diff --git a/pkg/rpc/dao/http_firewall_policy_dao.go b/pkg/rpc/dao/http_firewall_policy_dao.go
index 5aa9308..0fb61ec 100644
--- a/pkg/rpc/dao/http_firewall_policy_dao.go
+++ b/pkg/rpc/dao/http_firewall_policy_dao.go
@@ -7,16 +7,17 @@ import (
 "github.com/TeaOSLab/EdgeCommon/pkg/rpc/pb"
 "github.com/TeaOSLab/EdgeCommon/pkg/serverconfigs/firewallconfigs"
 "github.com/TeaOSLab/EdgeCommon/pkg/serverconfigs/ipconfigs"
+ "github.com/iwind/TeaGo/maps"
 )
 var SharedHTTPFirewallPolicyDAO = new(HTTPFirewallPolicyDAO)
-// WAF策略相关
+// HTTPFirewallPolicyDAO WAF策略相关
 type HTTPFirewallPolicyDAO struct {
 BaseDAO
 }
-// 查找WAF策略基本信息
+// FindEnabledHTTPFirewallPolicy 查找WAF策略基本信息
 func (this *HTTPFirewallPolicyDAO) FindEnabledHTTPFirewallPolicy(ctx context.Context, policyId int64) (*pb.HTTPFirewallPolicy, error) {
 resp, err := this.RPC().HTTPFirewallPolicyRPC().FindEnabledHTTPFirewallPolicy(ctx, &pb.FindEnabledHTTPFirewallPolicyRequest{HttpFirewallPolicyId: policyId})
 if err != nil {
@@ -25,7 +26,7 @@ func (this *HTTPFirewallPolicyDAO) FindEnabledHTTPFirewallPolicy(ctx context.Con
 return resp.HttpFirewallPolicy, nil
 }
-// 查找WAF策略配置
+// FindEnabledHTTPFirewallPolicyConfig 查找WAF策略配置
 func (this *HTTPFirewallPolicyDAO) FindEnabledHTTPFirewallPolicyConfig(ctx context.Context, policyId int64) (*firewallconfigs.HTTPFirewallPolicy, error) {
 resp, err := this.RPC().HTTPFirewallPolicyRPC().FindEnabledHTTPFirewallPolicyConfig(ctx, &pb.FindEnabledHTTPFirewallPolicyConfigRequest{HttpFirewallPolicyId: policyId})
 if err != nil {
@@ -42,7 +43,7 @@ func (this *HTTPFirewallPolicyDAO) FindEnabledHTTPFirewallPolicyConfig(ctx conte
 return firewallPolicy, nil
 }
-// 查找WAF的Inbound
+// FindEnabledHTTPFirewallPolicyInboundConfig 查找WAF的Inbound
 func (this *HTTPFirewallPolicyDAO) FindEnabledHTTPFirewallPolicyInboundConfig(ctx context.Context, policyId int64) (*firewallconfigs.HTTPFirewallInboundConfig, error) {
 config, err := this.FindEnabledHTTPFirewallPolicyConfig(ctx, policyId)
 if err != nil {
@@ -54,7 +55,7 @@ func (this *HTTPFirewallPolicyDAO) FindEnabledHTTPFirewallPolicyInboundConfig(ct
 return config.Inbound, nil
 }
-// 根据类型查找WAF的IP名单
+// FindEnabledPolicyIPListIdWithType 根据类型查找WAF的IP名单
 func (this *HTTPFirewallPolicyDAO) FindEnabledPolicyIPListIdWithType(ctx context.Context, policyId int64, listType ipconfigs.IPListType) (int64, error) {
 switch listType {
 case ipconfigs.IPListTypeWhite:
@@ -66,7 +67,7 @@ func (this *HTTPFirewallPolicyDAO) FindEnabledPolicyIPListIdWithType(ctx context
 }
 }
-// 查找WAF的白名单
+// FindEnabledPolicyWhiteIPListId 查找WAF的白名单
 func (this *HTTPFirewallPolicyDAO) FindEnabledPolicyWhiteIPListId(ctx context.Context, policyId int64) (int64, error) {
 config, err := this.FindEnabledHTTPFirewallPolicyConfig(ctx, policyId)
 if err != nil {
@@ -110,7 +111,7 @@ func (this *HTTPFirewallPolicyDAO) FindEnabledPolicyWhiteIPListId(ctx context.Co
 return config.Inbound.AllowListRef.ListId, nil
 }
-// 查找WAF的黑名单
+// FindEnabledPolicyBlackIPListId 查找WAF的黑名单
 func (this *HTTPFirewallPolicyDAO) FindEnabledPolicyBlackIPListId(ctx context.Context, policyId int64) (int64, error) {
 config, err := this.FindEnabledHTTPFirewallPolicyConfig(ctx, policyId)
 if err != nil {
@@ -154,7 +155,7 @@ func (this *HTTPFirewallPolicyDAO) FindEnabledPolicyBlackIPListId(ctx context.Co
 return config.Inbound.DenyListRef.ListId, nil
 }
-// 根据服务Id查找WAF策略
+// FindEnabledHTTPFirewallPolicyWithServerId 根据服务Id查找WAF策略
 func (this *HTTPFirewallPolicyDAO) FindEnabledHTTPFirewallPolicyWithServerId(ctx context.Context, serverId int64) (*pb.HTTPFirewallPolicy, error) {
 serverResp, err := this.RPC().ServerRPC().FindEnabledServer(ctx, &pb.FindEnabledServerRequest{ServerId: serverId})
 if err != nil {
@@ -180,3 +181,72 @@ func (this *HTTPFirewallPolicyDAO) FindEnabledHTTPFirewallPolicyWithServerId(ctx
 }
 return SharedHTTPFirewallPolicyDAO.FindEnabledHTTPFirewallPolicy(ctx, cluster.HttpFirewallPolicyId)
 }
+
+// FindHTTPFirewallActionConfigs 查找动作相关信息
+func (this *HTTPFirewallPolicyDAO) FindHTTPFirewallActionConfigs(ctx context.Context, actions []*firewallconfigs.HTTPFirewallActionConfig) ([]maps.Map, error) {
+ var actionConfigs = []maps.Map{}
+ for _, action := range actions {
+ def := firewallconfigs.FindActionDefinition(action.Code)
+ if def == nil {
+ continue
+ }
+ if action.Options == nil {
+ action.Options = maps.Map{}
+ }
+
+ switch action.Code {
+ case firewallconfigs.HTTPFirewallActionRecordIP:
+ listId := action.Options.GetInt64("ipListId")
+ listResp, err := this.RPC().IPListRPC().FindEnabledIPList(ctx, &pb.FindEnabledIPListRequest{IpListId: listId})
+ if err != nil {
+ return nil, err
+ }
+ if listResp.IpList != nil {
+ action.Options["ipListName"] = listResp.IpList.Name
+ } else {
+ action.Options["ipListName"] = action.Options.GetString("ipListName") + "(已删除)"
+ }
+ case firewallconfigs.HTTPFirewallActionGoGroup:
+ groupId := action.Options.GetInt64("groupId")
+ groupResp, err := this.RPC().HTTPFirewallRuleGroupRPC().FindEnabledHTTPFirewallRuleGroup(ctx, &pb.FindEnabledHTTPFirewallRuleGroupRequest{FirewallRuleGroupId: groupId})
+ if err != nil {
+ return nil, err
+ }
+ if groupResp.FirewallRuleGroup != nil {
+ action.Options["groupName"] = groupResp.FirewallRuleGroup.Name
+ } else {
+ action.Options["groupName"] = action.Options.GetString("groupName") + "(已删除)"
+ }
+ case firewallconfigs.HTTPFirewallActionGoSet:
+ groupId := action.Options.GetInt64("groupId")
+ groupResp, err := this.RPC().HTTPFirewallRuleGroupRPC().FindEnabledHTTPFirewallRuleGroup(ctx, &pb.FindEnabledHTTPFirewallRuleGroupRequest{FirewallRuleGroupId: groupId})
+ if err != nil {
+ return nil, err
+ }
+ if groupResp.FirewallRuleGroup != nil {
+ action.Options["groupName"] = groupResp.FirewallRuleGroup.Name
+ } else {
+ action.Options["groupName"] = action.Options.GetString("groupName") + "(已删除)"
+ }
+
+ setId := action.Options.GetInt64("setId")
+ setResp, err := this.RPC().HTTPFirewallRuleSetRPC().FindEnabledHTTPFirewallRuleSet(ctx, &pb.FindEnabledHTTPFirewallRuleSetRequest{FirewallRuleSetId: setId})
+ if err != nil {
+ return nil, err
+ }
+ if setResp.FirewallRuleSet != nil {
+ action.Options["setName"] = setResp.FirewallRuleSet.Name
+ } else {
+ action.Options["setName"] = action.Options.GetString("setName") + "(已删除)"
+ }
+ }
+
+ actionConfigs = append(actionConfigs, maps.Map{
+ "name": def.Name,
+ "code": def.Code,
+ "category": def.Category,
+ "options": action.Options,
+ })
+ }
+ return actionConfigs, nil
+}
diff --git a/pkg/rpc/dao/ip_list_dao.go b/pkg/rpc/dao/ip_list_dao.go
index 549c9bb..b3d6ec1 100644
--- a/pkg/rpc/dao/ip_list_dao.go
+++ b/pkg/rpc/dao/ip_list_dao.go
@@ -15,7 +15,7 @@ type IPListDAO struct {
 BaseDAO
 }
-// 查找服务的允许IP列表
+// FindAllowIPListIdWithServerId 查找服务的允许IP列表
 func (this *IPListDAO) FindAllowIPListIdWithServerId(ctx context.Context, serverId int64) (int64, error) {
 webConfig, err := SharedHTTPWebDAO.FindWebConfigWithServerId(ctx, serverId)
 if err != nil {
@@ -30,7 +30,7 @@ func (this *IPListDAO) FindAllowIPListIdWithServerId(ctx context.Context, server
 return webConfig.FirewallPolicy.Inbound.AllowListRef.ListId, nil
 }
-// 查找服务的禁止IP列表
+// FindDenyIPListIdWithServerId 查找服务的禁止IP列表
 func (this *IPListDAO) FindDenyIPListIdWithServerId(ctx context.Context, serverId int64) (int64, error) {
 webConfig, err := SharedHTTPWebDAO.FindWebConfigWithServerId(ctx, serverId)
 if err != nil {
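Review bot: FindHTTPFirewallActionConfigs writes display-only lookup results (`ipListName`, `groupName`, `setName`, including the `(已删除)` suffix) straight into the caller's `action.Options`, and replaces a nil `Options` with a fresh map, so the input slice is mutated and the returned `options` entry aliases the caller's config map. If a caller persists the rule set afterwards, those names are stored as if they were real options and the `(已删除)` suffix is appended again on every subsequent call; whether any caller does so is not visible here. Building each result from a copy of `action.Options` keeps the lookups out of the config, and a nil element in `actions` currently panics at `action.Code`, so a guard costs one line. The go_group and go_set cases also duplicate the group lookup verbatim and could share a small helper.
```go
	for _, action := range actions {
		if action == nil {
			continue
		}
		def := firewallconfigs.FindActionDefinition(action.Code)
		if def == nil {
			continue
		}
		// work on a copy so lookup names never land in the caller's config;
		// ranging over a nil map is a no-op, which also covers Options == nil
		options := maps.Map{}
		for k, v := range action.Options {
			options[k] = v
		}

		switch action.Code {
		case firewallconfigs.HTTPFirewallActionRecordIP:
			listId := options.GetInt64("ipListId")
			listResp, err := this.RPC().IPListRPC().FindEnabledIPList(ctx, &pb.FindEnabledIPListRequest{IpListId: listId})
			if err != nil {
				return nil, err
			}
			if listResp.IpList != nil {
				options["ipListName"] = listResp.IpList.Name
			} else {
				options["ipListName"] = options.GetString("ipListName") + "(已删除)"
			}
		// … unchanged: go_group / go_set cases, writing to options instead of action.Options …
		}

		actionConfigs = append(actionConfigs, maps.Map{
			"name":     def.Name,
			"code":     def.Code,
			"category": def.Category,
			"options":  options,
		})
	}
```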
@@ -45,7 +45,7 @@ func (this *IPListDAO) FindDenyIPListIdWithServerId(ctx context.Context, serverI
 return webConfig.FirewallPolicy.Inbound.DenyListRef.ListId, nil
 }
-// 为服务创建IP名单
+// CreateIPListForServerId 为服务创建IP名单
 func (this *IPListDAO) CreateIPListForServerId(ctx context.Context, serverId int64, listType string) (int64, error) {
 webConfig, err := SharedHTTPWebDAO.FindWebConfigWithServerId(ctx, serverId)
 if err != nil {
diff --git a/pkg/serverconfigs/firewallconfigs/http_firewall_action_allow.go b/pkg/serverconfigs/firewallconfigs/http_firewall_action_allow.go
index 747b72d..f90a006 100644
--- a/pkg/serverconfigs/firewallconfigs/http_firewall_action_allow.go
+++ b/pkg/serverconfigs/firewallconfigs/http_firewall_action_allow.go
@@ -1,4 +1,5 @@
 package firewallconfigs
 type HTTPFirewallAllowAction struct {
+ Life int64 `yaml:"life" json:"life"`
 }
diff --git a/pkg/serverconfigs/firewallconfigs/http_firewall_action_block.go b/pkg/serverconfigs/firewallconfigs/http_firewall_action_block.go
index 213b518..f57fc08 100644
--- a/pkg/serverconfigs/firewallconfigs/http_firewall_action_block.go
+++ b/pkg/serverconfigs/firewallconfigs/http_firewall_action_block.go
@@ -1,8 +1,9 @@
 package firewallconfigs
-// url client configure
+// HTTPFirewallBlockAction url client configure
 type HTTPFirewallBlockAction struct {
 StatusCode int `yaml:"statusCode" json:"statusCode"`
 Body string `yaml:"body" json:"body"` // supports HTML
 URL string `yaml:"url" json:"url"`
+ Life int64 `yaml:"life" json:"life"`
 }
diff --git a/pkg/serverconfigs/firewallconfigs/http_firewall_action_captcha.go b/pkg/serverconfigs/firewallconfigs/http_firewall_action_captcha.go
index 873591d..15dee3f 100644
--- a/pkg/serverconfigs/firewallconfigs/http_firewall_action_captcha.go
+++ b/pkg/serverconfigs/firewallconfigs/http_firewall_action_captcha.go
@@ -1,4 +1,5 @@
 package firewallconfigs
 type HTTPFirewallCaptchaAction struct {
+ Life int64 `yaml:"life" json:"life"`
 }
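Review bot: The `Life int64` field added to HTTPFirewallAllowAction carries no comment, so its unit and the meaning of a zero value are left to the reader; the same bare field lands in HTTPFirewallBlockAction and HTTPFirewallCaptchaAction in the hunks below, in the new HTTPFirewallGet302Action and HTTPFirewallPost307Action files, and HTTPFirewallRecordIPAction.Timeout has the same gap. A trailing comment on each, along the lines of `// how long the action's result stays in effect; unit to be confirmed (seconds?)`, would settle it once whoever owns the engine side fills in the unit. Because these values are read from operator-written YAML/JSON, stating the unit next to the tag is also the cheapest way to prevent a silent misconfiguration that sets a far shorter or longer window than intended.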
diff --git a/pkg/serverconfigs/firewallconfigs/http_firewall_action_definition.go b/pkg/serverconfigs/firewallconfigs/http_firewall_action_definition.go
index 9693b47..d38a0a8 100644
--- a/pkg/serverconfigs/firewallconfigs/http_firewall_action_definition.go
+++ b/pkg/serverconfigs/firewallconfigs/http_firewall_action_definition.go
@@ -2,10 +2,19 @@ package firewallconfigs
 import "reflect"
-// action definition
+type HTTPFirewallActionCategory = string
+
+const (
+ HTTPFirewallActionCategoryBlock HTTPFirewallActionCategory = "block"
+ HTTPFirewallActionCategoryAllow HTTPFirewallActionCategory = "allow"
+ HTTPFirewallActionCategoryVerify HTTPFirewallActionCategory = "verify"
+)
+
+// HTTPFirewallActionDefinition action definition
 type HTTPFirewallActionDefinition struct {
- Name string
- Code HTTPFirewallActionString
- Description string
- Type reflect.Type
+ Name string `json:"name"`
+ Code HTTPFirewallActionString `json:"code"`
+ Description string `json:"description"`
+ Type reflect.Type `json:"type"`
+ Category HTTPFirewallActionCategory `json:"category"`
 }
diff --git a/pkg/serverconfigs/firewallconfigs/http_firewall_action_get_302.go b/pkg/serverconfigs/firewallconfigs/http_firewall_action_get_302.go
new file mode 100644
index 0000000..bd24e6b
--- /dev/null
+++ b/pkg/serverconfigs/firewallconfigs/http_firewall_action_get_302.go
@@ -0,0 +1,7 @@
+// Copyright 2021 Liuxiangchao iwind.liu@gmail.com. All rights reserved.
+
+package firewallconfigs
+
+type HTTPFirewallGet302Action struct {
+ Life int64 `yaml:"life" json:"life"`
+}
diff --git a/pkg/serverconfigs/firewallconfigs/http_firewall_action_post_307.go b/pkg/serverconfigs/firewallconfigs/http_firewall_action_post_307.go
new file mode 100644
index 0000000..fea85d9
--- /dev/null
+++ b/pkg/serverconfigs/firewallconfigs/http_firewall_action_post_307.go
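Review bot: Tagging `Type reflect.Type` with `json:"type"` on HTTPFirewallActionDefinition gives encoding/json nothing useful to emit: a reflect.Type value is an interface over a runtime struct with only unexported fields, so it should marshal as an empty object (or `null` when unset) rather than a type name. If the definitions are meant to be serialized for a UI — the new tags suggest so — either tag the field `json:"-"` or expose a separate `TypeName string` derived from `Type.String()` where the table is built. Separately, `HTTPFirewallActionCategory = string` is an alias, so the typed constants beneath it add no compile-time checking; that mirrors the existing HTTPFirewallActionString alias, but it is worth a one-line comment that the type is documentary only.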
@@ -0,0 +1,7 @@
+// Copyright 2021 Liuxiangchao iwind.liu@gmail.com. All rights reserved.
+
+package firewallconfigs
+
+type HTTPFirewallPost307Action struct {
+ Life int64 `yaml:"life" json:"life"`
+}
diff --git a/pkg/serverconfigs/firewallconfigs/http_firewall_action_record_ip.go b/pkg/serverconfigs/firewallconfigs/http_firewall_action_record_ip.go
new file mode 100644
index 0000000..d40b24e
--- /dev/null
+++ b/pkg/serverconfigs/firewallconfigs/http_firewall_action_record_ip.go
@@ -0,0 +1,10 @@
+// Copyright 2021 Liuxiangchao iwind.liu@gmail.com. All rights reserved.
+
+package firewallconfigs
+
+type HTTPFirewallRecordIPAction struct {
+ Type string `yaml:"type" json:"type"`
+ IPListId int64 `yaml:"ipListId" json:"ipListId"`
+ Level string `yaml:"level" json:"level"`
+ Timeout int64 `yaml:"timeout" json:"timeout"`
+}
diff --git a/pkg/serverconfigs/firewallconfigs/http_firewall_action_tag.go b/pkg/serverconfigs/firewallconfigs/http_firewall_action_tag.go
new file mode 100644
index 0000000..5d357e4
--- /dev/null
+++ b/pkg/serverconfigs/firewallconfigs/http_firewall_action_tag.go
@@ -0,0 +1,7 @@
+// Copyright 2021 Liuxiangchao iwind.liu@gmail.com. All rights reserved.
+
+package firewallconfigs
+
+type HTTPFirewallTagAction struct {
+ Tags []string `yaml:"tags" json:"tags"`
+}
diff --git a/pkg/serverconfigs/firewallconfigs/http_firewall_action_type.go b/pkg/serverconfigs/firewallconfigs/http_firewall_action_type.go
index fc8f676..2aa9f03 100644
--- a/pkg/serverconfigs/firewallconfigs/http_firewall_action_type.go
+++ b/pkg/serverconfigs/firewallconfigs/http_firewall_action_type.go
@@ -3,10 +3,15 @@ package firewallconfigs
 type HTTPFirewallActionString = string
 const (
- HTTPFirewallActionLog = "log" // allow and log
- HTTPFirewallActionBlock = "block" // block
- HTTPFirewallActionCaptcha = "captcha" // block and show captcha
- HTTPFirewallActionAllow = "allow" // allow
- HTTPFirewallActionGoGroup = "go_group" // go to next rule group
- HTTPFirewallActionGoSet = "go_set" // go to next rule set
+ HTTPFirewallActionLog HTTPFirewallActionString = "log" // allow and log
+ HTTPFirewallActionBlock HTTPFirewallActionString = "block" // block
+ HTTPFirewallActionCaptcha HTTPFirewallActionString = "captcha" // block and show captcha
+ HTTPFirewallActionNotify HTTPFirewallActionString = "notify" // 告警
+ HTTPFirewallActionGet302 HTTPFirewallActionString = "get_302" // 针对GET的302重定向认证
+ HTTPFirewallActionPost307 HTTPFirewallActionString = "post_307" // 针对POST的307重定向认证
+ HTTPFirewallActionRecordIP HTTPFirewallActionString = "record_ip" // 记录IP
+ HTTPFirewallActionTag HTTPFirewallActionString = "tag" // 标签
+ HTTPFirewallActionAllow HTTPFirewallActionString = "allow" // allow
+ HTTPFirewallActionGoGroup HTTPFirewallActionString = "go_group" // go to next rule group
+ HTTPFirewallActionGoSet HTTPFirewallActionString = "go_set" // go to next rule set
 )
diff --git a/pkg/serverconfigs/firewallconfigs/http_firewall_action_utils.go b/pkg/serverconfigs/firewallconfigs/http_firewall_action_utils.go
index 23ae262..f227727 100644
--- a/pkg/serverconfigs/firewallconfigs/http_firewall_action_utils.go
+++ b/pkg/serverconfigs/firewallconfigs/http_firewall_action_utils.go
@@ -6,38 +6,78 @@ import (
 var AllActions = []*HTTPFirewallActionDefinition{
 {
- Name: "阻止",
- Code: HTTPFirewallActionBlock,
+ Name: "阻止",
+ Code: HTTPFirewallActionBlock,
+ Description: "阻止请求并中断当前连接。",
+ Category: HTTPFirewallActionCategoryBlock,
 },
 {
- Name: "允许通过",
- Code: HTTPFirewallActionAllow,
+ Name: "允许通过",
+ Code: HTTPFirewallActionAllow,
+ Description: "允许正常通过,不记录到日志。",
+ Category: HTTPFirewallActionCategoryAllow,
 },
 {
- Name: "允许并记录日志",
- Code: HTTPFirewallActionLog,
+ Name: "允许并记录日志",
+ Code: HTTPFirewallActionLog,
+ Description: "允许正常通过并记录到日志。",
+ Category: HTTPFirewallActionCategoryAllow,
 },
 {
- Name: "Captcha验证码",
- Code: HTTPFirewallActionCaptcha,
+ Name: "Captcha验证码",
+ Code: HTTPFirewallActionCaptcha,
+ Description: "在浏览器使用验证码来验证客户端。",
+ Category: HTTPFirewallActionCategoryVerify,
 },
 {
- Name: "跳到下一个规则分组",
- Code: HTTPFirewallActionGoGroup,
- Type: reflect.TypeOf(new(HTTPFirewallGoGroupAction)).Elem(),
+ Name: "告警",
+ Code: HTTPFirewallActionNotify,
+ Description: "发送消息通知。",
+ Category: HTTPFirewallActionCategoryVerify,
 },
 {
- Name: "跳到下一个规则集",
- Code: HTTPFirewallActionGoSet,
- Type: reflect.TypeOf(new(HTTPFirewallGoSetAction)).Elem(),
+ Name: "GET 302",
+ Code: HTTPFirewallActionGet302,
+ Description: "通过302重定向GET请求验证客户端。",
+ Category: HTTPFirewallActionCategoryVerify,
+ },
+ {
+ Name: "POST 307",
+ Code: HTTPFirewallActionPost307,
+ Description: "通过307重定向POST请求验证客户端。",
+ Category: HTTPFirewallActionCategoryVerify,
+ },
+ {
+ Name: "记录IP",
+ Code: HTTPFirewallActionRecordIP,
+ Description: "将此IP记录到某个IP名单中。",
+ Category: HTTPFirewallActionCategoryBlock,
+ },
+ {
+ Name: "标签",
+ Code: HTTPFirewallActionTag,
+ Description: "为匹配的请求打上标签。",
+ Category: HTTPFirewallActionCategoryAllow,
+ },
+ {
+ Name: "跳到下一个规则分组",
+ Code: HTTPFirewallActionGoGroup,
+ Type: reflect.TypeOf(new(HTTPFirewallGoGroupAction)).Elem(),
+ Category: HTTPFirewallActionCategoryVerify,
+ },
+ {
+ Name: "跳到下一个规则集",
+ Code: HTTPFirewallActionGoSet,
+ Type: reflect.TypeOf(new(HTTPFirewallGoSetAction)).Elem(),
+ Category: HTTPFirewallActionCategoryVerify,
 },
 }
-func FindActionName(action HTTPFirewallActionString) string {
+func FindActionDefinition(actionCode HTTPFirewallActionString) *HTTPFirewallActionDefinition {
 for _, def := range AllActions {
- if def.Code == action {
- return def.Name
+ if def.Code == actionCode {
+ return def
 }
 }
- return ""
+ return nil
 }
diff --git a/pkg/serverconfigs/firewallconfigs/http_firewall_policy.go b/pkg/serverconfigs/firewallconfigs/http_firewall_policy.go
index dc1b3b7..766b88a 100644
--- a/pkg/serverconfigs/firewallconfigs/http_firewall_policy.go
+++ b/pkg/serverconfigs/firewallconfigs/http_firewall_policy.go
@@ -2,7 +2,7 @@ package firewallconfigs
 import "encoding/json"
-// 防火墙策略
+// HTTPFirewallPolicy 防火墙策略
 type HTTPFirewallPolicy struct {
 Id int64 `yaml:"id" json:"id"`
 IsOn bool `yaml:"isOn" json:"isOn"`
@@ -11,9 +11,10 @@ type HTTPFirewallPolicy struct {
 Inbound *HTTPFirewallInboundConfig `yaml:"inbound" json:"inbound"`
 Outbound *HTTPFirewallOutboundConfig `yaml:"outbound" json:"outbound"`
 BlockOptions *HTTPFirewallBlockAction `yaml:"blockOptions" json:"blockOptions"`
+
 }
-// 初始化
+// Init 初始化
 func (this *HTTPFirewallPolicy) Init() error {
 if this.Inbound != nil {
 err := this.Inbound.Init()
@@ -31,7 +32,7 @@ func (this *HTTPFirewallPolicy) Init() error {
 return nil
 }
-// 获取所有分组
+// AllRuleGroups 获取所有分组
 func (this *HTTPFirewallPolicy) AllRuleGroups() []*HTTPFirewallRuleGroup {
 result := []*HTTPFirewallRuleGroup{}
 if this.Inbound != nil {
@@ -43,7 +44,7 @@ func (this *HTTPFirewallPolicy) AllRuleGroups() []*HTTPFirewallRuleGroup {
 return result
 }
-// 根据代号查找分组
+// FindRuleGroupWithCode 根据代号查找分组
 func (this *HTTPFirewallPolicy) FindRuleGroupWithCode(code string) *HTTPFirewallRuleGroup {
 for _, g := range this.AllRuleGroups() {
 if g.Code == code {
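Review bot: Of the entries in AllActions only go_group and go_set carry a `Type`, although this same commit adds HTTPFirewallGet302Action, HTTPFirewallPost307Action, HTTPFirewallRecordIPAction and HTTPFirewallTagAction and gives the allow/block/captcha structs a `Life` field, so whatever consumes `Type` to decode an action's options has no struct for those codes. Adding e.g. `Type: reflect.TypeOf(new(HTTPFirewallRecordIPAction)).Elem(),` to each entry keeps the table consistent with the definition struct. The category assignments also look uneven: `notify` is filed under HTTPFirewallActionCategoryVerify although its description says it only sends a notification, and `record_ip` under Block although recording an IP does not by itself reject the request — worth confirming against how Category is consumed. FindActionDefinition now returns a pointer into this package-level table, so a doc line such as `// FindActionDefinition returns the shared definition for actionCode; callers must not modify it` would prevent accidental mutation of the global.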
@@ -53,7 +54,7 @@ func (this *HTTPFirewallPolicy) FindRuleGroupWithCode(code string) *HTTPFirewall
 return nil
 }
-// 根据ID查找分组
+// FindRuleGroup 根据ID查找分组
 func (this *HTTPFirewallPolicy) FindRuleGroup(groupId int64) *HTTPFirewallRuleGroup {
 for _, g := range this.AllRuleGroups() {
 if g.Id == groupId {
@@ -63,7 +64,7 @@ func (this *HTTPFirewallPolicy) FindRuleGroup(groupId int64) *HTTPFirewallRuleGr
 return nil
 }
-// 删除某个分组
+// RemoveRuleGroup 删除某个分组
 func (this *HTTPFirewallPolicy) RemoveRuleGroup(groupId int64) {
 if this.Inbound != nil {
 this.Inbound.RemoveRuleGroup(groupId)
@@ -73,7 +74,7 @@ func (this *HTTPFirewallPolicy) RemoveRuleGroup(groupId int64) {
 }
 }
-// Inbound JSON
+// InboundJSON Inbound JSON
 func (this *HTTPFirewallPolicy) InboundJSON() ([]byte, error) {
 if this.Inbound == nil {
 return []byte("null"), nil
@@ -86,7 +87,7 @@ func (this *HTTPFirewallPolicy) InboundJSON() ([]byte, error) {
 return json.Marshal(this.Inbound)
 }
-// Outbound JSON
+// OutboundJSON Outbound JSON
 func (this *HTTPFirewallPolicy) OutboundJSON() ([]byte, error) {
 if this.Inbound == nil {
 return []byte("null"), nil
diff --git a/pkg/serverconfigs/firewallconfigs/http_firewall_rule_set.go b/pkg/serverconfigs/firewallconfigs/http_firewall_rule_set.go
index b78b7f1..dce5814 100644
--- a/pkg/serverconfigs/firewallconfigs/http_firewall_rule_set.go
+++ b/pkg/serverconfigs/firewallconfigs/http_firewall_rule_set.go
@@ -2,21 +2,30 @@ package firewallconfigs
 import "github.com/iwind/TeaGo/maps"
-// 规则集定义
-type HTTPFirewallRuleSet struct {
- Id int64 `yaml:"id" json:"id"`
- IsOn bool `yaml:"isOn" json:"isOn"`
- Name string `yaml:"name" json:"name"`
- Code string `yaml:"code" json:"code"`
- Description string `yaml:"description" json:"description"`
- Connector string `yaml:"connector" json:"connector"`
- RuleRefs []*HTTPFirewallRuleRef `yaml:"ruleRefs" json:"ruleRefs"`
- Rules []*HTTPFirewallRule `yaml:"rules" json:"rules"`
- Action string `yaml:"action" json:"action"`
- ActionOptions maps.Map `yaml:"actionOptions" json:"actionOptions"`
+// HTTPFirewallActionConfig 单个动作配置
+type HTTPFirewallActionConfig struct {
+ Code HTTPFirewallActionString `yaml:"code" json:"code"`
+ Options maps.Map `yaml:"options" json:"options"`
 }
-// 初始化
+// HTTPFirewallRuleSet 规则集定义
+type HTTPFirewallRuleSet struct {
+ Id int64 `yaml:"id" json:"id"`
+ IsOn bool `yaml:"isOn" json:"isOn"`
+ Name string `yaml:"name" json:"name"`
+ Code string `yaml:"code" json:"code"`
+ Description string `yaml:"description" json:"description"`
+ Connector string `yaml:"connector" json:"connector"`
+ RuleRefs []*HTTPFirewallRuleRef `yaml:"ruleRefs" json:"ruleRefs"`
+ Rules []*HTTPFirewallRule `yaml:"rules" json:"rules"`
+
+ Actions []*HTTPFirewallActionConfig `yaml:"actions" json:"actions"`
+
+ //Action string `yaml:"action" json:"action"` // deprecated, v0.2.5
+ //ActionOptions maps.Map `yaml:"actionOptions" json:"actionOptions"` // deprecated, v0.2.5
+}
+
+// Init 初始化
 func (this *HTTPFirewallRuleSet) Init() error {
 for _, rule := range this.Rules {
 err := rule.Init()
@@ -24,10 +33,11 @@ func (this *HTTPFirewallRuleSet) Init() error {
 return err
 }
 }
+
 return nil
 }
-// 添加规则
+// AddRule 添加规则
 func (this *HTTPFirewallRuleSet) AddRule(rule *HTTPFirewallRule) {
 this.Rules = append(this.Rules, rule)
 }
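Review bot: Removing `Action` and `ActionOptions` from HTTPFirewallRuleSet in the first hunk, with no migration, means any rule set persisted in the old shape decodes with `Actions == nil`, because the yaml/json decoders ignore the now-unknown `action`/`actionOptions` keys; a set that used to block would then still match but carry no action at all, and the only upgrade visible on this page is the rewrite of the built-in template. Keeping the two fields as deprecated and folding them into `Actions` inside Init() — which begins in this hunk and ends in the next — gives existing configs a one-shot upgrade without touching the new API. Whether stored configs of the old shape exist in deployments is not visible here, so this is worth confirming before the fields are dropped for good.
```go
	Actions []*HTTPFirewallActionConfig `yaml:"actions" json:"actions"`

	// deprecated since v0.2.5; kept so persisted rule sets still decode, Init() moves them into Actions
	Action        string   `yaml:"action" json:"action"`
	ActionOptions maps.Map `yaml:"actionOptions" json:"actionOptions"`
}

// Init 初始化
func (this *HTTPFirewallRuleSet) Init() error {
	// one-shot upgrade of a pre-v0.2.5 single action into the Actions list
	if len(this.Actions) == 0 && len(this.Action) > 0 {
		this.Actions = []*HTTPFirewallActionConfig{{Code: this.Action, Options: this.ActionOptions}}
	}
	// … unchanged: rule.Init() loop and return …
```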
diff --git a/pkg/serverconfigs/firewallconfigs/http_firewall_template.go b/pkg/serverconfigs/firewallconfigs/http_firewall_template.go
index 2f8d440..0b99f49 100644
--- a/pkg/serverconfigs/firewallconfigs/http_firewall_template.go
+++ b/pkg/serverconfigs/firewallconfigs/http_firewall_template.go
@@ -27,7 +27,11 @@ func HTTPFirewallTemplate() *HTTPFirewallPolicy {
 set.Name = "Javascript事件"
 set.Code = "1001"
 set.Connector = HTTPFirewallRuleConnectorOr
- set.Action = HTTPFirewallActionBlock
+ set.Actions = []*HTTPFirewallActionConfig{
+ {
+ Code: HTTPFirewallActionBlock,
+ },
+ }
 set.AddRule(&HTTPFirewallRule{
 IsOn: true,
 Param: "${requestURI}",
@@ -44,7 +48,11 @@ func HTTPFirewallTemplate() *HTTPFirewallPolicy {
 set.Name = "Javascript函数"
 set.Code = "1002"
 set.Connector = HTTPFirewallRuleConnectorOr
- set.Action = HTTPFirewallActionBlock
+ set.Actions = []*HTTPFirewallActionConfig{
+ {
+ Code: HTTPFirewallActionBlock,
+ },
+ }
 set.AddRule(&HTTPFirewallRule{
 IsOn: true,
 Param: "${requestURI}",
@@ -61,7 +69,11 @@ func HTTPFirewallTemplate() *HTTPFirewallPolicy {
 set.Name = "HTML标签"
 set.Code = "1003"
 set.Connector = HTTPFirewallRuleConnectorOr
- set.Action = HTTPFirewallActionBlock
+ set.Actions = []*HTTPFirewallActionConfig{
+ {
+ Code: HTTPFirewallActionBlock,
+ },
+ }
 set.AddRule(&HTTPFirewallRule{
 IsOn: true,
 Param: "${requestURI}",
@@ -89,7 +101,11 @@ func HTTPFirewallTemplate() *HTTPFirewallPolicy {
 set.Name = "上传文件扩展名"
 set.Code = "2001"
 set.Connector = HTTPFirewallRuleConnectorOr
- set.Action = HTTPFirewallActionBlock
+ set.Actions = []*HTTPFirewallActionConfig{
+ {
+ Code: HTTPFirewallActionBlock,
+ },
+ }
 set.AddRule(&HTTPFirewallRule{
 IsOn: true,
 Param: "${requestUpload.ext}",
@@ -117,7 +133,11 @@ func HTTPFirewallTemplate() *HTTPFirewallPolicy {
 set.Name = "Web Shell"
 set.Code = "3001"
 set.Connector = HTTPFirewallRuleConnectorOr
- set.Action = HTTPFirewallActionBlock
+ set.Actions = []*HTTPFirewallActionConfig{
+ {
+ Code: HTTPFirewallActionBlock,
+ },
+ }
 set.AddRule(&HTTPFirewallRule{
 IsOn: true,
 Param: "${requestAll}",
@@ -144,7 +164,11 @@ func HTTPFirewallTemplate() *HTTPFirewallPolicy {
 set.Name = "命令注入"
 set.Code = "4001"
 set.Connector = HTTPFirewallRuleConnectorOr
- set.Action = HTTPFirewallActionBlock
+ set.Actions = []*HTTPFirewallActionConfig{
+ {
+ Code: HTTPFirewallActionBlock,
+ },
+ }
 set.AddRule(&HTTPFirewallRule{
 IsOn: true,
 Param: "${requestURI}",
@@ -179,7 +203,11 @@ func HTTPFirewallTemplate() *HTTPFirewallPolicy {
 set.Name = "路径穿越"
 set.Code = "5001"
 set.Connector = HTTPFirewallRuleConnectorOr
- set.Action = HTTPFirewallActionBlock
+ set.Actions = []*HTTPFirewallActionConfig{
+ {
+ Code: HTTPFirewallActionBlock,
+ },
+ }
 set.AddRule(&HTTPFirewallRule{
 IsOn: true,
 Param: "${requestURI}",
@@ -207,7 +235,11 @@ func HTTPFirewallTemplate() *HTTPFirewallPolicy {
 set.Name = "特殊目录"
 set.Code = "6001"
 set.Connector = HTTPFirewallRuleConnectorOr
- set.Action = HTTPFirewallActionBlock
+ set.Actions = []*HTTPFirewallActionConfig{
+ {
+ Code: HTTPFirewallActionBlock,
+ },
+ }
 set.AddRule(&HTTPFirewallRule{
 IsOn: true,
 Param: "${requestPath}",
@@ -235,7 +267,11 @@ func HTTPFirewallTemplate() *HTTPFirewallPolicy {
 set.Name = "Union SQL Injection"
 set.Code = "7001"
 set.Connector = HTTPFirewallRuleConnectorOr
- set.Action = HTTPFirewallActionBlock
+ set.Actions = []*HTTPFirewallActionConfig{
+ {
+ Code: HTTPFirewallActionBlock,
+ },
+ }
 set.AddRule(&HTTPFirewallRule{
 IsOn: true,
@@ -254,7 +290,11 @@ func HTTPFirewallTemplate() *HTTPFirewallPolicy {
 set.Name = "SQL注释"
 set.Code = "7002"
 set.Connector = HTTPFirewallRuleConnectorOr
- set.Action = HTTPFirewallActionBlock
+ set.Actions = []*HTTPFirewallActionConfig{
+ {
+ Code: HTTPFirewallActionBlock,
+ },
+ }
 set.AddRule(&HTTPFirewallRule{
 IsOn: true,
@@ -273,7 +313,11 @@ func HTTPFirewallTemplate() *HTTPFirewallPolicy {
 set.Name = "SQL条件"
 set.Code = "7003"
 set.Connector = HTTPFirewallRuleConnectorOr
- set.Action = HTTPFirewallActionBlock
+ set.Actions = []*HTTPFirewallActionConfig{
+ {
+ Code: HTTPFirewallActionBlock,
+ },
+ }
 set.AddRule(&HTTPFirewallRule{
 IsOn: true,
@@ -313,7 +357,11 @@ func HTTPFirewallTemplate() *HTTPFirewallPolicy {
 set.Name = "SQL函数"
 set.Code = "7004"
 set.Connector = HTTPFirewallRuleConnectorOr
- set.Action = HTTPFirewallActionBlock
+ set.Actions = []*HTTPFirewallActionConfig{
+ {
+ Code: HTTPFirewallActionBlock,
+ },
+ }
 set.AddRule(&HTTPFirewallRule{
 IsOn: true,
@@ -332,7 +380,11 @@ func HTTPFirewallTemplate() *HTTPFirewallPolicy {
 set.Name = "SQL附加语句"
 set.Code = "7005"
 set.Connector = HTTPFirewallRuleConnectorOr
- set.Action = HTTPFirewallActionBlock
+ set.Actions = []*HTTPFirewallActionConfig{
+ {
+ Code: HTTPFirewallActionBlock,
+ },
+ }
 set.AddRule(&HTTPFirewallRule{
 IsOn: true,
@@ -362,7 +414,11 @@ func HTTPFirewallTemplate() *HTTPFirewallPolicy {
 set.Name = "常见网络爬虫"
 set.Code = "20001"
 set.Connector = HTTPFirewallRuleConnectorOr
- set.Action = HTTPFirewallActionBlock
+ set.Actions = []*HTTPFirewallActionConfig{
+ {
+ Code: HTTPFirewallActionBlock,
+ },
+ }
 set.AddRule(&HTTPFirewallRule{
 IsOn: true,
@@ -393,7 +449,11 @@ func HTTPFirewallTemplate() *HTTPFirewallPolicy {
 set.Description = "限制单IP在一定时间内的请求数"
 set.Code = "8001"
 set.Connector = HTTPFirewallRuleConnectorAnd
- set.Action = HTTPFirewallActionBlock
+ set.Actions = []*HTTPFirewallActionConfig{
+ {
+ Code: HTTPFirewallActionBlock,
+ },
+ }
 set.AddRule(&HTTPFirewallRule{
 IsOn: true,
 Param: "${cc.requests}",
diff --git a/pkg/serverconfigs/shared/request_variables.go b/pkg/serverconfigs/shared/request_variables.go
index a418560..30232e6 100644
--- a/pkg/serverconfigs/shared/request_variables.go
+++ b/pkg/serverconfigs/shared/request_variables.go
@@ -8,8 +8,8 @@ import "github.com/iwind/TeaGo/maps"
 func DefaultRequestVariables() []maps.Map {
 return []maps.Map{
 {"code": "${edgeVersion}", "name": "边缘节点版本", "description": ""},
- {"code": "${remoteAddr}", "name": "客户端地址(IP)", "description": "会依次根据X-Forwarded-For、X-Real-IP、RemoteAddr获取"},
- {"code": "${rawRemoteAddr}", "name": "客户端地址(IP)", "description": "返回直接连接服务的客户端原始IP地址,从v0.1.3版本加入"},
+ {"code": "${remoteAddr}", "name": "客户端地址(IP)", "description": "会依次根据X-Forwarded-For、X-Real-IP、RemoteAddr获取,适合前端有别的反向代理服务时使用,存在伪造的风险"},
+ {"code": "${rawRemoteAddr}", "name": "客户端地址(IP)", "description": "返回直接连接服务的客户端原始IP地址"},
 {"code": "${remotePort}", "name": "客户端端口", "description": ""},
 {"code": "${remoteUser}", "name": "客户端用户名", "description": ""},
 {"code": "${requestURI}", "name": "请求URI", "description": ""},