优化WAF黑名单处理

This commit is contained in:
刘祥超
2023-03-31 21:37:15 +08:00
parent 964524816f
commit d9fa3dcc3b
11 changed files with 157 additions and 84 deletions


@@ -119,13 +119,7 @@ func (this *JSCookieAction) increaseFails(req requests.Request, policyId int64,
var countFails = ttlcache.SharedCache.IncreaseInt64(key, 1, time.Now().Unix()+300, true)
if int(countFails) >= maxFails {
var useLocalFirewall = false
if this.Scope == firewallconfigs.FirewallScopeGlobal {
useLocalFirewall = true
}
SharedIPBlackList.RecordIP(IPTypeAll, firewallconfigs.FirewallScopeService, req.WAFServerId(), req.WAFRemoteIP(), time.Now().Unix()+int64(failBlockTimeout), policyId, useLocalFirewall, groupId, setId, "JS_COOKIE验证连续失败超过"+types.String(maxFails)+"次")
SharedIPBlackList.RecordIP(IPTypeAll, firewallconfigs.FirewallScopeService, req.WAFServerId(), req.WAFRemoteIP(), time.Now().Unix()+int64(failBlockTimeout), policyId, true, groupId, setId, "JS_COOKIE验证连续失败超过"+types.String(maxFails)+"次")
return false
}
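Review bot: The rewritten `SharedIPBlackList.RecordIP(... policyId, true, groupId, setId, ...)` asks for a local firewall drop regardless of `this.Scope`, while the list scope passed in the same call stays `firewallconfigs.FirewallScopeService`. As far as this commit shows, the node firewall call takes only the IP and an expiry (`firewalls.DropTemporaryTo(ip, expiresAt)` in the IPList hunk), so a client that keeps failing the JS cookie challenge on one service is presumably now cut off at packet level from every service on the node for `failBlockTimeout` seconds — a broader response than before, and one that hits every client behind a shared NAT address. If that is the intended trade-off, the line deserves a comment stating it, e.g. `// always drop at the node firewall: repeated JS-cookie failures block this IP for every service on the node, not just this one`. `increaseFails` starts before the hunk.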


@@ -30,7 +30,7 @@ type recordIPTask struct {
sourceHTTPFirewallRuleSetId int64
}
var recordIPTaskChan = make(chan *recordIPTask, 1024)
var recordIPTaskChan = make(chan *recordIPTask, 2048)
func init() {
if !teaconst.IsMain {
@@ -45,32 +45,56 @@ func init() {
return
}
for task := range recordIPTaskChan {
ipType := "ipv4"
if strings.Contains(task.ip, ":") {
ipType = "ipv6"
}
var reason = task.reason
if len(reason) == 0 {
reason = "触发WAF规则自动加入"
}
_, err = rpcClient.IPItemRPC.CreateIPItem(rpcClient.Context(), &pb.CreateIPItemRequest{
IpListId: task.listId,
IpFrom: task.ip,
IpTo: "",
ExpiredAt: task.expiresAt,
Reason: reason,
Type: ipType,
EventLevel: task.level,
ServerId: task.serverId,
SourceNodeId: teaconst.NodeId,
SourceServerId: task.sourceServerId,
SourceHTTPFirewallPolicyId: task.sourceHTTPFirewallPolicyId,
SourceHTTPFirewallRuleGroupId: task.sourceHTTPFirewallRuleGroupId,
SourceHTTPFirewallRuleSetId: task.sourceHTTPFirewallRuleSetId,
})
if err != nil {
remotelogs.Error("WAF_RECORD_IP_ACTION", "create ip item failed: "+err.Error())
const maxItems = 512 // 每次上传的最大IP数
for {
var pbItems = []*pb.CreateIPItemsRequest_IPItem{}
func() {
for {
select {
case task := <-recordIPTaskChan:
var ipType = "ipv4"
if strings.Contains(task.ip, ":") {
ipType = "ipv6"
}
var reason = task.reason
if len(reason) == 0 {
reason = "触发WAF规则自动加入"
}
pbItems = append(pbItems, &pb.CreateIPItemsRequest_IPItem{
IpListId: task.listId,
IpFrom: task.ip,
IpTo: "",
ExpiredAt: task.expiresAt,
Reason: reason,
Type: ipType,
EventLevel: task.level,
ServerId: task.serverId,
SourceNodeId: teaconst.NodeId,
SourceServerId: task.sourceServerId,
SourceHTTPFirewallPolicyId: task.sourceHTTPFirewallPolicyId,
SourceHTTPFirewallRuleGroupId: task.sourceHTTPFirewallRuleGroupId,
SourceHTTPFirewallRuleSetId: task.sourceHTTPFirewallRuleSetId,
})
if len(pbItems) >= maxItems {
return
}
default:
return
}
}
}()
if len(pbItems) > 0 {
_, err = rpcClient.IPItemRPC.CreateIPItems(rpcClient.Context(), &pb.CreateIPItemsRequest{IpItems: pbItems})
if err != nil {
remotelogs.Error("WAF_RECORD_IP_ACTION", "create ip item failed: "+err.Error())
}
} else {
time.Sleep(1 * time.Second)
}
}
})
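Review bot: A failed `rpcClient.IPItemRPC.CreateIPItems(...)` call now discards the whole batch after logging, so one RPC error loses up to `maxItems` (512) blacklist entries instead of one; those IPs remain blocked only in this node's in-memory list and never reach the shared list, leaving the cluster silently out of sync. A bounded retry before giving up would cover transient API failures, e.g. between the call and the error log: `for attempt := 0; attempt < 3 && err != nil; attempt++ { time.Sleep(time.Second); _, err = rpcClient.IPItemRPC.CreateIPItems(rpcClient.Context(), &pb.CreateIPItemsRequest{IpItems: pbItems}) }`. Separately, the empty-batch branch polls with `time.Sleep(1 * time.Second)`, which adds up to a second to every upload; receiving the first task with a blocking `<-recordIPTaskChan` and only then draining with the non-blocking `select` would remove the sleep without changing the batch size. The enclosing `init` and its goroutine start before the hunk.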


@@ -29,13 +29,7 @@ func CaptchaIncreaseFails(req requests.Request, actionConfig *CaptchaAction, pol
}
var countFails = ttlcache.SharedCache.IncreaseInt64(CaptchaCacheKey(req, pageCode), 1, time.Now().Unix()+300, true)
if int(countFails) >= maxFails {
var useLocalFirewall = false
if actionConfig.FailBlockScopeAll {
useLocalFirewall = true
}
SharedIPBlackList.RecordIP(IPTypeAll, firewallconfigs.FirewallScopeService, req.WAFServerId(), req.WAFRemoteIP(), time.Now().Unix()+int64(failBlockTimeout), policyId, useLocalFirewall, groupId, setId, "CAPTCHA验证连续失败超过"+types.String(maxFails)+"次")
SharedIPBlackList.RecordIP(IPTypeAll, firewallconfigs.FirewallScopeService, req.WAFServerId(), req.WAFRemoteIP(), time.Now().Unix()+int64(failBlockTimeout), policyId, true, groupId, setId, "CAPTCHA验证连续失败超过"+types.String(maxFails)+"次")
return false
}
}
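Review bot: The rewritten call passes `true` where the removed lines consulted `actionConfig.FailBlockScopeAll`, so that configuration flag no longer decides whether the client is dropped at the node firewall in this path; unless it is honoured elsewhere, an operator who left it unset still gets node-wide packet drops for captcha failures on a single service. Either the flag should be removed from `CaptchaAction` or documented as no longer affecting the firewall, or the check belongs back in the call: `SharedIPBlackList.RecordIP(IPTypeAll, firewallconfigs.FirewallScopeService, req.WAFServerId(), req.WAFRemoteIP(), time.Now().Unix()+int64(failBlockTimeout), policyId, actionConfig.FailBlockScopeAll, groupId, setId, "CAPTCHA验证连续失败超过"+types.String(maxFails)+"次")`. `CaptchaIncreaseFails` starts before the hunk.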


@@ -10,7 +10,6 @@ import (
"github.com/iwind/TeaGo/types"
"sync"
"sync/atomic"
"time"
)
var SharedIPWhiteList = NewIPList(IPListTypeAllow)
@@ -95,6 +94,12 @@ func (this *IPList) RecordIP(ipType string,
this.Add(ipType, scope, serverId, ip, expiresAt)
if this.listType == IPListTypeDeny {
// 作用域
var scopeServerId int64
if scope == firewallconfigs.FirewallScopeService {
scopeServerId = serverId
}
// 加入队列等待上传
select {
case recordIPTaskChan <- &recordIPTask{
@@ -102,7 +107,7 @@ func (this *IPList) RecordIP(ipType string,
listId: firewallconfigs.GlobalListId,
expiresAt: expiresAt,
level: firewallconfigs.DefaultEventLevel,
serverId: serverId,
serverId: scopeServerId,
sourceServerId: serverId,
sourceHTTPFirewallPolicyId: policyId,
sourceHTTPFirewallRuleGroupId: groupId,
@@ -114,15 +119,8 @@ func (this *IPList) RecordIP(ipType string,
}
// 使用本地防火墙
if useLocalFirewall {
var seconds = expiresAt - time.Now().Unix()
if seconds > 0 {
// 最大3600防止误封时间过长
if seconds > 3600 {
seconds = 3600
}
_ = firewalls.Firewall().DropSourceIP(ip, int(seconds), true)
}
if useLocalFirewall && expiresAt > 0 {
firewalls.DropTemporaryTo(ip, expiresAt)
}
// 关闭此IP相关连接
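Review bot: `firewalls.DropTemporaryTo(ip, expiresAt)` no longer applies the 3600-second ceiling the removed lines enforced (commented there as protection against over-long blocks on false positives) and drops the `seconds > 0` check, so an `expiresAt` far in the future, or one already in the past, is now handed straight to the firewall layer. If `DropTemporaryTo` bounds the duration itself, say so at the call site: `// DropTemporaryTo bounds the drop duration; the 3600s cap formerly applied here now lives there` — otherwise the cap needs to return at this call. Separately, `scopeServerId` narrows the uploaded list item to the service for `FirewallScopeService`, but the firewall call carries no server id, so a service-scoped block still removes the IP from every service on this node whenever `useLocalFirewall` is set, and both callers changed in this commit now always set it. `RecordIP` starts before the hunk.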