Application Firewall Design
Web Application Firewall, 7layer Firewall
版权 © 2011, 2012 http://netkiller.github.com
$Id: appfirewall.xml 491 2012-11-14 10:09:53Z netkiller $
摘要
提供 Web URL 的保护，实现访问控制
下面是我多年积累下来的经验总结，整理成文档供大家参考：
目录
1. 功能说明
1.1. 访问控制列表 ACL
1.2. 用户认证
1.3. 元素
2. 使用方法
2.1. 嵌入使用
2.2. URL代理
2.3. 代理方式
3. URL代理实现方式
4. example
- 计数器
- 策略
- 访问控制
- 用户认证
http://app.mydomain.com/firewall/login
login: http://login.mydomain.com/
根据 login 关键字，将 URL 跳转到指定的受保护 URL 上
<?php
/*
* =====================================
* Website: http://netkiller.github.com
* Author: neo <[email protected]>
* Email: [email protected]
* =====================================
*/
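class ApplicationFirewall
{
    /** @var string Label set in the constructor; diagnostics only. */
    protected $name;

    /** @var bool Enforcement switch: sources return false and callbacks never run while false. */
    protected $status = false;

    /** @var mixed Label stored by policy(); nothing in this class reads it back. */
    protected $policy;

    /** @var array Request variables chosen by get()/post()/cookie()/server(); the haystack for match(). */
    protected $chain = array();

    /** @var mixed Reserved; neither written nor read by this class. */
    protected $rule;

    /** @var bool Outcome of the most recent match(); cleared by destroy(). */
    protected $match = false;

    /** @var bool When true, match() print_r()s the selected request variables into the response. */
    private $debug = false;

    public function __construct()
    {
        $this->name = "ApplicationFirewall";
    }

    public function __destruct()
    {
        // Nothing to release.
    }

    /** Turn enforcement on. */
    public function enable()
    {
        $this->status = true;
    }

    /** Turn enforcement off: sources then return false and no callback runs. */
    public function disable()
    {
        $this->status = false;
    }

    /**
     * Select $_GET as the variables the next match() inspects.
     *
     * @return static|false $this for chaining, or false while disabled
     *                      (calling a method on that false is a fatal error,
     *                      so do not chain on a disabled instance)
     */
    public function get()
    {
        return $this->select($_GET);
    }

    /**
     * Select $_POST as the variables the next match() inspects.
     *
     * @return static|false see get()
     */
    public function post()
    {
        return $this->select($_POST);
    }

    /**
     * Select $_COOKIE as the variables the next match() inspects.
     *
     * @return static|false see get()
     */
    public function cookie()
    {
        return $this->select($_COOKIE);
    }

    /**
     * Select $_SERVER as the variables the next match() inspects.
     *
     * @return static|false see get()
     */
    public function server()
    {
        return $this->select($_SERVER);
    }

    /**
     * Copy $vars into the chain when enabled.
     *
     * @param array $vars one of the request superglobals
     * @return static|false $this, or false while disabled
     */
    private function select(array $vars)
    {
        if (!$this->status) {
            return false;
        }
        $this->chain = $vars;
        return $this;
    }

    /**
     * Record whether the selected variable $key equals $value.
     *
     * Both sides are compared in their string form, so '1000' matches the
     * integer 1000 but not '1e3' or '1000.0' (which a loose == would accept).
     * A missing key is a plain non-match, and an array-valued request
     * parameter (e.g. id[]=...) or a non-scalar $value never matches.
     *
     * @param string|int $key   name of the request variable
     * @param mixed      $value expected value
     * @return static
     */
    public function match($key, $value)
    {
        if ($this->debug) {
            // Dumps the whole selected superglobal (cookies, server vars, ...) to the output stream.
            print_r($this->chain);
        }
        $this->match = false;
        if (is_array($this->chain) && array_key_exists($key, $this->chain)) {
            $actual = $this->chain[$key];
            if (is_scalar($actual) && is_scalar($value)) {
                $this->match = ((string) $actual === (string) $value);
            }
        }
        return $this;
    }

    /**
     * Store a policy label. No rule in this class consults it; allow() and
     * deny() differ only in which callback the caller passes.
     *
     * @param mixed $p
     */
    public function policy($p)
    {
        $this->policy = $p;
    }

    /**
     * Rate-counter placeholder: both arguments are ignored and no request
     * variables are selected, so a following match() sees whatever chain the
     * previous rule left behind (empty after destroy()).
     *
     * @param string $tm  intended window, e.g. '1m'
     * @param int    $cnt intended threshold
     * @return static
     */
    public function counter($tm, $cnt)
    {
        return $this;
    }

    /**
     * Run $fun if enabled and the last match() succeeded, then reset the chain.
     *
     * The class performs no enforcement of its own: unless $fun ends the
     * request (exit, redirect, ...), processing continues after this call.
     *
     * @param callable|null $fun
     * @return bool the enabled flag, not whether $fun ran
     * @throws InvalidArgumentException when $fun is given but not callable
     */
    public function allow($fun = null)
    {
        return $this->fire($fun);
    }

    /**
     * Same contract as allow(); only the caller's callback makes it a denial.
     *
     * @param callable|null $fun
     * @return bool
     * @throws InvalidArgumentException when $fun is given but not callable
     */
    public function deny($fun = null)
    {
        return $this->fire($fun);
    }

    /**
     * Shared body of allow()/deny().
     *
     * @param callable|null $fun
     * @return bool
     * @throws InvalidArgumentException
     */
    private function fire($fun)
    {
        if ($this->status && $this->match && $fun !== null) {
            if (!is_callable($fun)) {
                // Fail loudly rather than silently skipping an enforcement callback.
                throw new InvalidArgumentException('Rule callback is not callable');
            }
            $fun();
        }
        $this->destroy();
        return $this->status;
    }

    /**
     * Toggle dumping of the selected request variables from match().
     * The dump goes straight into the response body, so keep it off outside local testing.
     *
     * @param bool $tmp
     */
    public function debug($tmp)
    {
        $this->debug = (bool) $tmp;
    }

    /**
     * Rule on the client address: exact comparison with $_SERVER['REMOTE_ADDR'],
     * the peer address the server saw. No forwarded-for header is consulted
     * and there is no CIDR/netmask support.
     *
     * @param string $ipaddr
     * @return static|false false while disabled
     */
    public function ip($ipaddr)
    {
        $source = $this->server();
        if ($source === false) {
            return false;
        }
        return $source->match('REMOTE_ADDR', $ipaddr);
    }

    /** Reset the chain and the last match result. */
    public function destroy()
    {
        $this->chain = array();
        $this->match = false;
    }
}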
#include_once('applicationfirewall.php')
// Demo wiring: build the firewall, switch enforcement on, and make sure the
// debug dump (which prints the selected request variables) ends up off.
$fw = new ApplicationFirewall();
$fw->enable();
$fw->debug(true);
$fw->debug(false);
// $fw->disable();
/** Demo callback: prints OK when a rule fires. */
function test()
{
    print 'OK';
}
/** Demo callback for an allow rule: prints the word allow. */
function allow()
{
    print 'allow';
}
/** Demo callback for a deny rule: prints the word deny (it does not stop the request). */
function deny()
{
    print 'deny';
}
// $fw->policy('blacklist');   // policy() only stores the label; no rule reads it

// Address rules. allow() and deny() share one contract, so a matching client
// runs both callbacks here; only the callbacks differ.
$demoClient = '192.168.3.17';
$fw->ip($demoClient)->allow('allow');
$fw->ip($demoClient)->deny('deny');

// counter() is a stub: it selects no request variables, so match() runs against
// the chain left by the previous rule, which deny() has already cleared.
$fw->counter('1m', 5)->match('id', '1000')->deny('test');

// Not provided by the class (no CIDR/netmask addresses, no header() method):
//   $fw->ip('172.16.0.0/24')->allow();
//   $fw->ip('172.16.0.0','255.255.255.0')->allow();
//   $fw->header(array('User-Agent' => 'MSIE5'))->deny()

// Query-string rules: match() takes one key and one value per call.
$idParam = 'id';
$fw->get()->match($idParam, '1000')->deny('test');
$fw->get()->match('name', 'chen')->allow('test');
// $fw->get()->match(array('id' => '1000'))->deny();   // array form is not supported

// Not provided either (no data() method):
//   $fw->post()->data(array('action'=>'/login.php'))->allow()
//   $fw->cookie()->data(array('userid'=>'test'))->deny()

// Server-variable rules. HTTP_REFERER is supplied by the client, so the first
// rule is advisory rather than an authentication control.
$fw->server()->match('HTTP_REFERER', 'http://www.mydomain.com/index.html')->allow('test');
$fw->server()->match('REQUEST_METHOD', 'GET')->deny('test');

// Switch enforcement off again; every allow()/deny() already called destroy().
$fw->disable();
// $fw->destroy();
Application Firewall Design
Web Application Firewall, 7layer Firewall
版权 © 2011, 2012 http://netkiller.github.com
$Id: appfirewall.xml 491 2012-11-14 10:09:53Z netkiller $
摘要
提供 Web URL 的保护，实现访问控制
下面是我多年积累下来的经验总结，整理成文档供大家参考：
目录
- 计数器
- 策略
- 访问控制
- 用户认证
http://app.mydomain.com/firewall/login
login: http://login.mydomain.com/
根据 login 关键字，将 URL 跳转到指定的受保护 URL 上
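<?php
/*
 * =====================================
 * Website: http://netkiller.github.com
 * Author: neo <[email protected]>
 * Email: [email protected]
 * =====================================
 */

class ApplicationFirewall
{
    /** @var string Label set in the constructor; diagnostics only. */
    protected $name;

    /** @var bool Enforcement switch: sources return false and callbacks never run while false. */
    protected $status = false;

    /** @var mixed Label stored by policy(); nothing in this class reads it back. */
    protected $policy;

    /** @var array Request variables chosen by get()/post()/cookie()/server(); the haystack for match(). */
    protected $chain = array();

    /** @var mixed Reserved; neither written nor read by this class. */
    protected $rule;

    /** @var bool Outcome of the most recent match(); cleared by destroy(). */
    protected $match = false;

    /** @var bool When true, match() print_r()s the selected request variables into the response. */
    private $debug = false;

    public function __construct()
    {
        $this->name = "ApplicationFirewall";
    }

    public function __destruct()
    {
        // Nothing to release.
    }

    /** Turn enforcement on. */
    public function enable()
    {
        $this->status = true;
    }

    /** Turn enforcement off: sources then return false and no callback runs. */
    public function disable()
    {
        $this->status = false;
    }

    /**
     * Select $_GET as the variables the next match() inspects.
     *
     * @return static|false $this for chaining, or false while disabled
     *                      (calling a method on that false is a fatal error,
     *                      so do not chain on a disabled instance)
     */
    public function get()
    {
        return $this->select($_GET);
    }

    /**
     * Select $_POST as the variables the next match() inspects.
     *
     * @return static|false see get()
     */
    public function post()
    {
        return $this->select($_POST);
    }

    /**
     * Select $_COOKIE as the variables the next match() inspects.
     *
     * @return static|false see get()
     */
    public function cookie()
    {
        return $this->select($_COOKIE);
    }

    /**
     * Select $_SERVER as the variables the next match() inspects.
     *
     * @return static|false see get()
     */
    public function server()
    {
        return $this->select($_SERVER);
    }

    /**
     * Copy $vars into the chain when enabled.
     *
     * @param array $vars one of the request superglobals
     * @return static|false $this, or false while disabled
     */
    private function select(array $vars)
    {
        if (!$this->status) {
            return false;
        }
        $this->chain = $vars;
        return $this;
    }

    /**
     * Record whether the selected variable $key equals $value.
     *
     * Both sides are compared in their string form, so '1000' matches the
     * integer 1000 but not '1e3' or '1000.0' (which a loose == would accept).
     * A missing key is a plain non-match, and an array-valued request
     * parameter (e.g. id[]=...) or a non-scalar $value never matches.
     *
     * @param string|int $key   name of the request variable
     * @param mixed      $value expected value
     * @return static
     */
    public function match($key, $value)
    {
        if ($this->debug) {
            // Dumps the whole selected superglobal (cookies, server vars, ...) to the output stream.
            print_r($this->chain);
        }
        $this->match = false;
        if (is_array($this->chain) && array_key_exists($key, $this->chain)) {
            $actual = $this->chain[$key];
            if (is_scalar($actual) && is_scalar($value)) {
                $this->match = ((string) $actual === (string) $value);
            }
        }
        return $this;
    }

    /**
     * Store a policy label. No rule in this class consults it; allow() and
     * deny() differ only in which callback the caller passes.
     *
     * @param mixed $p
     */
    public function policy($p)
    {
        $this->policy = $p;
    }

    /**
     * Rate-counter placeholder: both arguments are ignored and no request
     * variables are selected, so a following match() sees whatever chain the
     * previous rule left behind (empty after destroy()).
     *
     * @param string $tm  intended window, e.g. '1m'
     * @param int    $cnt intended threshold
     * @return static
     */
    public function counter($tm, $cnt)
    {
        return $this;
    }

    /**
     * Run $fun if enabled and the last match() succeeded, then reset the chain.
     *
     * The class performs no enforcement of its own: unless $fun ends the
     * request (exit, redirect, ...), processing continues after this call.
     *
     * @param callable|null $fun
     * @return bool the enabled flag, not whether $fun ran
     * @throws InvalidArgumentException when $fun is given but not callable
     */
    public function allow($fun = null)
    {
        return $this->fire($fun);
    }

    /**
     * Same contract as allow(); only the caller's callback makes it a denial.
     *
     * @param callable|null $fun
     * @return bool
     * @throws InvalidArgumentException when $fun is given but not callable
     */
    public function deny($fun = null)
    {
        return $this->fire($fun);
    }

    /**
     * Shared body of allow()/deny().
     *
     * @param callable|null $fun
     * @return bool
     * @throws InvalidArgumentException
     */
    private function fire($fun)
    {
        if ($this->status && $this->match && $fun !== null) {
            if (!is_callable($fun)) {
                // Fail loudly rather than silently skipping an enforcement callback.
                throw new InvalidArgumentException('Rule callback is not callable');
            }
            $fun();
        }
        $this->destroy();
        return $this->status;
    }

    /**
     * Toggle dumping of the selected request variables from match().
     * The dump goes straight into the response body, so keep it off outside local testing.
     *
     * @param bool $tmp
     */
    public function debug($tmp)
    {
        $this->debug = (bool) $tmp;
    }

    /**
     * Rule on the client address: exact comparison with $_SERVER['REMOTE_ADDR'],
     * the peer address the server saw. No forwarded-for header is consulted
     * and there is no CIDR/netmask support.
     *
     * @param string $ipaddr
     * @return static|false false while disabled
     */
    public function ip($ipaddr)
    {
        $source = $this->server();
        if ($source === false) {
            return false;
        }
        return $source->match('REMOTE_ADDR', $ipaddr);
    }

    /** Reset the chain and the last match result. */
    public function destroy()
    {
        $this->chain = array();
        $this->match = false;
    }
}

// include_once('applicationfirewall.php');

// Demo wiring: build the firewall, switch enforcement on, and make sure the
// debug dump (which prints the selected request variables) ends up off.
$fw = new ApplicationFirewall();
$fw->enable();
$fw->debug(true);
$fw->debug(false);
// $fw->disable();

/** Demo callback: prints OK when a rule fires. */
function test()
{
    print 'OK';
}

/** Demo callback for an allow rule: prints the word allow. */
function allow()
{
    print 'allow';
}

/** Demo callback for a deny rule: prints the word deny (it does not stop the request). */
function deny()
{
    print 'deny';
}

// $fw->policy('blacklist');   // policy() only stores the label; no rule reads it

// Address rules. allow() and deny() share one contract, so a matching client
// runs both callbacks here; only the callbacks differ.
$demoClient = '192.168.3.17';
$fw->ip($demoClient)->allow('allow');
$fw->ip($demoClient)->deny('deny');

// counter() is a stub: it selects no request variables, so match() runs against
// the chain left by the previous rule, which deny() has already cleared.
$fw->counter('1m', 5)->match('id', '1000')->deny('test');

// Not provided by the class (no CIDR/netmask addresses, no header() method):
//   $fw->ip('172.16.0.0/24')->allow();
//   $fw->ip('172.16.0.0','255.255.255.0')->allow();
//   $fw->header(array('User-Agent' => 'MSIE5'))->deny()

// Query-string rules: match() takes one key and one value per call.
$fw->get()->match('id', '1000')->deny('test');
$fw->get()->match('name', 'chen')->allow('test');
// $fw->get()->match(array('id' => '1000'))->deny();   // array form is not supported

// Not provided either (no data() method):
//   $fw->post()->data(array('action'=>'/login.php'))->allow()
//   $fw->cookie()->data(array('userid'=>'test'))->deny()

// Server-variable rules. HTTP_REFERER is supplied by the client, so the first
// rule is advisory rather than an authentication control.
$fw->server()->match('HTTP_REFERER', 'http://www.mydomain.com/index.html')->allow('test');
$fw->server()->match('REQUEST_METHOD', 'GET')->deny('test');

// Switch enforcement off again; every allow()/deny() already called destroy().
$fw->disable();
// $fw->destroy();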