feat: ACL 规则增加匹配方式 (#4237)

This commit is contained in:
zhengkunwang 2024-03-19 20:58:06 +08:00 committed by GitHub
parent ce69f6a142
commit ebc3195df4
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
6 changed files with 65 additions and 10 deletions

View File

@ -2269,6 +2269,11 @@ const message = {
redisConfig: 'Redis configuration',
redisHelper: 'Enable Redis to persist temporarily blocked IPs',
wafHelper: 'All websites will lose protection after closing',
attackIP: 'Attack IP',
attackParam: 'Attack information',
execRule: 'Hit rule',
acl: 'ACL',
sql: 'SQL injection',
},
monitor: {
name: 'Website Monitor',

View File

@ -2123,6 +2123,11 @@ const message = {
redisConfig: 'Redis 配置',
redisHelper: '開啟 Redis 可以將暫時拉黑的 IP 持久化',
wafHelper: '關閉之後所有網站將失去防護',
attackIP: '攻擊 IP',
attackParam: '攻擊訊息',
execRule: '命中規則',
acl: 'ACL',
sql: 'SQL 注入',
},
monitor: {
name: '網站監控',

View File

@ -2124,6 +2124,11 @@ const message = {
redisConfig: 'Redis 配置',
redisHelper: '开启 Redis 可以将临时拉黑的 IP 持久化',
wafHelper: '关闭之后所有网站将失去防护',
attackIP: '攻击 IP',
attackParam: '攻击信息',
execRule: '命中规则',
acl: 'ACL',
sql: 'SQL 注入',
},
monitor: {
name: '网站监控',

View File

@ -500,3 +500,11 @@ export async function copyText(content: string) {
MsgError(i18n.global.t('commons.msg.copyFailed'));
}
}
export function getRuleType(ruleType: string) {
return i18n.global.t(`xpack.waf.${ruleType}`);
}
export function getAction(action: string) {
return i18n.global.t(`xpack.waf.${action}`);
}

View File

@ -59,6 +59,9 @@ local function init_sites_config()
end
config.site_config = site_config
config.site_rules = site_rules
local waf_dict = ngx.shared.waf
waf_dict:set("config", config)
end
local function ini_waf_info()
@ -120,6 +123,7 @@ local function get_config()
local config_table = waf_dict:get("config")
if config_table == nil then
init_global_config()
init_sites_config()
return config
end
config = config_table

View File

@ -586,18 +586,44 @@ function _M.post_check()
end
local function match_acl_rule(match_value, pattern,rule)
if pattern == "eq" then
if match_value == rule then
return true
end
elseif pattern == "notEq" then
if match_value ~= rule then
return true
end
elseif pattern == "regex" then
if matches(match_value, rule) then
return true
end
elseif pattern == "contain" then
if ngx_re_find(match_value, rule, "isjo") then
return true
end
end
end
function _M.acl()
local rules = get_site_rule("acl")
for _, rule in pairs(rules) do
if rule.state == nil or rule.state == "off" then
goto continue
end
ngx.log(ngx.ERR,"acl rule: "..rule.name .. "state"..rule.state)
local conditions = rule.conditions
local match = true
local condition_rule = ""
for _, condition in pairs(conditions) do
local field = condition.field
local field_name = condition.name
local pattern = condition.pattern
condition_rule = condition.rule
local match_value = ''
if field == 'URL' then
match_value = ngx.var.request_uri
@ -639,20 +665,22 @@ function _M.acl()
end
if pattern == '' then
if match_value ~= nil and match_value ~= '' then
match = false
break
end
else
if not matches(match_value, pattern) then
if not match_acl_rule(match_value, pattern,condition_rule) then
match = false
break
end
end
end
if match then
rule.type = "acl"
exec_action(rule)
local mr = {
type = rule.name,
rule = condition_rule
}
exec_action(rule,mr)
end
:: continue ::
end