WAF策略中增加验证码相关定制设置

2026-02-03 14:25:47 +08:00 · 2022-05-21 11:17:53 +08:00
parent 14bb131e8d
commit 4e6d2fa5ea
18 changed files with 274 additions and 91 deletions
--- a/internal/nodes/http_request_waf.go
+++ b/internal/nodes/http_request_waf.go
@@ -194,7 +194,7 @@ func (this *HTTPRequest) checkWAFRequest(firewallPolicy *firewallconfigs.HTTPFir
 	}

 	// 规则测试
-	w := sharedWAFManager.FindWAF(firewallPolicy.Id)
+	w := waf.SharedWAFManager.FindWAF(firewallPolicy.Id)
 	if w == nil {
 		return
 	}
@@ -261,7 +261,7 @@ func (this *HTTPRequest) checkWAFResponse(firewallPolicy *firewallconfigs.HTTPFi
 		return
 	}

-	w := sharedWAFManager.FindWAF(firewallPolicy.Id)
+	w := waf.SharedWAFManager.FindWAF(firewallPolicy.Id)
 	if w == nil {
 		return
 	}
--- a/internal/nodes/node.go
+++ b/internal/nodes/node.go
@@ -21,6 +21,7 @@ import (
 	"github.com/TeaOSLab/EdgeNode/internal/stats"
 	"github.com/TeaOSLab/EdgeNode/internal/trackers"
 	"github.com/TeaOSLab/EdgeNode/internal/utils"
+	"github.com/TeaOSLab/EdgeNode/internal/waf"
 	"github.com/andybalholm/brotli"
 	"github.com/iwind/TeaGo/Tea"
 	"github.com/iwind/TeaGo/lists"
@@ -865,7 +866,7 @@ func (this *Node) onReload(config *nodeconfigs.NodeConfig) {
 	}

 	// WAF策略
-	sharedWAFManager.UpdatePolicies(config.FindAllFirewallPolicies())
+	waf.SharedWAFManager.UpdatePolicies(config.FindAllFirewallPolicies())
 	iplibrary.SharedActionManager.UpdateActions(config.FirewallActions)

 	// 统计指标
--- a/internal/nodes/waf_manager.go
+++ b/internal/nodes/waf_manager.go
@@ -1,191 +0,0 @@
-package nodes
-
-import (
-	"github.com/TeaOSLab/EdgeCommon/pkg/serverconfigs/firewallconfigs"
-	"github.com/TeaOSLab/EdgeNode/internal/errors"
-	"github.com/TeaOSLab/EdgeNode/internal/remotelogs"
-	"github.com/TeaOSLab/EdgeNode/internal/waf"
-	"strconv"
-	"sync"
-)
-
-var sharedWAFManager = NewWAFManager()
-
-// WAFManager WAF管理器
-type WAFManager struct {
-	mapping map[int64]*waf.WAF // policyId => WAF
-	locker  sync.RWMutex
-}
-
-// NewWAFManager 获取新对象
-func NewWAFManager() *WAFManager {
-	return &WAFManager{
-		mapping: map[int64]*waf.WAF{},
-	}
-}
-
-// UpdatePolicies 更新策略
-func (this *WAFManager) UpdatePolicies(policies []*firewallconfigs.HTTPFirewallPolicy) {
-	this.locker.Lock()
-	defer this.locker.Unlock()
-
-	m := map[int64]*waf.WAF{}
-	for _, p := range policies {
-		w, err := this.convertWAF(p)
-		if w != nil {
-			m[p.Id] = w
-		}
-		if err != nil {
-			remotelogs.Error("WAF", "initialize policy '"+strconv.FormatInt(p.Id, 10)+"' failed: "+err.Error())
-			continue
-		}
-	}
-	this.mapping = m
-}
-
-// FindWAF 查找WAF
-func (this *WAFManager) FindWAF(policyId int64) *waf.WAF {
-	this.locker.RLock()
-	w, _ := this.mapping[policyId]
-	this.locker.RUnlock()
-	return w
-}
-
-// 将Policy转换为WAF
-func (this *WAFManager) convertWAF(policy *firewallconfigs.HTTPFirewallPolicy) (*waf.WAF, error) {
-	if policy == nil {
-		return nil, errors.New("policy should not be nil")
-	}
-	if len(policy.Mode) == 0 {
-		policy.Mode = firewallconfigs.FirewallModeDefend
-	}
-	w := &waf.WAF{
-		Id:               policy.Id,
-		IsOn:             policy.IsOn,
-		Name:             policy.Name,
-		Mode:             policy.Mode,
-		UseLocalFirewall: policy.UseLocalFirewall,
-		SYNFlood:         policy.SYNFlood,
-	}
-
-	// inbound
-	if policy.Inbound != nil && policy.Inbound.IsOn {
-		for _, group := range policy.Inbound.Groups {
-			g := &waf.RuleGroup{
-				Id:          group.Id,
-				IsOn:        group.IsOn,
-				Name:        group.Name,
-				Description: group.Description,
-				Code:        group.Code,
-				IsInbound:   true,
-			}
-
-			// rule sets
-			for _, set := range group.Sets {
-				s := &waf.RuleSet{
-					Id:          set.Id,
-					Code:        set.Code,
-					IsOn:        set.IsOn,
-					Name:        set.Name,
-					Description: set.Description,
-					Connector:   set.Connector,
-					IgnoreLocal: set.IgnoreLocal,
-				}
-				for _, a := range set.Actions {
-					s.AddAction(a.Code, a.Options)
-				}
-
-				// rules
-				for _, rule := range set.Rules {
-					r := &waf.Rule{
-						Description:       rule.Description,
-						Param:             rule.Param,
-						ParamFilters:      []*waf.ParamFilter{},
-						Operator:          rule.Operator,
-						Value:             rule.Value,
-						IsCaseInsensitive: rule.IsCaseInsensitive,
-						CheckpointOptions: rule.CheckpointOptions,
-					}
-
-					for _, paramFilter := range rule.ParamFilters {
-						r.ParamFilters = append(r.ParamFilters, &waf.ParamFilter{
-							Code:    paramFilter.Code,
-							Options: paramFilter.Options,
-						})
-					}
-
-					s.Rules = append(s.Rules, r)
-				}
-
-				g.RuleSets = append(g.RuleSets, s)
-			}
-
-			w.Inbound = append(w.Inbound, g)
-		}
-	}
-
-	// outbound
-	if policy.Outbound != nil && policy.Outbound.IsOn {
-		for _, group := range policy.Outbound.Groups {
-			g := &waf.RuleGroup{
-				Id:          group.Id,
-				IsOn:        group.IsOn,
-				Name:        group.Name,
-				Description: group.Description,
-				Code:        group.Code,
-				IsInbound:   true,
-			}
-
-			// rule sets
-			for _, set := range group.Sets {
-				s := &waf.RuleSet{
-					Id:          set.Id,
-					Code:        set.Code,
-					IsOn:        set.IsOn,
-					Name:        set.Name,
-					Description: set.Description,
-					Connector:   set.Connector,
-					IgnoreLocal: set.IgnoreLocal,
-				}
-
-				for _, a := range set.Actions {
-					s.AddAction(a.Code, a.Options)
-				}
-
-				// rules
-				for _, rule := range set.Rules {
-					r := &waf.Rule{
-						Description:       rule.Description,
-						Param:             rule.Param,
-						Operator:          rule.Operator,
-						Value:             rule.Value,
-						IsCaseInsensitive: rule.IsCaseInsensitive,
-						CheckpointOptions: rule.CheckpointOptions,
-					}
-					s.Rules = append(s.Rules, r)
-				}
-
-				g.RuleSets = append(g.RuleSets, s)
-			}
-
-			w.Outbound = append(w.Outbound, g)
-		}
-	}
-
-	// action
-	if policy.BlockOptions != nil {
-		w.DefaultBlockAction = &waf.BlockAction{
-			StatusCode: policy.BlockOptions.StatusCode,
-			Body:       policy.BlockOptions.Body,
-			URL:        policy.BlockOptions.URL,
-			Timeout:    policy.BlockOptions.Timeout,
-		}
-	}
-
-	errorList := w.Init()
-	if len(errorList) > 0 {
-		return w, errorList[0]
-	}
-
-	return w, nil
-}
--- a/internal/nodes/waf_manager_test.go
+++ b/internal/nodes/waf_manager_test.go
@@ -1,44 +0,0 @@
-package nodes
-
-import (
-	"github.com/TeaOSLab/EdgeCommon/pkg/serverconfigs/firewallconfigs"
-	"github.com/iwind/TeaGo/logs"
-	"testing"
-)
-
-func TestWAFManager_convert(t *testing.T) {
-	p := &firewallconfigs.HTTPFirewallPolicy{
-		Id:   1,
-		IsOn: true,
-		Inbound: &firewallconfigs.HTTPFirewallInboundConfig{
-			IsOn: true,
-			Groups: []*firewallconfigs.HTTPFirewallRuleGroup{
-				{
-					Id: 1,
-					Sets: []*firewallconfigs.HTTPFirewallRuleSet{
-						{
-							Id: 1,
-						},
-						{
-							Id: 2,
-							Rules: []*firewallconfigs.HTTPFirewallRule{
-								{
-									Id: 1,
-								},
-								{
-									Id: 2,
-								},
-							},
-						},
-					},
-				},
-			},
-		},
-	}
-	w, err := sharedWAFManager.convertWAF(p)
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	logs.PrintAsJSON(w, t)
-}