实现基础的DDoS防护

2025-11-07 23:30:25 +08:00 · 2022-05-18 21:02:58 +08:00
parent de09d8f2b9
commit eb559b930e
15 changed files with 2290 additions and 1294 deletions
--- a/pkg/messageconfigs/messages.go
+++ b/pkg/messageconfigs/messages.go
@@ -11,6 +11,7 @@ const (
 	MessageCodeCleanCache          MessageCode = "cleanCache"          // 清理缓存
 	MessageCodePreheatCache        MessageCode = "preheatCache"        // 预热缓存
 	MessageCodeCheckSystemdService MessageCode = "checkSystemdService" // 检查Systemd服务
 	MessageCodeCheckLocalFirewall  MessageCode = "checkLocalFirewall"  // 检查本地防火墙
 	MessageCodeNewNodeTask         MessageCode = "newNodeTask"         // 有新的节点任务产生
 	MessageCodeChangeAPINode       MessageCode = "changeAPINode"       // 改变新的API节点
 )
@@ -69,6 +70,11 @@ type PreheatCacheMessage struct {
 type CheckSystemdServiceMessage struct {
 }
 // CheckLocalFirewallMessage 检查本地防火墙
 type CheckLocalFirewallMessage struct {
 	Name string `json:"name"`
 }
 // NewNodeTaskMessage 有新的节点任务
 type NewNodeTaskMessage struct {
 }
--- a/pkg/nodeconfigs/defaults.go
+++ b/pkg/nodeconfigs/defaults.go
@@ -2,7 +2,10 @@
 package nodeconfigs
 import "github.com/iwind/TeaGo/maps"
 // 一组系统默认值
 // 修改单个IP相关限制值时要考虑到NAT中每个IP会代表很多个主机，并非1对1的关系
 const (
 	DefaultMaxThreads    = 20000   // 单节点最大线程数
@@ -10,6 +13,18 @@ const (
 	DefaultMaxThreadsMax = 100_000 // 单节点最大线程数最大值
 	DefaultTCPMaxConnections        = 100_000 // 单节点TCP最大连接数
 	DefaultTCPMaxConnectionsPerIP   = 1000    // 单IP最大连接数
 	DefaultTCPMinConnectionsPerIP   = 5       // 单IP最小连接数
 	DefaultTCPNewConnectionsRate    = 500     // 单IP连接速率限制（按分钟）
 	DefaultTCPNewConnectionsMinRate = 5       // 单IP最小连接速率
 	DefaultTCPLinger                = 3       // 单节点TCP Linger值
 	DefaultTLSHandshakeTimeout      = 3       // TLS握手超时时间
 )
 var DefaultConfigs = maps.Map{
 	"tcpMaxConnections":        DefaultTCPMaxConnections,
 	"tcpMaxConnectionsPerIP":   DefaultTCPMaxConnectionsPerIP,
 	"tcpMinConnectionsPerIP":   DefaultTCPMinConnectionsPerIP,
 	"tcpNewConnectionsRate":    DefaultTCPNewConnectionsRate,
 	"tcpNewConnectionsMinRate": DefaultTCPNewConnectionsMinRate,
 }
--- a/pkg/nodeconfigs/node_config.go
+++ b/pkg/nodeconfigs/node_config.go
@@ -6,6 +6,7 @@ import (
 	"errors"
 	"fmt"
 	"github.com/TeaOSLab/EdgeCommon/pkg/serverconfigs"
 	"github.com/TeaOSLab/EdgeCommon/pkg/serverconfigs/ddosconfigs"
 	"github.com/TeaOSLab/EdgeCommon/pkg/serverconfigs/firewallconfigs"
 	"github.com/TeaOSLab/EdgeCommon/pkg/serverconfigs/shared"
 	"github.com/iwind/TeaGo/Tea"
@@ -45,8 +46,8 @@ type NodeConfig struct {
 	CacheDiskDir           string                        `yaml:"cacheDiskDir" json:"cacheDiskDir"`                     // 文件缓存目录
 	MaxCacheDiskCapacity   *shared.SizeCapacity          `yaml:"maxCacheDiskCapacity" json:"maxCacheDiskCapacity"`     // 文件缓存容量
 	MaxCacheMemoryCapacity *shared.SizeCapacity          `yaml:"maxCacheMemoryCapacity" json:"maxCacheMemoryCapacity"` // 内容缓存容量
-	MaxThreads             int                  `yaml:"maxThreads" json:"maxThreads"`
+	MaxThreads             int                           `yaml:"maxThreads" json:"maxThreads"`                         // 最大线程数
-	TCPMaxConnections      int                  `yaml:"tcpMaxConnections" json:"tcpMaxConnections"`
+	DDOSProtection         *ddosconfigs.ProtectionConfig `yaml:"ddosProtection" json:"ddosProtection"`
 	// 级别
 	Level       int32                         `yaml:"level" json:"level"`
--- a/pkg/rpc/pb/model_node_cluster.pb.go
+++ b/pkg/rpc/pb/model_node_cluster.pb.go
@@ -44,7 +44,6 @@ type NodeCluster struct {
 	IsOn                 bool   `protobuf:"varint,12,opt,name=isOn,proto3" json:"isOn,omitempty"`
 	TimeZone             string `protobuf:"bytes,13,opt,name=timeZone,proto3" json:"timeZone,omitempty"`
 	NodeMaxThreads       int32  `protobuf:"varint,14,opt,name=nodeMaxThreads,proto3" json:"nodeMaxThreads,omitempty"`
 	NodeTCPMaxConnections int32  `protobuf:"varint,15,opt,name=nodeTCPMaxConnections,proto3" json:"nodeTCPMaxConnections,omitempty"`
 	AutoOpenPorts        bool   `protobuf:"varint,16,opt,name=autoOpenPorts,proto3" json:"autoOpenPorts,omitempty"`
 	IsPinned             bool   `protobuf:"varint,17,opt,name=isPinned,proto3" json:"isPinned,omitempty"`
 }
@@ -179,13 +178,6 @@ func (x *NodeCluster) GetNodeMaxThreads() int32 {
 	return 0
 }
 func (x *NodeCluster) GetNodeTCPMaxConnections() int32 {
 	if x != nil {
 		return x.NodeTCPMaxConnections
 	}
 	return 0
 }
 func (x *NodeCluster) GetAutoOpenPorts() bool {
 	if x != nil {
 		return x.AutoOpenPorts
@@ -205,7 +197,7 @@ var File_models_model_node_cluster_proto protoreflect.FileDescriptor
 var file_models_model_node_cluster_proto_rawDesc = []byte{
 	0x0a, 0x1f, 0x6d, 0x6f, 0x64, 0x65, 0x6c, 0x73, 0x2f, 0x6d, 0x6f, 0x64, 0x65, 0x6c, 0x5f, 0x6e,
 	0x6f, 0x64, 0x65, 0x5f, 0x63, 0x6c, 0x75, 0x73, 0x74, 0x65, 0x72, 0x2e, 0x70, 0x72, 0x6f, 0x74,
-	0x6f, 0x12, 0x02, 0x70, 0x62, 0x22, 0xb3, 0x04, 0x0a, 0x0b, 0x4e, 0x6f, 0x64, 0x65, 0x43, 0x6c,
+	0x6f, 0x12, 0x02, 0x70, 0x62, 0x22, 0xfd, 0x03, 0x0a, 0x0b, 0x4e, 0x6f, 0x64, 0x65, 0x43, 0x6c,
 	0x75, 0x73, 0x74, 0x65, 0x72, 0x12, 0x0e, 0x0a, 0x02, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28,
 	0x03, 0x52, 0x02, 0x69, 0x64, 0x12, 0x12, 0x0a, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x02, 0x20,
 	0x01, 0x28, 0x09, 0x52, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x12, 0x1c, 0x0a, 0x09, 0x63, 0x72, 0x65,
@@ -233,15 +225,12 @@ var file_models_model_node_cluster_proto_rawDesc = []byte{
 	0x09, 0x52, 0x08, 0x74, 0x69, 0x6d, 0x65, 0x5a, 0x6f, 0x6e, 0x65, 0x12, 0x26, 0x0a, 0x0e, 0x6e,
 	0x6f, 0x64, 0x65, 0x4d, 0x61, 0x78, 0x54, 0x68, 0x72, 0x65, 0x61, 0x64, 0x73, 0x18, 0x0e, 0x20,
 	0x01, 0x28, 0x05, 0x52, 0x0e, 0x6e, 0x6f, 0x64, 0x65, 0x4d, 0x61, 0x78, 0x54, 0x68, 0x72, 0x65,
-	0x61, 0x64, 0x73, 0x12, 0x34, 0x0a, 0x15, 0x6e, 0x6f, 0x64, 0x65, 0x54, 0x43, 0x50, 0x4d, 0x61,
+	0x61, 0x64, 0x73, 0x12, 0x24, 0x0a, 0x0d, 0x61, 0x75, 0x74, 0x6f, 0x4f, 0x70, 0x65, 0x6e, 0x50,
-	0x78, 0x43, 0x6f, 0x6e, 0x6e, 0x65, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x18, 0x0f, 0x20, 0x01,
+	0x6f, 0x72, 0x74, 0x73, 0x18, 0x10, 0x20, 0x01, 0x28, 0x08, 0x52, 0x0d, 0x61, 0x75, 0x74, 0x6f,
-	0x28, 0x05, 0x52, 0x15, 0x6e, 0x6f, 0x64, 0x65, 0x54, 0x43, 0x50, 0x4d, 0x61, 0x78, 0x43, 0x6f,
+	0x4f, 0x70, 0x65, 0x6e, 0x50, 0x6f, 0x72, 0x74, 0x73, 0x12, 0x1a, 0x0a, 0x08, 0x69, 0x73, 0x50,
-	0x6e, 0x6e, 0x65, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x12, 0x24, 0x0a, 0x0d, 0x61, 0x75, 0x74,
+	0x69, 0x6e, 0x6e, 0x65, 0x64, 0x18, 0x11, 0x20, 0x01, 0x28, 0x08, 0x52, 0x08, 0x69, 0x73, 0x50,
-	0x6f, 0x4f, 0x70, 0x65, 0x6e, 0x50, 0x6f, 0x72, 0x74, 0x73, 0x18, 0x10, 0x20, 0x01, 0x28, 0x08,
+	0x69, 0x6e, 0x6e, 0x65, 0x64, 0x42, 0x06, 0x5a, 0x04, 0x2e, 0x2f, 0x70, 0x62, 0x62, 0x06, 0x70,
-	0x52, 0x0d, 0x61, 0x75, 0x74, 0x6f, 0x4f, 0x70, 0x65, 0x6e, 0x50, 0x6f, 0x72, 0x74, 0x73, 0x12,
+	0x72, 0x6f, 0x74, 0x6f, 0x33,
 	0x1a, 0x0a, 0x08, 0x69, 0x73, 0x50, 0x69, 0x6e, 0x6e, 0x65, 0x64, 0x18, 0x11, 0x20, 0x01, 0x28,
 	0x08, 0x52, 0x08, 0x69, 0x73, 0x50, 0x69, 0x6e, 0x6e, 0x65, 0x64, 0x42, 0x06, 0x5a, 0x04, 0x2e,
 	0x2f, 0x70, 0x62, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
 }
 var (
--- a/pkg/rpc/pb/service_ip_item.pb.go
+++ b/pkg/rpc/pb/service_ip_item.pb.go
@@ -332,9 +332,9 @@ type DeleteIPItemRequest struct {
 	unknownFields protoimpl.UnknownFields
 	IpItemId int64  `protobuf:"varint,1,opt,name=ipItemId,proto3" json:"ipItemId,omitempty"` // IP条目的ID
-	IpFrom   string `protobuf:"bytes,2,opt,name=ipFrom,proto3" json:"ipFrom,omitempty"`      // 开始IP，和ipItemId二选一
+	IpFrom   string `protobuf:"bytes,2,opt,name=ipFrom,proto3" json:"ipFrom,omitempty"`      // v0.4.8新增，开始IP，和ipItemId二选一
-	IpTo     string `protobuf:"bytes,3,opt,name=ipTo,proto3" json:"ipTo,omitempty"`          // 结束IP，和ipItemId二选一
+	IpTo     string `protobuf:"bytes,3,opt,name=ipTo,proto3" json:"ipTo,omitempty"`          // v0.4.8新增，结束IP，和ipItemId二选一
-	IpListId int64  `protobuf:"varint,4,opt,name=ipListId,proto3" json:"ipListId,omitempty"` // IP列表，IP所在的IP列表，如果不指定，则会删除所有IP列表中的相关IP信息
+	IpListId int64  `protobuf:"varint,4,opt,name=ipListId,proto3" json:"ipListId,omitempty"` // v0.4.8新增，IP列表，IP所在的IP列表，如果不指定，则会删除所有IP列表中的相关IP信息
 }
 func (x *DeleteIPItemRequest) Reset() {
--- a/pkg/rpc/pb/service_node.pb.go
+++ b/pkg/rpc/pb/service_node.pb.go
--- a/pkg/rpc/pb/service_node_cluster.pb.go
+++ b/pkg/rpc/pb/service_node_cluster.pb.go
--- a/pkg/rpc/protos/models/model_node_cluster.proto
+++ b/pkg/rpc/protos/models/model_node_cluster.proto
@@ -18,7 +18,6 @@ message NodeCluster {
 	bool isOn = 12;
 	string timeZone = 13;
 	int32 nodeMaxThreads = 14;
 	int32 nodeTCPMaxConnections = 15;
 	bool autoOpenPorts = 16;
 	bool isPinned = 17;
 }
--- a/pkg/rpc/protos/service_node.proto
+++ b/pkg/rpc/protos/service_node.proto
@@ -139,6 +139,15 @@ service NodeService {
 	// 修改DNS Resolver
 	rpc updateNodeDNSResolver(UpdateNodeDNSResolverRequest) returns (RPCSuccess);
 	// 获取节点的DDoS设置
 	rpc findNodeDDoSProtection(FindNodeDDoSProtectionRequest) returns (FindNodeDDoSProtectionResponse);
 	// 修改节点的DDoS设置
 	rpc updateNodeDDoSProtection(UpdateNodeDDoSProtectionRequest) returns (RPCSuccess);
 	// 取得节点的配置概要信息
 	rpc findEnabledNodeConfigInfo (FindEnabledNodeConfigInfoRequest) returns (FindEnabledNodeConfigInfoResponse);
 }
 // 创建节点
@@ -263,6 +272,7 @@ message FindCurrentNodeConfigResponse {
 	bool isChanged = 2;
 	bool isCompressed = 3;
 	int64 dataSize = 4;
 	int64 timestamp = 5;
 }
 // 节点stream
@@ -533,3 +543,32 @@ message UpdateNodeDNSResolverRequest {
 	int64 nodeId = 1;
 	bytes dnsResolverJSON = 2;
 }
 // 获取节点的DDoS设置
 message FindNodeDDoSProtectionRequest {
 	int64 nodeId = 1;
 }
 message FindNodeDDoSProtectionResponse {
 	bytes ddosProtectionJSON = 1;
 }
 // 修改节点的DDOS设置
 message UpdateNodeDDoSProtectionRequest {
 	int64 nodeId = 1;
 	bytes ddosProtectionJSON = 2;
 }
 // 取得节点的配置概要信息
 message FindEnabledNodeConfigInfoRequest {
 	int64 nodeId = 1;
 }
 message FindEnabledNodeConfigInfoResponse {
 	bool hasDNSInfo = 1;
 	bool  hasCacheInfo = 2;
 	bool  hasThresholds = 3;
 	bool  hasSSH = 4;
 	bool  hasSystemSettings = 5;
 	bool hasDDoSProtection = 6;
 }
--- a/pkg/rpc/protos/service_node_cluster.proto
+++ b/pkg/rpc/protos/service_node_cluster.proto
@@ -121,6 +121,12 @@ service NodeClusterService {
 	// 设置集群WebP策略
 	rpc updateNodeClusterWebPPolicy(UpdateNodeClusterWebPPolicyRequest) returns (RPCSuccess);
 	// 获取集群的DDoS设置
 	rpc findNodeClusterDDoSProtection(FindNodeClusterDDoSProtectionRequest) returns (FindNodeClusterDDoSProtectionResponse);
 	// 修改集群的DDoS设置
 	rpc updateNodeClusterDDoSProtection(UpdateNodeClusterDDoSProtectionRequest) returns (RPCSuccess);
 }
 // 获取所有集群的信息
@@ -156,7 +162,7 @@ message UpdateNodeClusterRequest {
 	string installDir = 4;
 	string timeZone = 5;
 	int32 nodeMaxThreads = 6;
-	int32 nodeTCPMaxConnections = 7;
+
 	bool autoOpenPorts = 8;
 }
@@ -429,6 +435,7 @@ message FindEnabledNodeClusterConfigInfoResponse {
 	bool hasMetricItems = 6;
 	bool webpIsOn = 7;
 	bool hasSystemServices = 8;
 	bool hasDDoSProtection = 9;
 }
 // 设置集群是否置顶
@@ -451,3 +458,18 @@ message UpdateNodeClusterWebPPolicyRequest {
 	int64 nodeClusterId = 1;
 	bytes webpPolicyJSON = 2;
 }
 // 获取集群的DDoS设置
 message FindNodeClusterDDoSProtectionRequest {
 	int64 nodeClusterId = 1;
 }
 message FindNodeClusterDDoSProtectionResponse {
 	bytes ddosProtectionJSON = 1;
 }
 // 修改集群的DDOS设置
 message UpdateNodeClusterDDoSProtectionRequest {
 	int64 nodeClusterId = 1;
 	bytes ddosProtectionJSON = 2;
 }
--- a/pkg/serverconfigs/ddosconfigs/ip_config.go
+++ b/pkg/serverconfigs/ddosconfigs/ip_config.go
@@ -0,0 +1,8 @@
 // Copyright 2022 Liuxiangchao iwind.liu@gmail.com. All rights reserved.
 package ddosconfigs
 type IPConfig struct {
 	IP          string `json:"ip"`
 	Description string `json:"description"`
 }
--- a/pkg/serverconfigs/ddosconfigs/port_config.go
+++ b/pkg/serverconfigs/ddosconfigs/port_config.go
@@ -0,0 +1,8 @@
 // Copyright 2022 Liuxiangchao iwind.liu@gmail.com. All rights reserved.
 package ddosconfigs
 type PortConfig struct {
 	Port        int32  `json:"port"`
 	Description string `json:"description"`
 }
--- a/pkg/serverconfigs/ddosconfigs/protection_config.go
+++ b/pkg/serverconfigs/ddosconfigs/protection_config.go
@@ -0,0 +1,51 @@
 // Copyright 2022 Liuxiangchao iwind.liu@gmail.com. All rights reserved.
 package ddosconfigs
 func DefaultProtectionConfig() *ProtectionConfig {
 	return &ProtectionConfig{}
 }
 type ProtectionConfig struct {
 	TCP *TCPConfig `yaml:"tcp" json:"tcp"`
 }
 func (this *ProtectionConfig) Init() error {
 	// tcp
 	if this.TCP != nil {
 		err := this.TCP.Init()
 		if err != nil {
 			return err
 		}
 	}
 	return nil
 }
 func (this *ProtectionConfig) IsPriorEmpty() bool {
 	if this.TCP != nil && this.TCP.IsPrior {
 		return false
 	}
 	return true
 }
 func (this *ProtectionConfig) IsOn() bool {
 	// tcp
 	if this.TCP != nil && this.TCP.IsOn {
 		return true
 	}
 	return false
 }
 func (this *ProtectionConfig) Merge(childConfig *ProtectionConfig) {
 	if childConfig == nil {
 		return
 	}
 	// tcp
 	if childConfig.TCP != nil && childConfig.TCP.IsPrior {
 		this.TCP = childConfig.TCP
 	}
 }
--- a/pkg/serverconfigs/ddosconfigs/tcp_config.go
+++ b/pkg/serverconfigs/ddosconfigs/tcp_config.go
@@ -0,0 +1,17 @@
 // Copyright 2022 Liuxiangchao iwind.liu@gmail.com. All rights reserved.
 package ddosconfigs
 type TCPConfig struct {
 	IsPrior             bool          `json:"isPrior"`
 	IsOn                bool          `json:"isOn"`
 	MaxConnections      int32         `json:"maxConnections"`
 	MaxConnectionsPerIP int32         `json:"maxConnectionsPerIP"`
 	NewConnectionsRate  int32         `json:"newConnectionsRate"`
 	AllowIPList         []*IPConfig   `json:"allowIPList"`
 	Ports               []*PortConfig `json:"ports"`
 }
 func (this *TCPConfig) Init() error {
 	return nil
 }
--- a/pkg/serverconfigs/shared/size_capacity.go
+++ b/pkg/serverconfigs/shared/size_capacity.go
@@ -28,6 +28,12 @@ func NewSizeCapacity(count int64, unit SizeCapacityUnit) *SizeCapacity {
 	}
 }
 func DecodeSizeCapacityJSON(sizeCapacityJSON []byte) (*SizeCapacity, error) {
 	var capacity = &SizeCapacity{}
 	err := json.Unmarshal(sizeCapacityJSON, capacity)
 	return capacity, err
 }
 func (this *SizeCapacity) Bytes() int64 {
 	if this.Count < 0 {
 		return -1