WAF在输出内容时也加入自定义的响应报头

internal/waf/action_block.go

@@ -82,8 +82,10 @@ func (this *BlockAction) Perform(waf *WAF, group *RuleGroup, set *RuleSet, reque
 
 		// output response
 		if this.StatusCode > 0 {
+			request.ProcessResponseHeaders(writer.Header(), this.StatusCode)
 			writer.WriteHeader(this.StatusCode)
 		} else {
+			request.ProcessResponseHeaders(writer.Header(), http.StatusForbidden)
 			writer.WriteHeader(http.StatusForbidden)
 		}
 		if len(this.URL) > 0 {

internal/waf/action_page.go

@@ -36,6 +36,7 @@ func (this *PageAction) WillChange() bool {
 
 // Perform the action
 func (this *PageAction) Perform(waf *WAF, group *RuleGroup, set *RuleSet, request requests.Request, writer http.ResponseWriter) (continueRequest bool, goNextSet bool) {
+	request.ProcessResponseHeaders(writer.Header(), this.Status)
 	writer.Header().Set("Content-Type", "text/html; charset=utf-8")
 	writer.WriteHeader(this.Status)
 	_, _ = writer.Write([]byte(request.Format(this.Body)))

internal/waf/action_record_ip.go

@@ -146,6 +146,7 @@ func (this *RecordIPAction) Perform(waf *WAF, group *RuleGroup, set *RuleSet, re
 	var expiresAt = time.Now().Unix() + int64(timeout)
 
 	if this.Type == "black" {
+		request.ProcessResponseHeaders(writer.Header(), http.StatusForbidden)
 		writer.WriteHeader(http.StatusForbidden)
 
 		request.WAFClose()

internal/waf/action_redirect.go

@@ -36,6 +36,7 @@ func (this *RedirectAction) WillChange() bool {
 
 // Perform the action
 func (this *RedirectAction) Perform(waf *WAF, group *RuleGroup, set *RuleSet, request requests.Request, writer http.ResponseWriter) (continueRequest bool, goNextSet bool) {
+	request.ProcessResponseHeaders(writer.Header(), this.Status)
 	writer.Header().Set("Location", this.URL)
 	writer.WriteHeader(this.Status)
 

internal/waf/captcha_validator.go

@@ -26,6 +26,7 @@ func NewCaptchaValidator() *CaptchaValidator {
 func (this *CaptchaValidator) Run(req requests.Request, writer http.ResponseWriter) {
 	var info = req.WAFRaw().URL.Query().Get("info")
 	if len(info) == 0 {
+		req.ProcessResponseHeaders(writer.Header(), http.StatusBadRequest)
 		writer.WriteHeader(http.StatusBadRequest)
 		_, _ = writer.Write([]byte("invalid request"))
 		return
@@ -183,8 +184,7 @@ func (this *CaptchaValidator) show(actionConfig *CaptchaAction, req requests.Req
 		}
 	}
 
-	writer.Header().Set("Content-Type", "text/html; charset=utf-8")
-	_, _ = writer.Write([]byte(`<!DOCTYPE html>
+	var msgHTML = `<!DOCTYPE html>
 <html>
 <head>
 	<title>` + msgTitle + `</title>
@@ -206,7 +206,13 @@ func (this *CaptchaValidator) show(actionConfig *CaptchaAction, req requests.Req
 </head>
 <body>` + body + `
 </body>
-</html>`))
+</html>`
+
+	req.ProcessResponseHeaders(writer.Header(), http.StatusOK)
+	writer.Header().Set("Content-Type", "text/html; charset=utf-8")
+	writer.Header().Set("Content-Length", types.String(len(msgHTML)))
+	writer.WriteHeader(http.StatusOK)
+	_, _ = writer.Write([]byte(msgHTML))
 }
 
 func (this *CaptchaValidator) validate(actionConfig *CaptchaAction, policyId int64, groupId int64, setId int64, originURL string, req requests.Request, writer http.ResponseWriter) (allow bool) {

internal/waf/get302_validator.go

@@ -22,6 +22,7 @@ func NewGet302Validator() *Get302Validator {
 func (this *Get302Validator) Run(request requests.Request, writer http.ResponseWriter) {
 	var info = request.WAFRaw().URL.Query().Get("info")
 	if len(info) == 0 {
+		request.ProcessResponseHeaders(writer.Header(), http.StatusBadRequest)
 		writer.WriteHeader(http.StatusBadRequest)
 		_, _ = writer.Write([]byte("invalid request"))
 		return
@@ -34,6 +35,7 @@ func (this *Get302Validator) Run(request requests.Request, writer http.ResponseW
 
 	var timestamp = m.GetInt64("timestamp")
 	if time.Now().Unix()-timestamp > 5 { // 超过5秒认为失效
+		request.ProcessResponseHeaders(writer.Header(), http.StatusBadRequest)
 		writer.WriteHeader(http.StatusBadRequest)
 		_, _ = writer.Write([]byte("invalid request"))
 		return

internal/waf/requests/request.go

@@ -38,6 +38,9 @@ type Request interface {
 	// Format 格式化变量
 	Format(string) string
 
+	// ProcessResponseHeaders 处理响应Header
+	ProcessResponseHeaders(headers http.Header, status int)
+
 	// DisableAccessLog 在当前请求中不使用访问日志
 	DisableAccessLog()
 }