TRKJ/EdgeNode
2
0
Fork 0
mirror of https://github.com/TeaOSLab/EdgeNode.git synced 2025-12-25 22:46:34 +08:00
Code Issues Packages Projects Releases Wiki Activity

优化WAF

Browse Source 
* 信息加密使用struct代替map,以缩短加密后内容长度
* 拦截动作、人机识别动作增加是否尝试全局封禁选项
* JSCookie识别动作增加默认设置选项
* 人机识别中传入info参数异常时,尝试跳转到来源地址,避免直接提示invalid request
This commit is contained in:
GoEdgeLab
2024-04-07 14:31:22 +08:00
parent 3f012b6021
commit b772085ef2
18 changed files with 441 additions and 129 deletions
Download Patch File Download Diff File Expand all files Collapse all files

34
internal/waf/action_js_cookie.go
View File

@@ -22,10 +22,32 @@ type JSCookieAction struct {
MaxFails int `yaml:"maxFails" json:"maxFails"` // 最大失败次数
FailBlockTimeout int `yaml:"failBlockTimeout" json:"failBlockTimeout"` // 失败拦截时间
Scope string `yaml:"scope" json:"scope"`
FailBlockScopeAll bool `yaml:"failBlockScopeAll" json:"failBlockScopeAll"`
}
func (this *JSCookieAction) Init(waf *WAF) error {
this.Scope = firewallconfigs.FirewallScopeGlobal
if waf.DefaultJSCookieAction != nil {
if this.Life <= 0 {
this.Life = waf.DefaultJSCookieAction.Life
}
if this.MaxFails <= 0 {
this.MaxFails = waf.DefaultJSCookieAction.MaxFails
}
if this.FailBlockTimeout <= 0 {
this.FailBlockTimeout = waf.DefaultJSCookieAction.FailBlockTimeout
}
if len(this.Scope) == 0 {
this.Scope = waf.DefaultJSCookieAction.Scope
}
this.FailBlockScopeAll = waf.DefaultJSCookieAction.FailBlockScopeAll
}
if len(this.Scope) == 0 {
this.Scope = firewallconfigs.FirewallScopeGlobal
}
return nil
}
@@ -107,19 +129,19 @@ window.location.reload();
_, _ = writer.Write([]byte(respHTML))
// 记录失败次数
this.increaseFails(req, waf.Id, group.Id, set.Id)
this.increaseFails(req, waf.Id, group.Id, set.Id, waf.UseLocalFirewall && (this.FailBlockScopeAll || this.Scope == firewallconfigs.FirewallScopeGlobal))
return PerformResult{}
}
func (this *JSCookieAction) increaseFails(req requests.Request, policyId int64, groupId int64, setId int64) (goNext bool) {
func (this *JSCookieAction) increaseFails(req requests.Request, policyId int64, groupId int64, setId int64, useLocalFirewall bool) (goNext bool) {
var maxFails = this.MaxFails
var failBlockTimeout = this.FailBlockTimeout
if maxFails <= 0 {
maxFails = 10 // 默认10次
} else if maxFails <= 3 {
maxFails = 3 // 不能小于3防止意外刷新出现
} else if maxFails <= 5 {
maxFails = 5 // 不能小于3防止意外刷新出现
}
if failBlockTimeout <= 0 {
failBlockTimeout = 1800 // 默认1800s
@@ -129,7 +151,7 @@ func (this *JSCookieAction) increaseFails(req requests.Request, policyId int64,
var countFails = counters.SharedCounter.IncreaseKey(key, 300)
if int(countFails) >= maxFails {
SharedIPBlackList.RecordIP(IPTypeAll, firewallconfigs.FirewallScopeService, req.WAFServerId(), req.WAFRemoteIP(), time.Now().Unix()+int64(failBlockTimeout), policyId, true, groupId, setId, "JS_COOKIE验证连续失败超过"+types.String(maxFails)+"次")
SharedIPBlackList.RecordIP(IPTypeAll, firewallconfigs.FirewallScopeServer, req.WAFServerId(), req.WAFRemoteIP(), time.Now().Unix()+int64(failBlockTimeout), policyId, useLocalFirewall, groupId, setId, "JS_COOKIE验证连续失败超过"+types.String(maxFails)+"次")
return false
}