feat: ACL 规则增加匹配方式 (#4237)

8 months ago · ebc3195df4
6 changed files with 65 additions and 10 deletions
--- a/frontend/src/lang/modules/en.ts
+++ b/frontend/src/lang/modules/en.ts
@ -2269,6 +2269,11 @@ const message = {
            redisConfig: 'Redis configuration',
            redisHelper: 'Enable Redis to persist temporarily blocked IPs',
            wafHelper: 'All websites will lose protection after closing',
+            attackIP: 'Attack IP',
+            attackParam: 'Attack information',
+            execRule: 'Hit rule',
+            acl: 'ACL',
+            sql: 'SQL injection',
        },
        monitor: {
            name: 'Website Monitor',
--- a/frontend/src/lang/modules/tw.ts
+++ b/frontend/src/lang/modules/tw.ts
@ -2123,6 +2123,11 @@ const message = {
            redisConfig: 'Redis 配置',
            redisHelper: '開啟 Redis 可以將暫時拉黑的 IP 持久化',
            wafHelper: '關閉之後所有網站將失去防護',
+            attackIP: '攻擊 IP',
+            attackParam: '攻擊訊息',
+            execRule: '命中規則',
+            acl: 'ACL',
+            sql: 'SQL 注入',
        },
        monitor: {
            name: '網站監控',
--- a/frontend/src/lang/modules/zh.ts
+++ b/frontend/src/lang/modules/zh.ts
@ -2124,6 +2124,11 @@ const message = {
            redisConfig: 'Redis 配置',
            redisHelper: '开启 Redis 可以将临时拉黑的 IP 持久化',
            wafHelper: '关闭之后所有网站将失去防护',
+            attackIP: '攻击 IP',
+            attackParam: '攻击信息',
+            execRule: '命中规则',
+            acl: 'ACL',
+            sql: 'SQL 注入',
        },
        monitor: {
            name: '网站监控',
--- a/frontend/src/utils/util.ts
+++ b/frontend/src/utils/util.ts
@ -500,3 +500,11 @@ export async function copyText(content: string) {
        MsgError(i18n.global.t('commons.msg.copyFailed'));
    }
 }
+
+export function getRuleType(ruleType: string) {
+    return i18n.global.t(`xpack.waf.${ruleType}`);
+}
+
+export function getAction(action: string) {
+    return i18n.global.t(`xpack.waf.${action}`);
+}
--- a/plugins/openresty/waf/config.lua
+++ b/plugins/openresty/waf/config.lua
@ -59,6 +59,9 @@ local function init_sites_config()
    end
    config.site_config = site_config
    config.site_rules = site_rules
+
+    local waf_dict = ngx.shared.waf
+    waf_dict:set("config", config)
 end

 local function ini_waf_info()
@ -120,6 +123,7 @@ local function get_config()
    local config_table =  waf_dict:get("config")
    if config_table == nil then
        init_global_config()
+        init_sites_config()
        return config
    end
    config = config_table
--- a/plugins/openresty/waf/lib/lib.lua
+++ b/plugins/openresty/waf/lib/lib.lua
@ -586,18 +586,44 @@ function _M.post_check()

 end

+local function match_acl_rule(match_value, pattern,rule)
+    if pattern == "eq" then
+        if match_value == rule then
+            return true
+        end
+        
+    elseif  pattern == "notEq" then
+        if match_value ~= rule then
+            return true
+        end  
+    
+    elseif   pattern == "regex"  then
+        if matches(match_value, rule) then
+            return true
+        end
+        
+    elseif pattern == "contain"   then
+        if ngx_re_find(match_value, rule, "isjo") then
+            return true
+        end
+    end
+end
+
 function _M.acl()
    local rules = get_site_rule("acl")
    for _, rule in pairs(rules) do
        if rule.state == nil or rule.state == "off" then
            goto continue
        end
+        ngx.log(ngx.ERR,"acl rule: "..rule.name .. "state"..rule.state)
        local conditions = rule.conditions
        local match = true
+        local condition_rule = ""
        for _, condition in pairs(conditions) do
            local field = condition.field
            local field_name = condition.name
            local pattern = condition.pattern
+            condition_rule = condition.rule
            local match_value = ''
            if field == 'URL' then
                match_value = ngx.var.request_uri
@ -639,20 +665,22 @@ function _M.acl()
            end

            if pattern == '' then
-                if match_value ~= nil and match_value ~= '' then
-                    match = false
-                    break
-                end
-            else
-                if not matches(match_value, pattern) then
-                    match = false
-                    break
-                end
+                match = false
+                break
+            end    
+            
+            if not match_acl_rule(match_value, pattern,condition_rule) then
+                match = false
+                break
            end
        end
        if match then
            rule.type = "acl"
-            exec_action(rule)
+            local mr = {
+                type = rule.name,
+                rule = condition_rule
+            }
+            exec_action(rule,mr)
        end
        :: continue ::
    end