feat: add ip block list settings

This commit is contained in:
Emil Zhai 2022-12-06 07:00:42 +00:00
parent 7d1905a556
commit de75cbb7ac
No known key found for this signature in database
GPG Key ID: 780B385DB72F1EBD
3 changed files with 161 additions and 0 deletions

View File

@ -92,6 +92,34 @@ class Access_Core
return $entrypoint;
}
/**
* 判断当前 IP 是否在屏蔽 IP()
*
* @access private
* @return bool
*/
private function isBlockIp($ip): ?bool
{
$version = Access_Ip::matchIPVersion($ip);
if ($version === null) {
return false;
}
$lines = explode('\n', $this->config->blockIps);
foreach ($lines as $line) {
$cidr = explode('#', $line)[0];
$cidr = trim($cidr);
if (!empty($cidr)) {
if (Access_Ip::matchCIDR($cidr, $ip)) {
return true;
}
}
}
return false;
}
/**
* 记录当前访问(管理员登录不会记录)
*
@ -107,6 +135,9 @@ class Access_Core
$url = $this->request->getServer('REQUEST_URI');
}
$ip = $this->request->getIp();
if ($this->isBlockIp($ip)) {
return;
}
if(!empty($ip)) {
# 解析ip归属地
try {

126
Access_Ip.php Normal file
View File

@ -0,0 +1,126 @@
<?php
if (!defined('__ACCESS_PLUGIN_ROOT__')) {
throw new Exception('Bootstrap file not found');
}
class Access_Ip
{
/**
* Check if a string is a valid IPv4 address
* @param string $str test string
* @return bool return true if it is a valid IPv4 address
*/
public static function isIPv4($str)
{
if (filter_var($str, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4)) {
return true;
}
return false;
}
/**
* Check if a string is a valid IPv6 address
* @param string $str test string
* @return bool return true if it is a valid IPv6 address
*/
public static function isIPv6($str)
{
if (filter_var($str, FILTER_VALIDATE_IP, FILTER_FLAG_IPV6)) {
return true;
}
return false;
}
/**
* Check if a string is a valid IP address, and return its version
* @param string $str test string
* @return number|null return version or null if it is not a ip address
*/
public static function matchIPVersion($str)
{
if (Access_Ip::isIPv4($str)) {
return 4;
}
if (Access_Ip::isIPv6($str)) {
return 6;
}
return null;
}
/**
* Check if an ip address is in the CIDR subnet.
* @param string $cidr - an ipv6 address, ex 1.2.3.5/24, ::1, 2001:288:5200::1, :: ,etc.
* @param string $addr - an ip subnet, ex 1.2.3.4 or 2001:288:5400/39 or 2001:288:5432:/64 or 2001:288:5478::/64..
* @return bool return true if $addr is inside the $cidr subnet, or return false.
*/
public static function matchCIDR($cidr, $addr)
{
$cidrVersion = Access_Ip::matchIPVersion(explode('/', $cidr)[0]);
$addrVersion = Access_Ip::matchIPVersion($addr);
if ($cidrVersion !== $addrVersion) {
return false;
}
if ($cidrVersion === 4) {
return Access_Ip::matchCIDRv4($cidr, $addr);
}
if ($cidrVersion === 6) {
return Access_Ip::matchCIDRv6($cidr, $addr);
}
return false;
}
/**
* Check if an ipv4 address is in the CIDRv4 subnet.
* @param $cidr string an ipv4 subnet ex .. 1.2.3.5/24
* @param $addr string an ipv4 address ex.. 1.2.3.4
* @return bool return true if $ip is inside the $cidr subnet, or return false.
*/
public static function matchCIDRv4($cidr, $addr)
{
$parts = explode('/', $cidr);
$cidr_ip = $parts[0];
$cidr_mask = count($parts) >= 2 ? $parts[1] : '32';
return (ip2long($addr) >> (32 - $cidr_mask) == ip2long($cidr_ip) >> (32 - $cidr_mask));
}
/**
* Convert an ipv6 address to bin string
* @param string $addr - an ipv6 address
* @return string return the binary string of an ipv6 address if parameter ip6 is an ipv6 address,
* else it return an empty string.
*/
public static function ExpandIPv6Notation2Bin($addr)
{
if (strpos($addr, '::') !== false) {
$addr = str_replace('::', str_repeat(':0', 8 - substr_count($addr, ':')) . ':', $addr);
}
$ip6parts = explode(':', $addr);
$res = "";
foreach ($ip6parts as $part) {
$res .= str_pad(base_convert($part, 16, 2), 16, 0, STR_PAD_LEFT);
}
return $res;
}
/**
* Check if an ipv6 address is in the CIDRv6 subnet.
* @param string $cidr - an ipv6 subnet, ex 2001:288:5400/39 or 2001:288:5432:/64 or 2001:288:5478::/64..
* @param string $addr - an ipv6 address, ex ::1, 2001:288:5200::1, :: ,etc.
* @return bool return true if $addr is inside the $cidr subnet, or return false.
*/
public static function MatchCIDRv6($cidr, $addr)
{
$parts = explode('/', $cidr);
$cidr_ip = $parts[0];
$cidr_mask = count($parts) >= 2 ? $parts[1] : '128';
$cidr_bin = substr(Access_Ip::ExpandIPv6Notation2Bin($cidr_ip), 0, $cidr_mask);
$ip_bin = substr(Access_Ip::ExpandIPv6Notation2Bin($addr), 0, $cidr_mask);
if (!strcmp($cidr_bin, $ip_bin))
return true;
return false;
}
}

View File

@ -75,9 +75,13 @@ class Access_Plugin implements Typecho_Plugin_Interface
'0' => '后端',
'1' => '前端',
), '0', '日志写入类型:', '请选择日志写入类型,如果写入速度较慢可选择前端写入日志。<br/>如果您使用了pjax请在pjax相关事件中调用 window.Access.track() 方法。');
$blockIps = new Typecho_Widget_Helper_Form_Element_Textarea(
'blockIps', null, '',
'IP 黑名单', '每行一个,不记录来自这些 IP 的访问记录,支持 CIDR 掩码配置,支持 # 行注释');
$form->addInput($pageSize);
$form->addInput($isDrop);
$form->addInput($writeType);
$form->addInput($blockIps);
}
/**