diff --git a/internal/nodes/client_conn.go b/internal/nodes/client_conn.go
index 95a3154..41b7b60 100644
--- a/internal/nodes/client_conn.go
+++ b/internal/nodes/client_conn.go
@@ -24,8 +24,6 @@ import (
 "time"
 )
 
-var synFloodCounter = counters.NewCounter().WithGC()
-
 // ClientConn 客户端连接
 type ClientConn struct {
 BaseClientConn
@@ -292,13 +290,13 @@ func (this *ClientConn) LastErr() error {
 }
 
 func (this *ClientConn) resetSYNFlood() {
- synFloodCounter.ResetKey("SYN_FLOOD:" + this.RawIP())
+ counters.SharedCounter.ResetKey("SYN_FLOOD:" + this.RawIP())
 }
 
 func (this *ClientConn) increaseSYNFlood(synFloodConfig *firewallconfigs.SYNFloodConfig) {
 var ip = this.RawIP()
 if len(ip) > 0 && !iplibrary.IsInWhiteList(ip) && (!synFloodConfig.IgnoreLocal || !utils.IsLocalIP(ip)) {
- var result = synFloodCounter.IncreaseKey("SYN_FLOOD:"+ip, 60)
+ var result = counters.SharedCounter.IncreaseKey("SYN_FLOOD:"+ip, 60)
 var minAttempts = synFloodConfig.MinAttempts
 if minAttempts < 5 {
 minAttempts = 5
diff --git a/internal/utils/counters/counter.go b/internal/utils/counters/counter.go
index 9fedcfd..ca5c2e8 100644
--- a/internal/utils/counters/counter.go
+++ b/internal/utils/counters/counter.go
@@ -11,7 +11,9 @@ import (
 "time"
 )
 
-const maxItemsPerGroup = 100_000
+const maxItemsPerGroup = 60_000
+
+var SharedCounter = NewCounter().WithGC()
 
 type Counter struct {
 countMaps uint64
@@ -25,11 +27,9 @@ type Counter struct {
 
 // NewCounter create new counter
 func NewCounter() *Counter {
- var count = utils.SystemMemoryGB() * 2
+ var count = utils.SystemMemoryGB() * 4
 if count < 8 {
 count = 8
- } else if count > 128 {
- count = 128
 }
 
 var itemMaps = []map[uint64]*Item{}
diff --git a/internal/waf/action_js_cookie.go b/internal/waf/action_js_cookie.go
index 64e4e3b..21102c6 100644
--- a/internal/waf/action_js_cookie.go
+++ b/internal/waf/action_js_cookie.go
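Review bot: The exported `SharedCounter` introduced in counter.go has no doc comment, and because every feature in this commit now shares that one instance, the comment should state the key-namespacing contract the rest of the change relies on (the `WAF:` and `@WAF_CC@` prefixes); propose `// SharedCounter is the single process-wide counter used by SYN-flood, CC, captcha and JS-cookie tracking; callers must prefix keys with a feature-specific namespace so unrelated features never read or reset each other's counts.` In the same hunk `maxItemsPerGroup` drops from 100_000 to 60_000 while the counter becomes shared, so keys derived from request-controlled values (the full URL in action_js_cookie.go, the formatted key values in cc2.go) now compete for the same capacity as the `SYN_FLOOD:` keys in client_conn.go. What the counter does when a group exceeds that limit is outside this hunk, so whether heavy per-request key churn can evict or starve the SYN-flood entries should be checked and documented next to the constant.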
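Review bot: The `else if count > 128` clamp is removed from NewCounter at the same time as the multiplier rises from 2 to 4, so the number of item maps now grows linearly with host RAM with no ceiling (a 128 GB host gets 512 maps instead of 128). Nothing in the hunk says whether that is intended or what each map costs; the `var itemMaps` initialisation and the rest of NewCounter continue outside the hunk. A comment on the sizing rule would make the decision reviewable, e.g. `// one item map per 256 MB of system memory, minimum 8; deliberately uncapped because …` with the reason filled in, or the cap restored at a higher value if its removal was incidental to the multiplier change.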
@@ -7,6 +7,7 @@ import (
 "fmt"
 "github.com/TeaOSLab/EdgeCommon/pkg/nodeconfigs"
 "github.com/TeaOSLab/EdgeCommon/pkg/serverconfigs/firewallconfigs"
+ "github.com/TeaOSLab/EdgeNode/internal/utils/counters"
 "github.com/TeaOSLab/EdgeNode/internal/waf/requests"
 "github.com/iwind/TeaGo/types"
 "net/http"
@@ -118,9 +119,9 @@ func (this *JSCookieAction) increaseFails(req requests.Request, policyId int64,
 failBlockTimeout = 1800 // 默认1800s
 }
 
- var key = "JS_COOKIE:FAILS:" + req.WAFRemoteIP() + ":" + types.String(req.WAFServerId()) + ":" + req.WAFRaw().URL.String()
+ var key = "WAF:JS_COOKIE:FAILS:" + req.WAFRemoteIP() + ":" + types.String(req.WAFServerId()) + ":" + req.WAFRaw().URL.String()
 
- var countFails = SharedCounter.IncreaseKey(key, 300)
+ var countFails = counters.SharedCounter.IncreaseKey(key, 300)
 if int(countFails) >= maxFails {
 SharedIPBlackList.RecordIP(IPTypeAll, firewallconfigs.FirewallScopeService, req.WAFServerId(), req.WAFRemoteIP(), time.Now().Unix()+int64(failBlockTimeout), policyId, true, groupId, setId, "JS_COOKIE验证连续失败超过"+types.String(maxFails)+"次")
 return false
diff --git a/internal/waf/captcha_counter.go b/internal/waf/captcha_counter.go
index df36d61..9358f96 100644
--- a/internal/waf/captcha_counter.go
+++ b/internal/waf/captcha_counter.go
@@ -5,6 +5,7 @@ package waf
 import (
 "github.com/TeaOSLab/EdgeCommon/pkg/serverconfigs/firewallconfigs"
 "github.com/TeaOSLab/EdgeNode/internal/utils"
+ "github.com/TeaOSLab/EdgeNode/internal/utils/counters"
 "github.com/TeaOSLab/EdgeNode/internal/waf/requests"
 "github.com/iwind/TeaGo/types"
 "time"
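Review bot: The rebuilt key in increaseFails still ends with `req.WAFRaw().URL.String()`, which includes the query string, while `CaptchaCacheKey` in the captcha_counter.go hunk keys the equivalent fail counter on `requestPath`; as written, failures on the same page with differing query strings land in separate counters, and every distinct URL creates a fresh entry in the counter that is now shared with SYN-flood and CC tracking. Consider aligning with the captcha key by using the URL's `Path` component, assuming WAFRaw() exposes a `*url.URL` as the `URL.String()` call suggests; if the query string is deliberately part of the key identity, a one-line comment saying so would keep the next reader from flagging it. increaseFails starts before and ends after this hunk.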
@@ -26,7 +27,7 @@ func CaptchaIncreaseFails(req requests.Request, actionConfig *CaptchaAction, pol
 if maxFails <= 3 {
 maxFails = 3 // 不能小于3,防止意外刷新出现
 }
- var countFails = SharedCounter.IncreaseKey(CaptchaCacheKey(req, pageCode), 300)
+ var countFails = counters.SharedCounter.IncreaseKey(CaptchaCacheKey(req, pageCode), 300)
 if int(countFails) >= maxFails {
 SharedIPBlackList.RecordIP(IPTypeAll, firewallconfigs.FirewallScopeService, req.WAFServerId(), req.WAFRemoteIP(), time.Now().Unix()+int64(failBlockTimeout), policyId, true, groupId, setId, "CAPTCHA验证连续失败超过"+types.String(maxFails)+"次")
 return false
@@ -37,9 +38,9 @@ func CaptchaIncreaseFails(req requests.Request, actionConfig *CaptchaAction, pol
 
 // CaptchaDeleteCacheKey 清除计数
 func CaptchaDeleteCacheKey(req requests.Request) {
- SharedCounter.ResetKey(CaptchaCacheKey(req, CaptchaPageCodeInit))
- SharedCounter.ResetKey(CaptchaCacheKey(req, CaptchaPageCodeShow))
- SharedCounter.ResetKey(CaptchaCacheKey(req, CaptchaPageCodeSubmit))
+ counters.SharedCounter.ResetKey(CaptchaCacheKey(req, CaptchaPageCodeInit))
+ counters.SharedCounter.ResetKey(CaptchaCacheKey(req, CaptchaPageCodeShow))
+ counters.SharedCounter.ResetKey(CaptchaCacheKey(req, CaptchaPageCodeSubmit))
 }
 
 // CaptchaCacheKey 获取Captcha缓存Key
@@ -53,5 +54,5 @@ func CaptchaCacheKey(req requests.Request, pageCode CaptchaPageCode) string {
 }
 }
 
- return "CAPTCHA:FAILS:" + pageCode + ":" + req.WAFRemoteIP() + ":" + types.String(req.WAFServerId()) + ":" + requestPath
+ return "WAF:CAPTCHA:FAILS:" + pageCode + ":" + req.WAFRemoteIP() + ":" + types.String(req.WAFServerId()) + ":" + requestPath
 }
diff --git a/internal/waf/checkpoints/cc.go b/internal/waf/checkpoints/cc.go
index b2e37db..e848fc2 100644
--- a/internal/waf/checkpoints/cc.go
+++ b/internal/waf/checkpoints/cc.go
@@ -8,7 +8,6 @@ import (
 "regexp"
 )
 
-var ccCounter = counters.NewCounter().WithGC()
 
 // CCCheckpoint ${cc.arg}
 // TODO implement more traffic rules
@@ -98,7 +97,7 @@ func (this *CCCheckpoint) RequestValue(req requests.Request, param string, optio
 if len(key) == 0 {
 key = req.WAFRemoteIP()
 }
- value = ccCounter.IncreaseKey(types.String(ruleId)+"@"+key, types.Int(period))
+ value = counters.SharedCounter.IncreaseKey(types.String(ruleId)+"@WAF_CC@"+key, types.Int(period))
 }
 
 return
diff --git a/internal/waf/checkpoints/cc2.go b/internal/waf/checkpoints/cc2.go
index 2124a22..b58fdcb 100644
--- a/internal/waf/checkpoints/cc2.go
+++ b/internal/waf/checkpoints/cc2.go
@@ -13,8 +13,6 @@ import (
 "strings"
 )
 
-var cc2Counter = counters.NewCounter().WithGC()
-
 var commonFileExtensionsMap = map[string]zero.Zero{
 ".ico": zero.New(),
 ".jpg": zero.New(),
@@ -77,7 +75,7 @@ func (this *CC2Checkpoint) RequestValue(req requests.Request, param string, opti
 }
 
 var ccKey = "WAF-CC-" + types.String(ruleId) + "-" + strings.Join(keyValues, "@")
- value = cc2Counter.IncreaseKey(ccKey, period)
+ value = counters.SharedCounter.IncreaseKey(ccKey, period)
 
 // 基于指纹统计
 var enableFingerprint = true
@@ -96,7 +94,7 @@ func (this *CC2Checkpoint) RequestValue(req requests.Request, param string, opti
 fpKeyValues = append(fpKeyValues, req.Format(types.String(key)))
 }
 var fpCCKey = "WAF-CC-" + types.String(ruleId) + "-" + strings.Join(fpKeyValues, "@")
- var fpValue = cc2Counter.IncreaseKey(fpCCKey, period)
+ var fpValue = counters.SharedCounter.IncreaseKey(fpCCKey, period)
 if fpValue > value.(uint64) {
 value = fpValue
 }
diff --git a/internal/waf/counter.go b/internal/waf/counter.go
deleted file mode 100644
index 818e746..0000000
--- a/internal/waf/counter.go
+++ /dev/null
@@ -1,7 +0,0 @@
-// Copyright 2023 GoEdge CDN goedge.cdn@gmail.com. All rights reserved. Official site: https://goedge.cn .
-
-package waf
-
-import "github.com/TeaOSLab/EdgeNode/internal/utils/counters"
-
-var SharedCounter = counters.NewCounter().WithGC()
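Review bot: The new key format in CCCheckpoint.RequestValue puts the rule id first and the namespace in the middle (`types.String(ruleId)+"@WAF_CC@"+key`), whereas every other key this commit moves onto the shared counter leads with its namespace (`WAF:JS_COOKIE:FAILS:`, `WAF:CAPTCHA:FAILS:`, and `WAF-CC-` in the cc2.go hunks). In a key space shared across features a consistent leading prefix is easier to audit for collisions and to match on when inspecting or resetting one feature's entries; suggest `value = counters.SharedCounter.IncreaseKey("WAF:CC:"+types.String(ruleId)+":"+key, types.Int(period))`. RequestValue begins before and ends after this hunk, so the source of `key` and `period` is not visible here.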