package handler import ( "encoding/xml" "io" "log" "net" "net/http" "strings" "sync" "time" "github.com/bjdgyc/anylink/base" ) // 自定义 contextKey 类型,避免键冲突 type contextKey string // 定义常量作为上下文的键 const loginStatusKey contextKey = "login_status" func init() { if base.Cfg.AntiBruteForce { lockManager.startCleanupTicker() } } // 防爆破中间件 func antiBruteForce(next http.Handler) http.Handler { return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { // 防爆破功能全局开关 if !base.Cfg.AntiBruteForce { next.ServeHTTP(w, r) return } body, err := io.ReadAll(r.Body) if err != nil { http.Error(w, "Failed to read request body", http.StatusBadRequest) return } defer r.Body.Close() cr := ClientRequest{} err = xml.Unmarshal(body, &cr) if err != nil { http.Error(w, "Failed to parse XML", http.StatusBadRequest) return } username := cr.Auth.Username ip, _, err := net.SplitHostPort(r.RemoteAddr) // 提取纯 IP 地址,去掉端口号 if err != nil { http.Error(w, "Unable to parse IP address", http.StatusInternalServerError) return } now := time.Now() // // 速率限制 // lockManager.mu.RLock() // limiter, exists := lockManager.rateLimiter[ip] // if !exists { // limiter = rate.NewLimiter(rate.Limit(base.Cfg.RateLimit), base.Cfg.Burst) // lockManager.rateLimiter[ip] = limiter // } // lockManager.mu.RUnlock() // if !limiter.Allow() { // log.Printf("Rate limit exceeded for IP %s. Try again later.", ip) // http.Error(w, "Rate limit exceeded. Try again later.", http.StatusTooManyRequests) // return // } // 检查全局 IP 锁定 if base.Cfg.MaxGlobalIPBanCount > 0 && lockManager.checkGlobalIPLock(ip, now) { log.Printf("IP %s is globally locked. Try again later.", ip) http.Error(w, "Account globally locked due to too many failed attempts. Try again later.", http.StatusTooManyRequests) return } // 检查全局用户锁定 if base.Cfg.MaxGlobalUserBanCount > 0 && lockManager.checkGlobalUserLock(username, now) { log.Printf("User %s is globally locked. Try again later.", username) http.Error(w, "Account globally locked due to too many failed attempts. Try again later.", http.StatusTooManyRequests) return } // 检查单个用户的 IP 锁定 if base.Cfg.MaxBanCount > 0 && lockManager.checkUserIPLock(username, ip, now) { log.Printf("IP %s is locked for user %s. Try again later.", ip, username) http.Error(w, "Account locked due to too many failed attempts. Try again later.", http.StatusTooManyRequests) return } // 重新设置请求体以便后续处理器可以访问 r.Body = io.NopCloser(strings.NewReader(string(body))) // 调用下一个处理器 next.ServeHTTP(w, r) // 从 context 中获取登录状态 loginStatus, _ := r.Context().Value(loginStatusKey).(bool) // 更新用户登录状态 lockManager.updateGlobalIPLock(ip, now, loginStatus) lockManager.updateGlobalUserLock(username, now, loginStatus) lockManager.updateUserIPLock(username, ip, now, loginStatus) }) } type LockState struct { FailureCount int LockTime time.Time LastAttempt time.Time } type LockManager struct { mu sync.RWMutex ipLocks map[string]*LockState // 全局IP锁定状态 userLocks map[string]*LockState // 全局用户锁定状态 ipUserLocks map[string]map[string]*LockState // 单用户IP锁定状态 // rateLimiter map[string]*rate.Limiter // 速率限制器 cleanupTicker *time.Ticker } var lockManager = &LockManager{ ipLocks: make(map[string]*LockState), userLocks: make(map[string]*LockState), ipUserLocks: make(map[string]map[string]*LockState), // rateLimiter: make(map[string]*rate.Limiter), } func (lm *LockManager) startCleanupTicker() { lm.cleanupTicker = time.NewTicker(5 * time.Minute) go func() { for range lm.cleanupTicker.C { lm.cleanupExpiredLocks() } }() } // 定期清理过期的锁定 func (lm *LockManager) cleanupExpiredLocks() { now := time.Now() var ipKeys, userKeys []string var IPuserKeys []struct{ user, ip string } lm.mu.Lock() for ip, state := range lm.ipLocks { if now.Sub(state.LastAttempt) > time.Duration(base.Cfg.GlobalLockStateExpirationTime)*time.Second { ipKeys = append(ipKeys, ip) } } for user, state := range lm.userLocks { if now.Sub(state.LastAttempt) > time.Duration(base.Cfg.GlobalLockStateExpirationTime)*time.Second { userKeys = append(userKeys, user) } } for user, ipMap := range lm.ipUserLocks { for ip, state := range ipMap { if now.Sub(state.LastAttempt) > time.Duration(base.Cfg.GlobalLockStateExpirationTime)*time.Second { IPuserKeys = append(IPuserKeys, struct{ user, ip string }{user, ip}) } } } lm.mu.Unlock() lm.mu.Lock() for _, ip := range ipKeys { delete(lm.ipLocks, ip) } for _, user := range userKeys { delete(lm.userLocks, user) } for _, key := range IPuserKeys { delete(lm.ipUserLocks[key.user], key.ip) if len(lm.ipUserLocks[key.user]) == 0 { delete(lm.ipUserLocks, key.user) } } lm.mu.Unlock() } // 检查全局 IP 锁定 func (lm *LockManager) checkGlobalIPLock(ip string, now time.Time) bool { lm.mu.RLock() defer lm.mu.RUnlock() state, exists := lm.ipLocks[ip] if !exists { return false } // 如果超过时间窗口,重置失败计数 lm.resetLockStateIfExpired(state, now, base.Cfg.GlobalIPBanResetTime) if !state.LockTime.IsZero() && now.Before(state.LockTime) { return true } return false } // 检查全局用户锁定 func (lm *LockManager) checkGlobalUserLock(username string, now time.Time) bool { // 我也不知道为什么cisco anyconnect每次连接会先传一个空用户请求···· if username == "" { return false } lm.mu.RLock() defer lm.mu.RUnlock() state, exists := lm.userLocks[username] if !exists { return false } // 如果超过时间窗口,重置失败计数 lm.resetLockStateIfExpired(state, now, base.Cfg.GlobalUserBanResetTime) if !state.LockTime.IsZero() && now.Before(state.LockTime) { return true } return false } // 检查单个用户的 IP 锁定 func (lm *LockManager) checkUserIPLock(username, ip string, now time.Time) bool { // 我也不知道为什么cisco anyconnect每次连接会先传一个空用户请求···· if username == "" { return false } lm.mu.RLock() defer lm.mu.RUnlock() userIPMap, userExists := lm.ipUserLocks[username] if !userExists { return false } state, ipExists := userIPMap[ip] if !ipExists { return false } // 如果超过时间窗口,重置失败计数 lm.resetLockStateIfExpired(state, now, base.Cfg.BanResetTime) if !state.LockTime.IsZero() && now.Before(state.LockTime) { return true } return false } // 更新全局 IP 锁定状态 func (lm *LockManager) updateGlobalIPLock(ip string, now time.Time, success bool) { lm.mu.Lock() defer lm.mu.Unlock() state, exists := lm.ipLocks[ip] if !exists { state = &LockState{} lm.ipLocks[ip] = state } lm.updateLockState(state, now, success, base.Cfg.MaxGlobalIPBanCount, base.Cfg.GlobalIPLockTime) } // 更新全局用户锁定状态 func (lm *LockManager) updateGlobalUserLock(username string, now time.Time, success bool) { // 我也不知道为什么cisco anyconnect每次连接会先传一个空用户请求···· if username == "" { return } lm.mu.Lock() defer lm.mu.Unlock() state, exists := lm.userLocks[username] if !exists { state = &LockState{} lm.userLocks[username] = state } lm.updateLockState(state, now, success, base.Cfg.MaxGlobalUserBanCount, base.Cfg.GlobalUserLockTime) } // 更新单个用户的 IP 锁定状态 func (lm *LockManager) updateUserIPLock(username, ip string, now time.Time, success bool) { // 我也不知道为什么cisco anyconnect每次连接会先传一个空用户请求···· if username == "" { return } lm.mu.Lock() defer lm.mu.Unlock() userIPMap, userExists := lm.ipUserLocks[username] if !userExists { userIPMap = make(map[string]*LockState) lm.ipUserLocks[username] = userIPMap } state, ipExists := userIPMap[ip] if !ipExists { state = &LockState{} userIPMap[ip] = state } lm.updateLockState(state, now, success, base.Cfg.MaxBanCount, base.Cfg.LockTime) } // 更新锁定状态 func (lm *LockManager) updateLockState(state *LockState, now time.Time, success bool, maxBanCount, lockTime int) { if success { state.FailureCount = 0 state.LockTime = time.Time{} } else { state.FailureCount++ if state.FailureCount >= maxBanCount { state.LockTime = now.Add(time.Duration(lockTime) * time.Second) } } state.LastAttempt = now } // 超过时间窗口时重置锁定状态 func (lm *LockManager) resetLockStateIfExpired(state *LockState, now time.Time, resetTime int) { if state == nil || state.LastAttempt.IsZero() { return } if now.Sub(state.LastAttempt) > time.Duration(resetTime)*time.Second { state.FailureCount = 0 state.LockTime = time.Time{} } }