防火墙插件优化

pull/109/head
Mr Chen 6 years ago
parent 78c9a6edae
commit 9b648a85a6
  1. 17
      plugins/op_waf/index.html
  2. 66
      plugins/op_waf/index.py
  3. 193
      plugins/op_waf/js/op_waf.js
  4. 1
      plugins/op_waf/waf/config.json
  5. 1
      plugins/op_waf/waf/site.json

@ -42,7 +42,7 @@
}
.wavbox {
width: 232px;
width: 314px;
float: left;
height: 60px;
line-height: 52px;
@ -58,7 +58,7 @@
font-weight: bold;
}
.line {
.screen .line {
width: 33.333%;
text-align: center;
height: 70px;
@ -66,11 +66,11 @@
margin: 6px 0;
}
.line:nth-of-type(3n-1) {
.screen .line:nth-of-type(3n-1) {
margin-right: 0;
}
.line .name {
.screen .line .name {
width: auto;
display: block;
text-align: center;
@ -78,7 +78,7 @@
color: #666;
}
.line .val {
.screen .line .val {
font-size: 18px;
display: block;
text-align: center;
@ -106,7 +106,7 @@
font-size: 16px;
}
.gjcs {
.screen {
background-color: #fafafa;
border: #ddd 1px solid;
padding: 0;
@ -114,7 +114,7 @@
border-radius: 4px;
margin-top: 5px;
margin-bottom: 10px;
width: 480px;
width: 645px;
}
.table .sitename, .filtertext {
@ -231,7 +231,7 @@
<p onclick="wafScreen();">首页</p>
<p onclick="wafGloabl();">全局配置</p>
<p onclick="wafSite();">站点配置</p>
<p onclick="wafSite();">封锁历史</p>
<p onclick="wafHistory();">封锁历史</p>
<p onclick="wafLogs();">操作日志</p>
</div>
<!-- lib-con -->
@ -242,6 +242,7 @@
</div>
<script type="text/javascript">
resetPluginWinWidth(800);
$.getScript( "/plugins/file?name=op_waf&f=js/op_waf.js", function(){
pluginService('op_waf');
});

@ -5,6 +5,7 @@ import io
import os
import time
import subprocess
import json
sys.path.append(os.getcwd() + "/class/core")
import public
@ -16,7 +17,7 @@ if public.isAppleSystem():
def getPluginName():
return 'op_firewall'
return 'op_waf'
def getPluginDir():
@ -50,6 +51,14 @@ def getArgs():
return tmp
def checkArgs(data, ck=[]):
for i in range(len(ck)):
if not ck[i] in data:
return (False, public.returnJson(False, '参数:(' + ck[i] + ')没有!'))
return (True, public.returnJson(True, 'ok'))
def getConf():
path = public.getServerDir() + "/openresty/nginx/conf/nginx.conf"
return path
@ -127,9 +136,56 @@ def restart():
def reload():
return 'ok'
def getJsonPath(name):
path = public.getServerDir() + "/openresty/nginx/conf/waf/"+name+".json"
return path
def setObjStatus():
args = getArgs()
data = checkArgs(args, ['obj', 'statusCode'])
if not data[0]:
return data[1]
conf = getJsonPath('config')
content = public.readFile(conf)
cobj = json.loads(content)
o = args['obj']
status = args['statusCode']
cobj[o]['status'] = status
cjson = public.getJson(cobj)
public.writeFile(conf,cjson)
return public.returnJson(True,'设置成功!')
def setObjOpen():
args = getArgs()
data = checkArgs(args, ['obj'])
if not data[0]:
return data[1]
conf = getJsonPath('config')
content = public.readFile(conf)
cobj = json.loads(content)
o = args['obj']
if cobj[o]["open"]:
cobj[o]["open"] = False
else:
cobj[o]["open"] = True
cjson = public.getJson(cobj)
public.writeFile(conf,cjson)
return public.returnJson(True,'设置成功!')
def getWafSrceen():
conf = getJsonPath('total')
return public.readFile(conf)
def getWafConf():
return public.getJson([])
conf = getJsonPath('config')
return public.readFile(conf)
if __name__ == "__main__":
@ -146,6 +202,12 @@ if __name__ == "__main__":
print reload()
elif func == 'conf':
print getConf()
elif func == 'set_obj_status':
print setObjStatus()
elif func == 'set_obj_open':
print setObjOpen()
elif func == 'waf_srceen':
print getWafSrceen()
elif func == 'waf_conf':
print getWafConf()
else:
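Review bot: `setObjStatus` and `setObjOpen` index the WAF config with the caller-supplied `obj` and persist `statusCode` verbatim, with no check that `obj` names a rule section or that the status is one of the codes the UI offers; an unknown name, or a scalar key such as `retry` or `log`, raises an uncaught KeyError/TypeError out of the handler, and since the values from `getArgs` are presumably strings, the integer `status` fields in config.json would be rewritten as strings the Lua side may not accept. Separately, `getWafConf` returns `public.getJson([])` on its first line, so the two lines after it are dead and the global-config page never receives the real config. I would whitelist rule names and codes before touching the file, as below, and delete the early return in `getWafConf`.
```python
VALID_STATUS_CODES = ('200', '404', '403', '444', '500', '502', '503')

def setObjStatus():
    args = getArgs()
    data = checkArgs(args, ['obj', 'statusCode'])
    if not data[0]:
        return data[1]
    conf = getJsonPath('config')
    cobj = json.loads(public.readFile(conf))
    o = args['obj']
    status = str(args['statusCode'])
    # only rule sections (dicts carrying a status) may be edited, and only to a known code
    if not isinstance(cobj.get(o), dict) or 'status' not in cobj[o]:
        return public.returnJson(False, '未知的规则:' + o)
    if status not in VALID_STATUS_CODES:
        return public.returnJson(False, '无效的响应代码:' + status)
    cobj[o]['status'] = int(status)
    public.writeFile(conf, public.getJson(cobj))
    return public.returnJson(True, '设置成功!')
```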

@ -15,65 +15,172 @@ function owPost(method, args, callback){
}
function setRequestCode(ruleName, statusCode){
layer.open({
type: 1,
title: "设置响应代码【" + ruleName + "】",
area: '300px',
shift: 5,
closeBtn: 2,
shadeClose: true,
content: '<div class="bt-form pd20 pb70">\
<div class="line">\
<span class="tname">响应代码</span>\
<div class="info-r">\
<select id="statusCode" class="bt-input-text mr5" style="width:150px;">\
<option value="200" '+ (statusCode == 200 ? 'selected' : '') + '>正常(200)</option>\
<option value="404" '+ (statusCode == 404 ? 'selected' : '') + '>文件不存在(404)</option>\
<option value="403" '+ (statusCode == 403 ? 'selected' : '') + '>拒绝访问(403)</option>\
<option value="444" '+ (statusCode == 444 ? 'selected' : '') + '>关闭连接(444)</option>\
<option value="500" '+ (statusCode == 500 ? 'selected' : '') + '>应用程序错误(500)</option>\
<option value="502" '+ (statusCode == 502 ? 'selected' : '') + '>连接超时(502)</option>\
<option value="503" '+ (statusCode == 503 ? 'selected' : '') + '>服务器不可用(503)</option>\
</select>\
</div>\
</div>\
<div class="bt-form-submit-btn">\
<button type="button" class="btn btn-success btn-sm btn-title" onclick="setState(\''+ ruleName + '\')">确定</button>\
</div>\
</div>'
});
}
function wafScreen(){
function setState(ruleName){
var statusCode = $('#statusCode').val();
owPost('set_obj_status', {obj:ruleName,statusCode:statusCode},function(data){
var rdata = $.parseJSON(data.data);
if (rdata.status){
layer.msg(rdata.msg,{icon:0,time:2000,shade: [0.3, '#000']});
wafGloabl();
} else {
layer.msg('设置失败!',{icon:0,time:2000,shade: [0.3, '#000']});
}
});
}
var con = '<div class="wavbox alert alert-success" style="margin-right:16px">总拦截<span>0</span>次</div>';
con += '<div class="wavbox alert alert-info" style="margin-right:16px">安全防护<span>0</span>天</div>';
con += '<div class="gjcs">\
<div class="line"><span class="name">POST渗透</span><span class="val">0</span></div>\
<div class="line"><span class="name">GET渗透</span><span class="val">0</span></div>\
<div class="line"><span class="name">CC攻击</span><span class="val">0</span></div>\
<div class="line"><span class="name">恶意User-Agent</span><span class="val">0</span></div>\
<div class="line"><span class="name">Cookie渗透</span><span class="val">0</span></div>\
<div class="line"><span class="name">恶意扫描</span><span class="val">0</span></div>\
<div class="line"><span class="name">恶意HEAD请求</span><span class="val">0</span></div>\
<div class="line"><span class="name">URI自定义拦截</span><span class="val">0</span></div>\
<div class="line"><span class="name">URI保护</span><span class="val">0</span></div>\
<div class="line"><span class="name">恶意文件上传</span><span class="val">0</span></div>\
<div class="line"><span class="name">禁止的扩展名</span><span class="val">0</span></div>\
<div class="line"><span class="name">禁止PHP脚本</span><span class="val">0</span></div>\
</div>';
function setObjOpen(ruleName){
owPost('set_obj_open', {obj:ruleName},function(data){
var rdata = $.parseJSON(data.data);
if (rdata.status){
layer.msg(rdata.msg,{icon:0,time:2000,shade: [0.3, '#000']});
wafGloabl();
} else {
layer.msg('设置失败!',{icon:0,time:2000,shade: [0.3, '#000']});
}
});
}
con += '<div style="width:480px;"><ul class="help-info-text c7">\
<li>在此处关闭防火墙后,所有站点将失去保护</li>\
<li>网站防火墙会使nginx有一定的性能损失(&lt;5% 10C静态并发测试结果)</li>\
<li>网站防火墙仅主要针对网站渗透攻击,暂时不具备系统加固功能</li>\
</ul></div>';
function setCcRule(cycle, limit, endtime, siteName, increase){
var incstr = '<li style="color:red;">此处设置仅对当前站点有效。</li>';
if (siteName == 'undefined') {
incstr = '<li style="color:red;">此处设置的是初始值,新添加站点时将继承,对现有站点无效。</li>';
}
$(".soft-man-con").html(con);
}
function wafScreen(){
owPost('waf_srceen', {}, function(data){
var rdata = $.parseJSON(data.data);
console.log(rdata);
var con = '<div class="wavbox alert alert-success" style="margin-right:16px">总拦截<span>'+rdata.total+'</span>次</div>';
con += '<div class="wavbox alert alert-info" style="margin-right:16px">安全防护<span>0</span>天</div>';
con += '<div class="screen">\
<div class="line"><span class="name">POST渗透</span><span class="val">'+rdata.rules.post+'</span></div>\
<div class="line"><span class="name">GET渗透</span><span class="val">0</span></div>\
<div class="line"><span class="name">CC攻击</span><span class="val">'+rdata.rules.cc+'</span></div>\
<div class="line"><span class="name">恶意User-Agent</span><span class="val">'+rdata.rules.user_agent+'</span></div>\
<div class="line"><span class="name">Cookie渗透</span><span class="val">'+rdata.rules.cookie+'</span></div>\
<div class="line"><span class="name">恶意扫描</span><span class="val">0</span></div>\
<div class="line"><span class="name">恶意HEAD请求</span><span class="val">0</span></div>\
<div class="line"><span class="name">URI自定义拦截</span><span class="val">0</span></div>\
<div class="line"><span class="name">URI保护</span><span class="val">0</span></div>\
<div class="line"><span class="name">恶意文件上传</span><span class="val">0</span></div>\
<div class="line"><span class="name">禁止的扩展名</span><span class="val">0</span></div>\
<div class="line"><span class="name">禁止PHP脚本</span><span class="val">0</span></div>\
</div>';
con += '<div style="width:660px;"><ul class="help-info-text c7">\
<li>在此处关闭防火墙后,所有站点将失去保护</li>\
<li>网站防火墙会使nginx有一定的性能损失(&lt;5% 10C静态并发测试结果)</li>\
<li>网站防火墙仅主要针对网站渗透攻击,暂时不具备系统加固功能</li>\
</ul></div>';
$(".soft-man-con").html(con);
});
}
function wafGloabl(){
owPost('waf_conf', {}, function(data){
var rdata = $.parseJSON(data.data);
var con = '<div class="divtable">\
<table class="table table-hover waftable">\
<thead><tr><th width="18%">名称</th>\
<th width="44%">描述</th>\
<th width="10%">响应</th>\
<th style="text-align: center;" width="10%">状态</th>\
<th style="text-align: right;">操作</th></tr>\
</thead>\
<tbody>\
<tr><td>CC防御</td>\
<td>防御CC攻击具体防御参数请到站点配置中调整</td>\
<td><a class="btlink" onclick="setRequestCode(\'cc\','+rdata.cc.status+')">'+rdata.cc.status+'</a></td>\
<td><div class="ssh-item">\
<input class="btswitch btswitch-ios" id="closecc" type="checkbox" '+(rdata.cc.open ? 'checked' : '')+'>\
<label class="btswitch-btn" for="closecc" onclick="setObjOpen(\'cc\')"></label></div>\
</td>\
<td class="text-right"><a class="btlink" onclick="setCcRule(80,120,60,\'undefined\',false)">初始规则</a></td>\
</tr>\
</tbody>\
</table>\
</div>';
con += '<div style="width:645px;"><ul class="help-info-text c7">\
<li>继承: 全局设置将在站点配置中自动继承为默认值</li>\
<li>优先级: IP白名单>IP黑名单>URL白名单>URL黑名单>CC防御>禁止国外IP访问>User-Agent>URI过滤>URL参数>Cookie>POST</li>\
</ul></div>';
$(".soft-man-con").html(con);
});
}
function wafSite(){
var con = '<div class="divtable">\
<table class="table table-hover waftable" style="color:#fff;">\
<thead><tr><th width="18%">名称</th>\
<th width="44%">描述</th>\
<th width="10%">响应</th>\
<th style="text-align: center;" width="10%">状态</th>\
<th style="text-align: right;">操作</th></tr>\
<thead>\
<tr><th width="18%">站点</th>\
<th>GET</th>\
<th>POST</th>\
<th>UA</th>\
<th>Cookie</th>\
<th>CDN</th>\
<th>CC</th>\
<th>状态</th>\
<th>操作</th></tr>\
</thead>\
</table>\
</div>';
con += '<div style="width:480px;"><ul class="help-info-text c7">\
<li>继承: 全局设置将在站点配置中自动继承为默认值</li>\
<li>优先级: IP白名单 > IP黑名单 > URL白名单 > URL黑名单 > CC防御 > 禁止国外IP访问 > User-Agent > URI过滤 > URL参数 > Cookie > POST</li>\
</ul></div>';
$(".soft-man-con").html(con);
}
function wafSite(){
var con = '<div class="divtable">\
function wafHistory(){
var con = '<button class="btn btn-success btn-sm" onclick="UncoverAll()">解封所有</button>';
con += '<div class="divtable mt10">\
<table class="table table-hover waftable" style="color:#fff;">\
<thead><tr><th width="18%">名称</th>\
<th width="44%">描述</th>\
<th width="10%">响应</th>\
<thead><tr><th width="18%">开始时间</th>\
<th width="44%">IP</th>\
<th width="10%">站点</th>\
<th width="10%">封锁原因</th>\
<th width="10%">封锁时长</th>\
<th style="text-align: center;" width="10%">状态</th>\
<th style="text-align: right;">操作</th></tr>\
</thead>\
</table>\
</div>';
@ -81,7 +188,6 @@ function wafSite(){
}
function wafLogs(){
var con = '<div class="divtable">\
<table class="table table-hover waftable" style="color:#fff;">\
@ -92,9 +198,6 @@ function wafLogs(){
<th style="text-align: right;">操作</th></tr>\
</thead>\
</table>\
</div>';
</div>';
$(".soft-man-con").html(con);
}
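Review bot: `wafScreen` leaves a `console.log(rdata);` debug print right after its `$.parseJSON` call, which dumps the block statistics to the browser console on every dashboard load; drop it. The same callback, like `wafGloabl`, `setState` and `setObjOpen`, hands `data.data` straight to `$.parseJSON` with no guard, so a non-JSON reply (an empty `total.json`, or a Python traceback from the server side) throws inside the callback and the panel silently stays blank; a guard such as `var rdata; try { rdata = $.parseJSON(data.data); } catch (e) { layer.msg('响应解析失败', {icon: 2}); return; }` keeps the failure visible. Eight of the twelve dashboard counters are still hard-coded `0` while four read `rdata.rules.*`, which presumably is a stub awaiting the remaining keys; a `// TODO` on those lines would say so. `owPost` itself begins before this hunk, so I cannot see what `data` it delivers.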

@ -0,0 +1 @@
{"reqfile_path": "/www/server/btwaf/html", "drop_abroad": {"status": 444, "ps": "\u7981\u6b62\u4e2d\u56fd\u5927\u9646\u4ee5\u5916\u7684\u5730\u533a\u8bbf\u95ee\u7ad9\u70b9", "open": true, "reqfile": ""}, "retry": 6, "log": true, "retry_cycle": 60, "scan": {"status": 444, "ps": "\u8fc7\u6ee4\u5e38\u89c1\u626b\u63cf\u6d4b\u8bd5\u5de5\u5177\u7684\u6e17\u900f\u6d4b\u8bd5", "open": true, "reqfile": ""}, "cc": {"status": 444, "ps": "\u8fc7\u8651CC\u653b\u51fb", "limit": 120, "endtime": 300, "open": true, "reqfile": "", "cycle": 60}, "body_character_string": [], "start_time": 1556095983.425878, "get": {"status": 403, "ps": "\u8fc7\u6ee4uri\u3001uri\u53c2\u6570\u4e2d\u5e38\u89c1sql\u6ce8\u5165\u3001xss\u7b49\u653b\u51fb", "open": true, "reqfile": "get.html"}, "body_regular": [], "log_save": 30, "user-agent": {"status": 403, "ps": "\u901a\u5e38\u7528\u4e8e\u8fc7\u6ee4\u6d4f\u89c8\u5668\u3001\u8718\u86db\u53ca\u4e00\u4e9b\u81ea\u52a8\u626b\u63cf\u5668", "open": true, "reqfile": "user_agent.html"}, "retry_time": 180, "other": {"status": 403, "ps": "\u5176\u5b83\u975e\u901a\u7528\u8fc7\u6ee4", "reqfile": "other.html"}, "cookie": {"status": 403, "ps": "\u8fc7\u6ee4\u5229\u7528Cookie\u53d1\u8d77\u7684\u6e17\u900f\u653b\u51fb", "open": true, "reqfile": "cookie.html"}, "logs_path": "/www/wwwlogs/btwaf", "post": {"status": 403, "ps": "\u8fc7\u6ee4POST\u53c2\u6570\u4e2d\u5e38\u89c1sql\u6ce8\u5165\u3001xss\u7b49\u653b\u51fb", "open": true, "reqfile": "post.html"}, "open": true}

@ -0,0 +1 @@
{"www.khxs.org": {"scan": true, "cc": {"limit": 120, "endtime": 300, "open": true, "cycle": 60}, "disable_php_path": [], "cdn": false, "cc_uri_white": [], "open": true, "retry": 6, "log": true, "disable_ext": [], "user-agent": true, "disable_upload_ext": ["php", "jsp"], "body_character_string": [], "get": true, "drop_abroad": false, "retry_cycle": 60, "url_tell": [], "cdn_header": ["x-forwarded-for", "x-real-ip"], "url_rule": [], "cookie": true, "retry_time": 180, "post": true, "url_white": [], "disable_rule": {"url": [], "post": [], "args": [], "cookie": [], "user_agent": []}, "project": "", "disable_path": []}, "gae.cachecha.com": {"scan": true, "cc": {"limit": 120, "endtime": 300, "open": true, "cycle": 60}, "disable_php_path": [], "cdn": false, "cc_uri_white": [], "open": true, "retry": 6, "log": true, "disable_ext": [], "user-agent": true, "disable_upload_ext": ["php", "jsp"], "body_character_string": [], "get": true, "drop_abroad": false, "retry_cycle": 60, "url_tell": [], "cdn_header": ["x-forwarded-for", "x-real-ip"], "url_rule": [], "cookie": true, "retry_time": 180, "post": true, "url_white": [], "disable_rule": {"url": [], "post": [], "args": [], "cookie": [], "user_agent": []}, "project": "", "disable_path": []}}