Files
SafeLine/management/tcontrollerd/controller/template.go
T
Binbim b8788c239e
MCP Docker / build-and-push (push) Has been cancelled
feat: SafeLine CE 9.3.9 with pro features
- Remove telemetry: disabled all phone-home (installation notify, false positives, behavior tracking, upgrade tips)
- Version branding: removed 'ce-' prefix, product name changed to '长亭雷池 WAF'
- Detection engine enhancement: strict preset enables all 17 modules with aggressive configs
- Multi-user RBAC: admin/operator/viewer roles with password + TOTP 2FA
- Rate limiting: nginx limit_req per website (RPS, burst, action)
- JS Challenge: browser fingerprint verification page with cookie-based bypass
- Security fixes: removed InsecureSkipVerify, hardcoded credentials, NO_AUTH backdoor
2026-07-04 07:59:04 +08:00

79 lines
2.3 KiB
Go

package controller
// nginxConfigTpl generates nginx config for each website.
// Placeholders:
// %s = upstream name
// %s = upstream addr(s)
// %s = server listen directive
// %s = server_name directive
// %s = ssl_certificate directive (or empty)
// %s = ssl_certificate_key directive (or empty)
// %s = upstream scheme (http/https)
// %s = upstream name (again for proxy_pass)
// %d = site UUID (SL-CE-SUID header value)
var nginxConfigTpl = `
upstream %s {
%s
keepalive 128;
keepalive_timeout 75;
}
server {
%s
%s
%s
%s
location = /forbidden_page {
internal;
root /etc/nginx/forbidden_pages;
try_files /default_forbidden_page.html =403;
}
location ^~ / {
proxy_pass %s://%s;
include proxy_params;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Accept-Encoding "";
t1k_append_header SL-CE-SUID %d;
t1k_body_size 1024k;
tx_body_size 4k;
t1k_error_page 403 /forbidden_page;
tx_error_page 403 /forbidden_page;
%s
%s
}
}`
// rateLimitZoneTpl defines a shared memory zone for rate limiting.
// %s = zone name (site_N)
// %s = rate (e.g. "100r/s")
var rateLimitZoneTpl = `limit_req_zone $binary_remote_addr zone=%s:%dm rate=%s;`
// rateLimitReqTpl applies rate limiting to a location.
// %s = zone name
// %d = burst value
var rateLimitReqTpl = `limit_req zone=%s burst=%d nodelay;`
// rateLimitRejectTpl returns 429 when rate limit is exceeded.
var rateLimitRejectTpl = `limit_req_status 429;`
// challengeLocationTpl adds a JS challenge verification endpoint.
var challengeLocationTpl = `
location = /__waf_challenge {
internal;
root /etc/nginx/challenge_pages;
try_files /challenge.html =200;
}
location = /__waf_verify {
internal;
proxy_pass http://127.0.0.1:3335/verify;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
}`
var upstreamAddrTpl = `server %s;`
var serverListenTpl = `listen 0.0.0.0:%s%s%s;`
var addrAnyPropertiesTpl = " default_server backlog=65536 reuseport"
var serverNameTpl = `server_name %s;`
var certTpl = `ssl_certificate /etc/nginx/certs/%s;`
var certKeyTpl = `ssl_certificate_key /etc/nginx/certs/%s;`
var backendTpl = `backend_%d`