[WAF]规则中增加请求Header长度限制和响应Header长度限制

2025-11-03 15:00:26 +08:00 · 2020-11-18 19:35:38 +08:00
parent 58933c8187
commit b55cdc8067
38 changed files with 214 additions and 64 deletions
--- a/internal/const/const.go
+++ b/internal/const/const.go
@@ -1,7 +1,7 @@
 package teaconst

 const (
-	Version = "0.0.1"
+	Version = "0.0.2"

 	ProductName = "Edge Node"
 	ProcessName = "edge-node"
--- a/internal/nodes/listener_http.go
+++ b/internal/nodes/listener_http.go
@@ -132,7 +132,9 @@ func (this *HTTPListener) handleHTTP(rawWriter http.ResponseWriter, rawReq *http
 			mismatchAction := httpAllConfig.DomainMismatchAction
 			if mismatchAction != nil && mismatchAction.Code == "page" {
 				if mismatchAction.Options != nil {
-					http.Error(rawWriter, mismatchAction.Options.GetString("contentHTML"), mismatchAction.Options.GetInt("statusCode"))
+					rawWriter.Header().Set("Content-Type", "text/html; charset=utf-8")
+					rawWriter.WriteHeader(mismatchAction.Options.GetInt("statusCode"))
+					_, _ = rawWriter.Write([]byte(mismatchAction.Options.GetString("contentHTML")))
 				} else {
 					http.Error(rawWriter, "404 page not found: '"+rawReq.URL.String()+"'", http.StatusNotFound)
 				}
--- a/internal/waf/checkpoints/cc.go
+++ b/internal/waf/checkpoints/cc.go
@@ -31,7 +31,7 @@ func (this *CCCheckpoint) Start() {
 	this.grid = grids.NewGrid(32, grids.NewLimitCountOpt(1000_0000))
 }

-func (this *CCCheckpoint) RequestValue(req *requests.Request, param string, options map[string]interface{}) (value interface{}, sysErr error, userErr error) {
+func (this *CCCheckpoint) RequestValue(req *requests.Request, param string, options maps.Map) (value interface{}, sysErr error, userErr error) {
 	value = 0

 	if this.grid == nil {
@@ -121,7 +121,7 @@ func (this *CCCheckpoint) RequestValue(req *requests.Request, param string, opti
 	return
 }

-func (this *CCCheckpoint) ResponseValue(req *requests.Request, resp *requests.Response, param string, options map[string]interface{}) (value interface{}, sysErr error, userErr error) {
+func (this *CCCheckpoint) ResponseValue(req *requests.Request, resp *requests.Response, param string, options maps.Map) (value interface{}, sysErr error, userErr error) {
 	if this.IsRequest() {
 		return this.RequestValue(req, param, options)
 	}
--- a/internal/waf/checkpoints/checkpoint.go
+++ b/internal/waf/checkpoints/checkpoint.go
@@ -11,6 +11,10 @@ func (this *Checkpoint) IsRequest() bool {
 	return true
 }

+func (this *Checkpoint) IsComposed() bool {
+	return false
+}
+
 func (this *Checkpoint) ParamOptions() *ParamOptions {
 	return nil
 }
--- a/internal/waf/checkpoints/checkpoint_interface.go
+++ b/internal/waf/checkpoints/checkpoint_interface.go
@@ -2,6 +2,7 @@ package checkpoints

 import (
 	"github.com/TeaOSLab/EdgeNode/internal/waf/requests"
+	"github.com/iwind/TeaGo/maps"
 )

 // Check Point
@@ -12,11 +13,14 @@ type CheckpointInterface interface {
 	// is request?
 	IsRequest() bool

+	// is composed?
+	IsComposed() bool
+
 	// get request value
-	RequestValue(req *requests.Request, param string, options map[string]interface{}) (value interface{}, sysErr error, userErr error)
+	RequestValue(req *requests.Request, param string, options maps.Map) (value interface{}, sysErr error, userErr error)

 	// get response value
-	ResponseValue(req *requests.Request, resp *requests.Response, param string, options map[string]interface{}) (value interface{}, sysErr error, userErr error)
+	ResponseValue(req *requests.Request, resp *requests.Response, param string, options maps.Map) (value interface{}, sysErr error, userErr error)

 	// param option list
 	ParamOptions() *ParamOptions
--- a/internal/waf/checkpoints/request_all.go
+++ b/internal/waf/checkpoints/request_all.go
@@ -2,6 +2,7 @@ package checkpoints

 import (
 	"github.com/TeaOSLab/EdgeNode/internal/waf/requests"
+	"github.com/iwind/TeaGo/maps"
 )

 // ${requestAll}
@@ -9,7 +10,7 @@ type RequestAllCheckpoint struct {
 	Checkpoint
 }

-func (this *RequestAllCheckpoint) RequestValue(req *requests.Request, param string, options map[string]interface{}) (value interface{}, sysErr error, userErr error) {
+func (this *RequestAllCheckpoint) RequestValue(req *requests.Request, param string, options maps.Map) (value interface{}, sysErr error, userErr error) {
 	valueBytes := []byte{}
 	if len(req.RequestURI) > 0 {
 		valueBytes = append(valueBytes, req.RequestURI...)
@@ -37,7 +38,7 @@ func (this *RequestAllCheckpoint) RequestValue(req *requests.Request, param stri
 	return
 }

-func (this *RequestAllCheckpoint) ResponseValue(req *requests.Request, resp *requests.Response, param string, options map[string]interface{}) (value interface{}, sysErr error, userErr error) {
+func (this *RequestAllCheckpoint) ResponseValue(req *requests.Request, resp *requests.Response, param string, options maps.Map) (value interface{}, sysErr error, userErr error) {
 	value = ""
 	if this.IsRequest() {
 		return this.RequestValue(req, param, options)
--- a/internal/waf/checkpoints/request_arg.go
+++ b/internal/waf/checkpoints/request_arg.go
@@ -2,17 +2,18 @@ package checkpoints

 import (
 	"github.com/TeaOSLab/EdgeNode/internal/waf/requests"
+	"github.com/iwind/TeaGo/maps"
 )

 type RequestArgCheckpoint struct {
 	Checkpoint
 }

-func (this *RequestArgCheckpoint) RequestValue(req *requests.Request, param string, options map[string]interface{}) (value interface{}, sysErr error, userErr error) {
+func (this *RequestArgCheckpoint) RequestValue(req *requests.Request, param string, options maps.Map) (value interface{}, sysErr error, userErr error) {
 	return req.URL.Query().Get(param), nil, nil
 }

-func (this *RequestArgCheckpoint) ResponseValue(req *requests.Request, resp *requests.Response, param string, options map[string]interface{}) (value interface{}, sysErr error, userErr error) {
+func (this *RequestArgCheckpoint) ResponseValue(req *requests.Request, resp *requests.Response, param string, options maps.Map) (value interface{}, sysErr error, userErr error) {
 	if this.IsRequest() {
 		return this.RequestValue(req, param, options)
 	}
--- a/internal/waf/checkpoints/request_args.go
+++ b/internal/waf/checkpoints/request_args.go
@@ -2,18 +2,19 @@ package checkpoints

 import (
 	"github.com/TeaOSLab/EdgeNode/internal/waf/requests"
+	"github.com/iwind/TeaGo/maps"
 )

 type RequestArgsCheckpoint struct {
 	Checkpoint
 }

-func (this *RequestArgsCheckpoint) RequestValue(req *requests.Request, param string, options map[string]interface{}) (value interface{}, sysErr error, userErr error) {
+func (this *RequestArgsCheckpoint) RequestValue(req *requests.Request, param string, options maps.Map) (value interface{}, sysErr error, userErr error) {
 	value = req.URL.RawQuery
 	return
 }

-func (this *RequestArgsCheckpoint) ResponseValue(req *requests.Request, resp *requests.Response, param string, options map[string]interface{}) (value interface{}, sysErr error, userErr error) {
+func (this *RequestArgsCheckpoint) ResponseValue(req *requests.Request, resp *requests.Response, param string, options maps.Map) (value interface{}, sysErr error, userErr error) {
 	if this.IsRequest() {
 		return this.RequestValue(req, param, options)
 	}
--- a/internal/waf/checkpoints/request_body.go
+++ b/internal/waf/checkpoints/request_body.go
@@ -2,6 +2,7 @@ package checkpoints

 import (
 	"github.com/TeaOSLab/EdgeNode/internal/waf/requests"
+	"github.com/iwind/TeaGo/maps"
 )

 // ${requestBody}
@@ -9,7 +10,7 @@ type RequestBodyCheckpoint struct {
 	Checkpoint
 }

-func (this *RequestBodyCheckpoint) RequestValue(req *requests.Request, param string, options map[string]interface{}) (value interface{}, sysErr error, userErr error) {
+func (this *RequestBodyCheckpoint) RequestValue(req *requests.Request, param string, options maps.Map) (value interface{}, sysErr error, userErr error) {
 	if req.Body == nil {
 		value = ""
 		return
@@ -28,7 +29,7 @@ func (this *RequestBodyCheckpoint) RequestValue(req *requests.Request, param str
 	return req.BodyData, nil, nil
 }

-func (this *RequestBodyCheckpoint) ResponseValue(req *requests.Request, resp *requests.Response, param string, options map[string]interface{}) (value interface{}, sysErr error, userErr error) {
+func (this *RequestBodyCheckpoint) ResponseValue(req *requests.Request, resp *requests.Response, param string, options maps.Map) (value interface{}, sysErr error, userErr error) {
 	if this.IsRequest() {
 		return this.RequestValue(req, param, options)
 	}
--- a/internal/waf/checkpoints/request_content_type.go
+++ b/internal/waf/checkpoints/request_content_type.go
@@ -2,18 +2,19 @@ package checkpoints

 import (
 	"github.com/TeaOSLab/EdgeNode/internal/waf/requests"
+	"github.com/iwind/TeaGo/maps"
 )

 type RequestContentTypeCheckpoint struct {
 	Checkpoint
 }

-func (this *RequestContentTypeCheckpoint) RequestValue(req *requests.Request, param string, options map[string]interface{}) (value interface{}, sysErr error, userErr error) {
+func (this *RequestContentTypeCheckpoint) RequestValue(req *requests.Request, param string, options maps.Map) (value interface{}, sysErr error, userErr error) {
 	value = req.Header.Get("Content-Type")
 	return
 }

-func (this *RequestContentTypeCheckpoint) ResponseValue(req *requests.Request, resp *requests.Response, param string, options map[string]interface{}) (value interface{}, sysErr error, userErr error) {
+func (this *RequestContentTypeCheckpoint) ResponseValue(req *requests.Request, resp *requests.Response, param string, options maps.Map) (value interface{}, sysErr error, userErr error) {
 	if this.IsRequest() {
 		return this.RequestValue(req, param, options)
 	}
--- a/internal/waf/checkpoints/request_cookie.go
+++ b/internal/waf/checkpoints/request_cookie.go
@@ -2,13 +2,14 @@ package checkpoints

 import (
 	"github.com/TeaOSLab/EdgeNode/internal/waf/requests"
+	"github.com/iwind/TeaGo/maps"
 )

 type RequestCookieCheckpoint struct {
 	Checkpoint
 }

-func (this *RequestCookieCheckpoint) RequestValue(req *requests.Request, param string, options map[string]interface{}) (value interface{}, sysErr error, userErr error) {
+func (this *RequestCookieCheckpoint) RequestValue(req *requests.Request, param string, options maps.Map) (value interface{}, sysErr error, userErr error) {
 	cookie, err := req.Cookie(param)
 	if err != nil {
 		value = ""
@@ -19,7 +20,7 @@ func (this *RequestCookieCheckpoint) RequestValue(req *requests.Request, param s
 	return
 }

-func (this *RequestCookieCheckpoint) ResponseValue(req *requests.Request, resp *requests.Response, param string, options map[string]interface{}) (value interface{}, sysErr error, userErr error) {
+func (this *RequestCookieCheckpoint) ResponseValue(req *requests.Request, resp *requests.Response, param string, options maps.Map) (value interface{}, sysErr error, userErr error) {
 	if this.IsRequest() {
 		return this.RequestValue(req, param, options)
 	}
--- a/internal/waf/checkpoints/request_cookies.go
+++ b/internal/waf/checkpoints/request_cookies.go
@@ -2,6 +2,7 @@ package checkpoints

 import (
 	"github.com/TeaOSLab/EdgeNode/internal/waf/requests"
+	"github.com/iwind/TeaGo/maps"
 	"net/url"
 	"strings"
 )
@@ -10,7 +11,7 @@ type RequestCookiesCheckpoint struct {
 	Checkpoint
 }

-func (this *RequestCookiesCheckpoint) RequestValue(req *requests.Request, param string, options map[string]interface{}) (value interface{}, sysErr error, userErr error) {
+func (this *RequestCookiesCheckpoint) RequestValue(req *requests.Request, param string, options maps.Map) (value interface{}, sysErr error, userErr error) {
 	var cookies = []string{}
 	for _, cookie := range req.Cookies() {
 		cookies = append(cookies, url.QueryEscape(cookie.Name)+"="+url.QueryEscape(cookie.Value))
@@ -19,7 +20,7 @@ func (this *RequestCookiesCheckpoint) RequestValue(req *requests.Request, param
 	return
 }

-func (this *RequestCookiesCheckpoint) ResponseValue(req *requests.Request, resp *requests.Response, param string, options map[string]interface{}) (value interface{}, sysErr error, userErr error) {
+func (this *RequestCookiesCheckpoint) ResponseValue(req *requests.Request, resp *requests.Response, param string, options maps.Map) (value interface{}, sysErr error, userErr error) {
 	if this.IsRequest() {
 		return this.RequestValue(req, param, options)
 	}
--- a/internal/waf/checkpoints/request_form_arg.go
+++ b/internal/waf/checkpoints/request_form_arg.go
@@ -2,6 +2,7 @@ package checkpoints

 import (
 	"github.com/TeaOSLab/EdgeNode/internal/waf/requests"
+	"github.com/iwind/TeaGo/maps"
 	"net/url"
 )

@@ -10,7 +11,7 @@ type RequestFormArgCheckpoint struct {
 	Checkpoint
 }

-func (this *RequestFormArgCheckpoint) RequestValue(req *requests.Request, param string, options map[string]interface{}) (value interface{}, sysErr error, userErr error) {
+func (this *RequestFormArgCheckpoint) RequestValue(req *requests.Request, param string, options maps.Map) (value interface{}, sysErr error, userErr error) {
 	if req.Body == nil {
 		value = ""
 		return
@@ -31,7 +32,7 @@ func (this *RequestFormArgCheckpoint) RequestValue(req *requests.Request, param
 	return values.Get(param), nil, nil
 }

-func (this *RequestFormArgCheckpoint) ResponseValue(req *requests.Request, resp *requests.Response, param string, options map[string]interface{}) (value interface{}, sysErr error, userErr error) {
+func (this *RequestFormArgCheckpoint) ResponseValue(req *requests.Request, resp *requests.Response, param string, options maps.Map) (value interface{}, sysErr error, userErr error) {
 	if this.IsRequest() {
 		return this.RequestValue(req, param, options)
 	}
--- a/internal/waf/checkpoints/request_general_header_length.go
+++ b/internal/waf/checkpoints/request_general_header_length.go
@@ -0,0 +1,40 @@
+package checkpoints
+
+import (
+	"github.com/TeaOSLab/EdgeNode/internal/waf/requests"
+	"github.com/iwind/TeaGo/maps"
+	"github.com/iwind/TeaGo/types"
+)
+
+type RequestGeneralHeaderLengthCheckpoint struct {
+	Checkpoint
+}
+
+func (this *RequestGeneralHeaderLengthCheckpoint) IsComposed() bool {
+	return true
+}
+
+func (this *RequestGeneralHeaderLengthCheckpoint) RequestValue(req *requests.Request, param string, options maps.Map) (value interface{}, sysErr error, userErr error) {
+	value = false
+
+	headers := options.GetSlice("headers")
+	if len(headers) == 0 {
+		return
+	}
+
+	length := options.GetInt("length")
+
+	for _, header := range headers {
+		v := req.Header.Get(types.String(header))
+		if len(v) > length {
+			value = true
+			break
+		}
+	}
+
+	return
+}
+
+func (this *RequestGeneralHeaderLengthCheckpoint) ResponseValue(req *requests.Request, resp *requests.Response, param string, options maps.Map) (value interface{}, sysErr error, userErr error) {
+	return
+}
--- a/internal/waf/checkpoints/request_header.go
+++ b/internal/waf/checkpoints/request_header.go
@@ -2,6 +2,7 @@ package checkpoints

 import (
 	"github.com/TeaOSLab/EdgeNode/internal/waf/requests"
+	"github.com/iwind/TeaGo/maps"
 	"strings"
 )

@@ -9,7 +10,7 @@ type RequestHeaderCheckpoint struct {
 	Checkpoint
 }

-func (this *RequestHeaderCheckpoint) RequestValue(req *requests.Request, param string, options map[string]interface{}) (value interface{}, sysErr error, userErr error) {
+func (this *RequestHeaderCheckpoint) RequestValue(req *requests.Request, param string, options maps.Map) (value interface{}, sysErr error, userErr error) {
 	v, found := req.Header[param]
 	if !found {
 		value = ""
@@ -19,7 +20,7 @@ func (this *RequestHeaderCheckpoint) RequestValue(req *requests.Request, param s
 	return
 }

-func (this *RequestHeaderCheckpoint) ResponseValue(req *requests.Request, resp *requests.Response, param string, options map[string]interface{}) (value interface{}, sysErr error, userErr error) {
+func (this *RequestHeaderCheckpoint) ResponseValue(req *requests.Request, resp *requests.Response, param string, options maps.Map) (value interface{}, sysErr error, userErr error) {
 	if this.IsRequest() {
 		return this.RequestValue(req, param, options)
 	}
--- a/internal/waf/checkpoints/request_headers.go
+++ b/internal/waf/checkpoints/request_headers.go
@@ -2,6 +2,7 @@ package checkpoints

 import (
 	"github.com/TeaOSLab/EdgeNode/internal/waf/requests"
+	"github.com/iwind/TeaGo/maps"
 	"sort"
 	"strings"
 )
@@ -10,7 +11,7 @@ type RequestHeadersCheckpoint struct {
 	Checkpoint
 }

-func (this *RequestHeadersCheckpoint) RequestValue(req *requests.Request, param string, options map[string]interface{}) (value interface{}, sysErr error, userErr error) {
+func (this *RequestHeadersCheckpoint) RequestValue(req *requests.Request, param string, options maps.Map) (value interface{}, sysErr error, userErr error) {
 	var headers = []string{}
 	for k, v := range req.Header {
 		for _, subV := range v {
@@ -22,7 +23,7 @@ func (this *RequestHeadersCheckpoint) RequestValue(req *requests.Request, param
 	return
 }

-func (this *RequestHeadersCheckpoint) ResponseValue(req *requests.Request, resp *requests.Response, param string, options map[string]interface{}) (value interface{}, sysErr error, userErr error) {
+func (this *RequestHeadersCheckpoint) ResponseValue(req *requests.Request, resp *requests.Response, param string, options maps.Map) (value interface{}, sysErr error, userErr error) {
 	if this.IsRequest() {
 		return this.RequestValue(req, param, options)
 	}
--- a/internal/waf/checkpoints/request_host.go
+++ b/internal/waf/checkpoints/request_host.go
@@ -2,18 +2,19 @@ package checkpoints

 import (
 	"github.com/TeaOSLab/EdgeNode/internal/waf/requests"
+	"github.com/iwind/TeaGo/maps"
 )

 type RequestHostCheckpoint struct {
 	Checkpoint
 }

-func (this *RequestHostCheckpoint) RequestValue(req *requests.Request, param string, options map[string]interface{}) (value interface{}, sysErr error, userErr error) {
+func (this *RequestHostCheckpoint) RequestValue(req *requests.Request, param string, options maps.Map) (value interface{}, sysErr error, userErr error) {
 	value = req.Host
 	return
 }

-func (this *RequestHostCheckpoint) ResponseValue(req *requests.Request, resp *requests.Response, param string, options map[string]interface{}) (value interface{}, sysErr error, userErr error) {
+func (this *RequestHostCheckpoint) ResponseValue(req *requests.Request, resp *requests.Response, param string, options maps.Map) (value interface{}, sysErr error, userErr error) {
 	if this.IsRequest() {
 		return this.RequestValue(req, param, options)
 	}
--- a/internal/waf/checkpoints/request_json_arg.go
+++ b/internal/waf/checkpoints/request_json_arg.go
@@ -4,6 +4,7 @@ import (
 	"encoding/json"
 	"github.com/TeaOSLab/EdgeNode/internal/utils"
 	"github.com/TeaOSLab/EdgeNode/internal/waf/requests"
+	"github.com/iwind/TeaGo/maps"
 	"strings"
 )

@@ -12,7 +13,7 @@ type RequestJSONArgCheckpoint struct {
 	Checkpoint
 }

-func (this *RequestJSONArgCheckpoint) RequestValue(req *requests.Request, param string, options map[string]interface{}) (value interface{}, sysErr error, userErr error) {
+func (this *RequestJSONArgCheckpoint) RequestValue(req *requests.Request, param string, options maps.Map) (value interface{}, sysErr error, userErr error) {
 	if len(req.BodyData) == 0 {
 		data, err := req.ReadBody(int64(32 * 1024 * 1024)) // read 32m bytes
 		if err != nil {
@@ -36,7 +37,7 @@ func (this *RequestJSONArgCheckpoint) RequestValue(req *requests.Request, param
 	return "", nil, nil
 }

-func (this *RequestJSONArgCheckpoint) ResponseValue(req *requests.Request, resp *requests.Response, param string, options map[string]interface{}) (value interface{}, sysErr error, userErr error) {
+func (this *RequestJSONArgCheckpoint) ResponseValue(req *requests.Request, resp *requests.Response, param string, options maps.Map) (value interface{}, sysErr error, userErr error) {
 	if this.IsRequest() {
 		return this.RequestValue(req, param, options)
 	}
--- a/internal/waf/checkpoints/request_length.go
+++ b/internal/waf/checkpoints/request_length.go
@@ -2,18 +2,19 @@ package checkpoints

 import (
 	"github.com/TeaOSLab/EdgeNode/internal/waf/requests"
+	"github.com/iwind/TeaGo/maps"
 )

 type RequestLengthCheckpoint struct {
 	Checkpoint
 }

-func (this *RequestLengthCheckpoint) RequestValue(req *requests.Request, param string, options map[string]interface{}) (value interface{}, sysErr error, userErr error) {
+func (this *RequestLengthCheckpoint) RequestValue(req *requests.Request, param string, options maps.Map) (value interface{}, sysErr error, userErr error) {
 	value = req.ContentLength
 	return
 }

-func (this *RequestLengthCheckpoint) ResponseValue(req *requests.Request, resp *requests.Response, param string, options map[string]interface{}) (value interface{}, sysErr error, userErr error) {
+func (this *RequestLengthCheckpoint) ResponseValue(req *requests.Request, resp *requests.Response, param string, options maps.Map) (value interface{}, sysErr error, userErr error) {
 	if this.IsRequest() {
 		return this.RequestValue(req, param, options)
 	}
--- a/internal/waf/checkpoints/request_method.go
+++ b/internal/waf/checkpoints/request_method.go
@@ -2,18 +2,19 @@ package checkpoints

 import (
 	"github.com/TeaOSLab/EdgeNode/internal/waf/requests"
+	"github.com/iwind/TeaGo/maps"
 )

 type RequestMethodCheckpoint struct {
 	Checkpoint
 }

-func (this *RequestMethodCheckpoint) RequestValue(req *requests.Request, param string, options map[string]interface{}) (value interface{}, sysErr error, userErr error) {
+func (this *RequestMethodCheckpoint) RequestValue(req *requests.Request, param string, options maps.Map) (value interface{}, sysErr error, userErr error) {
 	value = req.Method
 	return
 }

-func (this *RequestMethodCheckpoint) ResponseValue(req *requests.Request, resp *requests.Response, param string, options map[string]interface{}) (value interface{}, sysErr error, userErr error) {
+func (this *RequestMethodCheckpoint) ResponseValue(req *requests.Request, resp *requests.Response, param string, options maps.Map) (value interface{}, sysErr error, userErr error) {
 	if this.IsRequest() {
 		return this.RequestValue(req, param, options)
 	}
--- a/internal/waf/checkpoints/request_path.go
+++ b/internal/waf/checkpoints/request_path.go
@@ -2,17 +2,18 @@ package checkpoints

 import (
 	"github.com/TeaOSLab/EdgeNode/internal/waf/requests"
+	"github.com/iwind/TeaGo/maps"
 )

 type RequestPathCheckpoint struct {
 	Checkpoint
 }

-func (this *RequestPathCheckpoint) RequestValue(req *requests.Request, param string, options map[string]interface{}) (value interface{}, sysErr error, userErr error) {
+func (this *RequestPathCheckpoint) RequestValue(req *requests.Request, param string, options maps.Map) (value interface{}, sysErr error, userErr error) {
 	return req.URL.Path, nil, nil
 }

-func (this *RequestPathCheckpoint) ResponseValue(req *requests.Request, resp *requests.Response, param string, options map[string]interface{}) (value interface{}, sysErr error, userErr error) {
+func (this *RequestPathCheckpoint) ResponseValue(req *requests.Request, resp *requests.Response, param string, options maps.Map) (value interface{}, sysErr error, userErr error) {
 	if this.IsRequest() {
 		return this.RequestValue(req, param, options)
 	}
--- a/internal/waf/checkpoints/request_proto.go
+++ b/internal/waf/checkpoints/request_proto.go
@@ -2,18 +2,19 @@ package checkpoints

 import (
 	"github.com/TeaOSLab/EdgeNode/internal/waf/requests"
+	"github.com/iwind/TeaGo/maps"
 )

 type RequestProtoCheckpoint struct {
 	Checkpoint
 }

-func (this *RequestProtoCheckpoint) RequestValue(req *requests.Request, param string, options map[string]interface{}) (value interface{}, sysErr error, userErr error) {
+func (this *RequestProtoCheckpoint) RequestValue(req *requests.Request, param string, options maps.Map) (value interface{}, sysErr error, userErr error) {
 	value = req.Proto
 	return
 }

-func (this *RequestProtoCheckpoint) ResponseValue(req *requests.Request, resp *requests.Response, param string, options map[string]interface{}) (value interface{}, sysErr error, userErr error) {
+func (this *RequestProtoCheckpoint) ResponseValue(req *requests.Request, resp *requests.Response, param string, options maps.Map) (value interface{}, sysErr error, userErr error) {
 	if this.IsRequest() {
 		return this.RequestValue(req, param, options)
 	}
--- a/internal/waf/checkpoints/request_raw_remote_addr.go
+++ b/internal/waf/checkpoints/request_raw_remote_addr.go
@@ -2,6 +2,7 @@ package checkpoints

 import (
 	"github.com/TeaOSLab/EdgeNode/internal/waf/requests"
+	"github.com/iwind/TeaGo/maps"
 	"net"
 )

@@ -9,7 +10,7 @@ type RequestRawRemoteAddrCheckpoint struct {
 	Checkpoint
 }

-func (this *RequestRawRemoteAddrCheckpoint) RequestValue(req *requests.Request, param string, options map[string]interface{}) (value interface{}, sysErr error, userErr error) {
+func (this *RequestRawRemoteAddrCheckpoint) RequestValue(req *requests.Request, param string, options maps.Map) (value interface{}, sysErr error, userErr error) {
 	host, _, err := net.SplitHostPort(req.RemoteAddr)
 	if err == nil {
 		value = host
@@ -19,7 +20,7 @@ func (this *RequestRawRemoteAddrCheckpoint) RequestValue(req *requests.Request,
 	return
 }

-func (this *RequestRawRemoteAddrCheckpoint) ResponseValue(req *requests.Request, resp *requests.Response, param string, options map[string]interface{}) (value interface{}, sysErr error, userErr error) {
+func (this *RequestRawRemoteAddrCheckpoint) ResponseValue(req *requests.Request, resp *requests.Response, param string, options maps.Map) (value interface{}, sysErr error, userErr error) {
 	if this.IsRequest() {
 		return this.RequestValue(req, param, options)
 	}
--- a/internal/waf/checkpoints/request_referer.go
+++ b/internal/waf/checkpoints/request_referer.go
@@ -2,18 +2,19 @@ package checkpoints

 import (
 	"github.com/TeaOSLab/EdgeNode/internal/waf/requests"
+	"github.com/iwind/TeaGo/maps"
 )

 type RequestRefererCheckpoint struct {
 	Checkpoint
 }

-func (this *RequestRefererCheckpoint) RequestValue(req *requests.Request, param string, options map[string]interface{}) (value interface{}, sysErr error, userErr error) {
+func (this *RequestRefererCheckpoint) RequestValue(req *requests.Request, param string, options maps.Map) (value interface{}, sysErr error, userErr error) {
 	value = req.Referer()
 	return
 }

-func (this *RequestRefererCheckpoint) ResponseValue(req *requests.Request, resp *requests.Response, param string, options map[string]interface{}) (value interface{}, sysErr error, userErr error) {
+func (this *RequestRefererCheckpoint) ResponseValue(req *requests.Request, resp *requests.Response, param string, options maps.Map) (value interface{}, sysErr error, userErr error) {
 	if this.IsRequest() {
 		return this.RequestValue(req, param, options)
 	}
--- a/internal/waf/checkpoints/request_remote_addr.go
+++ b/internal/waf/checkpoints/request_remote_addr.go
@@ -2,6 +2,7 @@ package checkpoints

 import (
 	"github.com/TeaOSLab/EdgeNode/internal/waf/requests"
+	"github.com/iwind/TeaGo/maps"
 	"net"
 	"strings"
 )
@@ -10,7 +11,7 @@ type RequestRemoteAddrCheckpoint struct {
 	Checkpoint
 }

-func (this *RequestRemoteAddrCheckpoint) RequestValue(req *requests.Request, param string, options map[string]interface{}) (value interface{}, sysErr error, userErr error) {
+func (this *RequestRemoteAddrCheckpoint) RequestValue(req *requests.Request, param string, options maps.Map) (value interface{}, sysErr error, userErr error) {
 	// X-Forwarded-For
 	forwardedFor := req.Header.Get("X-Forwarded-For")
 	if len(forwardedFor) > 0 {
@@ -51,7 +52,7 @@ func (this *RequestRemoteAddrCheckpoint) RequestValue(req *requests.Request, par
 	return
 }

-func (this *RequestRemoteAddrCheckpoint) ResponseValue(req *requests.Request, resp *requests.Response, param string, options map[string]interface{}) (value interface{}, sysErr error, userErr error) {
+func (this *RequestRemoteAddrCheckpoint) ResponseValue(req *requests.Request, resp *requests.Response, param string, options maps.Map) (value interface{}, sysErr error, userErr error) {
 	if this.IsRequest() {
 		return this.RequestValue(req, param, options)
 	}
--- a/internal/waf/checkpoints/request_remote_port.go
+++ b/internal/waf/checkpoints/request_remote_port.go
@@ -2,6 +2,7 @@ package checkpoints

 import (
 	"github.com/TeaOSLab/EdgeNode/internal/waf/requests"
+	"github.com/iwind/TeaGo/maps"
 	"github.com/iwind/TeaGo/types"
 	"net"
 )
@@ -10,7 +11,7 @@ type RequestRemotePortCheckpoint struct {
 	Checkpoint
 }

-func (this *RequestRemotePortCheckpoint) RequestValue(req *requests.Request, param string, options map[string]interface{}) (value interface{}, sysErr error, userErr error) {
+func (this *RequestRemotePortCheckpoint) RequestValue(req *requests.Request, param string, options maps.Map) (value interface{}, sysErr error, userErr error) {
 	_, port, err := net.SplitHostPort(req.RemoteAddr)
 	if err == nil {
 		value = types.Int(port)
@@ -20,7 +21,7 @@ func (this *RequestRemotePortCheckpoint) RequestValue(req *requests.Request, par
 	return
 }

-func (this *RequestRemotePortCheckpoint) ResponseValue(req *requests.Request, resp *requests.Response, param string, options map[string]interface{}) (value interface{}, sysErr error, userErr error) {
+func (this *RequestRemotePortCheckpoint) ResponseValue(req *requests.Request, resp *requests.Response, param string, options maps.Map) (value interface{}, sysErr error, userErr error) {
 	if this.IsRequest() {
 		return this.RequestValue(req, param, options)
 	}
--- a/internal/waf/checkpoints/request_remote_user.go
+++ b/internal/waf/checkpoints/request_remote_user.go
@@ -2,13 +2,14 @@ package checkpoints

 import (
 	"github.com/TeaOSLab/EdgeNode/internal/waf/requests"
+	"github.com/iwind/TeaGo/maps"
 )

 type RequestRemoteUserCheckpoint struct {
 	Checkpoint
 }

-func (this *RequestRemoteUserCheckpoint) RequestValue(req *requests.Request, param string, options map[string]interface{}) (value interface{}, sysErr error, userErr error) {
+func (this *RequestRemoteUserCheckpoint) RequestValue(req *requests.Request, param string, options maps.Map) (value interface{}, sysErr error, userErr error) {
 	username, _, ok := req.BasicAuth()
 	if !ok {
 		value = ""
@@ -18,7 +19,7 @@ func (this *RequestRemoteUserCheckpoint) RequestValue(req *requests.Request, par
 	return
 }

-func (this *RequestRemoteUserCheckpoint) ResponseValue(req *requests.Request, resp *requests.Response, param string, options map[string]interface{}) (value interface{}, sysErr error, userErr error) {
+func (this *RequestRemoteUserCheckpoint) ResponseValue(req *requests.Request, resp *requests.Response, param string, options maps.Map) (value interface{}, sysErr error, userErr error) {
 	if this.IsRequest() {
 		return this.RequestValue(req, param, options)
 	}
--- a/internal/waf/checkpoints/request_scheme.go
+++ b/internal/waf/checkpoints/request_scheme.go
@@ -2,18 +2,19 @@ package checkpoints

 import (
 	"github.com/TeaOSLab/EdgeNode/internal/waf/requests"
+	"github.com/iwind/TeaGo/maps"
 )

 type RequestSchemeCheckpoint struct {
 	Checkpoint
 }

-func (this *RequestSchemeCheckpoint) RequestValue(req *requests.Request, param string, options map[string]interface{}) (value interface{}, sysErr error, userErr error) {
+func (this *RequestSchemeCheckpoint) RequestValue(req *requests.Request, param string, options maps.Map) (value interface{}, sysErr error, userErr error) {
 	value = req.URL.Scheme
 	return
 }

-func (this *RequestSchemeCheckpoint) ResponseValue(req *requests.Request, resp *requests.Response, param string, options map[string]interface{}) (value interface{}, sysErr error, userErr error) {
+func (this *RequestSchemeCheckpoint) ResponseValue(req *requests.Request, resp *requests.Response, param string, options maps.Map) (value interface{}, sysErr error, userErr error) {
 	if this.IsRequest() {
 		return this.RequestValue(req, param, options)
 	}
--- a/internal/waf/checkpoints/request_upload.go
+++ b/internal/waf/checkpoints/request_upload.go
@@ -4,6 +4,7 @@ import (
 	"bytes"
 	"github.com/TeaOSLab/EdgeNode/internal/waf/requests"
 	"github.com/iwind/TeaGo/lists"
+	"github.com/iwind/TeaGo/maps"
 	"io/ioutil"
 	"net/http"
 	"path/filepath"
@@ -15,7 +16,7 @@ type RequestUploadCheckpoint struct {
 	Checkpoint
 }

-func (this *RequestUploadCheckpoint) RequestValue(req *requests.Request, param string, options map[string]interface{}) (value interface{}, sysErr error, userErr error) {
+func (this *RequestUploadCheckpoint) RequestValue(req *requests.Request, param string, options maps.Map) (value interface{}, sysErr error, userErr error) {
 	value = ""
 	if param == "minSize" || param == "maxSize" {
 		value = 0
@@ -112,7 +113,7 @@ func (this *RequestUploadCheckpoint) RequestValue(req *requests.Request, param s
 	return
 }

-func (this *RequestUploadCheckpoint) ResponseValue(req *requests.Request, resp *requests.Response, param string, options map[string]interface{}) (value interface{}, sysErr error, userErr error) {
+func (this *RequestUploadCheckpoint) ResponseValue(req *requests.Request, resp *requests.Response, param string, options maps.Map) (value interface{}, sysErr error, userErr error) {
 	if this.IsRequest() {
 		return this.RequestValue(req, param, options)
 	}
--- a/internal/waf/checkpoints/request_uri.go
+++ b/internal/waf/checkpoints/request_uri.go
@@ -2,13 +2,14 @@ package checkpoints

 import (
 	"github.com/TeaOSLab/EdgeNode/internal/waf/requests"
+	"github.com/iwind/TeaGo/maps"
 )

 type RequestURICheckpoint struct {
 	Checkpoint
 }

-func (this *RequestURICheckpoint) RequestValue(req *requests.Request, param string, options map[string]interface{}) (value interface{}, sysErr error, userErr error) {
+func (this *RequestURICheckpoint) RequestValue(req *requests.Request, param string, options maps.Map) (value interface{}, sysErr error, userErr error) {
 	if len(req.RequestURI) > 0 {
 		value = req.RequestURI
 	} else if req.URL != nil {
@@ -17,7 +18,7 @@ func (this *RequestURICheckpoint) RequestValue(req *requests.Request, param stri
 	return
 }

-func (this *RequestURICheckpoint) ResponseValue(req *requests.Request, resp *requests.Response, param string, options map[string]interface{}) (value interface{}, sysErr error, userErr error) {
+func (this *RequestURICheckpoint) ResponseValue(req *requests.Request, resp *requests.Response, param string, options maps.Map) (value interface{}, sysErr error, userErr error) {
 	if this.IsRequest() {
 		return this.RequestValue(req, param, options)
 	}
--- a/internal/waf/checkpoints/request_user_agent.go
+++ b/internal/waf/checkpoints/request_user_agent.go
@@ -2,18 +2,19 @@ package checkpoints

 import (
 	"github.com/TeaOSLab/EdgeNode/internal/waf/requests"
+	"github.com/iwind/TeaGo/maps"
 )

 type RequestUserAgentCheckpoint struct {
 	Checkpoint
 }

-func (this *RequestUserAgentCheckpoint) RequestValue(req *requests.Request, param string, options map[string]interface{}) (value interface{}, sysErr error, userErr error) {
+func (this *RequestUserAgentCheckpoint) RequestValue(req *requests.Request, param string, options maps.Map) (value interface{}, sysErr error, userErr error) {
 	value = req.UserAgent()
 	return
 }

-func (this *RequestUserAgentCheckpoint) ResponseValue(req *requests.Request, resp *requests.Response, param string, options map[string]interface{}) (value interface{}, sysErr error, userErr error) {
+func (this *RequestUserAgentCheckpoint) ResponseValue(req *requests.Request, resp *requests.Response, param string, options maps.Map) (value interface{}, sysErr error, userErr error) {
 	if this.IsRequest() {
 		return this.RequestValue(req, param, options)
 	}
--- a/internal/waf/checkpoints/response_body.go
+++ b/internal/waf/checkpoints/response_body.go
@@ -3,6 +3,7 @@ package checkpoints
 import (
 	"bytes"
 	"github.com/TeaOSLab/EdgeNode/internal/waf/requests"
+	"github.com/iwind/TeaGo/maps"
 	"io/ioutil"
 )

@@ -15,12 +16,12 @@ func (this *ResponseBodyCheckpoint) IsRequest() bool {
 	return false
 }

-func (this *ResponseBodyCheckpoint) RequestValue(req *requests.Request, param string, options map[string]interface{}) (value interface{}, sysErr error, userErr error) {
+func (this *ResponseBodyCheckpoint) RequestValue(req *requests.Request, param string, options maps.Map) (value interface{}, sysErr error, userErr error) {
 	value = ""
 	return
 }

-func (this *ResponseBodyCheckpoint) ResponseValue(req *requests.Request, resp *requests.Response, param string, options map[string]interface{}) (value interface{}, sysErr error, userErr error) {
+func (this *ResponseBodyCheckpoint) ResponseValue(req *requests.Request, resp *requests.Response, param string, options maps.Map) (value interface{}, sysErr error, userErr error) {
 	value = ""
 	if resp != nil && resp.Body != nil {
 		if len(resp.BodyData) > 0 {
--- a/internal/waf/checkpoints/response_bytes_sent.go
+++ b/internal/waf/checkpoints/response_bytes_sent.go
@@ -2,6 +2,7 @@ package checkpoints

 import (
 	"github.com/TeaOSLab/EdgeNode/internal/waf/requests"
+	"github.com/iwind/TeaGo/maps"
 )

 // ${bytesSent}
@@ -13,12 +14,12 @@ func (this *ResponseBytesSentCheckpoint) IsRequest() bool {
 	return false
 }

-func (this *ResponseBytesSentCheckpoint) RequestValue(req *requests.Request, param string, options map[string]interface{}) (value interface{}, sysErr error, userErr error) {
+func (this *ResponseBytesSentCheckpoint) RequestValue(req *requests.Request, param string, options maps.Map) (value interface{}, sysErr error, userErr error) {
 	value = 0
 	return
 }

-func (this *ResponseBytesSentCheckpoint) ResponseValue(req *requests.Request, resp *requests.Response, param string, options map[string]interface{}) (value interface{}, sysErr error, userErr error) {
+func (this *ResponseBytesSentCheckpoint) ResponseValue(req *requests.Request, resp *requests.Response, param string, options maps.Map) (value interface{}, sysErr error, userErr error) {
 	value = 0
 	if resp != nil {
 		value = resp.ContentLength
--- a/internal/waf/checkpoints/response_general_header_length.go
+++ b/internal/waf/checkpoints/response_general_header_length.go
@@ -0,0 +1,45 @@
+package checkpoints
+
+import (
+	"github.com/TeaOSLab/EdgeNode/internal/waf/requests"
+	"github.com/iwind/TeaGo/maps"
+	"github.com/iwind/TeaGo/types"
+)
+
+type ResponseGeneralHeaderLengthCheckpoint struct {
+	Checkpoint
+}
+
+func (this *ResponseGeneralHeaderLengthCheckpoint) IsRequest() bool {
+	return false
+}
+
+func (this *ResponseGeneralHeaderLengthCheckpoint) IsComposed() bool {
+	return true
+}
+
+func (this *ResponseGeneralHeaderLengthCheckpoint) RequestValue(req *requests.Request, param string, options maps.Map) (value interface{}, sysErr error, userErr error) {
+
+	return
+}
+
+func (this *ResponseGeneralHeaderLengthCheckpoint) ResponseValue(req *requests.Request, resp *requests.Response, param string, options maps.Map) (value interface{}, sysErr error, userErr error) {
+	value = false
+
+	headers := options.GetSlice("headers")
+	if len(headers) == 0 {
+		return
+	}
+
+	length := options.GetInt("length")
+
+	for _, header := range headers {
+		v := req.Header.Get(types.String(header))
+		if len(v) > length {
+			value = true
+			break
+		}
+	}
+
+	return
+}
--- a/internal/waf/checkpoints/response_header.go
+++ b/internal/waf/checkpoints/response_header.go
@@ -2,6 +2,7 @@ package checkpoints

 import (
 	"github.com/TeaOSLab/EdgeNode/internal/waf/requests"
+	"github.com/iwind/TeaGo/maps"
 )

 // ${responseHeader.arg}
@@ -13,12 +14,12 @@ func (this *ResponseHeaderCheckpoint) IsRequest() bool {
 	return false
 }

-func (this *ResponseHeaderCheckpoint) RequestValue(req *requests.Request, param string, options map[string]interface{}) (value interface{}, sysErr error, userErr error) {
+func (this *ResponseHeaderCheckpoint) RequestValue(req *requests.Request, param string, options maps.Map) (value interface{}, sysErr error, userErr error) {
 	value = ""
 	return
 }

-func (this *ResponseHeaderCheckpoint) ResponseValue(req *requests.Request, resp *requests.Response, param string, options map[string]interface{}) (value interface{}, sysErr error, userErr error) {
+func (this *ResponseHeaderCheckpoint) ResponseValue(req *requests.Request, resp *requests.Response, param string, options maps.Map) (value interface{}, sysErr error, userErr error) {
 	if resp != nil && resp.Header != nil {
 		value = resp.Header.Get(param)
 	} else {
--- a/internal/waf/checkpoints/response_status.go
+++ b/internal/waf/checkpoints/response_status.go
@@ -2,6 +2,7 @@ package checkpoints

 import (
 	"github.com/TeaOSLab/EdgeNode/internal/waf/requests"
+	"github.com/iwind/TeaGo/maps"
 )

 // ${bytesSent}
@@ -13,12 +14,12 @@ func (this *ResponseStatusCheckpoint) IsRequest() bool {
 	return false
 }

-func (this *ResponseStatusCheckpoint) RequestValue(req *requests.Request, param string, options map[string]interface{}) (value interface{}, sysErr error, userErr error) {
+func (this *ResponseStatusCheckpoint) RequestValue(req *requests.Request, param string, options maps.Map) (value interface{}, sysErr error, userErr error) {
 	value = 0
 	return
 }

-func (this *ResponseStatusCheckpoint) ResponseValue(req *requests.Request, resp *requests.Response, param string, options map[string]interface{}) (value interface{}, sysErr error, userErr error) {
+func (this *ResponseStatusCheckpoint) ResponseValue(req *requests.Request, resp *requests.Response, param string, options maps.Map) (value interface{}, sysErr error, userErr error) {
 	if resp != nil {
 		value = resp.StatusCode
 	}
--- a/internal/waf/checkpoints/utils.go
+++ b/internal/waf/checkpoints/utils.go
@@ -2,6 +2,13 @@ package checkpoints

 // all check points list
 var AllCheckpoints = []*CheckpointDefinition{
+	{
+		Name:        "通用请求Header长度限制",
+		Prefix:      "requestGeneralHeaderLength",
+		Description: "通用Header比如Cache-Control、Accept之类的长度限制，防止缓冲区溢出攻击",
+		HasParams:   false,
+		Instance:    new(RequestGeneralHeaderLengthCheckpoint),
+	},
 	{
 		Name:        "客户端地址（IP）",
 		Prefix:      "remoteAddr",
@@ -184,6 +191,13 @@ var AllCheckpoints = []*CheckpointDefinition{
 		HasParams:   true,
 		Instance:    new(CCCheckpoint),
 	},
+	{
+		Name:        "通用响应Header长度限制",
+		Prefix:      "responseGeneralHeaderLength",
+		Description: "通用Header比如Cache-Control、Accept之类的长度限制，防止缓冲区溢出攻击",
+		HasParams:   false,
+		Instance:    new(ResponseGeneralHeaderLengthCheckpoint),
+	},
 	{
 		Name:        "响应状态码",
 		Prefix:      "status",
--- a/internal/waf/rule.go
+++ b/internal/waf/rule.go
@@ -186,6 +186,12 @@ func (this *Rule) MatchRequest(req *requests.Request) (b bool, err error) {
 		if err != nil {
 			return false, err
 		}
+
+		// if is composed checkpoint, we just returns true or false
+		if this.singleCheckpoint.IsComposed() {
+			return types.Bool(value), nil
+		}
+
 		return this.Test(value), nil
 	}

@@ -235,6 +241,12 @@ func (this *Rule) MatchResponse(req *requests.Request, resp *requests.Response)
 		if err != nil {
 			return false, err
 		}
+
+		// if is composed checkpoint, we just returns true or false
+		if this.singleCheckpoint.IsComposed() {
+			return types.Bool(value), nil
+		}
+
 		return this.Test(value), nil
 	}