WAF国家/地区封禁、省份封禁增加例外URL、限制URL

2025-12-01 21:30:24 +08:00 · 2023-05-25 12:02:40 +08:00
parent 47f5cbeac9
commit c43387bf6a
1 changed files with 34 additions and 29 deletions
--- a/internal/nodes/http_request_waf.go
+++ b/internal/nodes/http_request_waf.go
@@ -163,47 +163,52 @@ func (this *HTTPRequest) checkWAFRequest(firewallPolicy *firewallconfigs.HTTPFir
 	// 检查地区封禁
 	if firewallPolicy.Mode == firewallconfigs.FirewallModeDefend {
 		if firewallPolicy.Inbound.Region != nil && firewallPolicy.Inbound.Region.IsOn {
-			regionConfig := firewallPolicy.Inbound.Region
+			var regionConfig = firewallPolicy.Inbound.Region
 			if regionConfig.IsNotEmpty() {
 				for _, remoteAddr := range remoteAddrs {
 					var result = iplib.LookupIP(remoteAddr)
 					if result != nil && result.IsOk() {
-						// 检查国家/地区级别封禁
-						var countryId = result.CountryId()
-						if countryId > 0 && lists.ContainsInt64(regionConfig.DenyCountryIds, countryId) {
-							this.firewallPolicyId = firewallPolicy.Id
+						var currentURL = this.URL()
+						if regionConfig.MatchCountryURL(currentURL) {
+							// 检查国家/地区级别封禁
+							var countryId = result.CountryId()
+							if countryId > 0 && lists.ContainsInt64(regionConfig.DenyCountryIds, countryId) {
+								this.firewallPolicyId = firewallPolicy.Id

-							this.writeCode(http.StatusForbidden, "", "")
-							this.writer.Flush()
-							this.writer.Close()
+								this.writeCode(http.StatusForbidden, "", "")
+								this.writer.Flush()
+								this.writer.Close()

-							// 停止日志
-							if !logDenying {
-								this.disableLog = true
-							} else {
-								this.tags = append(this.tags, "denyCountry")
+								// 停止日志
+								if !logDenying {
+									this.disableLog = true
+								} else {
+									this.tags = append(this.tags, "denyCountry")
+								}
+
+								return true, false
 							}
-
-							return true, false
 						}

-						// 检查省份封禁
-						var provinceId = result.ProvinceId()
-						if provinceId > 0 && lists.ContainsInt64(regionConfig.DenyProvinceIds, provinceId) {
-							this.firewallPolicyId = firewallPolicy.Id
+						if regionConfig.MatchProvinceURL(currentURL) {
+							// 检查省份封禁
+							var provinceId = result.ProvinceId()
+							if provinceId > 0 && lists.ContainsInt64(regionConfig.DenyProvinceIds, provinceId) {
+								this.firewallPolicyId = firewallPolicy.Id

-							this.writeCode(http.StatusForbidden, "", "")
-							this.writer.Flush()
-							this.writer.Close()
+								this.writeCode(http.StatusForbidden, "", "")
+								this.writer.Flush()
+								this.writer.Close()

-							// 停止日志
-							if !logDenying {
-								this.disableLog = true
-							} else {
-								this.tags = append(this.tags, "denyProvince")
+								// 停止日志
+								if !logDenying {
+									this.disableLog = true
+								} else {
+									this.tags = append(this.tags, "denyProvince")
+								}
+
+								return true, false
 							}
-
-							return true, false
 						}
 					}
 				}