check waf inbound rules
(firewallPolicy *firewallconfigs.HTTPFirewallPolicy, forceLog bool, logRequestBody bool, logDenying bool, ignoreRules bool)
| 195 | |
| 196 | // check waf inbound rules |
| 197 | func (this *HTTPRequest) checkWAFRequest(firewallPolicy *firewallconfigs.HTTPFirewallPolicy, forceLog bool, logRequestBody bool, logDenying bool, ignoreRules bool) (blocked bool, breakChecking bool) { |
| 198 | // 检查配置是否为空 |
| 199 | if firewallPolicy == nil || !firewallPolicy.IsOn || firewallPolicy.Inbound == nil || !firewallPolicy.Inbound.IsOn || firewallPolicy.Mode == firewallconfigs.FirewallModeBypass { |
| 200 | return |
| 201 | } |
| 202 | |
| 203 | var isDefendMode = firewallPolicy.Mode == firewallconfigs.FirewallModeDefend |
| 204 | |
| 205 | // 检查IP白名单 |
| 206 | var remoteAddrs []string |
| 207 | if len(this.remoteAddr) > 0 { |
| 208 | remoteAddrs = []string{this.remoteAddr} |
| 209 | } else { |
| 210 | remoteAddrs = this.requestRemoteAddrs() |
| 211 | } |
| 212 | |
| 213 | var inbound = firewallPolicy.Inbound |
| 214 | if inbound == nil { |
| 215 | return |
| 216 | } |
| 217 | |
| 218 | // 检查地区封禁 |
| 219 | if firewallPolicy.Inbound.Region != nil && firewallPolicy.Inbound.Region.IsOn { |
| 220 | var regionConfig = firewallPolicy.Inbound.Region |
| 221 | if regionConfig.IsNotEmpty() { |
| 222 | for _, remoteAddr := range remoteAddrs { |
| 223 | var result = iplib.LookupIP(remoteAddr) |
| 224 | if result != nil && result.IsOk() { |
| 225 | var currentURL = this.URL() |
| 226 | if regionConfig.MatchCountryURL(currentURL) { |
| 227 | // 检查国家/地区级别封禁 |
| 228 | if !regionConfig.IsAllowedCountry(result.CountryId(), result.ProvinceId()) { |
| 229 | this.firewallPolicyId = firewallPolicy.Id |
| 230 | |
| 231 | if isDefendMode { |
| 232 | var promptHTML string |
| 233 | if len(regionConfig.CountryHTML) > 0 { |
| 234 | promptHTML = regionConfig.CountryHTML |
| 235 | } else if this.ReqServer != nil && this.ReqServer.HTTPFirewallPolicy != nil && len(this.ReqServer.HTTPFirewallPolicy.DenyCountryHTML) > 0 { |
| 236 | promptHTML = this.ReqServer.HTTPFirewallPolicy.DenyCountryHTML |
| 237 | } |
| 238 | |
| 239 | if len(promptHTML) > 0 { |
| 240 | var formattedHTML = this.Format(promptHTML) |
| 241 | this.writer.Header().Set("Content-Type", "text/html; charset=utf-8") |
| 242 | this.writer.Header().Set("Content-Length", types.String(len(formattedHTML))) |
| 243 | this.writer.WriteHeader(http.StatusForbidden) |
| 244 | _, _ = this.writer.Write([]byte(formattedHTML)) |
| 245 | } else { |
| 246 | this.writeCode(http.StatusForbidden, "The region has been denied.", "当前区域禁止访问") |
| 247 | } |
| 248 | |
| 249 | // 延时返回,避免攻击 |
| 250 | time.Sleep(1 * time.Second) |
| 251 | } |
| 252 | |
| 253 | // 停止日志 |
| 254 | if !logDenying { |
no test coverage detected