用户端可以添加WAF 黑白名单

2026-05-06 07:05:17 +08:00 · 2021-01-03 20:18:47 +08:00
parent 2616b7448d
commit 063a686deb
8 changed files with 508 additions and 26 deletions
--- a/internal/nodes/http_request.go
+++ b/internal/nodes/http_request.go
@@ -74,7 +74,7 @@ type HTTPRequest struct {
 func (this *HTTPRequest) init() {
 	this.writer = NewHTTPWriter(this, this.RawWriter)
 	this.web = &serverconfigs.HTTPWebConfig{IsOn: true}
-	//this.uri = this.RawReq.URL.RequestURI()
+	// this.uri = this.RawReq.URL.RequestURI()
 	// 之所以不使用RequestURI()，是不想让URL中的Path被Encode
 	if len(this.RawReq.URL.RawQuery) > 0 {
 		this.uri = this.RawReq.URL.Path + "?" + this.RawReq.URL.RawQuery
@@ -82,7 +82,6 @@ func (this *HTTPRequest) init() {
 		this.uri = this.RawReq.URL.Path
 	}

-	this.uri = this.RawReq.URL.Path
 	this.rawURI = this.uri
 	this.varMapping = map[string]string{
 		// 缓存相关初始化
@@ -300,6 +299,9 @@ func (this *HTTPRequest) configureWeb(web *serverconfigs.HTTPWebConfig, isTop bo
 	// waf
 	if web.FirewallRef != nil && (web.FirewallRef.IsPrior || isTop) {
 		this.web.FirewallRef = web.FirewallRef
+		if web.FirewallPolicy != nil {
+			this.web.FirewallPolicy = web.FirewallPolicy
+		}
 	}

 	// access log
--- a/internal/nodes/http_request_waf.go
+++ b/internal/nodes/http_request_waf.go
@@ -1,6 +1,7 @@
 package nodes

 import (
+	"github.com/TeaOSLab/EdgeCommon/pkg/serverconfigs/firewallconfigs"
 	"github.com/TeaOSLab/EdgeNode/internal/iplibrary"
 	"github.com/TeaOSLab/EdgeNode/internal/remotelogs"
 	"github.com/TeaOSLab/EdgeNode/internal/waf"
@@ -11,8 +12,26 @@ import (

 // 调用WAF
 func (this *HTTPRequest) doWAFRequest() (blocked bool) {
-	firewallPolicy := sharedNodeConfig.HTTPFirewallPolicy
+	// 当前服务的独立设置
+	if this.web.FirewallPolicy != nil && this.web.FirewallPolicy.IsOn {
+		blocked = this.checkWAFRequest(this.web.FirewallPolicy)
+		if blocked {
+			return
+		}
+	}

+	// 公用的防火墙设置
+	if sharedNodeConfig.HTTPFirewallPolicy != nil {
+		blocked = this.checkWAFRequest(sharedNodeConfig.HTTPFirewallPolicy)
+		if blocked {
+			return
+		}
+	}
+
+	return
+}
+
+func (this *HTTPRequest) checkWAFRequest(firewallPolicy *firewallconfigs.HTTPFirewallPolicy) (blocked bool) {
 	// 检查配置是否为空
 	if firewallPolicy == nil || !firewallPolicy.IsOn || firewallPolicy.Inbound == nil || !firewallPolicy.Inbound.IsOn {
 		return
@@ -21,16 +40,16 @@ func (this *HTTPRequest) doWAFRequest() (blocked bool) {
 	// 检查IP白名单
 	remoteAddr := this.requestRemoteAddr()
 	inbound := firewallPolicy.Inbound
-	if inbound.WhiteListRef != nil && inbound.WhiteListRef.IsOn && inbound.WhiteListRef.ListId > 0 {
-		list := iplibrary.SharedIPListManager.FindList(inbound.WhiteListRef.ListId)
+	if inbound.AllowListRef != nil && inbound.AllowListRef.IsOn && inbound.AllowListRef.ListId > 0 {
+		list := iplibrary.SharedIPListManager.FindList(inbound.AllowListRef.ListId)
 		if list != nil && list.Contains(iplibrary.IP2Long(remoteAddr)) {
 			return
 		}
 	}

 	// 检查IP黑名单
-	if inbound.BlackListRef != nil && inbound.BlackListRef.IsOn && inbound.BlackListRef.ListId > 0 {
-		list := iplibrary.SharedIPListManager.FindList(inbound.BlackListRef.ListId)
+	if inbound.DenyListRef != nil && inbound.DenyListRef.IsOn && inbound.DenyListRef.ListId > 0 {
+		list := iplibrary.SharedIPListManager.FindList(inbound.DenyListRef.ListId)
 		if list != nil && list.Contains(iplibrary.IP2Long(remoteAddr)) {
 			// TODO 可以配置对封禁的处理方式等
 			this.writer.WriteHeader(http.StatusForbidden)
--- a/internal/nodes/node_status_executor_windows.go
+++ b/internal/nodes/node_status_executor_windows.go
@@ -1,6 +1,6 @@
 // +build windows

-package agent
+package nodes

 import (
 	"context"