npm - mm_os - Versions diffs - 3.2.8 → 3.3.0 - Mend

mm_os 3.2.8 → 3.3.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (38) hide show

package/README.md +47 -1
package/core/base/mqtt/index.js +344 -157
package/core/base/web/index.js +98 -11
package/core/com/middleware/com.js +152 -152
package/core/com/socket/config.tpl.json +2 -2
package/core/com/socket/drive.js +2 -2
package/core/com/socket/index.js +1 -1
package/core/com/sql/drive.js +7 -7
package/index.js +41 -37
package/middleware/performance/index.js +150 -142
package/middleware/security_audit/index.js +549 -0
package/middleware/security_audit/middleware.json +48 -0
package/middleware/security_headers/index.js +487 -0
package/middleware/security_headers/middleware.json +45 -0
package/middleware/waf/index.js +277 -6
package/middleware/waf/middleware.json +2 -1
package/middleware/waf_ddos/index.js +520 -0
package/middleware/waf_ddos/middleware.json +38 -0
package/middleware/waf_ip/index.js +231 -20
package/middleware/waf_ip/middleware.json +43 -4
package/middleware/waf_xss/index.js +269 -0
package/middleware/waf_xss/middleware.json +18 -0
package/middleware/web_before/middleware.json +1 -1
package/middleware/web_socket/middleware.json +2 -2
package/package.json +18 -7
package/middleware/cors/index.js +0 -103
package/middleware/cors/middleware.json +0 -9
package/middleware/log/index.js +0 -32
package/middleware/log/middleware.json +0 -9
package/middleware/rate_limit/index.js +0 -112
package/middleware/rate_limit/middleware.json +0 -10
package/nodemon.json +0 -31
package/package.txt +0 -1
package/rps.bat +0 -3
package/test.js +0 -5
package/tps.bat +0 -3
package/update.bat +0 -1
package//347/263/273/347/273/237/346/236/266/346/236/204/350/257/204/344/274/260/344/270/216/344/274/230/345/214/226/345/273/272/350/256/256.md +0 -599

package/middleware/waf_ddos/index.js ADDED Viewed

@@ -0,0 +1,520 @@
+const mm_expand = require('mm_expand');
+/**
+ * 综合流量控制与DDOS攻击防护中间件
+ * 合并了原rate_limit和ddos_protection的功能，提供全面的流量防护机制
+ */
+class Middleware {
+	/**
+	 * 构造函数
+	 */
+	constructor() {
+		// 内存存储，用于记录请求计数和IP信息
+		this.ipRequestCount = new Map();
+		this.blockedIps = new Map();
+		this.connectionCount = new Map();
+		this.default = {
+			// 启用综合流量保护
+			enable: true,
+			// 存储方式: 'memory', 'redis'
+			storage: 'memory',
+			// 基于IP的速率限制
+			ip_rate_limit: {
+				// 时间窗口(毫秒)
+				window_ms: 60000,
+				// 每个IP在时间窗口内的最大请求数
+				max_requests: 100,
+				// 是否启用
+				enable: true
+			},
+			// 基于路径的速率限制
+			path_rate_limit: {
+				// 时间窗口(毫秒)
+				window_ms: 60000,
+				// 每个IP对每个路径在时间窗口内的最大请求数
+				max_requests: 50,
+				// 是否启用
+				enable: true
+			},
+			// 连接限制
+			connection_limit: {
+				// 单个IP的最大并发连接数
+				max_connections: 50,
+				// 是否启用
+				enable: true
+			},
+			// 阻止规则
+			blocking: {
+				// 触发阻止的阈值倍数
+				threshold: 2,
+				// 阻止时间(毫秒)
+				block_time: 300000, // 5分钟
+				// 是否自动解除阻止
+				auto_unblock: true
+			},
+			// 白名单IP
+			whitelist: [],
+			// 忽略的路径（白名单路径）
+			ignore_paths: ['/api/health', '/favicon.ico', '/static/'],
+			// 是否记录攻击尝试
+			log: true,
+			// 是否阻止恶意请求
+			block: true,
+			// 响应状态码
+			status_code: 429,
+			// 响应消息
+			response_message: '请求过于频繁，请稍后再试',
+			// 是否设置X-RateLimit响应头
+			set_rate_limit_headers: true
+		};
+	}
+	/**
+	 * 初始化中间件
+	 * @param {Object} config 配置项
+	 */
+	init(config) {
+		config = Object.assign({}, this.default, config);
+		this.config = config;
+		// 启动清理过期数据的定时器（仅在内存存储模式下需要）
+		if (config.storage === 'memory') {
+			this.startCleanupTimer();
+		}
+		return function() {
+			// 返回中间件的run方法作为实际的处理函数
+			return function(ctx, next) {
+				return middleware.run(ctx, next);
+			};
+		};
+	}
+	/**
+	 * 获取客户端真实IP
+	 * 在代理环境中，优先从代理头获取真实IP
+	 * @param {Object} ctx Koa上下文
+	 * @returns {String} 客户端真实IP
+	 */
+	getClientIp(ctx) {
+		const headers = ctx.headers;
+		// 优先检查常用代理头获取真实IP
+		const xForwardedFor = headers['x-forwarded-for'];
+		if (xForwardedFor) {
+			// X-Forwarded-For 格式通常为: client, proxy1, proxy2
+			const ips = xForwardedFor.split(',').map(ip => ip.trim());
+			for (let i = 0; i < ips.length; i++) {
+				const ip = ips[i];
+				if (ip && ip !== 'unknown' && ip !== '127.0.0.1' && ip !== '::1') {
+					return ip;
+				}
+			}
+		}
+		// 检查其他常见的代理头
+		return headers['x-real-ip'] ||
+			headers['x-client-ip'] ||
+			headers['cf-connecting-ip'] || // CloudFlare
+			headers['fastly-client-ip'] || // Fastly
+			headers['true-client-ip'] || // Akamai and Cloudflare
+			ctx.ip; // 默认回退到ctx.ip
+	}
+	/**
+	 * 使用Redis存储请求计数（从rate_limit中间件合并的功能）
+	 * @param {String} clientKey 客户端标识符（通常是IP）
+	 * @param {String} prefix 键前缀
+	 * @param {Number} windowMs 时间窗口（秒）
+	 * @returns {Promise<Number>} 请求计数
+	 */
+	async incrementRequestWithRedis(clientKey, prefix, windowMs) {
+		try {
+			// 检查Redis是否可用
+			if ($.cache && typeof $.cache.addInt === 'function') {
+				const key = `${prefix}:${clientKey}`;
+				// 使用addInt方法增加计数（mm_redis包提供的方法）
+				const count = await $.cache.addInt(key, 1);
+				// 设置过期时间
+				await $.cache.ttl(key, Math.ceil(windowMs / 1000));
+				return count || 0;
+			}
+		} catch (error) {
+			if (this.config.log && $.log && $.log.error) {
+				$.log.error('Redis速率限制失败:', error);
+			}
+		}
+		// Redis不可用时返回null，将使用内存存储
+		return null;
+	}
+	/**
+	 * 执行中间件
+	 * @param {Object} ctx Koa上下文
+	 * @param {Function} next 下一个中间件
+	 */
+	async run(ctx, next) {
+		const config = this.config;
+		// 使用改进的IP获取方法
+		const ip = this.getClientIp(ctx);
+		const path = ctx.path;
+		if (!config.enable) {
+			return await next();
+		}
+		// 检查是否在白名单中
+		if (this.isWhitelisted(ip)) {
+			return await next();
+		}
+		// 检查是否应该忽略该路径
+		if (this.shouldIgnorePath(path)) {
+			return await next();
+		}
+		// 检查IP是否被阻止
+		if (this.isBlocked(ip)) {
+			if (config.log && $.log && $.log.warn) {
+				$.log.warn('Blocked IP Attempted Access:', {
+					ip: ip,
+					path: path,
+					method: ctx.method
+				});
+			}
+			ctx.status = config.status_code;
+			ctx.body = {
+				code: config.status_code,
+				msg: config.response_message
+			};
+			return;
+		}
+		// 检查连接限制
+		if (config.connection_limit.enable && !this.checkConnectionLimit(ip)) {
+			this.blockIp(ip, 'Exceeded connection limit');
+			ctx.status = config.status_code;
+			ctx.body = {
+				code: config.status_code,
+				msg: config.response_message
+			};
+			return;
+		}
+		// 检查IP速率限制
+		let requestCount = null;
+		if (config.ip_rate_limit.enable) {
+			if (config.storage === 'redis') {
+				// 使用Redis进行速率限制
+				requestCount = await this.incrementRequestWithRedis(
+					ip,
+					'rate_limit',
+					config.ip_rate_limit.window_ms
+				);
+				if (requestCount !== null) {
+					// Redis成功执行了计数
+					if (requestCount > config.ip_rate_limit.max_requests) {
+						this.blockIp(ip, 'Exceeded IP rate limit');
+						// 设置响应头
+						if (config.set_rate_limit_headers) {
+							ctx.set('X-RateLimit-Limit', config.ip_rate_limit.max_requests);
+							ctx.set('X-RateLimit-Remaining', 0);
+						}
+						ctx.status = config.status_code;
+						ctx.body = {
+							code: config.status_code,
+							msg: config.response_message
+						};
+						return;
+					}
+					// 设置响应头
+					if (config.set_rate_limit_headers) {
+						ctx.set('X-RateLimit-Limit', config.ip_rate_limit.max_requests);
+						ctx.set('X-RateLimit-Remaining', Math.max(0, config.ip_rate_limit.max_requests -
+							requestCount));
+					}
+				} else {
+					// Redis不可用，使用内存存储方式
+					if (!this.checkIpRateLimit(ip)) {
+						this.blockIp(ip, 'Exceeded IP rate limit');
+						ctx.status = config.status_code;
+						ctx.body = {
+							code: config.status_code,
+							msg: config.response_message
+						};
+						return;
+					}
+				}
+			} else {
+				// 使用内存存储方式
+				if (!this.checkIpRateLimit(ip)) {
+					this.blockIp(ip, 'Exceeded IP rate limit');
+					ctx.status = config.status_code;
+					ctx.body = {
+						code: config.status_code,
+						msg: config.response_message
+					};
+					return;
+				}
+			}
+		}
+		// 检查路径速率限制（仅内存存储支持）
+		if (config.path_rate_limit.enable && config.storage === 'memory') {
+			if (!this.checkPathRateLimit(ip, path)) {
+				this.blockIp(ip, `Exceeded path rate limit for ${path}`);
+				ctx.status = config.status_code;
+				ctx.body = {
+					code: config.status_code,
+					msg: config.response_message
+				};
+				return;
+			}
+		}
+		// 增加连接计数
+		this.incrementConnection(ip);
+		try {
+			await next();
+		} finally {
+			// 减少连接计数
+			this.decrementConnection(ip);
+		}
+	}
+	/**
+	 * 检查IP是否在白名单中
+	 * @param {String} ip IP地址
+	 * @returns {Boolean} 是否在白名单中
+	 */
+	isWhitelisted(ip) {
+		return this.config.whitelist.includes(ip);
+	}
+	/**
+	 * 检查是否应该忽略该路径
+	 * @param {String} path 路径
+	 * @returns {Boolean} 是否忽略
+	 */
+	shouldIgnorePath(path) {
+		return this.config.ignore_paths.some(p => path === p || path.startsWith(p));
+	}
+	/**
+	 * 检查IP是否被阻止
+	 * @param {String} ip IP地址
+	 * @returns {Boolean} 是否被阻止
+	 */
+	isBlocked(ip) {
+		const blocked = this.blockedIps.get(ip);
+		if (!blocked) return false;
+		// 如果启用了自动解除阻止
+		if (this.config.blocking.auto_unblock) {
+			if (Date.now() > blocked.unblock_time) {
+				this.blockedIps.delete(ip);
+				return false;
+			}
+		}
+		return true;
+	}
+	/**
+	 * 阻止IP
+	 * @param {String} ip IP地址
+	 * @param {String} reason 阻止原因
+	 */
+	blockIp(ip, reason) {
+		if (!this.config.block) return;
+		const blockTime = this.config.blocking.block_time;
+		const unblockTime = Date.now() + blockTime;
+		this.blockedIps.set(ip, {
+			reason: reason,
+			block_time: Date.now(),
+			unblock_time: unblockTime
+		});
+		if (this.config.log && $.log && $.log.warn) {
+			$.log.warn('IP Blocked:', {
+				ip: ip,
+				reason: reason,
+				block_time: new Date().toISOString(),
+				unblock_time: new Date(unblockTime).toISOString()
+			});
+		}
+	}
+	/**
+	 * 检查连接限制
+	 * @param {String} ip IP地址
+	 * @returns {Boolean} 是否通过检查
+	 */
+	checkConnectionLimit(ip) {
+		const count = this.connectionCount.get(ip) || 0;
+		return count < this.config.connection_limit.max_connections;
+	}
+	/**
+	 * 增加连接计数
+	 * @param {String} ip IP地址
+	 */
+	incrementConnection(ip) {
+		const count = this.connectionCount.get(ip) || 0;
+		this.connectionCount.set(ip, count + 1);
+	}
+	/**
+	 * 减少连接计数
+	 * @param {String} ip IP地址
+	 */
+	decrementConnection(ip) {
+		const count = this.connectionCount.get(ip);
+		if (count && count > 0) {
+			this.connectionCount.set(ip, count - 1);
+		} else {
+			this.connectionCount.delete(ip);
+		}
+	}
+	/**
+	 * 检查IP速率限制（内存存储方式）
+	 * @param {String} ip IP地址
+	 * @returns {Boolean} 是否通过检查
+	 */
+	checkIpRateLimit(ip) {
+		const now = Date.now();
+		const windowMs = this.config.ip_rate_limit.window_ms;
+		const maxRequests = this.config.ip_rate_limit.max_requests;
+		let requests = this.ipRequestCount.get(ip) || [];
+		// 清理过期的请求记录
+		requests = requests.filter(timestamp => now - timestamp < windowMs);
+		// 检查是否超过限制
+		if (requests.length >= maxRequests) {
+			return false;
+		}
+		// 添加当前请求时间戳
+		requests.push(now);
+		this.ipRequestCount.set(ip, requests);
+		return true;
+	}
+	/**
+	 * 检查路径速率限制（内存存储方式）
+	 * @param {String} ip IP地址
+	 * @param {String} path 路径
+	 * @returns {Boolean} 是否通过检查
+	 */
+	checkPathRateLimit(ip, path) {
+		const key = `${ip}:${path}`;
+		const now = Date.now();
+		const windowMs = this.config.path_rate_limit.window_ms;
+		const maxRequests = this.config.path_rate_limit.max_requests;
+		let requests = this.ipRequestCount.get(key) || [];
+		// 清理过期的请求记录
+		requests = requests.filter(timestamp => now - timestamp < windowMs);
+		// 检查是否超过限制
+		if (requests.length >= maxRequests) {
+			return false;
+		}
+		// 添加当前请求时间戳
+		requests.push(now);
+		this.ipRequestCount.set(key, requests);
+		return true;
+	}
+	/**
+	 * 启动清理过期数据的定时器
+	 */
+	startCleanupTimer() {
+		// 每30秒清理一次过期数据
+		setInterval(() => {
+			this.cleanupExpiredData();
+		}, 30000);
+	}
+	/**
+	 * 清理过期数据
+	 */
+	cleanupExpiredData() {
+		const now = Date.now();
+		// 清理过期的IP请求记录
+		for (const [key, requests] of this.ipRequestCount.entries()) {
+			const cleanedRequests = requests.filter(timestamp =>
+				now - timestamp < Math.max(this.config.ip_rate_limit.window_ms, this.config.path_rate_limit
+					.window_ms)
+			);
+			if (cleanedRequests.length > 0) {
+				this.ipRequestCount.set(key, cleanedRequests);
+			} else {
+				this.ipRequestCount.delete(key);
+			}
+		}
+		// 自动解除过期的阻止
+		if (this.config.blocking.auto_unblock) {
+			for (const [ip, blockInfo] of this.blockedIps.entries()) {
+				if (now > blockInfo.unblock_time) {
+					this.blockedIps.delete(ip);
+					if (this.config.log && $.log && $.log.info) {
+						$.log.info('IP Unblocked Automatically:', {
+							ip: ip,
+							reason: blockInfo.reason
+						});
+					}
+				}
+			}
+		}
+	}
+}
+// 创建中间件实例
+const middleware = new Middleware();
+// 导出符合系统期望的函数
+exports = module.exports = function(server, config) {
+	// 初始化中间件
+	const handlerFactory = middleware.init(config);
+	const middlewareHandler = handlerFactory();
+	// 直接使用server.use注册中间件
+	server.use(middlewareHandler);
+	// 记录中间件初始化信息
+	if ($.log && $.log.info) {
+		const cg = middleware.config;
+		$.log.info(
+			`综合流量控制中间件已加载: 存储方式=${cg.storage}, IP限制=${cg.ip_rate_limit.max_requests}/${cg.ip_rate_limit.window_ms/1000}秒, 连接限制=${cg.connection_limit.max_connections}`
+			);
+	}
+	return server;
+};
+// 保留原始实例，以便其他方式调用
+exports.middleware = middleware;

package/middleware/waf_ddos/middleware.json ADDED Viewed

@@ -0,0 +1,38 @@
+{
+  "name": "waf_ddos",
+  "title": "综合流量控制与DDOS攻击防护中间件",
+  "type": "web_before",
+  "status": 1,
+  "sort": 12,
+  "desc": "提供DDOS攻击防护和速率限制，包括IP限流、路径限流、连接控制和IP封禁功能",
+  "config": {
+    "enable": true,
+    "storage": "memory",
+    "ip_rate_limit": {
+      "window_ms": 60000,
+      "max_requests": 100,
+      "enable": true
+    },
+    "path_rate_limit": {
+      "window_ms": 60000,
+      "max_requests": 50,
+      "enable": true
+    },
+    "connection_limit": {
+      "max_connections": 50,
+      "enable": true
+    },
+    "blocking": {
+      "threshold": 2,
+      "block_time": 300000,
+      "auto_unblock": true
+    },
+    "whitelist": [],
+    "ignore_paths": ["/api/health", "/favicon.ico", "/static/"],
+    "log": true,
+    "block": true,
+    "status_code": 429,
+    "response_message": "请求过于频繁，请稍后再试",
+    "set_rate_limit_headers": true
+  }
+}