2021-04-29 16:48:47 +08:00
|
|
|
|
// Copyright 2021 Liuxiangchao iwind.liu@gmail.com. All rights reserved.
|
|
|
|
|
|
|
|
|
|
|
|
package nodes
|
|
|
|
|
|
|
|
|
|
|
|
import (
|
2022-12-21 15:59:07 +08:00
|
|
|
|
"errors"
|
2021-04-29 16:48:47 +08:00
|
|
|
|
"github.com/TeaOSLab/EdgeCommon/pkg/nodeconfigs"
|
2022-01-10 19:54:10 +08:00
|
|
|
|
"github.com/TeaOSLab/EdgeCommon/pkg/serverconfigs/firewallconfigs"
|
2022-09-02 15:20:58 +08:00
|
|
|
|
"github.com/TeaOSLab/EdgeNode/internal/conns"
|
2021-11-13 21:30:24 +08:00
|
|
|
|
teaconst "github.com/TeaOSLab/EdgeNode/internal/const"
|
2022-01-10 19:54:10 +08:00
|
|
|
|
"github.com/TeaOSLab/EdgeNode/internal/iplibrary"
|
2022-07-05 20:37:00 +08:00
|
|
|
|
"github.com/TeaOSLab/EdgeNode/internal/stats"
|
2022-01-10 19:54:10 +08:00
|
|
|
|
"github.com/TeaOSLab/EdgeNode/internal/ttlcache"
|
|
|
|
|
|
"github.com/TeaOSLab/EdgeNode/internal/utils"
|
|
|
|
|
|
"github.com/TeaOSLab/EdgeNode/internal/waf"
|
2022-08-26 16:47:42 +08:00
|
|
|
|
"github.com/iwind/TeaGo/Tea"
|
2022-01-10 19:54:10 +08:00
|
|
|
|
"github.com/iwind/TeaGo/types"
|
2022-12-27 18:58:29 +08:00
|
|
|
|
"io"
|
2021-04-29 16:48:47 +08:00
|
|
|
|
"net"
|
2022-01-10 19:54:10 +08:00
|
|
|
|
"os"
|
2022-07-05 20:37:00 +08:00
|
|
|
|
"strings"
|
2021-04-29 16:48:47 +08:00
|
|
|
|
"sync/atomic"
|
|
|
|
|
|
"time"
|
|
|
|
|
|
)
|
|
|
|
|
|
|
2021-10-20 22:32:02 +08:00
|
|
|
|
// ClientConn 客户端连接
|
|
|
|
|
|
type ClientConn struct {
|
2022-08-26 16:47:42 +08:00
|
|
|
|
BaseClientConn
|
|
|
|
|
|
|
2022-12-21 15:59:07 +08:00
|
|
|
|
createdAt int64
|
|
|
|
|
|
|
|
|
|
|
|
isTLS bool
|
|
|
|
|
|
hasRead bool
|
2022-01-13 11:45:51 +08:00
|
|
|
|
|
2022-09-14 18:52:26 +08:00
|
|
|
|
isLO bool // 是否为环路
|
|
|
|
|
|
isInAllowList bool
|
2022-07-05 20:37:00 +08:00
|
|
|
|
|
2022-01-13 11:36:05 +08:00
|
|
|
|
hasResetSYNFlood bool
|
2022-12-21 15:59:07 +08:00
|
|
|
|
|
|
|
|
|
|
lastReadAt int64
|
|
|
|
|
|
lastWriteAt int64
|
|
|
|
|
|
lastErr error
|
2021-04-29 16:48:47 +08:00
|
|
|
|
}
|
|
|
|
|
|
|
2022-09-14 18:52:26 +08:00
|
|
|
|
func NewClientConn(rawConn net.Conn, isTLS bool, quickClose bool, isInAllowList bool) net.Conn {
|
2022-07-05 20:37:00 +08:00
|
|
|
|
// 是否为环路
|
2022-08-27 10:49:16 +08:00
|
|
|
|
var remoteAddr = rawConn.RemoteAddr().String()
|
2022-07-05 20:37:00 +08:00
|
|
|
|
var isLO = strings.HasPrefix(remoteAddr, "127.0.0.1:") || strings.HasPrefix(remoteAddr, "[::1]:")
|
|
|
|
|
|
|
2022-08-27 10:49:16 +08:00
|
|
|
|
var conn = &ClientConn{
|
|
|
|
|
|
BaseClientConn: BaseClientConn{rawConn: rawConn},
|
2022-07-05 20:37:00 +08:00
|
|
|
|
isTLS: isTLS,
|
|
|
|
|
|
isLO: isLO,
|
2022-09-14 18:52:26 +08:00
|
|
|
|
isInAllowList: isInAllowList,
|
2022-12-21 15:59:07 +08:00
|
|
|
|
createdAt: time.Now().Unix(),
|
2022-07-05 20:37:00 +08:00
|
|
|
|
}
|
2022-08-27 10:49:16 +08:00
|
|
|
|
|
|
|
|
|
|
if quickClose {
|
|
|
|
|
|
// TODO 可以在配置中设置此值
|
|
|
|
|
|
_ = conn.SetLinger(nodeconfigs.DefaultTCPLinger)
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2022-09-02 15:20:58 +08:00
|
|
|
|
// 加入到Map
|
|
|
|
|
|
conns.SharedMap.Add(conn)
|
|
|
|
|
|
|
2022-08-27 10:49:16 +08:00
|
|
|
|
return conn
|
2021-04-29 16:48:47 +08:00
|
|
|
|
}
|
|
|
|
|
|
|
2021-10-20 22:32:02 +08:00
|
|
|
|
func (this *ClientConn) Read(b []byte) (n int, err error) {
|
2023-01-01 19:27:38 +08:00
|
|
|
|
var globalServerConfig = sharedNodeConfig.GlobalServerConfig
|
2022-12-21 15:59:07 +08:00
|
|
|
|
|
2023-01-01 19:27:38 +08:00
|
|
|
|
if globalServerConfig != nil && globalServerConfig.Performance.Debug {
|
|
|
|
|
|
this.lastReadAt = time.Now().Unix()
|
|
|
|
|
|
|
|
|
|
|
|
defer func() {
|
|
|
|
|
|
if err != nil {
|
|
|
|
|
|
this.lastErr = errors.New("read error: " + err.Error())
|
|
|
|
|
|
}
|
|
|
|
|
|
}()
|
|
|
|
|
|
}
|
2022-12-21 15:59:07 +08:00
|
|
|
|
|
2022-07-05 20:37:00 +08:00
|
|
|
|
// 环路直接读取
|
|
|
|
|
|
if this.isLO {
|
|
|
|
|
|
n, err = this.rawConn.Read(b)
|
|
|
|
|
|
if n > 0 {
|
|
|
|
|
|
atomic.AddUint64(&teaconst.InTrafficBytes, uint64(n))
|
|
|
|
|
|
}
|
|
|
|
|
|
return
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
// 开始读取
|
2021-04-29 16:48:47 +08:00
|
|
|
|
n, err = this.rawConn.Read(b)
|
|
|
|
|
|
if n > 0 {
|
2021-11-13 21:30:24 +08:00
|
|
|
|
atomic.AddUint64(&teaconst.InTrafficBytes, uint64(n))
|
2022-12-21 15:59:07 +08:00
|
|
|
|
this.hasRead = true
|
2021-04-29 16:48:47 +08:00
|
|
|
|
}
|
2022-01-10 19:54:10 +08:00
|
|
|
|
|
2022-09-14 18:52:26 +08:00
|
|
|
|
// 检测是否为握手错误
|
2022-01-13 11:45:51 +08:00
|
|
|
|
var isHandshakeError = err != nil && os.IsTimeout(err) && !this.hasRead
|
2022-01-13 11:46:42 +08:00
|
|
|
|
if isHandshakeError {
|
|
|
|
|
|
_ = this.SetLinger(0)
|
|
|
|
|
|
}
|
2022-07-15 11:15:55 +08:00
|
|
|
|
|
2022-09-14 18:52:26 +08:00
|
|
|
|
// 忽略白名单和局域网
|
|
|
|
|
|
if !this.isInAllowList && !utils.IsLocalIP(this.RawIP()) {
|
|
|
|
|
|
// SYN Flood检测
|
|
|
|
|
|
if this.serverId == 0 || !this.hasResetSYNFlood {
|
|
|
|
|
|
var synFloodConfig = sharedNodeConfig.SYNFloodConfig()
|
|
|
|
|
|
if synFloodConfig != nil && synFloodConfig.IsOn {
|
|
|
|
|
|
if isHandshakeError {
|
|
|
|
|
|
this.increaseSYNFlood(synFloodConfig)
|
|
|
|
|
|
} else if err == nil && !this.hasResetSYNFlood {
|
|
|
|
|
|
this.hasResetSYNFlood = true
|
|
|
|
|
|
this.resetSYNFlood()
|
|
|
|
|
|
}
|
2022-07-15 11:15:55 +08:00
|
|
|
|
}
|
2022-01-10 19:54:10 +08:00
|
|
|
|
}
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2022-12-27 18:58:29 +08:00
|
|
|
|
// 关闭连接
|
|
|
|
|
|
if err == io.EOF {
|
2023-01-02 10:44:10 +08:00
|
|
|
|
_ = this.Close()
|
2022-12-27 18:58:29 +08:00
|
|
|
|
}
|
|
|
|
|
|
|
2021-04-29 16:48:47 +08:00
|
|
|
|
return
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2021-10-20 22:32:02 +08:00
|
|
|
|
func (this *ClientConn) Write(b []byte) (n int, err error) {
|
2023-01-01 19:27:38 +08:00
|
|
|
|
var globalServerConfig = sharedNodeConfig.GlobalServerConfig
|
2022-12-21 15:59:07 +08:00
|
|
|
|
|
2023-01-01 19:27:38 +08:00
|
|
|
|
if globalServerConfig != nil && globalServerConfig.Performance.Debug {
|
|
|
|
|
|
this.lastWriteAt = time.Now().Unix()
|
|
|
|
|
|
|
|
|
|
|
|
defer func() {
|
|
|
|
|
|
if err != nil {
|
|
|
|
|
|
this.lastErr = errors.New("write error: " + err.Error())
|
|
|
|
|
|
}
|
|
|
|
|
|
}()
|
|
|
|
|
|
}
|
2022-12-21 15:59:07 +08:00
|
|
|
|
|
2022-12-10 18:22:00 +08:00
|
|
|
|
// 设置超时时间
|
2023-01-01 19:27:38 +08:00
|
|
|
|
if globalServerConfig != nil && globalServerConfig.Performance.AutoWriteTimeout {
|
|
|
|
|
|
// TODO L2 -> L1 写入时不限制时间
|
|
|
|
|
|
var timeoutSeconds = len(b) / 4096
|
|
|
|
|
|
if timeoutSeconds < 3 {
|
|
|
|
|
|
timeoutSeconds = 3
|
|
|
|
|
|
}
|
|
|
|
|
|
_ = this.rawConn.SetWriteDeadline(time.Now().Add(time.Duration(timeoutSeconds) * time.Second)) // TODO 时间可以设置
|
2022-12-12 10:04:36 +08:00
|
|
|
|
}
|
2022-12-10 18:22:00 +08:00
|
|
|
|
|
2021-04-29 16:48:47 +08:00
|
|
|
|
n, err = this.rawConn.Write(b)
|
|
|
|
|
|
if n > 0 {
|
2022-07-05 20:37:00 +08:00
|
|
|
|
// 统计当前服务带宽
|
|
|
|
|
|
if this.serverId > 0 {
|
2022-08-26 16:47:42 +08:00
|
|
|
|
if !this.isLO || Tea.IsTesting() { // 环路不统计带宽,避免缓存预热等行为产生带宽
|
|
|
|
|
|
atomic.AddUint64(&teaconst.OutTrafficBytes, uint64(n))
|
2022-07-07 09:21:18 +08:00
|
|
|
|
stats.SharedBandwidthStatManager.Add(this.userId, this.serverId, int64(n))
|
2022-07-05 20:37:00 +08:00
|
|
|
|
}
|
|
|
|
|
|
}
|
2021-04-29 16:48:47 +08:00
|
|
|
|
}
|
2022-07-05 20:37:00 +08:00
|
|
|
|
|
2022-12-10 19:51:05 +08:00
|
|
|
|
// 如果是写入超时,则立即关闭连接
|
|
|
|
|
|
if err != nil && os.IsTimeout(err) {
|
2022-12-12 10:04:36 +08:00
|
|
|
|
// TODO 考虑对多次慢连接的IP做出惩罚
|
2022-12-10 19:51:05 +08:00
|
|
|
|
conn, ok := this.rawConn.(LingerConn)
|
|
|
|
|
|
if ok {
|
|
|
|
|
|
_ = conn.SetLinger(0)
|
|
|
|
|
|
}
|
2022-12-21 16:11:55 +08:00
|
|
|
|
|
2023-01-02 10:44:10 +08:00
|
|
|
|
_ = this.Close()
|
2022-12-10 19:51:05 +08:00
|
|
|
|
}
|
|
|
|
|
|
|
2021-04-29 16:48:47 +08:00
|
|
|
|
return
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2021-10-20 22:32:02 +08:00
|
|
|
|
func (this *ClientConn) Close() error {
|
2021-09-29 09:19:45 +08:00
|
|
|
|
this.isClosed = true
|
2021-12-12 11:48:01 +08:00
|
|
|
|
|
2021-12-22 16:43:16 +08:00
|
|
|
|
err := this.rawConn.Close()
|
|
|
|
|
|
|
2021-12-12 11:48:01 +08:00
|
|
|
|
// 单个服务并发数限制
|
2022-07-25 19:48:03 +08:00
|
|
|
|
// 不能加条件限制,因为服务配置随时有变化
|
|
|
|
|
|
sharedClientConnLimiter.Remove(this.rawConn.RemoteAddr().String())
|
2021-12-12 11:48:01 +08:00
|
|
|
|
|
2022-09-02 15:20:58 +08:00
|
|
|
|
// 从conn map中移除
|
|
|
|
|
|
conns.SharedMap.Remove(this)
|
|
|
|
|
|
|
2021-12-22 16:43:16 +08:00
|
|
|
|
return err
|
2021-04-29 16:48:47 +08:00
|
|
|
|
}
|
|
|
|
|
|
|
2021-10-20 22:32:02 +08:00
|
|
|
|
func (this *ClientConn) LocalAddr() net.Addr {
|
2021-04-29 16:48:47 +08:00
|
|
|
|
return this.rawConn.LocalAddr()
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2021-10-20 22:32:02 +08:00
|
|
|
|
func (this *ClientConn) RemoteAddr() net.Addr {
|
2021-04-29 16:48:47 +08:00
|
|
|
|
return this.rawConn.RemoteAddr()
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2021-10-20 22:32:02 +08:00
|
|
|
|
func (this *ClientConn) SetDeadline(t time.Time) error {
|
2021-04-29 16:48:47 +08:00
|
|
|
|
return this.rawConn.SetDeadline(t)
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2021-10-20 22:32:02 +08:00
|
|
|
|
func (this *ClientConn) SetReadDeadline(t time.Time) error {
|
2021-04-29 16:48:47 +08:00
|
|
|
|
return this.rawConn.SetReadDeadline(t)
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2021-10-20 22:32:02 +08:00
|
|
|
|
func (this *ClientConn) SetWriteDeadline(t time.Time) error {
|
2021-04-29 16:48:47 +08:00
|
|
|
|
return this.rawConn.SetWriteDeadline(t)
|
|
|
|
|
|
}
|
2022-01-10 19:54:10 +08:00
|
|
|
|
|
2022-12-21 15:59:07 +08:00
|
|
|
|
func (this *ClientConn) CreatedAt() int64 {
|
|
|
|
|
|
return this.createdAt
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
func (this *ClientConn) LastReadAt() int64 {
|
|
|
|
|
|
return this.lastReadAt
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
func (this *ClientConn) LastWriteAt() int64 {
|
|
|
|
|
|
return this.lastWriteAt
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
func (this *ClientConn) LastErr() error {
|
|
|
|
|
|
return this.lastErr
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2022-01-10 19:54:10 +08:00
|
|
|
|
func (this *ClientConn) resetSYNFlood() {
|
2022-01-13 11:36:05 +08:00
|
|
|
|
ttlcache.SharedCache.Delete("SYN_FLOOD:" + this.RawIP())
|
2022-01-10 19:54:10 +08:00
|
|
|
|
}
|
|
|
|
|
|
|
2022-01-13 11:36:05 +08:00
|
|
|
|
func (this *ClientConn) increaseSYNFlood(synFloodConfig *firewallconfigs.SYNFloodConfig) {
|
2022-01-10 19:54:10 +08:00
|
|
|
|
var ip = this.RawIP()
|
|
|
|
|
|
if len(ip) > 0 && !iplibrary.IsInWhiteList(ip) && (!synFloodConfig.IgnoreLocal || !utils.IsLocalIP(ip)) {
|
2022-01-11 09:25:34 +08:00
|
|
|
|
var timestamp = utils.NextMinuteUnixTime()
|
2022-05-12 21:48:33 +08:00
|
|
|
|
var result = ttlcache.SharedCache.IncreaseInt64("SYN_FLOOD:"+ip, 1, timestamp, true)
|
2022-01-10 19:54:10 +08:00
|
|
|
|
var minAttempts = synFloodConfig.MinAttempts
|
2022-01-11 16:02:41 +08:00
|
|
|
|
if minAttempts < 5 {
|
|
|
|
|
|
minAttempts = 5
|
2022-01-10 19:54:10 +08:00
|
|
|
|
}
|
2022-01-13 11:36:05 +08:00
|
|
|
|
if !this.isTLS {
|
|
|
|
|
|
// 非TLS,设置为两倍,防止误封
|
|
|
|
|
|
minAttempts = 2 * minAttempts
|
|
|
|
|
|
}
|
2022-01-10 19:54:10 +08:00
|
|
|
|
if result >= int64(minAttempts) {
|
|
|
|
|
|
var timeout = synFloodConfig.TimeoutSeconds
|
|
|
|
|
|
if timeout <= 0 {
|
|
|
|
|
|
timeout = 600
|
|
|
|
|
|
}
|
2022-08-27 10:49:16 +08:00
|
|
|
|
|
|
|
|
|
|
// 关闭当前连接
|
|
|
|
|
|
_ = this.SetLinger(0)
|
|
|
|
|
|
_ = this.Close()
|
|
|
|
|
|
|
2022-01-10 19:54:10 +08:00
|
|
|
|
waf.SharedIPBlackList.RecordIP(waf.IPTypeAll, firewallconfigs.FirewallScopeGlobal, 0, ip, time.Now().Unix()+int64(timeout), 0, true, 0, 0, "疑似SYN Flood攻击,当前1分钟"+types.String(result)+"次空连接")
|
|
|
|
|
|
}
|
|
|
|
|
|
}
|
|
|
|
|
|
}
|
