Application Firewall Design
Web Application Firewall, 7layer Firewall
版權聲明
轉載請與作者聯繫,轉載時請務必標明文章原始出處和作者信息及本聲明。
|
|
|
微信掃瞄二維碼進入 Netkiller 微信訂閲號 QQ群:128659835 請註明“讀者” |
$Id: appfirewall.xml 494 2012-11-21 10:25:26Z netkiller
摘要
提供web url的保護, 實現訪問控制
1. 功能說明
計數器
策略
訪問控制
用戶認證
1.1. 訪問控制列表 ACL
黑名單
白名單
1.2. 用戶認證
AAA
LDAP
MySQL
1.3. 元素
IP地址,連接埠號
URL(GET)
POST
Cookie
HTTP Header
協議(HTTP,JASON,AJAX,SOAP,XML-RPM...)
2. 使用方法
2.1. 嵌入使用
作為SDK/API的方式使用
2.2. URL代理
http://app.mydomain.com/firewall/login
login: http://login.mydomain.com/
根據login關鍵字,將url跳轉到指定的保護URL上面
2.3. 代理方式
3. URL代理實現方式
http://app.mydomain.com/firewall/login
login: http://login.mydomain.com/
4. example
<?php
/*
* =====================================
* Website: http://netkiller.github.com
* Author: neo <netkiller@msn.com>
* Email: netkiller@msn.com
* =====================================
*/
class ApplicationFirewall{
protected $status;
protected $policy;
protected $chain;
protected $rule;
protected $match;
private $debug;
//$get,$post,$cookie,$server;
public function __construct() {
$this->name = "ApplicationFirewall";
}
public function __destruct() {
//print "Destroying " . $this->name . "\n";
}
public function enable(){
$this->status = true;
}
public function disable(){
$this->status = false;
}
public function get(){
if($this->status){
$this->chain = $_GET;
return($this);
}else{
return($this->status);
}
}
public function post(){
if($this->status){
$this->chain = $_GET;
return($this);
}else{
return($this->status);
}
$this->chain = $_POST;
}
public function cookie() {
if($this->status){
$this->chain = $_COOKIE;
return($this);
}else{
return($this->status);
}
}
public function server(){
if($this->status){
$this->chain = $_SERVER;
return($this);
}else{
return($this->status);
}
}
public function match($key, $value){
if($this->debug) print_r($this->chain);
$this->match = false;
if(!array_key_exists($this->chain, $key)){
if($this->chain[$key] == $value){
$this->match = true;
}
}
return($this);
}
public function policy($p){
$this->policy = $p;
}
public function counter($tm, $cnt){
return($this);
}
public function allow($fun = null){
if($this->status && $this->match){
if($fun){
$fun();
}
}
$this->destroy();
return($this->status);
}
public function deny($fun = null){
if($this->status && $this->match){
if($fun){
$fun();
}
}
$this->destroy();
return($this->status);
}
public function debug($tmp){
$this->debug = $tmp;
}
public function ip($ipaddr){
return $this->server()->match('REMOTE_ADDR', $ipaddr);
}
public function destroy(){
$this->chain = array();
$this->match = false;
}
};
#include_once('applicationfirewall.php')
$fw = new ApplicationFirewall();
$fw->debug(true);
$fw->debug(false);
$fw->enable();
//$fw->disable();
function test(){
echo 'OK';
};
function allow(){
echo 'allow';
};
function deny(){
echo 'deny';
};
//$fw->policy('blacklist');
$fw->ip('192.168.3.17')->allow('allow');
$fw->ip('192.168.3.17')->deny('deny');
$fw->counter('1m',5)->match('id','1000')->deny('test');
/*
$fw->ip('172.16.0.0/24')->allow();
$fw->ip('172.16.0.0','255.255.255.0')->allow();
$fw->header(array('User-Agent' => 'MSIE5'))->deny()
*/
$fw->get()->match('id','1000')->deny('test');
$fw->get()->match('name','chen')->allow('test');
//$fw->get()->match(array('id' => '1000'))->deny();
/*
$fw->post()->data(array('action'=>'/login.php'))->allow()
$fw->cookie()->data(array('userid'=>'test'))->deny()
*/
$fw->server()->match('HTTP_REFERER', 'http://www.mydomain.com/index.html')->allow('test');
$fw->server()->match('REQUEST_METHOD', 'GET')->deny('test');
$fw->disable();
//$fw->destroy();