author | Krzysztof Krzyżaniak <eloy@debian.org> | 2006-01-16 19:08:37 +0000 |
committer | Krzysztof Krzyżaniak <eloy@debian.org> | 2006-01-16 19:08:37 +0000 |
commit | f40f3dcc4b1cbbbd3bcf640e6d852786bd546d12 (patch) | |
tree | f6c6501b996665c51a3504bf5327b2753d3e048c /src/mod_evasive.c | |
parent | ae6e5f21be48a40bc2a29518dc655245408cf972 (diff) | |
download | lighttpd-f40f3dcc4b1cbbbd3bcf640e6d852786bd546d12.tar.gz |
eloy: new upstream versiondebian/1.4.9-1
Diffstat (limited to 'src/mod_evasive.c')
-rw-r--r-- | src/mod_evasive.c | 178 |
1 files changed, 178 insertions, 0 deletions
diff --git a/src/mod_evasive.c b/src/mod_evasive.c
new file mode 100644
index 0000000..b9d19ca
--- /dev/null
+++ b/src/mod_evasive.c
@@ -0,0 +1,178 @@
+#include <ctype.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include "base.h"
+#include "log.h"
+#include "buffer.h"
+
+#include "plugin.h"
+
+#include "inet_ntop_cache.h"
+
+/**
+ * mod_evasive
+ *
+ * we indent to implement all features the mod_evasive from apache has
+ *
+ * - limit of connections per IP
+ * - provide a list of block-listed ip/networks (no access)
+ * - provide a white-list of ips/network which is not affected by the limit
+ * (hmm, conditionals might be enough)
+ * - provide a bandwidth limiter per IP
+ *
+ * started by:
+ * - w1zzard@techpowerup.com
+ */
+
+typedef struct {
+ unsigned short max_conns;
+} plugin_config;
+
+typedef struct {
+ PLUGIN_DATA;
+
+ plugin_config **config_storage;
+
+ plugin_config conf;
+} plugin_data;
+
+INIT_FUNC(mod_evasive_init) {
+ plugin_data *p;
+
+ p = calloc(1, sizeof(*p));
+
+ return p;
+}
+
+FREE_FUNC(mod_evasive_free) {
+ plugin_data *p = p_d;
+
+ UNUSED(srv);
+
+ if (!p) return HANDLER_GO_ON;
+
+ if (p->config_storage) {
+ size_t i;
+ for (i = 0; i < srv->config_context->used; i++) {
+ plugin_config *s = p->config_storage[i];
+
+ free(s);
+ }
+ free(p->config_storage);
+ }
+
+ free(p);
+
+ return HANDLER_GO_ON;
+}
+
+SETDEFAULTS_FUNC(mod_evasive_set_defaults) {
+ plugin_data *p = p_d;
+ size_t i = 0;
+
+ config_values_t cv[] = {
+ { "evasive.max-conns-per-ip", NULL, T_CONFIG_SHORT, T_CONFIG_SCOPE_CONNECTION },
+ { NULL, NULL, T_CONFIG_UNSET, T_CONFIG_SCOPE_UNSET }
+ };
+
+ p->config_storage = calloc(1, srv->config_context->used * sizeof(specific_config *));
+
+ for (i = 0; i < srv->config_context->used; i++) {
+ plugin_config *s;
+
+ s = calloc(1, sizeof(plugin_config));
+ s->max_conns = 0;
+
+ cv[0].destination = &(s->max_conns);
+
+ p->config_storage[i] = s;
+
+ if (0 != config_insert_values_global(srv, ((data_config *)srv->config_context->data[i])->value, cv)) {
+ return HANDLER_ERROR;
+ }
+ }
+
+ return HANDLER_GO_ON;
+}
+
+#define PATCH(x) \
+ p->conf.x = s->x;
+static int mod_evasive_patch_connection(server *srv, connection *con, plugin_data *p) {
+ size_t i, j;
+ plugin_config *s = p->config_storage[0];
+
+ PATCH(max_conns);
+
+ /* skip the first, the global context */
+ for (i = 1; i < srv->config_context->used; i++) {
+ data_config *dc = (data_config *)srv->config_context->data[i];
+ s = p->config_storage[i];
+
+ /* condition didn't match */
+ if (!config_check_cond(srv, con, dc)) continue;
+
+ /* merge config */
+ for (j = 0; j < dc->value->used; j++) {
+ data_unset *du = dc->value->data[j];
+
+ if (buffer_is_equal_string(du->key, CONST_STR_LEN("evasive.max-conns-per-ip"))) {
+ PATCH(max_conns);
+ }
+ }
+ }
+
+ return 0;
+}
+#undef PATCH
+
+URIHANDLER_FUNC(mod_evasive_uri_handler) {
+ plugin_data *p = p_d;
+ size_t conns_by_ip = 0;
+ size_t j;
+
+ if (con->uri.path->used == 0) return HANDLER_GO_ON;
+
+ mod_evasive_patch_connection(srv, con, p);
+
+ /* no limit set, nothing to block */
+ if (p->conf.max_conns == 0) return HANDLER_GO_ON;
+
+ for (j = 0; j < srv->conns->used; j++) {
+ connection *c = srv->conns->ptr[j];
+
+ /* check if other connections are already actively serving data for the same IP
+ * we can only ban connections which are already behind the 'read request' state
+ * */
+ if (c->dst_addr.ipv4.sin_addr.s_addr == con->dst_addr.ipv4.sin_addr.s_addr &&
+ c->state > CON_STATE_REQUEST_END) {
+ conns_by_ip++;
+
+ if (conns_by_ip > p->conf.max_conns) {
+ log_error_write(srv, __FILE__, __LINE__, "ss",
+ inet_ntop_cache_get_ip(srv, &(con->dst_addr)),
+ "turned away. Too many connections.");
+
+ con->http_status = 403;
+ return HANDLER_FINISHED;
+ }
+ }
+ }
+
+ return HANDLER_GO_ON;
+}
+
+
+int mod_evasive_plugin_init(plugin *p) {
+ p->version = LIGHTTPD_VERSION_ID;
+ p->name = buffer_init_string("evasive");
+
+ p->init = mod_evasive_init;
+ p->set_defaults = mod_evasive_set_defaults;
+ p->handle_uri_clean = mod_evasive_uri_handler;
+ p->cleanup = mod_evasive_free;
+
+ p->data = NULL;
+
+ return 0;
+} |
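Review bot: The per-IP match in mod_evasive_uri_handler compares only `dst_addr.ipv4.sin_addr.s_addr` without checking the address family, so for any connection that is not AF_INET (IPv6 listeners, if the build has them) the IPv4 member of the address union is read against unrelated bytes: distinct clients can be counted as one IP, a single client can slip past the limit, and the log line then prints an address that was never actually matched. Compare the family first and compare IPv6 addresses with memcmp, as sketched below; the `plain`/`ipv6` member names assume the sock_addr union in base.h, which this hunk does not show, so confirm them. The scan also counts `con` itself and logs one line per rejected request, which deserves a comment such as `/* con is included in the count, so max_conns is the total per IP */` so the limit's meaning and the log volume under a flood are not surprises. Separately, `sizeof(specific_config *)` in mod_evasive_set_defaults should read `sizeof(plugin_config *)`; the sizes coincide, but it names the wrong type.
```c
	for (j = 0; j < srv->conns->used; j++) {
		connection *c = srv->conns->ptr[j];

		/* only connections of the same address family can share an IP;
		 * never read the address union through the wrong member */
		if (c->dst_addr.plain.sa_family != con->dst_addr.plain.sa_family) continue;

		switch (con->dst_addr.plain.sa_family) {
		case AF_INET:
			if (c->dst_addr.ipv4.sin_addr.s_addr != con->dst_addr.ipv4.sin_addr.s_addr) continue;
			break;
#ifdef HAVE_IPV6
		case AF_INET6:
			if (0 != memcmp(&c->dst_addr.ipv6.sin6_addr, &con->dst_addr.ipv6.sin6_addr,
			                sizeof(struct in6_addr))) continue;
			break;
#endif
		default:
			continue;
		}

		/* we can only ban connections which are already behind the 'read request' state;
		 * con itself is included in the count, so max_conns is the total per IP */
		if (c->state > CON_STATE_REQUEST_END) {
			conns_by_ip++;
			/* … unchanged: limit check, log line and 403 … */
		}
	}
```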