package firewallconfigs
import (
	"strconv"

	"github.com/iwind/TeaGo/maps"
)
// HTTPFirewallRuleConnector says how the rules inside one rule set are
// combined: every rule has to match ("and") or any single rule is enough
// ("or"). It is an alias of string, so the two constants below stay untyped
// and can be assigned to any string-kinded field.
type HTTPFirewallRuleConnector = string

// HTTPFirewallRuleConnectorAnd requires every rule of the set to match.
const HTTPFirewallRuleConnectorAnd = "and"

// HTTPFirewallRuleConnectorOr lets any one matching rule trigger the set.
const HTTPFirewallRuleConnectorOr = "or"
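// HTTPFirewallTemplate builds the default WAF policy that new policies are
// cloned from.
//
// The result is one enabled policy whose inbound side holds, in display order,
// the groups XSS, file upload, web shell, command injection, path traversal,
// special directories, SQL injection, bots, CC (request flooding), referer and
// an empty "custom" group for operator-written rules. The outbound side is an
// empty config. Every group is marked IsTemplate so the UI can tell it apart
// from user-authored groups; groups that are prone to false positives (upload,
// web shell, command injection, SQL injection) ship switched off and have to be
// enabled per site.
//
// Each group is assembled by its own helper below so that the patterns and
// thresholds of one group can be reviewed without reading the others. Most of
// the groups are signature based and therefore best-effort: they raise the bar
// for opportunistic scanners but do not replace input validation in the origin
// application. Known blind spots are called out on the individual helpers.
func HTTPFirewallTemplate() *HTTPFirewallPolicy {
	var policy = &HTTPFirewallPolicy{}
	policy.IsOn = true
	policy.Inbound = &HTTPFirewallInboundConfig{}
	policy.Outbound = &HTTPFirewallOutboundConfig{}

	policy.Inbound.Groups = append(policy.Inbound.Groups,
		templateXSSGroup(),
		templateUploadGroup(),
		templateWebShellGroup(),
		templateCommandInjectionGroup(),
		templatePathTraversalGroup(),
		templateDenyDirsGroup(),
		templateSQLInjectionGroup(),
		templateBotGroup(),
		templateCCGroup(),
		templateRefererGroup(),
		templateCustomGroup(),
	)
	return policy
}

// templateGroup returns a template rule group with the given identity and
// initial on/off state. Rule sets are appended by the caller.
func templateGroup(code, name, description string, isOn bool) *HTTPFirewallRuleGroup {
	var group = &HTTPFirewallRuleGroup{}
	group.IsOn = isOn
	group.Name = name
	group.Code = code
	group.Description = description
	group.IsTemplate = true
	return group
}

// templateRuleSet returns an enabled rule set with the given identity,
// connector and actions. Rules are appended by the caller; sets that need
// Description, IgnoreLocal or a different IsOn set those afterwards.
func templateRuleSet(code, name string, connector HTTPFirewallRuleConnector, actions []*HTTPFirewallActionConfig) *HTTPFirewallRuleSet {
	var set = &HTTPFirewallRuleSet{}
	set.IsOn = true
	set.Name = name
	set.Code = code
	set.Connector = connector
	set.Actions = actions
	return set
}

// templateDenyActions returns the action list most template sets use: answer
// with an empty 403 page. A fresh slice and maps.Map are built on every call so
// that no two rule sets alias the same mutable options map.
func templateDenyActions() []*HTTPFirewallActionConfig {
	return []*HTTPFirewallActionConfig{
		{
			Code:    HTTPFirewallActionPage,
			Options: maps.Map{"status": 403, "body": ""},
		},
	}
}

// templateBlockActions returns an action list that blocks the client for
// timeoutSeconds seconds; used by the CC sets.
func templateBlockActions(timeoutSeconds int) []*HTTPFirewallActionConfig {
	return []*HTTPFirewallActionConfig{
		{
			Code: HTTPFirewallActionBlock,
			Options: maps.Map{
				"timeout": timeoutSeconds,
			},
		},
	}
}

// templateXSSGroup: cross-site scripting detection over the whole request
// (${requestAll}) using the engine's ContainsXSS operator. Enabled by default.
func templateXSSGroup() *HTTPFirewallRuleGroup {
	var group = templateGroup("xss", "XSS", "防跨站脚本攻击Cross Site Scripting", true)
	var set = templateRuleSet("1010", "XSS攻击检测", HTTPFirewallRuleConnectorOr, templateDenyActions())
	set.AddRule(&HTTPFirewallRule{
		IsOn:              true,
		Param:             "${requestAll}",
		Operator:          HTTPFirewallRuleOperatorContainsXSS,
		Value:             "",
		IsCaseInsensitive: false,
	})
	group.AddRuleSet(set)
	return group
}

// templateUploadGroup: rejects uploads whose extension denotes a server-side
// executable. Disabled by default.
func templateUploadGroup() *HTTPFirewallRuleGroup {
	var group = templateGroup("upload", "文件上传", "防止上传可执行脚本文件到服务器", false)
	var set = templateRuleSet("2001", "上传文件扩展名", HTTPFirewallRuleConnectorOr, templateDenyActions())
	set.AddRule(&HTTPFirewallRule{
		IsOn:     true,
		Param:    "${requestUpload.ext}",
		Operator: HTTPFirewallRuleOperatorMatch,
		// Unanchored, so a double extension such as ".php.jpg" still matches.
		// "php\d?" covers php3/php5/php7, which a bare "php\b" lets through;
		// phtml/phar and the jspx/ashx/asmx/cer/cgi/pl/sh variants close the
		// usual blocklist gaps. Assumes ${requestUpload.ext} keeps its leading
		// dot (the pattern always started with "\." — verify against the
		// checkpoint if in doubt).
		Value:             `\.(php\d?|phtml|phar|jsp|jspx|asp|aspx|asa|ashx|asmx|cer|cgi|pl|sh|exe|rb|py)\b`,
		IsCaseInsensitive: true,
	})
	group.AddRuleSet(set)
	return group
}

// templateWebShellGroup: looks for calls to common code/command execution
// functions anywhere in the request. Disabled by default because legitimate
// payloads (source snippets, JSON with "eval(") trip it easily. The function
// list is intentionally short.
func templateWebShellGroup() *HTTPFirewallRuleGroup {
	var group = templateGroup("webShell", "Web Shell", "防止远程执行服务器命令", false)
	var set = templateRuleSet("3001", "Web Shell", HTTPFirewallRuleConnectorOr, templateDenyActions())
	set.AddRule(&HTTPFirewallRule{
		IsOn:              true,
		Param:             "${requestAll}",
		Operator:          HTTPFirewallRuleOperatorMatch,
		Value:             `\b(eval|system|exec|execute|passthru|shell_exec|phpinfo)\s*\(`,
		IsCaseInsensitive: true,
	})
	group.AddRuleSet(set)
	return group
}

// templateCommandInjectionGroup: OS command injection. Disabled by default: the
// pattern only catches a handful of bare commands at the very end of the URI or
// body, and the "id" alternative alone collides with ordinary REST paths such
// as "/user/id". Treat it as a starting point to tune per site.
func templateCommandInjectionGroup() *HTTPFirewallRuleGroup {
	var group = templateGroup("commandInjection", "命令注入", "防止命令注入攻击", false)
	var set = templateRuleSet("4001", "命令注入", HTTPFirewallRuleConnectorOr, templateDenyActions())

	// Same command list for both inputs, anchored with "$" so only a trailing
	// command (e.g. "...;whoami") triggers. Case sensitive on purpose.
	const commandPattern = `\b(pwd|ls|ll|whoami|id|net\s+user)\s*$`
	for _, param := range []string{"${requestURI}", "${requestBody}"} {
		set.AddRule(&HTTPFirewallRule{
			IsOn:              true,
			Param:             param,
			Operator:          HTTPFirewallRuleOperatorMatch,
			Value:             commandPattern,
			IsCaseInsensitive: false,
		})
	}
	group.AddRuleSet(set)
	return group
}

// templatePathTraversalGroup: directory traversal in the request URI. Enabled
// by default. The pattern needs at least two consecutive dot-separator
// segments ("../../", "././"), so a lone "../" is tolerated; backslashes are
// accepted as separators as well so "..\..\" is not a trivial bypass. It cannot
// see percent-encoded dots ("%2e%2e/") unless ${requestURI} is already decoded
// — confirm that against the checkpoint before relying on this group alone.
func templatePathTraversalGroup() *HTTPFirewallRuleGroup {
	var group = templateGroup("pathTraversal", "路径穿越", "防止读取网站目录之外的其他系统文件", true)
	var set = templateRuleSet("5001", "路径穿越", HTTPFirewallRuleConnectorOr, templateDenyActions())
	set.AddRule(&HTTPFirewallRule{
		IsOn:              true,
		Param:             "${requestURI}",
		Operator:          HTTPFirewallRuleOperatorMatch,
		Value:             `((\.+)([/\\]+)){2,}`,
		IsCaseInsensitive: false,
	})
	group.AddRuleSet(set)
	return group
}

// templateDenyDirsGroup: VCS metadata, IDE settings, dotenv secrets and Apache
// control files under the web root. Enabled by default. ".htpasswd" is listed
// next to ".htaccess" because it holds credential hashes. Matching is
// "contains any word" on ${requestPath}; whether "/.git" also covers
// "/.github" depends on that operator's word semantics, which this file does
// not define.
func templateDenyDirsGroup() *HTTPFirewallRuleGroup {
	var group = templateGroup("denyDirs", "特殊目录", "防止通过Web访问到一些特殊目录", true)
	var set = templateRuleSet("6001", "特殊目录", HTTPFirewallRuleConnectorOr, templateDenyActions())
	set.AddRule(&HTTPFirewallRule{
		IsOn:              true,
		Param:             "${requestPath}",
		Operator:          HTTPFirewallRuleOperatorContainsAnyWord,
		Value:             "/.git\n/.svn\n/.htaccess\n/.htpasswd\n/.idea\n/.env\n/.vscode",
		IsCaseInsensitive: true,
	})
	group.AddRuleSet(set)
	return group
}

// templateSQLInjectionGroup: SQL injection detection over the whole request
// using the engine's ContainsSQLInjection operator. Disabled by default.
func templateSQLInjectionGroup() *HTTPFirewallRuleGroup {
	var group = templateGroup("sqlInjection", "SQL注入", "防止SQL注入漏洞", false)
	var set = templateRuleSet("7010", "SQL注入检测", HTTPFirewallRuleConnectorOr, templateDenyActions())
	set.AddRule(&HTTPFirewallRule{
		IsOn:              true,
		Param:             "${requestAll}",
		Operator:          HTTPFirewallRuleOperatorContainsSQLInjection,
		Value:             "",
		IsCaseInsensitive: false,
	})
	group.AddRuleSet(set)
	return group
}

// templateBotGroup: User-Agent based crawler handling. Enabled by default with
// three active sets (HTTP libraries, download tools, empty UA) and the search
// engine set switched off so indexing keeps working unless the operator opts
// in. The User-Agent header is chosen by the client, so every set here is
// bypassed by a spoofed header; they deter lazy scanners, not a targeted
// attacker.
func templateBotGroup() *HTTPFirewallRuleGroup {
	var group = templateGroup("bot", "网络爬虫", "禁止一些网络爬虫", true)

	// 20001: well-known search engine crawlers. Off by default — blocking
	// these delists the site.
	{
		var set = templateRuleSet("20001", "搜索引擎", HTTPFirewallRuleConnectorOr, templateDenyActions())
		set.IsOn = false
		set.AddRule(&HTTPFirewallRule{
			IsOn:              true,
			Param:             "${userAgent}",
			Operator:          HTTPFirewallRuleOperatorContainsAnyWord,
			Value:             "360spider\nadldxbot\nadsbot-google\napplebot\nadmantx\nalexa\nbaidu\nbingbot\nbingpreview\nfacebookexternalhit\ngooglebot\nproximic\nslurp\nsogou\ntwitterbot\nyandex\nspider",
			IsCaseInsensitive: true,
		})
		group.AddRuleSet(set)
	}

	// 20003: HTTP libraries and scraping frameworks, ANDed with an exemption
	// for the project's own "goedge" client. Any client that puts the word
	// "goedge" in its User-Agent is exempt as well, so keep this allowlist
	// short and never treat it as authentication.
	{
		var set = templateRuleSet("20003", "爬虫工具", HTTPFirewallRuleConnectorAnd, templateDenyActions())
		set.AddRule(&HTTPFirewallRule{
			IsOn:              true,
			Param:             "${userAgent}",
			Operator:          HTTPFirewallRuleOperatorContainsAnyWord,
			Value:             "python\npycurl\nhttp-client\nhttpclient\napachebench\nnethttp\nhttp_request\njava\nperl\nruby\nscrapy\nphp\nrust",
			IsCaseInsensitive: true,
		})
		set.AddRule(&HTTPFirewallRule{
			IsOn:              true,
			Param:             "${userAgent}",
			Operator:          HTTPFirewallRuleOperatorNotContainsAnyWord,
			Value:             "goedge",
			IsCaseInsensitive: true,
			Description:       "User-Agent白名单",
		})
		group.AddRuleSet(set)
	}

	// 20004: wget/curl are only tagged "download", not blocked.
	{
		var set = templateRuleSet("20004", "下载工具", HTTPFirewallRuleConnectorOr, []*HTTPFirewallActionConfig{
			{
				Code: HTTPFirewallActionTag,
				Options: maps.Map{
					"tags": []string{"download"},
				},
			},
		})
		set.AddRule(&HTTPFirewallRule{
			IsOn:              true,
			Param:             "${userAgent}",
			Operator:          HTTPFirewallRuleOperatorContainsAnyWord,
			Value:             "wget\ncurl",
			IsCaseInsensitive: true,
		})
		group.AddRuleSet(set)
	}

	// 20002: requests that carry no User-Agent at all.
	{
		var set = templateRuleSet("20002", "空Agent", HTTPFirewallRuleConnectorOr, templateDenyActions())
		set.AddRule(&HTTPFirewallRule{
			IsOn:              true,
			Param:             "${userAgent}",
			Operator:          HTTPFirewallRuleOperatorEqString,
			Value:             "",
			IsCaseInsensitive: false,
		})
		group.AddRuleSet(set)
	}

	return group
}

// templateCCRule builds a ${cc2} counter rule that matches once the counter
// keyed by keys exceeds threshold within a 60 second window. The rule's Value
// is derived from threshold so the two can never drift apart.
func templateCCRule(keys []string, threshold int) *HTTPFirewallRule {
	return &HTTPFirewallRule{
		IsOn:     true,
		Param:    "${cc2}",
		Operator: HTTPFirewallRuleOperatorGt,
		Value:    strconv.Itoa(threshold),
		CheckpointOptions: map[string]interface{}{
			"keys":              keys,
			"period":            "60",
			"threshold":         threshold,
			"enableFingerprint": true,
		},
		IsCaseInsensitive: false,
	}
}

// templateCCGroup: "Challenge Collapsar" flood protection. Enabled by default,
// so the thresholds are deliberately generous. The counters are keyed on
// ${remoteAddr}; if the edge sits behind another proxy, remoteAddr must
// resolve to the real client address or all visitors share one bucket and get
// blocked together (assumption about the cc2 checkpoint — verify against its
// implementation). Local addresses are exempt via IgnoreLocal.
func templateCCGroup() *HTTPFirewallRuleGroup {
	var group = templateGroup("cc2", "CC攻击", "Challenge Collapsar防止短时间大量请求涌入请谨慎开启和设置", true)

	// 8001: more than 120 requests in 60s from one IP to one path → block
	// the IP for 30 minutes.
	{
		var set = templateRuleSet("8001", "CC单URL请求数", HTTPFirewallRuleConnectorAnd, templateBlockActions(1800))
		set.Description = "限制单IP在一定时间内对单URL的请求数"
		set.IgnoreLocal = true
		set.AddRule(templateCCRule([]string{"${remoteAddr}", "${requestPath}"}, 120))
		group.AddRuleSet(set)
	}

	// 8002: more than 1200 requests in 60s from one IP in total → block the
	// IP for 30 minutes.
	{
		var set = templateRuleSet("8002", "CC请求数", HTTPFirewallRuleConnectorAnd, templateBlockActions(1800))
		set.Description = "限制单IP在一定时间内的总体请求数"
		set.IgnoreLocal = true
		set.AddRule(templateCCRule([]string{"${remoteAddr}"}, 1200))
		group.AddRuleSet(set)
	}

	// 8003: "random URL" floods — a query string that is nothing but 12+
	// characters of [0-9A-Za-z_-.] with no "=" or "&". Note this is on by
	// default and also rejects bare cache-busters such as "?1690000000000";
	// sites that use such URLs should disable this set.
	{
		var set = templateRuleSet("8003", "随机URL攻击", HTTPFirewallRuleConnectorAnd, templateDenyActions())
		set.Description = "限制用户使用随机URL访问网站"
		set.AddRule(&HTTPFirewallRule{
			IsOn:              true,
			Param:             "${args}",
			Operator:          HTTPFirewallRuleOperatorMatch,
			Value:             `^[0-9a-zA-Z_\-.]{12,}$`,
			IsCaseInsensitive: false,
		})
		group.AddRuleSet(set)
	}

	return group
}

// templateRefererGroup: hotlink protection. Enabled by default but shipped
// with allowDomains = ["*"] plus allowEmpty and allowSameDomain, so it blocks
// nothing until the operator narrows the allowed domains; it exists to be
// edited, not to protect out of the box.
func templateRefererGroup() *HTTPFirewallRuleGroup {
	var group = templateGroup("referer", "防盗链", "防止第三方网站引用本站资源。", true)
	var set = templateRuleSet("9001", "防盗链", HTTPFirewallRuleConnectorAnd, templateDenyActions())
	set.Description = "防止第三方网站引用本站资源"
	set.AddRule(&HTTPFirewallRule{
		IsOn:     true,
		Param:    "${refererBlock}",
		Operator: HTTPFirewallRuleOperatorEq,
		Value:    "0",
		CheckpointOptions: map[string]interface{}{
			"allowEmpty":      true,
			"allowSameDomain": true,
			"allowDomains":    []string{"*"},
		},
		IsCaseInsensitive: false,
	})
	group.AddRuleSet(set)
	return group
}

// templateCustomGroup: an empty, enabled group that operators put their own
// rules into.
func templateCustomGroup() *HTTPFirewallRuleGroup {
	return templateGroup("custom", "自定义规则分组", "我的自定义规则分组,可以将自定义的规则放在这个分组下", true)
}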