From 12bddc6e8220ddc458e6e506651b45ee9666aadb Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E5=88=98=E7=A5=A5=E8=B6=85?=
Date: Thu, 30 Sep 2021 11:30:58 +0800
Subject: [PATCH] =?UTF-8?q?WAF=E7=AD=96=E7=95=A5=E5=A2=9E=E5=8A=A0?= =?UTF-8?q?=E8=A7=82=E5=AF=9F=E6=A8=A1=E5=BC=8F=E5=92=8C=E9=80=9A=E8=BF=87?= =?UTF-8?q?=E6=A8=A1=E5=BC=8F?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 internal/nodes/http_request_waf.go | 4 ++--
 internal/nodes/waf_manager.go | 1 +
 internal/waf/rule_set.go | 5 +++++
 internal/waf/waf.go | 14 ++++++++------
 4 files changed, 16 insertions(+), 8 deletions(-)
diff --git a/internal/nodes/http_request_waf.go b/internal/nodes/http_request_waf.go
index e2fb0b0..b801f4d 100644
--- a/internal/nodes/http_request_waf.go
+++ b/internal/nodes/http_request_waf.go
@@ -53,7 +53,7 @@ func (this *HTTPRequest) doWAFRequest() (blocked bool) {
 func (this *HTTPRequest) checkWAFRequest(firewallPolicy *firewallconfigs.HTTPFirewallPolicy) (blocked bool, breakChecking bool) {
 // 检查配置是否为空
- if firewallPolicy == nil || !firewallPolicy.IsOn || firewallPolicy.Inbound == nil || !firewallPolicy.Inbound.IsOn {
+ if firewallPolicy == nil || !firewallPolicy.IsOn || firewallPolicy.Inbound == nil || !firewallPolicy.Inbound.IsOn || firewallPolicy.Mode == firewallconfigs.FirewallModePass {
 return
 }
@@ -221,7 +221,7 @@ func (this *HTTPRequest) doWAFResponse(resp *http.Response) (blocked bool) {
 }
 func (this *HTTPRequest) checkWAFResponse(firewallPolicy *firewallconfigs.HTTPFirewallPolicy, resp *http.Response) (blocked bool) {
- if firewallPolicy == nil || !firewallPolicy.IsOn || !firewallPolicy.Outbound.IsOn {
+ if firewallPolicy == nil || !firewallPolicy.IsOn || !firewallPolicy.Outbound.IsOn || firewallPolicy.Mode == firewallconfigs.FirewallModePass {
 return
 }
diff --git a/internal/nodes/waf_manager.go b/internal/nodes/waf_manager.go
index ac3ab19..4ca3943 100644
--- a/internal/nodes/waf_manager.go
+++ b/internal/nodes/waf_manager.go
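Review bot: The comment above the guard in checkWAFRequest (`检查配置是否为空`, "check whether the config is empty") no longer describes the condition, which now also returns early when `firewallPolicy.Mode == firewallconfigs.FirewallModePass`. A comment such as `// skip inspection when the policy is missing, disabled, or in pass mode` would keep the bypass visible to the next reader. The bare return leaves `breakChecking` false, so any other policy the caller consults is presumably still evaluated; if that is the intent, it is worth stating in the same comment. The function body continues outside the hunk.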
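Review bot: The rewritten guard in checkWAFResponse still reads `firewallPolicy.Outbound.IsOn` without first checking `firewallPolicy.Outbound` for nil, whereas the request-side guard in the previous hunk tests `firewallPolicy.Inbound == nil` before dereferencing. If a policy can arrive without an outbound section (not visible here), this line panics in the response path. Since the condition is being edited anyway, add the same guard: `if firewallPolicy == nil || !firewallPolicy.IsOn || firewallPolicy.Outbound == nil || !firewallPolicy.Outbound.IsOn || firewallPolicy.Mode == firewallconfigs.FirewallModePass {`. The function body continues outside the hunk.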
@@ -61,6 +61,7 @@ func (this *WAFManager) convertWAF(policy *firewallconfigs.HTTPFirewallPolicy) (
 Id: strconv.FormatInt(policy.Id, 10),
 IsOn: policy.IsOn,
 Name: policy.Name,
+ Mode: policy.Mode,
 }
 // inbound
diff --git a/internal/waf/rule_set.go b/internal/waf/rule_set.go
index 7a0e40b..cfb6286 100644
--- a/internal/waf/rule_set.go
+++ b/internal/waf/rule_set.go
@@ -1,6 +1,7 @@
 package waf
 import (
+ "github.com/TeaOSLab/EdgeCommon/pkg/serverconfigs/firewallconfigs"
 "github.com/TeaOSLab/EdgeNode/internal/remotelogs"
 "github.com/TeaOSLab/EdgeNode/internal/waf/requests"
 "github.com/iwind/TeaGo/lists"
@@ -117,6 +118,10 @@ func (this *RuleSet) ActionCodes() []string {
 }
 func (this *RuleSet) PerformActions(waf *WAF, group *RuleGroup, req requests.Request, writer http.ResponseWriter) bool {
+ if waf.Mode != firewallconfigs.FirewallModeDefend {
+ return true
+ }
+
 // 先执行allow
 for _, instance := range this.actionInstances {
 if !instance.WillChange() {
diff --git a/internal/waf/waf.go b/internal/waf/waf.go
index 08c762c..3a744d2 100644
--- a/internal/waf/waf.go
+++ b/internal/waf/waf.go
@@ -2,6 +2,7 @@ package waf
 import (
 "errors"
+ "github.com/TeaOSLab/EdgeCommon/pkg/serverconfigs/firewallconfigs"
 teaconst "github.com/TeaOSLab/EdgeNode/internal/const"
 "github.com/TeaOSLab/EdgeNode/internal/waf/checkpoints"
 "github.com/TeaOSLab/EdgeNode/internal/waf/requests"
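Review bot: `Mode: policy.Mode` in convertWAF copies the field verbatim, and PerformActions in internal/waf/rule_set.go (later in this patch) returns true for every value other than `firewallconfigs.FirewallModeDefend`, so a policy whose mode is unset would still match rules but never act on them. Unless the zero value is normalised elsewhere (not visible in this patch), a policy saved before this field existed, or one delivered by a control plane that does not send it, fails open after the upgrade. Defaulting here keeps enforcement as the fallback, assuming FirewallMode is string-based: `mode := policy.Mode`, `if len(mode) == 0 { mode = firewallconfigs.FirewallModeDefend }`, then `Mode: mode,` in the literal. convertWAF starts and ends outside the hunk.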
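Review bot: The early return added to PerformActions runs before any action instance, so in every non-defend mode none of the configured actions execute, whatever their type. If the observe mode named in the commit title is meant to show what would have been blocked, confirm that the caller still records the matched rule set when this returns true; the caller is not visible here. The guard also carries no comment, and `// only defend mode performs actions; every other mode lets the request continue` above it would document the bypass, assuming true means "continue" as the surrounding code suggests. PerformActions continues outside the hunk.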
@@ -15,12 +16,13 @@ import (
 )
 type WAF struct {
- Id string `yaml:"id" json:"id"`
- IsOn bool `yaml:"isOn" json:"isOn"`
- Name string `yaml:"name" json:"name"`
- Inbound []*RuleGroup `yaml:"inbound" json:"inbound"`
- Outbound []*RuleGroup `yaml:"outbound" json:"outbound"`
- CreatedVersion string `yaml:"createdVersion" json:"createdVersion"`
+ Id string `yaml:"id" json:"id"`
+ IsOn bool `yaml:"isOn" json:"isOn"`
+ Name string `yaml:"name" json:"name"`
+ Inbound []*RuleGroup `yaml:"inbound" json:"inbound"`
+ Outbound []*RuleGroup `yaml:"outbound" json:"outbound"`
+ CreatedVersion string `yaml:"createdVersion" json:"createdVersion"`
+ Mode firewallconfigs.FirewallMode `yaml:"mode" json:"mode"`
 DefaultBlockAction *BlockAction