src/mod_evasive.c

   1 #include "first.h"
   2
   3 #include "base.h"
   4 #include "log.h"
   5 #include "buffer.h"
   6
   7 #include "plugin.h"
   8
   9 #include "inet_ntop_cache.h"
  10
  11 #include <ctype.h>
  12 #include <stdlib.h>
  13 #include <string.h>
  14
  15 /**
  16  * mod_evasive
  17  *
  18  * we indent to implement all features the mod_evasive from apache has
  19  *
  20  * - limit of connections per IP
  21  * - provide a list of block-listed ip/networks (no access)
  22  * - provide a white-list of ips/network which is not affected by the limit
  23  *   (hmm, conditionals might be enough)
  24  * - provide a bandwidth limiter per IP
  25  *
  26  * started by:
  27  * - w1zzard@techpowerup.com
  28  */
  29
  30 typedef struct {
  31         unsigned short max_conns;
  32         unsigned short silent;
  33 } plugin_config;
  34
  35 typedef struct {
  36         PLUGIN_DATA;
  37
  38         plugin_config **config_storage;
  39
  40         plugin_config conf;
  41 } plugin_data;
  42
  43 INIT_FUNC(mod_evasive_init) {
  44         plugin_data *p;
  45
  46         p = calloc(1, sizeof(*p));
  47
  48         return p;
  49 }
  50
  51 FREE_FUNC(mod_evasive_free) {
  52         plugin_data *p = p_d;
  53
  54         UNUSED(srv);
  55
  56         if (!p) return HANDLER_GO_ON;
  57
  58         if (p->config_storage) {
  59                 size_t i;
  60                 for (i = 0; i < srv->config_context->used; i++) {
  61                         plugin_config *s = p->config_storage[i];
  62
  63                         if (NULL == s) continue;
  64
  65                         free(s);
  66                 }
  67                 free(p->config_storage);
  68         }
  69
  70         free(p);
  71
  72         return HANDLER_GO_ON;
  73 }
  74
  75 SETDEFAULTS_FUNC(mod_evasive_set_defaults) {
  76         plugin_data *p = p_d;
  77         size_t i = 0;
  78
  79         config_values_t cv[] = {
  80                 { "evasive.max-conns-per-ip",    NULL, T_CONFIG_SHORT, T_CONFIG_SCOPE_CONNECTION },   /* 0 */
  81                 { "evasive.silent",              NULL, T_CONFIG_BOOLEAN, T_CONFIG_SCOPE_CONNECTION }, /* 1 */
  82                 { NULL,                          NULL, T_CONFIG_UNSET, T_CONFIG_SCOPE_UNSET }
  83         };
  84
  85         p->config_storage = calloc(1, srv->config_context->used * sizeof(plugin_config *));
  86
  87         for (i = 0; i < srv->config_context->used; i++) {
  88                 data_config const* config = (data_config const*)srv->config_context->data[i];
  89                 plugin_config *s;
  90
  91                 s = calloc(1, sizeof(plugin_config));
  92                 s->max_conns       = 0;
  93                 s->silent          = 0;
  94
  95                 cv[0].destination = &(s->max_conns);
  96                 cv[1].destination = &(s->silent);
  97
  98                 p->config_storage[i] = s;
  99
 100                 if (0 != config_insert_values_global(srv, config->value, cv, i == 0 ? T_CONFIG_SCOPE_SERVER : T_CONFIG_SCOPE_CONNECTION)) {
 101                         return HANDLER_ERROR;
 102                 }
 103         }
 104
 105         return HANDLER_GO_ON;
 106 }
 107
 108 #define PATCH(x) \
 109         p->conf.x = s->x;
 110 static int mod_evasive_patch_connection(server *srv, connection *con, plugin_data *p) {
 111         size_t i, j;
 112         plugin_config *s = p->config_storage[0];
 113
 114         PATCH(max_conns);
 115         PATCH(silent);
 116
 117         /* skip the first, the global context */
 118         for (i = 1; i < srv->config_context->used; i++) {
 119                 data_config *dc = (data_config *)srv->config_context->data[i];
 120                 s = p->config_storage[i];
 121
 122                 /* condition didn't match */
 123                 if (!config_check_cond(srv, con, dc)) continue;
 124
 125                 /* merge config */
 126                 for (j = 0; j < dc->value->used; j++) {
 127                         data_unset *du = dc->value->data[j];
 128
 129                         if (buffer_is_equal_string(du->key, CONST_STR_LEN("evasive.max-conns-per-ip"))) {
 130                                 PATCH(max_conns);
 131                         } else if (buffer_is_equal_string(du->key, CONST_STR_LEN("evasive.silent"))) {
 132                                 PATCH(silent);
 133                         }
 134                 }
 135         }
 136
 137         return 0;
 138 }
 139 #undef PATCH
 140
 141 URIHANDLER_FUNC(mod_evasive_uri_handler) {
 142         plugin_data *p = p_d;
 143         size_t conns_by_ip = 0;
 144         size_t j;
 145
 146         if (buffer_is_empty(con->uri.path)) return HANDLER_GO_ON;
 147
 148         mod_evasive_patch_connection(srv, con, p);
 149
 150         /* no limit set, nothing to block */
 151         if (p->conf.max_conns == 0) return HANDLER_GO_ON;
 152
 153         switch (con->dst_addr.plain.sa_family) {
 154                 case AF_INET:
 155 #ifdef HAVE_IPV6
 156                 case AF_INET6:
 157 #endif
 158                         break;
 159                 default: /* Address family not supported */
 160                         return HANDLER_GO_ON;
 161         };
 162
 163         for (j = 0; j < srv->conns->used; j++) {
 164                 connection *c = srv->conns->ptr[j];
 165
 166                 /* check if other connections are already actively serving data for the same IP
 167                  * we can only ban connections which are already behind the 'read request' state
 168                  * */
 169                 if (c->dst_addr.plain.sa_family != con->dst_addr.plain.sa_family) continue;
 170                 if (c->state <= CON_STATE_REQUEST_END) continue;
 171
 172                 switch (con->dst_addr.plain.sa_family) {
 173                         case AF_INET:
 174                                 if (c->dst_addr.ipv4.sin_addr.s_addr != con->dst_addr.ipv4.sin_addr.s_addr) continue;
 175                                 break;
 176 #ifdef HAVE_IPV6
 177                         case AF_INET6:
 178                                 if (0 != memcmp(c->dst_addr.ipv6.sin6_addr.s6_addr, con->dst_addr.ipv6.sin6_addr.s6_addr, 16)) continue;
 179                                 break;
 180 #endif
 181                         default: /* Address family not supported, should never be reached */
 182                                 continue;
 183                 };
 184                 conns_by_ip++;
 185
 186                 if (conns_by_ip > p->conf.max_conns) {
 187                         if (!p->conf.silent) {
 188                                 log_error_write(srv, __FILE__, __LINE__, "ss",
 189                                         inet_ntop_cache_get_ip(srv, &(con->dst_addr)),
 190                                         "turned away. Too many connections.");
 191                         }
 192
 193                         con->http_status = 403;
 194                         con->mode = DIRECT;
 195                         return HANDLER_FINISHED;
 196                 }
 197         }
 198
 199         return HANDLER_GO_ON;
 200 }
 201
 202
 203 int mod_evasive_plugin_init(plugin *p);
 204 int mod_evasive_plugin_init(plugin *p) {
 205         p->version     = LIGHTTPD_VERSION_ID;
 206         p->name        = buffer_init_string("evasive");
 207
 208         p->init        = mod_evasive_init;
 209         p->set_defaults = mod_evasive_set_defaults;
 210         p->handle_uri_clean  = mod_evasive_uri_handler;
 211         p->cleanup     = mod_evasive_free;
 212
 213         p->data        = NULL;
 214
 215         return 0;
 216 }