EdgeNode/internal/nodes/http_request_waf.go

package nodes

import (
	"bytes"
	"github.com/TeaOSLab/EdgeCommon/pkg/serverconfigs/firewallconfigs"
	"github.com/TeaOSLab/EdgeNode/internal/iplibrary"
	"github.com/TeaOSLab/EdgeNode/internal/remotelogs"
	"github.com/TeaOSLab/EdgeNode/internal/stats"
	"github.com/TeaOSLab/EdgeNode/internal/waf"
	"github.com/iwind/TeaGo/lists"
	"github.com/iwind/TeaGo/types"
	"io"
	"io/ioutil"
	"net"
	"net/http"
)

// 调用WAF
func (this *HTTPRequest) doWAFRequest() (blocked bool) {
	// 当前连接是否已关闭
	var conn = this.RawReq.Context().Value(HTTPConnContextKey)
	if conn != nil {
		trafficConn, ok := conn.(*TrafficConn)
		if ok && trafficConn.IsClosed() {
			return true
		}
	}

	// 当前服务的独立设置
	if this.web.FirewallPolicy != nil && this.web.FirewallPolicy.IsOn {
		blocked, breakChecking := this.checkWAFRequest(this.web.FirewallPolicy)
		if blocked {
			return true
		}
		if breakChecking {
			return false
		}
	}

	// 公用的防火墙设置
	if this.Server.HTTPFirewallPolicy != nil && this.Server.HTTPFirewallPolicy.IsOn {
		blocked, breakChecking := this.checkWAFRequest(this.Server.HTTPFirewallPolicy)
		if blocked {
			return true
		}
		if breakChecking {
			return false
		}
	}

	return
}

func (this *HTTPRequest) checkWAFRequest(firewallPolicy *firewallconfigs.HTTPFirewallPolicy) (blocked bool, breakChecking bool) {
	// 检查配置是否为空
	if firewallPolicy == nil || !firewallPolicy.IsOn || firewallPolicy.Inbound == nil || !firewallPolicy.Inbound.IsOn || firewallPolicy.Mode == firewallconfigs.FirewallModePass {
		return
	}

	// 检查IP白名单
	remoteAddrs := this.requestRemoteAddrs()
	inbound := firewallPolicy.Inbound
	if inbound == nil {
		return
	}
	for _, ref := range inbound.AllAllowListRefs() {
		if ref.IsOn && ref.ListId > 0 {
			list := iplibrary.SharedIPListManager.FindList(ref.ListId)
			if list != nil {
				_, found := list.ContainsIPStrings(remoteAddrs)
				if found {
					breakChecking = true
					return
				}
			}
		}
	}

	// 检查IP黑名单
	if firewallPolicy.Mode == firewallconfigs.FirewallModeDefend {
		for _, ref := range inbound.AllDenyListRefs() {
			if ref.IsOn && ref.ListId > 0 {
				list := iplibrary.SharedIPListManager.FindList(ref.ListId)
				if list != nil {
					item, found := list.ContainsIPStrings(remoteAddrs)
					if found {
						// 触发事件
						if item != nil && len(item.EventLevel) > 0 {
							actions := iplibrary.SharedActionManager.FindEventActions(item.EventLevel)
							for _, action := range actions {
								goNext, err := action.DoHTTP(this.RawReq, this.RawWriter)
								if err != nil {
									remotelogs.Error("HTTP_REQUEST_WAF", "do action '"+err.Error()+"' failed: "+err.Error())
									return true, false
								}
								if !goNext {
									this.disableLog = true
									return true, false
								}
							}
						}

						// TODO 需要记录日志信息

						this.writer.WriteHeader(http.StatusForbidden)
						this.writer.Close()

						// 停止日志
						this.disableLog = true

						return true, false
					}
				}
			}
		}
	}

	// 检查地区封禁
	if firewallPolicy.Mode == firewallconfigs.FirewallModeDefend {
		if iplibrary.SharedLibrary != nil {
			if firewallPolicy.Inbound.Region != nil && firewallPolicy.Inbound.Region.IsOn {
				regionConfig := firewallPolicy.Inbound.Region
				if regionConfig.IsNotEmpty() {
					for _, remoteAddr := range remoteAddrs {
						result, err := iplibrary.SharedLibrary.Lookup(remoteAddr)
						if err != nil {
							remotelogs.Error("HTTP_REQUEST_WAF", "iplibrary lookup failed: "+err.Error())
						} else if result != nil {
							// 检查国家级别封禁
							if len(regionConfig.DenyCountryIds) > 0 && len(result.Country) > 0 {
								countryId := iplibrary.SharedCountryManager.Lookup(result.Country)
								if countryId > 0 && lists.ContainsInt64(regionConfig.DenyCountryIds, countryId) {
									// TODO 可以配置对封禁的处理方式等
									// TODO 需要记录日志信息
									this.writer.WriteHeader(http.StatusForbidden)
									this.writer.Close()

									// 停止日志
									this.disableLog = true

									return true, false
								}
							}

							// 检查省份封禁
							if len(regionConfig.DenyProvinceIds) > 0 && len(result.Province) > 0 {
								provinceId := iplibrary.SharedProvinceManager.Lookup(result.Province)
								if provinceId > 0 && lists.ContainsInt64(regionConfig.DenyProvinceIds, provinceId) {
									// TODO 可以配置对封禁的处理方式等
									// TODO 需要记录日志信息
									this.writer.WriteHeader(http.StatusForbidden)
									this.writer.Close()

									// 停止日志
									this.disableLog = true

									return true, false
								}
							}
						}
					}
				}
			}
		}
	}

	// 规则测试
	w := sharedWAFManager.FindWAF(firewallPolicy.Id)
	if w == nil {
		return
	}

	w.OnAction(func(action waf.ActionInterface) (goNext bool) {
		switch action.Code() {
		case waf.ActionTag:
			this.tags = action.(*waf.TagAction).Tags
		}
		return true
	})

	goNext, ruleGroup, ruleSet, err := w.MatchRequest(this, this.writer)
	if err != nil {
		remotelogs.Error("HTTP_REQUEST_WAF", this.rawURI+": "+err.Error())
		return
	}

	if ruleSet != nil {
		if ruleSet.HasSpecialActions() {
			this.firewallPolicyId = firewallPolicy.Id
			this.firewallRuleGroupId = types.Int64(ruleGroup.Id)
			this.firewallRuleSetId = types.Int64(ruleSet.Id)

			if ruleSet.HasAttackActions() {
				this.isAttack = true
			}

			// 添加统计
			stats.SharedHTTPRequestStatManager.AddFirewallRuleGroupId(this.Server.Id, this.firewallRuleGroupId, ruleSet.Actions)
		}

		this.firewallActions = ruleSet.ActionCodes()
	}

	return !goNext, false
}

// call response waf
func (this *HTTPRequest) doWAFResponse(resp *http.Response) (blocked bool) {
	// 当前服务的独立设置
	if this.web.FirewallPolicy != nil && this.web.FirewallPolicy.IsOn {
		blocked := this.checkWAFResponse(this.web.FirewallPolicy, resp)
		if blocked {
			return true
		}
	}

	// 公用的防火墙设置
	if this.Server.HTTPFirewallPolicy != nil && this.Server.HTTPFirewallPolicy.IsOn {
		blocked := this.checkWAFResponse(this.Server.HTTPFirewallPolicy, resp)
		if blocked {
			return true
		}
	}
	return
}

func (this *HTTPRequest) checkWAFResponse(firewallPolicy *firewallconfigs.HTTPFirewallPolicy, resp *http.Response) (blocked bool) {
	if firewallPolicy == nil || !firewallPolicy.IsOn || !firewallPolicy.Outbound.IsOn || firewallPolicy.Mode == firewallconfigs.FirewallModePass {
		return
	}

	w := sharedWAFManager.FindWAF(firewallPolicy.Id)
	if w == nil {
		return
	}

	w.OnAction(func(action waf.ActionInterface) (goNext bool) {
		switch action.Code() {
		case waf.ActionTag:
			this.tags = action.(*waf.TagAction).Tags
		}
		return true
	})

	goNext, ruleGroup, ruleSet, err := w.MatchResponse(this, resp, this.writer)
	if err != nil {
		remotelogs.Error("HTTP_REQUEST_WAF", this.rawURI+": "+err.Error())
		return
	}

	if ruleSet != nil {
		if ruleSet.HasSpecialActions() {
			this.firewallPolicyId = firewallPolicy.Id
			this.firewallRuleGroupId = types.Int64(ruleGroup.Id)
			this.firewallRuleSetId = types.Int64(ruleSet.Id)

			if ruleSet.HasAttackActions() {
				this.isAttack = true
			}

			// 添加统计
			stats.SharedHTTPRequestStatManager.AddFirewallRuleGroupId(this.Server.Id, this.firewallRuleGroupId, ruleSet.Actions)
		}

		this.firewallActions = ruleSet.ActionCodes()
	}

	return !goNext
}

// WAFRaw 原始请求
func (this *HTTPRequest) WAFRaw() *http.Request {
	return this.RawReq
}

// WAFRemoteIP 客户端IP
func (this *HTTPRequest) WAFRemoteIP() string {
	return this.requestRemoteAddr()
}

// WAFGetCacheBody 获取缓存中的Body
func (this *HTTPRequest) WAFGetCacheBody() []byte {
	return this.bodyData
}

// WAFSetCacheBody 设置Body
func (this *HTTPRequest) WAFSetCacheBody(body []byte) {
	this.bodyData = body
}

// WAFReadBody 读取Body
func (this *HTTPRequest) WAFReadBody(max int64) (data []byte, err error) {
	if this.RawReq.ContentLength > 0 {
		data, err = ioutil.ReadAll(io.LimitReader(this.RawReq.Body, max))
	}
	return
}

// WAFRestoreBody 恢复Body
func (this *HTTPRequest) WAFRestoreBody(data []byte) {
	if len(data) > 0 {
		rawReader := bytes.NewBuffer(data)
		buf := make([]byte, 1024)
		_, _ = io.CopyBuffer(rawReader, this.RawReq.Body, buf)
		this.RawReq.Body = ioutil.NopCloser(rawReader)
	}
}

// WAFServerId 服务ID
func (this *HTTPRequest) WAFServerId() int64 {
	return this.Server.Id
}

// WAFClose 关闭连接
func (this *HTTPRequest) WAFClose() {
	requestConn := this.RawReq.Context().Value(HTTPConnContextKey)
	if requestConn == nil {
		return
	}
	conn, ok := requestConn.(net.Conn)
	if ok {
		_ = conn.Close()
		return
	}
	return
}
实现WAF 2020-10-08 15:06:42 +08:00			`package nodes`

			`import (`
WAF增加多个动作 2021-07-18 15:51:49 +08:00			`"bytes"`
用户端可以添加WAF 黑白名单 2021-01-03 20:18:47 +08:00			`"github.com/TeaOSLab/EdgeCommon/pkg/serverconfigs/firewallconfigs"`
实现IP黑白名单、国家｜地区封禁、省份封禁 2020-11-09 10:45:44 +08:00			`"github.com/TeaOSLab/EdgeNode/internal/iplibrary"`
在节点重新实现缓存策略和WAF策略 2020-12-17 17:36:10 +08:00			`"github.com/TeaOSLab/EdgeNode/internal/remotelogs"`
实现WAF统计 2021-01-26 18:42:46 +08:00			`"github.com/TeaOSLab/EdgeNode/internal/stats"`
实现WAF 2020-10-08 15:06:42 +08:00			`"github.com/TeaOSLab/EdgeNode/internal/waf"`
实现IP黑白名单、国家｜地区封禁、省份封禁 2020-11-09 10:45:44 +08:00			`"github.com/iwind/TeaGo/lists"`
记录WAF日志 2020-11-02 15:49:30 +08:00			`"github.com/iwind/TeaGo/types"`
WAF增加多个动作 2021-07-18 15:51:49 +08:00			`"io"`
			`"io/ioutil"`
优化WAF关闭连接操作 2021-09-29 11:06:00 +08:00			`"net"`
实现WAF 2020-10-08 15:06:42 +08:00			`"net/http"`
			`)`

			`// 调用WAF`
			`func (this *HTTPRequest) doWAFRequest() (blocked bool) {`
Block动作增加默认时间60秒 2021-09-29 09:19:45 +08:00			`// 当前连接是否已关闭`
			`var conn = this.RawReq.Context().Value(HTTPConnContextKey)`
			`if conn != nil {`
			`trafficConn, ok := conn.(*TrafficConn)`
			`if ok && trafficConn.IsClosed() {`
			`return true`
			`}`
			`}`

用户端可以添加WAF 黑白名单 2021-01-03 20:18:47 +08:00			`// 当前服务的独立设置`
			`if this.web.FirewallPolicy != nil && this.web.FirewallPolicy.IsOn {`
[WAF]匹配到白名单后立即返回，不再往下尝试别的规则 2021-01-21 10:45:55 +08:00			`blocked, breakChecking := this.checkWAFRequest(this.web.FirewallPolicy)`
用户端可以添加WAF 黑白名单 2021-01-03 20:18:47 +08:00			`if blocked {`
[WAF]匹配到白名单后立即返回，不再往下尝试别的规则 2021-01-21 10:45:55 +08:00			`return true`
			`}`
			`if breakChecking {`
			`return false`
用户端可以添加WAF 黑白名单 2021-01-03 20:18:47 +08:00			`}`
			`}`

			`// 公用的防火墙设置`
WAF策略和缓存策略跟随集群 2021-08-01 14:54:06 +08:00			`if this.Server.HTTPFirewallPolicy != nil && this.Server.HTTPFirewallPolicy.IsOn {`
			`blocked, breakChecking := this.checkWAFRequest(this.Server.HTTPFirewallPolicy)`
用户端可以添加WAF 黑白名单 2021-01-03 20:18:47 +08:00			`if blocked {`
[WAF]匹配到白名单后立即返回，不再往下尝试别的规则 2021-01-21 10:45:55 +08:00			`return true`
			`}`
			`if breakChecking {`
			`return false`
用户端可以添加WAF 黑白名单 2021-01-03 20:18:47 +08:00			`}`
			`}`

			`return`
			`}`
在节点重新实现缓存策略和WAF策略 2020-12-17 17:36:10 +08:00
[WAF]匹配到白名单后立即返回，不再往下尝试别的规则 2021-01-21 10:45:55 +08:00			`func (this HTTPRequest) checkWAFRequest(firewallPolicy firewallconfigs.HTTPFirewallPolicy) (blocked bool, breakChecking bool) {`
实现IP黑白名单、国家｜地区封禁、省份封禁 2020-11-09 10:45:44 +08:00			`// 检查配置是否为空`
WAF策略增加观察模式和通过模式 2021-09-30 11:30:58 +08:00			`if firewallPolicy == nil \|\| !firewallPolicy.IsOn \|\| firewallPolicy.Inbound == nil \|\| !firewallPolicy.Inbound.IsOn \|\| firewallPolicy.Mode == firewallconfigs.FirewallModePass {`
实现IP黑白名单、国家｜地区封禁、省份封禁 2020-11-09 10:45:44 +08:00			`return`
			`}`

			`// 检查IP白名单`
IP名单改成同时检查多个IP来源 2021-02-02 19:32:19 +08:00			`remoteAddrs := this.requestRemoteAddrs()`
在节点重新实现缓存策略和WAF策略 2020-12-17 17:36:10 +08:00			`inbound := firewallPolicy.Inbound`
实现公用的IP名单 2021-06-23 13:14:37 +08:00			`if inbound == nil {`
			`return`
			`}`
			`for _, ref := range inbound.AllAllowListRefs() {`
			`if ref.IsOn && ref.ListId > 0 {`
			`list := iplibrary.SharedIPListManager.FindList(ref.ListId)`
			`if list != nil {`
大幅优化IP名单查询速度 2021-10-04 17:42:38 +08:00			`_, found := list.ContainsIPStrings(remoteAddrs)`
实现公用的IP名单 2021-06-23 13:14:37 +08:00			`if found {`
			`breakChecking = true`
			`return`
			`}`
WAF动作增加显示HTML内容 2021-02-26 16:33:58 +08:00			`}`
实现IP黑白名单、国家｜地区封禁、省份封禁 2020-11-09 10:45:44 +08:00			`}`
			`}`

			`// 检查IP黑名单`
WAF模式为defend时IP黑名单才生效 2021-10-04 18:22:51 +08:00			`if firewallPolicy.Mode == firewallconfigs.FirewallModeDefend {`
			`for _, ref := range inbound.AllDenyListRefs() {`
			`if ref.IsOn && ref.ListId > 0 {`
			`list := iplibrary.SharedIPListManager.FindList(ref.ListId)`
			`if list != nil {`
			`item, found := list.ContainsIPStrings(remoteAddrs)`
			`if found {`
			`// 触发事件`
			`if item != nil && len(item.EventLevel) > 0 {`
			`actions := iplibrary.SharedActionManager.FindEventActions(item.EventLevel)`
			`for _, action := range actions {`
			`goNext, err := action.DoHTTP(this.RawReq, this.RawWriter)`
			`if err != nil {`
			`remotelogs.Error("HTTP_REQUEST_WAF", "do action '"+err.Error()+"' failed: "+err.Error())`
			`return true, false`
			`}`
			`if !goNext {`
			`this.disableLog = true`
			`return true, false`
			`}`
实现公用的IP名单 2021-06-23 13:14:37 +08:00			`}`
WAF动作增加显示HTML内容 2021-02-26 16:33:58 +08:00			`}`
实现IP黑白名单、国家｜地区封禁、省份封禁 2020-11-09 10:45:44 +08:00
WAF模式为defend时IP黑名单才生效 2021-10-04 18:22:51 +08:00			`// TODO 需要记录日志信息`
在对IP封禁时，不写入访问日志 2020-11-09 11:02:29 +08:00
WAF模式为defend时IP黑名单才生效 2021-10-04 18:22:51 +08:00			`this.writer.WriteHeader(http.StatusForbidden)`
			`this.writer.Close()`
WAF动作增加显示HTML内容 2021-02-26 16:33:58 +08:00
WAF模式为defend时IP黑名单才生效 2021-10-04 18:22:51 +08:00			`// 停止日志`
			`this.disableLog = true`
WAF动作增加显示HTML内容 2021-02-26 16:33:58 +08:00
WAF模式为defend时IP黑名单才生效 2021-10-04 18:22:51 +08:00			`return true, false`
			`}`
实现公用的IP名单 2021-06-23 13:14:37 +08:00			`}`
WAF动作增加显示HTML内容 2021-02-26 16:33:58 +08:00			`}`
实现IP黑白名单、国家｜地区封禁、省份封禁 2020-11-09 10:45:44 +08:00			`}`
			`}`

			`// 检查地区封禁`
WAF模式为defend时IP黑名单才生效 2021-10-04 18:22:51 +08:00			`if firewallPolicy.Mode == firewallconfigs.FirewallModeDefend {`
			`if iplibrary.SharedLibrary != nil {`
			`if firewallPolicy.Inbound.Region != nil && firewallPolicy.Inbound.Region.IsOn {`
			`regionConfig := firewallPolicy.Inbound.Region`
			`if regionConfig.IsNotEmpty() {`
			`for _, remoteAddr := range remoteAddrs {`
			`result, err := iplibrary.SharedLibrary.Lookup(remoteAddr)`
			`if err != nil {`
			`remotelogs.Error("HTTP_REQUEST_WAF", "iplibrary lookup failed: "+err.Error())`
			`} else if result != nil {`
			`// 检查国家级别封禁`
			`if len(regionConfig.DenyCountryIds) > 0 && len(result.Country) > 0 {`
			`countryId := iplibrary.SharedCountryManager.Lookup(result.Country)`
			`if countryId > 0 && lists.ContainsInt64(regionConfig.DenyCountryIds, countryId) {`
			`// TODO 可以配置对封禁的处理方式等`
			`// TODO 需要记录日志信息`
			`this.writer.WriteHeader(http.StatusForbidden)`
			`this.writer.Close()`

			`// 停止日志`
			`this.disableLog = true`

			`return true, false`
			`}`
IP名单改成同时检查多个IP来源 2021-02-02 19:32:19 +08:00			`}`
实现IP黑白名单、国家｜地区封禁、省份封禁 2020-11-09 10:45:44 +08:00
WAF模式为defend时IP黑名单才生效 2021-10-04 18:22:51 +08:00			`// 检查省份封禁`
			`if len(regionConfig.DenyProvinceIds) > 0 && len(result.Province) > 0 {`
			`provinceId := iplibrary.SharedProvinceManager.Lookup(result.Province)`
			`if provinceId > 0 && lists.ContainsInt64(regionConfig.DenyProvinceIds, provinceId) {`
			`// TODO 可以配置对封禁的处理方式等`
			`// TODO 需要记录日志信息`
			`this.writer.WriteHeader(http.StatusForbidden)`
			`this.writer.Close()`
在对IP封禁时，不写入访问日志 2020-11-09 11:02:29 +08:00
WAF模式为defend时IP黑名单才生效 2021-10-04 18:22:51 +08:00			`// 停止日志`
			`this.disableLog = true`
在对IP封禁时，不写入访问日志 2020-11-09 11:02:29 +08:00
WAF模式为defend时IP黑名单才生效 2021-10-04 18:22:51 +08:00			`return true, false`
			`}`
IP名单改成同时检查多个IP来源 2021-02-02 19:32:19 +08:00			`}`
实现IP黑白名单、国家｜地区封禁、省份封禁 2020-11-09 10:45:44 +08:00			`}`
			`}`
			`}`
			`}`
			`}`
			`}`

在对IP封禁时，不写入访问日志 2020-11-09 11:02:29 +08:00			`// 规则测试`
在节点重新实现缓存策略和WAF策略 2020-12-17 17:36:10 +08:00			`w := sharedWAFManager.FindWAF(firewallPolicy.Id)`
实现WAF 2020-10-08 15:06:42 +08:00			`if w == nil {`
			`return`
			`}`
WAF增加多个动作 2021-07-18 15:51:49 +08:00
			`w.OnAction(func(action waf.ActionInterface) (goNext bool) {`
			`switch action.Code() {`
			`case waf.ActionTag:`
			`this.tags = action.(*waf.TagAction).Tags`
			`}`
			`return true`
			`})`

			`goNext, ruleGroup, ruleSet, err := w.MatchRequest(this, this.writer)`
实现WAF 2020-10-08 15:06:42 +08:00			`if err != nil {`
优化HTTP缓存，主要是并发冲突、缓存写入不全等问题 2021-06-06 23:42:11 +08:00			`remotelogs.Error("HTTP_REQUEST_WAF", this.rawURI+": "+err.Error())`
实现WAF 2020-10-08 15:06:42 +08:00			`return`
			`}`

			`if ruleSet != nil {`
WAF增加多个动作 2021-07-18 15:51:49 +08:00			`if ruleSet.HasSpecialActions() {`
在节点重新实现缓存策略和WAF策略 2020-12-17 17:36:10 +08:00			`this.firewallPolicyId = firewallPolicy.Id`
记录WAF日志 2020-11-02 15:49:30 +08:00			`this.firewallRuleGroupId = types.Int64(ruleGroup.Id)`
			`this.firewallRuleSetId = types.Int64(ruleSet.Id)`
实现WAF统计 2021-01-26 18:42:46 +08:00
WAF增加多个动作 2021-07-18 15:51:49 +08:00			`if ruleSet.HasAttackActions() {`
增加攻击拦截统计 2021-07-13 11:04:38 +08:00			`this.isAttack = true`
			`}`

实现WAF统计 2021-01-26 18:42:46 +08:00			`// 添加统计`
WAF增加多个动作 2021-07-18 15:51:49 +08:00			`stats.SharedHTTPRequestStatManager.AddFirewallRuleGroupId(this.Server.Id, this.firewallRuleGroupId, ruleSet.Actions)`
实现WAF 2020-10-08 15:06:42 +08:00			`}`
记录WAF日志 2020-11-02 15:49:30 +08:00
WAF增加多个动作 2021-07-18 15:51:49 +08:00			`this.firewallActions = ruleSet.ActionCodes()`
实现WAF 2020-10-08 15:06:42 +08:00			`}`

[WAF]匹配到白名单后立即返回，不再往下尝试别的规则 2021-01-21 10:45:55 +08:00			`return !goNext, false`
实现WAF 2020-10-08 15:06:42 +08:00			`}`

			`// call response waf`
			`func (this HTTPRequest) doWAFResponse(resp http.Response) (blocked bool) {`
应用网站自定义的WAF出站规则 2021-06-21 15:29:07 +08:00			`// 当前服务的独立设置`
			`if this.web.FirewallPolicy != nil && this.web.FirewallPolicy.IsOn {`
			`blocked := this.checkWAFResponse(this.web.FirewallPolicy, resp)`
			`if blocked {`
			`return true`
			`}`
			`}`

			`// 公用的防火墙设置`
WAF策略和缓存策略跟随集群 2021-08-01 14:54:06 +08:00			`if this.Server.HTTPFirewallPolicy != nil && this.Server.HTTPFirewallPolicy.IsOn {`
			`blocked := this.checkWAFResponse(this.Server.HTTPFirewallPolicy, resp)`
应用网站自定义的WAF出站规则 2021-06-21 15:29:07 +08:00			`if blocked {`
			`return true`
			`}`
			`}`
			`return`
			`}`

			`func (this HTTPRequest) checkWAFResponse(firewallPolicy firewallconfigs.HTTPFirewallPolicy, resp *http.Response) (blocked bool) {`
WAF策略增加观察模式和通过模式 2021-09-30 11:30:58 +08:00			`if firewallPolicy == nil \|\| !firewallPolicy.IsOn \|\| !firewallPolicy.Outbound.IsOn \|\| firewallPolicy.Mode == firewallconfigs.FirewallModePass {`
在节点重新实现缓存策略和WAF策略 2020-12-17 17:36:10 +08:00			`return`
			`}`

			`w := sharedWAFManager.FindWAF(firewallPolicy.Id)`
实现WAF 2020-10-08 15:06:42 +08:00			`if w == nil {`
			`return`
			`}`

WAF增加多个动作 2021-07-18 15:51:49 +08:00			`w.OnAction(func(action waf.ActionInterface) (goNext bool) {`
			`switch action.Code() {`
			`case waf.ActionTag:`
			`this.tags = action.(*waf.TagAction).Tags`
			`}`
			`return true`
			`})`

			`goNext, ruleGroup, ruleSet, err := w.MatchResponse(this, resp, this.writer)`
实现WAF 2020-10-08 15:06:42 +08:00			`if err != nil {`
优化HTTP缓存，主要是并发冲突、缓存写入不全等问题 2021-06-06 23:42:11 +08:00			`remotelogs.Error("HTTP_REQUEST_WAF", this.rawURI+": "+err.Error())`
实现WAF 2020-10-08 15:06:42 +08:00			`return`
			`}`

			`if ruleSet != nil {`
WAF增加多个动作 2021-07-18 15:51:49 +08:00			`if ruleSet.HasSpecialActions() {`
在节点重新实现缓存策略和WAF策略 2020-12-17 17:36:10 +08:00			`this.firewallPolicyId = firewallPolicy.Id`
记录WAF日志 2020-11-02 15:49:30 +08:00			`this.firewallRuleGroupId = types.Int64(ruleGroup.Id)`
			`this.firewallRuleSetId = types.Int64(ruleSet.Id)`
实现WAF统计 2021-01-26 18:42:46 +08:00
WAF增加多个动作 2021-07-18 15:51:49 +08:00			`if ruleSet.HasAttackActions() {`
增加攻击拦截统计 2021-07-13 11:04:38 +08:00			`this.isAttack = true`
			`}`

实现WAF统计 2021-01-26 18:42:46 +08:00			`// 添加统计`
WAF增加多个动作 2021-07-18 15:51:49 +08:00			`stats.SharedHTTPRequestStatManager.AddFirewallRuleGroupId(this.Server.Id, this.firewallRuleGroupId, ruleSet.Actions)`
实现WAF 2020-10-08 15:06:42 +08:00			`}`
记录WAF日志 2020-11-02 15:49:30 +08:00
WAF增加多个动作 2021-07-18 15:51:49 +08:00			`this.firewallActions = ruleSet.ActionCodes()`
实现WAF 2020-10-08 15:06:42 +08:00			`}`

			`return !goNext`
			`}`
WAF增加多个动作 2021-07-18 15:51:49 +08:00
			`// WAFRaw 原始请求`
			`func (this HTTPRequest) WAFRaw() http.Request {`
			`return this.RawReq`
			`}`

			`// WAFRemoteIP 客户端IP`
			`func (this *HTTPRequest) WAFRemoteIP() string {`
			`return this.requestRemoteAddr()`
			`}`

			`// WAFGetCacheBody 获取缓存中的Body`
			`func (this *HTTPRequest) WAFGetCacheBody() []byte {`
			`return this.bodyData`
			`}`

			`// WAFSetCacheBody 设置Body`
			`func (this *HTTPRequest) WAFSetCacheBody(body []byte) {`
			`this.bodyData = body`
			`}`

			`// WAFReadBody 读取Body`
			`func (this *HTTPRequest) WAFReadBody(max int64) (data []byte, err error) {`
			`if this.RawReq.ContentLength > 0 {`
			`data, err = ioutil.ReadAll(io.LimitReader(this.RawReq.Body, max))`
			`}`
			`return`
			`}`

			`// WAFRestoreBody 恢复Body`
			`func (this *HTTPRequest) WAFRestoreBody(data []byte) {`
			`if len(data) > 0 {`
			`rawReader := bytes.NewBuffer(data)`
			`buf := make([]byte, 1024)`
			`_, _ = io.CopyBuffer(rawReader, this.RawReq.Body, buf)`
			`this.RawReq.Body = ioutil.NopCloser(rawReader)`
			`}`
			`}`

			`// WAFServerId 服务ID`
			`func (this *HTTPRequest) WAFServerId() int64 {`
			`return this.Server.Id`
			`}`
优化WAF关闭连接操作 2021-09-29 11:06:00 +08:00
			`// WAFClose 关闭连接`
			`func (this *HTTPRequest) WAFClose() {`
			`requestConn := this.RawReq.Context().Value(HTTPConnContextKey)`
			`if requestConn == nil {`
			`return`
			`}`
			`conn, ok := requestConn.(net.Conn)`
			`if ok {`
			`_ = conn.Close()`
			`return`
			`}`
			`return`
			`}`