Block动作增加默认时间60秒

internal/nodes/http_request_waf.go

@@ -16,6 +16,15 @@ import (
 
 // 调用WAF
 func (this *HTTPRequest) doWAFRequest() (blocked bool) {
+	// 当前连接是否已关闭
+	var conn = this.RawReq.Context().Value(HTTPConnContextKey)
+	if conn != nil {
+		trafficConn, ok := conn.(*TrafficConn)
+		if ok && trafficConn.IsClosed() {
+			return true
+		}
+	}
+
 	// 当前服务的独立设置
 	if this.web.FirewallPolicy != nil && this.web.FirewallPolicy.IsOn {
 		blocked, breakChecking := this.checkWAFRequest(this.web.FirewallPolicy)

internal/nodes/listener_http.go

@@ -1,6 +1,7 @@
 package nodes
 
 import (
+	"context"
 	"github.com/TeaOSLab/EdgeCommon/pkg/serverconfigs"
 	"github.com/TeaOSLab/EdgeNode/internal/remotelogs"
 	"golang.org/x/net/http2"
@@ -18,6 +19,12 @@ var httpErrorLogger = log.New(io.Discard, "", 0)
 var metricNewConnMap = map[string]bool{} // remoteAddr => bool
 var metricNewConnMapLocker = &sync.Mutex{}
 
+type contextKey struct {
+	key string
+}
+
+var HTTPConnContextKey = &contextKey{key: "http-conn"}
+
 type HTTPListener struct {
 	BaseListener
 
@@ -65,6 +72,9 @@ func (this *HTTPListener) Serve() error {
 				metricNewConnMapLocker.Unlock()
 			}
 		},
+		ConnContext: func(ctx context.Context, c net.Conn) context.Context {
+			return context.WithValue(ctx, HTTPConnContextKey, c)
+		},
 	}
 	this.httpServer.SetKeepAlivesEnabled(true)
 

internal/nodes/traffic_conn.go

@@ -45,6 +45,7 @@ func init() {
 // TrafficConn 用于统计流量的连接
 type TrafficConn struct {
 	rawConn  net.Conn
+	isClosed bool
 }
 
 func NewTrafficConn(conn net.Conn) net.Conn {
@@ -68,6 +69,7 @@ func (this *TrafficConn) Write(b []byte) (n int, err error) {
 }
 
 func (this *TrafficConn) Close() error {
+	this.isClosed = true
 	return this.rawConn.Close()
 }
 
@@ -90,3 +92,7 @@ func (this *TrafficConn) SetReadDeadline(t time.Time) error {
 func (this *TrafficConn) SetWriteDeadline(t time.Time) error {
 	return this.rawConn.SetWriteDeadline(t)
 }
+
+func (this *TrafficConn) IsClosed() bool {
+	return this.isClosed
+}

internal/nodes/traffic_listener.go

@@ -24,7 +24,7 @@ func (this *TrafficListener) Accept() (net.Conn, error) {
 	// 是否在WAF名单中
 	ip, _, err := net.SplitHostPort(conn.RemoteAddr().String())
 	if err == nil {
-		if !waf.SharedIPWhiteList.Contains(waf.IPTypeAll, ip) && waf.SharedIPBlackLIst.Contains(waf.IPTypeAll, ip) {
+		if !waf.SharedIPWhiteList.Contains(waf.IPTypeAll, ip) && waf.SharedIPBlackList.Contains(waf.IPTypeAll, ip) {
 			defer func() {
 				_ = conn.Close()
 			}()

internal/waf/action_block.go

@@ -57,10 +57,12 @@ func (this *BlockAction) WillChange() bool {
 }
 
 func (this *BlockAction) Perform(waf *WAF, group *RuleGroup, set *RuleSet, request requests.Request, writer http.ResponseWriter) (allow bool) {
-	if this.Timeout > 0 {
 	// 加入到黑名单
-		SharedIPBlackLIst.Add(IPTypeAll, request.WAFRemoteIP(), time.Now().Unix()+int64(this.Timeout))
+	var timeout = this.Timeout
+	if timeout <= 0 {
+		timeout = 60 // 默认封锁60秒
 	}
+	SharedIPBlackList.Add(IPTypeAll, request.WAFRemoteIP(), time.Now().Unix()+int64(timeout))
 
 	if writer != nil {
 		// close the connection

internal/waf/action_record_ip.go

@@ -92,7 +92,7 @@ func (this *RecordIPAction) Perform(waf *WAF, group *RuleGroup, set *RuleSet, re
 	if this.Type == "black" {
 		_ = this.CloseConn(writer)
 
-		SharedIPBlackLIst.Add(IPTypeAll, request.WAFRemoteIP(), expiredAt)
+		SharedIPBlackList.Add(IPTypeAll, request.WAFRemoteIP(), expiredAt)
 	} else {
 		// 加入本地白名单
 		timeout := this.Timeout

internal/waf/ip_list.go

@@ -9,7 +9,7 @@ import (
 )
 
 var SharedIPWhiteList = NewIPList()
-var SharedIPBlackLIst = NewIPList()
+var SharedIPBlackList = NewIPList()
 
 const IPTypeAll = "*"