Lighttpd

#include <ctype.h>

#include <stdlib.h>

#include <string.h>

#include "base.h"

#include "log.h"

#include "buffer.h"

#include "plugin.h"

#include "inet_ntop_cache.h"

/**

 * mod_evasive

 *

 * we indent to implement all features the mod_evasive from apache has

 *

 * - limit of connections per IP

 * - provide a list of block-listed ip/networks (no access)

 * - provide a white-list of ips/network which is not affected by the limit

 *   (hmm, conditionals might be enough)

 * - provide a bandwidth limiter per IP

 *

 * started by:

 * - w1zzard@techpowerup.com

 */

typedef struct {

        unsigned short max_conns;

} plugin_config;

typedef struct {

        PLUGIN_DATA;

        plugin_config **config_storage;

        plugin_config conf;

} plugin_data;

INIT_FUNC(mod_evasive_init) {

        plugin_data *p;

        UNUSED(srv);

        p = calloc(1, sizeof(*p));

        return p;

}

FREE_FUNC(mod_evasive_free) {

        plugin_data *p = p_d;

        UNUSED(srv);

        if (!p) return HANDLER_GO_ON;

        if (p->config_storage) {

                size_t i;

                for (i = 0; i < srv->config_context->used; i++) {

                        plugin_config *s = p->config_storage[i];

                        free(s);

                }

                free(p->config_storage);

        }

        free(p);

        return HANDLER_GO_ON;

}

SETDEFAULTS_FUNC(mod_evasive_set_defaults) {

        plugin_data *p = p_d;

        size_t i = 0;

        config_values_t cv[] = {

                { "evasive.max-conns-per-ip",    NULL, T_CONFIG_SHORT, T_CONFIG_SCOPE_CONNECTION },

                { NULL,                          NULL, T_CONFIG_UNSET, T_CONFIG_SCOPE_UNSET }

        };

        p->config_storage = calloc(1, srv->config_context->used * sizeof(specific_config *));

        for (i = 0; i < srv->config_context->used; i++) {

                plugin_config *s;

                s = calloc(1, sizeof(plugin_config));

                s->max_conns       = 0;

                cv[0].destination = &(s->max_conns);

                p->config_storage[i] = s;

                if (0 != config_insert_values_global(srv, ((data_config *)srv->config_context->data[i])->value, cv)) {

                        return HANDLER_ERROR;

                }

        }

        return HANDLER_GO_ON;

}

static int mod_evasive_patch_connection(server *srv, connection *con, plugin_data *p) {

        size_t i, j;

        plugin_config *s = p->config_storage[0];

        PATCH_OPTION(max_conns);

        /* skip the first, the global context */

        for (i = 1; i < srv->config_context->used; i++) {

                data_config *dc = (data_config *)srv->config_context->data[i];

                s = p->config_storage[i];

                /* condition didn't match */

                if (!config_check_cond(srv, con, dc)) continue;

                /* merge config */

                for (j = 0; j < dc->value->used; j++) {

                        data_unset *du = dc->value->data[j];

                        if (buffer_is_equal_string(du->key, CONST_STR_LEN("evasive.max-conns-per-ip"))) {

                                PATCH_OPTION(max_conns);

                        }

                }

        }

        return 0;

}

URIHANDLER_FUNC(mod_evasive_uri_handler) {

        plugin_data *p = p_d;

        size_t conns_by_ip = 0;

        size_t j;

        if (con->uri.path->used == 0) return HANDLER_GO_ON;

        mod_evasive_patch_connection(srv, con, p);

        /* no limit set, nothing to block */

        if (p->conf.max_conns == 0) return HANDLER_GO_ON;

        switch (con->dst_addr.plain.sa_family) {

                case AF_INET:

#ifdef HAVE_IPV6

                case AF_INET6:

#endif

                        break;

                default: // Address family not supported

                        return HANDLER_GO_ON;

        };

        for (j = 0; j < srv->conns->used; j++) {

                connection *c = srv->conns->ptr[j];

                /* check if other connections are already actively serving data for the same IP

                 * we can only ban connections which are already behind the 'read request' state

                 * */

                if (c->dst_addr.plain.sa_family != con->dst_addr.plain.sa_family) continue;

                if (c->state <= CON_STATE_HANDLE_REQUEST_HEADER) continue;

                switch (con->dst_addr.plain.sa_family) {

                        case AF_INET:

                                if (c->dst_addr.ipv4.sin_addr.s_addr != con->dst_addr.ipv4.sin_addr.s_addr) continue;

                                break;

#ifdef HAVE_IPV6

                        case AF_INET6:

                                if (0 != memcmp(c->dst_addr.ipv6.sin6_addr.s6_addr, con->dst_addr.ipv6.sin6_addr.s6_addr, 16)) continue;

                                break;

#endif

                        default: // Address family not supported, should never be reached

                                continue;

                };

                conns_by_ip++;

                if (conns_by_ip > p->conf.max_conns) {

                        log_error_write(srv, __FILE__, __LINE__, "ss",

                                inet_ntop_cache_get_ip(srv, &(con->dst_addr)),

                                "turned away. Too many connections.");

                        con->http_status = 403;

                        return HANDLER_FINISHED;

                }

        }

        return HANDLER_GO_ON;

}

LI_EXPORT int mod_evasive_plugin_init(plugin *p);

LI_EXPORT int mod_evasive_plugin_init(plugin *p) {

        p->version     = LIGHTTPD_VERSION_ID;

        p->name        = buffer_init_string("evasive");

        p->init        = mod_evasive_init;

        p->set_defaults = mod_evasive_set_defaults;

        p->handle_uri_clean  = mod_evasive_uri_handler;

        p->cleanup     = mod_evasive_free;

        p->data        = NULL;

        return 0;

}