feat: ACL 规则增加匹配方式 (#4237)
This commit is contained in:
parent
ce69f6a142
commit
ebc3195df4
@ -2269,6 +2269,11 @@ const message = {
|
|||||||
redisConfig: 'Redis configuration',
|
redisConfig: 'Redis configuration',
|
||||||
redisHelper: 'Enable Redis to persist temporarily blocked IPs',
|
redisHelper: 'Enable Redis to persist temporarily blocked IPs',
|
||||||
wafHelper: 'All websites will lose protection after closing',
|
wafHelper: 'All websites will lose protection after closing',
|
||||||
|
attackIP: 'Attack IP',
|
||||||
|
attackParam: 'Attack information',
|
||||||
|
execRule: 'Hit rule',
|
||||||
|
acl: 'ACL',
|
||||||
|
sql: 'SQL injection',
|
||||||
},
|
},
|
||||||
monitor: {
|
monitor: {
|
||||||
name: 'Website Monitor',
|
name: 'Website Monitor',
|
||||||
|
@ -2123,6 +2123,11 @@ const message = {
|
|||||||
redisConfig: 'Redis 配置',
|
redisConfig: 'Redis 配置',
|
||||||
redisHelper: '開啟 Redis 可以將暫時拉黑的 IP 持久化',
|
redisHelper: '開啟 Redis 可以將暫時拉黑的 IP 持久化',
|
||||||
wafHelper: '關閉之後所有網站將失去防護',
|
wafHelper: '關閉之後所有網站將失去防護',
|
||||||
|
attackIP: '攻擊 IP',
|
||||||
|
attackParam: '攻擊訊息',
|
||||||
|
execRule: '命中規則',
|
||||||
|
acl: 'ACL',
|
||||||
|
sql: 'SQL 注入',
|
||||||
},
|
},
|
||||||
monitor: {
|
monitor: {
|
||||||
name: '網站監控',
|
name: '網站監控',
|
||||||
|
@ -2124,6 +2124,11 @@ const message = {
|
|||||||
redisConfig: 'Redis 配置',
|
redisConfig: 'Redis 配置',
|
||||||
redisHelper: '开启 Redis 可以将临时拉黑的 IP 持久化',
|
redisHelper: '开启 Redis 可以将临时拉黑的 IP 持久化',
|
||||||
wafHelper: '关闭之后所有网站将失去防护',
|
wafHelper: '关闭之后所有网站将失去防护',
|
||||||
|
attackIP: '攻击 IP',
|
||||||
|
attackParam: '攻击信息',
|
||||||
|
execRule: '命中规则',
|
||||||
|
acl: 'ACL',
|
||||||
|
sql: 'SQL 注入',
|
||||||
},
|
},
|
||||||
monitor: {
|
monitor: {
|
||||||
name: '网站监控',
|
name: '网站监控',
|
||||||
|
@ -500,3 +500,11 @@ export async function copyText(content: string) {
|
|||||||
MsgError(i18n.global.t('commons.msg.copyFailed'));
|
MsgError(i18n.global.t('commons.msg.copyFailed'));
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
export function getRuleType(ruleType: string) {
|
||||||
|
return i18n.global.t(`xpack.waf.${ruleType}`);
|
||||||
|
}
|
||||||
|
|
||||||
|
export function getAction(action: string) {
|
||||||
|
return i18n.global.t(`xpack.waf.${action}`);
|
||||||
|
}
|
||||||
|
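Review bot: `getRuleType` and `getAction` (the two functions added after `copyText`) build an i18n key from a runtime string and return `t()` unconditionally, so a backend value with no matching `xpack.waf.*` entry (or an undefined one) renders the raw key, e.g. `xpack.waf.undefined`, in the attack log instead of the value. Both bodies are also byte-identical, so one is a copy of the other with a different parameter name. Guard the lookup and share it: `const key = \`xpack.waf.${ruleType}\`; return i18n.global.te(key) ? i18n.global.t(key) : ruleType;` and have `getAction` call the same helper — this assumes vue-i18n, where `te` reports key existence. The fallback returns the raw backend string, which is fine under template interpolation but would need escaping if any caller renders the result through `v-html`.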
@ -59,6 +59,9 @@ local function init_sites_config()
|
|||||||
end
|
end
|
||||||
config.site_config = site_config
|
config.site_config = site_config
|
||||||
config.site_rules = site_rules
|
config.site_rules = site_rules
|
||||||
|
|
||||||
|
local waf_dict = ngx.shared.waf
|
||||||
|
waf_dict:set("config", config)
|
||||||
end
|
end
|
||||||
|
|
||||||
local function ini_waf_info()
|
local function ini_waf_info()
|
||||||
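Review bot: `waf_dict:set("config", config)` at the end of `init_sites_config` stores a Lua table, but `ngx.shared.DICT:set` accepts only string, number, boolean or nil values; with lua-resty-core it returns `nil, "bad value type"` (older ngx_lua builds raise a Lua error), and both return values are discarded here, so the cache most likely never populates and every request falls into `get_config`'s nil branch and re-runs both init functions. The exact behaviour depends on the OpenResty version, which is not visible here. Serialize and check the result, e.g. `local ok, err = waf_dict:set("config", cjson.encode(config)); if not ok then ngx.log(ngx.ERR, "failed to cache waf config: ", err) end`, and decode on the read side in `get_config` — assuming `cjson` is available in this bundle, as it normally is in OpenResty. `init_sites_config` starts above the hunk.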
@ -120,6 +123,7 @@ local function get_config()
|
|||||||
local config_table = waf_dict:get("config")
|
local config_table = waf_dict:get("config")
|
||||||
if config_table == nil then
|
if config_table == nil then
|
||||||
init_global_config()
|
init_global_config()
|
||||||
|
init_sites_config()
|
||||||
return config
|
return config
|
||||||
end
|
end
|
||||||
config = config_table
|
config = config_table
|
||||||
|
@ -586,18 +586,44 @@ function _M.post_check()
|
|||||||
|
|
||||||
end
|
end
|
||||||
|
|
||||||
|
local function match_acl_rule(match_value, pattern,rule)
|
||||||
|
if pattern == "eq" then
|
||||||
|
if match_value == rule then
|
||||||
|
return true
|
||||||
|
end
|
||||||
|
|
||||||
|
elseif pattern == "notEq" then
|
||||||
|
if match_value ~= rule then
|
||||||
|
return true
|
||||||
|
end
|
||||||
|
|
||||||
|
elseif pattern == "regex" then
|
||||||
|
if matches(match_value, rule) then
|
||||||
|
return true
|
||||||
|
end
|
||||||
|
|
||||||
|
elseif pattern == "contain" then
|
||||||
|
if ngx_re_find(match_value, rule, "isjo") then
|
||||||
|
return true
|
||||||
|
end
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
function _M.acl()
|
function _M.acl()
|
||||||
local rules = get_site_rule("acl")
|
local rules = get_site_rule("acl")
|
||||||
for _, rule in pairs(rules) do
|
for _, rule in pairs(rules) do
|
||||||
if rule.state == nil or rule.state == "off" then
|
if rule.state == nil or rule.state == "off" then
|
||||||
goto continue
|
goto continue
|
||||||
end
|
end
|
||||||
|
ngx.log(ngx.ERR,"acl rule: "..rule.name .. "state"..rule.state)
|
||||||
local conditions = rule.conditions
|
local conditions = rule.conditions
|
||||||
local match = true
|
local match = true
|
||||||
|
local condition_rule = ""
|
||||||
for _, condition in pairs(conditions) do
|
for _, condition in pairs(conditions) do
|
||||||
local field = condition.field
|
local field = condition.field
|
||||||
local field_name = condition.name
|
local field_name = condition.name
|
||||||
local pattern = condition.pattern
|
local pattern = condition.pattern
|
||||||
|
condition_rule = condition.rule
|
||||||
local match_value = ''
|
local match_value = ''
|
||||||
if field == 'URL' then
|
if field == 'URL' then
|
||||||
match_value = ngx.var.request_uri
|
match_value = ngx.var.request_uri
|
||||||
@ -639,20 +665,22 @@ function _M.acl()
|
|||||||
end
|
end
|
||||||
|
|
||||||
if pattern == '' then
|
if pattern == '' then
|
||||||
if match_value ~= nil and match_value ~= '' then
|
match = false
|
||||||
match = false
|
break
|
||||||
break
|
end
|
||||||
end
|
|
||||||
else
|
if not match_acl_rule(match_value, pattern,condition_rule) then
|
||||||
if not matches(match_value, pattern) then
|
match = false
|
||||||
match = false
|
break
|
||||||
break
|
|
||||||
end
|
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
if match then
|
if match then
|
||||||
rule.type = "acl"
|
rule.type = "acl"
|
||||||
exec_action(rule)
|
local mr = {
|
||||||
|
type = rule.name,
|
||||||
|
rule = condition_rule
|
||||||
|
}
|
||||||
|
exec_action(rule,mr)
|
||||||
end
|
end
|
||||||
:: continue ::
|
:: continue ::
|
||||||
end
|
end
|
||||||
|
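Review bot: The `ngx.log(ngx.ERR,"acl rule: "..rule.name .. "state"..rule.state)` added at the top of the rule loop in `_M.acl` looks like leftover debugging: it emits an ERR-level line for every enabled rule on every request, and a rule without a `name` makes the `..` concatenation raise `attempt to concatenate field 'name' (a nil value)`, which aborts the whole access phase for that site instead of skipping the rule. Drop it, or make it `ngx.log(ngx.DEBUG, "acl rule: ", rule.name, " state: ", rule.state)` so nil fields are tolerated. In `match_acl_rule`, the `contain` branch calls `ngx_re_find(match_value, rule, "isjo")`, so the rule text is compiled as a regex exactly as in the `regex` branch: a literal value containing `.`, `(` or `?` matches differently from a substring check, and an invalid pattern makes `ngx_re_find` return `nil, err`, which is ignored and turns the condition into a silent never-match (fail-open). A plain, case-insensitive substring test is `if match_value ~= nil and string.find(string.lower(match_value), string.lower(rule), 1, true) then`; the nil guard matters because the `else` branch in the second hunk passes the raw field value through, and lua-resty-core's `ngx.re.find` appears to `tostring` its subject, so an absent value would be compared as the text `nil`. `_M.acl` continues past the last line of the second hunk (its closing `end` is not shown).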