PyPI - cancan-microstack - Versions diffs - 0.0.1__py3-none-any.whl - Mend

cancan-microstack 0.0.1__py3-none-any.whl

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (440) hide show

cancan_microstack/assets/builds/caddy/README.md ADDED Viewed

@@ -0,0 +1,343 @@
+# Caddy with Coraza WAF - 使用指南
+本项目使用**自定义构建的 Caddy**，集成了 **Coraza WAF（Web Application Firewall）** 模块，提供企业级的安全防护。
+---
+## 🛡️ 安全特性
+### 已启用的防护功能
+1. **SQL 注入防护** - 检测和阻止 SQL 注入攻击
+2. **XSS 防护** - 阻止跨站脚本攻击
+3. **路径遍历防护** - 防止访问敏感文件（.env, .git, backup 等）
+4. **协议违规检测** - 验证 HTTP 协议合规性
+5. **文件扩展名过滤** - 阻止访问危险文件类型
+6. **请求大小限制** - 防止 DoS 攻击（最大 10MB）
+7. **Content-Type 验证** - API 请求必须使用 `application/json`
+### WAF 配置
+- **偏执级别**: 2（增强保护）
+- **入站异常阈值**: 5
+- **出站异常阈值**: 4
+- **审计日志**: 仅记录相关事件（4xx/5xx 错误）
+---
+## 📁 目录结构
+```
+caddy/
+├── Dockerfile              # 自定义 Caddy 构建文件（包含 Coraza）
+├── Caddyfile              # Caddy 主配置文件
+├── waf/
+│   └── coraza.conf        # Coraza WAF 配置
+├── logs/
+│   ├── access.log         # 访问日志
+│   ├── access.json        # JSON 格式访问日志
+│   ├── waf-audit.log      # WAF 审计日志
+│   └── waf-debug.log      # WAF 调试日志
+├── data/                  # Caddy 数据目录（证书等）
+├── config/                # Caddy 配置目录
+└── geoip/                 # GeoIP 数据库目录
+    └── GeoLite2-City.mmdb
+```
+---
+## 🚀 构建和启动
+### 1. 构建 Caddy 镜像
+Docker Compose 会自动构建包含 Coraza WAF 的 Caddy 镜像：
+```bash
+# 构建镜像
+docker-compose build caddy.service
+# 或直接启动（会自动构建）
+docker-compose up -d caddy.service
+```
+### 2. 验证 WAF 是否启用
+```bash
+# 查看 Caddy 日志
+docker-compose logs caddy.service
+# 应该看到类似的输出：
+# {"level":"info","ts":...,"msg":"using provided configuration","adapter":"caddyfile"}
+```
+### 3. 测试 WAF 防护
+#### 测试 SQL 注入防护
+```bash
+# 应该被阻止（返回 403）
+curl "http://localhost/v1/besrv/api?id=1' OR '1'='1"
+# 正常请求应该成功
+curl "http://localhost/v1/besrv/api?id=123"
+```
+#### 测试 XSS 防护
+```bash
+# 应该被阻止（返回 403）
+curl "http://localhost/v1/besrv/api?name=<script>alert(1)</script>"
+# 正常请求应该成功
+curl "http://localhost/v1/besrv/api?name=John"
+```
+#### 测试路径遍历防护
+```bash
+# 应该被阻止（返回 403）
+curl "http://localhost/.env"
+curl "http://localhost/.git/config"
+curl "http://localhost/backup/database.sql"
+# 正常请求应该成功
+curl "http://localhost/health"
+```
+#### 测试 API Content-Type 验证
+```bash
+# POST 请求没有 Content-Type: application/json 会被拒绝
+curl -X POST "http://localhost/v1/besrv/api" \
+  -d "data=test"  # 应该返回 400
+# 正确的请求
+curl -X POST "http://localhost/v1/besrv/api" \
+  -H "Content-Type: application/json" \
+  -d '{"key":"value"}'  # 应该成功
+```
+---
+## 📊 WAF 日志
+### 审计日志
+WAF 会记录所有被阻止的请求到审计日志：
+```bash
+# 查看 WAF 审计日志
+docker exec cancan_caddy tail -f /var/log/caddy/waf-audit.log
+```
+日志格式示例：
+```
+[2025-01-01T10:30:00Z] [client 1.2.3.4] [id "900510"] [msg "SQL Injection Attempt Detected"] [uri "/v1/besrv/api?id=1' OR '1'='1"]
+```
+### 调试日志
+开发环境可以查看详细的 WAF 调试日志：
+```bash
+# 查看 WAF 调试日志
+docker exec cancan_caddy tail -f /var/log/caddy/waf-debug.log
+```
+---
+## ⚙️ WAF 配置调整
+### 修改偏执级别
+编辑 `caddy/waf/coraza.conf`：
+```conf
+# 调整偏执级别（1-4）
+SecAction \
+  "id:900000,\
+  phase:1,\
+  nolog,\
+  pass,\
+  t:none,\
+  setvar:tx.paranoia_level=3"  # 改为 1（宽松）或 4（严格）
+```
+### 添加 IP 白名单
+在 `caddy/waf/coraza.conf` 中添加：
+```conf
+# 允许特定 IP 绕过 WAF
+SecRule REMOTE_ADDR "@ipMatch 192.168.1.0/24" \
+  "id:900401,\
+  phase:1,\
+  pass,\
+  nolog,\
+  ctl:ruleEngine=Off"
+```
+### 添加 IP 黑名单
+```conf
+# 阻断特定 IP
+SecRule REMOTE_ADDR "@ipMatch 1.2.3.4" \
+  "id:900402,\
+  phase:1,\
+  deny,\
+  status:403,\
+  log,\
+  msg:'Blocked IP address'"
+```
+### 添加自定义规则
+```conf
+# 阻止特定 User-Agent
+SecRule REQUEST_HEADERS:User-Agent "@contains BadBot" \
+  "id:900700,\
+  phase:1,\
+  deny,\
+  status:403,\
+  log,\
+  msg:'Blocked bot user-agent'"
+```
+### 修改后重启 Caddy
+```bash
+docker-compose restart caddy.service
+```
+---
+## 🔧 故障排查
+### WAF 误报（False Positive）
+如果正常请求被 WAF 阻止：
+1. **查看审计日志**，找到触发的规则 ID
+   ```bash
+   docker exec cancan_caddy tail -100 /var/log/caddy/waf-audit.log
+   ```
+2. **禁用特定规则**（在 `coraza.conf` 中添加）
+   ```conf
+   # 禁用规则 ID 900510
+   SecRuleRemoveById 900510
+   ```
+3. **调整偏执级别**（降低到 1）
+### Caddy 启动失败
+```bash
+# 查看详细错误
+docker-compose logs caddy.service
+# 常见问题：
+# 1. Caddyfile 语法错误
+# 2. WAF 配置文件路径不正确
+# 3. 端口被占用
+```
+### 验证 Coraza 模块是否加载
+```bash
+# 进入容器
+docker exec -it cancan_caddy sh
+# 检查 Caddy 版本和模块
+/usr/bin/caddy version
+/usr/bin/caddy list-modules | grep coraza
+```
+---
+## 📈 性能优化
+### 1. 关闭响应体检查
+响应体检查会影响性能，生产环境建议关闭：
+```conf
+# 在 coraza.conf 中已默认关闭
+SecResponseBodyAccess Off
+```
+### 2. 调整日志级别
+生产环境降低调试日志级别：
+```conf
+SecDebugLogLevel 3  # 3=警告, 5=详细（开发环境）
+```
+### 3. 限制审计日志
+只记录阻断事件：
+```conf
+SecAuditEngine RelevantOnly
+SecAuditLogRelevantStatus "^(?:5|4(?!04))"
+```
+---
+## 🌐 OWASP CRS（可选）
+如果需要使用完整的 **OWASP Core Rule Set**：
+### 1. 下载 CRS
+```bash
+cd caddy/waf
+wget https://github.com/coreruleset/coreruleset/archive/v4.0.0.tar.gz
+tar -xzf v4.0.0.tar.gz
+mv coreruleset-4.0.0 owasp-crs
+```
+### 2. 更新 coraza.conf
+```conf
+# 包含 OWASP CRS
+Include /etc/caddy/waf/owasp-crs/crs-setup.conf.example
+Include /etc/caddy/waf/owasp-crs/rules/*.conf
+```
+### 3. 重新构建镜像
+```bash
+docker-compose build caddy.service
+docker-compose up -d caddy.service
+```
+---
+## 📚 参考资料
+- [Caddy 官方文档](https://caddyserver.com/docs/)
+- [Coraza WAF 文档](https://coraza.io/docs/)
+- [OWASP Core Rule Set](https://owasp.org/www-project-modsecurity-core-rule-set/)
+- [Caddy Coraza 模块](https://github.com/corazawaf/coraza-caddy)
+---
+## ⚠️ 安全建议
+1. **定期更新** Caddy 和 Coraza 模块
+2. **定期审查** WAF 审计日志
+3. **调整规则** 根据实际业务需求调整 WAF 规则
+4. **监控误报** 及时处理误报，避免影响正常业务
+5. **备份配置** 修改配置前先备份
+6. **测试环境** 在测试环境验证配置后再应用到生产环境
+---
+## 📞 支持
+如有问题，请查看：
+- WAF 审计日志: `/var/log/caddy/waf-audit.log`
+- WAF 调试日志: `/var/log/caddy/waf-debug.log`
+- Caddy 日志: `docker-compose logs caddy.service`

cancan_microstack/assets/builds/caddy/geoip/README.md ADDED Viewed

@@ -0,0 +1,5 @@
+# GeoIP database placeholder
+This folder must contain a GeoLite2 `.mmdb` file so both Caddy and the ops BFF IP locator can enrich requests during
+local development. Cancan cannot redistribute those databases—create a free MaxMind account, download GeoLite2-City,
+and place `GeoLite2-City.mmdb` here before starting the stack.

cancan_microstack/assets/builds/caddy/start.sh ADDED Viewed

@@ -0,0 +1,78 @@
+#!/bin/bash
+# Caddy 快速启动脚本
+set -e
+echo "=========================================="
+echo "  Caddy with Coraza WAF - 快速启动"
+echo "=========================================="
+echo ""
+# 检查必要的目录
+echo "[1/5] 检查目录结构..."
+mkdir -p caddy/logs
+mkdir -p caddy/data
+mkdir -p caddy/config
+mkdir -p caddy/geoip
+mkdir -p caddy/waf
+echo "✓ 目录结构检查完成"
+echo ""
+# 下载 GeoIP 数据库（可选）
+echo "[2/5] 检查 GeoIP 数据库..."
+if [ ! -f "caddy/geoip/GeoLite2-City.mmdb" ]; then
+    echo "⚠️  GeoLite2-City.mmdb 不存在"
+    echo "   请手动下载并放置到 caddy/geoip/ 目录"
+    echo "   下载地址: https://dev.maxmind.com/geoip/geolite2-free-geolocation-data"
+else
+    echo "✓ GeoIP 数据库已存在"
+fi
+echo ""
+# 构建 Caddy 镜像
+echo "[3/5] 构建 Caddy 镜像（包含 Coraza WAF）..."
+docker-compose build caddy.service
+echo "✓ Caddy 镜像构建完成"
+echo ""
+# 启动服务
+echo "[4/5] 启动 Caddy 服务..."
+docker-compose up -d caddy.service
+echo "✓ Caddy 服务启动成功"
+echo ""
+# 等待服务就绪
+echo "[5/5] 等待 Caddy 就绪..."
+sleep 5
+# 检查服务状态
+if docker-compose ps | grep -q "caddy.service.*Up"; then
+    echo "✓ Caddy 运行正常"
+else
+    echo "✗ Caddy 启动失败，请查看日志："
+    echo "  docker-compose logs caddy.service"
+    exit 1
+fi
+echo ""
+echo "=========================================="
+echo "  Caddy 启动完成！"
+echo "=========================================="
+echo ""
+echo "服务访问地址："
+echo "  - HTTP:  http://localhost"
+echo "  - HTTPS: https://localhost"
+echo "  - Admin API: http://localhost:2019"
+echo ""
+echo "查看日志："
+echo "  - Caddy 日志:      docker-compose logs -f caddy.service"
+echo "  - WAF 审计日志:    docker exec my_app_caddy tail -f /var/log/caddy/waf-audit.log"
+echo "  - WAF 调试日志:    docker exec my_app_caddy tail -f /var/log/caddy/waf-debug.log"
+echo ""
+echo "测试 WAF 防护："
+echo "  - SQL 注入测试:    curl \"http://localhost/v1/besrv/api?id=1' OR '1'='1\""
+echo "  - XSS 测试:        curl \"http://localhost/v1/besrv/api?name=<script>alert(1)</script>\""
+echo "  - 路径遍历测试:    curl \"http://localhost/.env\""
+echo ""
+echo "更多信息请查看: caddy/README.md"
+echo ""

cancan_microstack/assets/builds/caddy/waf/coraza.conf ADDED Viewed

@@ -0,0 +1,179 @@
+# Coraza WAF 优化配置
+# 基于 OWASP Core Rule Set (CRS)
+# ==========================================
+# 核心引擎配置
+# ==========================================
+SecRuleEngine On
+# 请求体访问控制（统一为 20MB）
+SecRequestBodyAccess On
+SecRequestBodyLimit 20971520
+SecRequestBodyNoFilesLimit 131072
+SecRequestBodyLimitAction Reject
+# 响应体访问控制（关闭以提高性能）
+SecResponseBodyAccess Off
+SecResponseBodyMimeType text/plain text/html text/xml
+# 临时目录
+SecTmpDir /tmp/
+SecDataDir /tmp/
+# 调试日志级别（生产环境设置为 3）
+SecDebugLog /var/log/caddy/waf-debug.log
+SecDebugLogLevel 3
+# 审计日志
+SecAuditEngine RelevantOnly
+SecAuditLogRelevantStatus "^(5|4[^0])"
+SecAuditLogParts ABIJDEFHZ
+SecAuditLogType Serial
+SecAuditLog /var/log/caddy/waf-audit.log
+# ==========================================
+# OWASP CRS 配置
+# ==========================================
+# 设置偏执级别为 1（高准确性，低误报）
+SecAction \
+  "id:900000,\
+  phase:1,\
+  nolog,\
+  pass,\
+  t:none,\
+  setvar:tx.paranoia_level=1"
+# 异常评分阈值
+# 入站阈值（请求）
+SecAction \
+  "id:900110,\
+  phase:1,\
+  nolog,\
+  pass,\
+  t:none,\
+  setvar:tx.inbound_anomaly_score_threshold=5"
+# 出站阈值（响应）
+SecAction \
+  "id:900111,\
+  phase:1,\
+  nolog,\
+  pass,\
+  t:none,\
+  setvar:tx.outbound_anomaly_score_threshold=4"
+# ==========================================
+# 执行动作配置
+# ==========================================
+# 默认拒绝动作
+# "pass" = 仅检测（日志）模式。
+# "deny" = 拦截模式。
+# 警告：请先使用 "pass" 模式充分测试，确认无误报后再切换到 "deny"。
+SecDefaultAction "phase:1,log,auditlog,deny,status:403"
+SecDefaultAction "phase:2,log,auditlog,deny,status:403"
+# ==========================================
+# 允许的 HTTP 方法
+# ==========================================
+SecAction \
+  "id:900200,\
+  phase:1,\
+  nolog,\
+  pass,\
+  t:none,\
+  setvar:'tx.allowed_methods=GET HEAD POST OPTIONS PUT PATCH DELETE'"
+# ==========================================
+# 允许的请求 Content-Type
+# ==========================================
+SecAction \
+  "id:900220,\
+  phase:1,\
+  nolog,\
+  pass,\
+  t:none,\
+  setvar:'tx.allowed_request_content_type=|application/x-www-form-urlencoded| |multipart/form-data| |multipart/related| |text/xml| |application/xml| |application/soap+xml| |application/json| |application/cloudevents+json| |application/cloudevents-batch+json|'"
+# ==========================================
+# 允许的响应 Content-Type
+# ==========================================
+SecAction \
+  "id:900230,\
+  phase:1,\
+  nolog,\
+  pass,\
+  t:none,\
+  setvar:'tx.allowed_response_content_type=|text/plain| |text/html| |text/xml| |text/javascript| |application/xml| |application/xhtml+xml| |application/json| |application/javascript| |application/x-javascript|'"
+# ==========================================
+# 文件扩展名限制
+# ==========================================
+SecAction \
+  "id:900240,\
+  phase:1,\
+  nolog,\
+  pass,\
+  t:none,\
+  setvar:'tx.restricted_extensions=.asa/ .asax/ .ascx/ .axd/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ .pwd/ .rdb/ .resources/ .resx/ .sql/ .swp/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx/'"
+# ==========================================
+# 协议配置
+# ==========================================
+SecAction \
+  "id:900250,\
+  phase:1,\
+  nolog,\
+  pass,\
+  t:none,\
+  setvar:'tx.allowed_http_versions=HTTP/1.0 HTTP/1.1 HTTP/2 HTTP/2.0 HTTP/3'"
+# ==========================================
+# 地理位置阻断（已按要求禁用）
+# ==========================================
+# SecGeoLookupDB /usr/share/GeoIP/GeoLite2-Country.mmdb
+# ...
+# ==========================================
+# IP 黑名单（已按要求禁用）
+# ==========================================
+# SecRule REMOTE_ADDR "@ipMatch 192.168.1.100" \
+# ...
+# ==========================================
+# 自定义规则 (已移除)
+# ==========================================
+# 注：以下规则 (900500, 900510, 900520) 已被 OWASP CRS PL1 覆盖。
+# 无需重复定义，已移除以提升性能和可维护性。
+# SecRule REQUEST_URI "@rx /\.env|/\.git|..."
+# SecRule ARGS|ARGS_NAMES... "@rx (?i:(\bunion\b.*\bselect\b...))"
+# SecRule ARGS|ARGS_NAMES... "@rx (?i:<script|javascript:|...)"
+# ==========================================
+# API 特定规则
+# ==========================================
+# 限制请求大小（防止 DoS）
+SecRule REQUEST_HEADERS:Content-Length "@gt 20971520" \
+  "id:900600,\
+  phase:1,\
+  deny,\
+  status:413,\
+  log,\
+  msg:'Request body too large (max 10MB)'"
+# 要求 API v1-v9999 的 POST/PUT/PATCH 请求使用 JSON Content-Type
+SecRule REQUEST_URI "@rx ^/v([1-9][0-9]{0,3})/" \
+  "id:900610,\
+  phase:1,\
+  pass,\
+  log,\
+  chain"
+SecRule REQUEST_METHOD "@rx ^(POST|PUT|PATCH)$" \
+  "chain"
+SecRule REQUEST_HEADERS:Content-Type "!@rx application/json" \
+  "deny,\
+  status:400,\
+  msg:'API (v1-v9999) requests must use application/json'"

cancan_microstack/assets/builds/service/Dockerfile ADDED Viewed

@@ -0,0 +1,59 @@
+# syntax=docker/dockerfile:1.7-labs
+# Shared Python runtime image for infrasrv / opsbffsrv / controllersrv.
+#
+# The image installs the published `cancan-microstack` package (and its bundled
+# service dependencies) from PyPI — it does NOT copy any source from the build
+# context. A clean `pip install cancan-microstack` workspace can therefore build
+# and run the stack without an `src/` tree.
+#
+# Build args (injected automatically by the `cancan` CLI):
+#   CANCAN_VERSION   exact released version to install (keeps container == host CLI)
+#   CANCAN_PIP_SPEC  override the whole pip spec (e.g. a local wheel / VCS url) for dev
+#   PIP_INDEX_URL    custom index (mirrors / private index)
+ARG PYTHON_VERSION=3.13-slim
+FROM python:${PYTHON_VERSION} AS runtime
+ENV DEBIAN_FRONTEND=noninteractive \
+    TZ=Asia/Shanghai \
+    PYTHONDONTWRITEBYTECODE=1 \
+    PYTHONUNBUFFERED=1 \
+    PIP_DISABLE_PIP_VERSION_CHECK=1
+WORKDIR /app
+RUN apt-get update && apt-get install -y --no-install-recommends \
+    curl \
+    tzdata \
+    && ln -fs /usr/share/zoneinfo/${TZ} /etc/localtime \
+    && echo ${TZ} > /etc/timezone \
+    && apt-get clean && rm -rf /var/lib/apt/lists/*
+RUN python -m venv /opt/venv
+ENV VIRTUAL_ENV=/opt/venv
+ENV PATH="${VIRTUAL_ENV}/bin:${PATH}"
+ARG CANCAN_VERSION
+ARG CANCAN_PIP_SPEC=
+ARG PIP_INDEX_URL=
+# Install cancan-microstack from PyPI (or the override spec). Its dependencies
+# (linglong-web[all], dragonfly-container[all], jinja2, ...) come transitively.
+RUN --mount=type=cache,target=/root/.cache/pip \
+    set -eu; \
+    PIP_SPEC="${CANCAN_PIP_SPEC:-cancan-microstack==${CANCAN_VERSION}}"; \
+    if [ "${PIP_SPEC}" = "cancan-microstack==" ]; then \
+        echo "ERROR: set CANCAN_VERSION or CANCAN_PIP_SPEC (the 'cancan' CLI sets this automatically)" >&2; \
+        exit 1; \
+    fi; \
+    pip install --upgrade pip; \
+    pip install --no-warn-script-location ${PIP_INDEX_URL:+--index-url "${PIP_INDEX_URL}"} "${PIP_SPEC}"
+RUN mkdir -p /app/server_log_data /app/ddl
+EXPOSE 8080
+# The concrete service is selected by compose, e.g.:
+#   python -m cancan_microstack.cmd.infrasrv.run
+CMD ["python", "-c", "import sys; sys.stderr.write('Specify a service module via compose, e.g. python -m cancan_microstack.cmd.infrasrv.run\\n'); sys.exit(1)"]

cancan_microstack/assets/builds/service/README.md ADDED Viewed

@@ -0,0 +1,13 @@
+# Service image scaffold
+This folder contains the multi-stage Dockerfile that Cancan uses for Python services. The bootstrap command copies
+`Dockerfile` into `builds/service/` so compose overrides can reference it via `context: ./builds/service`.
+The image:
+- Uses Python 3.13 slim with Asia/Shanghai timezone baked in.
+- Creates a venv at `/opt/venv` and caches pip downloads.
+- Copies `src/`, `cmd/`, and `tools/` into `/app` and sets `PYTHONPATH` accordingly.
+- Leaves the final command to docker-compose per service, ensuring consistent base runtime.
+Feel free to customize the exported copy for service-specific dependencies; rerunning bootstrap does not overwrite an
+existing file.

cancan_microstack/assets/ddl/create_db.sql ADDED Viewed

@@ -0,0 +1,22 @@
+-- 初始化三个逻辑数据库，分别面向基础设施、运维可视化以及业务域。
+-- 该脚本主要用于本地调试或一次性初始化，正式环境由 DDLManager 自动管理。
+\echo 'Ensuring Cancan logical databases (infra / ops / biz)...'
+DO $$
+BEGIN
+	IF NOT EXISTS (SELECT FROM pg_database WHERE datname = 'infra') THEN
+		EXECUTE 'CREATE DATABASE infra WITH ENCODING ''UTF8'' TEMPLATE template0 LC_COLLATE ''en_US.UTF-8'' LC_CTYPE ''en_US.UTF-8''';
+	END IF;
+	IF NOT EXISTS (SELECT FROM pg_database WHERE datname = 'ops') THEN
+		EXECUTE 'CREATE DATABASE ops WITH ENCODING ''UTF8'' TEMPLATE template0 LC_COLLATE ''en_US.UTF-8'' LC_CTYPE ''en_US.UTF-8''';
+	END IF;
+	IF NOT EXISTS (SELECT FROM pg_database WHERE datname = 'biz') THEN
+		EXECUTE 'CREATE DATABASE biz WITH ENCODING ''UTF8'' TEMPLATE template0 LC_COLLATE ''en_US.UTF-8'' LC_CTYPE ''en_US.UTF-8''';
+	END IF;
+END;
+$$;
+\connect infra;