Application Firewall Design
Web Application Firewall, 7layer Firewall
Mr. Neo Chen (netkiller), 陈景峰(BG7NYT)
中国广东省深圳市龙华新区民之街道溪山美地
518109
+86 13113668890
+86 755 29812080<netkiller@msn.com>
版权 2011, 2012 http://netkiller.github.com
$Id: appfirewall.xml 491 2012-11-14 10:09:53Z netkiller $
摘要
提供web url的保护, 实现访问控制
下面是我多年积累下来的经验总结,整理成文档供大家参考:
目录
1. 功能说明1.1. 访问控制列表 ACL1.2. 用户认证1.3. 元素2. 使用方法2.1. 嵌入使用2.2. URL代理2.3. 代理方式3. URL代理实现方式4. example
1. 功能说明
- 计数器
- 策略
- 访问控制
- 用户认证
1.1. 访问控制列表 ACL
- 黑名单
- 白名单
1.2. 用户认证
- AAA
- LDAP
- MySQL
1.3. 元素
- IP地址,端口号
- URL(GET)
- POST
- Cookie
- HTTP Header
- 协议(HTTP,JASON,AJAX,SOAP,XML-RPM...)
2. 使用方法
2.1. 嵌入使用
作为SDK/API的方式使用
2.2. URL代理
http://app.mydomain.com/firewall/login
login: http://login.mydomain.com/
根据login关键字,将url跳转到指定的保护URL上面
2.3. 代理方式
3. URL代理实现方式
http://app.mydomain.com/firewall/login
login: http://login.mydomain.com/
4. example
<?php /* * ===================================== * Website: http://netkiller.github.com * Author: neo <netkiller@msn.com> * Email: netkiller@msn.com * ===================================== */ class ApplicationFirewall{ protected $status; protected $policy; protected $chain; protected $rule; protected $match; private $debug; //$get,$post,$cookie,$server; public function __construct() { $this->name = "ApplicationFirewall"; } public function __destruct() { //print "Destroying " . $this->name . "\n"; } public function enable(){ $this->status = true; } public function disable(){ $this->status = false; } public function get(){ if($this->status){ $this->chain = $_GET; return($this); }else{ return($this->status); } } public function post(){ if($this->status){ $this->chain = $_GET; return($this); }else{ return($this->status); } $this->chain = $_POST; } public function cookie() { if($this->status){ $this->chain = $_COOKIE; return($this); }else{ return($this->status); } } public function server(){ if($this->status){ $this->chain = $_SERVER; return($this); }else{ return($this->status); } } public function match($key, $value){ if($this->debug) print_r($this->chain); $this->match = false; if(!array_key_exists($this->chain, $key)){ if($this->chain[$key] == $value){ $this->match = true; } } return($this); } public function policy($p){ $this->policy = $p; } public function counter($tm, $cnt){ return($this); } public function allow($fun = null){ if($this->status && $this->match){ if($fun){ $fun(); } } $this->destroy(); return($this->status); } public function deny($fun = null){ if($this->status && $this->match){ if($fun){ $fun(); } } $this->destroy(); return($this->status); } public function debug($tmp){ $this->debug = $tmp; } public function ip($ipaddr){ return $this->server()->match('REMOTE_ADDR', $ipaddr); } public function destroy(){ $this->chain = array(); $this->match = false; } }; #include_once('applicationfirewall.php') $fw = new ApplicationFirewall(); $fw->debug(true); $fw->debug(false); $fw->enable(); //$fw->disable(); function test(){ echo 'OK'; }; function allow(){ echo 'allow'; }; function deny(){ echo 'deny'; }; //$fw->policy('blacklist'); $fw->ip('192.168.3.17')->allow('allow'); $fw->ip('192.168.3.17')->deny('deny'); $fw->counter('1m',5)->match('id','1000')->deny('test'); /* $fw->ip('172.16.0.0/24')->allow(); $fw->ip('172.16.0.0','255.255.255.0')->allow(); $fw->header(array('User-Agent' => 'MSIE5'))->deny() */ $fw->get()->match('id','1000')->deny('test'); $fw->get()->match('name','chen')->allow('test'); //$fw->get()->match(array('id' => '1000'))->deny(); /* $fw->post()->data(array('action'=>'/login.php'))->allow() $fw->cookie()->data(array('userid'=>'test'))->deny() */ $fw->server()->match('HTTP_REFERER', 'http://www.mydomain.com/index.html')->allow('test'); $fw->server()->match('REQUEST_METHOD', 'GET')->deny('test'); $fw->disable(); //$fw->destroy();
时间: 2024-08-06 18:55:13