Annotation of embedaddon/lighttpd/src/mod_evasive.c, revision 1.1
1.1 ! misho 1: #include "base.h"
! 2: #include "log.h"
! 3: #include "buffer.h"
! 4:
! 5: #include "plugin.h"
! 6:
! 7: #include "inet_ntop_cache.h"
! 8:
! 9: #include <ctype.h>
! 10: #include <stdlib.h>
! 11: #include <string.h>
! 12:
! 13: /**
! 14: * mod_evasive
! 15: *
! 16: * we indent to implement all features the mod_evasive from apache has
! 17: *
! 18: * - limit of connections per IP
! 19: * - provide a list of block-listed ip/networks (no access)
! 20: * - provide a white-list of ips/network which is not affected by the limit
! 21: * (hmm, conditionals might be enough)
! 22: * - provide a bandwidth limiter per IP
! 23: *
! 24: * started by:
! 25: * - w1zzard@techpowerup.com
! 26: */
! 27:
! 28: typedef struct {
! 29: unsigned short max_conns;
! 30: unsigned short silent;
! 31: } plugin_config;
! 32:
! 33: typedef struct {
! 34: PLUGIN_DATA;
! 35:
! 36: plugin_config **config_storage;
! 37:
! 38: plugin_config conf;
! 39: } plugin_data;
! 40:
! 41: INIT_FUNC(mod_evasive_init) {
! 42: plugin_data *p;
! 43:
! 44: p = calloc(1, sizeof(*p));
! 45:
! 46: return p;
! 47: }
! 48:
! 49: FREE_FUNC(mod_evasive_free) {
! 50: plugin_data *p = p_d;
! 51:
! 52: UNUSED(srv);
! 53:
! 54: if (!p) return HANDLER_GO_ON;
! 55:
! 56: if (p->config_storage) {
! 57: size_t i;
! 58: for (i = 0; i < srv->config_context->used; i++) {
! 59: plugin_config *s = p->config_storage[i];
! 60:
! 61: free(s);
! 62: }
! 63: free(p->config_storage);
! 64: }
! 65:
! 66: free(p);
! 67:
! 68: return HANDLER_GO_ON;
! 69: }
! 70:
! 71: SETDEFAULTS_FUNC(mod_evasive_set_defaults) {
! 72: plugin_data *p = p_d;
! 73: size_t i = 0;
! 74:
! 75: config_values_t cv[] = {
! 76: { "evasive.max-conns-per-ip", NULL, T_CONFIG_SHORT, T_CONFIG_SCOPE_CONNECTION }, /* 0 */
! 77: { "evasive.silent", NULL, T_CONFIG_BOOLEAN, T_CONFIG_SCOPE_CONNECTION }, /* 1 */
! 78: { NULL, NULL, T_CONFIG_UNSET, T_CONFIG_SCOPE_UNSET }
! 79: };
! 80:
! 81: p->config_storage = calloc(1, srv->config_context->used * sizeof(specific_config *));
! 82:
! 83: for (i = 0; i < srv->config_context->used; i++) {
! 84: plugin_config *s;
! 85:
! 86: s = calloc(1, sizeof(plugin_config));
! 87: s->max_conns = 0;
! 88: s->silent = 0;
! 89:
! 90: cv[0].destination = &(s->max_conns);
! 91: cv[1].destination = &(s->silent);
! 92:
! 93: p->config_storage[i] = s;
! 94:
! 95: if (0 != config_insert_values_global(srv, ((data_config *)srv->config_context->data[i])->value, cv)) {
! 96: return HANDLER_ERROR;
! 97: }
! 98: }
! 99:
! 100: return HANDLER_GO_ON;
! 101: }
! 102:
! 103: #define PATCH(x) \
! 104: p->conf.x = s->x;
! 105: static int mod_evasive_patch_connection(server *srv, connection *con, plugin_data *p) {
! 106: size_t i, j;
! 107: plugin_config *s = p->config_storage[0];
! 108:
! 109: PATCH(max_conns);
! 110: PATCH(silent);
! 111:
! 112: /* skip the first, the global context */
! 113: for (i = 1; i < srv->config_context->used; i++) {
! 114: data_config *dc = (data_config *)srv->config_context->data[i];
! 115: s = p->config_storage[i];
! 116:
! 117: /* condition didn't match */
! 118: if (!config_check_cond(srv, con, dc)) continue;
! 119:
! 120: /* merge config */
! 121: for (j = 0; j < dc->value->used; j++) {
! 122: data_unset *du = dc->value->data[j];
! 123:
! 124: if (buffer_is_equal_string(du->key, CONST_STR_LEN("evasive.max-conns-per-ip"))) {
! 125: PATCH(max_conns);
! 126: } else if (buffer_is_equal_string(du->key, CONST_STR_LEN("evasive.silent"))) {
! 127: PATCH(silent);
! 128: }
! 129: }
! 130: }
! 131:
! 132: return 0;
! 133: }
! 134: #undef PATCH
! 135:
! 136: URIHANDLER_FUNC(mod_evasive_uri_handler) {
! 137: plugin_data *p = p_d;
! 138: size_t conns_by_ip = 0;
! 139: size_t j;
! 140:
! 141: if (con->uri.path->used == 0) return HANDLER_GO_ON;
! 142:
! 143: mod_evasive_patch_connection(srv, con, p);
! 144:
! 145: /* no limit set, nothing to block */
! 146: if (p->conf.max_conns == 0) return HANDLER_GO_ON;
! 147:
! 148: switch (con->dst_addr.plain.sa_family) {
! 149: case AF_INET:
! 150: #ifdef HAVE_IPV6
! 151: case AF_INET6:
! 152: #endif
! 153: break;
! 154: default: /* Address family not supported */
! 155: return HANDLER_GO_ON;
! 156: };
! 157:
! 158: for (j = 0; j < srv->conns->used; j++) {
! 159: connection *c = srv->conns->ptr[j];
! 160:
! 161: /* check if other connections are already actively serving data for the same IP
! 162: * we can only ban connections which are already behind the 'read request' state
! 163: * */
! 164: if (c->dst_addr.plain.sa_family != con->dst_addr.plain.sa_family) continue;
! 165: if (c->state <= CON_STATE_REQUEST_END) continue;
! 166:
! 167: switch (con->dst_addr.plain.sa_family) {
! 168: case AF_INET:
! 169: if (c->dst_addr.ipv4.sin_addr.s_addr != con->dst_addr.ipv4.sin_addr.s_addr) continue;
! 170: break;
! 171: #ifdef HAVE_IPV6
! 172: case AF_INET6:
! 173: if (0 != memcmp(c->dst_addr.ipv6.sin6_addr.s6_addr, con->dst_addr.ipv6.sin6_addr.s6_addr, 16)) continue;
! 174: break;
! 175: #endif
! 176: default: /* Address family not supported, should never be reached */
! 177: continue;
! 178: };
! 179: conns_by_ip++;
! 180:
! 181: if (conns_by_ip > p->conf.max_conns) {
! 182: if (!p->conf.silent) {
! 183: log_error_write(srv, __FILE__, __LINE__, "ss",
! 184: inet_ntop_cache_get_ip(srv, &(con->dst_addr)),
! 185: "turned away. Too many connections.");
! 186: }
! 187:
! 188: con->http_status = 403;
! 189: con->mode = DIRECT;
! 190: return HANDLER_FINISHED;
! 191: }
! 192: }
! 193:
! 194: return HANDLER_GO_ON;
! 195: }
! 196:
! 197:
! 198: int mod_evasive_plugin_init(plugin *p);
! 199: int mod_evasive_plugin_init(plugin *p) {
! 200: p->version = LIGHTTPD_VERSION_ID;
! 201: p->name = buffer_init_string("evasive");
! 202:
! 203: p->init = mod_evasive_init;
! 204: p->set_defaults = mod_evasive_set_defaults;
! 205: p->handle_uri_clean = mod_evasive_uri_handler;
! 206: p->cleanup = mod_evasive_free;
! 207:
! 208: p->data = NULL;
! 209:
! 210: return 0;
! 211: }
FreeBSD-CVSweb <freebsd-cvsweb@FreeBSD.org>
![[BACK]](/icons/cvsweb/back.gif){kind=icon}
Return to mod_evasive.c CVS log ![[TXT]](/icons/cvsweb/text.gif){kind=icon}
![[DIR]](/icons/cvsweb/dir.gif){kind=icon}
Up to [ELWIX - Embedded LightWeight unIX -] / embedaddon / lighttpd / src