Application Firewall Design


Web Application Firewall, Layer 7 Firewall

Mr. Neo Chen (netkiller), 陈景峰 (BG7NYT)


Xishan Meidi, Minzhi Street, Longhua New District, Shenzhen, Guangdong, China
518109
+86 13113668890
+86 755 29812080

$Id: appfirewall.xml 491 2012-11-14 10:09:53Z netkiller $

Abstract

Protects web URLs and implements access control.

What follows is a summary of the experience I have accumulated over the years, written up as a document for reference:


Contents

1. Features
1.1. Access Control List (ACL)
1.2. User authentication
1.3. Elements
2. Usage
2.1. Embedded use
2.2. URL proxy
2.3. Proxy mode
3. URL proxy implementation
4. Example

1. Features

  1. Counter (requests per time window, for rate limiting)

  2. Policy

  3. Access control

  4. User authentication
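The counter listed above is left as an empty stub in the class shown in section 4, so here is an added example (my own code, not from the original page or from netkiller's project) of a fixed-window request counter that behaves the way a rule like counter('1m', 5) implies: at most 5 hits per client per minute, the sixth hit in the window is denied, and the count starts again once the window has rolled over. Assumptions: the counts live in a plain PHP array inside one process (a real deployment needs a shared store such as APCu or Redis so that every PHP worker sees the same counts); the window syntax '30s'/'1m'/'2h', the class and method names and the demo client address are mine; the clock is injected so the demo runs offline.

```php
<?php
// Added example, not part of the original page: a fixed-window request
// counter. Assumptions: in-memory store, injected clock, IPv4 demo address.

class RequestCounter
{
    private $store = array();   // key => array('start' => window start time, 'count' => hits)
    private $now;               // callable returning the current Unix time

    public function __construct(?callable $now = null)
    {
        $this->now = $now ? $now : 'time';
    }

    // Parse a window such as '30s', '1m' or '2h' into seconds.
    public static function parseWindow($spec)
    {
        if (!preg_match('/^(\d+)([smh])$/', $spec, $m)) {
            throw new InvalidArgumentException("bad window: $spec");
        }
        $units = array('s' => 1, 'm' => 60, 'h' => 3600);
        return (int)$m[1] * $units[$m[2]];
    }

    // Record one hit for $key (normally the client address) and report
    // whether the limit for the current window is exceeded. True means deny.
    public function exceeded($key, $window, $limit)
    {
        $seconds = self::parseWindow($window);
        $t = call_user_func($this->now);
        if (!isset($this->store[$key]) || $t - $this->store[$key]['start'] >= $seconds) {
            // first hit, or the previous window has expired: open a new window
            $this->store[$key] = array('start' => $t, 'count' => 0);
        }
        $this->store[$key]['count']++;
        return $this->store[$key]['count'] > $limit;
    }
}

// Constructed demo: six hits from one client inside a minute, then one more
// after the window has rolled over.
$clock   = 1000;
$counter = new RequestCounter(function () use (&$clock) { return $clock; });
$ip      = '192.168.3.17';
$results = array();
for ($i = 0; $i < 6; $i++) {
    $results[] = $counter->exceeded($ip, '1m', 5) ? 'deny' : 'allow';
}
$clock += 61;
$results[] = $counter->exceeded($ip, '1m', 5) ? 'deny' : 'allow';
echo implode(' ', $results), "\n";
```

A fixed window is cheap but lets a client burst twice the limit across a window boundary (5 hits at the end of one minute and 5 at the start of the next); a sliding window or token bucket closes that gap at the cost of more state per key.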

1.1. Access Control List (ACL)

  1. Blacklist (allow everything except listed sources)

  2. Whitelist (deny everything except listed sources)
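As an added example (my own code, not the page's), the blacklist/whitelist ACL above implemented for IPv4 client addresses, including the CIDR and dotted-netmask rule forms that the commented-out rules in section 4 (172.16.0.0/24, and 172.16.0.0 with 255.255.255.0) anticipate. Assumptions: IPv4 only, 64-bit PHP (ip2long() returns negative values on 32-bit builds), and the class name, rule syntax and demo addresses are mine.

```php
<?php
// Added example, not part of the original page: an IPv4 ACL with the
// blacklist / whitelist policies listed above. Assumptions: IPv4 only,
// 64-bit PHP, and the class name, rule syntax and demo addresses are mine.

class IpAcl
{
    private $policy;            // 'blacklist': allow unless listed; 'whitelist': deny unless listed
    private $rules = array();   // each entry is array(network, mask) as integers

    public function __construct($policy)
    {
        if ($policy !== 'blacklist' && $policy !== 'whitelist') {
            throw new InvalidArgumentException("unknown policy: $policy");
        }
        $this->policy = $policy;
    }

    // Accepts '192.168.3.17', '172.16.0.0/24' or '172.16.0.0/255.255.255.0'.
    public function add($rule)
    {
        $parts = explode('/', $rule, 2);
        $net = ip2long($parts[0]);
        if ($net === false) {
            throw new InvalidArgumentException("bad address: $rule");
        }
        if (count($parts) === 1) {
            $mask = 0xFFFFFFFF;                                  // single host
        } elseif (preg_match('/^\d{1,2}$/', $parts[1]) && (int)$parts[1] <= 32) {
            $bits = (int)$parts[1];                              // CIDR prefix length
            $mask = $bits === 0 ? 0 : (0xFFFFFFFF << (32 - $bits)) & 0xFFFFFFFF;
        } else {
            $mask = ip2long($parts[1]);                          // dotted netmask
            if ($mask === false) {
                throw new InvalidArgumentException("bad netmask: $rule");
            }
        }
        // store the network already masked, so 172.16.0.5/24 means 172.16.0.0/24
        $this->rules[] = array($net & $mask, $mask);
        return $this;
    }

    // True when $ip falls inside any rule.
    public function listed($ip)
    {
        $addr = ip2long($ip);
        if ($addr === false) {
            return false;
        }
        foreach ($this->rules as $r) {
            if (($addr & $r[1]) === $r[0]) {
                return true;
            }
        }
        return false;
    }

    // The access decision. Unparsable addresses are always denied (fail closed).
    public function allowed($ip)
    {
        if (ip2long($ip) === false) {
            return false;
        }
        $hit = $this->listed($ip);
        return $this->policy === 'whitelist' ? $hit : !$hit;
    }
}

// Constructed demo: a whitelist for an admin URL
$acl = new IpAcl('whitelist');
$acl->add('172.16.0.0/24')->add('192.168.3.17')->add('10.1.0.0/255.255.0.0');
foreach (array('172.16.0.200', '172.16.1.1', '192.168.3.17', '10.1.200.3', 'not-an-ip') as $client) {
    printf("%-14s %s\n", $client, $acl->allowed($client) ? 'allow' : 'deny');
}
```

Under the whitelist policy every address not covered by a rule is denied, which is the safer default for an admin URL; a blacklist fits a public page where only known bad sources must be blocked. Whichever policy is used, the address fed in should be $_SERVER['REMOTE_ADDR']. Behind a reverse proxy that is the proxy's address, and X-Forwarded-For may only be honoured for requests that actually arrive from the known proxy; otherwise any client can put itself on the whitelist by sending the header.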

1.2. User authentication

  1. AAA

  2. LDAP

  3. MySQL

1.3. Elements (parts of the request a rule can inspect)

  1. IP address, port number

  2. URL (GET parameters)

  3. POST data

  4. Cookie

  5. HTTP header

  6. Protocol (HTTP, JSON, AJAX, SOAP, XML-RPC, ...)

2. Usage

2.1. Embedded use

Used as an SDK/API: the firewall class is included in the application and the rules are evaluated in-process before the page's own code runs.

2.2. URL proxy

http://app.mydomain.com/firewall/login

login: http://login.mydomain.com/

Based on the login keyword in the request path, the URL is redirected to the protected URL configured for that keyword.

2.3. Proxy mode

3. URL proxy implementation

http://app.mydomain.com/firewall/login

login: http://login.mydomain.com/
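The keyword lookup behind the two lines above (sections 2.2 and 3), as an added example; this is my own code, not the page's implementation. It assumes that the /firewall/ mount prefix, the keyword map and the demo requests are mine, and that only keywords present in the map are ever redirected, so a request such as /firewall/http://evil.example/ cannot turn the firewall into an open redirector.

```php
<?php
// Added example, not part of the original page: resolve
// http://app.mydomain.com/firewall/<keyword>/... to the protected site.
// Assumptions: the /firewall/ prefix, the keyword map and the demo requests
// below are this example's own.

// keyword => protected site; scheme and host are fixed by the operator,
// never taken from the request
$targets = array(
    'login' => 'http://login.mydomain.com/',
    'admin' => 'http://admin.mydomain.com/',
);

// Return the protected URL for a request path, or null if there is no rule.
// Only keywords present in $targets are redirected; the rest of the path
// is appended as a relative path and the query string is passed through.
function resolve_target($path, $query, array $targets, $prefix = '/firewall/')
{
    if (strpos($path, $prefix) !== 0) {
        return null;
    }
    $segments = explode('/', substr($path, strlen($prefix)), 2);
    $keyword  = $segments[0];
    if ($keyword === '' || !isset($targets[$keyword])) {
        return null;    // unknown keyword: no redirect, so the map cannot be probed
    }
    $tail = isset($segments[1]) ? $segments[1] : '';
    // refuse traversal and encoded slashes so the upstream gets a clean relative path
    if ($tail !== '' && (strpos($tail, '..') !== false || stripos($tail, '%2f') !== false)) {
        return null;
    }
    $url = $targets[$keyword] . ltrim($tail, '/');
    if ($query !== '') {
        $url .= '?' . $query;
    }
    return $url;
}

// Real request handler (skipped when the file is run from the command line)
if (PHP_SAPI !== 'cli') {
    $path   = parse_url($_SERVER['REQUEST_URI'], PHP_URL_PATH);
    $query  = isset($_SERVER['QUERY_STRING']) ? $_SERVER['QUERY_STRING'] : '';
    $target = resolve_target($path, $query, $targets);
    if ($target === null) {
        http_response_code(404);
        exit;
    }
    header('Location: ' . $target, true, 302);
    exit;
}

// Constructed demo requests: path and query string
$requests = array(
    array('/firewall/login', ''),
    array('/firewall/login/reset', 'token=abc'),
    array('/firewall/admin/../login', ''),
    array('/firewall/http://evil.example/', ''),
    array('/other/login', ''),
);
foreach ($requests as $r) {
    $target = resolve_target($r[0], $r[1], $targets);
    printf("%-36s -> %s\n", $r[0], $target === null ? '(no rule, 404)' : $target);
}
```

A redirect is the simplest form of the URL proxy, but once the browser has followed the Location header it talks to login.mydomain.com directly, so the firewall's rules only apply on the first hop unless the protected site itself accepts requests only from the firewall's address, or the firewall forwards the request in-process instead of redirecting.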

4. Example

<?php
/*
* =====================================
* Website: http://netkiller.github.com
* Author: neo <[email protected]>
* Email: [email protected]
* =====================================
*/
class ApplicationFirewall{

	protected $name;
	protected $status = false;	// enabled / disabled switch
	protected $policy;
	protected $chain = array();	// request array currently being inspected ($_GET, $_POST, $_COOKIE or $_SERVER)
	protected $rule;
	protected $match = false;	// result of the last match()
	private $debug = false;

	public function __construct() {
		$this->name 	= "ApplicationFirewall";
	}

	public function __destruct() {
		//print "Destroying " . $this->name . "\n";
	}

	public function enable(){
		$this->status = true;
	}
	public function disable(){
		$this->status = false;
	}

	// The four selectors below choose which request array the following
	// match() inspects. When the firewall is disabled the chain is left
	// empty, so no rule can match, but $this is still returned so that a
	// chained call such as $fw->get()->match(...) does not fail.
	public function get(){
		$this->chain 	= $this->status ? $_GET : array();
		return($this);
	}

	public function post(){
		$this->chain 	= $this->status ? $_POST : array();
		return($this);
	}

	public function cookie() {
		$this->chain 	= $this->status ? $_COOKIE : array();
		return($this);
	}

	public function server(){
		$this->chain 	= $this->status ? $_SERVER : array();
		return($this);
	}

	// A rule matches only when $key is present in the selected array and
	// its value is identical to $value. The strict comparison (===) matters:
	// with == PHP compares numeric strings numerically, so '1e3' == '1000'
	// is true and a rule written against id=1000 could be bypassed.
	public function match($key, $value){
		if($this->debug) print_r($this->chain);
		$this->match = false;
		if(array_key_exists($key, $this->chain)){
			if($this->chain[$key] === $value){
				$this->match = true;
			}
		}
		return($this);
	}
	public function policy($p){
		$this->policy = $p;
	}
	// Request counter (rate limit per time window): not implemented yet.
	// The call is accepted so that rules using it still parse.
	public function counter($tm, $cnt){
		return($this);
	}
	// allow() and deny() are symmetric: if the firewall is enabled and the
	// preceding match() succeeded, the callback is invoked. What happens to
	// the request (continue, or send 403 and exit) is up to the callback.
	// The inspected array is cleared afterwards so the next rule starts clean.
	public function allow($fun = null){
		if($this->status && $this->match){
			if($fun){
				call_user_func($fun);
			}
		}
		$this->destroy();
		return($this->status);
	}
	public function deny($fun = null){
		if($this->status && $this->match){
			if($fun){
				call_user_func($fun);
			}
		}
		$this->destroy();
		return($this->status);
	}
	public function debug($tmp){
		$this->debug = $tmp;
	}
	// Shortcut: match the client address. Behind a reverse proxy
	// REMOTE_ADDR is the proxy's address, not the client's.
	public function ip($ipaddr){
		return $this->server()->match('REMOTE_ADDR', $ipaddr);
	}
	public function destroy(){
		$this->chain = array();
		$this->match = false;
	}
};

#include_once('applicationfirewall.php')
$fw = new ApplicationFirewall();

$fw->debug(true);	// debug(true) dumps the inspected array on every match()
$fw->debug(false);
$fw->enable();
//$fw->disable();

// Callbacks invoked when a rule matches. In a real deployment deny()
// would send a 403 and exit instead of just printing.
function test(){
	echo 'OK';
}
function allow(){
	echo 'allow';
}
function deny(){
	echo 'deny';
}
//$fw->policy('blacklist');

// Rules on the client address ($_SERVER['REMOTE_ADDR']). Both rules below
// fire for the same address; they only illustrate the API.
$fw->ip('192.168.3.17')->allow('allow');
$fw->ip('192.168.3.17')->deny('deny');

// counter() is still a stub and selects no request array, so this rule
// never matches as written.
$fw->counter('1m',5)->match('id','1000')->deny('test');

/* Planned syntax, not implemented in this version:
$fw->ip('172.16.0.0/24')->allow();
$fw->ip('172.16.0.0','255.255.255.0')->allow();

$fw->header(array('User-Agent' => 'MSIE5'))->deny()
*/
// Rules on GET parameters
$fw->get()->match('id','1000')->deny('test');
$fw->get()->match('name','chen')->allow('test');
//$fw->get()->match(array('id' => '1000'))->deny();
/* Planned syntax, not implemented in this version:
$fw->post()->data(array('action'=>'/login.php'))->allow()
$fw->cookie()->data(array('userid'=>'test'))->deny()
*/
// Rules on request metadata. The Referer header is set by the client and
// trivially forged, so it must not be relied on for authorization.
$fw->server()->match('HTTP_REFERER', 'http://www.mydomain.com/index.html')->allow('test');
$fw->server()->match('REQUEST_METHOD', 'GET')->deny('test');

$fw->disable();
//$fw->destroy();
