b8788c239e
MCP Docker / build-and-push (push) Has been cancelled
- Remove telemetry: disabled all phone-home (installation notify, false positives, behavior tracking, upgrade tips) - Version branding: removed 'ce-' prefix, product name changed to '长亭雷池 WAF' - Detection engine enhancement: strict preset enables all 17 modules with aggressive configs - Multi-user RBAC: admin/operator/viewer roles with password + TOTP 2FA - Rate limiting: nginx limit_req per website (RPS, burst, action) - JS Challenge: browser fingerprint verification page with cookie-based bypass - Security fixes: removed InsecureSkipVerify, hardcoded credentials, NO_AUTH backdoor
79 lines
2.3 KiB
Go
79 lines
2.3 KiB
Go
package controller
|
|
|
|
// nginxConfigTpl generates nginx config for each website.
|
|
// Placeholders:
|
|
// %s = upstream name
|
|
// %s = upstream addr(s)
|
|
// %s = server listen directive
|
|
// %s = server_name directive
|
|
// %s = ssl_certificate directive (or empty)
|
|
// %s = ssl_certificate_key directive (or empty)
|
|
// %s = upstream scheme (http/https)
|
|
// %s = upstream name (again for proxy_pass)
|
|
// %d = site UUID (SL-CE-SUID header value)
|
|
var nginxConfigTpl = `
|
|
upstream %s {
|
|
%s
|
|
keepalive 128;
|
|
keepalive_timeout 75;
|
|
}
|
|
server {
|
|
%s
|
|
%s
|
|
%s
|
|
%s
|
|
location = /forbidden_page {
|
|
internal;
|
|
root /etc/nginx/forbidden_pages;
|
|
try_files /default_forbidden_page.html =403;
|
|
}
|
|
location ^~ / {
|
|
proxy_pass %s://%s;
|
|
include proxy_params;
|
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
proxy_set_header Accept-Encoding "";
|
|
t1k_append_header SL-CE-SUID %d;
|
|
t1k_body_size 1024k;
|
|
tx_body_size 4k;
|
|
t1k_error_page 403 /forbidden_page;
|
|
tx_error_page 403 /forbidden_page;
|
|
%s
|
|
%s
|
|
}
|
|
}`
|
|
|
|
// rateLimitZoneTpl defines a shared memory zone for rate limiting.
|
|
// %s = zone name (site_N)
|
|
// %s = rate (e.g. "100r/s")
|
|
var rateLimitZoneTpl = `limit_req_zone $binary_remote_addr zone=%s:%dm rate=%s;`
|
|
|
|
// rateLimitReqTpl applies rate limiting to a location.
|
|
// %s = zone name
|
|
// %d = burst value
|
|
var rateLimitReqTpl = `limit_req zone=%s burst=%d nodelay;`
|
|
|
|
// rateLimitRejectTpl returns 429 when rate limit is exceeded.
|
|
var rateLimitRejectTpl = `limit_req_status 429;`
|
|
|
|
// challengeLocationTpl adds a JS challenge verification endpoint.
|
|
var challengeLocationTpl = `
|
|
location = /__waf_challenge {
|
|
internal;
|
|
root /etc/nginx/challenge_pages;
|
|
try_files /challenge.html =200;
|
|
}
|
|
location = /__waf_verify {
|
|
internal;
|
|
proxy_pass http://127.0.0.1:3335/verify;
|
|
proxy_set_header Host $host;
|
|
proxy_set_header X-Real-IP $remote_addr;
|
|
}`
|
|
|
|
var upstreamAddrTpl = `server %s;`
|
|
var serverListenTpl = `listen 0.0.0.0:%s%s%s;`
|
|
var addrAnyPropertiesTpl = " default_server backlog=65536 reuseport"
|
|
var serverNameTpl = `server_name %s;`
|
|
var certTpl = `ssl_certificate /etc/nginx/certs/%s;`
|
|
var certKeyTpl = `ssl_certificate_key /etc/nginx/certs/%s;`
|
|
var backendTpl = `backend_%d`
|