WAF策略增加记录区域封禁日志选项

2025-11-03 23:20:25 +08:00 · 2022-07-16 18:47:59 +08:00
parent a47d7d275c
commit 2301e74b1c
2 changed files with 38 additions and 19 deletions
--- a/internal/nodes/http_request.go
+++ b/internal/nodes/http_request.go
@@ -1114,7 +1114,7 @@ func (this *HTTPRequest) requestRemoteAddr(supportVar bool) string {
 // 获取请求的客户端地址列表
 func (this *HTTPRequest) requestRemoteAddrs() (result []string) {
 	// X-Forwarded-For
-	forwardedFor := this.RawReq.Header.Get("X-Forwarded-For")
+	var forwardedFor = this.RawReq.Header.Get("X-Forwarded-For")
 	if len(forwardedFor) > 0 {
 		commaIndex := strings.Index(forwardedFor, ",")
 		if commaIndex > 0 {
@@ -1139,13 +1139,16 @@ func (this *HTTPRequest) requestRemoteAddrs() (result []string) {
 	}

 	// Remote-Addr
-	remoteAddr := this.RawReq.RemoteAddr
-	host, _, err := net.SplitHostPort(remoteAddr)
-	if err == nil {
-		result = append(result, host)
-	} else {
-		result = append(result, remoteAddr)
+	{
+		var remoteAddr = this.RawReq.RemoteAddr
+		host, _, err := net.SplitHostPort(remoteAddr)
+		if err == nil {
+			result = append(result, host)
+		} else {
+			result = append(result, remoteAddr)
+		}
 	}
+
 	return
 }

--- a/internal/nodes/http_request_waf.go
+++ b/internal/nodes/http_request_waf.go
@@ -55,17 +55,19 @@ func (this *HTTPRequest) doWAFRequest() (blocked bool) {

 	var forceLog = false
 	var forceLogRequestBody = false
+	var forceLogRegionDenying = false
 	if this.ReqServer.HTTPFirewallPolicy != nil &&
 		this.ReqServer.HTTPFirewallPolicy.IsOn &&
 		this.ReqServer.HTTPFirewallPolicy.Log != nil &&
 		this.ReqServer.HTTPFirewallPolicy.Log.IsOn {
 		forceLog = true
 		forceLogRequestBody = this.ReqServer.HTTPFirewallPolicy.Log.RequestBody
+		forceLogRegionDenying = this.ReqServer.HTTPFirewallPolicy.Log.RegionDenying
 	}

 	// 当前服务的独立设置
 	if this.web.FirewallPolicy != nil && this.web.FirewallPolicy.IsOn {
-		blocked, breakChecking := this.checkWAFRequest(this.web.FirewallPolicy, forceLog, forceLogRequestBody)
+		blocked, breakChecking := this.checkWAFRequest(this.web.FirewallPolicy, forceLog, forceLogRequestBody, forceLogRegionDenying)
 		if blocked {
 			return true
 		}
@@ -76,7 +78,7 @@ func (this *HTTPRequest) doWAFRequest() (blocked bool) {

 	// 公用的防火墙设置
 	if this.ReqServer.HTTPFirewallPolicy != nil && this.ReqServer.HTTPFirewallPolicy.IsOn {
-		blocked, breakChecking := this.checkWAFRequest(this.ReqServer.HTTPFirewallPolicy, forceLog, forceLogRequestBody)
+		blocked, breakChecking := this.checkWAFRequest(this.ReqServer.HTTPFirewallPolicy, forceLog, forceLogRequestBody, forceLogRegionDenying)
 		if blocked {
 			return true
 		}
@@ -88,15 +90,21 @@ func (this *HTTPRequest) doWAFRequest() (blocked bool) {
 	return
 }

-func (this *HTTPRequest) checkWAFRequest(firewallPolicy *firewallconfigs.HTTPFirewallPolicy, forceLog bool, logRequestBody bool) (blocked bool, breakChecking bool) {
+func (this *HTTPRequest) checkWAFRequest(firewallPolicy *firewallconfigs.HTTPFirewallPolicy, forceLog bool, logRequestBody bool, logDenying bool) (blocked bool, breakChecking bool) {
 	// 检查配置是否为空
 	if firewallPolicy == nil || !firewallPolicy.IsOn || firewallPolicy.Inbound == nil || !firewallPolicy.Inbound.IsOn || firewallPolicy.Mode == firewallconfigs.FirewallModeBypass {
 		return
 	}

 	// 检查IP白名单
-	remoteAddrs := this.requestRemoteAddrs()
-	inbound := firewallPolicy.Inbound
+	var remoteAddrs []string
+	if len(this.remoteAddr) > 0 {
+		remoteAddrs = []string{this.remoteAddr}
+	} else {
+		remoteAddrs = this.requestRemoteAddrs()
+	}
+
+	var inbound = firewallPolicy.Inbound
 	if inbound == nil {
 		return
 	}
@@ -167,13 +175,17 @@ func (this *HTTPRequest) checkWAFRequest(firewallPolicy *firewallconfigs.HTTPFir
 							if len(regionConfig.DenyCountryIds) > 0 && len(result.Country) > 0 {
 								countryId := iplibrary.SharedCountryManager.Lookup(result.Country)
 								if countryId > 0 && lists.ContainsInt64(regionConfig.DenyCountryIds, countryId) {
-									// TODO 可以配置对封禁的处理方式等
-									// TODO 需要记录日志信息
+									this.firewallPolicyId = firewallPolicy.Id
+
 									this.writer.WriteHeader(http.StatusForbidden)
 									this.writer.Close()

 									// 停止日志
-									this.disableLog = true
+									if !logDenying {
+										this.disableLog = true
+									} else {
+										this.tags = append(this.tags, "denyCountry")
+									}

 									return true, false
 								}
@@ -181,15 +193,19 @@ func (this *HTTPRequest) checkWAFRequest(firewallPolicy *firewallconfigs.HTTPFir

 							// 检查省份封禁
 							if len(regionConfig.DenyProvinceIds) > 0 && len(result.Province) > 0 {
-								provinceId := iplibrary.SharedProvinceManager.Lookup(result.Province)
+								var provinceId = iplibrary.SharedProvinceManager.Lookup(result.Province)
 								if provinceId > 0 && lists.ContainsInt64(regionConfig.DenyProvinceIds, provinceId) {
-									// TODO 可以配置对封禁的处理方式等
-									// TODO 需要记录日志信息
+									this.firewallPolicyId = firewallPolicy.Id
+
 									this.writer.WriteHeader(http.StatusForbidden)
 									this.writer.Close()

 									// 停止日志
-									this.disableLog = true
+									if !logDenying {
+										this.disableLog = true
+									} else {
+										this.tags = append(this.tags, "denyProvince")
+									}

 									return true, false
 								}