MCPcopy Index your code
hub / github.com/GoEdgeLab/EdgeNode / checkWAFRequest

Method checkWAFRequest

internal/nodes/http_request_waf.go:197–357  ·  view source on GitHub ↗

check waf inbound rules

(firewallPolicy *firewallconfigs.HTTPFirewallPolicy, forceLog bool, logRequestBody bool, logDenying bool, ignoreRules bool)

Source from the content-addressed store, hash-verified

195
196// check waf inbound rules
197func (this *HTTPRequest) checkWAFRequest(firewallPolicy *firewallconfigs.HTTPFirewallPolicy, forceLog bool, logRequestBody bool, logDenying bool, ignoreRules bool) (blocked bool, breakChecking bool) {
198 // 检查配置是否为空
199 if firewallPolicy == nil || !firewallPolicy.IsOn || firewallPolicy.Inbound == nil || !firewallPolicy.Inbound.IsOn || firewallPolicy.Mode == firewallconfigs.FirewallModeBypass {
200 return
201 }
202
203 var isDefendMode = firewallPolicy.Mode == firewallconfigs.FirewallModeDefend
204
205 // 检查IP白名单
206 var remoteAddrs []string
207 if len(this.remoteAddr) > 0 {
208 remoteAddrs = []string{this.remoteAddr}
209 } else {
210 remoteAddrs = this.requestRemoteAddrs()
211 }
212
213 var inbound = firewallPolicy.Inbound
214 if inbound == nil {
215 return
216 }
217
218 // 检查地区封禁
219 if firewallPolicy.Inbound.Region != nil && firewallPolicy.Inbound.Region.IsOn {
220 var regionConfig = firewallPolicy.Inbound.Region
221 if regionConfig.IsNotEmpty() {
222 for _, remoteAddr := range remoteAddrs {
223 var result = iplib.LookupIP(remoteAddr)
224 if result != nil && result.IsOk() {
225 var currentURL = this.URL()
226 if regionConfig.MatchCountryURL(currentURL) {
227 // 检查国家/地区级别封禁
228 if !regionConfig.IsAllowedCountry(result.CountryId(), result.ProvinceId()) {
229 this.firewallPolicyId = firewallPolicy.Id
230
231 if isDefendMode {
232 var promptHTML string
233 if len(regionConfig.CountryHTML) > 0 {
234 promptHTML = regionConfig.CountryHTML
235 } else if this.ReqServer != nil && this.ReqServer.HTTPFirewallPolicy != nil && len(this.ReqServer.HTTPFirewallPolicy.DenyCountryHTML) > 0 {
236 promptHTML = this.ReqServer.HTTPFirewallPolicy.DenyCountryHTML
237 }
238
239 if len(promptHTML) > 0 {
240 var formattedHTML = this.Format(promptHTML)
241 this.writer.Header().Set("Content-Type", "text/html; charset=utf-8")
242 this.writer.Header().Set("Content-Length", types.String(len(formattedHTML)))
243 this.writer.WriteHeader(http.StatusForbidden)
244 _, _ = this.writer.Write([]byte(formattedHTML))
245 } else {
246 this.writeCode(http.StatusForbidden, "The region has been denied.", "当前区域禁止访问")
247 }
248
249 // 延时返回,避免攻击
250 time.Sleep(1 * time.Second)
251 }
252
253 // 停止日志
254 if !logDenying {

Callers 1

doWAFRequestMethod · 0.95

Calls 15

requestRemoteAddrsMethod · 0.95
URLMethod · 0.95
FormatMethod · 0.95
writeCodeMethod · 0.95
canIgnoreMethod · 0.95
WarnFunction · 0.92
LookupIPMethod · 0.80
FindWAFMethod · 0.80
HasAttackActionsMethod · 0.80
HasSpecialActionsMethod · 0.80
ActionCodesMethod · 0.80

Tested by

no test coverage detected