From 7fea67a2b54317fdb2f918233dd6665d0ef1fb30 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E5=88=98=E7=A5=A5=E8=B6=85?= Date: Sat, 18 Nov 2023 15:02:58 +0800 Subject: [PATCH] =?UTF-8?q?=E5=8C=BA=E5=9F=9F=E5=B0=81=E7=A6=81=E6=94=AF?= =?UTF-8?q?=E6=8C=81=E8=A7=82=E5=AF=9F=E8=80=85=E6=A8=A1=E5=BC=8F?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- internal/nodes/http_request_waf.go | 67 +++++++++++++++++------------- 1 file changed, 38 insertions(+), 29 deletions(-) diff --git a/internal/nodes/http_request_waf.go b/internal/nodes/http_request_waf.go index f9e3be7..2d3eb46 100644 --- a/internal/nodes/http_request_waf.go +++ b/internal/nodes/http_request_waf.go @@ -96,6 +96,8 @@ func (this *HTTPRequest) checkWAFRequest(firewallPolicy *firewallconfigs.HTTPFir return } + var isDefendMode = firewallPolicy.Mode == firewallconfigs.FirewallModeDefend + // 检查IP白名单 var remoteAddrs []string if len(this.remoteAddr) > 0 { @@ -122,7 +124,7 @@ func (this *HTTPRequest) checkWAFRequest(firewallPolicy *firewallconfigs.HTTPFir } // 检查IP黑名单 - if firewallPolicy.Mode == firewallconfigs.FirewallModeDefend { + if isDefendMode { for _, ref := range inbound.AllDenyListRefs() { if ref.IsOn && ref.ListId > 0 { list := iplibrary.SharedIPListManager.FindList(ref.ListId) @@ -161,19 +163,20 @@ func (this *HTTPRequest) checkWAFRequest(firewallPolicy *firewallconfigs.HTTPFir } // 检查地区封禁 - if firewallPolicy.Mode == firewallconfigs.FirewallModeDefend { - if firewallPolicy.Inbound.Region != nil && firewallPolicy.Inbound.Region.IsOn { - var regionConfig = firewallPolicy.Inbound.Region - if regionConfig.IsNotEmpty() { - for _, remoteAddr := range remoteAddrs { - var result = iplib.LookupIP(remoteAddr) - if result != nil && result.IsOk() { - var currentURL = this.URL() - if regionConfig.MatchCountryURL(currentURL) { - // 检查国家/地区级别封禁 - if !regionConfig.IsAllowedCountry(result.CountryId(), result.ProvinceId()) { - this.firewallPolicyId = firewallPolicy.Id + if firewallPolicy.Inbound.Region != nil && firewallPolicy.Inbound.Region.IsOn { + var regionConfig = firewallPolicy.Inbound.Region + if regionConfig.IsNotEmpty() { + for _, remoteAddr := range remoteAddrs { + var result = iplib.LookupIP(remoteAddr) + if result != nil && result.IsOk() { + var currentURL = this.URL() + if regionConfig.MatchCountryURL(currentURL) { + // 检查国家/地区级别封禁 + if !regionConfig.IsAllowedCountry(result.CountryId(), result.ProvinceId()) { + this.firewallPolicyId = firewallPolicy.Id + + if isDefendMode { var promptHTML string if len(regionConfig.CountryHTML) > 0 { promptHTML = regionConfig.CountryHTML @@ -193,23 +196,27 @@ func (this *HTTPRequest) checkWAFRequest(firewallPolicy *firewallconfigs.HTTPFir // 延时返回,避免攻击 time.Sleep(1 * time.Second) + } - // 停止日志 - if !logDenying { - this.disableLog = true - } else { - this.tags = append(this.tags, "denyCountry") - } + // 停止日志 + if !logDenying { + this.disableLog = true + } else { + this.tags = append(this.tags, "denyCountry") + } + if isDefendMode { return true, false } } + } - if regionConfig.MatchProvinceURL(currentURL) { - // 检查省份封禁 - if !regionConfig.IsAllowedProvince(result.CountryId(), result.ProvinceId()) { - this.firewallPolicyId = firewallPolicy.Id + if regionConfig.MatchProvinceURL(currentURL) { + // 检查省份封禁 + if !regionConfig.IsAllowedProvince(result.CountryId(), result.ProvinceId()) { + this.firewallPolicyId = firewallPolicy.Id + if isDefendMode { var promptHTML string if len(regionConfig.ProvinceHTML) > 0 { promptHTML = regionConfig.ProvinceHTML @@ -229,14 +236,16 @@ func (this *HTTPRequest) checkWAFRequest(firewallPolicy *firewallconfigs.HTTPFir // 延时返回,避免攻击 time.Sleep(1 * time.Second) + } - // 停止日志 - if !logDenying { - this.disableLog = true - } else { - this.tags = append(this.tags, "denyProvince") - } + // 停止日志 + if !logDenying { + this.disableLog = true + } else { + this.tags = append(this.tags, "denyProvince") + } + if isDefendMode { return true, false } }