From 25e75d907832ecbb21b881da0bf80e82244e674b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E5=88=98=E7=A5=A5=E8=B6=85?=
Date: Thu, 21 Jan 2021 10:45:55 +0800
Subject: [PATCH] =?UTF-8?q?[WAF]=E5=8C=B9=E9=85=8D=E5=88=B0=E7=99=BD?= =?UTF-8?q?=E5=90=8D=E5=8D=95=E5=90=8E=E7=AB=8B=E5=8D=B3=E8=BF=94=E5=9B=9E?= =?UTF-8?q?=EF=BC=8C=E4=B8=8D=E5=86=8D=E5=BE=80=E4=B8=8B=E5=B0=9D=E8=AF=95?= =?UTF-8?q?=E5=88=AB=E7=9A=84=E8=A7=84=E5=88=99?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 internal/nodes/http_request_waf.go | 26 +++++++++++++++++---------
 1 file changed, 17 insertions(+), 9 deletions(-)

diff --git a/internal/nodes/http_request_waf.go b/internal/nodes/http_request_waf.go
index 34114ac..e90c566 100644
--- a/internal/nodes/http_request_waf.go
+++ b/internal/nodes/http_request_waf.go
@@ -14,24 +14,30 @@ import (
 func (this *HTTPRequest) doWAFRequest() (blocked bool) {
 	// 当前服务的独立设置
 	if this.web.FirewallPolicy != nil && this.web.FirewallPolicy.IsOn {
-		blocked = this.checkWAFRequest(this.web.FirewallPolicy)
+		blocked, breakChecking := this.checkWAFRequest(this.web.FirewallPolicy)
 		if blocked {
-			return
+			return true
+		}
+		if breakChecking {
+			return false
 		}
 	}
 
 	// 公用的防火墙设置
 	if sharedNodeConfig.HTTPFirewallPolicy != nil {
-		blocked = this.checkWAFRequest(sharedNodeConfig.HTTPFirewallPolicy)
+		blocked, breakChecking := this.checkWAFRequest(sharedNodeConfig.HTTPFirewallPolicy)
 		if blocked {
-			return
+			return true
+		}
+		if breakChecking {
+			return false
 		}
 	}
 
 	return
 }
 
-func (this *HTTPRequest) checkWAFRequest(firewallPolicy *firewallconfigs.HTTPFirewallPolicy) (blocked bool) {
+func (this *HTTPRequest) checkWAFRequest(firewallPolicy *firewallconfigs.HTTPFirewallPolicy) (blocked bool, breakChecking bool) {
 	// 检查配置是否为空
 	if firewallPolicy == nil || !firewallPolicy.IsOn || firewallPolicy.Inbound == nil || !firewallPolicy.Inbound.IsOn {
 		return
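Review bot: The `if breakChecking { return false }` added after the site policy block returns before `sharedNodeConfig.HTTPFirewallPolicy` is consulted, so a site-level allow-list hit now skips the node-wide deny list and rule sets as well, and nothing on the new signature says so. If that precedence is intended, state it on `checkWAFRequest`, e.g. `// breakChecking reports that the client matched an allow list; the caller must not evaluate any further policy, including the shared node policy.` Separately, `blocked, breakChecking := ...` inside each `if` declares a fresh `blocked` that shadows the named result (what `go vet`'s shadow check reports); declaring `var breakChecking bool` once before the first `if` and assigning with `=`, or dropping the named result and ending with `return false`, removes the shadowing without changing behaviour. `checkWAFRequest`'s body continues past the end of this hunk.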
@@ -43,6 +49,7 @@ func (this *HTTPRequest) checkWAFRequest(firewallPolicy *firewallconfigs.HTTPFir
 	if inbound.AllowListRef != nil && inbound.AllowListRef.IsOn && inbound.AllowListRef.ListId > 0 {
 		list := iplibrary.SharedIPListManager.FindList(inbound.AllowListRef.ListId)
 		if list != nil && list.Contains(iplibrary.IP2Long(remoteAddr)) {
+			breakChecking = true
 			return
 		}
 	}
@@ -52,13 +59,14 @@ func (this *HTTPRequest) checkWAFRequest(firewallPolicy *firewallconfigs.HTTPFir
 		list := iplibrary.SharedIPListManager.FindList(inbound.DenyListRef.ListId)
 		if list != nil && list.Contains(iplibrary.IP2Long(remoteAddr)) {
 			// TODO 可以配置对封禁的处理方式等
+			// TODO 需要记录日志信息
 			this.writer.WriteHeader(http.StatusForbidden)
 			this.writer.Close()
 
 			// 停止日志
 			this.disableLog = true
-			return true
+			return true, false
 		}
 	}
 
@@ -82,7 +90,7 @@ func (this *HTTPRequest) checkWAFRequest(firewallPolicy *firewallconfigs.HTTPFir
 
 			// 停止日志
 			this.disableLog = true
-			return true
+			return true, false
 		}
 	}
 
@@ -97,7 +105,7 @@ func (this *HTTPRequest) checkWAFRequest(firewallPolicy *firewallconfigs.HTTPFir
 
 				// 停止日志
 				this.disableLog = true
-				return true
+				return true, false
 			}
 		}
 	}
@@ -126,7 +134,7 @@ func (this *HTTPRequest) checkWAFRequest(firewallPolicy *firewallconfigs.HTTPFir
 			this.logAttrs["waf.action"] = ruleSet.Action
 		}
 
-		return !goNext
+		return !goNext, false
 	}
 
 	// call response waf
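Review bot: The bare `return` after `breakChecking = true` relies on the named results to produce `(false, true)`, while every other exit of `checkWAFRequest` touched by this patch spells its values out as `return true, false`; writing `return false, true` here keeps the style uniform and makes the allow-list outcome readable at the return site. `checkWAFRequest` begins and ends outside this hunk.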
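Review bot: A deny-list hit writes the 403 and then sets `this.disableLog = true`, so the block itself is never recorded; the new `// TODO 需要记录日志信息` acknowledges this, but until it is implemented an IP deny-list block is invisible for incident review. The rule-set path in the last hunk at least records `this.logAttrs["waf.action"]` before returning, whereas this path leaves no `logAttrs` entry either. Consider either not disabling the log for list-based blocks or recording the hit in `this.logAttrs` as the rule-set path does, so that the two block paths are observable in the same way. The same `disableLog` pattern appears in the hunks at -82 and -97; the enclosing `if inbound.DenyListRef` starts outside this hunk.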