优化WAF规则模板
@@ -204,14 +204,15 @@ func HTTPFirewallTemplate() *HTTPFirewallPolicy {
|
|||||||
set.Connector = HTTPFirewallRuleConnectorOr
|
set.Connector = HTTPFirewallRuleConnectorOr
|
||||||
set.Actions = []*HTTPFirewallActionConfig{
|
set.Actions = []*HTTPFirewallActionConfig{
|
||||||
{
|
{
|
||||||
Code: HTTPFirewallActionBlock,
|
Code: HTTPFirewallActionPage,
|
||||||
|
Options: maps.Map{"status": 403, "body": ""},
|
||||||
},
|
},
|
||||||
}
|
}
|
||||||
set.AddRule(&HTTPFirewallRule{
|
set.AddRule(&HTTPFirewallRule{
|
||||||
IsOn: true,
|
IsOn: true,
|
||||||
Param: "${requestPath}",
|
Param: "${requestPath}",
|
||||||
Operator: HTTPFirewallRuleOperatorMatch,
|
Operator: HTTPFirewallRuleOperatorContainsAnyWord,
|
||||||
Value: `/\.(git|svn|htaccess|idea|env)\b`, // TODO more keywords here
|
Value: "/.git\n/.svn\n/.htaccess\n/.idea\n/.env\n/.vscode",
|
||||||
IsCaseInsensitive: true,
|
IsCaseInsensitive: true,
|
||||||
})
|
})
|
||||||
group.AddRuleSet(set)
|
group.AddRuleSet(set)
|
||||||
@@ -273,15 +274,16 @@ func HTTPFirewallTemplate() *HTTPFirewallPolicy {
|
|||||||
set.Connector = HTTPFirewallRuleConnectorOr
|
set.Connector = HTTPFirewallRuleConnectorOr
|
||||||
set.Actions = []*HTTPFirewallActionConfig{
|
set.Actions = []*HTTPFirewallActionConfig{
|
||||||
{
|
{
|
||||||
Code: HTTPFirewallActionBlock,
|
Code: HTTPFirewallActionPage,
|
||||||
|
Options: maps.Map{"status": 403, "body": ""},
|
||||||
},
|
},
|
||||||
}
|
}
|
||||||
|
|
||||||
set.AddRule(&HTTPFirewallRule{
|
set.AddRule(&HTTPFirewallRule{
|
||||||
IsOn: true,
|
IsOn: true,
|
||||||
Param: "${userAgent}",
|
Param: "${userAgent}",
|
||||||
Operator: HTTPFirewallRuleOperatorMatch,
|
Operator: HTTPFirewallRuleOperatorContainsAnyWord,
|
||||||
Value: `360spider|adldxbot|adsbot-google|applebot|admantx|alexa|baidu|bingbot|bingpreview|facebookexternalhit|googlebot|proximic|slurp|sogou|twitterbot|yandex|spider`,
|
Value: "360spider\nadldxbot\nadsbot-google\napplebot\nadmantx\nalexa\nbaidu\nbingbot\nbingpreview\nfacebookexternalhit\ngooglebot\nproximic\nslurp\nsogou\ntwitterbot\nyandex\nspider",
|
||||||
IsCaseInsensitive: true,
|
IsCaseInsensitive: true,
|
||||||
})
|
})
|
||||||
|
|
||||||
@@ -296,22 +298,23 @@ func HTTPFirewallTemplate() *HTTPFirewallPolicy {
|
|||||||
set.Connector = HTTPFirewallRuleConnectorAnd
|
set.Connector = HTTPFirewallRuleConnectorAnd
|
||||||
set.Actions = []*HTTPFirewallActionConfig{
|
set.Actions = []*HTTPFirewallActionConfig{
|
||||||
{
|
{
|
||||||
Code: HTTPFirewallActionBlock,
|
Code: HTTPFirewallActionPage,
|
||||||
|
Options: maps.Map{"status": 403, "body": ""},
|
||||||
},
|
},
|
||||||
}
|
}
|
||||||
|
|
||||||
set.AddRule(&HTTPFirewallRule{
|
set.AddRule(&HTTPFirewallRule{
|
||||||
IsOn: true,
|
IsOn: true,
|
||||||
Param: "${userAgent}",
|
Param: "${userAgent}",
|
||||||
Operator: HTTPFirewallRuleOperatorMatch,
|
Operator: HTTPFirewallRuleOperatorContainsAnyWord,
|
||||||
Value: `python|pycurl|http-client|httpclient|apachebench|nethttp|http_request|java|perl|ruby|scrapy|php\b|rust`,
|
Value: "python\npycurl\nhttp-client\nhttpclient\napachebench\nnethttp\nhttp_request\njava\nperl\nruby\nscrapy\nphp\nrust",
|
||||||
IsCaseInsensitive: true,
|
IsCaseInsensitive: true,
|
||||||
})
|
})
|
||||||
set.AddRule(&HTTPFirewallRule{
|
set.AddRule(&HTTPFirewallRule{
|
||||||
IsOn: true,
|
IsOn: true,
|
||||||
Param: "${userAgent}",
|
Param: "${userAgent}",
|
||||||
Operator: HTTPFirewallRuleOperatorNotMatch,
|
Operator: HTTPFirewallRuleOperatorNotContainsAnyWord,
|
||||||
Value: `goedge`,
|
Value: "goedge",
|
||||||
IsCaseInsensitive: true,
|
IsCaseInsensitive: true,
|
||||||
Description: "User-Agent白名单",
|
Description: "User-Agent白名单",
|
||||||
})
|
})
|
||||||
@@ -337,8 +340,8 @@ func HTTPFirewallTemplate() *HTTPFirewallPolicy {
|
|||||||
set.AddRule(&HTTPFirewallRule{
|
set.AddRule(&HTTPFirewallRule{
|
||||||
IsOn: true,
|
IsOn: true,
|
||||||
Param: "${userAgent}",
|
Param: "${userAgent}",
|
||||||
Operator: HTTPFirewallRuleOperatorMatch,
|
Operator: HTTPFirewallRuleOperatorContainsAnyWord,
|
||||||
Value: `wget|curl`,
|
Value: "wget\ncurl",
|
||||||
IsCaseInsensitive: true,
|
IsCaseInsensitive: true,
|
||||||
})
|
})
|
||||||
|
|
||||||
@@ -353,7 +356,8 @@ func HTTPFirewallTemplate() *HTTPFirewallPolicy {
|
|||||||
set.Connector = HTTPFirewallRuleConnectorOr
|
set.Connector = HTTPFirewallRuleConnectorOr
|
||||||
set.Actions = []*HTTPFirewallActionConfig{
|
set.Actions = []*HTTPFirewallActionConfig{
|
||||||
{
|
{
|
||||||
Code: HTTPFirewallActionBlock,
|
Code: HTTPFirewallActionPage,
|
||||||
|
Options: maps.Map{"status": 403, "body": ""},
|
||||||
},
|
},
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -396,6 +400,7 @@ func HTTPFirewallTemplate() *HTTPFirewallPolicy {
|
|||||||
},
|
},
|
||||||
},
|
},
|
||||||
}
|
}
|
||||||
|
set.IgnoreLocal = true
|
||||||
set.AddRule(&HTTPFirewallRule{
|
set.AddRule(&HTTPFirewallRule{
|
||||||
IsOn: true,
|
IsOn: true,
|
||||||
Param: "${cc2}",
|
Param: "${cc2}",
|
||||||
@@ -409,34 +414,6 @@ func HTTPFirewallTemplate() *HTTPFirewallPolicy {
|
|||||||
},
|
},
|
||||||
IsCaseInsensitive: false,
|
IsCaseInsensitive: false,
|
||||||
})
|
})
|
||||||
set.AddRule(&HTTPFirewallRule{
|
|
||||||
IsOn: true,
|
|
||||||
Param: "${remoteAddr}",
|
|
||||||
Operator: HTTPFirewallRuleOperatorNotIPRange,
|
|
||||||
Value: `127.0.0.1/8`,
|
|
||||||
IsCaseInsensitive: false,
|
|
||||||
})
|
|
||||||
set.AddRule(&HTTPFirewallRule{
|
|
||||||
IsOn: true,
|
|
||||||
Param: "${remoteAddr}",
|
|
||||||
Operator: HTTPFirewallRuleOperatorNotIPRange,
|
|
||||||
Value: `192.168.0.1/16`,
|
|
||||||
IsCaseInsensitive: false,
|
|
||||||
})
|
|
||||||
set.AddRule(&HTTPFirewallRule{
|
|
||||||
IsOn: true,
|
|
||||||
Param: "${remoteAddr}",
|
|
||||||
Operator: HTTPFirewallRuleOperatorNotIPRange,
|
|
||||||
Value: `10.0.0.1/8`,
|
|
||||||
IsCaseInsensitive: false,
|
|
||||||
})
|
|
||||||
set.AddRule(&HTTPFirewallRule{
|
|
||||||
IsOn: true,
|
|
||||||
Param: "${remoteAddr}",
|
|
||||||
Operator: HTTPFirewallRuleOperatorNotIPRange,
|
|
||||||
Value: `172.16.0.1/12`,
|
|
||||||
IsCaseInsensitive: false,
|
|
||||||
})
|
|
||||||
|
|
||||||
group.AddRuleSet(set)
|
group.AddRuleSet(set)
|
||||||
}
|
}
|
||||||
@@ -447,6 +424,7 @@ func HTTPFirewallTemplate() *HTTPFirewallPolicy {
|
|||||||
set.Description = "限制单IP在一定时间内的总体请求数"
|
set.Description = "限制单IP在一定时间内的总体请求数"
|
||||||
set.Code = "8002"
|
set.Code = "8002"
|
||||||
set.Connector = HTTPFirewallRuleConnectorAnd
|
set.Connector = HTTPFirewallRuleConnectorAnd
|
||||||
|
set.IgnoreLocal = true
|
||||||
set.Actions = []*HTTPFirewallActionConfig{
|
set.Actions = []*HTTPFirewallActionConfig{
|
||||||
{
|
{
|
||||||
Code: HTTPFirewallActionBlock,
|
Code: HTTPFirewallActionBlock,
|
||||||
@@ -468,34 +446,6 @@ func HTTPFirewallTemplate() *HTTPFirewallPolicy {
|
|||||||
},
|
},
|
||||||
IsCaseInsensitive: false,
|
IsCaseInsensitive: false,
|
||||||
})
|
})
|
||||||
set.AddRule(&HTTPFirewallRule{
|
|
||||||
IsOn: true,
|
|
||||||
Param: "${remoteAddr}",
|
|
||||||
Operator: HTTPFirewallRuleOperatorNotIPRange,
|
|
||||||
Value: `127.0.0.1/8`,
|
|
||||||
IsCaseInsensitive: false,
|
|
||||||
})
|
|
||||||
set.AddRule(&HTTPFirewallRule{
|
|
||||||
IsOn: true,
|
|
||||||
Param: "${remoteAddr}",
|
|
||||||
Operator: HTTPFirewallRuleOperatorNotIPRange,
|
|
||||||
Value: `192.168.0.1/16`,
|
|
||||||
IsCaseInsensitive: false,
|
|
||||||
})
|
|
||||||
set.AddRule(&HTTPFirewallRule{
|
|
||||||
IsOn: true,
|
|
||||||
Param: "${remoteAddr}",
|
|
||||||
Operator: HTTPFirewallRuleOperatorNotIPRange,
|
|
||||||
Value: `10.0.0.1/8`,
|
|
||||||
IsCaseInsensitive: false,
|
|
||||||
})
|
|
||||||
set.AddRule(&HTTPFirewallRule{
|
|
||||||
IsOn: true,
|
|
||||||
Param: "${remoteAddr}",
|
|
||||||
Operator: HTTPFirewallRuleOperatorNotIPRange,
|
|
||||||
Value: `172.16.0.1/12`,
|
|
||||||
IsCaseInsensitive: false,
|
|
||||||
})
|
|
||||||
|
|
||||||
group.AddRuleSet(set)
|
group.AddRuleSet(set)
|
||||||
}
|
}
|
||||||
|
|||||||
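Review bot: The new sensitive-path keyword list in the first hunk (the `Value: "/.git\n/.svn\n/.htaccess\n/.idea\n/.env\n/.vscode"` line) drops the old `// TODO more keywords here` marker without closing the gap it pointed at, so the obvious companions of the entries already there are still unmatched; I would extend it to `Value: "/.git\n/.svn\n/.htaccess\n/.htpasswd\n/.idea\n/.env\n/.vscode\n/.ssh\n/.hg\n/.DS_Store",` and keep a short comment saying the list is a substring match on the request path. Switching from the `\b`-terminated regex to ContainsAnyWord also widens the match (for example `/.gitbook` now trips the rule), which is an acceptable false positive for a 403 page but worth noting in the rule's description. How well any of these rules hold up depends on whether `${requestPath}` is percent-decoded and dot-segment-normalized before rule evaluation, which is not visible in this template; if it is the raw path, `%2Eenv` or `/./.env` style variants bypass a plain substring check and that caveat belongs next to the rule. HTTPFirewallTemplate begins and ends outside the hunk.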