root/trunk/src/mod_evasive.c

#include <ctype.h>
#include <stdlib.h>
#include <string.h>

#include "base.h"
#include "log.h"
#include "buffer.h"

#include "plugin.h"

#include "inet_ntop_cache.h"

/**
 * mod_evasive
 *
 * we indent to implement all features the mod_evasive from apache has
 *
 * - limit of connections per IP
 * - provide a list of block-listed ip/networks (no access)
 * - provide a white-list of ips/network which is not affected by the limit
 *   (hmm, conditionals might be enough)
 * - provide a bandwidth limiter per IP
 *
 * started by:
 * - w1zzard@techpowerup.com
 */

typedef struct {
        unsigned short max_conns;
} plugin_config;

typedef struct {
        PLUGIN_DATA;

        plugin_config **config_storage;

        plugin_config conf;
} plugin_data;

INIT_FUNC(mod_evasive_init) {
        plugin_data *p;

        UNUSED(srv);

        p = calloc(1, sizeof(*p));

        return p;
}

FREE_FUNC(mod_evasive_free) {
        plugin_data *p = p_d;

        UNUSED(srv);

        if (!p) return HANDLER_GO_ON;

        if (p->config_storage) {
                size_t i;
                for (i = 0; i < srv->config_context->used; i++) {
                        plugin_config *s = p->config_storage[i];

                        free(s);
                }
                free(p->config_storage);
        }

        free(p);

        return HANDLER_GO_ON;
}

SETDEFAULTS_FUNC(mod_evasive_set_defaults) {
        plugin_data *p = p_d;
        size_t i = 0;

        config_values_t cv[] = {
                { "evasive.max-conns-per-ip",    NULL, T_CONFIG_SHORT, T_CONFIG_SCOPE_CONNECTION },
                { NULL,                          NULL, T_CONFIG_UNSET, T_CONFIG_SCOPE_UNSET }
        };

        p->config_storage = calloc(1, srv->config_context->used * sizeof(specific_config *));

        for (i = 0; i < srv->config_context->used; i++) {
                plugin_config *s;

                s = calloc(1, sizeof(plugin_config));
                s->max_conns       = 0;

                cv[0].destination = &(s->max_conns);

                p->config_storage[i] = s;

                if (0 != config_insert_values_global(srv, ((data_config *)srv->config_context->data[i])->value, cv)) {
                        return HANDLER_ERROR;
                }
        }

        return HANDLER_GO_ON;
}

static int mod_evasive_patch_connection(server *srv, connection *con, plugin_data *p) {
        size_t i, j;
        plugin_config *s = p->config_storage[0];

        PATCH_OPTION(max_conns);

        /* skip the first, the global context */
        for (i = 1; i < srv->config_context->used; i++) {
                data_config *dc = (data_config *)srv->config_context->data[i];
                s = p->config_storage[i];

                /* condition didn't match */
                if (!config_check_cond(srv, con, dc)) continue;

                /* merge config */
                for (j = 0; j < dc->value->used; j++) {
                        data_unset *du = dc->value->data[j];

                        if (buffer_is_equal_string(du->key, CONST_STR_LEN("evasive.max-conns-per-ip"))) {
                                PATCH_OPTION(max_conns);
                        }
                }
        }

        return 0;
}

URIHANDLER_FUNC(mod_evasive_uri_handler) {
        plugin_data *p = p_d;
        size_t conns_by_ip = 0;
        size_t j;

        if (con->uri.path->used == 0) return HANDLER_GO_ON;

        mod_evasive_patch_connection(srv, con, p);

        /* no limit set, nothing to block */
        if (p->conf.max_conns == 0) return HANDLER_GO_ON;

        switch (con->dst_addr.plain.sa_family) {
                case AF_INET:
#ifdef HAVE_IPV6
                case AF_INET6:
#endif
                        break;
                default: // Address family not supported
                        return HANDLER_GO_ON;
        };

        for (j = 0; j < srv->conns->used; j++) {
                connection *c = srv->conns->ptr[j];

                /* check if other connections are already actively serving data for the same IP
                 * we can only ban connections which are already behind the 'read request' state
                 * */
                if (c->dst_addr.plain.sa_family != con->dst_addr.plain.sa_family) continue;
                if (c->state <= CON_STATE_HANDLE_REQUEST_HEADER) continue;

                switch (con->dst_addr.plain.sa_family) {
                        case AF_INET:
                                if (c->dst_addr.ipv4.sin_addr.s_addr != con->dst_addr.ipv4.sin_addr.s_addr) continue;
                                break;
#ifdef HAVE_IPV6
                        case AF_INET6:
                                if (0 != memcmp(c->dst_addr.ipv6.sin6_addr.s6_addr, con->dst_addr.ipv6.sin6_addr.s6_addr, 16)) continue;
                                break;
#endif
                        default: // Address family not supported, should never be reached
                                continue;
                };
                conns_by_ip++;

                if (conns_by_ip > p->conf.max_conns) {
                        log_error_write(srv, __FILE__, __LINE__, "ss",
                                inet_ntop_cache_get_ip(srv, &(con->dst_addr)),
                                "turned away. Too many connections.");

                        con->http_status = 403;
                        return HANDLER_FINISHED;
                }
        }

        return HANDLER_GO_ON;
}


LI_EXPORT int mod_evasive_plugin_init(plugin *p) {
        p->version     = LIGHTTPD_VERSION_ID;
        p->name        = buffer_init_string("evasive");

        p->init        = mod_evasive_init;
        p->set_defaults = mod_evasive_set_defaults;
        p->handle_uri_clean  = mod_evasive_uri_handler;
        p->cleanup     = mod_evasive_free;

        p->data        = NULL;

        return 0;
}