UTF-8?q?=EF=BC=8C=E5=A2=9E=E5=8A=A0=E5=8D=95IP=E8=AF=B7=E6=B1=82?= =?UTF-8?q?=E6=95=B0=E9=99=90=E5=88=B6?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 .../firewallconfigs/http_firewall_template.go | 63 +++++++++++++++++--
 1 file changed, 59 insertions(+), 4 deletions(-)
diff --git a/pkg/serverconfigs/firewallconfigs/http_firewall_template.go b/pkg/serverconfigs/firewallconfigs/http_firewall_template.go
index 137086e..56b768b 100644
--- a/pkg/serverconfigs/firewallconfigs/http_firewall_template.go
+++ b/pkg/serverconfigs/firewallconfigs/http_firewall_template.go
@@ -445,8 +445,8 @@ func HTTPFirewallTemplate() *HTTPFirewallPolicy {
 {
 set := &HTTPFirewallRuleSet{}
 set.IsOn = true
- set.Name = "CC请求数"
- set.Description = "限制单IP在一定时间内的请求数"
+ set.Name = "CC单URL请求数"
+ set.Description = "限制单IP在一定时间内对单URL的请求数"
 set.Code = "8001"
 set.Connector = HTTPFirewallRuleConnectorAnd
 set.Actions = []*HTTPFirewallActionConfig{
@@ -458,11 +458,66 @@ func HTTPFirewallTemplate() *HTTPFirewallPolicy {
 IsOn: true,
 Param: "${cc2}",
 Operator: HTTPFirewallRuleOperatorGt,
- Value: "1000",
+ Value: "120",
 CheckpointOptions: map[string]interface{}{
 "keys": []string{"${remoteAddr}", "${requestPath}"},
 "period": "60",
- "threshold": 1000,
+ "threshold": 120,
+ },
+ IsCaseInsensitive: false,
+ })
+ set.AddRule(&HTTPFirewallRule{
+ IsOn: true,
+ Param: "${remoteAddr}",
+ Operator: HTTPFirewallRuleOperatorNotIPRange,
+ Value: `127.0.0.1/8`,
+ IsCaseInsensitive: false,
+ })
+ set.AddRule(&HTTPFirewallRule{
+ IsOn: true,
+ Param: "${remoteAddr}",
+ Operator: HTTPFirewallRuleOperatorNotIPRange,
+ Value: `192.168.0.1/16`,
+ IsCaseInsensitive: false,
+ })
+ set.AddRule(&HTTPFirewallRule{
+ IsOn: true,
+ Param: "${remoteAddr}",
+ Operator: HTTPFirewallRuleOperatorNotIPRange,
+ Value: `10.0.0.1/8`,
+ IsCaseInsensitive: false,
+ })
+ set.AddRule(&HTTPFirewallRule{
+ IsOn: true,
+ Param: "${remoteAddr}",
+ Operator: HTTPFirewallRuleOperatorNotIPRange,
+ Value: `172.16.0.1/12`,
+ IsCaseInsensitive: false,
+ })
+
+ group.AddRuleSet(set)
+ }
+ {
+ set := &HTTPFirewallRuleSet{}
+ set.IsOn = true
+ set.Name = "CC请求数"
+ set.Description = "限制单IP在一定时间内的总体请求数"
+ set.Code = "8001"
+ set.Connector = HTTPFirewallRuleConnectorAnd
+ set.Actions = []*HTTPFirewallActionConfig{
+ {
+ Code: HTTPFirewallActionBlock,
+ },
+ }
+ set.AddRule(&HTTPFirewallRule{
+ IsOn: true,
+ Param: "${cc2}",
+ Operator: HTTPFirewallRuleOperatorGt,
+ Value: "1200",
+ CheckpointOptions: map[string]interface{}{
+ "keys": []string{"${remoteAddr}"},
+ "period": "60",
+ "threshold": 1200,
 },
 IsCaseInsensitive: false,
 })
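Review bot: The added "CC请求数" rule set is given `set.Code = "8001"`, the same code the per-URL set keeps in the first hunk, so the template now holds two rule sets under one code; anything that finds or upgrades a set by code would be ambiguous (inferred, the lookup is not visible here), and the new set should take a code not used elsewhere in the template, `set.Code = "<unused code>"`. The four `HTTPFirewallRuleOperatorNotIPRange` rules exempt loopback and private sources from the per-URL limit only, as far as this hunk shows; the total-request set's remaining rules lie below the hunk, so confirm whether it is meant to carry the same exemptions. Those exemptions are sound only if `${remoteAddr}` is the real peer address and can never be filled from a client-supplied forwarding header, and a node placed behind an internal proxy would see every client as private and never apply the limit; a comment above the first exemption such as `// loopback/private sources are exempt; requires ${remoteAddr} to be the peer address, not a header value` would record that assumption. The CIDRs are also written with host bits set, and the canonical forms `127.0.0.0/8`, `192.168.0.0/16`, `10.0.0.0/8` and `172.16.0.0/12` avoid depending on how the range parser treats them.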