Compare commits
8 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
|
0e912b79cd | ||
|
|
12f3916e45 | ||
|
|
7813e2c3d2 | ||
|
|
54eff9bfae | ||
|
|
635cdd4338 | ||
|
|
4c64d3ab0f | ||
|
|
93a5c90fcb | ||
|
|
eb5e863146 |
1
build/edge-toa/.gitignore
vendored
1
build/edge-toa/.gitignore
vendored
@@ -1 +0,0 @@
|
||||
edge-toa
|
||||
BIN
build/edge-toa/edge-toa
Executable file
BIN
build/edge-toa/edge-toa
Executable file
Binary file not shown.
@@ -1,7 +1,7 @@
|
||||
package teaconst
|
||||
|
||||
const (
|
||||
Version = "0.2.3"
|
||||
Version = "0.2.4"
|
||||
|
||||
ProductName = "Edge Node"
|
||||
ProcessName = "edge-node"
|
||||
|
||||
@@ -5,6 +5,7 @@ import (
|
||||
"github.com/TeaOSLab/EdgeNode/internal/errors"
|
||||
"github.com/TeaOSLab/EdgeNode/internal/remotelogs"
|
||||
"github.com/lionsoul2014/ip2region/binding/golang/ip2region"
|
||||
"net"
|
||||
"strings"
|
||||
)
|
||||
|
||||
@@ -27,6 +28,9 @@ func (this *IP2RegionLibrary) Lookup(ip string) (*Result, error) {
|
||||
if strings.Contains(ip, ":") {
|
||||
return nil, nil
|
||||
}
|
||||
if net.ParseIP(ip) == nil {
|
||||
return nil, nil
|
||||
}
|
||||
|
||||
if this.db == nil {
|
||||
return nil, errors.New("library has not been loaded")
|
||||
|
||||
@@ -47,48 +47,55 @@ func (this *HTTPRequest) checkWAFRequest(firewallPolicy *firewallconfigs.HTTPFir
|
||||
// 检查IP白名单
|
||||
remoteAddrs := this.requestRemoteAddrs()
|
||||
inbound := firewallPolicy.Inbound
|
||||
if inbound.AllowListRef != nil && inbound.AllowListRef.IsOn && inbound.AllowListRef.ListId > 0 {
|
||||
list := iplibrary.SharedIPListManager.FindList(inbound.AllowListRef.ListId)
|
||||
if list != nil {
|
||||
found, _ := list.ContainsIPStrings(remoteAddrs)
|
||||
if found {
|
||||
breakChecking = true
|
||||
return
|
||||
if inbound == nil {
|
||||
return
|
||||
}
|
||||
for _, ref := range inbound.AllAllowListRefs() {
|
||||
if ref.IsOn && ref.ListId > 0 {
|
||||
list := iplibrary.SharedIPListManager.FindList(ref.ListId)
|
||||
if list != nil {
|
||||
found, _ := list.ContainsIPStrings(remoteAddrs)
|
||||
if found {
|
||||
breakChecking = true
|
||||
return
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
// 检查IP黑名单
|
||||
if inbound.DenyListRef != nil && inbound.DenyListRef.IsOn && inbound.DenyListRef.ListId > 0 {
|
||||
list := iplibrary.SharedIPListManager.FindList(inbound.DenyListRef.ListId)
|
||||
if list != nil {
|
||||
found, item := list.ContainsIPStrings(remoteAddrs)
|
||||
if found {
|
||||
// 触发事件
|
||||
if item != nil && len(item.EventLevel) > 0 {
|
||||
actions := iplibrary.SharedActionManager.FindEventActions(item.EventLevel)
|
||||
for _, action := range actions {
|
||||
goNext, err := action.DoHTTP(this.RawReq, this.RawWriter)
|
||||
if err != nil {
|
||||
remotelogs.Error("HTTP_REQUEST_WAF", "do action '"+err.Error()+"' failed: "+err.Error())
|
||||
return true, false
|
||||
}
|
||||
if !goNext {
|
||||
this.disableLog = true
|
||||
return true, false
|
||||
for _, ref := range inbound.AllDenyListRefs() {
|
||||
if ref.IsOn && ref.ListId > 0 {
|
||||
list := iplibrary.SharedIPListManager.FindList(ref.ListId)
|
||||
if list != nil {
|
||||
found, item := list.ContainsIPStrings(remoteAddrs)
|
||||
if found {
|
||||
// 触发事件
|
||||
if item != nil && len(item.EventLevel) > 0 {
|
||||
actions := iplibrary.SharedActionManager.FindEventActions(item.EventLevel)
|
||||
for _, action := range actions {
|
||||
goNext, err := action.DoHTTP(this.RawReq, this.RawWriter)
|
||||
if err != nil {
|
||||
remotelogs.Error("HTTP_REQUEST_WAF", "do action '"+err.Error()+"' failed: "+err.Error())
|
||||
return true, false
|
||||
}
|
||||
if !goNext {
|
||||
this.disableLog = true
|
||||
return true, false
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
// TODO 需要记录日志信息
|
||||
|
||||
this.writer.WriteHeader(http.StatusForbidden)
|
||||
this.writer.Close()
|
||||
|
||||
// 停止日志
|
||||
this.disableLog = true
|
||||
|
||||
return true, false
|
||||
}
|
||||
|
||||
// TODO 需要记录日志信息
|
||||
|
||||
this.writer.WriteHeader(http.StatusForbidden)
|
||||
this.writer.Close()
|
||||
|
||||
// 停止日志
|
||||
this.disableLog = true
|
||||
|
||||
return true, false
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -169,7 +176,25 @@ func (this *HTTPRequest) checkWAFRequest(firewallPolicy *firewallconfigs.HTTPFir
|
||||
|
||||
// call response waf
|
||||
func (this *HTTPRequest) doWAFResponse(resp *http.Response) (blocked bool) {
|
||||
firewallPolicy := sharedNodeConfig.HTTPFirewallPolicy
|
||||
// 当前服务的独立设置
|
||||
if this.web.FirewallPolicy != nil && this.web.FirewallPolicy.IsOn {
|
||||
blocked := this.checkWAFResponse(this.web.FirewallPolicy, resp)
|
||||
if blocked {
|
||||
return true
|
||||
}
|
||||
}
|
||||
|
||||
// 公用的防火墙设置
|
||||
if sharedNodeConfig.HTTPFirewallPolicy != nil {
|
||||
blocked := this.checkWAFResponse(sharedNodeConfig.HTTPFirewallPolicy, resp)
|
||||
if blocked {
|
||||
return true
|
||||
}
|
||||
}
|
||||
return
|
||||
}
|
||||
|
||||
func (this *HTTPRequest) checkWAFResponse(firewallPolicy *firewallconfigs.HTTPFirewallPolicy, resp *http.Response) (blocked bool) {
|
||||
if firewallPolicy == nil || !firewallPolicy.IsOn || !firewallPolicy.Outbound.IsOn {
|
||||
return
|
||||
}
|
||||
|
||||
@@ -86,6 +86,7 @@ func (this *TOAManager) SendMsg(msg string) error {
|
||||
if this.conn != nil {
|
||||
_, err := this.conn.Write([]byte(msg + "\n"))
|
||||
if err != nil {
|
||||
_ = this.conn.Close()
|
||||
this.conn = nil
|
||||
}
|
||||
return err
|
||||
|
||||
@@ -17,7 +17,7 @@ import (
|
||||
|
||||
var SharedHTTPRequestStatManager = NewHTTPRequestStatManager()
|
||||
|
||||
// HTTP请求相关的统计
|
||||
// HTTPRequestStatManager HTTP请求相关的统计
|
||||
// 这里的统计是一个辅助统计,注意不要因为统计而影响服务工作性能
|
||||
type HTTPRequestStatManager struct {
|
||||
ipChan chan string
|
||||
@@ -32,7 +32,7 @@ type HTTPRequestStatManager struct {
|
||||
dailyFirewallRuleGroupMap map[string]int64 // serverId@firewallRuleGroupId@action => count
|
||||
}
|
||||
|
||||
// 获取新对象
|
||||
// NewHTTPRequestStatManager 获取新对象
|
||||
func NewHTTPRequestStatManager() *HTTPRequestStatManager {
|
||||
return &HTTPRequestStatManager{
|
||||
ipChan: make(chan string, 10_000), // TODO 将来可以配置容量
|
||||
@@ -46,7 +46,7 @@ func NewHTTPRequestStatManager() *HTTPRequestStatManager {
|
||||
}
|
||||
}
|
||||
|
||||
// 启动
|
||||
// Start 启动
|
||||
func (this *HTTPRequestStatManager) Start() {
|
||||
loopTicker := time.NewTicker(1 * time.Second)
|
||||
uploadTicker := time.NewTicker(30 * time.Minute)
|
||||
@@ -76,7 +76,7 @@ func (this *HTTPRequestStatManager) Start() {
|
||||
}
|
||||
}
|
||||
|
||||
// 添加客户端地址
|
||||
// AddRemoteAddr 添加客户端地址
|
||||
func (this *HTTPRequestStatManager) AddRemoteAddr(serverId int64, remoteAddr string) {
|
||||
if len(remoteAddr) == 0 {
|
||||
return
|
||||
@@ -100,7 +100,7 @@ func (this *HTTPRequestStatManager) AddRemoteAddr(serverId int64, remoteAddr str
|
||||
}
|
||||
}
|
||||
|
||||
// 添加UserAgent
|
||||
// AddUserAgent 添加UserAgent
|
||||
func (this *HTTPRequestStatManager) AddUserAgent(serverId int64, userAgent string) {
|
||||
if len(userAgent) == 0 {
|
||||
return
|
||||
@@ -113,7 +113,7 @@ func (this *HTTPRequestStatManager) AddUserAgent(serverId int64, userAgent strin
|
||||
}
|
||||
}
|
||||
|
||||
// 添加防火墙拦截动作
|
||||
// AddFirewallRuleGroupId 添加防火墙拦截动作
|
||||
func (this *HTTPRequestStatManager) AddFirewallRuleGroupId(serverId int64, firewallRuleGroupId int64, action string) {
|
||||
if firewallRuleGroupId <= 0 {
|
||||
return
|
||||
@@ -125,7 +125,7 @@ func (this *HTTPRequestStatManager) AddFirewallRuleGroupId(serverId int64, firew
|
||||
}
|
||||
}
|
||||
|
||||
// 单个循环
|
||||
// Loop 单个循环
|
||||
func (this *HTTPRequestStatManager) Loop() error {
|
||||
timeout := time.NewTimer(10 * time.Minute) // 执行的最大时间
|
||||
userAgentParser := &user_agent.UserAgent{}
|
||||
@@ -189,6 +189,7 @@ Loop:
|
||||
return nil
|
||||
}
|
||||
|
||||
// Upload 上传数据
|
||||
func (this *HTTPRequestStatManager) Upload() error {
|
||||
// 上传统计数据
|
||||
rpcClient, err := rpc.SharedRPC()
|
||||
|
||||
Reference in New Issue
Block a user