mirror of
https://github.com/TeaOSLab/EdgeNode.git
synced 2025-11-04 16:00:25 +08:00
WAF策略增加记录区域封禁日志选项
This commit is contained in:
刘祥超
@@ -1114,7 +1114,7 @@ func (this *HTTPRequest) requestRemoteAddr(supportVar bool) string {
|
|||||||
// 获取请求的客户端地址列表
|
// 获取请求的客户端地址列表
|
||||||
func (this *HTTPRequest) requestRemoteAddrs() (result []string) {
|
func (this *HTTPRequest) requestRemoteAddrs() (result []string) {
|
||||||
// X-Forwarded-For
|
// X-Forwarded-For
|
||||||
forwardedFor := this.RawReq.Header.Get("X-Forwarded-For")
|
var forwardedFor = this.RawReq.Header.Get("X-Forwarded-For")
|
||||||
if len(forwardedFor) > 0 {
|
if len(forwardedFor) > 0 {
|
||||||
commaIndex := strings.Index(forwardedFor, ",")
|
commaIndex := strings.Index(forwardedFor, ",")
|
||||||
if commaIndex > 0 {
|
if commaIndex > 0 {
|
||||||
@@ -1139,13 +1139,16 @@ func (this *HTTPRequest) requestRemoteAddrs() (result []string) {
|
|||||||
}
|
}
|
||||||
|
|
||||||
// Remote-Addr
|
// Remote-Addr
|
||||||
remoteAddr := this.RawReq.RemoteAddr
|
{
|
||||||
|
var remoteAddr = this.RawReq.RemoteAddr
|
||||||
host, _, err := net.SplitHostPort(remoteAddr)
|
host, _, err := net.SplitHostPort(remoteAddr)
|
||||||
if err == nil {
|
if err == nil {
|
||||||
result = append(result, host)
|
result = append(result, host)
|
||||||
} else {
|
} else {
|
||||||
result = append(result, remoteAddr)
|
result = append(result, remoteAddr)
|
||||||
}
|
}
|
||||||
|
}
|
||||||
|
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|||||||
@@ -55,17 +55,19 @@ func (this *HTTPRequest) doWAFRequest() (blocked bool) {
|
|||||||
|
|
||||||
var forceLog = false
|
var forceLog = false
|
||||||
var forceLogRequestBody = false
|
var forceLogRequestBody = false
|
||||||
|
var forceLogRegionDenying = false
|
||||||
if this.ReqServer.HTTPFirewallPolicy != nil &&
|
if this.ReqServer.HTTPFirewallPolicy != nil &&
|
||||||
this.ReqServer.HTTPFirewallPolicy.IsOn &&
|
this.ReqServer.HTTPFirewallPolicy.IsOn &&
|
||||||
this.ReqServer.HTTPFirewallPolicy.Log != nil &&
|
this.ReqServer.HTTPFirewallPolicy.Log != nil &&
|
||||||
this.ReqServer.HTTPFirewallPolicy.Log.IsOn {
|
this.ReqServer.HTTPFirewallPolicy.Log.IsOn {
|
||||||
forceLog = true
|
forceLog = true
|
||||||
forceLogRequestBody = this.ReqServer.HTTPFirewallPolicy.Log.RequestBody
|
forceLogRequestBody = this.ReqServer.HTTPFirewallPolicy.Log.RequestBody
|
||||||
|
forceLogRegionDenying = this.ReqServer.HTTPFirewallPolicy.Log.RegionDenying
|
||||||
}
|
}
|
||||||
|
|
||||||
// 当前服务的独立设置
|
// 当前服务的独立设置
|
||||||
if this.web.FirewallPolicy != nil && this.web.FirewallPolicy.IsOn {
|
if this.web.FirewallPolicy != nil && this.web.FirewallPolicy.IsOn {
|
||||||
blocked, breakChecking := this.checkWAFRequest(this.web.FirewallPolicy, forceLog, forceLogRequestBody)
|
blocked, breakChecking := this.checkWAFRequest(this.web.FirewallPolicy, forceLog, forceLogRequestBody, forceLogRegionDenying)
|
||||||
if blocked {
|
if blocked {
|
||||||
return true
|
return true
|
||||||
}
|
}
|
||||||
@@ -76,7 +78,7 @@ func (this *HTTPRequest) doWAFRequest() (blocked bool) {
|
|||||||
|
|
||||||
// 公用的防火墙设置
|
// 公用的防火墙设置
|
||||||
if this.ReqServer.HTTPFirewallPolicy != nil && this.ReqServer.HTTPFirewallPolicy.IsOn {
|
if this.ReqServer.HTTPFirewallPolicy != nil && this.ReqServer.HTTPFirewallPolicy.IsOn {
|
||||||
blocked, breakChecking := this.checkWAFRequest(this.ReqServer.HTTPFirewallPolicy, forceLog, forceLogRequestBody)
|
blocked, breakChecking := this.checkWAFRequest(this.ReqServer.HTTPFirewallPolicy, forceLog, forceLogRequestBody, forceLogRegionDenying)
|
||||||
if blocked {
|
if blocked {
|
||||||
return true
|
return true
|
||||||
}
|
}
|
||||||
@@ -88,15 +90,21 @@ func (this *HTTPRequest) doWAFRequest() (blocked bool) {
|
|||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
|
||||||
func (this *HTTPRequest) checkWAFRequest(firewallPolicy *firewallconfigs.HTTPFirewallPolicy, forceLog bool, logRequestBody bool) (blocked bool, breakChecking bool) {
|
func (this *HTTPRequest) checkWAFRequest(firewallPolicy *firewallconfigs.HTTPFirewallPolicy, forceLog bool, logRequestBody bool, logDenying bool) (blocked bool, breakChecking bool) {
|
||||||
// 检查配置是否为空
|
// 检查配置是否为空
|
||||||
if firewallPolicy == nil || !firewallPolicy.IsOn || firewallPolicy.Inbound == nil || !firewallPolicy.Inbound.IsOn || firewallPolicy.Mode == firewallconfigs.FirewallModeBypass {
|
if firewallPolicy == nil || !firewallPolicy.IsOn || firewallPolicy.Inbound == nil || !firewallPolicy.Inbound.IsOn || firewallPolicy.Mode == firewallconfigs.FirewallModeBypass {
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
|
||||||
// 检查IP白名单
|
// 检查IP白名单
|
||||||
remoteAddrs := this.requestRemoteAddrs()
|
var remoteAddrs []string
|
||||||
inbound := firewallPolicy.Inbound
|
if len(this.remoteAddr) > 0 {
|
||||||
|
remoteAddrs = []string{this.remoteAddr}
|
||||||
|
} else {
|
||||||
|
remoteAddrs = this.requestRemoteAddrs()
|
||||||
|
}
|
||||||
|
|
||||||
|
var inbound = firewallPolicy.Inbound
|
||||||
if inbound == nil {
|
if inbound == nil {
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
@@ -167,13 +175,17 @@ func (this *HTTPRequest) checkWAFRequest(firewallPolicy *firewallconfigs.HTTPFir
|
|||||||
if len(regionConfig.DenyCountryIds) > 0 && len(result.Country) > 0 {
|
if len(regionConfig.DenyCountryIds) > 0 && len(result.Country) > 0 {
|
||||||
countryId := iplibrary.SharedCountryManager.Lookup(result.Country)
|
countryId := iplibrary.SharedCountryManager.Lookup(result.Country)
|
||||||
if countryId > 0 && lists.ContainsInt64(regionConfig.DenyCountryIds, countryId) {
|
if countryId > 0 && lists.ContainsInt64(regionConfig.DenyCountryIds, countryId) {
|
||||||
// TODO 可以配置对封禁的处理方式等
|
this.firewallPolicyId = firewallPolicy.Id
|
||||||
// TODO 需要记录日志信息
|
|
||||||
this.writer.WriteHeader(http.StatusForbidden)
|
this.writer.WriteHeader(http.StatusForbidden)
|
||||||
this.writer.Close()
|
this.writer.Close()
|
||||||
|
|
||||||
// 停止日志
|
// 停止日志
|
||||||
|
if !logDenying {
|
||||||
this.disableLog = true
|
this.disableLog = true
|
||||||
|
} else {
|
||||||
|
this.tags = append(this.tags, "denyCountry")
|
||||||
|
}
|
||||||
|
|
||||||
return true, false
|
return true, false
|
||||||
}
|
}
|
||||||
@@ -181,15 +193,19 @@ func (this *HTTPRequest) checkWAFRequest(firewallPolicy *firewallconfigs.HTTPFir
|
|||||||
|
|
||||||
// 检查省份封禁
|
// 检查省份封禁
|
||||||
if len(regionConfig.DenyProvinceIds) > 0 && len(result.Province) > 0 {
|
if len(regionConfig.DenyProvinceIds) > 0 && len(result.Province) > 0 {
|
||||||
provinceId := iplibrary.SharedProvinceManager.Lookup(result.Province)
|
var provinceId = iplibrary.SharedProvinceManager.Lookup(result.Province)
|
||||||
if provinceId > 0 && lists.ContainsInt64(regionConfig.DenyProvinceIds, provinceId) {
|
if provinceId > 0 && lists.ContainsInt64(regionConfig.DenyProvinceIds, provinceId) {
|
||||||
// TODO 可以配置对封禁的处理方式等
|
this.firewallPolicyId = firewallPolicy.Id
|
||||||
// TODO 需要记录日志信息
|
|
||||||
this.writer.WriteHeader(http.StatusForbidden)
|
this.writer.WriteHeader(http.StatusForbidden)
|
||||||
this.writer.Close()
|
this.writer.Close()
|
||||||
|
|
||||||
// 停止日志
|
// 停止日志
|
||||||
|
if !logDenying {
|
||||||
this.disableLog = true
|
this.disableLog = true
|
||||||
|
} else {
|
||||||
|
this.tags = append(this.tags, "denyProvince")
|
||||||
|
}
|
||||||
|
|
||||||
return true, false
|
return true, false
|
||||||
}
|
}
|
||||||
|
|||||||
Reference in New Issue
Block a user