WAF支持更多动作

pkg/rpc/dao/http_firewall_policy_dao.go

@@ -7,16 +7,17 @@ import (
 	"github.com/TeaOSLab/EdgeCommon/pkg/rpc/pb"
 	"github.com/TeaOSLab/EdgeCommon/pkg/serverconfigs/firewallconfigs"
 	"github.com/TeaOSLab/EdgeCommon/pkg/serverconfigs/ipconfigs"
+	"github.com/iwind/TeaGo/maps"
 )
 
 var SharedHTTPFirewallPolicyDAO = new(HTTPFirewallPolicyDAO)
 
-// WAF策略相关
+// HTTPFirewallPolicyDAO WAF策略相关
 type HTTPFirewallPolicyDAO struct {
 	BaseDAO
 }
 
-// 查找WAF策略基本信息
+// FindEnabledHTTPFirewallPolicy 查找WAF策略基本信息
 func (this *HTTPFirewallPolicyDAO) FindEnabledHTTPFirewallPolicy(ctx context.Context, policyId int64) (*pb.HTTPFirewallPolicy, error) {
 	resp, err := this.RPC().HTTPFirewallPolicyRPC().FindEnabledHTTPFirewallPolicy(ctx, &pb.FindEnabledHTTPFirewallPolicyRequest{HttpFirewallPolicyId: policyId})
 	if err != nil {
@@ -25,7 +26,7 @@ func (this *HTTPFirewallPolicyDAO) FindEnabledHTTPFirewallPolicy(ctx context.Con
 	return resp.HttpFirewallPolicy, nil
 }
 
-// 查找WAF策略配置
+// FindEnabledHTTPFirewallPolicyConfig 查找WAF策略配置
 func (this *HTTPFirewallPolicyDAO) FindEnabledHTTPFirewallPolicyConfig(ctx context.Context, policyId int64) (*firewallconfigs.HTTPFirewallPolicy, error) {
 	resp, err := this.RPC().HTTPFirewallPolicyRPC().FindEnabledHTTPFirewallPolicyConfig(ctx, &pb.FindEnabledHTTPFirewallPolicyConfigRequest{HttpFirewallPolicyId: policyId})
 	if err != nil {
@@ -42,7 +43,7 @@ func (this *HTTPFirewallPolicyDAO) FindEnabledHTTPFirewallPolicyConfig(ctx conte
 	return firewallPolicy, nil
 }
 
-// 查找WAF的Inbound
+// FindEnabledHTTPFirewallPolicyInboundConfig 查找WAF的Inbound
 func (this *HTTPFirewallPolicyDAO) FindEnabledHTTPFirewallPolicyInboundConfig(ctx context.Context, policyId int64) (*firewallconfigs.HTTPFirewallInboundConfig, error) {
 	config, err := this.FindEnabledHTTPFirewallPolicyConfig(ctx, policyId)
 	if err != nil {
@@ -54,7 +55,7 @@ func (this *HTTPFirewallPolicyDAO) FindEnabledHTTPFirewallPolicyInboundConfig(ct
 	return config.Inbound, nil
 }
 
-// 根据类型查找WAF的IP名单
+// FindEnabledPolicyIPListIdWithType 根据类型查找WAF的IP名单
 func (this *HTTPFirewallPolicyDAO) FindEnabledPolicyIPListIdWithType(ctx context.Context, policyId int64, listType ipconfigs.IPListType) (int64, error) {
 	switch listType {
 	case ipconfigs.IPListTypeWhite:
@@ -66,7 +67,7 @@ func (this *HTTPFirewallPolicyDAO) FindEnabledPolicyIPListIdWithType(ctx context
 	}
 }
 
-// 查找WAF的白名单
+// FindEnabledPolicyWhiteIPListId 查找WAF的白名单
 func (this *HTTPFirewallPolicyDAO) FindEnabledPolicyWhiteIPListId(ctx context.Context, policyId int64) (int64, error) {
 	config, err := this.FindEnabledHTTPFirewallPolicyConfig(ctx, policyId)
 	if err != nil {
@@ -110,7 +111,7 @@ func (this *HTTPFirewallPolicyDAO) FindEnabledPolicyWhiteIPListId(ctx context.Co
 	return config.Inbound.AllowListRef.ListId, nil
 }
 
-// 查找WAF的黑名单
+// FindEnabledPolicyBlackIPListId 查找WAF的黑名单
 func (this *HTTPFirewallPolicyDAO) FindEnabledPolicyBlackIPListId(ctx context.Context, policyId int64) (int64, error) {
 	config, err := this.FindEnabledHTTPFirewallPolicyConfig(ctx, policyId)
 	if err != nil {
@@ -154,7 +155,7 @@ func (this *HTTPFirewallPolicyDAO) FindEnabledPolicyBlackIPListId(ctx context.Co
 	return config.Inbound.DenyListRef.ListId, nil
 }
 
-// 根据服务Id查找WAF策略
+// FindEnabledHTTPFirewallPolicyWithServerId 根据服务Id查找WAF策略
 func (this *HTTPFirewallPolicyDAO) FindEnabledHTTPFirewallPolicyWithServerId(ctx context.Context, serverId int64) (*pb.HTTPFirewallPolicy, error) {
 	serverResp, err := this.RPC().ServerRPC().FindEnabledServer(ctx, &pb.FindEnabledServerRequest{ServerId: serverId})
 	if err != nil {
@@ -180,3 +181,72 @@ func (this *HTTPFirewallPolicyDAO) FindEnabledHTTPFirewallPolicyWithServerId(ctx
 	}
 	return SharedHTTPFirewallPolicyDAO.FindEnabledHTTPFirewallPolicy(ctx, cluster.HttpFirewallPolicyId)
 }
+
+// FindHTTPFirewallActionConfigs 查找动作相关信息
+func (this *HTTPFirewallPolicyDAO) FindHTTPFirewallActionConfigs(ctx context.Context, actions []*firewallconfigs.HTTPFirewallActionConfig) ([]maps.Map, error) {
+	var actionConfigs = []maps.Map{}
+	for _, action := range actions {
+		def := firewallconfigs.FindActionDefinition(action.Code)
+		if def == nil {
+			continue
+		}
+		if action.Options == nil {
+			action.Options = maps.Map{}
+		}
+
+		switch action.Code {
+		case firewallconfigs.HTTPFirewallActionRecordIP:
+			listId := action.Options.GetInt64("ipListId")
+			listResp, err := this.RPC().IPListRPC().FindEnabledIPList(ctx, &pb.FindEnabledIPListRequest{IpListId: listId})
+			if err != nil {
+				return nil, err
+			}
+			if listResp.IpList != nil {
+				action.Options["ipListName"] = listResp.IpList.Name
+			} else {
+				action.Options["ipListName"] = action.Options.GetString("ipListName") + "(已删除)"
+			}
+		case firewallconfigs.HTTPFirewallActionGoGroup:
+			groupId := action.Options.GetInt64("groupId")
+			groupResp, err := this.RPC().HTTPFirewallRuleGroupRPC().FindEnabledHTTPFirewallRuleGroup(ctx, &pb.FindEnabledHTTPFirewallRuleGroupRequest{FirewallRuleGroupId: groupId})
+			if err != nil {
+				return nil, err
+			}
+			if groupResp.FirewallRuleGroup != nil {
+				action.Options["groupName"] = groupResp.FirewallRuleGroup.Name
+			} else {
+				action.Options["groupName"] = action.Options.GetString("groupName") + "(已删除)"
+			}
+		case firewallconfigs.HTTPFirewallActionGoSet:
+			groupId := action.Options.GetInt64("groupId")
+			groupResp, err := this.RPC().HTTPFirewallRuleGroupRPC().FindEnabledHTTPFirewallRuleGroup(ctx, &pb.FindEnabledHTTPFirewallRuleGroupRequest{FirewallRuleGroupId: groupId})
+			if err != nil {
+				return nil, err
+			}
+			if groupResp.FirewallRuleGroup != nil {
+				action.Options["groupName"] = groupResp.FirewallRuleGroup.Name
+			} else {
+				action.Options["groupName"] = action.Options.GetString("groupName") + "(已删除)"
+			}
+
+			setId := action.Options.GetInt64("setId")
+			setResp, err := this.RPC().HTTPFirewallRuleSetRPC().FindEnabledHTTPFirewallRuleSet(ctx, &pb.FindEnabledHTTPFirewallRuleSetRequest{FirewallRuleSetId: setId})
+			if err != nil {
+				return nil, err
+			}
+			if setResp.FirewallRuleSet != nil {
+				action.Options["setName"] = setResp.FirewallRuleSet.Name
+			} else {
+				action.Options["setName"] = action.Options.GetString("setName") + "(已删除)"
+			}
+		}
+
+		actionConfigs = append(actionConfigs, maps.Map{
+			"name":     def.Name,
+			"code":     def.Code,
+			"category": def.Category,
+			"options":  action.Options,
+		})
+	}
+	return actionConfigs, nil
+}

pkg/rpc/dao/ip_list_dao.go

@@ -15,7 +15,7 @@ type IPListDAO struct {
 	BaseDAO
 }
 
-// 查找服务的允许IP列表
+// FindAllowIPListIdWithServerId 查找服务的允许IP列表
 func (this *IPListDAO) FindAllowIPListIdWithServerId(ctx context.Context, serverId int64) (int64, error) {
 	webConfig, err := SharedHTTPWebDAO.FindWebConfigWithServerId(ctx, serverId)
 	if err != nil {
@@ -30,7 +30,7 @@ func (this *IPListDAO) FindAllowIPListIdWithServerId(ctx context.Context, server
 	return webConfig.FirewallPolicy.Inbound.AllowListRef.ListId, nil
 }
 
-// 查找服务的禁止IP列表
+// FindDenyIPListIdWithServerId 查找服务的禁止IP列表
 func (this *IPListDAO) FindDenyIPListIdWithServerId(ctx context.Context, serverId int64) (int64, error) {
 	webConfig, err := SharedHTTPWebDAO.FindWebConfigWithServerId(ctx, serverId)
 	if err != nil {
@@ -45,7 +45,7 @@ func (this *IPListDAO) FindDenyIPListIdWithServerId(ctx context.Context, serverI
 	return webConfig.FirewallPolicy.Inbound.DenyListRef.ListId, nil
 }
 
-// 为服务创建IP名单
+// CreateIPListForServerId 为服务创建IP名单
 func (this *IPListDAO) CreateIPListForServerId(ctx context.Context, serverId int64, listType string) (int64, error) {
 	webConfig, err := SharedHTTPWebDAO.FindWebConfigWithServerId(ctx, serverId)
 	if err != nil {

pkg/serverconfigs/firewallconfigs/http_firewall_action_allow.go

@@ -1,4 +1,5 @@
 package firewallconfigs
 
 type HTTPFirewallAllowAction struct {
+	Life int64 `yaml:"life" json:"life"`
 }

pkg/serverconfigs/firewallconfigs/http_firewall_action_block.go

@@ -1,8 +1,9 @@
 package firewallconfigs
 
-// url client configure
+// HTTPFirewallBlockAction url client configure
 type HTTPFirewallBlockAction struct {
 	StatusCode int    `yaml:"statusCode" json:"statusCode"`
 	Body       string `yaml:"body" json:"body"` // supports HTML
 	URL        string `yaml:"url" json:"url"`
+	Life       int64  `yaml:"life" json:"life"`
 }

pkg/serverconfigs/firewallconfigs/http_firewall_action_captcha.go

@@ -1,4 +1,5 @@
 package firewallconfigs
 
 type HTTPFirewallCaptchaAction struct {
+	Life int64 `yaml:"life" json:"life"`
 }

pkg/serverconfigs/firewallconfigs/http_firewall_action_definition.go

@@ -2,10 +2,19 @@ package firewallconfigs
 
 import "reflect"
 
-// action definition
+type HTTPFirewallActionCategory = string
+
+const (
+	HTTPFirewallActionCategoryBlock  HTTPFirewallActionCategory = "block"
+	HTTPFirewallActionCategoryAllow  HTTPFirewallActionCategory = "allow"
+	HTTPFirewallActionCategoryVerify HTTPFirewallActionCategory = "verify"
+)
+
+// HTTPFirewallActionDefinition action definition
 type HTTPFirewallActionDefinition struct {
-	Name        string
+	Name        string                     `json:"name"`
-	Code        HTTPFirewallActionString
+	Code        HTTPFirewallActionString   `json:"code"`
-	Description string
+	Description string                     `json:"description"`
-	Type        reflect.Type
+	Type        reflect.Type               `json:"type"`
+	Category    HTTPFirewallActionCategory `json:"category"`
 }

pkg/serverconfigs/firewallconfigs/http_firewall_action_get_302.go

@@ -0,0 +1,7 @@
+// Copyright 2021 Liuxiangchao iwind.liu@gmail.com. All rights reserved.
+
+package firewallconfigs
+
+type HTTPFirewallGet302Action struct {
+	Life int64 `yaml:"life" json:"life"`
+}

pkg/serverconfigs/firewallconfigs/http_firewall_action_post_307.go

@@ -0,0 +1,7 @@
+// Copyright 2021 Liuxiangchao iwind.liu@gmail.com. All rights reserved.
+
+package firewallconfigs
+
+type HTTPFirewallPost307Action struct {
+	Life int64 `yaml:"life" json:"life"`
+}

pkg/serverconfigs/firewallconfigs/http_firewall_action_record_ip.go

@@ -0,0 +1,10 @@
+// Copyright 2021 Liuxiangchao iwind.liu@gmail.com. All rights reserved.
+
+package firewallconfigs
+
+type HTTPFirewallRecordIPAction struct {
+	Type     string `yaml:"type" json:"type"`
+	IPListId int64  `yaml:"ipListId" json:"ipListId"`
+	Level    string `yaml:"level" json:"level"`
+	Timeout  int64  `yaml:"timeout" json:"timeout"`
+}

pkg/serverconfigs/firewallconfigs/http_firewall_action_tag.go

@@ -0,0 +1,7 @@
+// Copyright 2021 Liuxiangchao iwind.liu@gmail.com. All rights reserved.
+
+package firewallconfigs
+
+type HTTPFirewallTagAction struct {
+	Tags []string `yaml:"tags" json:"tags"`
+}

pkg/serverconfigs/firewallconfigs/http_firewall_action_type.go

@@ -3,10 +3,15 @@ package firewallconfigs
 type HTTPFirewallActionString = string
 
 const (
-	HTTPFirewallActionLog     = "log"      // allow and log
+	HTTPFirewallActionLog      HTTPFirewallActionString = "log"       // allow and log
-	HTTPFirewallActionBlock   = "block"    // block
+	HTTPFirewallActionBlock    HTTPFirewallActionString = "block"     // block
-	HTTPFirewallActionCaptcha = "captcha"  // block and show captcha
+	HTTPFirewallActionCaptcha  HTTPFirewallActionString = "captcha"   // block and show captcha
-	HTTPFirewallActionAllow   = "allow"    // allow
+	HTTPFirewallActionNotify   HTTPFirewallActionString = "notify"    // 告警
-	HTTPFirewallActionGoGroup = "go_group" // go to next rule group
+	HTTPFirewallActionGet302   HTTPFirewallActionString = "get_302"   // 针对GET的302重定向认证
-	HTTPFirewallActionGoSet   = "go_set"   // go to next rule set
+	HTTPFirewallActionPost307  HTTPFirewallActionString = "post_307"  // 针对POST的307重定向认证
+	HTTPFirewallActionRecordIP HTTPFirewallActionString = "record_ip" // 记录IP
+	HTTPFirewallActionTag      HTTPFirewallActionString = "tag"       // 标签
+	HTTPFirewallActionAllow    HTTPFirewallActionString = "allow"     // allow
+	HTTPFirewallActionGoGroup  HTTPFirewallActionString = "go_group"  // go to next rule group
+	HTTPFirewallActionGoSet    HTTPFirewallActionString = "go_set"    // go to next rule set
 )

pkg/serverconfigs/firewallconfigs/http_firewall_action_utils.go

@@ -6,38 +6,78 @@ import (
 
 var AllActions = []*HTTPFirewallActionDefinition{
 	{
-		Name: "阻止",
+		Name:        "阻止",
-		Code: HTTPFirewallActionBlock,
+		Code:        HTTPFirewallActionBlock,
+		Description: "阻止请求并中断当前连接。",
+		Category:    HTTPFirewallActionCategoryBlock,
 	},
 	{
-		Name: "允许通过",
+		Name:        "允许通过",
-		Code: HTTPFirewallActionAllow,
+		Code:        HTTPFirewallActionAllow,
+		Description: "允许正常通过，不记录到日志。",
+		Category:    HTTPFirewallActionCategoryAllow,
 	},
 	{
-		Name: "允许并记录日志",
+		Name:        "允许并记录日志",
-		Code: HTTPFirewallActionLog,
+		Code:        HTTPFirewallActionLog,
+		Description: "允许正常通过并记录到日志。",
+		Category:    HTTPFirewallActionCategoryAllow,
 	},
 	{
-		Name: "Captcha验证码",
+		Name:        "Captcha验证码",
-		Code: HTTPFirewallActionCaptcha,
+		Code:        HTTPFirewallActionCaptcha,
+		Description: "在浏览器使用验证码来验证客户端。",
+		Category:    HTTPFirewallActionCategoryVerify,
 	},
 	{
-		Name: "跳到下一个规则分组",
+		Name:        "告警",
-		Code: HTTPFirewallActionGoGroup,
+		Code:        HTTPFirewallActionNotify,
-		Type: reflect.TypeOf(new(HTTPFirewallGoGroupAction)).Elem(),
+		Description: "发送消息通知。",
+		Category:    HTTPFirewallActionCategoryVerify,
 	},
 	{
-		Name: "跳到下一个规则集",
+		Name:        "GET 302",
-		Code: HTTPFirewallActionGoSet,
+		Code:        HTTPFirewallActionGet302,
-		Type: reflect.TypeOf(new(HTTPFirewallGoSetAction)).Elem(),
+		Description: "通过302重定向GET请求验证客户端。",
+		Category:    HTTPFirewallActionCategoryVerify,
+	},
+	{
+		Name:        "POST 307",
+		Code:        HTTPFirewallActionPost307,
+		Description: "通过307重定向POST请求验证客户端。",
+		Category:    HTTPFirewallActionCategoryVerify,
+	},
+	{
+		Name:        "记录IP",
+		Code:        HTTPFirewallActionRecordIP,
+		Description: "将此IP记录到某个IP名单中。",
+		Category:    HTTPFirewallActionCategoryBlock,
+	},
+	{
+		Name:        "标签",
+		Code:        HTTPFirewallActionTag,
+		Description: "为匹配的请求打上标签。",
+		Category:    HTTPFirewallActionCategoryAllow,
+	},
+	{
+		Name:     "跳到下一个规则分组",
+		Code:     HTTPFirewallActionGoGroup,
+		Type:     reflect.TypeOf(new(HTTPFirewallGoGroupAction)).Elem(),
+		Category: HTTPFirewallActionCategoryVerify,
+	},
+	{
+		Name:     "跳到下一个规则集",
+		Code:     HTTPFirewallActionGoSet,
+		Type:     reflect.TypeOf(new(HTTPFirewallGoSetAction)).Elem(),
+		Category: HTTPFirewallActionCategoryVerify,
 	},
 }
 
-func FindActionName(action HTTPFirewallActionString) string {
+func FindActionDefinition(actionCode HTTPFirewallActionString) *HTTPFirewallActionDefinition {
 	for _, def := range AllActions {
-		if def.Code == action {
+		if def.Code == actionCode {
-			return def.Name
+			return def
 		}
 	}
-	return ""
+	return nil
 }

pkg/serverconfigs/firewallconfigs/http_firewall_policy.go

@@ -2,7 +2,7 @@ package firewallconfigs
 
 import "encoding/json"
 
-// 防火墙策略
+// HTTPFirewallPolicy 防火墙策略
 type HTTPFirewallPolicy struct {
 	Id           int64                       `yaml:"id" json:"id"`
 	IsOn         bool                        `yaml:"isOn" json:"isOn"`
@@ -11,9 +11,10 @@ type HTTPFirewallPolicy struct {
 	Inbound      *HTTPFirewallInboundConfig  `yaml:"inbound" json:"inbound"`
 	Outbound     *HTTPFirewallOutboundConfig `yaml:"outbound" json:"outbound"`
 	BlockOptions *HTTPFirewallBlockAction    `yaml:"blockOptions" json:"blockOptions"`
+
 }
 
-// 初始化
+// Init 初始化
 func (this *HTTPFirewallPolicy) Init() error {
 	if this.Inbound != nil {
 		err := this.Inbound.Init()
@@ -31,7 +32,7 @@ func (this *HTTPFirewallPolicy) Init() error {
 	return nil
 }
 
-// 获取所有分组
+// AllRuleGroups 获取所有分组
 func (this *HTTPFirewallPolicy) AllRuleGroups() []*HTTPFirewallRuleGroup {
 	result := []*HTTPFirewallRuleGroup{}
 	if this.Inbound != nil {
@@ -43,7 +44,7 @@ func (this *HTTPFirewallPolicy) AllRuleGroups() []*HTTPFirewallRuleGroup {
 	return result
 }
 
-// 根据代号查找分组
+// FindRuleGroupWithCode 根据代号查找分组
 func (this *HTTPFirewallPolicy) FindRuleGroupWithCode(code string) *HTTPFirewallRuleGroup {
 	for _, g := range this.AllRuleGroups() {
 		if g.Code == code {
@@ -53,7 +54,7 @@ func (this *HTTPFirewallPolicy) FindRuleGroupWithCode(code string) *HTTPFirewall
 	return nil
 }
 
-// 根据ID查找分组
+// FindRuleGroup 根据ID查找分组
 func (this *HTTPFirewallPolicy) FindRuleGroup(groupId int64) *HTTPFirewallRuleGroup {
 	for _, g := range this.AllRuleGroups() {
 		if g.Id == groupId {
@@ -63,7 +64,7 @@ func (this *HTTPFirewallPolicy) FindRuleGroup(groupId int64) *HTTPFirewallRuleGr
 	return nil
 }
 
-// 删除某个分组
+// RemoveRuleGroup 删除某个分组
 func (this *HTTPFirewallPolicy) RemoveRuleGroup(groupId int64) {
 	if this.Inbound != nil {
 		this.Inbound.RemoveRuleGroup(groupId)
@@ -73,7 +74,7 @@ func (this *HTTPFirewallPolicy) RemoveRuleGroup(groupId int64) {
 	}
 }
 
-// Inbound JSON
+// InboundJSON Inbound JSON
 func (this *HTTPFirewallPolicy) InboundJSON() ([]byte, error) {
 	if this.Inbound == nil {
 		return []byte("null"), nil
@@ -86,7 +87,7 @@ func (this *HTTPFirewallPolicy) InboundJSON() ([]byte, error) {
 	return json.Marshal(this.Inbound)
 }
 
-// Outbound JSON
+// OutboundJSON Outbound JSON
 func (this *HTTPFirewallPolicy) OutboundJSON() ([]byte, error) {
 	if this.Inbound == nil {
 		return []byte("null"), nil

pkg/serverconfigs/firewallconfigs/http_firewall_rule_set.go

@@ -2,21 +2,30 @@ package firewallconfigs
 
 import "github.com/iwind/TeaGo/maps"
 
-// 规则集定义
+// HTTPFirewallActionConfig 单个动作配置
-type HTTPFirewallRuleSet struct {
+type HTTPFirewallActionConfig struct {
-	Id            int64                  `yaml:"id" json:"id"`
+	Code    HTTPFirewallActionString `yaml:"code" json:"code"`
-	IsOn          bool                   `yaml:"isOn" json:"isOn"`
+	Options maps.Map                 `yaml:"options" json:"options"`
-	Name          string                 `yaml:"name" json:"name"`
-	Code          string                 `yaml:"code" json:"code"`
-	Description   string                 `yaml:"description" json:"description"`
-	Connector     string                 `yaml:"connector" json:"connector"`
-	RuleRefs      []*HTTPFirewallRuleRef `yaml:"ruleRefs" json:"ruleRefs"`
-	Rules         []*HTTPFirewallRule    `yaml:"rules" json:"rules"`
-	Action        string                 `yaml:"action" json:"action"`
-	ActionOptions maps.Map               `yaml:"actionOptions" json:"actionOptions"`
 }
 
-// 初始化
+// HTTPFirewallRuleSet 规则集定义
+type HTTPFirewallRuleSet struct {
+	Id          int64                  `yaml:"id" json:"id"`
+	IsOn        bool                   `yaml:"isOn" json:"isOn"`
+	Name        string                 `yaml:"name" json:"name"`
+	Code        string                 `yaml:"code" json:"code"`
+	Description string                 `yaml:"description" json:"description"`
+	Connector   string                 `yaml:"connector" json:"connector"`
+	RuleRefs    []*HTTPFirewallRuleRef `yaml:"ruleRefs" json:"ruleRefs"`
+	Rules       []*HTTPFirewallRule    `yaml:"rules" json:"rules"`
+
+	Actions []*HTTPFirewallActionConfig `yaml:"actions" json:"actions"`
+
+	//Action        string   `yaml:"action" json:"action"`               // deprecated, v0.2.5
+	//ActionOptions maps.Map `yaml:"actionOptions" json:"actionOptions"` // deprecated, v0.2.5
+}
+
+// Init 初始化
 func (this *HTTPFirewallRuleSet) Init() error {
 	for _, rule := range this.Rules {
 		err := rule.Init()
@@ -24,10 +33,11 @@ func (this *HTTPFirewallRuleSet) Init() error {
 			return err
 		}
 	}
+
 	return nil
 }
 
-// 添加规则
+// AddRule 添加规则
 func (this *HTTPFirewallRuleSet) AddRule(rule *HTTPFirewallRule) {
 	this.Rules = append(this.Rules, rule)
 }

pkg/serverconfigs/firewallconfigs/http_firewall_template.go

@@ -27,7 +27,11 @@ func HTTPFirewallTemplate() *HTTPFirewallPolicy {
 			set.Name = "Javascript事件"
 			set.Code = "1001"
 			set.Connector = HTTPFirewallRuleConnectorOr
-			set.Action = HTTPFirewallActionBlock
+			set.Actions = []*HTTPFirewallActionConfig{
+				{
+					Code: HTTPFirewallActionBlock,
+				},
+			}
 			set.AddRule(&HTTPFirewallRule{
 				IsOn:              true,
 				Param:             "${requestURI}",
@@ -44,7 +48,11 @@ func HTTPFirewallTemplate() *HTTPFirewallPolicy {
 			set.Name = "Javascript函数"
 			set.Code = "1002"
 			set.Connector = HTTPFirewallRuleConnectorOr
-			set.Action = HTTPFirewallActionBlock
+			set.Actions = []*HTTPFirewallActionConfig{
+				{
+					Code: HTTPFirewallActionBlock,
+				},
+			}
 			set.AddRule(&HTTPFirewallRule{
 				IsOn:              true,
 				Param:             "${requestURI}",
@@ -61,7 +69,11 @@ func HTTPFirewallTemplate() *HTTPFirewallPolicy {
 			set.Name = "HTML标签"
 			set.Code = "1003"
 			set.Connector = HTTPFirewallRuleConnectorOr
-			set.Action = HTTPFirewallActionBlock
+			set.Actions = []*HTTPFirewallActionConfig{
+				{
+					Code: HTTPFirewallActionBlock,
+				},
+			}
 			set.AddRule(&HTTPFirewallRule{
 				IsOn:              true,
 				Param:             "${requestURI}",
@@ -89,7 +101,11 @@ func HTTPFirewallTemplate() *HTTPFirewallPolicy {
 			set.Name = "上传文件扩展名"
 			set.Code = "2001"
 			set.Connector = HTTPFirewallRuleConnectorOr
-			set.Action = HTTPFirewallActionBlock
+			set.Actions = []*HTTPFirewallActionConfig{
+				{
+					Code: HTTPFirewallActionBlock,
+				},
+			}
 			set.AddRule(&HTTPFirewallRule{
 				IsOn:              true,
 				Param:             "${requestUpload.ext}",
@@ -117,7 +133,11 @@ func HTTPFirewallTemplate() *HTTPFirewallPolicy {
 			set.Name = "Web Shell"
 			set.Code = "3001"
 			set.Connector = HTTPFirewallRuleConnectorOr
-			set.Action = HTTPFirewallActionBlock
+			set.Actions = []*HTTPFirewallActionConfig{
+				{
+					Code: HTTPFirewallActionBlock,
+				},
+			}
 			set.AddRule(&HTTPFirewallRule{
 				IsOn:              true,
 				Param:             "${requestAll}",
@@ -144,7 +164,11 @@ func HTTPFirewallTemplate() *HTTPFirewallPolicy {
 			set.Name = "命令注入"
 			set.Code = "4001"
 			set.Connector = HTTPFirewallRuleConnectorOr
-			set.Action = HTTPFirewallActionBlock
+			set.Actions = []*HTTPFirewallActionConfig{
+				{
+					Code: HTTPFirewallActionBlock,
+				},
+			}
 			set.AddRule(&HTTPFirewallRule{
 				IsOn:              true,
 				Param:             "${requestURI}",
@@ -179,7 +203,11 @@ func HTTPFirewallTemplate() *HTTPFirewallPolicy {
 			set.Name = "路径穿越"
 			set.Code = "5001"
 			set.Connector = HTTPFirewallRuleConnectorOr
-			set.Action = HTTPFirewallActionBlock
+			set.Actions = []*HTTPFirewallActionConfig{
+				{
+					Code: HTTPFirewallActionBlock,
+				},
+			}
 			set.AddRule(&HTTPFirewallRule{
 				IsOn:              true,
 				Param:             "${requestURI}",
@@ -207,7 +235,11 @@ func HTTPFirewallTemplate() *HTTPFirewallPolicy {
 			set.Name = "特殊目录"
 			set.Code = "6001"
 			set.Connector = HTTPFirewallRuleConnectorOr
-			set.Action = HTTPFirewallActionBlock
+			set.Actions = []*HTTPFirewallActionConfig{
+				{
+					Code: HTTPFirewallActionBlock,
+				},
+			}
 			set.AddRule(&HTTPFirewallRule{
 				IsOn:              true,
 				Param:             "${requestPath}",
@@ -235,7 +267,11 @@ func HTTPFirewallTemplate() *HTTPFirewallPolicy {
 			set.Name = "Union SQL Injection"
 			set.Code = "7001"
 			set.Connector = HTTPFirewallRuleConnectorOr
-			set.Action = HTTPFirewallActionBlock
+			set.Actions = []*HTTPFirewallActionConfig{
+				{
+					Code: HTTPFirewallActionBlock,
+				},
+			}
 
 			set.AddRule(&HTTPFirewallRule{
 				IsOn:              true,
@@ -254,7 +290,11 @@ func HTTPFirewallTemplate() *HTTPFirewallPolicy {
 			set.Name = "SQL注释"
 			set.Code = "7002"
 			set.Connector = HTTPFirewallRuleConnectorOr
-			set.Action = HTTPFirewallActionBlock
+			set.Actions = []*HTTPFirewallActionConfig{
+				{
+					Code: HTTPFirewallActionBlock,
+				},
+			}
 
 			set.AddRule(&HTTPFirewallRule{
 				IsOn:              true,
@@ -273,7 +313,11 @@ func HTTPFirewallTemplate() *HTTPFirewallPolicy {
 			set.Name = "SQL条件"
 			set.Code = "7003"
 			set.Connector = HTTPFirewallRuleConnectorOr
-			set.Action = HTTPFirewallActionBlock
+			set.Actions = []*HTTPFirewallActionConfig{
+				{
+					Code: HTTPFirewallActionBlock,
+				},
+			}
 
 			set.AddRule(&HTTPFirewallRule{
 				IsOn:              true,
@@ -313,7 +357,11 @@ func HTTPFirewallTemplate() *HTTPFirewallPolicy {
 			set.Name = "SQL函数"
 			set.Code = "7004"
 			set.Connector = HTTPFirewallRuleConnectorOr
-			set.Action = HTTPFirewallActionBlock
+			set.Actions = []*HTTPFirewallActionConfig{
+				{
+					Code: HTTPFirewallActionBlock,
+				},
+			}
 
 			set.AddRule(&HTTPFirewallRule{
 				IsOn:              true,
@@ -332,7 +380,11 @@ func HTTPFirewallTemplate() *HTTPFirewallPolicy {
 			set.Name = "SQL附加语句"
 			set.Code = "7005"
 			set.Connector = HTTPFirewallRuleConnectorOr
-			set.Action = HTTPFirewallActionBlock
+			set.Actions = []*HTTPFirewallActionConfig{
+				{
+					Code: HTTPFirewallActionBlock,
+				},
+			}
 
 			set.AddRule(&HTTPFirewallRule{
 				IsOn:              true,
@@ -362,7 +414,11 @@ func HTTPFirewallTemplate() *HTTPFirewallPolicy {
 			set.Name = "常见网络爬虫"
 			set.Code = "20001"
 			set.Connector = HTTPFirewallRuleConnectorOr
-			set.Action = HTTPFirewallActionBlock
+			set.Actions = []*HTTPFirewallActionConfig{
+				{
+					Code: HTTPFirewallActionBlock,
+				},
+			}
 
 			set.AddRule(&HTTPFirewallRule{
 				IsOn:              true,
@@ -393,7 +449,11 @@ func HTTPFirewallTemplate() *HTTPFirewallPolicy {
 			set.Description = "限制单IP在一定时间内的请求数"
 			set.Code = "8001"
 			set.Connector = HTTPFirewallRuleConnectorAnd
-			set.Action = HTTPFirewallActionBlock
+			set.Actions = []*HTTPFirewallActionConfig{
+				{
+					Code: HTTPFirewallActionBlock,
+				},
+			}
 			set.AddRule(&HTTPFirewallRule{
 				IsOn:     true,
 				Param:    "${cc.requests}",

pkg/serverconfigs/shared/request_variables.go

@@ -8,8 +8,8 @@ import "github.com/iwind/TeaGo/maps"
 func DefaultRequestVariables() []maps.Map {
 	return []maps.Map{
 		{"code": "${edgeVersion}", "name": "边缘节点版本", "description": ""},
-		{"code": "${remoteAddr}", "name": "客户端地址（IP）", "description": "会依次根据X-Forwarded-For、X-Real-IP、RemoteAddr获取"},
+		{"code": "${remoteAddr}", "name": "客户端地址（IP）", "description": "会依次根据X-Forwarded-For、X-Real-IP、RemoteAddr获取，适合前端有别的反向代理服务时使用，存在伪造的风险"},
-		{"code": "${rawRemoteAddr}", "name": "客户端地址（IP）", "description": "返回直接连接服务的客户端原始IP地址，从v0.1.3版本加入"},
+		{"code": "${rawRemoteAddr}", "name": "客户端地址（IP）", "description": "返回直接连接服务的客户端原始IP地址"},
 		{"code": "${remotePort}", "name": "客户端端口", "description": ""},
 		{"code": "${remoteUser}", "name": "客户端用户名", "description": ""},
 		{"code": "${requestURI}", "name": "请求URI", "description": ""},