EdgeNode/internal/waf/action_record_ip.go

package waf

import (
	"github.com/TeaOSLab/EdgeCommon/pkg/rpc/pb"
	"github.com/TeaOSLab/EdgeCommon/pkg/serverconfigs/firewallconfigs"
	teaconst "github.com/TeaOSLab/EdgeNode/internal/const"
	"github.com/TeaOSLab/EdgeNode/internal/events"
	"github.com/TeaOSLab/EdgeNode/internal/goman"
	"github.com/TeaOSLab/EdgeNode/internal/remotelogs"
	"github.com/TeaOSLab/EdgeNode/internal/rpc"
	"github.com/TeaOSLab/EdgeNode/internal/waf/requests"
	"github.com/iwind/TeaGo/types"
	"net/http"
	"strings"
	"time"
)

type recordIPTask struct {
	ip        string
	listId    int64
	expiresAt int64
	level     string
	serverId  int64

	reason string

	sourceServerId                int64
	sourceHTTPFirewallPolicyId    int64
	sourceHTTPFirewallRuleGroupId int64
	sourceHTTPFirewallRuleSetId   int64
}

var recordIPTaskChan = make(chan *recordIPTask, 2048)

func init() {
	if !teaconst.IsMain {
		return
	}

	events.On(events.EventLoaded, func() {
		goman.New(func() {
			rpcClient, err := rpc.SharedRPC()
			if err != nil {
				remotelogs.Error("WAF_RECORD_IP_ACTION", "create rpc client failed: "+err.Error())
				return
			}

			const maxItems = 512 // 每次上传的最大IP数

			for {
				var pbItemMap = map[string]*pb.CreateIPItemsRequest_IPItem{} // ip => IPItem

				func() {
					for {
						select {
						case task := <-recordIPTaskChan:
							var ipType = "ipv4"
							if strings.Contains(task.ip, ":") {
								ipType = "ipv6"
							}
							var reason = task.reason
							if len(reason) == 0 {
								reason = "触发WAF规则自动加入"
							}

							pbItemMap[task.ip] = &pb.CreateIPItemsRequest_IPItem{
								IpListId:                      task.listId,
								IpFrom:                        task.ip,
								IpTo:                          "",
								ExpiredAt:                     task.expiresAt,
								Reason:                        reason,
								Type:                          ipType,
								EventLevel:                    task.level,
								ServerId:                      task.serverId,
								SourceNodeId:                  teaconst.NodeId,
								SourceServerId:                task.sourceServerId,
								SourceHTTPFirewallPolicyId:    task.sourceHTTPFirewallPolicyId,
								SourceHTTPFirewallRuleGroupId: task.sourceHTTPFirewallRuleGroupId,
								SourceHTTPFirewallRuleSetId:   task.sourceHTTPFirewallRuleSetId,
							}

							if len(pbItemMap) >= maxItems {
								return
							}
						default:
							return
						}
					}
				}()

				if len(pbItemMap) > 0 {
					var pbItems = []*pb.CreateIPItemsRequest_IPItem{}
					for _, pbItem := range pbItemMap {
						pbItems = append(pbItems, pbItem)
					}
					_, err = rpcClient.IPItemRPC.CreateIPItems(rpcClient.Context(), &pb.CreateIPItemsRequest{IpItems: pbItems})
					if err != nil {
						remotelogs.Error("WAF_RECORD_IP_ACTION", "create ip item failed: "+err.Error())
					}
				} else {
					time.Sleep(1 * time.Second)
				}
			}
		})
	})
}

type RecordIPAction struct {
	BaseAction

	Type     string `yaml:"type" json:"type"`
	IPListId int64  `yaml:"ipListId" json:"ipListId"`
	Level    string `yaml:"level" json:"level"`
	Timeout  int32  `yaml:"timeout" json:"timeout"`
	Scope    string `yaml:"scope" json:"scope"`
}

func (this *RecordIPAction) Init(waf *WAF) error {
	return nil
}

func (this *RecordIPAction) Code() string {
	return ActionRecordIP
}

func (this *RecordIPAction) IsAttack() bool {
	return this.Type == "black"
}

func (this *RecordIPAction) WillChange() bool {
	return this.Type == "black"
}

func (this *RecordIPAction) Perform(waf *WAF, group *RuleGroup, set *RuleSet, request requests.Request, writer http.ResponseWriter) (continueRequest bool, goNextSet bool) {
	// 是否在本地白名单中
	if SharedIPWhiteList.Contains("set:"+types.String(set.Id), this.Scope, request.WAFServerId(), request.WAFRemoteIP()) {
		return true, false
	}

	var timeout = this.Timeout
	var isForever = false
	if timeout <= 0 {
		isForever = true
		timeout = 86400 // 1天
	}
	var expiresAt = time.Now().Unix() + int64(timeout)

	if this.Type == "black" {
		request.ProcessResponseHeaders(writer.Header(), http.StatusForbidden)
		writer.WriteHeader(http.StatusForbidden)

		request.WAFClose()

		// 先加入本地的黑名单
		SharedIPBlackList.Add(IPTypeAll, this.Scope, request.WAFServerId(), request.WAFRemoteIP(), expiresAt)
	} else {
		// 加入本地白名单
		SharedIPWhiteList.Add("set:"+types.String(set.Id), this.Scope, request.WAFServerId(), request.WAFRemoteIP(), expiresAt)
	}

	// 上报
	if this.IPListId > 0 {
		var serverId int64
		if this.Scope == firewallconfigs.FirewallScopeService {
			serverId = request.WAFServerId()
		}

		var realExpiresAt = expiresAt
		if isForever {
			realExpiresAt = 0
		}

		select {
		case recordIPTaskChan <- &recordIPTask{
			ip:                            request.WAFRemoteIP(),
			listId:                        this.IPListId,
			expiresAt:                     realExpiresAt,
			level:                         this.Level,
			serverId:                      serverId,
			sourceServerId:                request.WAFServerId(),
			sourceHTTPFirewallPolicyId:    waf.Id,
			sourceHTTPFirewallRuleGroupId: group.Id,
			sourceHTTPFirewallRuleSetId:   set.Id,
		}:
		default:

		}
	}

	return this.Type != "black", false
}
WAF增加多个动作 2021-07-18 15:51:49 +08:00			`package waf`

			`import (`
			`"github.com/TeaOSLab/EdgeCommon/pkg/rpc/pb"`
WAF规则匹配后的IP也会上报/实现IP全局名单/将名单存储到本地数据库，提升读写速度 2021-11-17 16:16:09 +08:00			`"github.com/TeaOSLab/EdgeCommon/pkg/serverconfigs/firewallconfigs"`
IP名单中IP创建时保存相关节点、服务、WAF策略信息 2021-11-16 16:11:05 +08:00			`teaconst "github.com/TeaOSLab/EdgeNode/internal/const"`
WAF增加多个动作 2021-07-18 15:51:49 +08:00			`"github.com/TeaOSLab/EdgeNode/internal/events"`
优化系统goroutine使用，减少goroutine数量，增加goman查看goroutine数量指令 2021-12-08 15:17:45 +08:00			`"github.com/TeaOSLab/EdgeNode/internal/goman"`
WAF增加多个动作 2021-07-18 15:51:49 +08:00			`"github.com/TeaOSLab/EdgeNode/internal/remotelogs"`
			`"github.com/TeaOSLab/EdgeNode/internal/rpc"`
			`"github.com/TeaOSLab/EdgeNode/internal/waf/requests"`
IP名单中IP创建时保存相关节点、服务、WAF策略信息 2021-11-16 16:11:05 +08:00			`"github.com/iwind/TeaGo/types"`
WAF增加多个动作 2021-07-18 15:51:49 +08:00			`"net/http"`
			`"strings"`
			`"time"`
			`)`

			`type recordIPTask struct {`
			`ip string`
			`listId int64`
修复WAF记录IP动作时无法不超时的Bug 2022-12-06 11:01:34 +08:00			`expiresAt int64`
WAF增加多个动作 2021-07-18 15:51:49 +08:00			`level string`
WAF规则匹配后的IP也会上报/实现IP全局名单/将名单存储到本地数据库，提升读写速度 2021-11-17 16:16:09 +08:00			`serverId int64`
IP名单中IP创建时保存相关节点、服务、WAF策略信息 2021-11-16 16:11:05 +08:00
实现自动SYN Flood防护 2022-01-10 19:54:10 +08:00			`reason string`

IP名单中IP创建时保存相关节点、服务、WAF策略信息 2021-11-16 16:11:05 +08:00			`sourceServerId int64`
			`sourceHTTPFirewallPolicyId int64`
			`sourceHTTPFirewallRuleGroupId int64`
			`sourceHTTPFirewallRuleSetId int64`
WAF增加多个动作 2021-07-18 15:51:49 +08:00			`}`

优化WAF黑名单处理 2023-03-31 21:37:15 +08:00			`var recordIPTaskChan = make(chan *recordIPTask, 2048)`
WAF增加多个动作 2021-07-18 15:51:49 +08:00
			`func init() {`
执行一般命令时不运行init()中内容 2023-03-10 15:14:14 +08:00			`if !teaconst.IsMain {`
			`return`
			`}`

WAF增加多个动作 2021-07-18 15:51:49 +08:00			`events.On(events.EventLoaded, func() {`
优化系统goroutine使用，减少goroutine数量，增加goman查看goroutine数量指令 2021-12-08 15:17:45 +08:00			`goman.New(func() {`
WAF增加多个动作 2021-07-18 15:51:49 +08:00			`rpcClient, err := rpc.SharedRPC()`
			`if err != nil {`
			`remotelogs.Error("WAF_RECORD_IP_ACTION", "create rpc client failed: "+err.Error())`
			`return`
			`}`

优化WAF黑名单处理 2023-03-31 21:37:15 +08:00			`const maxItems = 512 // 每次上传的最大IP数`

			`for {`
优化IP名单上传程序 2023-04-01 20:51:49 +08:00			`var pbItemMap = map[string]*pb.CreateIPItemsRequest_IPItem{} // ip => IPItem`
优化WAF黑名单处理 2023-03-31 21:37:15 +08:00
			`func() {`
			`for {`
			`select {`
			`case task := <-recordIPTaskChan:`
			`var ipType = "ipv4"`
			`if strings.Contains(task.ip, ":") {`
			`ipType = "ipv6"`
			`}`
			`var reason = task.reason`
			`if len(reason) == 0 {`
			`reason = "触发WAF规则自动加入"`
			`}`

优化IP名单上传程序 2023-04-01 20:51:49 +08:00			`pbItemMap[task.ip] = &pb.CreateIPItemsRequest_IPItem{`
优化WAF黑名单处理 2023-03-31 21:37:15 +08:00			`IpListId: task.listId,`
			`IpFrom: task.ip,`
			`IpTo: "",`
			`ExpiredAt: task.expiresAt,`
			`Reason: reason,`
			`Type: ipType,`
			`EventLevel: task.level,`
			`ServerId: task.serverId,`
			`SourceNodeId: teaconst.NodeId,`
			`SourceServerId: task.sourceServerId,`
			`SourceHTTPFirewallPolicyId: task.sourceHTTPFirewallPolicyId,`
			`SourceHTTPFirewallRuleGroupId: task.sourceHTTPFirewallRuleGroupId,`
			`SourceHTTPFirewallRuleSetId: task.sourceHTTPFirewallRuleSetId,`
优化IP名单上传程序 2023-04-01 20:51:49 +08:00			`}`
优化WAF黑名单处理 2023-03-31 21:37:15 +08:00
优化IP名单上传程序 2023-04-01 20:51:49 +08:00			`if len(pbItemMap) >= maxItems {`
优化WAF黑名单处理 2023-03-31 21:37:15 +08:00			`return`
			`}`
			`default:`
			`return`
			`}`
			`}`
			`}()`

优化IP名单上传程序 2023-04-01 20:51:49 +08:00			`if len(pbItemMap) > 0 {`
			`var pbItems = []*pb.CreateIPItemsRequest_IPItem{}`
			`for _, pbItem := range pbItemMap {`
			`pbItems = append(pbItems, pbItem)`
			`}`
优化WAF黑名单处理 2023-03-31 21:37:15 +08:00			`_, err = rpcClient.IPItemRPC.CreateIPItems(rpcClient.Context(), &pb.CreateIPItemsRequest{IpItems: pbItems})`
			`if err != nil {`
			`remotelogs.Error("WAF_RECORD_IP_ACTION", "create ip item failed: "+err.Error())`
			`}`
			`} else {`
			`time.Sleep(1 * time.Second)`
WAF增加多个动作 2021-07-18 15:51:49 +08:00			`}`
			`}`
优化系统goroutine使用，减少goroutine数量，增加goman查看goroutine数量指令 2021-12-08 15:17:45 +08:00			`})`
WAF增加多个动作 2021-07-18 15:51:49 +08:00			`})`
			`}`

			`type RecordIPAction struct {`
			`BaseAction`

			Type string `yaml:"type" json:"type"`
			IPListId int64 `yaml:"ipListId" json:"ipListId"`
			Level string `yaml:"level" json:"level"`
			Timeout int32 `yaml:"timeout" json:"timeout"`
WAF动作支持有效范围 2021-10-18 20:08:43 +08:00			Scope string `yaml:"scope" json:"scope"`
WAF增加多个动作 2021-07-18 15:51:49 +08:00			`}`

			`func (this RecordIPAction) Init(waf WAF) error {`
			`return nil`
			`}`

			`func (this *RecordIPAction) Code() string {`
			`return ActionRecordIP`
			`}`

			`func (this *RecordIPAction) IsAttack() bool {`
			`return this.Type == "black"`
			`}`

			`func (this *RecordIPAction) WillChange() bool {`
			`return this.Type == "black"`
			`}`

WAF标签动作匹配之后可以继续尝试匹配别的分组中的规则集 2022-08-25 16:44:44 +08:00			`func (this RecordIPAction) Perform(waf WAF, group RuleGroup, set RuleSet, request requests.Request, writer http.ResponseWriter) (continueRequest bool, goNextSet bool) {`
WAF增加多个动作 2021-07-18 15:51:49 +08:00			`// 是否在本地白名单中`
IP名单中IP创建时保存相关节点、服务、WAF策略信息 2021-11-16 16:11:05 +08:00			`if SharedIPWhiteList.Contains("set:"+types.String(set.Id), this.Scope, request.WAFServerId(), request.WAFRemoteIP()) {`
WAF标签动作匹配之后可以继续尝试匹配别的分组中的规则集 2022-08-25 16:44:44 +08:00			`return true, false`
WAF增加多个动作 2021-07-18 15:51:49 +08:00			`}`

修复WAF记录IP动作时无法不超时的Bug 2022-12-06 11:01:34 +08:00			`var timeout = this.Timeout`
			`var isForever = false`
WAF增加多个动作 2021-07-18 15:51:49 +08:00			`if timeout <= 0 {`
修复WAF记录IP动作时无法不超时的Bug 2022-12-06 11:01:34 +08:00			`isForever = true`
WAF增加多个动作 2021-07-18 15:51:49 +08:00			`timeout = 86400 // 1天`
			`}`
修复WAF记录IP动作时无法不超时的Bug 2022-12-06 11:01:34 +08:00			`var expiresAt = time.Now().Unix() + int64(timeout)`
WAF增加多个动作 2021-07-18 15:51:49 +08:00
			`if this.Type == "black" {`
WAF在输出内容时也加入自定义的响应报头 2023-06-11 10:46:20 +08:00			`request.ProcessResponseHeaders(writer.Header(), http.StatusForbidden)`
WAF动作record_ip返回403/优化关闭连接方法 2021-10-12 09:06:28 +08:00			`writer.WriteHeader(http.StatusForbidden)`

			`request.WAFClose()`
WAF增加多个动作 2021-07-18 15:51:49 +08:00
WAF动作支持有效范围 2021-10-18 20:08:43 +08:00			`// 先加入本地的黑名单`
修复WAF记录IP动作时无法不超时的Bug 2022-12-06 11:01:34 +08:00			`SharedIPBlackList.Add(IPTypeAll, this.Scope, request.WAFServerId(), request.WAFRemoteIP(), expiresAt)`
WAF增加多个动作 2021-07-18 15:51:49 +08:00			`} else {`
			`// 加入本地白名单`
修复WAF记录IP动作时无法不超时的Bug 2022-12-06 11:01:34 +08:00			`SharedIPWhiteList.Add("set:"+types.String(set.Id), this.Scope, request.WAFServerId(), request.WAFRemoteIP(), expiresAt)`
WAF增加多个动作 2021-07-18 15:51:49 +08:00			`}`

			`// 上报`
			`if this.IPListId > 0 {`
WAF规则匹配后的IP也会上报/实现IP全局名单/将名单存储到本地数据库，提升读写速度 2021-11-17 16:16:09 +08:00			`var serverId int64`
			`if this.Scope == firewallconfigs.FirewallScopeService {`
			`serverId = request.WAFServerId()`
			`}`

修复WAF记录IP动作时无法不超时的Bug 2022-12-06 11:01:34 +08:00			`var realExpiresAt = expiresAt`
			`if isForever {`
			`realExpiresAt = 0`
			`}`

WAF增加多个动作 2021-07-18 15:51:49 +08:00			`select {`
			`case recordIPTaskChan <- &recordIPTask{`
IP名单中IP创建时保存相关节点、服务、WAF策略信息 2021-11-16 16:11:05 +08:00			`ip: request.WAFRemoteIP(),`
			`listId: this.IPListId,`
修复WAF记录IP动作时无法不超时的Bug 2022-12-06 11:01:34 +08:00			`expiresAt: realExpiresAt,`
IP名单中IP创建时保存相关节点、服务、WAF策略信息 2021-11-16 16:11:05 +08:00			`level: this.Level,`
WAF规则匹配后的IP也会上报/实现IP全局名单/将名单存储到本地数据库，提升读写速度 2021-11-17 16:16:09 +08:00			`serverId: serverId,`
IP名单中IP创建时保存相关节点、服务、WAF策略信息 2021-11-16 16:11:05 +08:00			`sourceServerId: request.WAFServerId(),`
			`sourceHTTPFirewallPolicyId: waf.Id,`
			`sourceHTTPFirewallRuleGroupId: group.Id,`
			`sourceHTTPFirewallRuleSetId: set.Id,`
WAF增加多个动作 2021-07-18 15:51:49 +08:00			`}:`
			`default:`

			`}`
			`}`

WAF标签动作匹配之后可以继续尝试匹配别的分组中的规则集 2022-08-25 16:44:44 +08:00			`return this.Type != "black", false`
WAF增加多个动作 2021-07-18 15:51:49 +08:00			`}`