mirror of
https://github.com/1Panel-dev/1Panel
synced 2024-11-21 23:29:44 +00:00
feat: ACL 规则增加匹配方式 (#4237)
This commit is contained in:
parent
ce69f6a142
commit
ebc3195df4
@ -2269,6 +2269,11 @@ const message = {
|
||||
redisConfig: 'Redis configuration',
|
||||
redisHelper: 'Enable Redis to persist temporarily blocked IPs',
|
||||
wafHelper: 'All websites will lose protection after closing',
|
||||
attackIP: 'Attack IP',
|
||||
attackParam: 'Attack information',
|
||||
execRule: 'Hit rule',
|
||||
acl: 'ACL',
|
||||
sql: 'SQL injection',
|
||||
},
|
||||
monitor: {
|
||||
name: 'Website Monitor',
|
||||
|
@ -2123,6 +2123,11 @@ const message = {
|
||||
redisConfig: 'Redis 配置',
|
||||
redisHelper: '開啟 Redis 可以將暫時拉黑的 IP 持久化',
|
||||
wafHelper: '關閉之後所有網站將失去防護',
|
||||
attackIP: '攻擊 IP',
|
||||
attackParam: '攻擊訊息',
|
||||
execRule: '命中規則',
|
||||
acl: 'ACL',
|
||||
sql: 'SQL 注入',
|
||||
},
|
||||
monitor: {
|
||||
name: '網站監控',
|
||||
|
@ -2124,6 +2124,11 @@ const message = {
|
||||
redisConfig: 'Redis 配置',
|
||||
redisHelper: '开启 Redis 可以将临时拉黑的 IP 持久化',
|
||||
wafHelper: '关闭之后所有网站将失去防护',
|
||||
attackIP: '攻击 IP',
|
||||
attackParam: '攻击信息',
|
||||
execRule: '命中规则',
|
||||
acl: 'ACL',
|
||||
sql: 'SQL 注入',
|
||||
},
|
||||
monitor: {
|
||||
name: '网站监控',
|
||||
|
@ -500,3 +500,11 @@ export async function copyText(content: string) {
|
||||
MsgError(i18n.global.t('commons.msg.copyFailed'));
|
||||
}
|
||||
}
|
||||
|
||||
export function getRuleType(ruleType: string) {
|
||||
return i18n.global.t(`xpack.waf.${ruleType}`);
|
||||
}
|
||||
|
||||
export function getAction(action: string) {
|
||||
return i18n.global.t(`xpack.waf.${action}`);
|
||||
}
|
||||
|
@ -59,6 +59,9 @@ local function init_sites_config()
|
||||
end
|
||||
config.site_config = site_config
|
||||
config.site_rules = site_rules
|
||||
|
||||
local waf_dict = ngx.shared.waf
|
||||
waf_dict:set("config", config)
|
||||
end
|
||||
|
||||
local function ini_waf_info()
|
||||
@ -120,6 +123,7 @@ local function get_config()
|
||||
local config_table = waf_dict:get("config")
|
||||
if config_table == nil then
|
||||
init_global_config()
|
||||
init_sites_config()
|
||||
return config
|
||||
end
|
||||
config = config_table
|
||||
|
@ -586,18 +586,44 @@ function _M.post_check()
|
||||
|
||||
end
|
||||
|
||||
local function match_acl_rule(match_value, pattern,rule)
|
||||
if pattern == "eq" then
|
||||
if match_value == rule then
|
||||
return true
|
||||
end
|
||||
|
||||
elseif pattern == "notEq" then
|
||||
if match_value ~= rule then
|
||||
return true
|
||||
end
|
||||
|
||||
elseif pattern == "regex" then
|
||||
if matches(match_value, rule) then
|
||||
return true
|
||||
end
|
||||
|
||||
elseif pattern == "contain" then
|
||||
if ngx_re_find(match_value, rule, "isjo") then
|
||||
return true
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
function _M.acl()
|
||||
local rules = get_site_rule("acl")
|
||||
for _, rule in pairs(rules) do
|
||||
if rule.state == nil or rule.state == "off" then
|
||||
goto continue
|
||||
end
|
||||
ngx.log(ngx.ERR,"acl rule: "..rule.name .. "state"..rule.state)
|
||||
local conditions = rule.conditions
|
||||
local match = true
|
||||
local condition_rule = ""
|
||||
for _, condition in pairs(conditions) do
|
||||
local field = condition.field
|
||||
local field_name = condition.name
|
||||
local pattern = condition.pattern
|
||||
condition_rule = condition.rule
|
||||
local match_value = ''
|
||||
if field == 'URL' then
|
||||
match_value = ngx.var.request_uri
|
||||
@ -639,20 +665,22 @@ function _M.acl()
|
||||
end
|
||||
|
||||
if pattern == '' then
|
||||
if match_value ~= nil and match_value ~= '' then
|
||||
match = false
|
||||
break
|
||||
end
|
||||
else
|
||||
if not matches(match_value, pattern) then
|
||||
match = false
|
||||
break
|
||||
end
|
||||
match = false
|
||||
break
|
||||
end
|
||||
|
||||
if not match_acl_rule(match_value, pattern,condition_rule) then
|
||||
match = false
|
||||
break
|
||||
end
|
||||
end
|
||||
if match then
|
||||
rule.type = "acl"
|
||||
exec_action(rule)
|
||||
local mr = {
|
||||
type = rule.name,
|
||||
rule = condition_rule
|
||||
}
|
||||
exec_action(rule,mr)
|
||||
end
|
||||
:: continue ::
|
||||
end
|
||||
|
Loading…
Reference in New Issue
Block a user