IP名单中IP创建时保存相关节点、服务、WAF策略信息
@@ -7,4 +7,6 @@ var (
|
||||
|
||||
InTrafficBytes = uint64(0)
|
||||
OutTrafficBytes = uint64(0)
|
||||
|
||||
NodeId int64 = 0
|
||||
)
|
||||
|
||||
@@ -131,6 +131,7 @@ func (this *Node) Start() {
|
||||
remotelogs.Error("NODE", "start failed: read node config failed: "+err.Error())
|
||||
return
|
||||
}
|
||||
teaconst.NodeId = nodeConfig.Id
|
||||
err = nodeConfig.Init()
|
||||
if err != nil {
|
||||
remotelogs.Error("NODE", "init node config failed: "+err.Error())
|
||||
@@ -363,6 +364,7 @@ func (this *Node) syncConfig(taskVersion int64) error {
|
||||
if err != nil {
|
||||
return errors.New("decode config failed: " + err.Error())
|
||||
}
|
||||
teaconst.NodeId = nodeConfig.Id
|
||||
|
||||
// 写入到文件中
|
||||
err = nodeConfig.Save()
|
||||
|
||||
@@ -61,7 +61,7 @@ func (this *WAFManager) convertWAF(policy *firewallconfigs.HTTPFirewallPolicy) (
|
||||
policy.Mode = firewallconfigs.FirewallModeDefend
|
||||
}
|
||||
w := &waf.WAF{
|
||||
Id: strconv.FormatInt(policy.Id, 10),
|
||||
Id: policy.Id,
|
||||
IsOn: policy.IsOn,
|
||||
Name: policy.Name,
|
||||
Mode: policy.Mode,
|
||||
@@ -71,7 +71,7 @@ func (this *WAFManager) convertWAF(policy *firewallconfigs.HTTPFirewallPolicy) (
|
||||
if policy.Inbound != nil && policy.Inbound.IsOn {
|
||||
for _, group := range policy.Inbound.Groups {
|
||||
g := &waf.RuleGroup{
|
||||
Id: strconv.FormatInt(group.Id, 10),
|
||||
Id: group.Id,
|
||||
IsOn: group.IsOn,
|
||||
Name: group.Name,
|
||||
Description: group.Description,
|
||||
@@ -82,7 +82,7 @@ func (this *WAFManager) convertWAF(policy *firewallconfigs.HTTPFirewallPolicy) (
|
||||
// rule sets
|
||||
for _, set := range group.Sets {
|
||||
s := &waf.RuleSet{
|
||||
Id: strconv.FormatInt(set.Id, 10),
|
||||
Id: set.Id,
|
||||
Code: set.Code,
|
||||
IsOn: set.IsOn,
|
||||
Name: set.Name,
|
||||
@@ -126,7 +126,7 @@ func (this *WAFManager) convertWAF(policy *firewallconfigs.HTTPFirewallPolicy) (
|
||||
if policy.Outbound != nil && policy.Outbound.IsOn {
|
||||
for _, group := range policy.Outbound.Groups {
|
||||
g := &waf.RuleGroup{
|
||||
Id: strconv.FormatInt(group.Id, 10),
|
||||
Id: group.Id,
|
||||
IsOn: group.IsOn,
|
||||
Name: group.Name,
|
||||
Description: group.Description,
|
||||
@@ -137,7 +137,7 @@ func (this *WAFManager) convertWAF(policy *firewallconfigs.HTTPFirewallPolicy) (
|
||||
// rule sets
|
||||
for _, set := range group.Sets {
|
||||
s := &waf.RuleSet{
|
||||
Id: strconv.FormatInt(set.Id, 10),
|
||||
Id: set.Id,
|
||||
Code: set.Code,
|
||||
IsOn: set.IsOn,
|
||||
Name: set.Name,
|
||||
|
||||
@@ -5,6 +5,7 @@ import (
|
||||
"github.com/TeaOSLab/EdgeNode/internal/utils"
|
||||
"github.com/TeaOSLab/EdgeNode/internal/waf/requests"
|
||||
"github.com/iwind/TeaGo/maps"
|
||||
"github.com/iwind/TeaGo/types"
|
||||
stringutil "github.com/iwind/TeaGo/utils/string"
|
||||
"net/http"
|
||||
"net/url"
|
||||
@@ -44,7 +45,7 @@ func (this *CaptchaAction) WillChange() bool {
|
||||
|
||||
func (this *CaptchaAction) Perform(waf *WAF, group *RuleGroup, set *RuleSet, request requests.Request, writer http.ResponseWriter) (allow bool) {
|
||||
// 是否在白名单中
|
||||
if SharedIPWhiteList.Contains("set:"+set.Id, this.Scope, request.WAFServerId(), request.WAFRemoteIP()) {
|
||||
if SharedIPWhiteList.Contains("set:"+types.String(set.Id), this.Scope, request.WAFServerId(), request.WAFRemoteIP()) {
|
||||
return true
|
||||
}
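Review bot: The whitelist key `"set:"+types.String(set.Id)` collapses to the single key `set:0` for every rule set whose Id was never assigned, so an IP that solves the captcha for one such set is then treated as whitelisted for all of them. That situation looks reachable after this commit: RuleSet.Id is now an int64 whose zero value is 0 and NewRuleSet no longer assigns a random Id, so sets built in code (presumably the Template() groups merged by MergeTemplate) would share Id 0 — worth confirming against Template(). Either assign Ids to template sets when they are merged, or treat an unassigned set as not whitelistable, e.g. `if set.Id > 0 && SharedIPWhiteList.Contains("set:"+types.String(set.Id), this.Scope, request.WAFServerId(), request.WAFRemoteIP()) {` with the matching guard on the Add side in RecordIPAction. The same lookup appears in Get302Action, Post307Action and RecordIPAction in this commit; Perform continues outside the hunk.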
|
||||
|
||||
|
||||
@@ -5,6 +5,7 @@ import (
|
||||
"github.com/TeaOSLab/EdgeNode/internal/utils"
|
||||
"github.com/TeaOSLab/EdgeNode/internal/waf/requests"
|
||||
"github.com/iwind/TeaGo/maps"
|
||||
"github.com/iwind/TeaGo/types"
|
||||
"net/http"
|
||||
"net/url"
|
||||
"time"
|
||||
@@ -47,7 +48,7 @@ func (this *Get302Action) Perform(waf *WAF, group *RuleGroup, set *RuleSet, requ
|
||||
}
|
||||
|
||||
// 是否已经在白名单中
|
||||
if SharedIPWhiteList.Contains("set:"+set.Id, this.Scope, request.WAFServerId(), request.WAFRemoteIP()) {
|
||||
if SharedIPWhiteList.Contains("set:"+types.String(set.Id), this.Scope, request.WAFServerId(), request.WAFRemoteIP()) {
|
||||
return true
|
||||
}
|
||||
|
||||
|
||||
@@ -3,6 +3,7 @@ package waf
|
||||
import (
|
||||
"github.com/TeaOSLab/EdgeNode/internal/waf/requests"
|
||||
"github.com/iwind/TeaGo/logs"
|
||||
"github.com/iwind/TeaGo/types"
|
||||
"net/http"
|
||||
)
|
||||
|
||||
@@ -27,7 +28,7 @@ func (this *GoGroupAction) WillChange() bool {
|
||||
}
|
||||
|
||||
func (this *GoGroupAction) Perform(waf *WAF, group *RuleGroup, set *RuleSet, request requests.Request, writer http.ResponseWriter) (allow bool) {
|
||||
nextGroup := waf.FindRuleGroup(this.GroupId)
|
||||
nextGroup := waf.FindRuleGroup(types.Int64(this.GroupId))
|
||||
if nextGroup == nil || !nextGroup.IsOn {
|
||||
return true
|
||||
}
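Review bot: `types.Int64(this.GroupId)` converts the configured group id on every request, and if GroupId is not a numeric string the conversion presumably yields 0 rather than an error; because this commit also removed FindRuleGroup's empty-id check, a mistyped GroupId would now silently jump to whichever group carries Id 0 instead of being skipped as before. Parse it once when the action is configured and reject a zero result there, or at minimum guard here with `groupId := types.Int64(this.GroupId); if groupId <= 0 { return true }` before the lookup. GoSetAction in the next hunk has the same shape for both GroupId and SetId; Perform's body continues outside the hunk.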
|
||||
|
||||
@@ -3,6 +3,7 @@ package waf
|
||||
import (
|
||||
"github.com/TeaOSLab/EdgeNode/internal/waf/requests"
|
||||
"github.com/iwind/TeaGo/logs"
|
||||
"github.com/iwind/TeaGo/types"
|
||||
"net/http"
|
||||
)
|
||||
|
||||
@@ -28,11 +29,11 @@ func (this *GoSetAction) WillChange() bool {
|
||||
}
|
||||
|
||||
func (this *GoSetAction) Perform(waf *WAF, group *RuleGroup, set *RuleSet, request requests.Request, writer http.ResponseWriter) (allow bool) {
|
||||
nextGroup := waf.FindRuleGroup(this.GroupId)
|
||||
nextGroup := waf.FindRuleGroup(types.Int64(this.GroupId))
|
||||
if nextGroup == nil || !nextGroup.IsOn {
|
||||
return true
|
||||
}
|
||||
nextSet := nextGroup.FindRuleSet(this.SetId)
|
||||
nextSet := nextGroup.FindRuleSet(types.Int64(this.SetId))
|
||||
if nextSet == nil || !nextSet.IsOn {
|
||||
return true
|
||||
}
|
||||
|
||||
@@ -5,6 +5,7 @@ import (
|
||||
"github.com/TeaOSLab/EdgeNode/internal/utils"
|
||||
"github.com/TeaOSLab/EdgeNode/internal/waf/requests"
|
||||
"github.com/iwind/TeaGo/maps"
|
||||
"github.com/iwind/TeaGo/types"
|
||||
"net/http"
|
||||
"time"
|
||||
)
|
||||
@@ -41,7 +42,7 @@ func (this *Post307Action) Perform(waf *WAF, group *RuleGroup, set *RuleSet, req
|
||||
}
|
||||
|
||||
// 是否已经在白名单中
|
||||
if SharedIPWhiteList.Contains("set:"+set.Id, this.Scope, request.WAFServerId(), request.WAFRemoteIP()) {
|
||||
if SharedIPWhiteList.Contains("set:"+types.String(set.Id), this.Scope, request.WAFServerId(), request.WAFRemoteIP()) {
|
||||
return true
|
||||
}
|
||||
|
||||
|
||||
@@ -2,10 +2,12 @@ package waf
|
||||
|
||||
import (
|
||||
"github.com/TeaOSLab/EdgeCommon/pkg/rpc/pb"
|
||||
teaconst "github.com/TeaOSLab/EdgeNode/internal/const"
|
||||
"github.com/TeaOSLab/EdgeNode/internal/events"
|
||||
"github.com/TeaOSLab/EdgeNode/internal/remotelogs"
|
||||
"github.com/TeaOSLab/EdgeNode/internal/rpc"
|
||||
"github.com/TeaOSLab/EdgeNode/internal/waf/requests"
|
||||
"github.com/iwind/TeaGo/types"
|
||||
"net/http"
|
||||
"strings"
|
||||
"time"
|
||||
@@ -16,6 +18,11 @@ type recordIPTask struct {
|
||||
listId int64
|
||||
expiredAt int64
|
||||
level string
|
||||
|
||||
sourceServerId int64
|
||||
sourceHTTPFirewallPolicyId int64
|
||||
sourceHTTPFirewallRuleGroupId int64
|
||||
sourceHTTPFirewallRuleSetId int64
|
||||
}
|
||||
|
||||
var recordIPTaskChan = make(chan *recordIPTask, 1024)
|
||||
@@ -42,6 +49,11 @@ func init() {
|
||||
Reason: "触发WAF规则自动加入",
|
||||
Type: ipType,
|
||||
EventLevel: task.level,
|
||||
SourceNodeId: teaconst.NodeId,
|
||||
SourceServerId: task.sourceServerId,
|
||||
SourceHTTPFirewallPolicyId: task.sourceHTTPFirewallPolicyId,
|
||||
SourceHTTPFirewallRuleGroupId: task.sourceHTTPFirewallRuleGroupId,
|
||||
SourceHTTPFirewallRuleSetId: task.sourceHTTPFirewallRuleSetId,
|
||||
})
|
||||
if err != nil {
|
||||
remotelogs.Error("WAF_RECORD_IP_ACTION", "create ip item failed: "+err.Error())
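Review bot: `SourceNodeId: teaconst.NodeId` is read on the goroutine that drains recordIPTaskChan, while the same plain package-level int64 is assigned in Node.Start and in syncConfig elsewhere in this commit; if syncConfig runs on a separate goroutine, as a periodic config sync presumably does, that write/read is unsynchronized and `go test -race` will report it. A 64-bit store is usually atomic on amd64 so the practical risk is a stale node id in the report, but the cheap fix is to make the field an `atomic.Int64` in teaconst and use `teaconst.NodeId.Store(nodeConfig.Id)` at the two writers and `SourceNodeId: teaconst.NodeId.Load()` here. The enclosing init() goroutine body starts and ends outside this hunk.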
|
||||
@@ -79,7 +91,7 @@ func (this *RecordIPAction) WillChange() bool {
|
||||
|
||||
func (this *RecordIPAction) Perform(waf *WAF, group *RuleGroup, set *RuleSet, request requests.Request, writer http.ResponseWriter) (allow bool) {
|
||||
// 是否在本地白名单中
|
||||
if SharedIPWhiteList.Contains("set:"+set.Id, this.Scope, request.WAFServerId(), request.WAFRemoteIP()) {
|
||||
if SharedIPWhiteList.Contains("set:"+types.String(set.Id), this.Scope, request.WAFServerId(), request.WAFRemoteIP()) {
|
||||
return true
|
||||
}
|
||||
|
||||
@@ -98,7 +110,7 @@ func (this *RecordIPAction) Perform(waf *WAF, group *RuleGroup, set *RuleSet, re
|
||||
SharedIPBlackList.Add(IPTypeAll, this.Scope, request.WAFServerId(), request.WAFRemoteIP(), expiredAt)
|
||||
} else {
|
||||
// 加入本地白名单
|
||||
SharedIPWhiteList.Add("set:"+set.Id, this.Scope, request.WAFServerId(), request.WAFRemoteIP(), expiredAt)
|
||||
SharedIPWhiteList.Add("set:"+types.String(set.Id), this.Scope, request.WAFServerId(), request.WAFRemoteIP(), expiredAt)
|
||||
}
|
||||
|
||||
// 上报
|
||||
@@ -109,6 +121,10 @@ func (this *RecordIPAction) Perform(waf *WAF, group *RuleGroup, set *RuleSet, re
|
||||
listId: this.IPListId,
|
||||
expiredAt: expiredAt,
|
||||
level: this.Level,
|
||||
sourceServerId: request.WAFServerId(),
|
||||
sourceHTTPFirewallPolicyId: waf.Id,
|
||||
sourceHTTPFirewallRuleGroupId: group.Id,
|
||||
sourceHTTPFirewallRuleSetId: set.Id,
|
||||
}:
|
||||
default:
|
||||
|
||||
|
||||
@@ -6,7 +6,7 @@ import (
|
||||
|
||||
// rule group
|
||||
type RuleGroup struct {
|
||||
Id string `yaml:"id" json:"id"`
|
||||
Id int64 `yaml:"id" json:"id"`
|
||||
IsOn bool `yaml:"isOn" json:"isOn"`
|
||||
Name string `yaml:"name" json:"name"` // such as SQL Injection
|
||||
Description string `yaml:"description" json:"description"`
|
||||
@@ -41,10 +41,7 @@ func (this *RuleGroup) AddRuleSet(ruleSet *RuleSet) {
|
||||
this.RuleSets = append(this.RuleSets, ruleSet)
|
||||
}
|
||||
|
||||
func (this *RuleGroup) FindRuleSet(id string) *RuleSet {
|
||||
if len(id) == 0 {
|
||||
return nil
|
||||
}
|
||||
func (this *RuleGroup) FindRuleSet(id int64) *RuleSet {
|
||||
for _, ruleSet := range this.RuleSets {
|
||||
if ruleSet.Id == id {
|
||||
return ruleSet
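Review bot: `FindRuleSet` lost the empty-id guard when its parameter changed from string to int64, so `FindRuleSet(0)` now returns the first set whose Id is 0 instead of nil. That matters because NewRuleSet in this commit no longer assigns an Id, so any set constructed in code carries Id 0, and GoSetAction feeds `types.Int64(this.SetId)` straight in — a missing or non-numeric SetId would then jump to an arbitrary zero-id set rather than being a no-op as before. Restoring the guard as `if id <= 0 { return nil }` keeps the old semantics; `RemoveRuleSet` in the next hunk dropped the same check and would otherwise remove every unassigned set at once. The loop body continues outside the hunk.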
|
||||
@@ -65,10 +62,7 @@ func (this *RuleGroup) FindRuleSetWithCode(code string) *RuleSet {
|
||||
return nil
|
||||
}
|
||||
|
||||
func (this *RuleGroup) RemoveRuleSet(id string) {
|
||||
if len(id) == 0 {
|
||||
return
|
||||
}
|
||||
func (this *RuleGroup) RemoveRuleSet(id int64) {
|
||||
result := []*RuleSet{}
|
||||
for _, ruleSet := range this.RuleSets {
|
||||
if ruleSet.Id == id {
|
||||
|
||||
@@ -6,7 +6,6 @@ import (
|
||||
"github.com/TeaOSLab/EdgeNode/internal/waf/requests"
|
||||
"github.com/iwind/TeaGo/lists"
|
||||
"github.com/iwind/TeaGo/maps"
|
||||
"github.com/iwind/TeaGo/utils/string"
|
||||
"net/http"
|
||||
"sort"
|
||||
)
|
||||
@@ -19,7 +18,7 @@ const (
|
||||
)
|
||||
|
||||
type RuleSet struct {
|
||||
Id string `yaml:"id" json:"id"`
|
||||
Id int64 `yaml:"id" json:"id"`
|
||||
Code string `yaml:"code" json:"code"`
|
||||
IsOn bool `yaml:"isOn" json:"isOn"`
|
||||
Name string `yaml:"name" json:"name"`
|
||||
@@ -36,7 +35,6 @@ type RuleSet struct {
|
||||
|
||||
func NewRuleSet() *RuleSet {
|
||||
return &RuleSet{
|
||||
Id: stringutil.Rand(16),
|
||||
IsOn: true,
|
||||
}
|
||||
}
|
||||
|
||||
@@ -2,7 +2,7 @@ package waf
|
||||
|
||||
func Template() *WAF {
|
||||
waf := NewWAF()
|
||||
waf.Id = "template"
|
||||
waf.Id = 0
|
||||
waf.IsOn = true
|
||||
|
||||
// xss
|
||||
|
||||
@@ -8,7 +8,6 @@ import (
|
||||
"github.com/TeaOSLab/EdgeNode/internal/waf/requests"
|
||||
"github.com/iwind/TeaGo/Tea"
|
||||
"github.com/iwind/TeaGo/files"
|
||||
"github.com/iwind/TeaGo/utils/string"
|
||||
"gopkg.in/yaml.v3"
|
||||
"io/ioutil"
|
||||
"net/http"
|
||||
@@ -16,7 +15,7 @@ import (
|
||||
)
|
||||
|
||||
type WAF struct {
|
||||
Id string `yaml:"id" json:"id"`
|
||||
Id int64 `yaml:"id" json:"id"`
|
||||
IsOn bool `yaml:"isOn" json:"isOn"`
|
||||
Name string `yaml:"name" json:"name"`
|
||||
Inbound []*RuleGroup `yaml:"inbound" json:"inbound"`
|
||||
@@ -35,7 +34,6 @@ type WAF struct {
|
||||
|
||||
func NewWAF() *WAF {
|
||||
return &WAF{
|
||||
Id: stringutil.Rand(16),
|
||||
IsOn: true,
|
||||
}
|
||||
}
|
||||
@@ -121,11 +119,7 @@ func (this *WAF) AddRuleGroup(ruleGroup *RuleGroup) {
|
||||
}
|
||||
}
|
||||
|
||||
func (this *WAF) RemoveRuleGroup(ruleGroupId string) {
|
||||
if len(ruleGroupId) == 0 {
|
||||
return
|
||||
}
|
||||
|
||||
func (this *WAF) RemoveRuleGroup(ruleGroupId int64) {
|
||||
{
|
||||
result := []*RuleGroup{}
|
||||
for _, group := range this.Inbound {
|
||||
@@ -149,10 +143,7 @@ func (this *WAF) RemoveRuleGroup(ruleGroupId string) {
|
||||
}
|
||||
}
|
||||
|
||||
func (this *WAF) FindRuleGroup(ruleGroupId string) *RuleGroup {
|
||||
if len(ruleGroupId) == 0 {
|
||||
return nil
|
||||
}
|
||||
func (this *WAF) FindRuleGroup(ruleGroupId int64) *RuleGroup {
|
||||
for _, group := range this.Inbound {
|
||||
if group.Id == ruleGroupId {
|
||||
return group
|
||||
@@ -396,10 +387,14 @@ func (this *WAF) MergeTemplate() (changedItems []string) {
|
||||
groups := []*RuleGroup{}
|
||||
groups = append(groups, template.Inbound...)
|
||||
groups = append(groups, template.Outbound...)
|
||||
|
||||
var newGroupId int64 = 1_000_000_000
|
||||
|
||||
for _, group := range groups {
|
||||
oldGroup := this.FindRuleGroupWithCode(group.Code)
|
||||
if oldGroup == nil {
|
||||
group.Id = stringutil.Rand(16)
|
||||
newGroupId++
|
||||
group.Id = newGroupId
|
||||
this.AddRuleGroup(group)
|
||||
changedItems = append(changedItems, "+group "+group.Name)
|
||||
continue
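Review bot: `newGroupId` restarts at 1_000_000_000 on every call and only advances for groups not yet present, so the second time MergeTemplate runs after the template gains a new group, that group is given 1_000_000_001 — the Id already handed to the first group merged on the previous run — and FindRuleGroup then returns whichever of the two comes first. Seeding the counter from the largest Id already in the policy avoids the reuse, and the 1_000_000_000 floor still keeps template groups clear of API-assigned Ids, assuming those stay well below it (the Outbound field is assumed to sit alongside Inbound on WAF, as convertWAF suggests). MergeTemplate starts and ends outside this hunk.
```go
var newGroupId int64 = 1_000_000_000
for _, g := range append(append([]*RuleGroup{}, this.Inbound...), this.Outbound...) {
	if g.Id > newGroupId {
		newGroupId = g.Id
	}
}
// … unchanged: loop over template groups, newGroupId++ / group.Id = newGroupId …
```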
|
||||
|
||||