-rw-r--r--80-tfe.conf (renamed from tfe_sysctl.conf)0
-rw-r--r--config/tfe/resource/pangu/pangu_http.json271
-rw-r--r--config/tfe/tfe/tfe.conf2
-rw-r--r--docker-compose.yml1
-rw-r--r--dockerfile/tfe/Dockerfile9
-rw-r--r--dockerfile/tfe/tfe-4.3.30.202103111806030800.ce55dbd-1.el7.x86_64.rpmbin3509860 -> 0 bytes
-rw-r--r--dockerfile/tfe/tfe-4.3.30.202103251012260800.7e54768-1.el7.x86_64.rpmbin0 -> 3509700 bytes
-rw-r--r--dockerfile/tfe/tfe-debuginfo-4.3.30.202103251012260800.7e54768-1.el7.x86_64.rpmbin0 -> 5612052 bytes
-rw-r--r--dockerfile/tfe/tfe-env.sh108
-rw-r--r--init_tfe_env.sh4
-rwxr-xr-xrestart_vpp_sapp_tfe.sh19
11 files changed, 299 insertions, 115 deletions
diff --git a/tfe_sysctl.conf b/80-tfe.conf
index f8ec209..f8ec209 100644
--- a/tfe_sysctl.conf
+++ b/80-tfe.conf
diff --git a/config/tfe/resource/pangu/pangu_http.json b/config/tfe/resource/pangu/pangu_http.json
new file mode 100644
index 0000000..e56ab2f
--- /dev/null
+++ b/config/tfe/resource/pangu/pangu_http.json
@@ -0,0 +1,271 @@
+{
+ "compile_table": "PXY_CTRL_COMPILE",
+ "group2compile_table": "GROUP_COMPILE_RELATION",
+ "group2group_table": "GROUP_GROUP_RELATION",
+ "rules": [
+ {
+ "compile_id": 1021,
+ "service": 1,
+ "action": 48,
+ "do_blacklist": 1,
+ "do_log": 1,
+ "effective_range": 0,
+ "user_region": "{\"protocol\":\"http\",\"method\":\"redirect\",\"code\":302,\"to\":\"https://www.jd.com\"}",
+ "is_valid": "yes",
+ "groups": [
+ {
+ "group_name":"http_url",
+ "not_flag":0,
+ "regions": [
+ {
+ "table_name": "TSG_OBJ_URL",
+ "table_type": "string",
+ "table_content": {
+ "keywords": "baidu.com",
+ "expr_type": "regex",
+ "match_method": "sub",
+ "format": "uncase plain"
+ }
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "compile_id": 1022,
+ "service": 1,
+ "action": 48,
+ "do_blacklist": 1,
+ "do_log": 1,
+ "effective_range": 0,
+ "tags":"{\"tag_sets\":[[{\"tag\":\"device_id\",\"value\":[\"device_3\",\"device_4\"]}]]}",
+ "user_region": "{\"protocol\":\"http\",\"method\":\"redirect\",\"code\":302,\"to\":\"https://www.jd.com\"}",
+ "is_valid": "yes",
+ "groups": [
+ {
+ "group_name":"http_url",
+ "virtual_table":"TSG_FIELD_HTTP_URL",
+ "not_flag":0
+ }
+ ]
+ },
+ {
+ "compile_id": 1023,
+ "service": 1,
+ "action": 48,
+ "do_blacklist": 1,
+ "do_log": 1,
+ "effective_range": 0,
+ "user_region": "{\"protocol\":\"http\",\"method\":\"replace\",\"rules\":[{\"search_in\":\"http_resp_body\",\"find\":\"邮箱\",\"replace_with\":\"test\"}]}",
+ "is_valid": "yes",
+ "groups": [
+ {
+ "group_name":"http_fqdn",
+ "not_flag":0,
+ "regions": [
+ {
+ "table_name": "TSG_OBJ_FQDN",
+ "table_type": "string",
+ "table_content": {
+ "keywords": "www.126.com",
+ "expr_type": "regex",
+ "match_method": "sub",
+ "format": "uncase plain"
+ }
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "compile_id": 1024,
+ "service": 1,
+ "action": 48,
+ "do_blacklist": 1,
+ "do_log": 1,
+ "effective_range": 0,
+ "user_region":"{\"protocol\":\"http\",\"method\":\"replace\",\"rules\":[{\"search_in\":\"http_resp_body\",\"find\":\"大师\",\"replace_with\":\"小小\"}]}",
+ "is_valid": "yes",
+ "groups": [
+ {
+ "group_name":"http_fqdn",
+ "virtual_table":"TSG_FIELD_HTTP_HOST",
+ "not_flag":0
+ }
+ ]
+ },
+ {
+ "compile_id": 1025,
+ "service": 1,
+ "action": 48,
+ "do_blacklist": 1,
+ "do_log": 1,
+ "effective_range": 0,
+ "user_region": "{\"protocol\":\"http\",\"method\":\"replace\",\"rules\":[{\"search_in\":\"http_resp_body\",\"find\":\"会员\",\"replace_with\":\"用户\"}]}",
+ "is_valid": "yes",
+ "groups": [
+ {
+ "group_name":"http_fqdn",
+ "virtual_table":"TSG_FIELD_DOH_QNAME",
+ "not_flag":0
+ }
+ ]
+ },
+ {
+ "compile_id": 1026,
+ "service": 1,
+ "action": 48,
+ "do_blacklist": 1,
+ "do_log": 1,
+ "effective_range": 0,
+ "user_region": "{\"protocol\":\"http\",\"method\":\"block\",\"code\":403,\"message\":\"error\"}",
+ "is_valid": "yes",
+ "groups": [
+ {
+ "group_name":"http_signature_ua",
+ "not_flag":0,
+ "regions": [
+ {
+ "table_name": "TSG_OBJ_HTTP_SIGNATURE",
+ "table_type": "expr_plus",
+ "table_content": {
+ "district": "User-Agent",
+ "keywords": "Chrome",
+ "expr_type": "none",
+ "match_method": "sub",
+ "format": "uncase plain"
+ }
+ }
+ ]
+ },
+ {
+
+ "group_name":"http_signature_cookie",
+ "not_flag":0,
+ "regions": [
+ {
+ "table_name": "TSG_OBJ_HTTP_SIGNATURE",
+ "table_type": "expr_plus",
+ "table_content": {
+ "district": "Cookie",
+ "keywords": "uid=12345678",
+ "expr_type": "none",
+ "match_method": "sub",
+ "format": "uncase plain"
+ }
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "compile_id": 1027,
+ "service": 1,
+ "action": 48,
+ "do_blacklist": 1,
+ "do_log": 1,
+ "effective_range": 0,
+ "user_region": "test",
+ "is_valid": "yes",
+ "groups": [
+ {
+ "group_name":"http_url_bing",
+ "not_flag":0,
+ "regions": [
+ {
+ "table_name": "TSG_OBJ_URL",
+ "table_type": "string",
+ "table_content": {
+ "keywords": "bing.com",
+ "expr_type": "regex",
+ "match_method": "sub",
+ "format": "uncase plain"
+ }
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "compile_id": 1028,
+ "service": 1,
+ "action": 48,
+ "do_blacklist": 1,
+ "do_log": 1,
+ "effective_range": 0,
+ "user_region": "{\"protocol\":\"http\",\"method\":\"block\",\"code\":403,\"message\":\"error\"}",
+ "is_valid": "yes",
+ "groups": [
+ {
+ "group_name":"http_signature_ua",
+ "virtual_table":"TSG_FIELD_HTTP_REQ_HDR",
+ "not_flag":0
+ },
+ {
+ "group_name":"http_url_bing",
+ "virtual_table":"TSG_FIELD_HTTP_URL",
+ "not_flag":0
+ },
+ {
+ "group_name":"app_id",
+ "not_flag":0,
+ "regions": [
+ {
+ "table_name": "TSG_OBJ_APP_ID",
+ "table_type": "string",
+ "table_content": {
+ "keywords": "http.",
+ "expr_type": "regex",
+ "match_method": "sub",
+ "format": "uncase plain"
+ }
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "plugin_table": [
+ {
+ "table_name": "TSG_PROFILE_RESPONSE_PAGES",
+ "table_content": [
+ "101\t404\thtml\t./resource/pangu/policy_file/404.html\t1"
+ ]
+ },
+ {
+ "table_name": "PXY_PROFILE_HIJACK_FILES",
+ "table_content": [
+ "201\tchakanqi\tchakanqi-947KB.exe\tapplication/x-msdos-program\t./resource/pangu/policy_file/chakanqi-947KB.exe\t1"
+ ]
+ },
+ {
+ "table_name": "PXY_PROFILE_INSERT_SCRIPTS",
+ "table_content": [
+ "301\ttime\tjs\t./resource/pangu/policy_file/time.js\tbefore_page_load\t1"
+ ]
+ },
+ {
+ "table_name": "TSG_PROFILE_DECRYPTION",
+ "table_content": [
+ "0\ttest\t{\"dynamic_bypass\":{\"ev_cert\":0,\"cert_transparency\":0,\"mutual_authentication\":0,\"cert_pinning\":0,\"protocol_errors\":0,\"trusted_root_cert_is_not_installed_on_client\":0},\"protocol_version\":{\"min\":\"ssl3\",\"max\":\"ssl3\",\"mirror_client\":1,\"allow_http2\":1},\"certificate_checks\":{\"approach\":{\"cn\":1,\"issuer\":1,\"self-signed\":1,\"expiration\":1},\"fail_action\":\"pass-through\"}}\t1",
+ "3\ttest\t{\"dynamic_bypass\":{\"ev_cert\":1,\"cert_transparency\":1,\"mutual_authentication\":1,\"cert_pinning\":1,\"protocol_errors\":1,\"trusted_root_cert_is_not_installed_on_client\":0},\"protocol_version\":{\"min\":\"ssl3\",\"max\":\"tls13\",\"mirror_client\":1,\"allow_http2\":1},\"certificate_checks\":{\"approach\":{\"cn\":1,\"issuer\":1,\"self-signed\":1,\"expiration\":1},\"fail_action\":\"fail-close\"}}\t1",
+ "4\ttest\t{\"dynamic_bypass\":{\"ev_cert\":0,\"cert_transparency\":0,\"mutual_authentication\":0,\"cert_pinning\":0,\"protocol_errors\":0,\"trusted_root_cert_is_not_installed_on_client\":0},\"protocol_version\":{\"min\":\"ssl3\",\"max\":\"ssl3\",\"mirror_client\":0,\"allow_http2\":0},\"certificate_checks\":{\"approach\":{\"cn\":0,\"issuer\":0,\"self-signed\":0,\"expiration\":0},\"fail_action\":\"pass-through\"}}\t1"
+ ]
+ },
+ {
+ "table_name": "TSG_SECURITY_COMPILE",
+ "table_content": [
+ "0\t0\t2\t1\t1\t{}\t{\"protocol\":\"SSL\",\"keyring\":765,\"decryption\":0},\"decrypt_mirror\":{\"enable\":0}}\t1\t2",
+ "7\t0\t2\t1\t1\t{}\t{\"protocol\":\"SSL\",\"keyring\":1,\"decryption\":0},\"decrypt_mirror\":{\"enable\":0}}\t1\t2"
+ ]
+ },
+ {
+ "table_name": "PXY_SSL_FINGERPRINT",
+ "table_content": [
+ "1\t599f223c2c9ee5702f5762913889dc21\t0\t1",
+ "2\teb149984fc9c44d85ed7f12c90d818be\t1\t0",
+ "3\te6573e91e6eb777c0933c5b8f97f10cd\t1\t1"
+ ]
+ }
+ ]
+}
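Review bot: The two TSG_SECURITY_COMPILE rows near the bottom embed a JSON string whose braces do not balance — `{\"protocol\":\"SSL\",\"keyring\":765,\"decryption\":0},\"decrypt_mirror\":{\"enable\":0}}` closes one more object than it opens, which looks like a dropped leading `{\"<key>\":` wrapper; whatever parses that column will either reject the row or silently skip it, so the string should be validated against the expected schema before this file is mounted as live policy. In TSG_PROFILE_DECRYPTION, profiles 0 and 4 pin `protocol_version` to `ssl3`/`ssl3`, and profile 4 additionally sets every `certificate_checks.approach` flag to 0 with `fail_action` `pass-through`, i.e. no certificate validation at all; if these are test fixtures rather than intended production policy, label them as such (all three share the name `test`) or keep them out of the file that docker-compose mounts into the container. Rule 1027 carries `"user_region": "test"` where every sibling carries a JSON action object, so it is presumably a placeholder as well.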
diff --git a/config/tfe/tfe/tfe.conf b/config/tfe/tfe/tfe.conf
index 9323726..2ff8360 100644
--- a/config/tfe/tfe/tfe.conf
+++ b/config/tfe/tfe/tfe.conf
@@ -16,7 +16,7 @@ breakpad_minidump_dir=/run/tfe/crashreport
# the first mask for acceptor thread
# the others mask for worker thread
enable_cpu_affinity=1
-cpu_affinity_mask=1-9
+cpu_affinity_mask=11-19
# LEAST_CONN = 0; ROUND_ROBIN = 1
load_balance=1
diff --git a/docker-compose.yml b/docker-compose.yml
index c38cef3..ea4a581 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -38,4 +38,5 @@ services:
- ./config/tfe/tfe/future.conf:/opt/tsg/tfe/conf/tfe/future.conf
- ./config/tfe/tfe/tfe.conf:/opt/tsg/tfe/conf/tfe/tfe.conf
- ./config/tfe/tfe/zlog.conf:/opt/tsg/tfe/conf/tfe/zlog.conf
+ - ./config/tfe/resource/pangu/pangu_http.json:/opt/tsg/tfe/resource/pangu/pangu_http.json
- /etc/localtime:/etc/localtime:ro
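Review bot: The new bind mount for `pangu_http.json` is read-write, unlike the `/etc/localtime` mount right below it, even though the file is a policy input that defines redirects, response-body rewrites and the file/script injection tables; a process inside the container could rewrite the host-side copy. Mount it read-only: `- ./config/tfe/resource/pangu/pangu_http.json:/opt/tsg/tfe/resource/pangu/pangu_http.json:ro`. The policy file also references `./resource/pangu/policy_file/404.html`, `chakanqi-947KB.exe` and `time.js`, and no mount for that directory appears in this hunk — presumably they ship in the RPM, which is worth confirming.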
diff --git a/dockerfile/tfe/Dockerfile b/dockerfile/tfe/Dockerfile
index 0d2ac47..fc1c7ff 100644
--- a/dockerfile/tfe/Dockerfile
+++ b/dockerfile/tfe/Dockerfile
@@ -39,9 +39,10 @@ RUN yum install -y \
&& pip3 install supervisor \
&& yum clean all
-COPY tfe-env.sh /opt/tsg/tfe/
-COPY tfe-4.3.30.202103111806030800.ce55dbd-1.el7.x86_64.rpm /root/
-RUN rpm -ivh /root/tfe-4.3.30.202103111806030800.ce55dbd-1.el7.x86_64.rpm && chmod o+x /opt/tsg/tfe/tfe-env.sh
+COPY tfe-4.3.30.202103251012260800.7e54768-1.el7.x86_64.rpm /tmp/
+COPY tfe-debuginfo-4.3.30.202103251012260800.7e54768-1.el7.x86_64.rpm /tmp/
+RUN rpm -ivh /tmp/tfe-4.3.30.202103251012260800.7e54768-1.el7.x86_64.rpm && rpm -ivh /tmp/tfe-debuginfo-4.3.30.202103251012260800.7e54768-1.el7.x86_64.rpm
+
COPY supervisord.conf /etc/supervisord/
WORKDIR /opt/tsg/tfe/
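Review bot: The debuginfo RPM on the second new COPY/RUN line is installed into the runtime image, shipping about 5.6 MB of symbols for the proxy binary in production; it is only useful together with the `--cap-add=SYS_PTRACE --security-opt seccomp=unconfined` run line commented at the bottom of the file, so gate it behind a build `ARG` or move it to a separate debug stage. The two RPMs copied to `/tmp/` are never removed, and because COPY creates its own layer a later `rm` inside the RUN would not shrink the image either — a `RUN --mount=type=bind` (BuildKit) or a multi-stage build avoids baking them in. Whether `rpm -ivh` verifies these packages depends on their being signed with an imported key, which nothing here shows; if they are unsigned, pin a checksum and check it before installing.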
@@ -49,4 +50,4 @@ WORKDIR /opt/tsg/tfe/
ENTRYPOINT ["/usr/local/bin/supervisord", "-n", "-c", "/etc/supervisord/supervisord.conf"]
# docker run -it --cap-add=NET_ADMIN --cap-add=SYS_PTRACE --security-opt seccomp=unconfined --device /dev/net/tun:/dev/net/tun tfe:v1 /bin/bash
-# supervisorctl -c /etc/supervisord/supervisord.conf status \ No newline at end of file
+# supervisorctl -c /etc/supervisord/supervisord.conf status
diff --git a/dockerfile/tfe/tfe-4.3.30.202103111806030800.ce55dbd-1.el7.x86_64.rpm b/dockerfile/tfe/tfe-4.3.30.202103111806030800.ce55dbd-1.el7.x86_64.rpm
deleted file mode 100644
index 4885842..0000000
--- a/dockerfile/tfe/tfe-4.3.30.202103111806030800.ce55dbd-1.el7.x86_64.rpm
+++ /dev/null
Binary files differ
diff --git a/dockerfile/tfe/tfe-4.3.30.202103251012260800.7e54768-1.el7.x86_64.rpm b/dockerfile/tfe/tfe-4.3.30.202103251012260800.7e54768-1.el7.x86_64.rpm
new file mode 100644
index 0000000..93b91b9
--- /dev/null
+++ b/dockerfile/tfe/tfe-4.3.30.202103251012260800.7e54768-1.el7.x86_64.rpm
Binary files differ
diff --git a/dockerfile/tfe/tfe-debuginfo-4.3.30.202103251012260800.7e54768-1.el7.x86_64.rpm b/dockerfile/tfe/tfe-debuginfo-4.3.30.202103251012260800.7e54768-1.el7.x86_64.rpm
new file mode 100644
index 0000000..d4c70c4
--- /dev/null
+++ b/dockerfile/tfe/tfe-debuginfo-4.3.30.202103251012260800.7e54768-1.el7.x86_64.rpm
Binary files differ
diff --git a/dockerfile/tfe/tfe-env.sh b/dockerfile/tfe/tfe-env.sh
deleted file mode 100644
index b6e4dcf..0000000
--- a/dockerfile/tfe/tfe-env.sh
+++ /dev/null
@@ -1,108 +0,0 @@
-#!/bin/bash
-
-INCOMING_DEVICE=tun_kni
-
-LOCAL_MAC_ADDR=fe:65:b7:00:00:01
-PEER_MAC_ADDR=aa:bb:cc:dd:ee:ff
-
-LOCAL_IP_ADDR=172.16.241.2
-PEER_IP_ADDR=172.16.241.1
-
-start_fun()
-{
- # 创建虚拟网卡
- /usr/sbin/ip tuntap add dev ${INCOMING_DEVICE} mode tun one_queue
-
- # 设置网卡的 MAC
- /usr/sbin/ip link set ${INCOMING_DEVICE} address ${LOCAL_MAC_ADDR}
- # 设置网卡的状态
- /usr/sbin/ip link set ${INCOMING_DEVICE} up
- /usr/sbin/ip addr flush dev ${INCOMING_DEVICE}
-
- # 设置网卡的 IPv4 地址
- /usr/sbin/ip addr add ${LOCAL_IP_ADDR}/30 dev ${INCOMING_DEVICE}
-
- # 刷新网卡的 ARP
- # /usr/sbin/ip neigh flush dev ${INCOMING_DEVICE}
- # 将 PEER 的 IP / MAC 加入到本地设备的 ARP 表中
- #/usr/sbin/ip neigh add ${PEER_IP_ADDR} lladdr ${PEER_MAC_ADDR} dev ${INCOMING_DEVICE} nud permanent
-
- ###########################################################################
- # policy route v4
- ###########################################################################
-
- # 流入的流量走 100 号路由表
- /usr/sbin/ip rule add iif ${INCOMING_DEVICE} tab 100
- /usr/sbin/ip route add local default dev lo table 100
-
- # 流出的带 0x65 的流量走 101 号路由表
- /usr/sbin/ip rule add fwmark 0x65 lookup 101
- /usr/sbin/ip route add default dev ${INCOMING_DEVICE} via ${PEER_IP_ADDR} table 101
-
- ###########################################################################
- # policy route v6
- ###########################################################################
-
- # 设置网卡的 IPv6 地址
- /usr/sbin/ip addr add fd00::02/64 dev ${INCOMING_DEVICE}
-
- /usr/sbin/ip -6 route add default via fd00::01
-
- # 流入的流量走 102 号路由表
- /usr/sbin/ip -6 rule add iif ${INCOMING_DEVICE} tab 102
- /usr/sbin/ip -6 route add local default dev lo table 102
-
- # 将 PEER 的 IP / MAC 加入到本地设备的 ARP 表中
- #/usr/sbin/ip -6 neigh add fd00::01 lladdr ${PEER_MAC_ADDR} dev ${INCOMING_DEVICE} nud permanent
-
- ###########################################################################
- # iptables netfilter
- ###########################################################################
- iptables -A INPUT -i ${INCOMING_DEVICE} -m bpf --bytecode '14,48 0 0 0,84 0 0 240,21 0 10 64,48 0 0 9,21 0 8 6,40 0 0 6,69 6 0 8191,177 0 0 0,80 0 0 20,21 0 3 88,80 0 0 21,21 0 1 4,6 0 0 65535,6 0 0 0' -j NFQUEUE --queue-num 1
-}
-
-stop_fun()
-{
- iptables -F
-
- /usr/sbin/ip rule del iif ${INCOMING_DEVICE} tab 100
- /usr/sbin/ip route del local default dev lo table 100
-
- /usr/sbin/ip rule del fwmark 0x65 lookup 101
- /usr/sbin/ip route del default dev ${INCOMING_DEVICE} via ${PEER_IP_ADDR} table 101
-
- /usr/sbin/ip -6 rule del iif ${INCOMING_DEVICE} tab 102
- /usr/sbin/ip -6 route del default via fd00::01
- /usr/sbin/ip -6 route del local default dev lo table 102
-
- /usr/sbin/ip addr del fd00::02/64 dev ${INCOMING_DEVICE}
-
- /usr/sbin/ip link set ${INCOMING_DEVICE} down
-
- # 删除虚拟网卡
- /usr/sbin/ip tuntap del dev ${INCOMING_DEVICE} mode tap
-}
-
-status_fun()
-{
- iptables -L
-}
-
-case "$1" in
- start)
- start_fun
- ;;
- stop)
- stop_fun
- ;;
- restart)
- stop_fun
- start_fun
- ;;
- status)
- status_fun
- ;;
- *)
- echo "Usage: $0 {start|stop|status|restart}"
-esac
-exit 0
diff --git a/init_tfe_env.sh b/init_tfe_env.sh
index 0c29f78..d0af4a0 100644
--- a/init_tfe_env.sh
+++ b/init_tfe_env.sh
@@ -19,7 +19,7 @@ dockerrmf ()
docker rm `docker ps --no-trunc -aq`
}
-cp tfe_sysctl.conf /etc/sysctl.d/
+cp 80-tfe.conf /etc/sysctl.d/
sysctl -p /etc/sysctl.d/tfe_sysctl.conf
#dockerrmf
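Review bot: The `sysctl -p` on the line after the changed `cp` still loads `/etc/sysctl.d/tfe_sysctl.conf`, but the file is now copied as `80-tfe.conf` (see the rename at the top of this diff), so on a fresh host the tuning is never applied and the sysctl error is ignored. Change it to `sysctl -p /etc/sysctl.d/80-tfe.conf`, and consider `cp 80-tfe.conf /etc/sysctl.d/ || exit 1` so a failed copy stops the setup instead of continuing without it. The enclosing script continues outside the hunk.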
@@ -76,4 +76,4 @@ echo "================ run 'iptables' in container ================"
ip netns exec ${container} iptables -L
echo "================ run 'ping' in container ================"
-ip netns exec ${container} ping -c10 ${PEER_IP}
+ip netns exec ${container} ping -c5 ${PEER_IP}
diff --git a/restart_vpp_sapp_tfe.sh b/restart_vpp_sapp_tfe.sh
new file mode 100755
index 0000000..8896350
--- /dev/null
+++ b/restart_vpp_sapp_tfe.sh
@@ -0,0 +1,19 @@
+#!bin/bash
+
+# work dir
+cd /root/tsg_container
+
+# stop sapp tfe vpp
+docker-compose down
+systemctl stop vpp
+
+# start vpp sapp tfe
+systemctl start vpp
+sleep 5
+docker-compose up >> restart.log &
+sleep 3
+
+# start tfe env
+sh init_tfe_env.sh
+
+cd -
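Review bot: The shebang `#!bin/bash` on the first line is missing its leading slash, so executing this file directly (it is committed as 0755) fails with "bad interpreter" and it only works when invoked through `sh`/`bash` explicitly. Use `#!/bin/bash`, and since every later step assumes the working directory, guard the change of directory with `cd /root/tsg_container || exit 1`; `set -eu` after the shebang would also stop the sequence when `systemctl start vpp` fails instead of bringing the containers up anyway. `docker-compose up` is backgrounded and then assumed ready after a fixed `sleep 3`, so `init_tfe_env.sh` may run before the containers exist; `docker-compose up -d` followed by a readiness check on the container would be more reliable than the sleep.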