给防盗链增加禁止空来源

2 years ago · a2377d960e
parent 60f1ce2575
commit a2377d960e
4 changed files with 58 additions and 36 deletions
--- a/README.md
+++ b/README.md
@ -100,20 +100,9 @@ docker run -itd --name mw-server --privileged=true -p 7200:7200 -p 80:80 -p 443:
 ```


-### 版本更新 0.16.0
+### 版本更新 0.16.1

-yum install -y libargon2-devel
-apt install -y libargon2-dev
-
-OP防火墙 - 重载即可
-
-* 增加PHP83。
-* 面板日志单独为一页并加入日志审计功能。
-* 修复webssh服务器读取问题。
-* 站点批量删除修复。
-* OP防火墙-修复`自动强制验证`关闭不生效。
-* 新增OneDrive备份插件。
-* FTP备份优化。
+* 给防盗链增加禁止空来源。

 ### JSDelivr安装地址

--- a/class/core/config_api.py
+++ b/class/core/config_api.py
@ -27,7 +27,7 @@ from flask import request

 class config_api:

-    __version = '0.16.0'
+    __version = '0.16.1'
    __api_addr = 'data/api.json'

    def __init__(self):
--- a/class/core/site_api.py
+++ b/class/core/site_api.py
@ -1149,8 +1149,9 @@ class site_api:
        domains = request.form.get('domains', '')
        status = request.form.get('status', '')
        name = request.form.get('name', '')
+        none = request.form.get('none', '')
        sid = request.form.get('id', '')
-        return self.setSecurity(sid, name, fix, domains, status)
+        return self.setSecurity(sid, name, fix, domains, status, none)

    def getLogsApi(self):
        siteName = request.form.get('siteName', '')
@ -2430,9 +2431,28 @@ location ^~ {from} {\n\
            tmp = re.search(rep, conf).group()
            data['fix'] = re.search(
                "\(.+\)\$", tmp).group().replace('(', '').replace(')$', '').replace('|', ',')
-            data['domains'] = ','.join(re.search(
-                "valid_referers\s+none\s+blocked\s+(.+);\n", tmp).groups()[0].split())
-            data['status'] = True
+
+            data['status'] = False
+            data['none'] = False
+
+            valid_referers = re.search(
+                "valid_referers\s+(.+);\n", tmp)
+            valid_referers_none = re.search(
+                "valid_referers\s+none\s+blocked\s+(.+);\n", tmp)
+
+            if valid_referers or valid_referers_none:
+                data['status'] = True
+
+            if valid_referers_none:
+                domain_t = valid_referers_none.groups()[0].split()
+                data['domains'] = ','.join(domain_t)
+                data['none'] = True
+            elif valid_referers:
+                domain_t = valid_referers.groups()[0].split()
+                data['domains'] = ','.join(domain_t)
+                data['none'] = False
+
+            # print(data)
        else:
            data['fix'] = 'jpg,jpeg,gif,png,js,css'
            domains = mw.M('domain').where(
@ -2442,19 +2462,27 @@ location ^~ {from} {\n\
                tmp.append(domain['name'])
            data['domains'] = ','.join(tmp)
            data['status'] = False
+            data['none'] = False
        return mw.getJson(data)

-    def setSecurity(self, sid, name, fix, domains, status):
+    def setSecurity(self, sid, name, fix, domains, status, none=''):
        if len(fix) < 2:
            return mw.returnJson(False, 'URL后缀不能为空!')
        file = self.getHostConf(name)
        if os.path.exists(file):
            conf = mw.readFile(file)
-            if conf.find('SECURITY-START') != -1:
+            if status == 'false':
                rep = "\s{0,4}#SECURITY-START(\n|.){1,500}#SECURITY-END\n?"
                conf = re.sub(rep, '', conf)
                mw.writeLog('网站管理', '站点[' + name + ']已关闭防盗链设置!')
            else:
+                rep = "\s{0,4}#SECURITY-START(\n|.){1,500}#SECURITY-END\n?"
+                conf = re.sub(rep, '', conf)
+
+                valid_referers = domains.strip().replace(',', ' ')
+                if none == 'true':
+                    valid_referers = 'none blocked ' + valid_referers
+
                pre_path = self.setupPath + "/php/conf"
                re_path = "include\s+" + pre_path + "/enable-php-"
                rconf = '''#SECURITY-START 防盗链配置
@ -2462,13 +2490,13 @@ location ^~ {from} {\n\
    {
        expires      30d;
        access_log /dev/null;
-        valid_referers none blocked %s;
+        valid_referers %s;
        if ($invalid_referer){
           return 404;
        }
    }
    #SECURITY-END
-    include %s/enable-php-''' % (fix.strip().replace(',', '|'), domains.strip().replace(',', ' '), pre_path)
+    include %s/enable-php-''' % (fix.strip().replace(',', '|'), valid_referers, pre_path)
                conf = re.sub(re_path, rconf, conf)
                mw.writeLog('网站管理', '站点[' + name + ']已开启防盗链!')
            mw.writeFile(file, conf)
--- a/route/static/app/site.js
+++ b/route/static/app/site.js
@ -1108,11 +1108,13 @@ function getSiteErrorLogs(siteName){
 function security(id,name){
 	var loadT = layer.msg(lan.site.the_msg,{icon:16,time:0,shade: [0.3, '#000']});
 	$.post('/site/get_security',{id:id,name:name},function(rdata){
+		console.log(rdata);
 		layer.close(loadT);
 		var mbody = '<div>'
 					+'<p style="margin-bottom:8px"><span style="display: inline-block; width: 60px;">URL后缀</span><input class="bt-input-text" type="text" name="sec_fix" value="'+rdata.fix+'" style="margin-left: 5px;width: 425px;height: 30px;margin-right:10px;'+(rdata.status?'background-color: #eee;':'')+'" placeholder="多个请用逗号隔开,例：png,jpeg,jpg,gif,zip" '+(rdata.status?'readonly':'')+'></p>'
 					+'<p style="margin-bottom:8px"><span style="display: inline-block; width: 60px;">许可域名</span><input class="bt-input-text" type="text" name="sec_domains" value="'+rdata.domains+'" style="margin-left: 5px;width: 425px;height: 30px;margin-right:10px;'+(rdata.status?'background-color: #eee;':'')+'" placeholder="支持通配符,多个域名请用逗号隔开,例：*.test.com,test.com" '+(rdata.status?'readonly':'')+'></p>'
 					+'<div class="label-input-group ptb10"><label style="font-weight:normal"><input type="checkbox" name="sec_status" onclick="setSecurity(\''+name+'\','+id+')" '+(rdata.status?'checked':'')+'>启用防盗链</label></div>'
+					+'<div class="label-input-group ptb10"><label style="font-weight:normal"><input type="checkbox" name="sec_none_status" onclick="setSecurity(\''+name+'\','+id+')" '+(rdata.none?'checked':'')+'>允许空HTTP_REFERER请求</label></div>'
 					+'<ul class="help-info-text c7 ptb10">'
 						+'<li>默认允许资源被直接访问,即不限制HTTP_REFERER为空的请求</li>'
 						+'<li>多个URL后缀与域名请使用逗号(,)隔开,如: png,jpeg,zip,js</li>'
@ -1124,20 +1126,23 @@ function security(id,name){
 }

 //设置防盗链
-function setSecurity(name,id){
-	var data = {
-		fix:$("input[name='sec_fix']").val(),
-		domains:$("input[name='sec_domains']").val(),
-		status:$("input[name='sec_status']").val(),
-		name:name,
-		id:id
-	}
-	var loadT = layer.msg(lan.site.the_msg,{icon:16,time:0,shade: [0.3, '#000']});
-	$.post('/site/set_security',data,function(rdata){
-		layer.close(loadT);
-		layer.msg(rdata.msg,{icon:rdata.status?1:2});
-		if(rdata.status) setTimeout(function(){security(id,name);},1000);
-	},'json');
+function setSecurity(name,id, none){
+	setTimeout(function(){
+		var data = {
+			fix:$("input[name='sec_fix']").val(),
+			domains:$("input[name='sec_domains']").val(),
+			status:$("input[name='sec_status']").prop("checked"),
+			none:$("input[name='sec_none_status']").prop("checked"),
+			name:name,
+			id:id
+		}
+		var loadT = layer.msg(lan.site.the_msg,{icon:16,time:0,shade: [0.3, '#000']});
+		$.post('/site/set_security',data,function(rdata){
+			layer.close(loadT);
+			layer.msg(rdata.msg,{icon:rdata.status?1:2});
+			if(rdata.status) setTimeout(function(){security(id,name);},1000);
+		},'json');
+	},100);
 }