From cfa55f60a69f9b0d9527a08e869a941d4d29b199 Mon Sep 17 00:00:00 2001
From: GoEdgeLab
Date: Sat, 16 Jul 2022 18:47:59 +0800
Subject: [PATCH] =?UTF-8?q?WAF=E7=AD=96=E7=95=A5=E5=A2=9E=E5=8A=A0?=
 =?UTF-8?q?=E8=AE=B0=E5=BD=95=E5=8C=BA=E5=9F=9F=E5=B0=81=E7=A6=81=E6=97=A5?=
 =?UTF-8?q?=E5=BF=97=E9=80=89=E9=A1=B9?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 internal/nodes/http_request.go | 17 +++++++------
 internal/nodes/http_request_waf.go | 40 +++++++++++++++++++++---------
 2 files changed, 38 insertions(+), 19 deletions(-)

diff --git a/internal/nodes/http_request.go b/internal/nodes/http_request.go
index a89df76..f4bff67 100644
--- a/internal/nodes/http_request.go
+++ b/internal/nodes/http_request.go
@@ -1114,7 +1114,7 @@ func (this *HTTPRequest) requestRemoteAddr(supportVar bool) string {
 // 获取请求的客户端地址列表
 func (this *HTTPRequest) requestRemoteAddrs() (result []string) {
 	// X-Forwarded-For
-	forwardedFor := this.RawReq.Header.Get("X-Forwarded-For")
+	var forwardedFor = this.RawReq.Header.Get("X-Forwarded-For")
 	if len(forwardedFor) > 0 {
 		commaIndex := strings.Index(forwardedFor, ",")
 		if commaIndex > 0 {
@@ -1139,13 +1139,16 @@ func (this *HTTPRequest) requestRemoteAddrs() (result []string) {
 	}
 
 	// Remote-Addr
-	remoteAddr := this.RawReq.RemoteAddr
-	host, _, err := net.SplitHostPort(remoteAddr)
-	if err == nil {
-		result = append(result, host)
-	} else {
-		result = append(result, remoteAddr)
+	{
+		var remoteAddr = this.RawReq.RemoteAddr
+		host, _, err := net.SplitHostPort(remoteAddr)
+		if err == nil {
+			result = append(result, host)
+		} else {
+			result = append(result, remoteAddr)
+		}
 	}
+
 	return
 }
 
diff --git a/internal/nodes/http_request_waf.go b/internal/nodes/http_request_waf.go
index 4f126ee..02284a8 100644
--- a/internal/nodes/http_request_waf.go
+++ b/internal/nodes/http_request_waf.go
@@ -55,17 +55,19 @@ func (this *HTTPRequest) doWAFRequest() (blocked bool) {
 
 	var forceLog = false
 	var forceLogRequestBody = false
+	var forceLogRegionDenying = false
 	if this.ReqServer.HTTPFirewallPolicy != nil &&
 		this.ReqServer.HTTPFirewallPolicy.IsOn &&
 		this.ReqServer.HTTPFirewallPolicy.Log != nil &&
 		this.ReqServer.HTTPFirewallPolicy.Log.IsOn {
 		forceLog = true
 		forceLogRequestBody = this.ReqServer.HTTPFirewallPolicy.Log.RequestBody
+		forceLogRegionDenying = this.ReqServer.HTTPFirewallPolicy.Log.RegionDenying
 	}
 
 	// 当前服务的独立设置
 	if this.web.FirewallPolicy != nil && this.web.FirewallPolicy.IsOn {
-		blocked, breakChecking := this.checkWAFRequest(this.web.FirewallPolicy, forceLog, forceLogRequestBody)
+		blocked, breakChecking := this.checkWAFRequest(this.web.FirewallPolicy, forceLog, forceLogRequestBody, forceLogRegionDenying)
 		if blocked {
 			return true
 		}
@@ -76,7 +78,7 @@ func (this *HTTPRequest) doWAFRequest() (blocked bool) {
 
 	// 公用的防火墙设置
 	if this.ReqServer.HTTPFirewallPolicy != nil && this.ReqServer.HTTPFirewallPolicy.IsOn {
-		blocked, breakChecking := this.checkWAFRequest(this.ReqServer.HTTPFirewallPolicy, forceLog, forceLogRequestBody)
+		blocked, breakChecking := this.checkWAFRequest(this.ReqServer.HTTPFirewallPolicy, forceLog, forceLogRequestBody, forceLogRegionDenying)
 		if blocked {
 			return true
 		}
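Review bot: The new `forceLogRegionDenying` flag at the top of `doWAFRequest` has no comment saying what it changes, and its effect is only visible two hunks later in `checkWAFRequest` (a request refused by country or province keeps its access-log entry and gets a `denyCountry`/`denyProvince` tag instead of setting `disableLog`). A line such as `// when set, region (country/province) denials are still written to the access log, tagged denyCountry/denyProvince` next to the declaration would save the reader the jump. Like `forceLog` and `forceLogRequestBody`, the value is read only from the shared `ReqServer.HTTPFirewallPolicy.Log` yet is also passed for the per-site `this.web.FirewallPolicy` check; if the site policy carries its own `Log.RegionDenying` setting it is not consulted here, which is worth confirming as intended. `doWAFRequest` begins and ends outside the hunk.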
@@ -88,15 +90,21 @@ func (this *HTTPRequest) doWAFRequest() (blocked bool) {
 	return
 }
 
-func (this *HTTPRequest) checkWAFRequest(firewallPolicy *firewallconfigs.HTTPFirewallPolicy, forceLog bool, logRequestBody bool) (blocked bool, breakChecking bool) {
+func (this *HTTPRequest) checkWAFRequest(firewallPolicy *firewallconfigs.HTTPFirewallPolicy, forceLog bool, logRequestBody bool, logDenying bool) (blocked bool, breakChecking bool) {
 	// 检查配置是否为空
 	if firewallPolicy == nil || !firewallPolicy.IsOn || firewallPolicy.Inbound == nil || !firewallPolicy.Inbound.IsOn || firewallPolicy.Mode == firewallconfigs.FirewallModeBypass {
 		return
 	}
 
 	// 检查IP白名单
-	remoteAddrs := this.requestRemoteAddrs()
-	inbound := firewallPolicy.Inbound
+	var remoteAddrs []string
+	if len(this.remoteAddr) > 0 {
+		remoteAddrs = []string{this.remoteAddr}
+	} else {
+		remoteAddrs = this.requestRemoteAddrs()
+	}
+
+	var inbound = firewallPolicy.Inbound
 	if inbound == nil {
 		return
 	}
@@ -167,13 +175,17 @@ func (this *HTTPRequest) checkWAFRequest(firewallPolicy *firewallconfigs.HTTPFir
 			if len(regionConfig.DenyCountryIds) > 0 && len(result.Country) > 0 {
 				countryId := iplibrary.SharedCountryManager.Lookup(result.Country)
 				if countryId > 0 && lists.ContainsInt64(regionConfig.DenyCountryIds, countryId) {
-					// TODO 可以配置对封禁的处理方式等
-					// TODO 需要记录日志信息
+					this.firewallPolicyId = firewallPolicy.Id
+					this.writer.WriteHeader(http.StatusForbidden)
 					this.writer.Close()
 
 					// 停止日志
-					this.disableLog = true
+					if !logDenying {
+						this.disableLog = true
+					} else {
+						this.tags = append(this.tags, "denyCountry")
+					}
 					return true, false
 				}
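Review bot: The new `remoteAddrs` selection falls back to `this.requestRemoteAddrs()` when `this.remoteAddr` is empty, and that helper (first hunk of http_request.go in this patch) takes its first entry from the client-supplied `X-Forwarded-For` header, so in the fallback case the IP allow-list and the region deny checks below key on an address the client chose rather than the connection's peer address. Presumably `this.remoteAddr` is left empty only when no trusted upstream resolved the client address; if so, say it at the branch, `// this.remoteAddr (resolved earlier) is authoritative; requestRemoteAddrs() falls back to X-Forwarded-For, which the client controls`, and if not, the fallback should be limited to the connection's `RemoteAddr`. The added parameter is named `logDenying` here but `forceLogRegionDenying` at both call sites and sits next to `logRequestBody`; `logRegionDenying` would match both. `checkWAFRequest`'s body continues past the hunk.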
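Review bot: The country branch here and the province branch in the next hunk now carry the same six lines (set `firewallPolicyId`, write the 403, close the writer, then either set `disableLog` or append a tag) and differ only in the tag string, so a small helper on `*HTTPRequest` would keep the two paths in step the next time the deny handling changes. Both branches also leave no trace of the ban in the access log when `logDenying` is off, which is what the new option is for, but a comment on the `if !logDenying` line, `// region denials are logged only when the policy asks for it; otherwise the 403 is silent`, would make that explicit at the point of decision. The enclosing `checkWAFRequest` starts and ends outside the hunk.
```go
// denyRegion attributes a country/province ban to the policy, answers 403 and
// either suppresses the access-log entry or tags it so the denial stays visible.
func (this *HTTPRequest) denyRegion(firewallPolicy *firewallconfigs.HTTPFirewallPolicy, logDenying bool, tag string) {
	this.firewallPolicyId = firewallPolicy.Id
	this.writer.WriteHeader(http.StatusForbidden)
	this.writer.Close()

	// 停止日志 — only when the policy does not ask for region denials to be logged
	if !logDenying {
		this.disableLog = true
		return
	}
	this.tags = append(this.tags, tag)
}

// … in checkWAFRequest, country branch (the province branch mirrors it with "denyProvince") …
if countryId > 0 && lists.ContainsInt64(regionConfig.DenyCountryIds, countryId) {
	this.denyRegion(firewallPolicy, logDenying, "denyCountry")
	return true, false
}
```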
@@ -181,15 +193,19 @@ func (this *HTTPRequest) checkWAFRequest(firewallPolicy *firewallconfigs.HTTPFir
 
 			// 检查省份封禁
 			if len(regionConfig.DenyProvinceIds) > 0 && len(result.Province) > 0 {
-				provinceId := iplibrary.SharedProvinceManager.Lookup(result.Province)
+				var provinceId = iplibrary.SharedProvinceManager.Lookup(result.Province)
 				if provinceId > 0 && lists.ContainsInt64(regionConfig.DenyProvinceIds, provinceId) {
-					// TODO 可以配置对封禁的处理方式等
-					// TODO 需要记录日志信息
+					this.firewallPolicyId = firewallPolicy.Id
+					this.writer.WriteHeader(http.StatusForbidden)
 					this.writer.Close()
 
 					// 停止日志
-					this.disableLog = true
+					if !logDenying {
+						this.disableLog = true
+					} else {
+						this.tags = append(this.tags, "denyProvince")
+					}
 					return true, false
 				}