From e12a379f4d696b10448c4db869fbfc96dc54fe15 Mon Sep 17 00:00:00 2001
From: GoEdgeLab
Date: Sat, 9 Dec 2023 18:15:27 +0800
Subject: [PATCH] =?UTF-8?q?=E4=BC=98=E5=8C=96WAF=E8=A7=84=E5=88=99?= =?UTF-8?q?=E6=A8=A1=E6=9D=BF?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 .../firewallconfigs/http_firewall_template.go | 90 +++++-------------
 1 file changed, 20 insertions(+), 70 deletions(-)
diff --git a/pkg/serverconfigs/firewallconfigs/http_firewall_template.go b/pkg/serverconfigs/firewallconfigs/http_firewall_template.go
index ed4c51c..d8629ba 100644
--- a/pkg/serverconfigs/firewallconfigs/http_firewall_template.go
+++ b/pkg/serverconfigs/firewallconfigs/http_firewall_template.go
@@ -204,14 +204,15 @@ func HTTPFirewallTemplate() *HTTPFirewallPolicy {
 set.Connector = HTTPFirewallRuleConnectorOr
 set.Actions = []*HTTPFirewallActionConfig{
 {
- Code: HTTPFirewallActionBlock,
+ Code: HTTPFirewallActionPage,
+ Options: maps.Map{"status": 403, "body": ""},
 },
 }
 set.AddRule(&HTTPFirewallRule{
 IsOn: true,
 Param: "${requestPath}",
- Operator: HTTPFirewallRuleOperatorMatch,
- Value: `/\.(git|svn|htaccess|idea|env)\b`, // TODO more keywords here
+ Operator: HTTPFirewallRuleOperatorContainsAnyWord,
+ Value: "/.git\n/.svn\n/.htaccess\n/.idea\n/.env\n/.vscode",
 IsCaseInsensitive: true,
 })
 group.AddRuleSet(set)
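Review bot: The switch from the `\b`-anchored regex to `HTTPFirewallRuleOperatorContainsAnyWord` on the `${requestPath}` rule leaves the matching semantics undocumented in the file: whether that operator honours word boundaries decides whether a path such as `/.github/` or `/.gitignore` is also denied, and whether `/.envrc`, which the old regex stopped short of, now is. I would add a comment on the `Value` line recording the intent, e.g. `// one entry per line; whether entries match as whole words or plain substrings is defined by ContainsAnyWord — keep in sync with the operator`, and the same operator switch recurs at @@ -273, @@ -296 and @@ -337. Separately, the action literal `Code: HTTPFirewallActionPage, Options: maps.Map{"status": 403, "body": ""}` is hand-copied here and at @@ -273, @@ -296 and @@ -353 (the `maps` import must already exist in the file, since the diffstat accounts for all 20 insertions in these hunks); a small helper keeps the four identical and gives the choice of an empty 403 body one place to be explained. `HTTPFirewallTemplate` starts and ends outside this hunk.
```go
// forbiddenPageAction is the shared "respond 403 with an empty body" action
// used by the template's deny rule sets, so status and body stay consistent.
func forbiddenPageAction() *HTTPFirewallActionConfig {
	return &HTTPFirewallActionConfig{
		Code:    HTTPFirewallActionPage,
		Options: maps.Map{"status": 403, "body": ""},
	}
}

// … inside HTTPFirewallTemplate, at each of the four rule sets …
set.Actions = []*HTTPFirewallActionConfig{forbiddenPageAction()}
```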
@@ -273,15 +274,16 @@ func HTTPFirewallTemplate() *HTTPFirewallPolicy {
 set.Connector = HTTPFirewallRuleConnectorOr
 set.Actions = []*HTTPFirewallActionConfig{
 {
- Code: HTTPFirewallActionBlock,
+ Code: HTTPFirewallActionPage,
+ Options: maps.Map{"status": 403, "body": ""},
 },
 }
 set.AddRule(&HTTPFirewallRule{
 IsOn: true,
 Param: "${userAgent}",
- Operator: HTTPFirewallRuleOperatorMatch,
- Value: `360spider|adldxbot|adsbot-google|applebot|admantx|alexa|baidu|bingbot|bingpreview|facebookexternalhit|googlebot|proximic|slurp|sogou|twitterbot|yandex|spider`,
+ Operator: HTTPFirewallRuleOperatorContainsAnyWord,
+ Value: "360spider\nadldxbot\nadsbot-google\napplebot\nadmantx\nalexa\nbaidu\nbingbot\nbingpreview\nfacebookexternalhit\ngooglebot\nproximic\nslurp\nsogou\ntwitterbot\nyandex\nspider",
 IsCaseInsensitive: true,
 })
@@ -296,22 +298,23 @@ func HTTPFirewallTemplate() *HTTPFirewallPolicy {
 set.Connector = HTTPFirewallRuleConnectorAnd
 set.Actions = []*HTTPFirewallActionConfig{
 {
- Code: HTTPFirewallActionBlock,
+ Code: HTTPFirewallActionPage,
+ Options: maps.Map{"status": 403, "body": ""},
 },
 }
 set.AddRule(&HTTPFirewallRule{
 IsOn: true,
 Param: "${userAgent}",
- Operator: HTTPFirewallRuleOperatorMatch,
- Value: `python|pycurl|http-client|httpclient|apachebench|nethttp|http_request|java|perl|ruby|scrapy|php\b|rust`,
+ Operator: HTTPFirewallRuleOperatorContainsAnyWord,
+ Value: "python\npycurl\nhttp-client\nhttpclient\napachebench\nnethttp\nhttp_request\njava\nperl\nruby\nscrapy\nphp\nrust",
 IsCaseInsensitive: true,
 })
 set.AddRule(&HTTPFirewallRule{
 IsOn: true,
 Param: "${userAgent}",
- Operator: HTTPFirewallRuleOperatorNotMatch,
- Value: `goedge`,
+ Operator: HTTPFirewallRuleOperatorNotContainsAnyWord,
+ Value: "goedge",
 IsCaseInsensitive: true,
 Description: "User-Agent白名单",
 })
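Review bot: The new `Value` on the `${userAgent}` rule packs seventeen entries into a single `\n`-joined interpreted string, which hides additions and removals inside one diff line and makes a dropped `\n` easy to miss (two entries would presumably fuse into one token that never matches); the same shape is used at @@ -296. Writing the list as a raw string literal with one entry per line at column 0, or as `strings.Join([]string{"360spider", "adldxbot", /* … */}, "\n")` if `strings` is already imported here, keeps every entry on its own line for review. `HTTPFirewallTemplate` starts and ends outside this hunk.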
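Review bot: The rewritten `NotContainsAnyWord` rule keeps exempting from this `And`-connected set any request whose User-Agent contains `goedge`, and that header is set by the client, yet `Description: "User-Agent白名单"` gives no hint that this is a convenience exemption rather than a trust boundary. I would say so next to the rule, e.g. `// exemption keyed on a client-supplied header: presumably for the product's own checks — confirm; it is not a trust boundary, source-based exemptions belong in IgnoreLocal/IP rules`. In the preceding rule the old `php\b` became a plain `php` entry, so whether `php` still requires a trailing boundary now rests entirely on how ContainsAnyWord tokenises, which deserves a word in the same comment. `HTTPFirewallTemplate` starts and ends outside this hunk.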
@@ -337,8 +340,8 @@ func HTTPFirewallTemplate() *HTTPFirewallPolicy {
 set.AddRule(&HTTPFirewallRule{
 IsOn: true,
 Param: "${userAgent}",
- Operator: HTTPFirewallRuleOperatorMatch,
- Value: `wget|curl`,
+ Operator: HTTPFirewallRuleOperatorContainsAnyWord,
+ Value: "wget\ncurl",
 IsCaseInsensitive: true,
 })
@@ -353,7 +356,8 @@ func HTTPFirewallTemplate() *HTTPFirewallPolicy {
 set.Connector = HTTPFirewallRuleConnectorOr
 set.Actions = []*HTTPFirewallActionConfig{
 {
- Code: HTTPFirewallActionBlock,
+ Code: HTTPFirewallActionPage,
+ Options: maps.Map{"status": 403, "body": ""},
 },
 }
@@ -396,6 +400,7 @@ func HTTPFirewallTemplate() *HTTPFirewallPolicy {
 },
 },
 }
+ set.IgnoreLocal = true
 set.AddRule(&HTTPFirewallRule{
 IsOn: true,
 Param: "${cc2}",
@@ -409,34 +414,6 @@ func HTTPFirewallTemplate() *HTTPFirewallPolicy {
 },
 IsCaseInsensitive: false,
 })
- set.AddRule(&HTTPFirewallRule{
- IsOn: true,
- Param: "${remoteAddr}",
- Operator: HTTPFirewallRuleOperatorNotIPRange,
- Value: `127.0.0.1/8`,
- IsCaseInsensitive: false,
- })
- set.AddRule(&HTTPFirewallRule{
- IsOn: true,
- Param: "${remoteAddr}",
- Operator: HTTPFirewallRuleOperatorNotIPRange,
- Value: `192.168.0.1/16`,
- IsCaseInsensitive: false,
- })
- set.AddRule(&HTTPFirewallRule{
- IsOn: true,
- Param: "${remoteAddr}",
- Operator: HTTPFirewallRuleOperatorNotIPRange,
- Value: `10.0.0.1/8`,
- IsCaseInsensitive: false,
- })
- set.AddRule(&HTTPFirewallRule{
- IsOn: true,
- Param: "${remoteAddr}",
- Operator: HTTPFirewallRuleOperatorNotIPRange,
- Value: `172.16.0.1/12`,
- IsCaseInsensitive: false,
- })
 group.AddRuleSet(set)
 }
@@ -447,6 +424,7 @@ func HTTPFirewallTemplate() *HTTPFirewallPolicy {
 set.Description = "限制单IP在一定时间内的总体请求数"
 set.Code = "8002"
 set.Connector = HTTPFirewallRuleConnectorAnd
+ set.IgnoreLocal = true
 set.Actions = []*HTTPFirewallActionConfig{
 {
 Code: HTTPFirewallActionBlock,
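Review bot: `set.IgnoreLocal = true` at @@ -396 stands in for the four `${remoteAddr}` `NotIPRange` rules the commit deletes at @@ -409 (and likewise at @@ -447 / @@ -468 for the next set), but nothing in the hunk records which ranges the flag covers or which address it inspects; the removed rules exempted only `127.0.0.1/8`, `192.168.0.1/16`, `10.0.0.1/8` and `172.16.0.1/12`, so if `IgnoreLocal` also skips IPv6 loopback, ULA or link-local sources, or is evaluated on a proxy-forwarded client address rather than the connection peer, the rate-limit exemption has widened with no trace in this file. A comment at the assignment would pin that down, e.g. `// IgnoreLocal replaces the explicit 127.0.0.1/8, 192.168.0.1/16, 10.0.0.1/8 and 172.16.0.1/12 NotIPRange rules — confirm it matches the connection peer address and whether IPv6 local ranges are included`. The same line is placed before `set.Actions` at @@ -447 but after the `Actions` literal at @@ -396; setting it next to `set.Connector` in both keeps the two rate-limit sets parallel. `HTTPFirewallTemplate` starts and ends outside these hunks.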
@@ -468,34 +446,6 @@ func HTTPFirewallTemplate() *HTTPFirewallPolicy {
 },
 IsCaseInsensitive: false,
 })
- set.AddRule(&HTTPFirewallRule{
- IsOn: true,
- Param: "${remoteAddr}",
- Operator: HTTPFirewallRuleOperatorNotIPRange,
- Value: `127.0.0.1/8`,
- IsCaseInsensitive: false,
- })
- set.AddRule(&HTTPFirewallRule{
- IsOn: true,
- Param: "${remoteAddr}",
- Operator: HTTPFirewallRuleOperatorNotIPRange,
- Value: `192.168.0.1/16`,
- IsCaseInsensitive: false,
- })
- set.AddRule(&HTTPFirewallRule{
- IsOn: true,
- Param: "${remoteAddr}",
- Operator: HTTPFirewallRuleOperatorNotIPRange,
- Value: `10.0.0.1/8`,
- IsCaseInsensitive: false,
- })
- set.AddRule(&HTTPFirewallRule{
- IsOn: true,
- Param: "${remoteAddr}",
- Operator: HTTPFirewallRuleOperatorNotIPRange,
- Value: `172.16.0.1/12`,
- IsCaseInsensitive: false,
- })
 group.AddRuleSet(set)
 }