From c43387bf6a3ebb1a949be3bb29a38c4ab4bc7280 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E5=88=98=E7=A5=A5=E8=B6=85?=
Date: Thu, 25 May 2023 12:02:40 +0800
Subject: [PATCH] =?UTF-8?q?WAF=E5=9B=BD=E5=AE=B6/=E5=9C=B0=E5=8C=BA?= =?UTF-8?q?=E5=B0=81=E7=A6=81=E3=80=81=E7=9C=81=E4=BB=BD=E5=B0=81=E7=A6=81?= =?UTF-8?q?=E5=A2=9E=E5=8A=A0=E4=BE=8B=E5=A4=96URL=E3=80=81=E9=99=90?= =?UTF-8?q?=E5=88=B6URL?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 internal/nodes/http_request_waf.go | 63 ++++++++++++++++--------------
 1 file changed, 34 insertions(+), 29 deletions(-)
diff --git a/internal/nodes/http_request_waf.go b/internal/nodes/http_request_waf.go
index 76cd9b1..c2846cb 100644
--- a/internal/nodes/http_request_waf.go
+++ b/internal/nodes/http_request_waf.go
@@ -163,47 +163,52 @@ func (this *HTTPRequest) checkWAFRequest(firewallPolicy *firewallconfigs.HTTPFir // 检查地区封禁 if firewallPolicy.Mode == firewallconfigs.FirewallModeDefend { if firewallPolicy.Inbound.Region != nil && firewallPolicy.Inbound.Region.IsOn { - regionConfig := firewallPolicy.Inbound.Region + var regionConfig = firewallPolicy.Inbound.Region if regionConfig.IsNotEmpty() { for _, remoteAddr := range remoteAddrs { var result = iplib.LookupIP(remoteAddr) if result != nil && result.IsOk() { - // 检查国家/地区级别封禁 - var countryId = result.CountryId() - if countryId > 0 && lists.ContainsInt64(regionConfig.DenyCountryIds, countryId) { - this.firewallPolicyId = firewallPolicy.Id + var currentURL = this.URL() + if regionConfig.MatchCountryURL(currentURL) { + // 检查国家/地区级别封禁 + var countryId = result.CountryId() + if countryId > 0 && lists.ContainsInt64(regionConfig.DenyCountryIds, countryId) { + this.firewallPolicyId = firewallPolicy.Id - this.writeCode(http.StatusForbidden, "", "") - this.writer.Flush() - this.writer.Close() + this.writeCode(http.StatusForbidden, "", "") + this.writer.Flush() + this.writer.Close() - // 停止日志 - if !logDenying { - this.disableLog = true - } else { - this.tags = append(this.tags, "denyCountry") + // 停止日志 + if !logDenying { + this.disableLog = true + } else { + this.tags = append(this.tags, "denyCountry") + } + + return true, false } - - return true, false } - // 检查省份封禁 - var provinceId = result.ProvinceId() - if provinceId > 0 && lists.ContainsInt64(regionConfig.DenyProvinceIds, provinceId) { - this.firewallPolicyId = firewallPolicy.Id + if regionConfig.MatchProvinceURL(currentURL) { + // 检查省份封禁 + var provinceId = result.ProvinceId() + if provinceId > 0 && lists.ContainsInt64(regionConfig.DenyProvinceIds, provinceId) { + this.firewallPolicyId = firewallPolicy.Id - this.writeCode(http.StatusForbidden, "", "") - this.writer.Flush() - this.writer.Close() + this.writeCode(http.StatusForbidden, "", "") + this.writer.Flush() + this.writer.Close() 
- // 停止日志 - if !logDenying { - this.disableLog = true - } else { - this.tags = append(this.tags, "denyProvince") + // 停止日志 + if !logDenying { + this.disableLog = true + } else { + this.tags = append(this.tags, "denyProvince") + } + + return true, false } - - return true, false } } }
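Review bot: The two new guards make the region ban fail open on the request URL: when `regionConfig.MatchCountryURL(currentURL)` or `regionConfig.MatchProvinceURL(currentURL)` returns false, the deny-list check for that level is skipped entirely, and `this.URL()` is presumably derived from what the client sent. Neither matcher is visible in this hunk, so please confirm that both return true when no only/except URL lists are configured (otherwise existing country and province bans stop applying after upgrade), and that they compare against a normalised path rather than the raw request string. A comment above the first guard would record that contract, for example `// URL scoping: the ban applies only when the request URL is in scope; empty only/except lists must mean "all URLs"`. `var currentURL = this.URL()` does not depend on `remoteAddr` and could be declared once above `for _, remoteAddr := range remoteAddrs {`. checkWAFRequest starts and ends outside this hunk, so the surrounding handling was not reviewed.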