npm - @abtnode/router-provider - Versions diffs - 1.16.44-beta-20250527-130401-1b9ae926 → 1.16.44-beta-20250529-004636-15e80e20 - Mend

@abtnode/router-provider 1.16.44-beta-20250527-130401-1b9ae926 → 1.16.44-beta-20250529-004636-15e80e20

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (2) hide show

package/lib/nginx/index.js +104 -3
package/package.json +7 -6

package/lib/nginx/index.js CHANGED Viewed

@@ -26,8 +26,9 @@ const {
   GATEWAY_RATE_LIMIT_GLOBAL,
   GATEWAY_RATE_LIMIT,
 } = require('@abtnode/constant');
+const { toHex } = require('@ocap/util');
 const promiseRetry = require('promise-retry');
+const difference = require('lodash/difference');
 const logger = require('@abtnode/logger')('router:nginx:controller');
@@ -174,6 +175,7 @@ class NginxProvider extends BaseProvider {
     proxyPolicy,
     wafPolicy,
     cacheEnabled,
+    wafDisabledBlocklets = [],
   } = {}) {
     if (!Array.isArray(routingTable)) {
       throw new Error('routingTable must be an array');
@@ -228,7 +230,7 @@ class NginxProvider extends BaseProvider {
         this.ensureUpstreamServers(allRules);
-        this._addModSecurity(conf, wafPolicy);
+        this._addModSecurity(conf, wafPolicy, wafDisabledBlocklets);
         // eslint-disable-next-line no-restricted-syntax
         for (const site of sites) {
@@ -940,7 +942,7 @@ class NginxProvider extends BaseProvider {
     return httpsServerUnit;
   }
-  _addModSecurity(conf, wafPolicy = {}) {
+  _addModSecurity(conf, wafPolicy = {}, wafDisabledBlocklets = []) {
     if (!wafPolicy.enabled) {
       return;
     }
@@ -966,6 +968,8 @@ class NginxProvider extends BaseProvider {
     fs.writeFileSync(modSecurityConfPath, getModSecurityConf(variables));
     fs.writeFileSync(coreRuleSetConfPath, getCoreRuleSetConf(variables));
+    this.syncCustomCRSFiles({ wafDisabledBlocklets });
     conf.nginx.http._add('modsecurity', 'on');
     conf.nginx.http._add('modsecurity_transaction_id', '$request_id');
     conf.nginx.http._add('modsecurity_rules_file', modSecurityConfPath);
@@ -1076,6 +1080,103 @@ class NginxProvider extends BaseProvider {
     };
   }
+  _didToNumber(did) {
+    return parseInt(toHex(Buffer.from(did)).slice(-8), 16);
+  }
+  _getBlockletWAFTemplateConf({ domainAliases, wafPolicy, defaultWAF = 'On', did = '' }) {
+    if (!Array.isArray(domainAliases) || domainAliases.length === 0) return '';
+    const headerComment = [
+      '# ------------------------------------------------------------------------',
+      '# Blocklet WAF Exclusion Rules',
+      '#',
+      `# This file is generated for Blocklet DID: ${did || '[unknown]'} .`,
+      '#',
+      '# The rules below control ModSecurity WAF behavior for specific domains associated with this DID.',
+      '# Each rule disables or enables the WAF engine for requests matching the Host header.',
+      '#',
+      '# DO NOT EDIT THIS FILE MANUALLY.',
+      '# ------------------------------------------------------------------------',
+      '',
+    ].join('\n');
+    const baseId = 9000000 + (this._didToNumber(did) % 10000);
+    const rules = domainAliases
+      .map((domain, idx) => {
+        let rule;
+        if (domain.includes(SLOT_FOR_IP_DNS_SITE)) {
+          // 只匹配 did- 前缀
+          const didPrefix = `${domain.split('-')[0]}-`;
+          rule = `SecRule REQUEST_HEADERS:Host "@contains ${didPrefix}" \\`;
+        } else {
+          rule = `SecRule REQUEST_HEADERS:Host "@streq ${domain}" \\`;
+        }
+        return `${rule}
+"id:${baseId + idx},\\
+phase:1,\\
+pass,\\
+nolog,\\
+tag:'SERVER_WAF',\\
+tag:'did:${did}',\\
+ctl:ruleEngine=${wafPolicy?.enabled ? defaultWAF : 'Off'}"`;
+      })
+      .join('\n\n');
+    return `${headerComment}${rules}`;
+  }
+  addCustomWAFConf({ did, domainAliases, wafPolicy, defaultWAF }) {
+    if (!Array.isArray(domainAliases) || domainAliases.length === 0) return;
+    const customDIDConfigPath = path.join(this.includesDir, `security/crs4/rules/REQUEST-900-CUSTOM-RULES-${did}.conf`);
+    const confContent = this._getBlockletWAFTemplateConf({
+      domainAliases: domainAliases.map((x) => x.value),
+      defaultWAF,
+      wafPolicy,
+      did,
+    });
+    fs.writeFileSync(customDIDConfigPath, confContent);
+  }
+  syncCustomCRSFiles({ wafDisabledBlocklets = [] }) {
+    const wafDisabledBlockletsDIDs = wafDisabledBlocklets.map((x) => x.did);
+    const rulesDir = path.join(this.includesDir, 'security/crs4/rules');
+    const prefix = 'REQUEST-900-CUSTOM-RULES-';
+    const files = fs.readdirSync(rulesDir).filter((f) => f.startsWith(prefix));
+    const localWafBlockletsDIDs = files.map((x) => x.replace(prefix, '').replace('.conf', ''));
+    const removeList = difference(localWafBlockletsDIDs, wafDisabledBlockletsDIDs);
+    const addList = difference(wafDisabledBlockletsDIDs, localWafBlockletsDIDs);
+    logger.info('syncCustomCRSFiles', { removeList, addList });
+    if (removeList.length) {
+      const removeFiles = removeList.map((x) => path.join(rulesDir, `${prefix}${x}.conf`));
+      for (const file of removeFiles) {
+        try {
+          fs.rmSync(file, { recursive: true, force: true });
+        } catch (err) {
+          logger.error('Failed to remove custom CRS file', { file, error: err });
+        }
+      }
+    }
+    if (addList.length) {
+      for (const did of addList) {
+        try {
+          const blocklet = wafDisabledBlocklets.find((x) => x.did === did);
+          const domainAliases = blocklet?.site?.domainAliases || [];
+          this.addCustomWAFConf({ did, domainAliases, wafPolicy: { enabled: false }, defaultWAF: 'On' });
+        } catch (error) {
+          logger.error('Failed to add custom CRS file', { did, error });
+        }
+      }
+    }
+  }
   getLogDir() {
     return this.logDir;
   }

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@abtnode/router-provider",
-  "version": "1.16.44-beta-20250527-130401-1b9ae926",
+  "version": "1.16.44-beta-20250529-004636-15e80e20",
   "description": "Routing engine implementations for abt node",
   "author": "polunzh <polunzh@gmail.com>",
   "homepage": "https://github.com/ArcBlock/blocklet-server#readme",
@@ -32,12 +32,13 @@
     "url": "https://github.com/ArcBlock/blocklet-server/issues"
   },
   "dependencies": {
-    "@abtnode/constant": "1.16.44-beta-20250527-130401-1b9ae926",
-    "@abtnode/logger": "1.16.44-beta-20250527-130401-1b9ae926",
-    "@abtnode/router-templates": "1.16.44-beta-20250527-130401-1b9ae926",
-    "@abtnode/util": "1.16.44-beta-20250527-130401-1b9ae926",
+    "@abtnode/constant": "1.16.44-beta-20250529-004636-15e80e20",
+    "@abtnode/logger": "1.16.44-beta-20250529-004636-15e80e20",
+    "@abtnode/router-templates": "1.16.44-beta-20250529-004636-15e80e20",
+    "@abtnode/util": "1.16.44-beta-20250529-004636-15e80e20",
     "@arcblock/http-proxy": "^1.19.1",
     "@arcblock/is-valid-domain": "^1.0.5",
+    "@ocap/util": "^1.20.11",
     "axios": "^1.7.9",
     "debug": "^4.3.7",
     "fast-glob": "^3.3.2",
@@ -61,5 +62,5 @@
     "bluebird": "^3.7.2",
     "fs-extra": "^11.2.0"
   },
-  "gitHead": "dc9dbcc0940b331408fd2469147bbbf0c473376b"
+  "gitHead": "93f38f56824d2dd2afcd6950b73a67510d9cd18c"
 }