From 731f213310a753530b2a10c07ab843a8ed80e016 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E5=88=98=E7=A5=A5=E8=B6=85?=
Date: Wed, 8 May 2024 16:45:28 +0800
Subject: [PATCH] =?UTF-8?q?WAF=E8=A7=84=E5=88=99=E9=9B=86=E4=B8=AD?=
 =?UTF-8?q?=E5=A2=9E=E5=8A=A0=E2=80=9C=E5=85=81=E8=AE=B8=E6=90=9C=E7=B4=A2?=
 =?UTF-8?q?=E5=BC=95=E6=93=8E=E2=80=9D=E9=80=89=E9=A1=B9=EF=BC=8C=E5=8F=AF?=
 =?UTF-8?q?=E4=BB=A5=E5=BF=AB=E9=80=9F=E5=85=81=E8=AE=B8=E6=90=9C=E7=B4=A2?=
 =?UTF-8?q?=E5=BC=95=E6=93=8E=E8=AE=BF=E9=97=AE?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 internal/utils/agents/manager_test.go | 5 +++-
 internal/waf/rule_set.go | 37 +++++++++++++++++++--------
 internal/waf/utils/utils.go | 29 +++++++++++++++++++++
 internal/waf/waf_manager.go | 34 ++++++++++++------------
 4 files changed, 78 insertions(+), 27 deletions(-)

diff --git a/internal/utils/agents/manager_test.go b/internal/utils/agents/manager_test.go
index 7164d39..b27bd2f 100644
--- a/internal/utils/agents/manager_test.go
+++ b/internal/utils/agents/manager_test.go
@@ -33,5 +33,8 @@ func TestNewManager(t *testing.T) {
 t.Fatal(err)
 }
- t.Log(manager.LookupIP("192.168.3.100"))
+ t.Log(manager.LookupIP("192.168.3.100")) // not found
+ t.Log(manager.LookupIP("66.249.79.25")) // google
+ t.Log(manager.ContainsIP("66.249.79.25")) // true
+ t.Log(manager.ContainsIP("66.249.79.255")) // not found
 }
diff --git a/internal/waf/rule_set.go b/internal/waf/rule_set.go
index 9472e81..d96c2b7 100644
--- a/internal/waf/rule_set.go
+++ b/internal/waf/rule_set.go
@@ -6,6 +6,7 @@ import (
 "github.com/TeaOSLab/EdgeNode/internal/remotelogs"
 "github.com/TeaOSLab/EdgeNode/internal/utils"
 "github.com/TeaOSLab/EdgeNode/internal/waf/requests"
+ wafutils "github.com/TeaOSLab/EdgeNode/internal/waf/utils"
 "github.com/iwind/TeaGo/lists"
 "github.com/iwind/TeaGo/maps"
 "github.com/iwind/TeaGo/types"
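Review bot: The four added `t.Log` calls in TestNewManager record the expected outcomes only in comments (`// not found`, `// google`, `// true`), so the test passes whatever `LookupIP` and `ContainsIP` return and a regression in the agent data or the lookup logic goes unnoticed. If the agent data set is available in the test environment, turn at least the boolean cases into checks, e.g. `if !manager.ContainsIP("66.249.79.25") { t.Fatal("expected a known crawler IP") }` and `if manager.ContainsIP("66.249.79.255") { t.Fatal("unexpected crawler match") }`, with the expected values taken from the comments. If the data needs network or a database, `t.Skip` when it is absent rather than logging unconditionally.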
@@ -21,15 +22,16 @@ const (
 )
 type RuleSet struct {
- Id int64 `yaml:"id" json:"id"`
- Code string `yaml:"code" json:"code"`
- IsOn bool `yaml:"isOn" json:"isOn"`
- Name string `yaml:"name" json:"name"`
- Description string `yaml:"description" json:"description"`
- Rules []*Rule `yaml:"rules" json:"rules"`
- Connector RuleConnector `yaml:"connector" json:"connector"` // rules connector
- Actions []*ActionConfig `yaml:"actions" json:"actions"`
- IgnoreLocal bool `yaml:"ignoreLocal" json:"ignoreLocal"`
+ Id int64 `yaml:"id" json:"id"`
+ Code string `yaml:"code" json:"code"`
+ IsOn bool `yaml:"isOn" json:"isOn"`
+ Name string `yaml:"name" json:"name"`
+ Description string `yaml:"description" json:"description"`
+ Rules []*Rule `yaml:"rules" json:"rules"`
+ Connector RuleConnector `yaml:"connector" json:"connector"` // rules connector
+ Actions []*ActionConfig `yaml:"actions" json:"actions"`
+ IgnoreLocal bool `yaml:"ignoreLocal" json:"ignoreLocal"`
+ IgnoreSearchEngine bool `yaml:"ignoreSearchEngine" json:"ignoreSearchEngine"`
 actionCodes []string
 actionInstances []ActionInterface
@@ -225,7 +227,12 @@ func (this *RuleSet) PerformActions(waf *WAF, group *RuleGroup, req requests.Req
 func (this *RuleSet) MatchRequest(req requests.Request) (b bool, hasRequestBody bool, err error) {
 // 是否忽略局域网IP
 if this.IgnoreLocal && utils.IsLocalIP(req.WAFRemoteIP()) {
- return false, hasRequestBody, nil
+ return
+ }
+
+ // 检查是否为搜索引擎
+ if this.IgnoreSearchEngine && wafutils.CheckSearchEngine(req.WAFRemoteIP()) {
+ return
 }
 if !this.hasRules {
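Review bot: The new exported field `IgnoreSearchEngine` on RuleSet carries no comment, although its effect is large: when set, the whole rule set is skipped on both the request and the response side for any client address that `wafutils.CheckSearchEngine` classifies as a search engine, so a misclassification is a complete bypass of this set. Add a trailing comment such as `// skip this rule set entirely for remote IPs that wafutils.CheckSearchEngine classifies as search-engine crawlers`. `IgnoreLocal`, which the hunk realigns without documenting, would benefit from the same treatment.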
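Review bot: The exemption added to `MatchRequest` (and duplicated in `MatchResponse` in the next hunk) rests entirely on `req.WAFRemoteIP()`, so it is only as strong as that address: if WAFRemoteIP can be derived from a client-supplied forwarding header (not visible in this hunk), a client presenting a crawler address skips every rule in the set, body checks included, and that dependency should be recorded next to the check, e.g. `// trusts WAFRemoteIP: with a forwarded-header IP source this exemption is only as reliable as the proxy chain`. The check also runs once per rule set, and `CheckSearchEngine` can fall through to `iplibrary.LookupIP`, so a request traversing several sets with the flag repeats the lookup unless the library caches internally; computing the verdict once per request would avoid that. The bare `return` yields false/false/nil only because nothing assigns the named results earlier in the function, which a short comment like `// not matched, no error` would make explicit. MatchRequest's body continues outside the hunk.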
@@ -278,6 +285,16 @@ func (this *RuleSet) MatchRequest(req requests.Request) (b bool, hasRequestBody
 }
 func (this *RuleSet) MatchResponse(req requests.Request, resp *requests.Response) (b bool, hasRequestBody bool, err error) {
+ // 是否忽略局域网IP
+ if this.IgnoreLocal && utils.IsLocalIP(req.WAFRemoteIP()) {
+ return
+ }
+
+ // 检查是否为搜索引擎
+ if this.IgnoreSearchEngine && wafutils.CheckSearchEngine(req.WAFRemoteIP()) {
+ return
+ }
+
 if !this.hasRules {
 return false, hasRequestBody, nil
 }
diff --git a/internal/waf/utils/utils.go b/internal/waf/utils/utils.go
index 41ba5f2..fa377d7 100644
--- a/internal/waf/utils/utils.go
+++ b/internal/waf/utils/utils.go
@@ -1,8 +1,10 @@
 package utils
 import (
+ "github.com/TeaOSLab/EdgeCommon/pkg/iplibrary"
 teaconst "github.com/TeaOSLab/EdgeNode/internal/const"
 "github.com/TeaOSLab/EdgeNode/internal/re"
+ "github.com/TeaOSLab/EdgeNode/internal/utils/agents"
 "github.com/TeaOSLab/EdgeNode/internal/utils/cachehits"
 "github.com/TeaOSLab/EdgeNode/internal/utils/fasttime"
 "github.com/TeaOSLab/EdgeNode/internal/utils/ttlcache"
@@ -100,3 +102,30 @@ func MatchBytesCache(regex *re.Regexp, byteSlice []byte, cacheLife CacheLife) bo
 func ComposeIPType(setId int64, req requests.Request) string {
 return "set:" + types.String(setId) + "@" + stringutil.Md5(req.WAFRaw().UserAgent())
 }
+
+var searchEngineProviderMap = map[string]bool{
+ "谷歌": true,
+ "雅虎": true,
+ "脸书": true,
+ "百度": true,
+ "Facebook": true,
+ "Yandex": true,
+}
+
+// CheckSearchEngine check if ip is from search engines
+func CheckSearchEngine(ip string) bool {
+ if len(ip) == 0 {
+ return false
+ }
+
+ if agents.SharedManager.ContainsIP(ip) {
+ return true
+ }
+
+ var result = iplibrary.LookupIP(ip)
+ if result == nil {
+ return false
+ }
+
+ return searchEngineProviderMap[result.ProviderName()]
+}
diff --git a/internal/waf/waf_manager.go b/internal/waf/waf_manager.go
index edcb3c2..3aeafe1 100644
--- a/internal/waf/waf_manager.go
+++ b/internal/waf/waf_manager.go
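Review bot: `CheckSearchEngine` grants the exemption in its fallback by matching the provider name returned by `iplibrary.LookupIP` against `searchEngineProviderMap`, which is a far coarser signal than the verified crawler list consulted first through `agents.SharedManager.ContainsIP`: if the IP library attributes a provider's whole address space (hosting or cloud customers included) to a name like "谷歌" or "Facebook", every address in it bypasses any rule set with `IgnoreSearchEngine` set. Consider limiting the fallback to providers whose ranges are known to be crawler-only, or at least document the trade-off: on the map, `// provider names from iplibrary treated as search engines; this matches by provider, not by verified crawler range, so it is broader than agents.SharedManager.ContainsIP`, and on the function, `// CheckSearchEngine reports whether ip is on the verified crawler list or, failing that, belongs to a provider listed in searchEngineProviderMap.` The map mixes localized and English provider names ("谷歌", "脸书" next to "Facebook", "Yandex"), so whether `ProviderName()` can return both spellings should be confirmed against the library. "脸书"/"Facebook" is a social-network crawler rather than a search engine, which the option's name does not suggest and is worth a note for operators.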
@@ -95,14 +95,15 @@ func (this *WAFManager) ConvertWAF(policy *firewallconfigs.HTTPFirewallPolicy) (
 // rule sets
 for _, set := range group.Sets {
- s := &RuleSet{
- Id: set.Id,
- Code: set.Code,
- IsOn: set.IsOn,
- Name: set.Name,
- Description: set.Description,
- Connector: set.Connector,
- IgnoreLocal: set.IgnoreLocal,
+ var s = &RuleSet{
+ Id: set.Id,
+ Code: set.Code,
+ IsOn: set.IsOn,
+ Name: set.Name,
+ Description: set.Description,
+ Connector: set.Connector,
+ IgnoreLocal: set.IgnoreLocal,
+ IgnoreSearchEngine: set.IgnoreSearchEngine,
 }
 for _, a := range set.Actions {
 s.AddAction(a.Code, a.Options)
@@ -152,14 +153,15 @@ func (this *WAFManager) ConvertWAF(policy *firewallconfigs.HTTPFirewallPolicy) (
 // rule sets
 for _, set := range group.Sets {
- s := &RuleSet{
- Id: set.Id,
- Code: set.Code,
- IsOn: set.IsOn,
- Name: set.Name,
- Description: set.Description,
- Connector: set.Connector,
- IgnoreLocal: set.IgnoreLocal,
+ var s = &RuleSet{
+ Id: set.Id,
+ Code: set.Code,
+ IsOn: set.IsOn,
+ Name: set.Name,
+ Description: set.Description,
+ Connector: set.Connector,
+ IgnoreLocal: set.IgnoreLocal,
+ IgnoreSearchEngine: set.IgnoreSearchEngine,
 }
 for _, a := range set.Actions {
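Review bot: The `RuleSet` literal in ConvertWAF is maintained in two places (this hunk and the one at -152), and this commit had to add `IgnoreSearchEngine` to both; a field added to only one copy would silently leave the other set of rule sets without the option. Extracting the construction into one private helper that takes the config set and returns the populated `*RuleSet` (including the `AddAction` loop that follows) would make the two call sites a one-liner and remove the chance of drift; the config type is not visible here, so the signature is left to the author. The `s :=` to `var s =` change is cosmetic and could be left out of a functional commit. ConvertWAF's body continues outside the hunk.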