TSG-91

* 修改策略编译配置表名称
* 增加对用户自定域协议字段处理
* 修改配置文件，json文件

plugin/business/pangu-http/src/pangu_http.cpp

@@ -469,6 +469,8 @@ static enum manipulate_action manipulate_action_str2idx(const char *action_str)
 void policy_action_param_new(int idx, const struct Maat_rule_t* rule, const char* srv_def_large,
 					 MAAT_RULE_EX_DATA* ad, long argl, void *argp)
 {
+	struct policy_action_param* param=NULL;
+
 	*ad=NULL;
 	if((unsigned int)rule->serv_def_len<strlen("{}")+1)
 	{
@@ -487,8 +489,18 @@ void policy_action_param_new(int idx, const struct Maat_rule_t* rule, const char
 		return;
 	}
 
-	struct policy_action_param* param=ALLOC(struct policy_action_param, 1);
+	item=cJSON_GetObjectItem(json, "protocol");
+	if(unlikely(!item || !cJSON_IsString(item)))
+	{
+		TFE_LOG_ERROR(g_pangu_rt->local_logger, "Invalid policy parameter: %d invalid protocol format", rule->config_id);
+        goto error_out;
+	}
+	if(0!=strcasecmp(item->valuestring, "http"))
+	{
+		goto error_out;
+	}
 
+	param=ALLOC(struct policy_action_param, 1);
  	param->ref_cnt=1;
 	pthread_mutex_init(&(param->lock), NULL);
 
@@ -572,8 +584,10 @@ void policy_action_param_new(int idx, const struct Maat_rule_t* rule, const char
 		default: assert(0);
 			break;
 	}
-	cJSON_Delete(json);
 	*ad=param;
+	TFE_LOG_INFO(g_pangu_rt->local_logger, "Add ctrl policy: %d", rule->config_id);
+error_out:
+	cJSON_Delete(json);
 	return;
 }
 
@@ -1658,7 +1672,7 @@ static void http_hijack(const struct tfe_http_session * session, enum tfe_http_e
 	}
 
 	if (tfe_http_in_request(events))
-	{		
+	{
 		return;
 	}
 
@@ -1696,9 +1710,9 @@ static void http_hijack(const struct tfe_http_session * session, enum tfe_http_e
 		}
 		const char* cont_disposition_val=tfe_http_std_field_read(to_write_sess->resp, TFE_HTTP_CONT_DISPOSITION);
 		if (cont_disposition_val != NULL)
-		{		
+		{
 			tfe_http_std_field_write(response, TFE_HTTP_CONT_DISPOSITION, cont_disposition_val);
-		}	
+		}
 		tfe_http_std_field_write(response, TFE_HTTP_CONT_TYPE, hijack_profile->profile_type);
 		snprintf(cont_len_str, sizeof(cont_len_str), "%lu", hijack_size);
 		tfe_http_std_field_write(response, TFE_HTTP_CONT_LENGTH, cont_len_str);

plugin/business/pangu-http/src/pangu_logger.cpp

@@ -191,12 +191,13 @@ int pangu_send_log(struct pangu_logger* handle, const struct pangu_log* log_msg)
 
 	const char *app_proto[]= {"unkonw","http1", "http2"};
 
-	struct json_spec req_fields[]={	{"cookie", TFE_HTTP_COOKIE},
+	struct json_spec req_fields[]={	{"http_cookie", TFE_HTTP_COOKIE},
-									{"referer", TFE_HTTP_REFERER},
+									{"http_referer", TFE_HTTP_REFERER},
-									{"user_agent", TFE_HTTP_USER_AGENT} };
+									{"http_user_agent", TFE_HTTP_USER_AGENT} };
 
-	struct json_spec resp_fields[]={	{"content_type", TFE_HTTP_CONT_TYPE},
+	struct json_spec resp_fields[]={	{"http_content_type", TFE_HTTP_CONT_TYPE},
-										{"content_len", TFE_HTTP_CONT_LENGTH} };
+										{"http_content_length", TFE_HTTP_CONT_LENGTH},
+										{"http_set_cookie", TFE_HTTP_SET_COOKIE}};
 
 	if (!handle->en_sendlog)
 	{
@@ -206,43 +207,55 @@ int pangu_send_log(struct pangu_logger* handle, const struct pangu_log* log_msg)
 	common_obj=cJSON_CreateObject();
 	cur_time = time(NULL);
 
-	cJSON_AddNumberToObject(common_obj, "start_time", cur_time);
+	cJSON_AddNumberToObject(common_obj, "common_start_time", cur_time);
-	cJSON_AddNumberToObject(common_obj, "end_time", cur_time);
+	cJSON_AddNumberToObject(common_obj, "common_end_time", cur_time);
-	cJSON_AddStringToObject(common_obj, "app_proto", app_proto[http->major_version]);
+	cJSON_AddStringToObject(common_obj, "http_version", app_proto[http->major_version]);
+
+	uint64_t opt_val;
+	uint16_t opt_out_size;
+	struct tfe_cmsg * cmsg = tfe_stream_get0_cmsg(log_msg->stream);
+	if (cmsg!=NULL)
+	{
+		int ret = tfe_cmsg_get_value(cmsg, TFE_CMSG_STREAM_TRACE_ID, (unsigned char *) &opt_val, sizeof(opt_val), &opt_out_size);
+		if (ret==0)
+		{
+			cJSON_AddNumberToObject(common_obj, "common_stream_trace_id", opt_val);
+		}
+	}
 
 	switch(addr->addrtype)
 	{
 		case TFE_ADDR_STREAM_TUPLE4_V4:
-			cJSON_AddNumberToObject(common_obj, "addr_type", 4);
+			cJSON_AddNumberToObject(common_obj, "common_address_type", 4);
 			inet_ntop(AF_INET, &addr->tuple4_v4->saddr, src_ip_str, sizeof(src_ip_str));
 			inet_ntop(AF_INET, &addr->tuple4_v4->daddr, dst_ip_str, sizeof(dst_ip_str));
-			cJSON_AddStringToObject(common_obj, "client_ip", src_ip_str);
+			cJSON_AddStringToObject(common_obj, "common_client_ip", src_ip_str);
-			cJSON_AddStringToObject(common_obj, "server_ip", dst_ip_str);
+			cJSON_AddStringToObject(common_obj, "common_server_ip", dst_ip_str);
-			cJSON_AddNumberToObject(common_obj, "client_port", ntohs(addr->tuple4_v4->source));
+			cJSON_AddNumberToObject(common_obj, "common_client_port", ntohs(addr->tuple4_v4->source));
-			cJSON_AddNumberToObject(common_obj, "server_port", ntohs(addr->tuple4_v4->dest));
+			cJSON_AddNumberToObject(common_obj, "common_server_port", ntohs(addr->tuple4_v4->dest));
-			cJSON_AddStringToObject(common_obj, "trans_proto", "IPv4_TCP");
+			cJSON_AddStringToObject(common_obj, "common_l4_protocol", "IPv4_TCP");
 			break;
 		case TFE_ADDR_STREAM_TUPLE4_V6:
-			cJSON_AddNumberToObject(common_obj, "addr_type", 6);
+			cJSON_AddNumberToObject(common_obj, "common_address_type", 6);
 			inet_ntop(AF_INET6, &addr->tuple4_v6->saddr, src_ip_str, sizeof(src_ip_str));
 			inet_ntop(AF_INET6, &addr->tuple4_v6->daddr, dst_ip_str, sizeof(dst_ip_str));
-			cJSON_AddStringToObject(common_obj, "client_ip", src_ip_str);
+			cJSON_AddStringToObject(common_obj, "common_client_ip", src_ip_str);
-			cJSON_AddStringToObject(common_obj, "server_ip", dst_ip_str);
+			cJSON_AddStringToObject(common_obj, "common_server_ip", dst_ip_str);
-			cJSON_AddNumberToObject(common_obj, "client_port", ntohs(addr->tuple4_v6->source));
+			cJSON_AddNumberToObject(common_obj, "common_client_port", ntohs(addr->tuple4_v6->source));
-			cJSON_AddNumberToObject(common_obj, "server_port", ntohs(addr->tuple4_v6->dest));
+			cJSON_AddNumberToObject(common_obj, "common_server_port", ntohs(addr->tuple4_v6->dest));
-			cJSON_AddStringToObject(common_obj, "trans_proto", "IPv6_TCP");
+			cJSON_AddStringToObject(common_obj, "common_l4_protocol", "IPv6_TCP");
 			break;
 		default:
 			break;
 	}
-	cJSON_AddNumberToObject(common_obj, "direction", 0);	//0：域内->域外，1：域外->域内，描述的是CLIENT_IP信息
+	cJSON_AddNumberToObject(common_obj, "common_direction", 0);	//0：域内->域外，1：域外->域内，描述的是CLIENT_IP信息
-	cJSON_AddNumberToObject(common_obj, "Link_id", 0);
+	cJSON_AddNumberToObject(common_obj, "common_link_id", 0);
-	cJSON_AddNumberToObject(common_obj, "stream_dir", 3);	//1:c2s, 2:s2c, 3:double
+	cJSON_AddNumberToObject(common_obj, "common_stream_dir", 3);	//1:c2s, 2:s2c, 3:double
-	cJSON_AddStringToObject(common_obj, "cap_ip", handle->local_ip_str);
+	cJSON_AddStringToObject(common_obj, "common_sled_ip", handle->local_ip_str);
-	cJSON_AddNumberToObject(common_obj, "entrance_id", handle->entry_id);
+	cJSON_AddNumberToObject(common_obj, "common_entrance_id", handle->entry_id);
-	cJSON_AddNumberToObject(common_obj, "device_id", 0);
+	cJSON_AddNumberToObject(common_obj, "common_device_id", 0);
-	cJSON_AddStringToObject(common_obj, "url", http->req->req_spec.url);
+	cJSON_AddStringToObject(common_obj, "http_url", http->req->req_spec.url);
-	cJSON_AddStringToObject(common_obj, "host", http->req->req_spec.host);
+	cJSON_AddStringToObject(common_obj, "http_host", http->req->req_spec.host);
 	for(size_t i=0;i<sizeof(req_fields)/sizeof(struct json_spec);i++)
 	{
 		tmp_val=tfe_http_std_field_read(http->req, req_fields[i].field_id);
@@ -280,7 +293,7 @@ int pangu_send_log(struct pangu_logger* handle, const struct pangu_log* log_msg)
 														log_file_upload_path, sizeof(log_file_upload_path));
 		if(tmp==0)
 		{
-			cJSON_AddStringToObject(common_obj, "req_body", log_file_upload_path);
+			cJSON_AddStringToObject(common_obj, "http_request_body", log_file_upload_path);
 		}
 		else
 		{
@@ -306,8 +319,7 @@ int pangu_send_log(struct pangu_logger* handle, const struct pangu_log* log_msg)
 
 		if(tmp==0)
 		{
-			cJSON_AddStringToObject(common_obj, "resp_body", log_file_upload_path);
+			cJSON_AddStringToObject(common_obj, "http_response_body", log_file_upload_path);
-
 		}
 		else
 		{
@@ -331,9 +343,9 @@ int pangu_send_log(struct pangu_logger* handle, const struct pangu_log* log_msg)
 		}
 
 		per_hit_obj=cJSON_Duplicate(common_obj, 1);
-		cJSON_AddNumberToObject(per_hit_obj, "policy_id", log_msg->result[i].config_id);
+		cJSON_AddNumberToObject(per_hit_obj, "common_policy_id", log_msg->result[i].config_id);
-		cJSON_AddNumberToObject(per_hit_obj, "service", log_msg->result[i].service_id);
+		cJSON_AddNumberToObject(per_hit_obj, "common_service", log_msg->result[i].service_id);
-		cJSON_AddNumberToObject(per_hit_obj, "action", (unsigned char)log_msg->result[i].action);
+		cJSON_AddNumberToObject(per_hit_obj, "common_action", (unsigned char)log_msg->result[i].action);
 		log_payload = cJSON_PrintUnformatted(per_hit_obj);
 
 		TFE_LOG_DEBUG(handle->local_logger, "%s", log_payload);

plugin/business/ssl-policy/src/ssl_policy.cpp

@@ -60,26 +60,38 @@ void intercept_param_new_cb(int table_id, const char* key, const char* table_lin
 	struct ssl_policy_enforcer* enforcer=(struct ssl_policy_enforcer*)argp;
 	ret=Maat_helper_read_column(table_line, 7, &intercept_user_region_offset, &len);
 	if(ret<0)
-	{	
+	{
 		TFE_LOG_ERROR(enforcer->logger, "Get intercept user region: %s", table_line);
 		return;
-	}	
+	}
 	json_str=ALLOC(char, len+1);
-	memcpy(json_str, table_line+intercept_user_region_offset, len);	
+	memcpy(json_str, table_line+intercept_user_region_offset, len);
 	json=cJSON_Parse(json_str);
 	if(json==NULL)
 	{
 		TFE_LOG_ERROR(enforcer->logger, "Invalid intercept parameter: id = %s", key);
 		goto error_out;
 	}
-	param=ALLOC(struct intercept_param, 1);	
+
+	item=cJSON_GetObjectItem(json, "protocol");
+	if(unlikely(!item || !cJSON_IsString(item)))
+	{
+		TFE_LOG_ERROR(enforcer->logger, "Invalid intercept parameter: %s invalid protocol format", key);
+        goto error_out;
+	}
+	if (0!=strcasecmp(item->valuestring, "SSL/HTTP"))
+	{
+		goto error_out;
+	}
+
+	param=ALLOC(struct intercept_param, 1);
 	param->policy_id=atoi(key);
 	param->ref_cnt=1;
 	param->bypass_mutual_auth=1;
 	param->bypass_pinning=1;
 	param->mirror_client_version=1;
 	param->keyring=1;
-	
+
 	item=cJSON_GetObjectItem(json, "keyring");
 	if(item)
 	{
@@ -96,7 +108,7 @@ void intercept_param_new_cb(int table_id, const char* key, const char* table_lin
 			TFE_LOG_ERROR(enforcer->logger, "Invalid intercept parameter: %d invalid keyring format", param->policy_id);
 		}
 	}
-	
+
 	exclusions=cJSON_GetObjectItem(json, "dynamic_bypass");
 	if(exclusions)
 	{
@@ -119,7 +131,7 @@ void intercept_param_new_cb(int table_id, const char* key, const char* table_lin
 		if(approach)
 		{
 			item=cJSON_GetObjectItem(approach, "cn");
-			if(item && item->type==cJSON_Number && item->valueint==0) param->no_verify_cn=1;			
+			if(item && item->type==cJSON_Number && item->valueint==0) param->no_verify_cn=1;
 			item=cJSON_GetObjectItem(approach, "issuer");
 			if(item && item->type==cJSON_Number && item->valueint==0) param->no_verify_issuer=1;
 			item=cJSON_GetObjectItem(approach, "self-signed");
@@ -138,14 +150,14 @@ void intercept_param_new_cb(int table_id, const char* key, const char* table_lin
 	}
 	ssl_ver=cJSON_GetObjectItem(json, "protocol_version");
 	if(ssl_ver)
-	{		
+	{
-		item=cJSON_GetObjectItem(ssl_ver, "mirror_client");	
+		item=cJSON_GetObjectItem(ssl_ver, "mirror_client");
 		if(item && item->type==cJSON_Number) param->mirror_client_version=item->valueint;
 		if(!param->mirror_client_version)
 		{
-			item=cJSON_GetObjectItem(ssl_ver, "min");	
+			item=cJSON_GetObjectItem(ssl_ver, "min");
 			if(item && item->type==cJSON_String) param->ssl_min_version=sslver_str2num(item->valuestring);
-			item=cJSON_GetObjectItem(ssl_ver, "max");	
+			item=cJSON_GetObjectItem(ssl_ver, "max");
 			if(item && item->type==cJSON_String) param->ssl_max_version=sslver_str2num(item->valuestring);
 			if(param->ssl_min_version<0||param->ssl_max_version<0)
 			{
@@ -153,12 +165,12 @@ void intercept_param_new_cb(int table_id, const char* key, const char* table_lin
 				TFE_LOG_ERROR(enforcer->logger, "Invalid intercept parameter: ssl version = %s", item->valuestring);
 			}
 		}
-		item=cJSON_GetObjectItem(ssl_ver, "allow_http2"); 
+		item=cJSON_GetObjectItem(ssl_ver, "allow_http2");
 		if(item && item->type==cJSON_Number) param->allow_http2=item->valueint;
 	}
 	*ad=param;
 	TFE_LOG_INFO(enforcer->logger, "Add intercept policy: %d", param->policy_id);
-error_out:	
+error_out:
 	cJSON_Delete(json);
 	free(json_str);
 	return;
@@ -171,7 +183,7 @@ void intercept_param_free_cb(int table_id, MAAT_PLUGIN_EX_DATA* ad, long argl, v
 	{
 		return;
 	}
-	
+
     if ((__sync_sub_and_fetch(&param->ref_cnt, 1) == 0))
 	{
 		TFE_LOG_INFO(enforcer->logger, "Del intercept policy %d", param->policy_id);\
@@ -189,10 +201,10 @@ struct ssl_policy_enforcer* ssl_policy_enforcer_create(void* logger)
 	struct ssl_policy_enforcer* enforcer=ALLOC(struct ssl_policy_enforcer, 1);
 	enforcer->maat=g_business_maat;
 	enforcer->logger=logger;
-	enforcer->table_id=Maat_table_register(enforcer->maat, "PXY_INTERCEPT_COMPILE");
+	enforcer->table_id=Maat_table_register(enforcer->maat, "TSG_SECURITY_COMPILE");
-	UNUSED int ret=Maat_plugin_EX_register(enforcer->maat, 
+	UNUSED int ret=Maat_plugin_EX_register(enforcer->maat,
 							enforcer->table_id,
-							intercept_param_new_cb,							
+							intercept_param_new_cb,
 							intercept_param_free_cb,
 							intercept_param_dup_cb,
 							NULL,
@@ -222,7 +234,7 @@ enum ssl_stream_action ssl_policy_enforce(struct ssl_stream *upstream, void* u_p
 	else
 	{
 		ssl_stream_get_string_opt(upstream, SSL_STREAM_OPT_SNI, sni, sizeof(sni));
-		ssl_stream_get_string_opt(upstream, SSL_STREAM_OPT_ADDR, addr_string, sizeof(addr_string));		
+		ssl_stream_get_string_opt(upstream, SSL_STREAM_OPT_ADDR, addr_string, sizeof(addr_string));
 		TFE_LOG_DEBUG(enforcer->logger, "%s %s enforce policy %d", addr_string, sni, policy_id);
 	}
 	int pinning_staus=0, is_ev=0, is_ct=0, is_mauth=0, has_error=0;

plugin/business/traffic-mirror/src/entry.cpp

@@ -83,6 +83,17 @@ void policy_table_ex_data_new_cb(int table_id, const char * key, const char * ta
         goto ignore;
     }
 
+	json_item=cJSON_GetObjectItem(json_root, "protocol");
+	if (unlikely(!json_item || !cJSON_IsString(json_item)))
+	{
+		TFE_LOG_ERROR(instance->logger, "invalid JSON, protocol not existed or invalid type.");
+        goto ignore;
+	}
+	if (0!=strcasecmp(json_item->valuestring, "SSL/HTTP"))
+	{
+		goto out;
+	}
+
     json_subroot = cJSON_GetObjectItem(json_root, "decrypt_mirror");
     if (unlikely(!json_subroot))
     {
@@ -496,10 +507,10 @@ int traffic_mirror_init(struct tfe_proxy * proxy)
     }
 
 	/* REGISTER MAAT FEATHER */
-	instance->policy_table_id = Maat_table_register(instance->maat_feather, "PXY_INTERCEPT_COMPILE");
+	instance->policy_table_id = Maat_table_register(instance->maat_feather, "TSG_SECURITY_COMPILE");
 	if (unlikely(instance->policy_table_id < 0))
     {
-        TFE_LOG_ERROR(instance->logger, "failed at register table PXY_INTERCEPT_COMPILE, ret = %d",
+        TFE_LOG_ERROR(instance->logger, "failed at register table TSG_SECURITY_COMPILE, ret = %d",
             instance->policy_table_id); goto errout;
     }
 

plugin/protocol/http2/src/http2_stream.cpp

@@ -2003,6 +2003,32 @@ nghttp2_client_on_frame_recv(nghttp2_session *session,
 	return 0;
 }
 
+static enum tfe_stream_action
+nghttp2_submit_data_by_user(struct tfe_h2_stream *connection,
+						    struct tfe_h2_session *h2_session,
+						    enum tfe_conn_dir dir)
+{	
+	int rv = -1;
+	enum tfe_stream_action stream_action = ACTION_DROP_DATA;	
+	
+	struct tfe_h2_half_private *h2_half = tfe_h2_stream_get_half(h2_session, dir);
+	nghttp2_session *ngh2_session = tfe_h2_stream_get_nghttp2_session(connection, dir);
+
+	struct tfe_h2_payload *body = &h2_half->h2_payload;
+
+	nghttp2_data_provider upstream_data_provider;
+	upstream_data_provider.source.ptr    = (void *)body;
+	upstream_data_provider.read_callback = upstream_read_callback;
+
+	rv = nghttp2_submit_data(ngh2_session, body->flags,
+	                       h2_session->ngh2_stream_id, &upstream_data_provider);
+	if (rv != 0){
+		stream_action = ACTION_FORWARD_DATA;
+	    //printf("Fatal server submit data error: %s\n", nghttp2_strerror(rv));
+	}
+	return stream_action;
+}
+
 static int
 nghttp2_client_on_data_chunk_recv(nghttp2_session *session, uint8_t flags,
 							      int32_t stream_id, const uint8_t *input,
@@ -2041,6 +2067,26 @@ nghttp2_client_on_data_chunk_recv(nghttp2_session *session, uint8_t flags,
 			input      = (const uint8_t*)uncompr;
 			input_len  = uncompr_len;
 		}
+		else
+		{
+			/*if input is end_stream, send by nghttp2_submit_frame_data **/	
+			if (flags != NGHTTP2_FLAG_END_STREAM)
+			{
+				/**Decompression failed, send this data**/		
+				stream_action = nghttp2_submit_data_by_user(h2_stream_info, h2_session, CONN_DIR_UPSTREAM);
+				if (stream_action == ACTION_DROP_DATA)
+				{
+					xret = nghttp2_session_send(h2_stream_info->as_server);
+					if (xret != 0) 
+					{
+						stream_action = ACTION_FORWARD_DATA;
+						TFE_LOG_ERROR(logger()->handle, "Fatal upstream(%d) send error: %s\n",stream_id, nghttp2_strerror(xret));
+					}
+				}			
+				h2_stream_info->stream_action = stream_action;
+				return 0;
+			}
+		}
 	}
 	data = input;
 	len  = input_len;

resource/pangu/pangu_http.json

@@ -9,7 +9,7 @@
             "do_blacklist": 1,
 						"do_log": 1,
             "effective_range": 0,
-            "user_region": "{\"method\":\"redirect\",\"code\":302,\"to\":\"https://www.baidu.com/index.html\"}",
+            "user_region": "{\"protocol\":\"http\",\"method\":\"redirect\",\"code\":302,\"to\":\"https://www.baidu.com/index.html\"}",
 	    "is_valid": "yes",
             "groups": [
                 {
@@ -35,7 +35,7 @@
             "do_blacklist": 1,
 						"do_log": 1,
             "effective_range": 0,
-            "user_region": "{\"method\":\"block\",\"code\":403,\"message\":\"error\",\"html_profile\":101}",
+            "user_region": "{\"protocol\":\"http\",\"method\":\"block\",\"code\":403,\"message\":\"error\",\"html_profile\":101}",
             "is_valid": "yes",
             "groups": [
                 {
@@ -61,7 +61,7 @@
             "do_blacklist": 1,
 			"do_log": 1,
             "effective_range": 0,
-            "user_region": "{\"method\":\"block\",\"code\":403,\"message\":\"error\",\"html_profile\":102}",
+            "user_region": "{\"protocol\":\"http\",\"method\":\"block\",\"code\":403,\"message\":\"error\",\"html_profile\":102}",
             "is_valid": "yes",
             "groups": [
                 {
@@ -87,7 +87,7 @@
             "do_blacklist": 1,
 						"do_log": 1,
             "effective_range": 0,
-            "user_region": "{\"method\":\"replace\",\"rules\":[{\"search_in\":\"http_resp_body\",\"find\":\"比特币\",\"replace_with\":\"硬币\"}]}",
+            "user_region": "{\"protocol\":\"http\",\"method\":\"replace\",\"rules\":[{\"search_in\":\"http_resp_body\",\"find\":\"比特币\",\"replace_with\":\"硬币\"}]}",
             "is_valid": "yes",
             "groups": [
                 {
@@ -113,7 +113,7 @@
             "do_blacklist": 1,
 			"do_log": 1,
             "effective_range": 0,
-            "user_region": "{\"method\":\"hijack\",\"hijack_profile\":201}",
+            "user_region": "{\"protocol\":\"http\",\"method\":\"hijack\",\"hijack_profile\":201}",
             "is_valid": "yes",
             "groups": [
                 {
@@ -139,7 +139,7 @@
             "do_blacklist": 1,
 						"do_log": 1,
             "effective_range": 0,
-            "user_region": "{\"method\":\"hijack\",\"hijack_profile\":201}",
+            "user_region": "{\"protocol\":\"http\",\"method\":\"hijack\",\"hijack_profile\":201}",
             "is_valid": "yes",
             "groups": [
                 {
@@ -165,7 +165,7 @@
             "do_blacklist": 1,
 			"do_log": 1,
             "effective_range": 0,
-            "user_region": "{\"method\":\"hijack\",\"hijack_profile\":202}",
+            "user_region": "{\"protocol\":\"http\",\"method\":\"hijack\",\"hijack_profile\":202}",
             "is_valid": "yes",
             "groups": [
                 {
@@ -191,7 +191,7 @@
             "do_blacklist": 1,
 						"do_log": 1,
             "effective_range": 0,
-            "user_region": "{\"method\":\"insert\",\"insert_profile\":302}",
+            "user_region": "{\"protocol\":\"http\",\"method\":\"insert\",\"insert_profile\":302}",
             "is_valid": "yes",
             "groups": [
                 {
@@ -217,7 +217,7 @@
             "do_blacklist": 1,
             "do_log": 1,
             "effective_range": 0,
-            "user_region": "{\"method\":\"insert\",\"insert_profile\":303,\"position\":\"after-page-load\"}",
+            "user_region": "{\"protocol\":\"http\",\"method\":\"insert\",\"insert_profile\":303,\"position\":\"after-page-load\"}",
             "is_valid": "yes",
             "groups": [
                 {
@@ -243,7 +243,7 @@
             "do_blacklist": 1,
             "do_log": 1,
             "effective_range": 0,
-            "user_region": "{\"method\":\"insert\",\"insert_profile\":303,\"position\":\"before-page-load\"}",
+            "user_region": "{\"protocol\":\"http\",\"method\":\"insert\",\"insert_profile\":303,\"position\":\"before-page-load\"}",
             "is_valid": "yes",
             "groups": [
                 {
@@ -269,7 +269,7 @@
             "do_blacklist": 1,
 						"do_log": 1,
             "effective_range": 0,
-            "user_region": "{\"method\":\"replace\",\"rules\":[{\"search_in\":\"http_req_uri\",\"find\":\"(?<=\\\\\\?|^|&)q=([^&|^#]*)(?=&|$)\",\"replace_with\":\"q=find\"},{\"search_in\":\"http_req_uri\",\"find\":\"(?<=\\\\\\?|^|&)ei=([^&|^#]*)(?=&|$)\",\"replace_with\":\"ei=chaxun\"}]}",
+            "user_region": "{\"protocol\":\"http\",\"method\":\"replace\",\"rules\":[{\"search_in\":\"http_req_uri\",\"find\":\"(?<=\\\\\\?|^|&)q=([^&|^#]*)(?=&|$)\",\"replace_with\":\"q=find\"},{\"search_in\":\"http_req_uri\",\"find\":\"(?<=\\\\\\?|^|&)ei=([^&|^#]*)(?=&|$)\",\"replace_with\":\"ei=chaxun\"}]}",
             "is_valid": "yes",
             "groups": [
                 {
@@ -300,23 +300,23 @@
         {
             "table_name": "PXY_PROFILE_HIJACK_FILES",
             "table_content": [
-                "201\tchakanqi-947KB.exe\tapplication/x-msdos-program\t./resource/pangu/policy_file/chakanqi-947KB.exe\t1",
+                "201\tchakanqi\tchakanqi-947KB.exe\tapplication/x-msdos-program\t./resource/pangu/policy_file/chakanqi-947KB.exe\t1",
-                "202\tWPS8648-132M.exe\tapplication/x-msdos-program\t./resource/pangu/policy_file/WPS8648-132M.exe\t1"
+                "202\tWPS8648\tWPS8648-132M.exe\tapplication/x-msdos-program\t./resource/pangu/policy_file/WPS8648-132M.exe\t1"
             ]
         },
 				{
             "table_name": "PXY_PROFILE_INSERT_SCRIPTS",
             "table_content": [
-                "301\ttime\tjs\t./resource/pangu/policy_file/time.js\t1",
+                "301\ttime\tjs\t./resource/pangu/policy_file/time.js\tbefore_page_load\t1",
-                "302\tu1\tcss\t./resource/pangu/policy_file/u1.css\t1",
+                "302\tu1\tcss\t./resource/pangu/policy_file/u1.css\tbefore_page_load\t1",
-                "303\tu1\tjs\t./resource/pangu/policy_file/alert.js\t1"
+                "303\tu1\tjs\t./resource/pangu/policy_file/alert.js\tbefore_page_load\t1"
             ]
         },
 				{
-            "table_name": "PXY_INTERCEPT_COMPILE",
+            "table_name": "TSG_SECURITY_COMPILE",
             "table_content": [
-                "0\t0\t2\t1\t1\t{}\t{\"keyring\":765,\"dynamic_bypass\":{\"ev_cert\":0,\"cert_transparency\":0,\"mutual_authentication\":1,\"cert_pinning\":1,\"protocol_errors\":1},\"certificate_checks\":{\"approach\":{\"cn\":1,\"issuer\":1,\"self-signed\":1,\"expiration\":0},\"fail_action\":\"pass-through\"},\"protocol_version\":{\"min\":\"ssl3\",\"max\":\"ssl3\",\"mirror_client\":1,\"allow_http2\":1},\"decrypt_mirror\":{\"enable\":0}}\t1\t2",
+                "0\t0\t2\t1\t1\t{}\t{\"protocol\":\"SSL/HTTP\",\"keyring\":765,\"dynamic_bypass\":{\"ev_cert\":0,\"cert_transparency\":0,\"mutual_authentication\":1,\"cert_pinning\":1,\"protocol_errors\":1},\"certificate_checks\":{\"approach\":{\"cn\":1,\"issuer\":1,\"self-signed\":1,\"expiration\":0},\"fail_action\":\"pass-through\"},\"protocol_version\":{\"min\":\"ssl3\",\"max\":\"ssl3\",\"mirror_client\":1,\"allow_http2\":1},\"decrypt_mirror\":{\"enable\":0}}\t1\t2",
-                "1\t0\t2\t1\t1\t{}\t{\"keyring\":0,\"dynamic_bypass\":{\"ev_cert\":0,\"cert_transparency\":0,\"mutual_authentication\":1,\"cert_pinning\":1},\"certificate_checks\":{\"approach\":{\"cn\":1,\"issuer\":1,\"self-signed\":1,\"expiration\":1},\"fail_action\":\"pass-through\"},\"protocol_version\":{\"min\":\"ssl3\",\"max\":\"tls13\",\"mirror_client\":1},\"decrypt_mirror\":{\"enable\":1,\"mirror_profile\":4}}\t1\t2"
+                "1\t0\t2\t1\t1\t{}\t{\"protocol\":\"SSL/HTTP\",\"keyring\":0,\"dynamic_bypass\":{\"ev_cert\":0,\"cert_transparency\":0,\"mutual_authentication\":1,\"cert_pinning\":1},\"certificate_checks\":{\"approach\":{\"cn\":1,\"issuer\":1,\"self-signed\":1,\"expiration\":1},\"fail_action\":\"pass-through\"},\"protocol_version\":{\"min\":\"ssl3\",\"max\":\"tls13\",\"mirror_client\":1},\"decrypt_mirror\":{\"enable\":1,\"mirror_profile\":4}}\t1\t2"
             ]
         }
     ]

resource/pangu/table_info.conf

@@ -42,5 +42,5 @@
 16	PXY_PROFILE_RESPONSE_PAGES plugin	{"key":1,"foreign":"4","valid":5}
 17	PXY_PROFILE_HIJACK_FILES   plugin	{"key":1,"foreign":"5","valid":6}
 18	PXY_PROFILE_INSERT_SCRIPTS plugin	{"key":1,"foreign":"4","valid":6}
-19	PXY_INTERCEPT_COMPILE	plugin	{"key":1,"valid":8}
+19	TSG_SECURITY_COMPILE	plugin	{"key":1,"valid":8}
 20	PXY_PROFILE_TRAFFIC_MIRROR	plugin	{"key":1,"valid":4}

resource/pangu/table_info_traffic_mirror.conf

@@ -15,5 +15,5 @@
 #
 #For expr/expr_plus Table
 #id	name	type	src_charset	dst_charset	do_merge cross_cache quick_mode
-0	PXY_INTERCEPT_COMPILE	plugin	{"key":1,"valid":8}
+0	TSG_SECURITY_COMPILE	plugin	{"key":1,"valid":8}
 1	PXY_PROFILE_TRAFFIC_MIRROR	plugin	{"key":1,"valid":4}