TRKJ/EdgeCommon
2
0
Fork 0
mirror of https://github.com/TeaOSLab/EdgeCommon.git synced 2025-11-04 13:10:24 +08:00
Code Issues Packages Projects Releases Wiki Activity

WAF支持更多动作

Browse Source
This commit is contained in:
刘祥超
2021-07-14 22:46:31 +08:00
parent b4c72dc8f4
commit 66f04de8c1
16 changed files with 309 additions and 80 deletions
Download Patch File Download Diff File Expand all files Collapse all files

86
pkg/rpc/dao/http_firewall_policy_dao.go
View File

@@ -7,16 +7,17 @@ import (
"github.com/TeaOSLab/EdgeCommon/pkg/rpc/pb"
"github.com/TeaOSLab/EdgeCommon/pkg/serverconfigs/firewallconfigs"
"github.com/TeaOSLab/EdgeCommon/pkg/serverconfigs/ipconfigs"
"github.com/iwind/TeaGo/maps"
)
var SharedHTTPFirewallPolicyDAO = new(HTTPFirewallPolicyDAO)
// WAF策略相关
// HTTPFirewallPolicyDAO WAF策略相关
type HTTPFirewallPolicyDAO struct {
BaseDAO
}
// 查找WAF策略基本信息
// FindEnabledHTTPFirewallPolicy 查找WAF策略基本信息
func (this *HTTPFirewallPolicyDAO) FindEnabledHTTPFirewallPolicy(ctx context.Context, policyId int64) (*pb.HTTPFirewallPolicy, error) {
resp, err := this.RPC().HTTPFirewallPolicyRPC().FindEnabledHTTPFirewallPolicy(ctx, &pb.FindEnabledHTTPFirewallPolicyRequest{HttpFirewallPolicyId: policyId})
if err != nil {
@@ -25,7 +26,7 @@ func (this *HTTPFirewallPolicyDAO) FindEnabledHTTPFirewallPolicy(ctx context.Con
return resp.HttpFirewallPolicy, nil
}
// 查找WAF策略配置
// FindEnabledHTTPFirewallPolicyConfig 查找WAF策略配置
func (this *HTTPFirewallPolicyDAO) FindEnabledHTTPFirewallPolicyConfig(ctx context.Context, policyId int64) (*firewallconfigs.HTTPFirewallPolicy, error) {
resp, err := this.RPC().HTTPFirewallPolicyRPC().FindEnabledHTTPFirewallPolicyConfig(ctx, &pb.FindEnabledHTTPFirewallPolicyConfigRequest{HttpFirewallPolicyId: policyId})
if err != nil {
@@ -42,7 +43,7 @@ func (this *HTTPFirewallPolicyDAO) FindEnabledHTTPFirewallPolicyConfig(ctx conte
return firewallPolicy, nil
}
// 查找WAF的Inbound
// FindEnabledHTTPFirewallPolicyInboundConfig 查找WAF的Inbound
func (this *HTTPFirewallPolicyDAO) FindEnabledHTTPFirewallPolicyInboundConfig(ctx context.Context, policyId int64) (*firewallconfigs.HTTPFirewallInboundConfig, error) {
config, err := this.FindEnabledHTTPFirewallPolicyConfig(ctx, policyId)
if err != nil {
@@ -54,7 +55,7 @@ func (this *HTTPFirewallPolicyDAO) FindEnabledHTTPFirewallPolicyInboundConfig(ct
return config.Inbound, nil
}
// 根据类型查找WAF的IP名单
// FindEnabledPolicyIPListIdWithType 根据类型查找WAF的IP名单
func (this *HTTPFirewallPolicyDAO) FindEnabledPolicyIPListIdWithType(ctx context.Context, policyId int64, listType ipconfigs.IPListType) (int64, error) {
switch listType {
case ipconfigs.IPListTypeWhite:
@@ -66,7 +67,7 @@ func (this *HTTPFirewallPolicyDAO) FindEnabledPolicyIPListIdWithType(ctx context
}
}
// 查找WAF的白名单
// FindEnabledPolicyWhiteIPListId 查找WAF的白名单
func (this *HTTPFirewallPolicyDAO) FindEnabledPolicyWhiteIPListId(ctx context.Context, policyId int64) (int64, error) {
config, err := this.FindEnabledHTTPFirewallPolicyConfig(ctx, policyId)
if err != nil {
@@ -110,7 +111,7 @@ func (this *HTTPFirewallPolicyDAO) FindEnabledPolicyWhiteIPListId(ctx context.Co
return config.Inbound.AllowListRef.ListId, nil
}
// 查找WAF的黑名单
// FindEnabledPolicyBlackIPListId 查找WAF的黑名单
func (this *HTTPFirewallPolicyDAO) FindEnabledPolicyBlackIPListId(ctx context.Context, policyId int64) (int64, error) {
config, err := this.FindEnabledHTTPFirewallPolicyConfig(ctx, policyId)
if err != nil {
@@ -154,7 +155,7 @@ func (this *HTTPFirewallPolicyDAO) FindEnabledPolicyBlackIPListId(ctx context.Co
return config.Inbound.DenyListRef.ListId, nil
}
// 根据服务Id查找WAF策略
// FindEnabledHTTPFirewallPolicyWithServerId 根据服务Id查找WAF策略
func (this *HTTPFirewallPolicyDAO) FindEnabledHTTPFirewallPolicyWithServerId(ctx context.Context, serverId int64) (*pb.HTTPFirewallPolicy, error) {
serverResp, err := this.RPC().ServerRPC().FindEnabledServer(ctx, &pb.FindEnabledServerRequest{ServerId: serverId})
if err != nil {
@@ -180,3 +181,72 @@ func (this *HTTPFirewallPolicyDAO) FindEnabledHTTPFirewallPolicyWithServerId(ctx
}
return SharedHTTPFirewallPolicyDAO.FindEnabledHTTPFirewallPolicy(ctx, cluster.HttpFirewallPolicyId)
}
// FindHTTPFirewallActionConfigs 查找动作相关信息
func (this *HTTPFirewallPolicyDAO) FindHTTPFirewallActionConfigs(ctx context.Context, actions []*firewallconfigs.HTTPFirewallActionConfig) ([]maps.Map, error) {
var actionConfigs = []maps.Map{}
for _, action := range actions {
def := firewallconfigs.FindActionDefinition(action.Code)
if def == nil {
continue
}
if action.Options == nil {
action.Options = maps.Map{}
}
switch action.Code {
case firewallconfigs.HTTPFirewallActionRecordIP:
listId := action.Options.GetInt64("ipListId")
listResp, err := this.RPC().IPListRPC().FindEnabledIPList(ctx, &pb.FindEnabledIPListRequest{IpListId: listId})
if err != nil {
return nil, err
}
if listResp.IpList != nil {
action.Options["ipListName"] = listResp.IpList.Name
} else {
action.Options["ipListName"] = action.Options.GetString("ipListName") + "(已删除)"
}
case firewallconfigs.HTTPFirewallActionGoGroup:
groupId := action.Options.GetInt64("groupId")
groupResp, err := this.RPC().HTTPFirewallRuleGroupRPC().FindEnabledHTTPFirewallRuleGroup(ctx, &pb.FindEnabledHTTPFirewallRuleGroupRequest{FirewallRuleGroupId: groupId})
if err != nil {
return nil, err
}
if groupResp.FirewallRuleGroup != nil {
action.Options["groupName"] = groupResp.FirewallRuleGroup.Name
} else {
action.Options["groupName"] = action.Options.GetString("groupName") + "(已删除)"
}
case firewallconfigs.HTTPFirewallActionGoSet:
groupId := action.Options.GetInt64("groupId")
groupResp, err := this.RPC().HTTPFirewallRuleGroupRPC().FindEnabledHTTPFirewallRuleGroup(ctx, &pb.FindEnabledHTTPFirewallRuleGroupRequest{FirewallRuleGroupId: groupId})
if err != nil {
return nil, err
}
if groupResp.FirewallRuleGroup != nil {
action.Options["groupName"] = groupResp.FirewallRuleGroup.Name
} else {
action.Options["groupName"] = action.Options.GetString("groupName") + "(已删除)"
}
setId := action.Options.GetInt64("setId")
setResp, err := this.RPC().HTTPFirewallRuleSetRPC().FindEnabledHTTPFirewallRuleSet(ctx, &pb.FindEnabledHTTPFirewallRuleSetRequest{FirewallRuleSetId: setId})
if err != nil {
return nil, err
}
if setResp.FirewallRuleSet != nil {
action.Options["setName"] = setResp.FirewallRuleSet.Name
} else {
action.Options["setName"] = action.Options.GetString("setName") + "(已删除)"
}
}
actionConfigs = append(actionConfigs, maps.Map{
"name": def.Name,
"code": def.Code,
"category": def.Category,
"options": action.Options,
})
}
return actionConfigs, nil
}

6
pkg/rpc/dao/ip_list_dao.go
View File

@@ -15,7 +15,7 @@ type IPListDAO struct {
BaseDAO
}
// 查找服务的允许IP列表
// FindAllowIPListIdWithServerId 查找服务的允许IP列表
func (this *IPListDAO) FindAllowIPListIdWithServerId(ctx context.Context, serverId int64) (int64, error) {
webConfig, err := SharedHTTPWebDAO.FindWebConfigWithServerId(ctx, serverId)
if err != nil {
@@ -30,7 +30,7 @@ func (this *IPListDAO) FindAllowIPListIdWithServerId(ctx context.Context, server
return webConfig.FirewallPolicy.Inbound.AllowListRef.ListId, nil
}
// 查找服务的禁止IP列表
// FindDenyIPListIdWithServerId 查找服务的禁止IP列表
func (this *IPListDAO) FindDenyIPListIdWithServerId(ctx context.Context, serverId int64) (int64, error) {
webConfig, err := SharedHTTPWebDAO.FindWebConfigWithServerId(ctx, serverId)
if err != nil {
@@ -45,7 +45,7 @@ func (this *IPListDAO) FindDenyIPListIdWithServerId(ctx context.Context, serverI
return webConfig.FirewallPolicy.Inbound.DenyListRef.ListId, nil
}
// 为服务创建IP名单
// CreateIPListForServerId 为服务创建IP名单
func (this *IPListDAO) CreateIPListForServerId(ctx context.Context, serverId int64, listType string) (int64, error) {
webConfig, err := SharedHTTPWebDAO.FindWebConfigWithServerId(ctx, serverId)
if err != nil {

1
pkg/serverconfigs/firewallconfigs/http_firewall_action_allow.go
View File

@@ -1,4 +1,5 @@
package firewallconfigs
type HTTPFirewallAllowAction struct {
Life int64 `yaml:"life" json:"life"`
}

3
pkg/serverconfigs/firewallconfigs/http_firewall_action_block.go
View File

@@ -1,8 +1,9 @@
package firewallconfigs
// url client configure
// HTTPFirewallBlockAction url client configure
type HTTPFirewallBlockAction struct {
StatusCode int `yaml:"statusCode" json:"statusCode"`
Body string `yaml:"body" json:"body"` // supports HTML
URL string `yaml:"url" json:"url"`
Life int64 `yaml:"life" json:"life"`
}

1
pkg/serverconfigs/firewallconfigs/http_firewall_action_captcha.go
View File

@@ -1,4 +1,5 @@
package firewallconfigs
type HTTPFirewallCaptchaAction struct {
Life int64 `yaml:"life" json:"life"`
}

19
pkg/serverconfigs/firewallconfigs/http_firewall_action_definition.go
View File

@@ -2,10 +2,19 @@ package firewallconfigs
import "reflect"
// action definition
type HTTPFirewallActionCategory = string
const (
HTTPFirewallActionCategoryBlock HTTPFirewallActionCategory = "block"
HTTPFirewallActionCategoryAllow HTTPFirewallActionCategory = "allow"
HTTPFirewallActionCategoryVerify HTTPFirewallActionCategory = "verify"
)
// HTTPFirewallActionDefinition action definition
type HTTPFirewallActionDefinition struct {
Name string
Code HTTPFirewallActionString
Description string
Type reflect.Type
Name string `json:"name"`
Code HTTPFirewallActionString `json:"code"`
Description string `json:"description"`
Type reflect.Type `json:"type"`
Category HTTPFirewallActionCategory `json:"category"`
}

7
pkg/serverconfigs/firewallconfigs/http_firewall_action_get_302.go Normal file
View File

@@ -0,0 +1,7 @@
// Copyright 2021 Liuxiangchao iwind.liu@gmail.com. All rights reserved.
package firewallconfigs
type HTTPFirewallGet302Action struct {
Life int64 `yaml:"life" json:"life"`
}

7
pkg/serverconfigs/firewallconfigs/http_firewall_action_post_307.go Normal file
View File

@@ -0,0 +1,7 @@
// Copyright 2021 Liuxiangchao iwind.liu@gmail.com. All rights reserved.
package firewallconfigs
type HTTPFirewallPost307Action struct {
Life int64 `yaml:"life" json:"life"`
}

10
pkg/serverconfigs/firewallconfigs/http_firewall_action_record_ip.go Normal file
View File

@@ -0,0 +1,10 @@
// Copyright 2021 Liuxiangchao iwind.liu@gmail.com. All rights reserved.
package firewallconfigs
type HTTPFirewallRecordIPAction struct {
Type string `yaml:"type" json:"type"`
IPListId int64 `yaml:"ipListId" json:"ipListId"`
Level string `yaml:"level" json:"level"`
Timeout int64 `yaml:"timeout" json:"timeout"`
}

7
pkg/serverconfigs/firewallconfigs/http_firewall_action_tag.go Normal file
View File

@@ -0,0 +1,7 @@
// Copyright 2021 Liuxiangchao iwind.liu@gmail.com. All rights reserved.
package firewallconfigs
type HTTPFirewallTagAction struct {
Tags []string `yaml:"tags" json:"tags"`
}

17
pkg/serverconfigs/firewallconfigs/http_firewall_action_type.go
View File

@@ -3,10 +3,15 @@ package firewallconfigs
type HTTPFirewallActionString = string
const (
HTTPFirewallActionLog = "log" // allow and log
HTTPFirewallActionBlock = "block" // block
HTTPFirewallActionCaptcha = "captcha" // block and show captcha
HTTPFirewallActionAllow = "allow" // allow
HTTPFirewallActionGoGroup = "go_group" // go to next rule group
HTTPFirewallActionGoSet = "go_set" // go to next rule set
HTTPFirewallActionLog HTTPFirewallActionString = "log" // allow and log
HTTPFirewallActionBlock HTTPFirewallActionString = "block" // block
HTTPFirewallActionCaptcha HTTPFirewallActionString = "captcha" // block and show captcha
HTTPFirewallActionNotify HTTPFirewallActionString = "notify" // 告警
HTTPFirewallActionGet302 HTTPFirewallActionString = "get_302" // 针对GET的302重定向认证
HTTPFirewallActionPost307 HTTPFirewallActionString = "post_307" // 针对POST的307重定向认证
HTTPFirewallActionRecordIP HTTPFirewallActionString = "record_ip" // 记录IP
HTTPFirewallActionTag HTTPFirewallActionString = "tag" // 标签
HTTPFirewallActionAllow HTTPFirewallActionString = "allow" // allow
HTTPFirewallActionGoGroup HTTPFirewallActionString = "go_group" // go to next rule group
HTTPFirewallActionGoSet HTTPFirewallActionString = "go_set" // go to next rule set
)

48
pkg/serverconfigs/firewallconfigs/http_firewall_action_utils.go
View File

@@ -8,36 +8,76 @@ var AllActions = []*HTTPFirewallActionDefinition{
{
Name: "阻止",
Code: HTTPFirewallActionBlock,
Description: "阻止请求并中断当前连接。",
Category: HTTPFirewallActionCategoryBlock,
},
{
Name: "允许通过",
Code: HTTPFirewallActionAllow,
Description: "允许正常通过,不记录到日志。",
Category: HTTPFirewallActionCategoryAllow,
},
{
Name: "允许并记录日志",
Code: HTTPFirewallActionLog,
Description: "允许正常通过并记录到日志。",
Category: HTTPFirewallActionCategoryAllow,
},
{
Name: "Captcha验证码",
Code: HTTPFirewallActionCaptcha,
Description: "在浏览器使用验证码来验证客户端。",
Category: HTTPFirewallActionCategoryVerify,
},
{
Name: "告警",
Code: HTTPFirewallActionNotify,
Description: "发送消息通知。",
Category: HTTPFirewallActionCategoryVerify,
},
{
Name: "GET 302",
Code: HTTPFirewallActionGet302,
Description: "通过302重定向GET请求验证客户端。",
Category: HTTPFirewallActionCategoryVerify,
},
{
Name: "POST 307",
Code: HTTPFirewallActionPost307,
Description: "通过307重定向POST请求验证客户端。",
Category: HTTPFirewallActionCategoryVerify,
},
{
Name: "记录IP",
Code: HTTPFirewallActionRecordIP,
Description: "将此IP记录到某个IP名单中。",
Category: HTTPFirewallActionCategoryBlock,
},
{
Name: "标签",
Code: HTTPFirewallActionTag,
Description: "为匹配的请求打上标签。",
Category: HTTPFirewallActionCategoryAllow,
},
{
Name: "跳到下一个规则分组",
Code: HTTPFirewallActionGoGroup,
Type: reflect.TypeOf(new(HTTPFirewallGoGroupAction)).Elem(),
Category: HTTPFirewallActionCategoryVerify,
},
{
Name: "跳到下一个规则集",
Code: HTTPFirewallActionGoSet,
Type: reflect.TypeOf(new(HTTPFirewallGoSetAction)).Elem(),
Category: HTTPFirewallActionCategoryVerify,
},
}
func FindActionName(action HTTPFirewallActionString) string {
func FindActionDefinition(actionCode HTTPFirewallActionString) *HTTPFirewallActionDefinition {
for _, def := range AllActions {
if def.Code == action {
return def.Name
if def.Code == actionCode {
return def
}
}
return ""
return nil
}

17
pkg/serverconfigs/firewallconfigs/http_firewall_policy.go
View File

@@ -2,7 +2,7 @@ package firewallconfigs
import "encoding/json"
// 防火墙策略
// HTTPFirewallPolicy 防火墙策略
type HTTPFirewallPolicy struct {
Id int64 `yaml:"id" json:"id"`
IsOn bool `yaml:"isOn" json:"isOn"`
@@ -11,9 +11,10 @@ type HTTPFirewallPolicy struct {
Inbound *HTTPFirewallInboundConfig `yaml:"inbound" json:"inbound"`
Outbound *HTTPFirewallOutboundConfig `yaml:"outbound" json:"outbound"`
BlockOptions *HTTPFirewallBlockAction `yaml:"blockOptions" json:"blockOptions"`
}
// 初始化
// Init 初始化
func (this *HTTPFirewallPolicy) Init() error {
if this.Inbound != nil {
err := this.Inbound.Init()
@@ -31,7 +32,7 @@ func (this *HTTPFirewallPolicy) Init() error {
return nil
}
// 获取所有分组
// AllRuleGroups 获取所有分组
func (this *HTTPFirewallPolicy) AllRuleGroups() []*HTTPFirewallRuleGroup {
result := []*HTTPFirewallRuleGroup{}
if this.Inbound != nil {
@@ -43,7 +44,7 @@ func (this *HTTPFirewallPolicy) AllRuleGroups() []*HTTPFirewallRuleGroup {
return result
}
// 根据代号查找分组
// FindRuleGroupWithCode 根据代号查找分组
func (this *HTTPFirewallPolicy) FindRuleGroupWithCode(code string) *HTTPFirewallRuleGroup {
for _, g := range this.AllRuleGroups() {
if g.Code == code {
@@ -53,7 +54,7 @@ func (this *HTTPFirewallPolicy) FindRuleGroupWithCode(code string) *HTTPFirewall
return nil
}
// 根据ID查找分组
// FindRuleGroup 根据ID查找分组
func (this *HTTPFirewallPolicy) FindRuleGroup(groupId int64) *HTTPFirewallRuleGroup {
for _, g := range this.AllRuleGroups() {
if g.Id == groupId {
@@ -63,7 +64,7 @@ func (this *HTTPFirewallPolicy) FindRuleGroup(groupId int64) *HTTPFirewallRuleGr
return nil
}
// 删除某个分组
// RemoveRuleGroup 删除某个分组
func (this *HTTPFirewallPolicy) RemoveRuleGroup(groupId int64) {
if this.Inbound != nil {
this.Inbound.RemoveRuleGroup(groupId)
@@ -73,7 +74,7 @@ func (this *HTTPFirewallPolicy) RemoveRuleGroup(groupId int64) {
}
}
// Inbound JSON
// InboundJSON Inbound JSON
func (this *HTTPFirewallPolicy) InboundJSON() ([]byte, error) {
if this.Inbound == nil {
return []byte("null"), nil
@@ -86,7 +87,7 @@ func (this *HTTPFirewallPolicy) InboundJSON() ([]byte, error) {
return json.Marshal(this.Inbound)
}
// Outbound JSON
// OutboundJSON Outbound JSON
func (this *HTTPFirewallPolicy) OutboundJSON() ([]byte, error) {
if this.Inbound == nil {
return []byte("null"), nil

20
pkg/serverconfigs/firewallconfigs/http_firewall_rule_set.go
View File

@@ -2,7 +2,13 @@ package firewallconfigs
import "github.com/iwind/TeaGo/maps"
// 规则集定义
// HTTPFirewallActionConfig 单个动作配置
type HTTPFirewallActionConfig struct {
Code HTTPFirewallActionString `yaml:"code" json:"code"`
Options maps.Map `yaml:"options" json:"options"`
}
// HTTPFirewallRuleSet 规则集定义
type HTTPFirewallRuleSet struct {
Id int64 `yaml:"id" json:"id"`
IsOn bool `yaml:"isOn" json:"isOn"`
@@ -12,11 +18,14 @@ type HTTPFirewallRuleSet struct {
Connector string `yaml:"connector" json:"connector"`
RuleRefs []*HTTPFirewallRuleRef `yaml:"ruleRefs" json:"ruleRefs"`
Rules []*HTTPFirewallRule `yaml:"rules" json:"rules"`
Action string `yaml:"action" json:"action"`
ActionOptions maps.Map `yaml:"actionOptions" json:"actionOptions"`
Actions []*HTTPFirewallActionConfig `yaml:"actions" json:"actions"`
//Action string `yaml:"action" json:"action"` // deprecated, v0.2.5
//ActionOptions maps.Map `yaml:"actionOptions" json:"actionOptions"` // deprecated, v0.2.5
}
// 初始化
// Init 初始化
func (this *HTTPFirewallRuleSet) Init() error {
for _, rule := range this.Rules {
err := rule.Init()
@@ -24,10 +33,11 @@ func (this *HTTPFirewallRuleSet) Init() error {
return err
}
}
return nil
}
// 添加规则
// AddRule 添加规则
func (this *HTTPFirewallRuleSet) AddRule(rule *HTTPFirewallRule) {
this.Rules = append(this.Rules, rule)
}

90
pkg/serverconfigs/firewallconfigs/http_firewall_template.go
View File

@@ -27,7 +27,11 @@ func HTTPFirewallTemplate() *HTTPFirewallPolicy {
set.Name = "Javascript事件"
set.Code = "1001"
set.Connector = HTTPFirewallRuleConnectorOr
set.Action = HTTPFirewallActionBlock
set.Actions = []*HTTPFirewallActionConfig{
{
Code: HTTPFirewallActionBlock,
},
}
set.AddRule(&HTTPFirewallRule{
IsOn: true,
Param: "${requestURI}",
@@ -44,7 +48,11 @@ func HTTPFirewallTemplate() *HTTPFirewallPolicy {
set.Name = "Javascript函数"
set.Code = "1002"
set.Connector = HTTPFirewallRuleConnectorOr
set.Action = HTTPFirewallActionBlock
set.Actions = []*HTTPFirewallActionConfig{
{
Code: HTTPFirewallActionBlock,
},
}
set.AddRule(&HTTPFirewallRule{
IsOn: true,
Param: "${requestURI}",
@@ -61,7 +69,11 @@ func HTTPFirewallTemplate() *HTTPFirewallPolicy {
set.Name = "HTML标签"
set.Code = "1003"
set.Connector = HTTPFirewallRuleConnectorOr
set.Action = HTTPFirewallActionBlock
set.Actions = []*HTTPFirewallActionConfig{
{
Code: HTTPFirewallActionBlock,
},
}
set.AddRule(&HTTPFirewallRule{
IsOn: true,
Param: "${requestURI}",
@@ -89,7 +101,11 @@ func HTTPFirewallTemplate() *HTTPFirewallPolicy {
set.Name = "上传文件扩展名"
set.Code = "2001"
set.Connector = HTTPFirewallRuleConnectorOr
set.Action = HTTPFirewallActionBlock
set.Actions = []*HTTPFirewallActionConfig{
{
Code: HTTPFirewallActionBlock,
},
}
set.AddRule(&HTTPFirewallRule{
IsOn: true,
Param: "${requestUpload.ext}",
@@ -117,7 +133,11 @@ func HTTPFirewallTemplate() *HTTPFirewallPolicy {
set.Name = "Web Shell"
set.Code = "3001"
set.Connector = HTTPFirewallRuleConnectorOr
set.Action = HTTPFirewallActionBlock
set.Actions = []*HTTPFirewallActionConfig{
{
Code: HTTPFirewallActionBlock,
},
}
set.AddRule(&HTTPFirewallRule{
IsOn: true,
Param: "${requestAll}",
@@ -144,7 +164,11 @@ func HTTPFirewallTemplate() *HTTPFirewallPolicy {
set.Name = "命令注入"
set.Code = "4001"
set.Connector = HTTPFirewallRuleConnectorOr
set.Action = HTTPFirewallActionBlock
set.Actions = []*HTTPFirewallActionConfig{
{
Code: HTTPFirewallActionBlock,
},
}
set.AddRule(&HTTPFirewallRule{
IsOn: true,
Param: "${requestURI}",
@@ -179,7 +203,11 @@ func HTTPFirewallTemplate() *HTTPFirewallPolicy {
set.Name = "路径穿越"
set.Code = "5001"
set.Connector = HTTPFirewallRuleConnectorOr
set.Action = HTTPFirewallActionBlock
set.Actions = []*HTTPFirewallActionConfig{
{
Code: HTTPFirewallActionBlock,
},
}
set.AddRule(&HTTPFirewallRule{
IsOn: true,
Param: "${requestURI}",
@@ -207,7 +235,11 @@ func HTTPFirewallTemplate() *HTTPFirewallPolicy {
set.Name = "特殊目录"
set.Code = "6001"
set.Connector = HTTPFirewallRuleConnectorOr
set.Action = HTTPFirewallActionBlock
set.Actions = []*HTTPFirewallActionConfig{
{
Code: HTTPFirewallActionBlock,
},
}
set.AddRule(&HTTPFirewallRule{
IsOn: true,
Param: "${requestPath}",
@@ -235,7 +267,11 @@ func HTTPFirewallTemplate() *HTTPFirewallPolicy {
set.Name = "Union SQL Injection"
set.Code = "7001"
set.Connector = HTTPFirewallRuleConnectorOr
set.Action = HTTPFirewallActionBlock
set.Actions = []*HTTPFirewallActionConfig{
{
Code: HTTPFirewallActionBlock,
},
}
set.AddRule(&HTTPFirewallRule{
IsOn: true,
@@ -254,7 +290,11 @@ func HTTPFirewallTemplate() *HTTPFirewallPolicy {
set.Name = "SQL注释"
set.Code = "7002"
set.Connector = HTTPFirewallRuleConnectorOr
set.Action = HTTPFirewallActionBlock
set.Actions = []*HTTPFirewallActionConfig{
{
Code: HTTPFirewallActionBlock,
},
}
set.AddRule(&HTTPFirewallRule{
IsOn: true,
@@ -273,7 +313,11 @@ func HTTPFirewallTemplate() *HTTPFirewallPolicy {
set.Name = "SQL条件"
set.Code = "7003"
set.Connector = HTTPFirewallRuleConnectorOr
set.Action = HTTPFirewallActionBlock
set.Actions = []*HTTPFirewallActionConfig{
{
Code: HTTPFirewallActionBlock,
},
}
set.AddRule(&HTTPFirewallRule{
IsOn: true,
@@ -313,7 +357,11 @@ func HTTPFirewallTemplate() *HTTPFirewallPolicy {
set.Name = "SQL函数"
set.Code = "7004"
set.Connector = HTTPFirewallRuleConnectorOr
set.Action = HTTPFirewallActionBlock
set.Actions = []*HTTPFirewallActionConfig{
{
Code: HTTPFirewallActionBlock,
},
}
set.AddRule(&HTTPFirewallRule{
IsOn: true,
@@ -332,7 +380,11 @@ func HTTPFirewallTemplate() *HTTPFirewallPolicy {
set.Name = "SQL附加语句"
set.Code = "7005"
set.Connector = HTTPFirewallRuleConnectorOr
set.Action = HTTPFirewallActionBlock
set.Actions = []*HTTPFirewallActionConfig{
{
Code: HTTPFirewallActionBlock,
},
}
set.AddRule(&HTTPFirewallRule{
IsOn: true,
@@ -362,7 +414,11 @@ func HTTPFirewallTemplate() *HTTPFirewallPolicy {
set.Name = "常见网络爬虫"
set.Code = "20001"
set.Connector = HTTPFirewallRuleConnectorOr
set.Action = HTTPFirewallActionBlock
set.Actions = []*HTTPFirewallActionConfig{
{
Code: HTTPFirewallActionBlock,
},
}
set.AddRule(&HTTPFirewallRule{
IsOn: true,
@@ -393,7 +449,11 @@ func HTTPFirewallTemplate() *HTTPFirewallPolicy {
set.Description = "限制单IP在一定时间内的请求数"
set.Code = "8001"
set.Connector = HTTPFirewallRuleConnectorAnd
set.Action = HTTPFirewallActionBlock
set.Actions = []*HTTPFirewallActionConfig{
{
Code: HTTPFirewallActionBlock,
},
}
set.AddRule(&HTTPFirewallRule{
IsOn: true,
Param: "${cc.requests}",

4
pkg/serverconfigs/shared/request_variables.go
View File

@@ -8,8 +8,8 @@ import "github.com/iwind/TeaGo/maps"
func DefaultRequestVariables() []maps.Map {
return []maps.Map{
{"code": "${edgeVersion}", "name": "边缘节点版本", "description": ""},
{"code": "${remoteAddr}", "name": "客户端地址IP", "description": "会依次根据X-Forwarded-For、X-Real-IP、RemoteAddr获取"},
{"code": "${rawRemoteAddr}", "name": "客户端地址IP", "description": "返回直接连接服务的客户端原始IP地址从v0.1.3版本加入"},
{"code": "${remoteAddr}", "name": "客户端地址IP", "description": "会依次根据X-Forwarded-For、X-Real-IP、RemoteAddr获取,适合前端有别的反向代理服务时使用,存在伪造的风险"},
{"code": "${rawRemoteAddr}", "name": "客户端地址IP", "description": "返回直接连接服务的客户端原始IP地址"},
{"code": "${remotePort}", "name": "客户端端口", "description": ""},
{"code": "${remoteUser}", "name": "客户端用户名", "description": ""},
{"code": "${requestURI}", "name": "请求URI", "description": ""},