EasySite FireWall 防火墙模块

<?php
/**
	EasySite FireWall 防火墙模块
	13:25 2012/7/23
*/

define('FW_ADMIN_KEY',   '21232f297a57a5a743894a0e4a801fc3');  // 超级管理员密钥
define('FW_IP_RULE_FILE', APP_PATH.'Runtime/Conf/Config.Iprule.php');

$FW_DEFEND_IP_ON = false; 	// 开启IP规则过滤
$FW_DEFEND_IP_TP = 1; 	  	// 开设置IP过滤模式 0-IP黑名单过滤  1-IP白名单过滤
$FW_DEFEND_CC_ON = false; 	// 开启防恶意刷新
$FW_DEFEND_CC_TL = 5; 		// 每五次请求最小间隔时间/S

if(isset($_GET['fwkey']) || isset($_COOKIE['es_admin_fwkey'])){
	$fwkey = isset($_GET['fwkey']) ? trim($_GET['fwkey']) : 
	(isset($_COOKIE['es_admin_fwkey']) ? $_COOKIE['es_admin_fwkey'] : '');
    if($fwkey === FW_ADMIN_KEY) $FW_DEFEND_IP_ON  = $FW_DEFEND_CC_ON  = false;
	setcookie('es_admin_fwkey', $fwkey, time()+3600*24, SITE_PATH);
}

if(true === $FW_DEFEND_IP_ON){
	$client_ip = get_client_ip2();
	$MYFW_LIST = (include FW_IP_RULE_FILE);

	if(1 === $FW_DEFEND_IP_TP){
		$allowed = false;
		$MYFW_LIST = parse_ip_list($MYFW_LIST['whitelist']);
		foreach($MYFW_LIST as $ip){
			if(preg_match($ip, $client_ip)){
				$allowed = true;
				break;
			}
		}
		if(!$allowed){
			header('HTTP/1.1 403 Forbidden');
			exit('HTTP/1.1 403 ES FireWall Forbidden :  Not allowed IP');
		}
	}else{
		$MYFW_LIST = parse_ip_list($MYFW_LIST['blacklist']);
		foreach($MYFW_LIST as $ip){
			if(preg_match($ip, $client_ip)){
				header('HTTP/1.1 403 Forbidden');
				exit('HTTP/1.1 403 ES FireWall Forbidden :  Not allowed IP');
			}
		}
	}

	unset($allowed, $client_ip, $MYFW_LIST);
}


if(true === $FW_DEFEND_CC_ON){
	if(!session_id()) session_start();

	$nowtime = $lasttime = $_SERVER['REQUEST_TIME'];
	if(isset($_SESSION['FireWall'])){
		$lasttime = intval($_SESSION['FireWall']['lasttime']);
$fwtimes  = intval($_SESSION['FireWall']['fwtimes']) + 
(isset($_SERVER['HTTP_X_REQUESTED_WITH']) ? 0 : 1);
		$_SESSION['FireWall']['fwtimes'] = $fwtimes;
		
		
		if(($nowtime - $lasttime) < $FW_DEFEND_CC_TL){
			if($fwtimes >= 5){
				header('HTTP/1.1 403 Forbidden');
				$_SESSION['FireWall']['lasttime'] = $nowtime;
				exit('HTTP/1.1 403 ES FireWall Forbidden :  Not allowed CC');
			}
		}else{
			$_SESSION['FireWall']['fwtimes']  = 0;
			$_SESSION['FireWall']['lasttime'] = $nowtime;
		}
	
	}else{
		$_SESSION['FireWall']['fwtimes']  = 1;
		$_SESSION['FireWall']['lasttime'] = $nowtime;
	}

	unset($nowtime, $lasttime, $fwtimes);
}
?>

<?php

/**
 * 获取客户端IP
 * @param  void
 * @return String 客户端IP
 */
function get_client_ip2(){
	if(getenv('HTTP_CLIENT_IP')){
		$client_ip = getenv('HTTP_CLIENT_IP');
	}elseif(getenv('HTTP_X_FORWARDED_FOR')){
		$client_ip = getenv('HTTP_X_FORWARDED_FOR');
	}elseif(getenv('REMOTE_ADDR')) {
		$client_ip = getenv('REMOTE_ADDR');
	}else{
		$client_ip = $HTTP_SERVER_VARS['REMOTE_ADDR'];
	}
	return $client_ip;
}

/**
 * 解析IP规则列表
 * @param  void
 * @return Array IP规则列表
 */
function parse_ip_list($rules){
	$arr = array();
	foreach($rules as $rule){
		if($rule['start_time'] > $_SERVER['REQUEST_TIME'] || $rule['end_time'] 
		< $_SERVER['REQUEST_TIME']) continue;

		$ip = str_replace('.', '.', $rule['ip']);
		if($start = strstr($ip, '-')){
			$start = substr($ip, 0, - strlen(strrchr($ip, '.')) + 1);
			$pos = explode('-', trim(strrchr($ip, '.'), '.'));
			for($i=intval($pos[0]),$a=intval($pos[1])+1; $i < $a; $i++ ){
				$arr[] = '#^'.$start.$i.'$#i';
			}
		}elseif($start = strstr($ip, '[')){
			$_ips  = explode('|', substr($start, 1, -1));
		$arr[] = '#^'.substr($ip, 0, - strlen($start)).'(('.implode(')|(',$_ips ).'))'.'$#i';
		}elseif(strpos($ip, '*')){
	$arr[] = '#^'.str_replace('*', '((25[0-5])|(2[0-4]\d)|(1\d{2})|(\d{1,2}))', $ip).'$#i';
		}else{
			$arr[] = '#^'.$ip.'$#i';
		}
	}
	return $arr;
}
?>