7x31
/
anylink
mirror of https://github.com/bjdgyc/anylink.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

解决防爆并行问题,取消中间件

This commit is contained in:
wsczx 2024-11-12 17:31:10 +08:00
parent ffb7dbfb1c
commit 4ed3177b67
5 changed files with 89 additions and 128 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

56
server/admin/lockmanager.go
View File

@ -30,8 +30,8 @@ type IPWhitelists struct {
} }
type LockManager struct { type LockManager struct {
mu sync.Mutex mu sync.Mutex
LoginStatus sync.Map // 登录状态 // LoginStatus sync.Map // 登录状态
ipLocks map[string]*LockState // 全局IP锁定状态 ipLocks map[string]*LockState // 全局IP锁定状态
userLocks map[string]*LockState // 全局用户锁定状态 userLocks map[string]*LockState // 全局用户锁定状态
ipUserLocks map[string]map[string]*LockState // 单用户IP锁定状态 ipUserLocks map[string]map[string]*LockState // 单用户IP锁定状态
@ -45,7 +45,7 @@ var once sync.Once
func GetLockManager() *LockManager { func GetLockManager() *LockManager {
once.Do(func() { once.Do(func() {
lockmanager = &LockManager{ lockmanager = &LockManager{
LoginStatus: sync.Map{}, // LoginStatus: sync.Map{},
ipLocks: make(map[string]*LockState), ipLocks: make(map[string]*LockState),
userLocks: make(map[string]*LockState), userLocks: make(map[string]*LockState),
ipUserLocks: make(map[string]map[string]*LockState), ipUserLocks: make(map[string]map[string]*LockState),
@ -409,3 +409,53 @@ func (lm *LockManager) Unlock(state *LockState) {
state.LockTime = time.Time{} state.LockTime = time.Time{}
state.Locked = false state.Locked = false
} }
// 检查锁定状态
func (lm *LockManager) CheckLocked(username, ipaddr string) bool {
if !base.Cfg.AntiBruteForce {
return true
}
ip, _, err := net.SplitHostPort(ipaddr) // 提取纯 IP 地址,去掉端口号
if err != nil {
return true
}
now := time.Now()
// 检查IP是否在白名单中
if lm.IsWhitelisted(ip) {
return true
}
// 检查全局 IP 锁定
if base.Cfg.MaxGlobalIPBanCount > 0 && lm.CheckGlobalIPLock(ip, now) {
base.Warn("IP", ip, "is globally locked. Try again later.")
return false
}
// 检查全局用户锁定
if base.Cfg.MaxGlobalUserBanCount > 0 && lm.CheckGlobalUserLock(username, now) {
base.Warn("User", username, "is globally locked. Try again later.")
return false
}
// 检查单个用户的 IP 锁定
if base.Cfg.MaxBanCount > 0 && lm.CheckUserIPLock(username, ip, now) {
base.Warn("IP", ip, "is locked for user", username, "Try again later.")
return false
}
return true
}
func (lm *LockManager) UpdateLock(username, ipaddr string, loginStatus bool) {
ip, _, err := net.SplitHostPort(ipaddr) // 提取纯 IP 地址,去掉端口号
if err != nil {
return
}
now := time.Now()
// 更新用户登录状态
lm.UpdateGlobalIPLock(ip, now, loginStatus)
lm.UpdateGlobalUserLock(username, now, loginStatus)
lm.UpdateUserIPLock(username, ip, now, loginStatus)
}

108
server/handler/antiBruteForce.go
View File

@ -1,108 +0,0 @@
package handler
import (
"encoding/xml"
"io"
"net"
"net/http"
"strings"
"time"
"github.com/bjdgyc/anylink/admin"
"github.com/bjdgyc/anylink/base"
)
var lockManager = admin.GetLockManager()
// 防爆破中间件
func antiBruteForce(next http.Handler) http.Handler {
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
// 防爆破功能全局开关
if !base.Cfg.AntiBruteForce {
next.ServeHTTP(w, r)
return
}
body, err := io.ReadAll(r.Body)
if err != nil {
http.Error(w, "Failed to read request body", http.StatusBadRequest)
return
}
defer r.Body.Close()
cr := ClientRequest{}
err = xml.Unmarshal(body, &cr)
if err != nil {
http.Error(w, "Failed to parse XML", http.StatusBadRequest)
return
}
username := cr.Auth.Username
if r.URL.Path == "/otp-verification" {
sessionID, err := GetCookie(r, "auth-session-id")
if err != nil {
http.Error(w, "Invalid session, please login again", http.StatusUnauthorized)
return
}
sessionData, err := SessStore.GetAuthSession(sessionID)
if err != nil {
http.Error(w, "Invalid session, please login again", http.StatusUnauthorized)
return
}
username = sessionData.ClientRequest.Auth.Username
}
ip, _, err := net.SplitHostPort(r.RemoteAddr) // 提取纯 IP 地址,去掉端口号
if err != nil {
http.Error(w, "Unable to parse IP address", http.StatusInternalServerError)
return
}
now := time.Now()
// 检查IP是否在白名单中
if lockManager.IsWhitelisted(ip) {
r.Body = io.NopCloser(strings.NewReader(string(body)))
next.ServeHTTP(w, r)
return
}
// 检查全局 IP 锁定
if base.Cfg.MaxGlobalIPBanCount > 0 && lockManager.CheckGlobalIPLock(ip, now) {
base.Warn("IP", ip, "is globally locked. Try again later.")
http.Error(w, "Account globally locked due to too many failed attempts. Try again later.", http.StatusTooManyRequests)
return
}
// 检查全局用户锁定
if base.Cfg.MaxGlobalUserBanCount > 0 && lockManager.CheckGlobalUserLock(username, now) {
base.Warn("User", username, "is globally locked. Try again later.")
http.Error(w, "Account globally locked due to too many failed attempts. Try again later.", http.StatusTooManyRequests)
return
}
// 检查单个用户的 IP 锁定
if base.Cfg.MaxBanCount > 0 && lockManager.CheckUserIPLock(username, ip, now) {
base.Warn("IP", ip, "is locked for user", username, "Try again later.")
http.Error(w, "Account locked due to too many failed attempts. Try again later.", http.StatusTooManyRequests)
return
}
// 重新设置请求体以便后续处理器可以访问
r.Body = io.NopCloser(strings.NewReader(string(body)))
// 调用下一个处理器
next.ServeHTTP(w, r)
// 检查登录状态
Status, _ := lockManager.LoginStatus.Load(cr.SessionId)
loginStatus, _ := Status.(bool)
// 更新用户登录状态
lockManager.UpdateGlobalIPLock(ip, now, loginStatus)
lockManager.UpdateGlobalUserLock(username, now, loginStatus)
lockManager.UpdateUserIPLock(username, ip, now, loginStatus)
// 清除登录状态
lockManager.LoginStatus.Delete(cr.SessionId)
})
}

21
server/handler/link_auth.go
View File

@ -77,6 +77,12 @@ func LinkAuth(w http.ResponseWriter, r *http.Request) {
w.WriteHeader(http.StatusBadRequest) w.WriteHeader(http.StatusBadRequest)
return return
} }
// 锁定状态判断
if !lockManager.CheckLocked(cr.Auth.Username, r.RemoteAddr) {
http.Error(w, "Locked! Try again later.", http.StatusTooManyRequests)
return
}
// 用户活动日志 // 用户活动日志
ua := &dbdata.UserActLog{ ua := &dbdata.UserActLog{
Username: cr.Auth.Username, Username: cr.Auth.Username,
@ -94,7 +100,8 @@ func LinkAuth(w http.ResponseWriter, r *http.Request) {
// TODO 用户密码校验 // TODO 用户密码校验
err = dbdata.CheckUser(cr.Auth.Username, cr.Auth.Password, cr.GroupSelect) err = dbdata.CheckUser(cr.Auth.Username, cr.Auth.Password, cr.GroupSelect)
if err != nil { if err != nil {
lockManager.LoginStatus.Store(cr.SessionId, false) // 记录登录失败状态 // lockManager.LoginStatus.Store(loginStatusKey, false) // 记录登录失败状态
lockManager.UpdateLock(cr.Auth.Username, r.RemoteAddr, false) // 记录登录失败状态
base.Warn(err, r.RemoteAddr) base.Warn(err, r.RemoteAddr)
ua.Info = err.Error() ua.Info = err.Error()
ua.Status = dbdata.UserAuthFail ua.Status = dbdata.UserAuthFail
@ -119,12 +126,18 @@ func LinkAuth(w http.ResponseWriter, r *http.Request) {
} }
// 用户otp验证 // 用户otp验证
if !v.DisableOtp { if !v.DisableOtp {
lockManager.LoginStatus.Store(cr.SessionId, true) // 重置OTP验证计数 lockManager.UpdateLock(cr.Auth.Username, r.RemoteAddr, true) // 重置OTP验证计数
sessionID, err := GenerateSessionID()
if err != nil {
base.Error("Failed to generate session ID: ", err)
http.Error(w, "Failed to generate session ID", http.StatusInternalServerError)
return
}
sessionData.ClientRequest.Auth.OtpSecret = v.OtpSecret sessionData.ClientRequest.Auth.OtpSecret = v.OtpSecret
SessStore.SaveAuthSession(cr.SessionId, sessionData) SessStore.SaveAuthSession(sessionID, sessionData)
SetCookie(w, "auth-session-id", cr.SessionId, 0) SetCookie(w, "auth-session-id", sessionID, 0)
data := RequestData{} data := RequestData{}
w.WriteHeader(http.StatusOK) w.WriteHeader(http.StatusOK)

28
server/handler/link_auth_otp.go
View File

@ -9,12 +9,15 @@ import (
"net/http" "net/http"
"sync" "sync"
"github.com/bjdgyc/anylink/admin"
"github.com/bjdgyc/anylink/base" "github.com/bjdgyc/anylink/base"
"github.com/bjdgyc/anylink/dbdata" "github.com/bjdgyc/anylink/dbdata"
"github.com/bjdgyc/anylink/pkg/utils"
"github.com/bjdgyc/anylink/sessdata" "github.com/bjdgyc/anylink/sessdata"
) )
var SessStore = NewSessionStore() var SessStore = NewSessionStore()
var lockManager = admin.GetLockManager()
// const maxOtpErrCount = 3 // const maxOtpErrCount = 3
@ -65,14 +68,13 @@ func (s *SessionStore) DeleteAuthSession(sessionID string) {
// return int(newI) // return int(newI)
// } // }
// func GenerateSessionID() (string, error) { func GenerateSessionID() (string, error) {
// sessionID := utils.RandomRunes(32) sessionID := utils.RandomRunes(32)
// if sessionID == "" { if sessionID == "" {
// return "", fmt.Errorf("failed to generate session ID") return "", fmt.Errorf("failed to generate session ID")
// } }
return sessionID, nil
// return sessionID, nil }
// }
func SetCookie(w http.ResponseWriter, name, value string, maxAge int) { func SetCookie(w http.ResponseWriter, name, value string, maxAge int) {
cookie := &http.Cookie{ cookie := &http.Cookie{
@ -111,8 +113,7 @@ func CreateSession(w http.ResponseWriter, r *http.Request, authSession *AuthSess
cr := authSession.ClientRequest cr := authSession.ClientRequest
ua := authSession.UserActLog ua := authSession.UserActLog
lockManager.LoginStatus.Store(cr.SessionId, true) // 更新登录成功状态 lockManager.UpdateLock(cr.Auth.Username, r.RemoteAddr, true) // 更新登录成功状态
lockManager.LoginStatus.Delete(cr.SessionId) // 清除登录状态
sess := sessdata.NewSession("") sess := sessdata.NewSession("")
sess.Username = cr.Auth.Username sess.Username = cr.Auth.Username
@ -194,6 +195,11 @@ func LinkAuth_otp(w http.ResponseWriter, r *http.Request) {
otpSecret := sessionData.ClientRequest.Auth.OtpSecret otpSecret := sessionData.ClientRequest.Auth.OtpSecret
otp := cr.Auth.SecondaryPassword otp := cr.Auth.SecondaryPassword
// 锁定状态判断
if !lockManager.CheckLocked(username, r.RemoteAddr) {
http.Error(w, "Locked! Try again later.", http.StatusTooManyRequests)
return
}
// 动态码错误 // 动态码错误
if !dbdata.CheckOtp(username, otp, otpSecret) { if !dbdata.CheckOtp(username, otp, otpSecret) {
// if sessionData.AddOtpErrCount(1) > maxOtpErrCount { // if sessionData.AddOtpErrCount(1) > maxOtpErrCount {
@ -201,7 +207,7 @@ func LinkAuth_otp(w http.ResponseWriter, r *http.Request) {
// http.Error(w, "TooManyError, please login again", http.StatusBadRequest) // http.Error(w, "TooManyError, please login again", http.StatusBadRequest)
// return // return
// } // }
lockManager.LoginStatus.Store(cr.SessionId, false) // 记录登录失败状态 lockManager.UpdateLock(username, r.RemoteAddr, false) // 记录登录失败状态
base.Warn("OTP 动态码错误", username, r.RemoteAddr) base.Warn("OTP 动态码错误", username, r.RemoteAddr)
ua.Info = "OTP 动态码错误" ua.Info = "OTP 动态码错误"

4
server/handler/server.go
View File

@ -111,10 +111,10 @@ func initRoute() http.Handler {
}) })
r.HandleFunc("/", LinkHome).Methods(http.MethodGet) r.HandleFunc("/", LinkHome).Methods(http.MethodGet)
r.Handle("/", antiBruteForce(http.HandlerFunc(LinkAuth))).Methods(http.MethodPost) r.HandleFunc("/", LinkAuth).Methods(http.MethodPost)
r.HandleFunc("/CSCOSSLC/tunnel", LinkTunnel).Methods(http.MethodConnect) r.HandleFunc("/CSCOSSLC/tunnel", LinkTunnel).Methods(http.MethodConnect)
r.HandleFunc("/otp_qr", LinkOtpQr).Methods(http.MethodGet) r.HandleFunc("/otp_qr", LinkOtpQr).Methods(http.MethodGet)
r.Handle("/otp-verification", antiBruteForce(http.HandlerFunc(LinkAuth_otp))).Methods(http.MethodPost) r.HandleFunc("/otp-verification", LinkAuth_otp).Methods(http.MethodPost)
r.HandleFunc(fmt.Sprintf("/profile_%s.xml", base.Cfg.ProfileName), func(w http.ResponseWriter, r *http.Request) { r.HandleFunc(fmt.Sprintf("/profile_%s.xml", base.Cfg.ProfileName), func(w http.ResponseWriter, r *http.Request) {
b, _ := os.ReadFile(base.Cfg.Profile) b, _ := os.ReadFile(base.Cfg.Profile)
w.Write(b) w.Write(b)