EdgeNode/internal/nodes/http_request_waf.go

package nodes

import (
	"bytes"
	iplib "github.com/TeaOSLab/EdgeCommon/pkg/iplibrary"
	"github.com/TeaOSLab/EdgeCommon/pkg/serverconfigs/firewallconfigs"
	"github.com/TeaOSLab/EdgeNode/internal/iplibrary"
	"github.com/TeaOSLab/EdgeNode/internal/remotelogs"
	"github.com/TeaOSLab/EdgeNode/internal/stats"
	"github.com/TeaOSLab/EdgeNode/internal/waf"
	"github.com/iwind/TeaGo/Tea"
	"github.com/iwind/TeaGo/types"
	"io"
	"net/http"
	"time"
)

// 调用WAF
func (this *HTTPRequest) doWAFRequest() (blocked bool) {
	if this.web.FirewallRef == nil || !this.web.FirewallRef.IsOn {
		return
	}

	var remoteAddr = this.requestRemoteAddr(true)

	// 检查是否为白名单直连
	if !Tea.IsTesting() && this.nodeConfig.IPIsAutoAllowed(remoteAddr) {
		return
	}

	// 当前连接是否已关闭
	if this.isConnClosed() {
		this.disableLog = true
		return true
	}

	// 是否在全局名单中
	canGoNext, isInAllowedList, _ := iplibrary.AllowIP(remoteAddr, this.ReqServer.Id)
	if !canGoNext {
		this.disableLog = true
		this.Close()
		return true
	}
	if isInAllowedList {
		return false
	}

	// 检查是否在临时黑名单中
	if waf.SharedIPBlackList.Contains(waf.IPTypeAll, firewallconfigs.FirewallScopeServer, this.ReqServer.Id, remoteAddr) || waf.SharedIPBlackList.Contains(waf.IPTypeAll, firewallconfigs.FirewallScopeGlobal, 0, remoteAddr) {
		this.disableLog = true
		this.Close()

		return true
	}

	var forceLog = false
	var forceLogRequestBody = false
	var forceLogRegionDenying = false
	if this.ReqServer.HTTPFirewallPolicy != nil &&
		this.ReqServer.HTTPFirewallPolicy.IsOn &&
		this.ReqServer.HTTPFirewallPolicy.Log != nil &&
		this.ReqServer.HTTPFirewallPolicy.Log.IsOn {
		forceLog = true
		forceLogRequestBody = this.ReqServer.HTTPFirewallPolicy.Log.RequestBody
		forceLogRegionDenying = this.ReqServer.HTTPFirewallPolicy.Log.RegionDenying
	}

	// 当前服务的独立设置
	if this.web.FirewallPolicy != nil && this.web.FirewallPolicy.IsOn {
		blockedRequest, breakChecking := this.checkWAFRequest(this.web.FirewallPolicy, forceLog, forceLogRequestBody, forceLogRegionDenying, false)
		if blockedRequest {
			return true
		}
		if breakChecking {
			return false
		}
	}

	// 公用的防火墙设置
	if this.ReqServer.HTTPFirewallPolicy != nil && this.ReqServer.HTTPFirewallPolicy.IsOn {
		blockedRequest, breakChecking := this.checkWAFRequest(this.ReqServer.HTTPFirewallPolicy, forceLog, forceLogRequestBody, forceLogRegionDenying, this.web.FirewallRef.IgnoreGlobalRules)
		if blockedRequest {
			return true
		}
		if breakChecking {
			return false
		}
	}

	return
}

func (this *HTTPRequest) checkWAFRequest(firewallPolicy *firewallconfigs.HTTPFirewallPolicy, forceLog bool, logRequestBody bool, logDenying bool, ignoreRules bool) (blocked bool, breakChecking bool) {
	// 检查配置是否为空
	if firewallPolicy == nil || !firewallPolicy.IsOn || firewallPolicy.Inbound == nil || !firewallPolicy.Inbound.IsOn || firewallPolicy.Mode == firewallconfigs.FirewallModeBypass {
		return
	}

	var isDefendMode = firewallPolicy.Mode == firewallconfigs.FirewallModeDefend

	// 检查IP白名单
	var remoteAddrs []string
	if len(this.remoteAddr) > 0 {
		remoteAddrs = []string{this.remoteAddr}
	} else {
		remoteAddrs = this.requestRemoteAddrs()
	}

	var inbound = firewallPolicy.Inbound
	if inbound == nil {
		return
	}
	for _, ref := range inbound.AllAllowListRefs() {
		if ref.IsOn && ref.ListId > 0 {
			var list = iplibrary.SharedIPListManager.FindList(ref.ListId)
			if list != nil {
				_, found := list.ContainsIPStrings(remoteAddrs)
				if found {
					breakChecking = true
					return
				}
			}
		}
	}

	// 检查IP黑名单
	if isDefendMode {
		for _, ref := range inbound.AllDenyListRefs() {
			if ref.IsOn && ref.ListId > 0 {
				var list = iplibrary.SharedIPListManager.FindList(ref.ListId)
				if list != nil {
					item, found := list.ContainsIPStrings(remoteAddrs)
					if found {
						// 触发事件
						if item != nil && len(item.EventLevel) > 0 {
							actions := iplibrary.SharedActionManager.FindEventActions(item.EventLevel)
							for _, action := range actions {
								goNext, err := action.DoHTTP(this.RawReq, this.RawWriter)
								if err != nil {
									remotelogs.Error("HTTP_REQUEST_WAF", "do action '"+err.Error()+"' failed: "+err.Error())
									return true, false
								}
								if !goNext {
									this.disableLog = true
									return true, false
								}
							}
						}

						// TODO 需要记录日志信息

						this.writer.WriteHeader(http.StatusForbidden)
						this.writer.Close()

						// 停止日志
						this.disableLog = true

						return true, false
					}
				}
			}
		}
	}

	// 检查地区封禁

	if firewallPolicy.Inbound.Region != nil && firewallPolicy.Inbound.Region.IsOn {
		var regionConfig = firewallPolicy.Inbound.Region
		if regionConfig.IsNotEmpty() {
			for _, remoteAddr := range remoteAddrs {
				var result = iplib.LookupIP(remoteAddr)
				if result != nil && result.IsOk() {
					var currentURL = this.URL()
					if regionConfig.MatchCountryURL(currentURL) {
						// 检查国家/地区级别封禁
						if !regionConfig.IsAllowedCountry(result.CountryId(), result.ProvinceId()) {
							this.firewallPolicyId = firewallPolicy.Id

							if isDefendMode {
								var promptHTML string
								if len(regionConfig.CountryHTML) > 0 {
									promptHTML = regionConfig.CountryHTML
								} else if this.ReqServer != nil && this.ReqServer.HTTPFirewallPolicy != nil && len(this.ReqServer.HTTPFirewallPolicy.DenyCountryHTML) > 0 {
									promptHTML = this.ReqServer.HTTPFirewallPolicy.DenyCountryHTML
								}

								if len(promptHTML) > 0 {
									var formattedHTML = this.Format(promptHTML)
									this.writer.Header().Set("Content-Type", "text/html; charset=utf-8")
									this.writer.Header().Set("Content-Length", types.String(len(formattedHTML)))
									this.writer.WriteHeader(http.StatusForbidden)
									_, _ = this.writer.Write([]byte(formattedHTML))
								} else {
									this.writeCode(http.StatusForbidden, "The region has been denied.", "当前区域禁止访问")
								}

								// 延时返回，避免攻击
								time.Sleep(1 * time.Second)
							}

							// 停止日志
							if !logDenying {
								this.disableLog = true
							} else {
								this.tags = append(this.tags, "denyCountry")
							}

							if isDefendMode {
								return true, false
							}
						}
					}

					if regionConfig.MatchProvinceURL(currentURL) {
						// 检查省份封禁
						if !regionConfig.IsAllowedProvince(result.CountryId(), result.ProvinceId()) {
							this.firewallPolicyId = firewallPolicy.Id

							if isDefendMode {
								var promptHTML string
								if len(regionConfig.ProvinceHTML) > 0 {
									promptHTML = regionConfig.ProvinceHTML
								} else if this.ReqServer != nil && this.ReqServer.HTTPFirewallPolicy != nil && len(this.ReqServer.HTTPFirewallPolicy.DenyProvinceHTML) > 0 {
									promptHTML = this.ReqServer.HTTPFirewallPolicy.DenyProvinceHTML
								}

								if len(promptHTML) > 0 {
									var formattedHTML = this.Format(promptHTML)
									this.writer.Header().Set("Content-Type", "text/html; charset=utf-8")
									this.writer.Header().Set("Content-Length", types.String(len(formattedHTML)))
									this.writer.WriteHeader(http.StatusForbidden)
									_, _ = this.writer.Write([]byte(formattedHTML))
								} else {
									this.writeCode(http.StatusForbidden, "The region has been denied.", "当前区域禁止访问")
								}

								// 延时返回，避免攻击
								time.Sleep(1 * time.Second)
							}

							// 停止日志
							if !logDenying {
								this.disableLog = true
							} else {
								this.tags = append(this.tags, "denyProvince")
							}

							if isDefendMode {
								return true, false
							}
						}
					}
				}
			}
		}
	}

	// 是否执行规则
	if ignoreRules {
		return
	}

	// 规则测试
	var w = waf.SharedWAFManager.FindWAF(firewallPolicy.Id)
	if w == nil {
		return
	}

	result, err := w.MatchRequest(this, this.writer, this.web.FirewallRef.DefaultCaptchaType)
	if result.IsAllowed && (len(result.AllowScope) == 0 || result.AllowScope == waf.AllowScopeGlobal) {
		breakChecking = true
	}
	if forceLog && logRequestBody && result.HasRequestBody && result.Set != nil && result.Set.HasAttackActions() {
		this.wafHasRequestBody = true
	}
	if err != nil {
		if !this.canIgnore(err) {
			remotelogs.Warn("HTTP_REQUEST_WAF", this.rawURI+": "+err.Error())
		}
		return
	}

	if result.Set != nil {
		if forceLog {
			this.forceLog = true
		}

		if result.Set.HasSpecialActions() {
			this.firewallPolicyId = firewallPolicy.Id
			this.firewallRuleGroupId = types.Int64(result.Group.Id)
			this.firewallRuleSetId = types.Int64(result.Set.Id)

			if result.Set.HasAttackActions() {
				this.isAttack = true
			}

			// 添加统计
			stats.SharedHTTPRequestStatManager.AddFirewallRuleGroupId(this.ReqServer.Id, this.firewallRuleGroupId, result.Set.Actions)
		}

		this.firewallActions = append(result.Set.ActionCodes(), firewallPolicy.Mode)
	}

	return !result.GoNext, breakChecking
}

// call response waf
func (this *HTTPRequest) doWAFResponse(resp *http.Response) (blocked bool) {
	if this.web.FirewallRef == nil || !this.web.FirewallRef.IsOn {
		return
	}

	// 当前服务的独立设置
	var forceLog = false
	var forceLogRequestBody = false
	if this.ReqServer.HTTPFirewallPolicy != nil && this.ReqServer.HTTPFirewallPolicy.IsOn && this.ReqServer.HTTPFirewallPolicy.Log != nil && this.ReqServer.HTTPFirewallPolicy.Log.IsOn {
		forceLog = true
		forceLogRequestBody = this.ReqServer.HTTPFirewallPolicy.Log.RequestBody
	}

	if this.web.FirewallPolicy != nil && this.web.FirewallPolicy.IsOn {
		blockedRequest, breakChecking := this.checkWAFResponse(this.web.FirewallPolicy, resp, forceLog, forceLogRequestBody, false)
		if blockedRequest {
			return true
		}
		if breakChecking {
			return
		}
	}

	// 公用的防火墙设置
	if this.ReqServer.HTTPFirewallPolicy != nil && this.ReqServer.HTTPFirewallPolicy.IsOn {
		blockedRequest, _ := this.checkWAFResponse(this.ReqServer.HTTPFirewallPolicy, resp, forceLog, forceLogRequestBody, this.web.FirewallRef.IgnoreGlobalRules)
		if blockedRequest {
			return true
		}
	}
	return
}

func (this *HTTPRequest) checkWAFResponse(firewallPolicy *firewallconfigs.HTTPFirewallPolicy, resp *http.Response, forceLog bool, logRequestBody bool, ignoreRules bool) (blocked bool, breakChecking bool) {
	if firewallPolicy == nil || !firewallPolicy.IsOn || !firewallPolicy.Outbound.IsOn || firewallPolicy.Mode == firewallconfigs.FirewallModeBypass {
		return
	}

	// 是否执行规则
	if ignoreRules {
		return
	}

	var w = waf.SharedWAFManager.FindWAF(firewallPolicy.Id)
	if w == nil {
		return
	}

	result, err := w.MatchResponse(this, resp, this.writer)
	if result.IsAllowed && (len(result.AllowScope) == 0 || result.AllowScope == waf.AllowScopeGlobal) {
		breakChecking = true
	}
	if forceLog && logRequestBody && result.HasRequestBody && result.Set != nil && result.Set.HasAttackActions() {
		this.wafHasRequestBody = true
	}
	if err != nil {
		if !this.canIgnore(err) {
			remotelogs.Warn("HTTP_REQUEST_WAF", this.rawURI+": "+err.Error())
		}
		return
	}

	if result.Set != nil {
		if forceLog {
			this.forceLog = true
		}

		if result.Set.HasSpecialActions() {
			this.firewallPolicyId = firewallPolicy.Id
			this.firewallRuleGroupId = types.Int64(result.Group.Id)
			this.firewallRuleSetId = types.Int64(result.Set.Id)

			if result.Set.HasAttackActions() {
				this.isAttack = true
			}

			// 添加统计
			stats.SharedHTTPRequestStatManager.AddFirewallRuleGroupId(this.ReqServer.Id, this.firewallRuleGroupId, result.Set.Actions)
		}

		this.firewallActions = append(result.Set.ActionCodes(), firewallPolicy.Mode)
	}

	return !result.GoNext, breakChecking
}

// WAFRaw 原始请求
func (this *HTTPRequest) WAFRaw() *http.Request {
	return this.RawReq
}

// WAFRemoteIP 客户端IP
func (this *HTTPRequest) WAFRemoteIP() string {
	return this.requestRemoteAddr(true)
}

// WAFGetCacheBody 获取缓存中的Body
func (this *HTTPRequest) WAFGetCacheBody() []byte {
	return this.requestBodyData
}

// WAFSetCacheBody 设置Body
func (this *HTTPRequest) WAFSetCacheBody(body []byte) {
	this.requestBodyData = body
}

// WAFReadBody 读取Body
func (this *HTTPRequest) WAFReadBody(max int64) (data []byte, err error) {
	if this.RawReq.ContentLength > 0 {
		data, err = io.ReadAll(io.LimitReader(this.RawReq.Body, max))
	}

	return
}

// WAFRestoreBody 恢复Body
func (this *HTTPRequest) WAFRestoreBody(data []byte) {
	if len(data) > 0 {
		this.RawReq.Body = io.NopCloser(io.MultiReader(bytes.NewBuffer(data), this.RawReq.Body))
	}
}

// WAFServerId 服务ID
func (this *HTTPRequest) WAFServerId() int64 {
	return this.ReqServer.Id
}

// WAFClose 关闭连接
func (this *HTTPRequest) WAFClose() {
	this.Close()

	// 这里不要强关IP所有连接，避免因为单个服务而影响所有
}

func (this *HTTPRequest) WAFOnAction(action interface{}) (goNext bool) {
	if action == nil {
		return true
	}

	instance, ok := action.(waf.ActionInterface)
	if !ok {
		return true
	}

	switch instance.Code() {
	case waf.ActionTag:
		this.tags = append(this.tags, action.(*waf.TagAction).Tags...)
	}
	return true
}

func (this *HTTPRequest) WAFFingerprint() []byte {
	// 目前只有HTTPS请求才有指纹
	if !this.IsHTTPS {
		return nil
	}

	var requestConn = this.RawReq.Context().Value(HTTPConnContextKey)
	if requestConn == nil {
		return nil
	}

	clientConn, ok := requestConn.(ClientConnInterface)
	if ok {
		return clientConn.Fingerprint()
	}

	return nil
}

func (this *HTTPRequest) WAFMaxRequestSize() int64 {
	var maxRequestSize = firewallconfigs.DefaultMaxRequestBodySize
	if this.ReqServer.HTTPFirewallPolicy != nil && this.ReqServer.HTTPFirewallPolicy.MaxRequestBodySize > 0 {
		maxRequestSize = this.ReqServer.HTTPFirewallPolicy.MaxRequestBodySize
	}
	return maxRequestSize
}

// DisableAccessLog 在当前请求中不使用访问日志
func (this *HTTPRequest) DisableAccessLog() {
	this.disableLog = true
}

// DisableStat 停用统计
func (this *HTTPRequest) DisableStat() {
	if this.web != nil {
		this.web.StatRef = nil
	}
}
-												实现WAF

											
										
										
											2020-10-08 15:06:42 +08:00
+								package nodes
 								import (
-												WAF增加多个动作

											
										
										
											2021-07-18 15:51:49 +08:00
+									"bytes"
-												使用新版IP库

											
										
										
											2022-08-21 20:37:49 +08:00
+									iplib "github.com/TeaOSLab/EdgeCommon/pkg/iplibrary"
-												用户端可以添加WAF 黑白名单

											
										
										
											2021-01-03 20:18:47 +08:00
+									"github.com/TeaOSLab/EdgeCommon/pkg/serverconfigs/firewallconfigs"
-												实现IP黑白名单、国家｜地区封禁、省份封禁

											
										
										
											2020-11-09 10:45:44 +08:00
+									"github.com/TeaOSLab/EdgeNode/internal/iplibrary"
-												在节点重新实现缓存策略和WAF策略

											
										
										
											2020-12-17 17:36:10 +08:00
+									"github.com/TeaOSLab/EdgeNode/internal/remotelogs"
-												实现WAF统计

											
										
										
											2021-01-26 18:42:46 +08:00
+									"github.com/TeaOSLab/EdgeNode/internal/stats"
-												实现WAF

											
										
										
											2020-10-08 15:06:42 +08:00
+									"github.com/TeaOSLab/EdgeNode/internal/waf"
-												自动将API节点的IP加入到白名单，防止误封

但要注意：在单个机器上安装API节点和边缘节点，通过局域网IP访问时就无法测试WAF规则，因为会被自动加入到白名单

											
										
										
											2021-12-06 10:11:22 +08:00
+									"github.com/iwind/TeaGo/Tea"
-												记录WAF日志

											
										
										
											2020-11-02 15:49:30 +08:00
+									"github.com/iwind/TeaGo/types"
-												WAF增加多个动作

											
										
										
											2021-07-18 15:51:49 +08:00
+									"io"
-												实现WAF

											
										
										
											2020-10-08 15:06:42 +08:00
+									"net/http"
-												区域封禁增加延时返回

											
										
										
											2023-07-14 16:03:58 +08:00
+									"time"
-												实现WAF

											
										
										
											2020-10-08 15:06:42 +08:00
+								)
 								// 调用WAF
 								func (this *HTTPRequest) doWAFRequest() (blocked bool) {
-												优化代码

											
										
										
											2022-01-02 22:45:37 +08:00
+									if this.web.FirewallRef == nil || !this.web.FirewallRef.IsOn {
 										return
 									}
-												自动将API节点的IP加入到白名单，防止误封

但要注意：在单个机器上安装API节点和边缘节点，通过局域网IP访问时就无法测试WAF规则，因为会被自动加入到白名单

											
										
										
											2021-12-06 10:11:22 +08:00
+									var remoteAddr = this.requestRemoteAddr(true)
 									// 检查是否为白名单直连
-												优化代码/商业版支持L2节点

											
										
										
											2022-04-04 12:06:53 +08:00
+									if !Tea.IsTesting() && this.nodeConfig.IPIsAutoAllowed(remoteAddr) {
-												自动将API节点的IP加入到白名单，防止误封

但要注意：在单个机器上安装API节点和边缘节点，通过局域网IP访问时就无法测试WAF规则，因为会被自动加入到白名单

											
										
										
											2021-12-06 10:11:22 +08:00
+										return
 									}
-												Block动作增加默认时间60秒

											
										
										
											2021-09-29 09:19:45 +08:00
+									// 当前连接是否已关闭
-												因WAF规则拦截而关闭连接时，不记录499

											
										
										
											2021-12-01 20:55:19 +08:00
+									if this.isConnClosed() {
 										this.disableLog = true
 										return true
-												Block动作增加默认时间60秒

											
										
										
											2021-09-29 09:19:45 +08:00
+									}
-												WAF规则匹配后的IP也会上报/实现IP全局名单/将名单存储到本地数据库，提升读写速度

											
										
										
											2021-11-17 16:16:09 +08:00
+									// 是否在全局名单中
-												优化WAF黑名单处理

											
										
										
											2023-03-31 21:37:15 +08:00
+									canGoNext, isInAllowedList, _ := iplibrary.AllowIP(remoteAddr, this.ReqServer.Id)
-												自动清理本地IP名单过期条目/修复白名单可能不起作用的Bug

											
										
										
											2022-03-06 19:40:26 +08:00
+									if !canGoNext {
-												WAF规则匹配后的IP也会上报/实现IP全局名单/将名单存储到本地数据库，提升读写速度

											
										
										
											2021-11-17 16:16:09 +08:00
+										this.disableLog = true
-												优化代码

											
										
										
											2022-01-01 20:15:39 +08:00
+										this.Close()
-												WAF规则匹配后的IP也会上报/实现IP全局名单/将名单存储到本地数据库，提升读写速度

											
										
										
											2021-11-17 16:16:09 +08:00
+										return true
 									}
-												自动清理本地IP名单过期条目/修复白名单可能不起作用的Bug

											
										
										
											2022-03-06 19:40:26 +08:00
+									if isInAllowedList {
 										return false
 									}
-												WAF规则匹配后的IP也会上报/实现IP全局名单/将名单存储到本地数据库，提升读写速度

											
										
										
											2021-11-17 16:16:09 +08:00
-												修复IP黑名单为服务时不生效的问题

											
										
										
											2021-10-19 09:21:58 +08:00
+									// 检查是否在临时黑名单中
-												优化WAF

* 信息加密使用struct代替map，以缩短加密后内容长度
* 拦截动作、人机识别动作增加是否尝试全局封禁选项
* JSCookie识别动作增加默认设置选项
* 人机识别中传入info参数异常时，尝试跳转到来源地址，避免直接提示invalid request

											
										
										
											2024-04-07 14:31:22 +08:00
+									if waf.SharedIPBlackList.Contains(waf.IPTypeAll, firewallconfigs.FirewallScopeServer, this.ReqServer.Id, remoteAddr) || waf.SharedIPBlackList.Contains(waf.IPTypeAll, firewallconfigs.FirewallScopeGlobal, 0, remoteAddr) {
-												修复IP黑名单为服务时不生效的问题

											
										
										
											2021-10-19 09:21:58 +08:00
+										this.disableLog = true
-												优化代码

											
										
										
											2022-01-01 20:15:39 +08:00
+										this.Close()
-												修复IP黑名单为服务时不生效的问题

											
										
										
											2021-10-19 09:21:58 +08:00
 										return true
 									}
-												WAF策略增加记录请求Body选项

											
										
										
											2022-07-16 17:05:37 +08:00
+									var forceLog = false
 									var forceLogRequestBody = false
-												WAF策略增加记录区域封禁日志选项

											
										
										
											2022-07-16 18:47:59 +08:00
+									var forceLogRegionDenying = false
-												WAF策略增加记录请求Body选项

											
										
										
											2022-07-16 17:05:37 +08:00
+									if this.ReqServer.HTTPFirewallPolicy != nil &&
 										this.ReqServer.HTTPFirewallPolicy.IsOn &&
 										this.ReqServer.HTTPFirewallPolicy.Log != nil &&
 										this.ReqServer.HTTPFirewallPolicy.Log.IsOn {
 										forceLog = true
 										forceLogRequestBody = this.ReqServer.HTTPFirewallPolicy.Log.RequestBody
-												WAF策略增加记录区域封禁日志选项

											
										
										
											2022-07-16 18:47:59 +08:00
+										forceLogRegionDenying = this.ReqServer.HTTPFirewallPolicy.Log.RegionDenying
-												WAF策略增加记录请求Body选项

											
										
										
											2022-07-16 17:05:37 +08:00
+									}
-												优化WAF日志逻辑

											
										
										
											2022-04-21 19:44:19 +08:00
-												用户端可以添加WAF 黑白名单

											
										
										
											2021-01-03 20:18:47 +08:00
+									// 当前服务的独立设置
 									if this.web.FirewallPolicy != nil && this.web.FirewallPolicy.IsOn {
-												WAF允许动作默认跳过所有规则

											
										
										
											2024-01-20 20:54:41 +08:00
+										blockedRequest, breakChecking := this.checkWAFRequest(this.web.FirewallPolicy, forceLog, forceLogRequestBody, forceLogRegionDenying, false)
 										if blockedRequest {
-												[WAF]匹配到白名单后立即返回，不再往下尝试别的规则

											
										
										
											2021-01-21 10:45:55 +08:00
+											return true
 										}
 										if breakChecking {
 											return false
-												用户端可以添加WAF 黑白名单

											
										
										
											2021-01-03 20:18:47 +08:00
+										}
 									}
 									// 公用的防火墙设置
-												优化代码

											
										
										
											2022-01-01 20:15:39 +08:00
+									if this.ReqServer.HTTPFirewallPolicy != nil && this.ReqServer.HTTPFirewallPolicy.IsOn {
-												WAF允许动作默认跳过所有规则

											
										
										
											2024-01-20 20:54:41 +08:00
+										blockedRequest, breakChecking := this.checkWAFRequest(this.ReqServer.HTTPFirewallPolicy, forceLog, forceLogRequestBody, forceLogRegionDenying, this.web.FirewallRef.IgnoreGlobalRules)
 										if blockedRequest {
-												[WAF]匹配到白名单后立即返回，不再往下尝试别的规则

											
										
										
											2021-01-21 10:45:55 +08:00
+											return true
 										}
 										if breakChecking {
 											return false
-												用户端可以添加WAF 黑白名单

											
										
										
											2021-01-03 20:18:47 +08:00
+										}
 									}
 									return
 								}
-												在节点重新实现缓存策略和WAF策略

											
										
										
											2020-12-17 17:36:10 +08:00
-												WAF支持忽略全局WAF规则

											
										
										
											2023-03-01 16:46:43 +08:00
+								func (this *HTTPRequest) checkWAFRequest(firewallPolicy *firewallconfigs.HTTPFirewallPolicy, forceLog bool, logRequestBody bool, logDenying bool, ignoreRules bool) (blocked bool, breakChecking bool) {
-												实现IP黑白名单、国家｜地区封禁、省份封禁

											
										
										
											2020-11-09 10:45:44 +08:00
+									// 检查配置是否为空
-												WAF模式从pass改为bypass

											
										
										
											2021-10-07 13:51:26 +08:00
+									if firewallPolicy == nil || !firewallPolicy.IsOn || firewallPolicy.Inbound == nil || !firewallPolicy.Inbound.IsOn || firewallPolicy.Mode == firewallconfigs.FirewallModeBypass {
-												实现IP黑白名单、国家｜地区封禁、省份封禁

											
										
										
											2020-11-09 10:45:44 +08:00
+										return
 									}
-												区域封禁支持观察者模式

											
										
										
											2023-11-18 15:02:58 +08:00
+									var isDefendMode = firewallPolicy.Mode == firewallconfigs.FirewallModeDefend
-												实现IP黑白名单、国家｜地区封禁、省份封禁

											
										
										
											2020-11-09 10:45:44 +08:00
+									// 检查IP白名单
-												WAF策略增加记录区域封禁日志选项

											
										
										
											2022-07-16 18:47:59 +08:00
+									var remoteAddrs []string
 									if len(this.remoteAddr) > 0 {
 										remoteAddrs = []string{this.remoteAddr}
 									} else {
 										remoteAddrs = this.requestRemoteAddrs()
 									}
 									var inbound = firewallPolicy.Inbound
-												实现公用的IP名单

											
										
										
											2021-06-23 13:14:37 +08:00
+									if inbound == nil {
 										return
 									}
 									for _, ref := range inbound.AllAllowListRefs() {
 										if ref.IsOn && ref.ListId > 0 {
-												优化IP名单相关代码

											
										
										
											2024-04-06 15:37:14 +08:00
+											var list = iplibrary.SharedIPListManager.FindList(ref.ListId)
-												实现公用的IP名单

											
										
										
											2021-06-23 13:14:37 +08:00
+											if list != nil {
-												大幅优化IP名单查询速度

											
										
										
											2021-10-04 17:42:38 +08:00
+												_, found := list.ContainsIPStrings(remoteAddrs)
-												实现公用的IP名单

											
										
										
											2021-06-23 13:14:37 +08:00
+												if found {
 													breakChecking = true
 													return
 												}
-												WAF动作增加显示HTML内容

											
										
										
											2021-02-26 16:33:58 +08:00
+											}
-												实现IP黑白名单、国家｜地区封禁、省份封禁

											
										
										
											2020-11-09 10:45:44 +08:00
+										}
 									}
 									// 检查IP黑名单
-												区域封禁支持观察者模式

											
										
										
											2023-11-18 15:02:58 +08:00
+									if isDefendMode {
-												WAF模式为defend时IP黑名单才生效

											
										
										
											2021-10-04 18:22:51 +08:00
+										for _, ref := range inbound.AllDenyListRefs() {
 											if ref.IsOn && ref.ListId > 0 {
-												优化IP名单相关代码

											
										
										
											2024-04-06 15:37:14 +08:00
+												var list = iplibrary.SharedIPListManager.FindList(ref.ListId)
-												WAF模式为defend时IP黑名单才生效

											
										
										
											2021-10-04 18:22:51 +08:00
+												if list != nil {
 													item, found := list.ContainsIPStrings(remoteAddrs)
 													if found {
 														// 触发事件
 														if item != nil && len(item.EventLevel) > 0 {
 															actions := iplibrary.SharedActionManager.FindEventActions(item.EventLevel)
 															for _, action := range actions {
 																goNext, err := action.DoHTTP(this.RawReq, this.RawWriter)
 																if err != nil {
 																	remotelogs.Error("HTTP_REQUEST_WAF", "do action '"+err.Error()+"' failed: "+err.Error())
 																	return true, false
 																}
 																if !goNext {
 																	this.disableLog = true
 																	return true, false
 																}
-												实现公用的IP名单

											
										
										
											2021-06-23 13:14:37 +08:00
+															}
-												WAF动作增加显示HTML内容

											
										
										
											2021-02-26 16:33:58 +08:00
+														}
-												实现IP黑白名单、国家｜地区封禁、省份封禁

											
										
										
											2020-11-09 10:45:44 +08:00
-												WAF模式为defend时IP黑名单才生效

											
										
										
											2021-10-04 18:22:51 +08:00
+														// TODO 需要记录日志信息
-												在对IP封禁时，不写入访问日志

											
										
										
											2020-11-09 11:02:29 +08:00
-												WAF模式为defend时IP黑名单才生效

											
										
										
											2021-10-04 18:22:51 +08:00
+														this.writer.WriteHeader(http.StatusForbidden)
 														this.writer.Close()
-												WAF动作增加显示HTML内容

											
										
										
											2021-02-26 16:33:58 +08:00
-												WAF模式为defend时IP黑名单才生效

											
										
										
											2021-10-04 18:22:51 +08:00
+														// 停止日志
 														this.disableLog = true
-												WAF动作增加显示HTML内容

											
										
										
											2021-02-26 16:33:58 +08:00
-												WAF模式为defend时IP黑名单才生效

											
										
										
											2021-10-04 18:22:51 +08:00
+														return true, false
 													}
-												实现公用的IP名单

											
										
										
											2021-06-23 13:14:37 +08:00
+												}
-												WAF动作增加显示HTML内容

											
										
										
											2021-02-26 16:33:58 +08:00
+											}
-												实现IP黑白名单、国家｜地区封禁、省份封禁

											
										
										
											2020-11-09 10:45:44 +08:00
+										}
 									}
 									// 检查地区封禁
-												WAF国家/地区封禁、省份封禁增加例外URL、限制URL

											
										
										
											2023-05-25 12:02:40 +08:00
-												区域封禁支持观察者模式

											
										
										
											2023-11-18 15:02:58 +08:00
+									if firewallPolicy.Inbound.Region != nil && firewallPolicy.Inbound.Region.IsOn {
 										var regionConfig = firewallPolicy.Inbound.Region
 										if regionConfig.IsNotEmpty() {
 											for _, remoteAddr := range remoteAddrs {
 												var result = iplib.LookupIP(remoteAddr)
 												if result != nil && result.IsOk() {
 													var currentURL = this.URL()
 													if regionConfig.MatchCountryURL(currentURL) {
 														// 检查国家/地区级别封禁
 														if !regionConfig.IsAllowedCountry(result.CountryId(), result.ProvinceId()) {
 															this.firewallPolicyId = firewallPolicy.Id
 															if isDefendMode {
-												WAF策略可以自定义默认的区域/省份封禁提示

											
										
										
											2023-08-10 10:31:38 +08:00
+																var promptHTML string
-												WAF-区域封禁增加提示内容设置

											
										
										
											2023-07-14 11:02:20 +08:00
+																if len(regionConfig.CountryHTML) > 0 {
-												WAF策略可以自定义默认的区域/省份封禁提示

											
										
										
											2023-08-10 10:31:38 +08:00
+																	promptHTML = regionConfig.CountryHTML
 																} else if this.ReqServer != nil && this.ReqServer.HTTPFirewallPolicy != nil && len(this.ReqServer.HTTPFirewallPolicy.DenyCountryHTML) > 0 {
 																	promptHTML = this.ReqServer.HTTPFirewallPolicy.DenyCountryHTML
 																}
 																if len(promptHTML) > 0 {
 																	var formattedHTML = this.Format(promptHTML)
-												WAF-区域封禁增加提示内容设置

											
										
										
											2023-07-14 11:02:20 +08:00
+																	this.writer.Header().Set("Content-Type", "text/html; charset=utf-8")
-												地区/省份封禁提示中支持变量

											
										
										
											2023-08-10 09:50:02 +08:00
+																	this.writer.Header().Set("Content-Length", types.String(len(formattedHTML)))
-												WAF-区域封禁增加提示内容设置

											
										
										
											2023-07-14 11:02:20 +08:00
+																	this.writer.WriteHeader(http.StatusForbidden)
-												地区/省份封禁提示中支持变量

											
										
										
											2023-08-10 09:50:02 +08:00
+																	_, _ = this.writer.Write([]byte(formattedHTML))
-												WAF-区域封禁增加提示内容设置

											
										
										
											2023-07-14 11:02:20 +08:00
+																} else {
 																	this.writeCode(http.StatusForbidden, "The region has been denied.", "当前区域禁止访问")
 																}
-												区域封禁增加延时返回

											
										
										
											2023-07-14 16:03:58 +08:00
+																// 延时返回，避免攻击
 																time.Sleep(1 * time.Second)
-												区域封禁支持观察者模式

											
										
										
											2023-11-18 15:02:58 +08:00
+															}
-												WAF国家/地区封禁、省份封禁增加例外URL、限制URL

											
										
										
											2023-05-25 12:02:40 +08:00
-												区域封禁支持观察者模式

											
										
										
											2023-11-18 15:02:58 +08:00
+															// 停止日志
 															if !logDenying {
 																this.disableLog = true
 															} else {
 																this.tags = append(this.tags, "denyCountry")
 															}
-												实现IP黑白名单、国家｜地区封禁、省份封禁

											
										
										
											2020-11-09 10:45:44 +08:00
-												区域封禁支持观察者模式

											
										
										
											2023-11-18 15:02:58 +08:00
+															if isDefendMode {
-												WAF国家/地区封禁、省份封禁增加例外URL、限制URL

											
										
										
											2023-05-25 12:02:40 +08:00
+																return true, false
 															}
-												使用新版IP库

											
										
										
											2022-08-21 20:37:49 +08:00
+														}
-												区域封禁支持观察者模式

											
										
										
											2023-11-18 15:02:58 +08:00
+													}
-												WAF策略增加记录区域封禁日志选项

											
										
										
											2022-07-16 18:47:59 +08:00
-												区域封禁支持观察者模式

											
										
										
											2023-11-18 15:02:58 +08:00
+													if regionConfig.MatchProvinceURL(currentURL) {
 														// 检查省份封禁
 														if !regionConfig.IsAllowedProvince(result.CountryId(), result.ProvinceId()) {
 															this.firewallPolicyId = firewallPolicy.Id
-												在对IP封禁时，不写入访问日志

											
										
										
											2020-11-09 11:02:29 +08:00
-												区域封禁支持观察者模式

											
										
										
											2023-11-18 15:02:58 +08:00
+															if isDefendMode {
-												WAF策略可以自定义默认的区域/省份封禁提示

											
										
										
											2023-08-10 10:31:38 +08:00
+																var promptHTML string
-												WAF-区域封禁增加提示内容设置

											
										
										
											2023-07-14 11:02:20 +08:00
+																if len(regionConfig.ProvinceHTML) > 0 {
-												WAF策略可以自定义默认的区域/省份封禁提示

											
										
										
											2023-08-10 10:31:38 +08:00
+																	promptHTML = regionConfig.ProvinceHTML
 																} else if this.ReqServer != nil && this.ReqServer.HTTPFirewallPolicy != nil && len(this.ReqServer.HTTPFirewallPolicy.DenyProvinceHTML) > 0 {
 																	promptHTML = this.ReqServer.HTTPFirewallPolicy.DenyProvinceHTML
 																}
 																if len(promptHTML) > 0 {
 																	var formattedHTML = this.Format(promptHTML)
-												WAF-区域封禁增加提示内容设置

											
										
										
											2023-07-14 11:02:20 +08:00
+																	this.writer.Header().Set("Content-Type", "text/html; charset=utf-8")
-												地区/省份封禁提示中支持变量

											
										
										
											2023-08-10 09:50:02 +08:00
+																	this.writer.Header().Set("Content-Length", types.String(len(formattedHTML)))
-												WAF-区域封禁增加提示内容设置

											
										
										
											2023-07-14 11:02:20 +08:00
+																	this.writer.WriteHeader(http.StatusForbidden)
-												地区/省份封禁提示中支持变量

											
										
										
											2023-08-10 09:50:02 +08:00
+																	_, _ = this.writer.Write([]byte(formattedHTML))
-												WAF-区域封禁增加提示内容设置

											
										
										
											2023-07-14 11:02:20 +08:00
+																} else {
 																	this.writeCode(http.StatusForbidden, "The region has been denied.", "当前区域禁止访问")
 																}
-												区域封禁增加延时返回

											
										
										
											2023-07-14 16:03:58 +08:00
 																// 延时返回，避免攻击
 																time.Sleep(1 * time.Second)
-												区域封禁支持观察者模式

											
										
										
											2023-11-18 15:02:58 +08:00
+															}
-												在对IP封禁时，不写入访问日志

											
										
										
											2020-11-09 11:02:29 +08:00
-												区域封禁支持观察者模式

											
										
										
											2023-11-18 15:02:58 +08:00
+															// 停止日志
 															if !logDenying {
 																this.disableLog = true
 															} else {
 																this.tags = append(this.tags, "denyProvince")
 															}
-												使用新版IP库

											
										
										
											2022-08-21 20:37:49 +08:00
-												区域封禁支持观察者模式

											
										
										
											2023-11-18 15:02:58 +08:00
+															if isDefendMode {
-												WAF国家/地区封禁、省份封禁增加例外URL、限制URL

											
										
										
											2023-05-25 12:02:40 +08:00
+																return true, false
 															}
-												实现IP黑白名单、国家｜地区封禁、省份封禁

											
										
										
											2020-11-09 10:45:44 +08:00
+														}
 													}
 												}
 											}
 										}
 									}
-												WAF支持忽略全局WAF规则

											
										
										
											2023-03-01 16:46:43 +08:00
+									// 是否执行规则
 									if ignoreRules {
 										return
 									}
-												在对IP封禁时，不写入访问日志

											
										
										
											2020-11-09 11:02:29 +08:00
+									// 规则测试
-												WAF支持忽略全局WAF规则

											
										
										
											2023-03-01 16:46:43 +08:00
+									var w = waf.SharedWAFManager.FindWAF(firewallPolicy.Id)
-												实现WAF

											
										
										
											2020-10-08 15:06:42 +08:00
+									if w == nil {
 										return
 									}
-												WAF增加多个动作

											
										
										
											2021-07-18 15:51:49 +08:00
-												WAF允许动作默认跳过所有规则

											
										
										
											2024-01-20 20:54:41 +08:00
+									result, err := w.MatchRequest(this, this.writer, this.web.FirewallRef.DefaultCaptchaType)
 									if result.IsAllowed && (len(result.AllowScope) == 0 || result.AllowScope == waf.AllowScopeGlobal) {
 										breakChecking = true
 									}
 									if forceLog && logRequestBody && result.HasRequestBody && result.Set != nil && result.Set.HasAttackActions() {
-												WAF策略增加记录请求Body选项

											
										
										
											2022-07-16 17:05:37 +08:00
+										this.wafHasRequestBody = true
 									}
-												实现WAF

											
										
										
											2020-10-08 15:06:42 +08:00
+									if err != nil {
-												WAF忽略客户端断开连接错误

											
										
										
											2021-12-04 19:28:02 +08:00
+										if !this.canIgnore(err) {
-												降低WAF相关日志级别

											
										
										
											2024-03-21 18:46:10 +08:00
+											remotelogs.Warn("HTTP_REQUEST_WAF", this.rawURI+": "+err.Error())
-												WAF忽略客户端断开连接错误

											
										
										
											2021-12-04 19:28:02 +08:00
+										}
-												实现WAF

											
										
										
											2020-10-08 15:06:42 +08:00
+										return
 									}
-												WAF允许动作默认跳过所有规则

											
										
										
											2024-01-20 20:54:41 +08:00
+									if result.Set != nil {
-												优化WAF日志逻辑

											
										
										
											2022-04-21 19:44:19 +08:00
+										if forceLog {
-												默认记录WAF的条件从检测到攻击改为所有匹配WAF规则集的请求

											
										
										
											2022-04-21 19:02:17 +08:00
+											this.forceLog = true
 										}
-												WAF允许动作默认跳过所有规则

											
										
										
											2024-01-20 20:54:41 +08:00
+										if result.Set.HasSpecialActions() {
-												在节点重新实现缓存策略和WAF策略

											
										
										
											2020-12-17 17:36:10 +08:00
+											this.firewallPolicyId = firewallPolicy.Id
-												WAF允许动作默认跳过所有规则

											
										
										
											2024-01-20 20:54:41 +08:00
+											this.firewallRuleGroupId = types.Int64(result.Group.Id)
 											this.firewallRuleSetId = types.Int64(result.Set.Id)
-												实现WAF统计

											
										
										
											2021-01-26 18:42:46 +08:00
-												WAF允许动作默认跳过所有规则

											
										
										
											2024-01-20 20:54:41 +08:00
+											if result.Set.HasAttackActions() {
-												增加攻击拦截统计

											
										
										
											2021-07-13 11:04:38 +08:00
+												this.isAttack = true
 											}
-												实现WAF统计

											
										
										
											2021-01-26 18:42:46 +08:00
+											// 添加统计
-												WAF允许动作默认跳过所有规则

											
										
										
											2024-01-20 20:54:41 +08:00
+											stats.SharedHTTPRequestStatManager.AddFirewallRuleGroupId(this.ReqServer.Id, this.firewallRuleGroupId, result.Set.Actions)
-												实现WAF

											
										
										
											2020-10-08 15:06:42 +08:00
+										}
-												记录WAF日志

											
										
										
											2020-11-02 15:49:30 +08:00
-												WAF允许动作默认跳过所有规则

											
										
										
											2024-01-20 20:54:41 +08:00
+										this.firewallActions = append(result.Set.ActionCodes(), firewallPolicy.Mode)
-												实现WAF

											
										
										
											2020-10-08 15:06:42 +08:00
+									}
-												WAF允许动作默认跳过所有规则

											
										
										
											2024-01-20 20:54:41 +08:00
+									return !result.GoNext, breakChecking
-												实现WAF

											
										
										
											2020-10-08 15:06:42 +08:00
+								}
 								// call response waf
 								func (this *HTTPRequest) doWAFResponse(resp *http.Response) (blocked bool) {
-												优化代码

											
										
										
											2022-01-02 22:45:37 +08:00
+									if this.web.FirewallRef == nil || !this.web.FirewallRef.IsOn {
 										return
 									}
-												应用网站自定义的WAF出站规则

											
										
										
											2021-06-21 15:29:07 +08:00
+									// 当前服务的独立设置
-												WAF策略增加记录请求Body选项

											
										
										
											2022-07-16 17:05:37 +08:00
+									var forceLog = false
 									var forceLogRequestBody = false
 									if this.ReqServer.HTTPFirewallPolicy != nil && this.ReqServer.HTTPFirewallPolicy.IsOn && this.ReqServer.HTTPFirewallPolicy.Log != nil && this.ReqServer.HTTPFirewallPolicy.Log.IsOn {
 										forceLog = true
 										forceLogRequestBody = this.ReqServer.HTTPFirewallPolicy.Log.RequestBody
 									}
-												应用网站自定义的WAF出站规则

											
										
										
											2021-06-21 15:29:07 +08:00
+									if this.web.FirewallPolicy != nil && this.web.FirewallPolicy.IsOn {
-												WAF允许动作默认跳过所有规则

											
										
										
											2024-01-20 20:54:41 +08:00
+										blockedRequest, breakChecking := this.checkWAFResponse(this.web.FirewallPolicy, resp, forceLog, forceLogRequestBody, false)
 										if blockedRequest {
-												应用网站自定义的WAF出站规则

											
										
										
											2021-06-21 15:29:07 +08:00
+											return true
 										}
-												WAF允许动作默认跳过所有规则

											
										
										
											2024-01-20 20:54:41 +08:00
+										if breakChecking {
 											return
 										}
-												应用网站自定义的WAF出站规则

											
										
										
											2021-06-21 15:29:07 +08:00
+									}
 									// 公用的防火墙设置
-												优化代码

											
										
										
											2022-01-01 20:15:39 +08:00
+									if this.ReqServer.HTTPFirewallPolicy != nil && this.ReqServer.HTTPFirewallPolicy.IsOn {
-												WAF允许动作默认跳过所有规则

											
										
										
											2024-01-20 20:54:41 +08:00
+										blockedRequest, _ := this.checkWAFResponse(this.ReqServer.HTTPFirewallPolicy, resp, forceLog, forceLogRequestBody, this.web.FirewallRef.IgnoreGlobalRules)
 										if blockedRequest {
-												应用网站自定义的WAF出站规则

											
										
										
											2021-06-21 15:29:07 +08:00
+											return true
 										}
 									}
 									return
 								}
-												WAF允许动作默认跳过所有规则

											
										
										
											2024-01-20 20:54:41 +08:00
+								func (this *HTTPRequest) checkWAFResponse(firewallPolicy *firewallconfigs.HTTPFirewallPolicy, resp *http.Response, forceLog bool, logRequestBody bool, ignoreRules bool) (blocked bool, breakChecking bool) {
-												WAF模式从pass改为bypass

											
										
										
											2021-10-07 13:51:26 +08:00
+									if firewallPolicy == nil || !firewallPolicy.IsOn || !firewallPolicy.Outbound.IsOn || firewallPolicy.Mode == firewallconfigs.FirewallModeBypass {
-												在节点重新实现缓存策略和WAF策略

											
										
										
											2020-12-17 17:36:10 +08:00
+										return
 									}
-												WAF支持忽略全局WAF规则

											
										
										
											2023-03-01 16:46:43 +08:00
+									// 是否执行规则
 									if ignoreRules {
 										return
 									}
 									var w = waf.SharedWAFManager.FindWAF(firewallPolicy.Id)
-												实现WAF

											
										
										
											2020-10-08 15:06:42 +08:00
+									if w == nil {
 										return
 									}
-												WAF允许动作默认跳过所有规则

											
										
										
											2024-01-20 20:54:41 +08:00
+									result, err := w.MatchResponse(this, resp, this.writer)
 									if result.IsAllowed && (len(result.AllowScope) == 0 || result.AllowScope == waf.AllowScopeGlobal) {
 										breakChecking = true
 									}
 									if forceLog && logRequestBody && result.HasRequestBody && result.Set != nil && result.Set.HasAttackActions() {
-												WAF策略增加记录请求Body选项

											
										
										
											2022-07-16 17:05:37 +08:00
+										this.wafHasRequestBody = true
 									}
-												实现WAF

											
										
										
											2020-10-08 15:06:42 +08:00
+									if err != nil {
-												WAF忽略客户端断开连接错误

											
										
										
											2021-12-04 19:28:02 +08:00
+										if !this.canIgnore(err) {
-												降低WAF相关日志级别

											
										
										
											2024-03-21 18:46:10 +08:00
+											remotelogs.Warn("HTTP_REQUEST_WAF", this.rawURI+": "+err.Error())
-												WAF忽略客户端断开连接错误

											
										
										
											2021-12-04 19:28:02 +08:00
+										}
-												实现WAF

											
										
										
											2020-10-08 15:06:42 +08:00
+										return
 									}
-												WAF允许动作默认跳过所有规则

											
										
										
											2024-01-20 20:54:41 +08:00
+									if result.Set != nil {
-												优化WAF日志逻辑

											
										
										
											2022-04-21 19:44:19 +08:00
+										if forceLog {
-												默认记录WAF的条件从检测到攻击改为所有匹配WAF规则集的请求

											
										
										
											2022-04-21 19:02:17 +08:00
+											this.forceLog = true
 										}
-												WAF允许动作默认跳过所有规则

											
										
										
											2024-01-20 20:54:41 +08:00
+										if result.Set.HasSpecialActions() {
-												在节点重新实现缓存策略和WAF策略

											
										
										
											2020-12-17 17:36:10 +08:00
+											this.firewallPolicyId = firewallPolicy.Id
-												WAF允许动作默认跳过所有规则

											
										
										
											2024-01-20 20:54:41 +08:00
+											this.firewallRuleGroupId = types.Int64(result.Group.Id)
 											this.firewallRuleSetId = types.Int64(result.Set.Id)
-												实现WAF统计

											
										
										
											2021-01-26 18:42:46 +08:00
-												WAF允许动作默认跳过所有规则

											
										
										
											2024-01-20 20:54:41 +08:00
+											if result.Set.HasAttackActions() {
-												增加攻击拦截统计

											
										
										
											2021-07-13 11:04:38 +08:00
+												this.isAttack = true
 											}
-												实现WAF统计

											
										
										
											2021-01-26 18:42:46 +08:00
+											// 添加统计
-												WAF允许动作默认跳过所有规则

											
										
										
											2024-01-20 20:54:41 +08:00
+											stats.SharedHTTPRequestStatManager.AddFirewallRuleGroupId(this.ReqServer.Id, this.firewallRuleGroupId, result.Set.Actions)
-												实现WAF

											
										
										
											2020-10-08 15:06:42 +08:00
+										}
-												记录WAF日志

											
										
										
											2020-11-02 15:49:30 +08:00
-												WAF允许动作默认跳过所有规则

											
										
										
											2024-01-20 20:54:41 +08:00
+										this.firewallActions = append(result.Set.ActionCodes(), firewallPolicy.Mode)
-												实现WAF

											
										
										
											2020-10-08 15:06:42 +08:00
+									}
-												WAF允许动作默认跳过所有规则

											
										
										
											2024-01-20 20:54:41 +08:00
+									return !result.GoNext, breakChecking
-												实现WAF

											
										
										
											2020-10-08 15:06:42 +08:00
+								}
-												WAF增加多个动作

											
										
										
											2021-07-18 15:51:49 +08:00
 								// WAFRaw 原始请求
 								func (this *HTTPRequest) WAFRaw() *http.Request {
 									return this.RawReq
 								}
 								// WAFRemoteIP 客户端IP
 								func (this *HTTPRequest) WAFRemoteIP() string {
-												服务支持自定义访客IP地址获取方式/对X-Real-IP等Header值进行有效性验证

											
										
										
											2021-10-06 11:40:48 +08:00
+									return this.requestRemoteAddr(true)
-												WAF增加多个动作

											
										
										
											2021-07-18 15:51:49 +08:00
+								}
 								// WAFGetCacheBody 获取缓存中的Body
 								func (this *HTTPRequest) WAFGetCacheBody() []byte {
-												实现记录请求Body

											
										
										
											2021-12-07 15:12:15 +08:00
+									return this.requestBodyData
-												WAF增加多个动作

											
										
										
											2021-07-18 15:51:49 +08:00
+								}
 								// WAFSetCacheBody 设置Body
 								func (this *HTTPRequest) WAFSetCacheBody(body []byte) {
-												实现记录请求Body

											
										
										
											2021-12-07 15:12:15 +08:00
+									this.requestBodyData = body
-												WAF增加多个动作

											
										
										
											2021-07-18 15:51:49 +08:00
+								}
 								// WAFReadBody 读取Body
 								func (this *HTTPRequest) WAFReadBody(max int64) (data []byte, err error) {
 									if this.RawReq.ContentLength > 0 {
-												优化代码

											
										
										
											2022-08-04 11:34:06 +08:00
+										data, err = io.ReadAll(io.LimitReader(this.RawReq.Body, max))
-												WAF增加多个动作

											
										
										
											2021-07-18 15:51:49 +08:00
+									}
-												WAF忽略客户端断开连接错误

											
										
										
											2021-12-04 19:28:02 +08:00
-												WAF增加多个动作

											
										
										
											2021-07-18 15:51:49 +08:00
+									return
 								}
 								// WAFRestoreBody 恢复Body
 								func (this *HTTPRequest) WAFRestoreBody(data []byte) {
 									if len(data) > 0 {
-												优化代码

											
										
										
											2022-08-04 11:34:06 +08:00
+										this.RawReq.Body = io.NopCloser(io.MultiReader(bytes.NewBuffer(data), this.RawReq.Body))
-												WAF增加多个动作

											
										
										
											2021-07-18 15:51:49 +08:00
+									}
 								}
 								// WAFServerId 服务ID
 								func (this *HTTPRequest) WAFServerId() int64 {
-												优化代码

											
										
										
											2022-01-01 20:15:39 +08:00
+									return this.ReqServer.Id
-												WAF增加多个动作

											
										
										
											2021-07-18 15:51:49 +08:00
+								}
-												优化WAF关闭连接操作

											
										
										
											2021-09-29 11:06:00 +08:00
 								// WAFClose 关闭连接
 								func (this *HTTPRequest) WAFClose() {
-												优化代码

											
										
										
											2022-01-01 20:15:39 +08:00
+									this.Close()
-												将IP加入黑名单时，同时也会关闭此IP相关的连接

											
										
										
											2022-09-02 15:20:58 +08:00
 									// 这里不要强关IP所有连接，避免因为单个服务而影响所有
-												优化WAF关闭连接操作

											
										
										
											2021-09-29 11:06:00 +08:00
+								}
-												修复WAF OnAction在并发时无法准确调用请求动作的Bug

											
										
										
											2021-12-01 17:43:08 +08:00
 								func (this *HTTPRequest) WAFOnAction(action interface{}) (goNext bool) {
 									if action == nil {
 										return true
 									}
 									instance, ok := action.(waf.ActionInterface)
 									if !ok {
 										return true
 									}
 									switch instance.Code() {
 									case waf.ActionTag:
 										this.tags = append(this.tags, action.(*waf.TagAction).Tags...)
 									}
 									return true
 								}
-												WAF cc2尝试使用指纹统计方法

											
										
										
											2023-03-08 16:59:44 +08:00
 								func (this *HTTPRequest) WAFFingerprint() []byte {
-												WAF cc防护增加“检查请求来源指纹”选项

											
										
										
											2023-03-10 10:41:16 +08:00
+									// 目前只有HTTPS请求才有指纹
 									if !this.IsHTTPS {
 										return nil
 									}
-												WAF cc2尝试使用指纹统计方法

											
										
										
											2023-03-08 16:59:44 +08:00
+									var requestConn = this.RawReq.Context().Value(HTTPConnContextKey)
 									if requestConn == nil {
 										return nil
 									}
 									clientConn, ok := requestConn.(ClientConnInterface)
 									if ok {
 										return clientConn.Fingerprint()
 									}
 									return nil
 								}
-												在GET302和CAPTCHA验证中不记录特殊URL的访问日志

											
										
										
											2023-03-16 10:38:40 +08:00
-												WAF策略增加“最多检查内容尺寸“选项

											
										
										
											2023-08-02 17:00:16 +08:00
+								func (this *HTTPRequest) WAFMaxRequestSize() int64 {
 									var maxRequestSize = firewallconfigs.DefaultMaxRequestBodySize
 									if this.ReqServer.HTTPFirewallPolicy != nil && this.ReqServer.HTTPFirewallPolicy.MaxRequestBodySize > 0 {
 										maxRequestSize = this.ReqServer.HTTPFirewallPolicy.MaxRequestBodySize
 									}
 									return maxRequestSize
 								}
-												在GET302和CAPTCHA验证中不记录特殊URL的访问日志

											
										
										
											2023-03-16 10:38:40 +08:00
+								// DisableAccessLog 在当前请求中不使用访问日志
 								func (this *HTTPRequest) DisableAccessLog() {
 									this.disableLog = true
 								}
-												减少一些不必要的访问统计

											
										
										
											2023-11-19 09:10:37 +08:00
 								// DisableStat 停用统计
 								func (this *HTTPRequest) DisableStat() {
 									if this.web != nil {
 										this.web.StatRef = nil
 									}
 								}